1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
#!/usr/bin/env python3
import optparse
import sys
import os
import samba
import samba.getopt as options
from samba.tests.subunitrun import SubunitOptions, TestProgram
from samba.samdb import SamDB
from samba.auth import system_session
from samba import sd_utils
from samba.ndr import ndr_unpack
from ldb import Message, MessageElement, Dn, LdbError
from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL
from match_rules import MatchRulesTestsBase
class MatchRulesTestsUser(MatchRulesTestsBase):
def setUp(self):
self.sambaopts = sambaopts
self.credopts = credopts
self.host = host
super().setUp()
self.sd_utils = sd_utils.SDUtils(self.ldb)
self.user_pass = "samba123@"
self.match_test_user = "matchtestuser"
self.ldb.newuser(self.match_test_user,
self.user_pass,
userou=self.ou_rdn)
user_creds = self.insta_creds(template=self.creds,
username=self.match_test_user,
userpass=self.user_pass)
self.user_ldb = SamDB(host, credentials=user_creds, lp=self.lp)
token_res = self.user_ldb.search(scope=SCOPE_BASE,
base="",
attrs=["tokenGroups"])
self.user_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
token_res[0]["tokenGroups"][0])
self.member_attr_guid = "bf9679c0-0de6-11d0-a285-00aa003049e2"
def test_with_denied_link(self):
# add an ACE that denies the user Read Property (RP) access to
# the member attr (which is similar to making the attribute
# confidential)
ace = "(OD;;RP;{0};;{1})".format(self.member_attr_guid,
self.user_sid)
g2_dn = Dn(self.ldb, "CN=g2,%s" % self.ou_groups)
# add the ACE that denies access to the attr under test
self.sd_utils.dacl_add_ace(g2_dn, ace)
# Search without transitive match must return 0 results
res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
scope=SCOPE_BASE,
expression="member=cn=u1,%s" % self.ou_users)
self.assertEqual(len(res1), 0)
# Search with transitive match must return 1 results
res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
scope=SCOPE_BASE,
expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
self.assertEqual(len(res1), 1)
self.assertEqual(str(res1[0].dn).lower(), ("CN=g4,%s" % self.ou_groups).lower())
# Search as a user match must return 0 results as the intermediate link can't be seen
res1 = self.user_ldb.search("cn=g4,%s" % self.ou_groups,
scope=SCOPE_BASE,
expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
self.assertEqual(len(res1), 0)
parser = optparse.OptionParser("match_rules_remote.py [options] <host>")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
# use command line creds if available
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
opts, args = parser.parse_args()
subunitopts = SubunitOptions(parser)
parser.add_option_group(subunitopts)
if len(args) < 1:
parser.print_usage()
sys.exit(1)
host = args[0]
if "://" not in host:
if os.path.isfile(host):
host = "tdb://%s" % host
else:
host = "ldap://%s" % host
TestProgram(module=__name__, opts=subunitopts)
|