The Samba-Bugzilla – Attachment 17860 Details for
Bug 15338
DS ACEs might be inherited to unrelated object classes
[patch]
Patches for v4-18-test
bfixes-tmp418.txt (text/plain), 89.01 KB, created by
Stefan Metzmacher
on 2023-04-12 12:39:49 UTC
Description:
Patches for v4-18-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2023-04-12 12:39:49 UTC
Size:
89.01 KB
patch
obsolete
>From c42ea90683d562d618700e0b79abe04ba9bc5b1d Mon Sep 17 00:00:00 2001
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Tue, 15 Mar 2022 14:01:13 +1300
>Subject: [PATCH 1/8] libcli/security: Reorder SDDL access flags table to match
> Windows
>
>This means that encoding an ACE in string form will now match Windows.
>
>Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>
>Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
>Autobuild-Date(master): Tue Mar 21 01:19:16 UTC 2023 on atb-devel-224
>
>(cherry picked from commit be1aae77b7610933b1121f207e0a4df523c2d278)
>---
> libcli/security/sddl.c | 18 +++++++++---------
> python/samba/tests/upgradeprovision.py | 20 ++++++++++----------
> source4/dsdb/tests/python/sec_descriptor.py | 12 ++++++------
> source4/torture/ldb/ldb.c | 18 +++++++++---------
> 4 files changed, 34 insertions(+), 34 deletions(-)
>
>diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
>index e6c3c94f2150..6c9929053ce3 100644
>--- a/libcli/security/sddl.c
>+++ b/libcli/security/sddl.c
>@@ -237,23 +237,23 @@ static const struct flag_map ace_flags[] = {
> };
>
> static const struct flag_map ace_access_mask[] = {
>- { "RP", SEC_ADS_READ_PROP },
>- { "WP", SEC_ADS_WRITE_PROP },
>- { "CR", SEC_ADS_CONTROL_ACCESS },
> { "CC", SEC_ADS_CREATE_CHILD },
> { "DC", SEC_ADS_DELETE_CHILD },
> { "LC", SEC_ADS_LIST },
>+ { "SW", SEC_ADS_SELF_WRITE },
>+ { "RP", SEC_ADS_READ_PROP },
>+ { "WP", SEC_ADS_WRITE_PROP },
>+ { "DT", SEC_ADS_DELETE_TREE },
> { "LO", SEC_ADS_LIST_OBJECT },
>+ { "CR", SEC_ADS_CONTROL_ACCESS },
>+ { "SD", SEC_STD_DELETE },
> { "RC", SEC_STD_READ_CONTROL },
>- { "WO", SEC_STD_WRITE_OWNER },
> { "WD", SEC_STD_WRITE_DAC },
>- { "SD", SEC_STD_DELETE },
>- { "DT", SEC_ADS_DELETE_TREE },
>- { "SW", SEC_ADS_SELF_WRITE },
>+ { "WO", SEC_STD_WRITE_OWNER },
> { "GA", SEC_GENERIC_ALL },
>- { "GR", SEC_GENERIC_READ },
>- { "GW", SEC_GENERIC_WRITE },
> { "GX", SEC_GENERIC_EXECUTE },
>+ { "GW", SEC_GENERIC_WRITE },
>+ { "GR", SEC_GENERIC_READ },
> { NULL, 0 }
> };
>
>diff --git a/python/samba/tests/upgradeprovision.py b/python/samba/tests/upgradeprovision.py
>index 5f77a777fc91..b281ad8722fb 100644
>--- a/python/samba/tests/upgradeprovision.py
>+++ b/python/samba/tests/upgradeprovision.py
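Review bot: The order of `ace_access_mask` is now load-bearing, but nothing in the table says so; the commit message explains that string encoding follows table order so the output matches Windows, yet the next person tidying the table into alphabetical or bit order will silently change every SDDL string Samba emits, together with the expectations updated in the other three files of this patch. Add a comment above the table, e.g. `/* Order matters: the encoder walks this table in order and the result must match the SDDL string Windows produces. Do not re-sort. */`. Whether the parser also depends on the order is not visible in this hunk.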
>@@ -64,21 +64,21 @@ class UpgradeProvisionTestCase(TestCaseInTempDir):
> def test_get_diff_sds(self):
> domsid = security.dom_sid('S-1-5-21')
>
>- sddl = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\
>+ sddl = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\
> (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)"
>- sddl1 = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\
>+ sddl1 = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\
> (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)"
>- sddl2 = "O:BAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\
>+ sddl2 = "O:BAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\
> (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)"
>- sddl3 = "O:SAG:BAD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\
>+ sddl3 = "O:SAG:BAD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\
> (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)"
>- sddl4 = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;BA)\
>+ sddl4 = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;BA)\
> (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)"
>- sddl5 = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\
>+ sddl5 = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\
> (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
>- sddl6 = "O:SAG:DUD:AI(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)\
>+ sddl6 = "O:SAG:DUD:AI(A;CIID;CCLCSWRPWPLOCRRCWDWO;;;SA)\
> (A;CIID;RP LCLORC;;;AU)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)\
>-(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\
>+(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\
> (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)(AU;CIIDSA;WP;;;WD)"
>
> self.assertEqual(get_diff_sds(security.descriptor.from_sddl(sddl, domsid),
>@@ -96,8 +96,8 @@ class UpgradeProvisionTestCase(TestCaseInTempDir):
> security.descriptor.from_sddl(sddl4, domsid),
> domsid)
> txtmsg = "\tPart dacl is different between reference and current here\
>- is the detail:\n\t\t(A;CI;RPWPCRCCLCLORCWOWDSW;;;BA) ACE is not present in\
>- the reference\n\t\t(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA) ACE is not present in\
>+ is the detail:\n\t\t(A;CI;CCLCSWRPWPLOCRRCWDWO;;;BA) ACE is not present in\
>+ the reference\n\t\t(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA) ACE is not present in\
> the current\n"
> self.assertEqual(txt, txtmsg)
>
>diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
>index 5410e9f72462..43fc6dc75004 100755
>--- a/source4/dsdb/tests/python/sec_descriptor.py
>+++ b/source4/dsdb/tests/python/sec_descriptor.py
>@@ -1638,22 +1638,22 @@ class DaclDescriptorTests(DescriptorTests):
> self.ldb_admin.create_ou(ou_dn6)
>
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn1)
>- self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
>+ self.assertIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
> self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn2)
>- self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
>+ self.assertNotIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
> self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn3)
>- self.assertTrue("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
>+ self.assertIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
> self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn4)
>- self.assertFalse("(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
>+ self.assertNotIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
> self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
>- self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
>+ self.assertIn("(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
> self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn6)
>- self.assertTrue("(A;ID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DU)" in desc_sddl)
>+ self.assertIn("(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
> self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
>
> def test_215(self):
>diff --git a/source4/torture/ldb/ldb.c b/source4/torture/ldb/ldb.c
>index c170416bec42..94a89f71165a 100644
>--- a/source4/torture/ldb/ldb.c
>+++ b/source4/torture/ldb/ldb.c
>@@ -375,9 +375,9 @@ static const char dda1d01d_ldif[] = ""
> "uSNChanged: 3467\n"
> "showInAdvancedViewOnly: TRUE\n"
> "nTSecurityDescriptor: O:S-1-5-21-2106703258-1007804629-1260019310-512G:S-1-5-2\n"
>-" 1-2106703258-1007804629-1260019310-512D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-\n"
>-" 1-5-21-2106703258-1007804629-1260019310-512)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;\n"
>-" SY)(A;;RPLCLORC;;;AU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828c\n"
>+" 1-2106703258-1007804629-1260019310-512D:AI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-\n"
>+" 1-5-21-2106703258-1007804629-1260019310-512)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;\n"
>+" SY)(A;;LCRPLORC;;;AU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828c\n"
> " c14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa\n"
> " 006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-\n"
> " 11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;\n"
>@@ -392,12 +392,12 @@ static const char dda1d01d_ldif[] = ""
> " 9e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-\n"
> " a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967\n"
> " a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0\n"
>-" c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RPLCLORC;;4828cc1\n"
>-" 4-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RPLCLORC;;bf967a9c-0de6-11d0-a285\n"
>-" -00aa003049e2;RU)(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU\n"
>-" )(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;RPWPCRCCDCL\n"
>-" CLORCWOWDSDDTSW;;;S-1-5-21-2106703258-1007804629-1260019310-519)(A;CIID;LC;;;\n"
>-" RU)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1\n"
>+" c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;LCRPLORC;;4828cc1\n"
>+" 4-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;LCRPLORC;;bf967a9c-0de6-11d0-a285\n"
>+" -00aa003049e2;RU)(OA;CIIOID;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU\n"
>+" )(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;CCDCLCSWRPW\n"
>+" PDTLOCRSDRCWDWO;;;S-1-5-21-2106703258-1007804629-1260019310-519)(A;CIID;LC;;;\n"
>+" RU)(A;CIID;CCLCSWRPWPLOCRSDRCWDWO;;;BA)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1\n"
> " -b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f3\n"
> " 0e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)\n"
> "name: dda1d01d-4bd7-4c49-a184-46f9241b560e\n"
>--
>2.34.1
>
>
>From 2d54b99defde2f445cda92964c0b2f0b5a4714e1 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 20 Mar 2023 12:04:37 +0100
>Subject: [PATCH 2/8] s4:dsdb/tests: let OwnerGroupDescriptorTests.test_141()
> set the required ACE explicitly
>
>All other tests use the same logic and run before, which means the ACE
>is already there and is implicitly required.
>
>As we want to cleanup the ACE after each test in the next step,
>as the tests should not have side effects for other tests, e.g.
>'blackbox.dbcheck'.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 7b0d5285361e6dc40e09bc0d36bb2aae5d5a86a7)
>---
> source4/dsdb/tests/python/sec_descriptor.py | 3 +++
> 1 file changed, 3 insertions(+)
>
>diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
>index 43fc6dc75004..f9e41eddec4c 100755
>--- a/source4/dsdb/tests/python/sec_descriptor.py
>+++ b/source4/dsdb/tests/python/sec_descriptor.py
>@@ -865,6 +865,9 @@ class OwnerGroupDescriptorTests(DescriptorTests):
> self.check_user_belongs(self.get_users_domain_dn(user_name), [])
> # Open Ldb connection with the tested user
> _ldb = self.get_ldb_connection(user_name, "samba123@")
>+ # Change Schema partition descriptor
>+ mod = "(A;;CC;;;AU)"
>+ self.sd_utils.dacl_add_ace(self.schema_dn, mod)
> # Create a custom security descriptor
> # NB! Problematic owner part won't accept DA only <User Sid> !!!
> user_sid = self.sd_utils.get_object_sid(self.get_users_domain_dn(user_name))
>--
>2.34.1
>
>
>From d2ed19e0da42ce882d1521a7d0ef180ab46fcad4 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 20 Mar 2023 12:04:37 +0100
>Subject: [PATCH 3/8] s4:dsdb/tests: let OwnerGroupDescriptorTests() remove
> temporary ACEs on cleanup
>
>Otherwise we impact other unrelated tests, e.g. 'blackbox.dbcheck'.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
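Review bot: `# Change Schema partition descriptor` on the new lines of hunk -865 says what, not why: the ACE grants Authenticated Users create-child on the schema NC, and per the commit message test_141 only passed before because earlier tests had left that ACE behind. Spell that out so the grant is not mistaken for leftover setup, e.g. `# test_141 needs AU to be able to create children in the schema NC; earlier tests used to leave this ACE behind, so add it explicitly here`. The body of test_141 continues outside the hunk, so where the added right is exercised is not visible here.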
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit e0a8e043d339cf5e1c9b2643e6d151ab2ae81c05)
>---
> source4/dsdb/tests/python/sec_descriptor.py | 2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
>index f9e41eddec4c..3732828cb9a0 100755
>--- a/source4/dsdb/tests/python/sec_descriptor.py
>+++ b/source4/dsdb/tests/python/sec_descriptor.py
>@@ -183,6 +183,8 @@ class OwnerGroupDescriptorTests(DescriptorTests):
> delete_force(self.ldb_admin, "OU=test_domain_ou2,OU=test_domain_ou1," + self.base_dn)
> delete_force(self.ldb_admin, "OU=test_domain_ou1," + self.base_dn)
> # SCHEMA
>+ mod = "(A;CI;WDCC;;;AU)(A;;CC;;;AU)"
>+ self.sd_utils.dacl_delete_aces(self.schema_dn, mod)
> # CONFIGURATION
> delete_force(self.ldb_admin, "CN=test-specifier1,CN=test-container1,CN=DisplaySpecifiers,"
> + self.configuration_dn)
>--
>2.34.1
>
>
>From 5b315897b9bd8d4a9c8dbb796b49b9beb9dce63b Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 20 Mar 2023 13:02:47 +0100
>Subject: [PATCH 4/8] s4:dsdb/tests: let AclUndeleteTests.test_undelete()
> remove the temporary ACE again
>
>Otherwise we impact other unrelated tests, e.g. 'blackbox.dbcheck'.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 2436d621d1940f127f164ca227a14b1d9b573eb5)
>---
> source4/dsdb/tests/python/acl.py | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
>index ee6b5ae5cf6c..2dd8c541bafa 100755
>--- a/source4/dsdb/tests/python/acl.py
>+++ b/source4/dsdb/tests/python/acl.py
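Review bot: The cleanup literal `"(A;CI;WDCC;;;AU)(A;;CC;;;AU)"` added in hunk -183 duplicates ACE strings that the tests add elsewhere (the previous patch adds `"(A;;CC;;;AU)"` by hand in test_141; where `(A;CI;WDCC;;;AU)` is added is outside this hunk), so if a test's ACE is ever changed the tearDown keeps deleting the old one and the cross-test leak this series fixes returns without any test noticing. A single class-level constant referenced from both the adding tests and this tearDown, e.g. `SCHEMA_TEST_ACES = "(A;CI;WDCC;;;AU)(A;;CC;;;AU)"`, keeps the two in sync. It is also not visible here whether `dacl_delete_aces` tolerates ACEs that are absent; if it raises, a test that failed before adding its ACE would have its real failure masked by the tearDown error, which is worth confirming. The tearDown method starts outside the hunk.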
>@@ -5079,6 +5079,7 @@ class AclUndeleteTests(AclTests):
> except LdbError as e38:
> (num, _) = e38.args
> self.assertEqual(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
>+ self.sd_utils.dacl_delete_aces(self.base_dn, mod)
>
>
> class AclSPNTests(AclTests):
>--
>2.34.1
>
>
>From abc52b46d8beba236eb9240b42ec0184e8d5c4ae Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 22 Mar 2023 14:48:00 +0100
>Subject: [PATCH 5/8] s4:dsdb/tests: convert sec_descriptor.py to use
> assert[Not]In()
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 6de4849f9cacbe7e08834fa340a70f7aebe9e6f9)
>---
> source4/dsdb/tests/python/sec_descriptor.py | 298 ++++++++++----------
> 1 file changed, 149 insertions(+), 149 deletions(-)
>
>diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
>index 3732828cb9a0..5c69462c69a7 100755
>--- a/source4/dsdb/tests/python/sec_descriptor.py
>+++ b/source4/dsdb/tests/python/sec_descriptor.py
>@@ -353,7 +353,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
> # User is not a member of any additional groups but default
> res = self.ldb_admin.search(user_dn, attrs=["*"])
> res = [x.upper() for x in res[0].keys()]
>- self.assertFalse("MEMBEROF" in res)
>+ self.assertNotIn("MEMBEROF", res)
>
> def check_modify_inheritance(self, _ldb, object_dn, owner_group=""):
> # Modify
>@@ -365,7 +365,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
> sd_user_utils.modify_sd_on_dn(object_dn, "D:" + ace)
> # Make sure the modify operation has been applied
> desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
>- self.assertTrue(ace in desc_sddl)
>+ self.assertIn(ace, desc_sddl)
> # Make sure we have identical result for both "add" and "modify"
> res = re.search("(O:.*G:.*?)D:", desc_sddl).group(1)
> print(self._testMethodName)
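Review bot: The `self.sd_utils.dacl_delete_aces(self.base_dn, mod)` added in hunk -5079 only runs when test_undelete reaches the end of its body; if `assertEqual(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)` fails, or the try body raises anything other than LdbError, the ACE stays on base_dn and the cross-test leakage the commit is fixing (e.g. 'blackbox.dbcheck') comes back exactly when tests are already failing. Registering the removal at the point the ACE is granted is robust to that: `self.addCleanup(self.sd_utils.dacl_delete_aces, self.base_dn, mod)` directly after the call that adds `mod` to base_dn, and the added line here can then go. The call that adds the ACE and the definition of `mod` are above the hunk and not visible, so I am assuming `mod` still holds the string that was added; test_undelete starts outside the hunk.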
>@@ -1276,8 +1276,8 @@ class DaclDescriptorTests(DescriptorTests):
> self.sd_utils.modify_sd_on_dn(object_dn, desc_sddl)
> # Verify all inheritable ACEs are gone
> desc_sddl = self.sd_utils.get_sd_as_sddl(object_dn)
>- self.assertFalse("CI" in desc_sddl)
>- self.assertFalse("OI" in desc_sddl)
>+ self.assertNotIn("CI", desc_sddl)
>+ self.assertNotIn("OI", desc_sddl)
>
> def test_200(self):
> """ OU with protected flag and child group. See if the group has inherit ACEs.
>@@ -1290,7 +1290,7 @@ class DaclDescriptorTests(DescriptorTests):
> self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4)
> # Make sure created group object contains NO inherit ACEs
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertFalse("ID" in desc_sddl)
>+ self.assertNotIn("ID", desc_sddl)
>
> def test_201(self):
> """ OU with protected flag and no inherit ACEs, child group with custom descriptor.
>@@ -1334,17 +1334,17 @@ class DaclDescriptorTests(DescriptorTests):
> # Make sure created group object contains NO inherit ACEs
> # also make sure the added above non-inheritable ACEs are absent too
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertFalse("ID" in desc_sddl)
>+ self.assertNotIn("ID", desc_sddl)
> for x in re.findall(r"\(.*?\)", mod):
>- self.assertFalse(x in desc_sddl)
>+ self.assertNotIn(x, desc_sddl)
> try:
> self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
> except LdbError as e:
> self.fail(str(e))
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertFalse("ID" in desc_sddl)
>+ self.assertNotIn("ID", desc_sddl)
> for x in re.findall(r"\(.*?\)", mod):
>- self.assertFalse(x in desc_sddl)
>+ self.assertNotIn(x, desc_sddl)
>
> def test_203(self):
> """ OU with protected flag and add 'CI' ACE, child group.
>@@ -1366,14 +1366,14 @@ class DaclDescriptorTests(DescriptorTests):
> # that we've added manually
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
> mod = mod.replace(";CI;", ";CIID;")
>- self.assertTrue(mod in desc_sddl)
>+ self.assertIn(mod, desc_sddl)
> try:
> self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
> except LdbError as e:
> self.fail(str(e))
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertTrue(moded in desc_sddl)
>- self.assertTrue(mod in desc_sddl)
>+ self.assertIn(moded, desc_sddl)
>+ self.assertIn(mod, desc_sddl)
>
> def test_204(self):
> """ OU with protected flag and add 'OI' ACE, child group.
>@@ -1395,14 +1395,14 @@ class DaclDescriptorTests(DescriptorTests):
> # that we've added manually
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
> mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
>- self.assertTrue(mod in desc_sddl)
>+ self.assertIn(mod, desc_sddl)
> try:
> self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
> except LdbError as e:
> self.fail(str(e))
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertTrue(moded in desc_sddl)
>- self.assertTrue(mod in desc_sddl)
>+ self.assertIn(moded, desc_sddl)
>+ self.assertIn(mod, desc_sddl)
>
> def test_205(self):
> """ OU with protected flag and add 'OA' for GUID & 'CI' ACE, child group.
>@@ -1424,14 +1424,14 @@ class DaclDescriptorTests(DescriptorTests):
> # that we've added manually
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
> mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
>- self.assertTrue(mod in desc_sddl)
>+ self.assertIn(mod, desc_sddl)
> try:
> self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
> except LdbError as e:
> self.fail(str(e))
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertTrue(moded in desc_sddl)
>- self.assertTrue(mod in desc_sddl)
>+ self.assertIn(moded, desc_sddl)
>+ self.assertIn(mod, desc_sddl)
>
> def test_206(self):
> """ OU with protected flag and add 'OA' for GUID & 'OI' ACE, child group.
>@@ -1453,14 +1453,14 @@ class DaclDescriptorTests(DescriptorTests):
> # that we've added manually
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
> mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
>- self.assertTrue(mod in desc_sddl)
>+ self.assertIn(mod, desc_sddl)
> try:
> self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
> except LdbError as e:
> self.fail(str(e))
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertTrue(moded in desc_sddl)
>- self.assertTrue(mod in desc_sddl)
>+ self.assertIn(moded, desc_sddl)
>+ self.assertIn(mod, desc_sddl)
>
> def test_207(self):
> """ OU with protected flag and add 'OA' for OU specific GUID & 'CI' ACE, child group.
>@@ -1482,14 +1482,14 @@ class DaclDescriptorTests(DescriptorTests):
> # that we've added manually
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
> mod = mod.replace(";CI;", ";CIID;") # change it how it's gonna look like
>- self.assertTrue(mod in desc_sddl)
>+ self.assertIn(mod, desc_sddl)
> try:
> self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
> except LdbError as e:
> self.fail(str(e))
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertTrue(moded in desc_sddl)
>- self.assertTrue(mod in desc_sddl)
>+ self.assertIn(moded, desc_sddl)
>+ self.assertIn(mod, desc_sddl)
>
> def test_208(self):
> """ OU with protected flag and add 'OA' for OU specific GUID & 'OI' ACE, child group.
>@@ -1511,14 +1511,14 @@ class DaclDescriptorTests(DescriptorTests):
> # that we've added manually
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
> mod = mod.replace(";OI;", ";OIIOID;") # change it how it's gonna look like
>- self.assertTrue(mod in desc_sddl)
>+ self.assertIn(mod, desc_sddl)
> try:
> self.sd_utils.modify_sd_on_dn(group_dn, "D:(OA;OI;WP;bf967a39-0de6-11d0-a285-00aa003049e2;;DU)" + moded)
> except LdbError as e:
> self.fail(str(e))
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertTrue(moded in desc_sddl)
>- self.assertTrue(mod in desc_sddl)
>+ self.assertIn(moded, desc_sddl)
>+ self.assertIn(mod, desc_sddl)
>
> def test_209(self):
> """ OU with protected flag and add 'CI' ACE with 'CO' SID, child group.
>@@ -1539,16 +1539,16 @@ class DaclDescriptorTests(DescriptorTests):
> # Make sure created group object contains only the above inherited ACE(s)
> # that we've added manually
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertTrue("(D;ID;WP;;;AU)" in desc_sddl)
>- self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
>+ self.assertIn("(D;ID;WP;;;AU)", desc_sddl)
>+ self.assertIn("(D;CIIOID;WP;;;CO)", desc_sddl)
> try:
> self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded)
> except LdbError as e:
> self.fail(str(e))
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertTrue(moded in desc_sddl)
>- self.assertTrue("(D;ID;WP;;;DA)" in desc_sddl)
>- self.assertTrue("(D;CIIOID;WP;;;CO)" in desc_sddl)
>+ self.assertIn(moded, desc_sddl)
>+ self.assertIn("(D;ID;WP;;;DA)", desc_sddl)
>+ self.assertIn("(D;CIIOID;WP;;;CO)", desc_sddl)
>
> def test_210(self):
> """ OU with protected flag, provide ACEs with ID flag raised. Should be ignored.
>@@ -1562,7 +1562,7 @@ class DaclDescriptorTests(DescriptorTests):
> self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
> # Make sure created group object does not contain the ID ace
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
>+ self.assertNotIn("(A;ID;WP;;;AU)", desc_sddl)
>
> def test_211(self):
> """ Provide ACE with CO SID, should be expanded and replaced
>@@ -1576,8 +1576,8 @@ class DaclDescriptorTests(DescriptorTests):
> tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
> self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertTrue("(D;;WP;;;DA)" in desc_sddl)
>- self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
>+ self.assertIn("(D;;WP;;;DA)", desc_sddl)
>+ self.assertIn("(D;CIIO;WP;;;CO)", desc_sddl)
>
> def test_212(self):
> """ Provide ACE with IO flag, should be ignored
>@@ -1593,9 +1593,9 @@ class DaclDescriptorTests(DescriptorTests):
> # Make sure created group object contains only the above inherited ACE(s)
> # that we've added manually
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertTrue("(D;CIIO;WP;;;CO)" in desc_sddl)
>- self.assertFalse("(D;;WP;;;DA)" in desc_sddl)
>- self.assertFalse("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)" in desc_sddl)
>+ self.assertIn("(D;CIIO;WP;;;CO)", desc_sddl)
>+ self.assertNotIn("(D;;WP;;;DA)", desc_sddl)
>+ self.assertNotIn("(D;CIIO;WP;;;CO)(D;CIIO;WP;;;CO)", desc_sddl)
>
> def test_213(self):
> """ Provide ACE with IO flag, should be ignored
>@@ -1610,7 +1610,7 @@ class DaclDescriptorTests(DescriptorTests):
> # Make sure created group object contains only the above inherited ACE(s)
> # that we've added manually
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertFalse("(D;IO;WP;;;DA)" in desc_sddl)
>+ self.assertNotIn("(D;IO;WP;;;DA)", desc_sddl)
>
> def test_214(self):
> """ Test behavior of ACEs containing generic rights
>@@ -1644,22 +1644,22 @@ class DaclDescriptorTests(DescriptorTests):
>
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn1)
> self.assertIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
>- self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
>+ self.assertIn("(A;CIIO;GA;;;DU)", desc_sddl)
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn2)
> self.assertNotIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
>- self.assertTrue("(A;CIIO;GA;;;DU)" in desc_sddl)
>+ self.assertIn("(A;CIIO;GA;;;DU)", desc_sddl)
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn3)
> self.assertIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
>- self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
>+ self.assertNotIn("(A;CIIO;GA;;;DU)", desc_sddl)
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn4)
> self.assertNotIn("(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
>- self.assertFalse("(A;CIIO;GA;;;DU)" in desc_sddl)
>+ self.assertNotIn("(A;CIIO;GA;;;DU)", desc_sddl)
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
> self.assertIn("(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
>- self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
>+ self.assertIn("(A;CIIOID;GA;;;DU)", desc_sddl)
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn6)
> self.assertIn("(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DU)", desc_sddl)
>- self.assertTrue("(A;CIIOID;GA;;;DU)" in desc_sddl)
>+ self.assertIn("(A;CIIOID;GA;;;DU)", desc_sddl)
>
> def test_215(self):
> """ Make sure IO flag is removed in child objects
>@@ -1676,8 +1676,8 @@ class DaclDescriptorTests(DescriptorTests):
> self.ldb_admin.create_ou(ou_dn1, sd=tmp_desc)
> self.ldb_admin.create_ou(ou_dn5)
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn5)
>- self.assertTrue("(A;CIID;WP;;;DU)" in desc_sddl)
>- self.assertFalse("(A;CIIOID;WP;;;DU)" in desc_sddl)
>+ self.assertIn("(A;CIID;WP;;;DU)", desc_sddl)
>+ self.assertNotIn("(A;CIIOID;WP;;;DU)", desc_sddl)
>
> def test_216(self):
> """ Make sure ID ACES provided by user are ignored
>@@ -1693,8 +1693,8 @@ class DaclDescriptorTests(DescriptorTests):
> self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
> # Make sure created group object does not contain the ID ace
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
>- self.assertFalse("(A;;WP;;;AU)" in desc_sddl)
>+ self.assertNotIn("(A;ID;WP;;;AU)", desc_sddl)
>+ self.assertNotIn("(A;;WP;;;AU)", desc_sddl)
>
> def test_217(self):
> """ Make sure ID ACES provided by user are not ignored if P flag is set
>@@ -1710,8 +1710,8 @@ class DaclDescriptorTests(DescriptorTests):
> self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc)
> # Make sure created group object does not contain the ID ace
> desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn)
>- self.assertFalse("(A;ID;WP;;;AU)" in desc_sddl)
>- self.assertTrue("(A;;WP;;;AU)" in desc_sddl)
>+ self.assertNotIn("(A;ID;WP;;;AU)", desc_sddl)
>+ self.assertIn("(A;;WP;;;AU)", desc_sddl)
>
> ########################################################################################
>
>@@ -1734,11 +1734,11 @@ class SdFlagsDescriptorTests(DescriptorTests):
> self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
> # make sure we have modified the owner
>- self.assertTrue("O:AU" in desc_sddl)
>+ self.assertIn("O:AU", desc_sddl)
> # make sure nothing else has been modified
>- self.assertFalse("G:AU" in desc_sddl)
>- self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
>- self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
>+ self.assertNotIn("G:AU", desc_sddl)
>+ self.assertNotIn("D:(D;;CC;;;LG)", desc_sddl)
>+ self.assertNotIn("(OU;;WP;;;AU)", desc_sddl)
>
> def test_302(self):
> """ Modify a descriptor with GROUP_SECURITY_INFORMATION set.
>@@ -1749,11 +1749,11 @@ class SdFlagsDescriptorTests(DescriptorTests):
> self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
> # make sure we have modified the group
>- self.assertTrue("G:AU" in desc_sddl)
>+ self.assertIn("G:AU", desc_sddl)
> # make sure nothing else has been modified
>- self.assertFalse("O:AU" in desc_sddl)
>- self.assertFalse("D:(D;;CC;;;LG)" in desc_sddl)
>- self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
>+ self.assertNotIn("O:AU", desc_sddl)
>+ self.assertNotIn("D:(D;;CC;;;LG)", desc_sddl)
>+ self.assertNotIn("(OU;;WP;;;AU)", desc_sddl)
>
> def test_303(self):
> """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
>@@ -1764,11 +1764,11 @@ class SdFlagsDescriptorTests(DescriptorTests):
> self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
> # make sure we have modified the DACL
>- self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
>+ self.assertIn("(D;;CC;;;LG)", desc_sddl)
> # make sure nothing else has been modified
>- self.assertFalse("O:AU" in desc_sddl)
>- self.assertFalse("G:AU" in desc_sddl)
>- self.assertFalse("(OU;;WP;;;AU)" in desc_sddl)
>+ self.assertNotIn("O:AU", desc_sddl)
>+ self.assertNotIn("G:AU", desc_sddl)
>+ self.assertNotIn("(OU;;WP;;;AU)", desc_sddl)
>
> def test_304(self):
> """ Modify a descriptor with SACL_SECURITY_INFORMATION set.
>@@ -1779,11 +1779,11 @@ class SdFlagsDescriptorTests(DescriptorTests):
> self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
> # make sure we have modified the DACL
>- self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
>+ self.assertIn("(OU;;WP;;;AU)", desc_sddl)
> # make sure nothing else has been modified
>- self.assertFalse("O:AU" in desc_sddl)
>- self.assertFalse("G:AU" in desc_sddl)
>- self.assertFalse("(D;;CC;;;LG)" in desc_sddl)
>+ self.assertNotIn("O:AU", desc_sddl)
>+ self.assertNotIn("G:AU", desc_sddl)
>+ self.assertNotIn("(D;;CC;;;LG)", desc_sddl)
>
> def test_305(self):
> """ Modify a descriptor with 0x0 set.
>@@ -1795,11 +1795,11 @@ class SdFlagsDescriptorTests(DescriptorTests):
> self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:0"])
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
> # make sure we have modified the DACL
>- self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
>+ self.assertIn("(OU;;WP;;;AU)", desc_sddl)
> # make sure nothing else has been modified
>- self.assertTrue("O:AU" in desc_sddl)
>- self.assertTrue("G:AU" in desc_sddl)
>- self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
>+ self.assertIn("O:AU", desc_sddl)
>+ self.assertIn("G:AU", desc_sddl)
>+ self.assertIn("(D;;CC;;;LG)", desc_sddl)
>
> def test_306(self):
> """ Modify a descriptor with 0xF set.
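Review bot: The comments the rewritten assertions sit under no longer describe them: in test_304 (hunk -1779) `# make sure we have modified the DACL` precedes the `(OU;;WP;;;AU)` audit-ACE check made under SECINFO_SACL, and in test_305 and test_306 (hunks -1795 and -1809) the same comment and `# make sure nothing else has been modified` precede assertIn checks that every part was modified. Since the commit rewrites each assertion line here anyway, correct the comments in the same pass, e.g. `# make sure we have modified the SACL` for test_304 and `# make sure everything has been modified` for test_305/test_306. The same stale wording appears in test_308 to test_310 (hunks -1837, -1851, -1865), where `# make sure we have read the owner` sits above the `G:`, `S:` and `D:` checks, and the test_303 docstring visible in the trailing context of hunk -1749 says SACL_SECURITY_INFORMATION while the control passed in hunk -1764 is SECINFO_DACL.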
>@@ -1809,11 +1809,11 @@ class SdFlagsDescriptorTests(DescriptorTests):
> self.sd_utils.modify_sd_on_dn(ou_dn, self.test_descr, controls=["sd_flags:1:15"])
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn)
> # make sure we have modified the DACL
>- self.assertTrue("(OU;;WP;;;AU)" in desc_sddl)
>+ self.assertIn("(OU;;WP;;;AU)", desc_sddl)
> # make sure nothing else has been modified
>- self.assertTrue("O:AU" in desc_sddl)
>- self.assertTrue("G:AU" in desc_sddl)
>- self.assertTrue("(D;;CC;;;LG)" in desc_sddl)
>+ self.assertIn("O:AU", desc_sddl)
>+ self.assertIn("G:AU", desc_sddl)
>+ self.assertIn("(D;;CC;;;LG)", desc_sddl)
>
> def test_307(self):
> """ Read a descriptor with OWNER_SECURITY_INFORMATION
>@@ -1823,11 +1823,11 @@ class SdFlagsDescriptorTests(DescriptorTests):
> self.ldb_admin.create_ou(ou_dn)
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_OWNER)])
> # make sure we have read the owner
>- self.assertTrue("O:" in desc_sddl)
>+ self.assertIn("O:", desc_sddl)
> # make sure we have read nothing else
>- self.assertFalse("G:" in desc_sddl)
>- self.assertFalse("D:" in desc_sddl)
>- self.assertFalse("S:" in desc_sddl)
>+ self.assertNotIn("G:", desc_sddl)
>+ self.assertNotIn("D:", desc_sddl)
>+ self.assertNotIn("S:", desc_sddl)
>
> def test_308(self):
> """ Read a descriptor with GROUP_SECURITY_INFORMATION
>@@ -1837,11 +1837,11 @@ class SdFlagsDescriptorTests(DescriptorTests):
> self.ldb_admin.create_ou(ou_dn)
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_GROUP)])
> # make sure we have read the owner
>- self.assertTrue("G:" in desc_sddl)
>+ self.assertIn("G:", desc_sddl)
> # make sure we have read nothing else
>- self.assertFalse("O:" in desc_sddl)
>- self.assertFalse("D:" in desc_sddl)
>- self.assertFalse("S:" in desc_sddl)
>+ self.assertNotIn("O:", desc_sddl)
>+ self.assertNotIn("D:", desc_sddl)
>+ self.assertNotIn("S:", desc_sddl)
>
> def test_309(self):
> """ Read a descriptor with SACL_SECURITY_INFORMATION
>@@ -1851,11 +1851,11 @@ class SdFlagsDescriptorTests(DescriptorTests):
> self.ldb_admin.create_ou(ou_dn)
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_SACL)])
> # make sure we have read the owner
>- self.assertTrue("S:" in desc_sddl)
>+ self.assertIn("S:", desc_sddl)
> # make sure we have read nothing else
>- self.assertFalse("O:" in desc_sddl)
>- self.assertFalse("D:" in desc_sddl)
>- self.assertFalse("G:" in desc_sddl)
>+ self.assertNotIn("O:", desc_sddl)
>+ self.assertNotIn("D:", desc_sddl)
>+ self.assertNotIn("G:", desc_sddl)
>
> def test_310(self):
> """ Read a descriptor with DACL_SECURITY_INFORMATION
>@@ -1865,11 +1865,11 @@ class SdFlagsDescriptorTests(DescriptorTests):
> self.ldb_admin.create_ou(ou_dn)
> desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn, controls=["sd_flags:1:%d" % (SECINFO_DACL)])
> # make sure we have read the owner
>- self.assertTrue("D:" in desc_sddl)
>+ self.assertIn("D:", desc_sddl)
> # make sure we have read nothing else
>- self.assertFalse("O:" in desc_sddl)
>- self.assertFalse("S:" in desc_sddl)
>- self.assertFalse("G:" in desc_sddl)
>+ self.assertNotIn("O:", desc_sddl)
>+ self.assertNotIn("S:", desc_sddl)
>+ self.assertNotIn("G:", desc_sddl)
>
> def test_311(self):
> sd_flags = (SECINFO_OWNER |
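Review bot: The context comment `# make sure we have read the owner` in test_308 sits above the new `self.assertIn("G:", desc_sddl)`, but that assertion checks the group section of a read done with `SECINFO_GROUP`; the comment was carried over from test_307. Suggest `# make sure we have read the group` here, and `# make sure we have read the SACL` / `# make sure we have read the DACL` for the same stale comment in the test_309 and test_310 hunks below, since a reader skimming these tests uses the comments to tell the four near-identical cases apart. Each of these test bodies starts before its hunk.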
>@@ -1879,121 +1879,121 @@ class SdFlagsDescriptorTests(DescriptorTests): > > res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, > [], controls=None) >- self.assertFalse("nTSecurityDescriptor" in res[0]) >+ self.assertNotIn("nTSecurityDescriptor", res[0]) > > res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, > ["name"], controls=None) >- self.assertFalse("nTSecurityDescriptor" in res[0]) >+ self.assertNotIn("nTSecurityDescriptor", res[0]) > > res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, > ["name"], controls=["sd_flags:1:%d" % (sd_flags)]) >- self.assertFalse("nTSecurityDescriptor" in res[0]) >+ self.assertNotIn("nTSecurityDescriptor", res[0]) > > res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, > controls=["sd_flags:1:%d" % (sd_flags)]) >- self.assertTrue("nTSecurityDescriptor" in res[0]) >+ self.assertIn("nTSecurityDescriptor", res[0]) > tmp = res[0]["nTSecurityDescriptor"][0] > sd = ndr_unpack(security.descriptor, tmp) > sddl = sd.as_sddl(self.sd_utils.domain_sid) >- self.assertTrue("O:" in sddl) >- self.assertTrue("G:" in sddl) >- self.assertTrue("D:" in sddl) >- self.assertTrue("S:" in sddl) >+ self.assertIn("O:", sddl) >+ self.assertIn("G:", sddl) >+ self.assertIn("D:", sddl) >+ self.assertIn("S:", sddl) > > res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, > ["*"], controls=["sd_flags:1:%d" % (sd_flags)]) >- self.assertTrue("nTSecurityDescriptor" in res[0]) >+ self.assertIn("nTSecurityDescriptor", res[0]) > tmp = res[0]["nTSecurityDescriptor"][0] > sd = ndr_unpack(security.descriptor, tmp) > sddl = sd.as_sddl(self.sd_utils.domain_sid) >- self.assertTrue("O:" in sddl) >- self.assertTrue("G:" in sddl) >- self.assertTrue("D:" in sddl) >- self.assertTrue("S:" in sddl) >+ self.assertIn("O:", sddl) >+ self.assertIn("G:", sddl) >+ self.assertIn("D:", sddl) >+ self.assertIn("S:", sddl) > > res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, > ["nTSecurityDescriptor", "*"], controls=["sd_flags:1:%d" % 
(sd_flags)]) >- self.assertTrue("nTSecurityDescriptor" in res[0]) >+ self.assertIn("nTSecurityDescriptor", res[0]) > tmp = res[0]["nTSecurityDescriptor"][0] > sd = ndr_unpack(security.descriptor, tmp) > sddl = sd.as_sddl(self.sd_utils.domain_sid) >- self.assertTrue("O:" in sddl) >- self.assertTrue("G:" in sddl) >- self.assertTrue("D:" in sddl) >- self.assertTrue("S:" in sddl) >+ self.assertIn("O:", sddl) >+ self.assertIn("G:", sddl) >+ self.assertIn("D:", sddl) >+ self.assertIn("S:", sddl) > > res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, > ["*", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)]) >- self.assertTrue("nTSecurityDescriptor" in res[0]) >+ self.assertIn("nTSecurityDescriptor", res[0]) > tmp = res[0]["nTSecurityDescriptor"][0] > sd = ndr_unpack(security.descriptor, tmp) > sddl = sd.as_sddl(self.sd_utils.domain_sid) >- self.assertTrue("O:" in sddl) >- self.assertTrue("G:" in sddl) >- self.assertTrue("D:" in sddl) >- self.assertTrue("S:" in sddl) >+ self.assertIn("O:", sddl) >+ self.assertIn("G:", sddl) >+ self.assertIn("D:", sddl) >+ self.assertIn("S:", sddl) > > res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, > ["nTSecurityDescriptor", "name"], controls=["sd_flags:1:%d" % (sd_flags)]) >- self.assertTrue("nTSecurityDescriptor" in res[0]) >+ self.assertIn("nTSecurityDescriptor", res[0]) > tmp = res[0]["nTSecurityDescriptor"][0] > sd = ndr_unpack(security.descriptor, tmp) > sddl = sd.as_sddl(self.sd_utils.domain_sid) >- self.assertTrue("O:" in sddl) >- self.assertTrue("G:" in sddl) >- self.assertTrue("D:" in sddl) >- self.assertTrue("S:" in sddl) >+ self.assertIn("O:", sddl) >+ self.assertIn("G:", sddl) >+ self.assertIn("D:", sddl) >+ self.assertIn("S:", sddl) > > res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, > ["name", "nTSecurityDescriptor"], controls=["sd_flags:1:%d" % (sd_flags)]) >- self.assertTrue("nTSecurityDescriptor" in res[0]) >+ self.assertIn("nTSecurityDescriptor", res[0]) > tmp = 
res[0]["nTSecurityDescriptor"][0] > sd = ndr_unpack(security.descriptor, tmp) > sddl = sd.as_sddl(self.sd_utils.domain_sid) >- self.assertTrue("O:" in sddl) >- self.assertTrue("G:" in sddl) >- self.assertTrue("D:" in sddl) >- self.assertTrue("S:" in sddl) >+ self.assertIn("O:", sddl) >+ self.assertIn("G:", sddl) >+ self.assertIn("D:", sddl) >+ self.assertIn("S:", sddl) > > res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, > ["nTSecurityDescriptor"], controls=None) >- self.assertTrue("nTSecurityDescriptor" in res[0]) >+ self.assertIn("nTSecurityDescriptor", res[0]) > tmp = res[0]["nTSecurityDescriptor"][0] > sd = ndr_unpack(security.descriptor, tmp) > sddl = sd.as_sddl(self.sd_utils.domain_sid) >- self.assertTrue("O:" in sddl) >- self.assertTrue("G:" in sddl) >- self.assertTrue("D:" in sddl) >- self.assertTrue("S:" in sddl) >+ self.assertIn("O:", sddl) >+ self.assertIn("G:", sddl) >+ self.assertIn("D:", sddl) >+ self.assertIn("S:", sddl) > > res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, > ["name", "nTSecurityDescriptor"], controls=None) >- self.assertTrue("nTSecurityDescriptor" in res[0]) >+ self.assertIn("nTSecurityDescriptor", res[0]) > tmp = res[0]["nTSecurityDescriptor"][0] > sd = ndr_unpack(security.descriptor, tmp) > sddl = sd.as_sddl(self.sd_utils.domain_sid) >- self.assertTrue("O:" in sddl) >- self.assertTrue("G:" in sddl) >- self.assertTrue("D:" in sddl) >- self.assertTrue("S:" in sddl) >+ self.assertIn("O:", sddl) >+ self.assertIn("G:", sddl) >+ self.assertIn("D:", sddl) >+ self.assertIn("S:", sddl) > > res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, > ["nTSecurityDescriptor", "name"], controls=None) >- self.assertTrue("nTSecurityDescriptor" in res[0]) >+ self.assertIn("nTSecurityDescriptor", res[0]) > tmp = res[0]["nTSecurityDescriptor"][0] > sd = ndr_unpack(security.descriptor, tmp) > sddl = sd.as_sddl(self.sd_utils.domain_sid) >- self.assertTrue("O:" in sddl) >- self.assertTrue("G:" in sddl) >- self.assertTrue("D:" in 
sddl) >- self.assertTrue("S:" in sddl) >+ self.assertIn("O:", sddl) >+ self.assertIn("G:", sddl) >+ self.assertIn("D:", sddl) >+ self.assertIn("S:", sddl) > > def test_312(self): > """This search is done by the windows dc join...""" > > res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None, ["1.1"], > controls=["extended_dn:1:0", "sd_flags:1:0", "search_options:1:1"]) >- self.assertFalse("nTSecurityDescriptor" in res[0]) >+ self.assertNotIn("nTSecurityDescriptor", res[0]) > > > class RightsAttributesTests(DescriptorTests): >@@ -2068,7 +2068,7 @@ class RightsAttributesTests(DescriptorTests): > attrs=["allowedChildClassesEffective"]) > # there should be no allowed child classes > self.assertEqual(len(res), 1) >- self.assertFalse("allowedChildClassesEffective" in res[0].keys()) >+ self.assertNotIn("allowedChildClassesEffective", res[0].keys()) > # give the user the right to create children of type user > mod = "(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) > self.sd_utils.dacl_add_ace(object_dn, mod) >@@ -2092,7 +2092,7 @@ class RightsAttributesTests(DescriptorTests): > attrs=["allowedAttributesEffective"]) > # there should be no allowed attributes > self.assertEqual(len(res), 1) >- self.assertFalse("allowedAttributesEffective" in res[0].keys()) >+ self.assertNotIn("allowedAttributesEffective", res[0].keys()) > # give the user the right to write displayName and managedBy > mod2 = "(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;%s)" % str(user_sid) > mod = "(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;%s)" % str(user_sid) 
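Review bot: test_311 repeats the same unpack-and-check sequence (`assertIn("nTSecurityDescriptor", ...)`, `ndr_unpack`, `as_sddl`, four `assertIn` on the section markers) eight times with only the search arguments differing; since every one of those lines is being touched by the assertIn conversion anyway, folding them into one helper would leave a single place that defines what a "full descriptor" looks like. It would also make visible that the test only checks for the `O:`/`G:`/`D:`/`S:` section prefixes and says nothing about the ACEs inside them, which is fine for an sd_flags test but worth a one-line comment. test_311's `def` line is in the previous hunk.
```python
    def _assert_full_sd(self, res):
        # Only the presence of the four sections is checked here; the
        # ACE contents are covered by the DaclDescriptorTests.
        self.assertIn("nTSecurityDescriptor", res[0])
        sd = ndr_unpack(security.descriptor, res[0]["nTSecurityDescriptor"][0])
        sddl = sd.as_sddl(self.sd_utils.domain_sid)
        for section in ("O:", "G:", "D:", "S:"):
            self.assertIn(section, sddl)

    # … unchanged: the three searches that must not return nTSecurityDescriptor …
        res = self.ldb_admin.search(self.base_dn, SCOPE_BASE, None,
                                    controls=["sd_flags:1:%d" % (sd_flags)])
        self._assert_full_sd(res)
    # … unchanged: the remaining searches, each followed by self._assert_full_sd(res) …
```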
>@@ -2104,8 +2104,8 @@ class RightsAttributesTests(DescriptorTests): > # value should only contain user and managedBy > self.assertEqual(len(res), 1) > self.assertEqual(len(res[0]["allowedAttributesEffective"]), 2) >- self.assertTrue(b"displayName" in res[0]["allowedAttributesEffective"]) >- self.assertTrue(b"managedBy" in res[0]["allowedAttributesEffective"]) >+ self.assertIn(b"displayName", res[0]["allowedAttributesEffective"]) >+ self.assertIn(b"managedBy", res[0]["allowedAttributesEffective"]) > > > class SdAutoInheritTests(DescriptorTests): >@@ -2144,8 +2144,8 @@ class SdAutoInheritTests(DescriptorTests): > ou_sddl0 = ou_sd0.as_sddl(self.domain_sid) > sub_sddl0 = sub_sd0.as_sddl(self.domain_sid) > >- self.assertFalse(ace in ou_sddl0) >- self.assertFalse(ace in sub_sddl0) >+ self.assertNotIn(ace, ou_sddl0) >+ self.assertNotIn(ace, sub_sddl0) > > ou_sddl1 = (ou_sddl0[:ou_sddl0.index("(")] + ace + > ou_sddl0[ou_sddl0.index("("):]) >@@ -2179,12 +2179,12 @@ class SdAutoInheritTests(DescriptorTests): > print("sub0: %s" % sub_sddl0) > print("sub2: %s" % sub_sddl2) > >- self.assertTrue(ace in ou_sddl2) >- self.assertTrue(sub_ace in sub_sddl2) >+ self.assertIn(ace, ou_sddl2) >+ self.assertIn(sub_ace, sub_sddl2) > > ou_usn0 = int(ou_res0[0]["uSNChanged"][0]) > ou_usn2 = int(ou_res2[0]["uSNChanged"][0]) >- self.assertTrue(ou_usn2 > ou_usn0) >+ self.assertGreater(ou_usn2, ou_usn0) > > sub_usn0 = int(sub_res0[0]["uSNChanged"][0]) > sub_usn2 = int(sub_res2[0]["uSNChanged"][0]) >-- >2.34.1 > > >From 39c147b117cfa11a6f54e0f567070f427c4888d1 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 22 Mar 2023 14:48:00 +0100 >Subject: [PATCH 6/8] s4:dsdb/tests: allow sec_descriptor.py to run against > Windows 2022 > >We need SEC_STD_DELETE in order to run the test twice against the same server. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338 
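Review bot: The `assertGreater` conversion in the last hunk stops at the ou_usn pair: `sub_usn0` and `sub_usn2` are computed on the hunk's final two lines and their comparison follows just outside it, presumably still as `assertTrue(sub_usn2 > sub_usn0)`; changing it to `self.assertGreater(sub_usn2, sub_usn0)` in the same pass keeps both checks reporting the actual USN values on failure. The `print("sub0: %s" % sub_sddl0)` / `print("sub2: %s" % sub_sddl2)` context lines above the `assertIn(ace, ou_sddl2)` look like leftover debugging output in a selftest; dropping them or passing the SDDL as the assertion message, e.g. `self.assertIn(ace, ou_sddl2, ou_sddl2)`, gives the same information only when it matters. The enclosing test body starts before the hunk and ends after it.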
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 731c85add116b8ab192d9a2d3bc56296635a226d)
>---
> source4/dsdb/tests/python/sec_descriptor.py | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
>diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
>index 5c69462c69a7..c8d506a76ec0 100755
>--- a/source4/dsdb/tests/python/sec_descriptor.py
>+++ b/source4/dsdb/tests/python/sec_descriptor.py
>@@ -1623,7 +1623,7 @@ class DaclDescriptorTests(DescriptorTests):
> ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
> ou_dn6 = "OU=test_inherit_ou6," + ou_dn2
> # Create inheritable-free OU
>- mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
>+ mod = "D:P(A;CI;WPRPLCCCDCWDRCSD;;;DA)"
> tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
> self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
> mod = "D:(A;CI;GA;;;DU)"
>@@ -1668,7 +1668,7 @@ class DaclDescriptorTests(DescriptorTests):
> ou_dn1 = "OU=test_inherit_ou1," + ou_dn
> ou_dn5 = "OU=test_inherit_ou5," + ou_dn1
> # Create inheritable-free OU
>- mod = "D:P(A;CI;WPRPLCCCDCWDRC;;;DA)"
>+ mod = "D:P(A;CI;WPRPLCCCDCWDRCSD;;;DA)"
> tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
> self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
> mod = "D:(A;CIIO;WP;;;DU)"
>@@ -1684,7 +1684,7 @@ class DaclDescriptorTests(DescriptorTests):
> """
> ou_dn = "OU=test_inherit_ou," + self.base_dn
> group_dn = "CN=test_inherit_group," + ou_dn
>- mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
>+ mod = "D:P(A;;WPRPLCCCDCWDRCSD;;;DA)"
> tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
> self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
> # Add some custom ACE
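Review bot: The new `SD` in `mod = "D:P(A;CI;WPRPLCCCDCWDRCSD;;;DA)"` carries a rationale that lives only in the commit message: `P` makes the OU take no inherited ACEs, so Domain Admins hold exactly the rights listed, and without DELETE the OU cannot be removed again for a second run against the same server (Windows 2022 per the subject). A comment beside the literal, e.g. `# P drops inherited admin rights, so grant SD explicitly or the OU cannot be deleted again`, keeps the next person who trims the mask from re-introducing the problem. The same literal now appears in four tests (this hunk and the three below, the last two without `CI`); a class-level constant such as `PROTECTED_DA_DACL = "D:P(A;CI;WPRPLCCCDCWDRCSD;;;DA)"` would keep them in step. Note that `DT` is still not granted, so a variant of these tests that leaves children under the OU would presumably hit the same cleanup failure. Each test body starts before its hunk.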
>@@ -1701,7 +1701,7 @@ class DaclDescriptorTests(DescriptorTests):
> """
> ou_dn = "OU=test_inherit_ou," + self.base_dn
> group_dn = "CN=test_inherit_group," + ou_dn
>- mod = "D:P(A;;WPRPLCCCDCWDRC;;;DA)"
>+ mod = "D:P(A;;WPRPLCCCDCWDRCSD;;;DA)"
> tmp_desc = security.descriptor.from_sddl(mod, self.domain_sid)
> self.ldb_admin.create_ou(ou_dn, sd=tmp_desc)
> # Add some custom ACE
>--
>2.34.1
>
>
>From 7182cf978da7490a5111cfab05a0ab6ad9ce648d Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 22 Mar 2023 14:48:00 +0100
>Subject: [PATCH 7/8] s4:dsdb/tests: add more detailed tests to
> sec_descriptor.py
>
>These demonstrate how inherited aces are constructed and applies
>per objectclass, with and without the NO_PROPAGATE_INHERIT flag.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit a0217c50e920557046628bb171f2addea2ad7416)
>---
> .../knownfail.d/samba4.ldap.secdesc.python | 13 +
> source4/dsdb/tests/python/sec_descriptor.py | 501 ++++++++++++++++++
> 2 files changed, 514 insertions(+)
> create mode 100644 selftest/knownfail.d/samba4.ldap.secdesc.python
>
>diff --git a/selftest/knownfail.d/samba4.ldap.secdesc.python b/selftest/knownfail.d/samba4.ldap.secdesc.python
>new file mode 100644
>index 000000000000..4caef1ff2625
>--- /dev/null
>+++ b/selftest/knownfail.d/samba4.ldap.secdesc.python
>@@ -0,0 +1,13 @@
>+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_and_io_on_attribute
>+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_and_np_on_attribute
>+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_ga_name_attr_objectclass_same
>+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_ga_no_attr_objectclass_same
>+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_name_attr_objectclass_different
>+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_name_attr_objectclass_same
>+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_no_attr_objectclass_different
>+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_no_attr_objectclass_same
>+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_name_attr_objectclass_different
>+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_name_attr_objectclass_same
>+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_no_attr_objectclass_different
>+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_no_attr_objectclass_same
>+^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_oi_and_np_on_attribute
>diff --git a/source4/dsdb/tests/python/sec_descriptor.py b/source4/dsdb/tests/python/sec_descriptor.py
>index c8d506a76ec0..56ad098ddeb3 100755
>--- a/source4/dsdb/tests/python/sec_descriptor.py
>+++ b/source4/dsdb/tests/python/sec_descriptor.py
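Review bot: test_ci_lc_no_attr_objectclass_different is kept off this list, but in its body further down in this patch the negative pattern is `modno = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"` — the expanded GA mask copied from the GA variant — while the parent ACE it adds only grants `LC`, so `assertNotIn(modno, desc_sddl)` can never fire and the test does not actually check that an LC ACE scoped to an unrelated class stays off the group object. Its siblings test_ci_lc_no_attr_objectclass_same and test_ci_np_lc_no_attr_objectclass_different use `modno = "(A;ID;LC;;;DA)"`, and the same string is what this test should use; if it then fails before the fix in patch 8, it belongs on this list. Because this file decides which inheritance regressions the build notices, a vacuous negative check here is worth fixing alongside the list.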
>@@ -1713,6 +1713,507 @@ class DaclDescriptorTests(DescriptorTests): > self.assertNotIn("(A;ID;WP;;;AU)", desc_sddl) > self.assertIn("(A;;WP;;;AU)", desc_sddl) > >+ def test_ci_and_io_on_attribute(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CIOI;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ mod = mod.replace(";CIOI;", ";OICIID;") # change it how it's gonna look like >+ self.assertIn(mod, desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertIn(mod, desc_sddl) >+ >+ def test_ci_and_np_on_attribute(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CINP;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ mod = mod.replace(";CINP;", ";ID;") # change it how it's gonna look like >+ self.assertIn(mod, desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, 
"D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertIn(mod, desc_sddl) >+ >+ def test_oi_and_np_on_attribute(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;OINP;WP;bf967a0e-0de6-11d0-a285-00aa003049e2;;DU)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ mod = mod.replace(";OINP;", ";ID;") # change it how it's gonna look like >+ self.assertNotIn(mod, desc_sddl) >+ self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertNotIn(mod, desc_sddl) >+ self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl) >+ >+ def test_ci_ga_no_attr_objectclass_same(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CI;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ modob = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)" >+ modid = "(OA;CIIOID;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ 
self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(modob, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertIn(modob, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ >+ def test_ci_ga_no_attr_objectclass_different(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CI;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" >+ modno = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)" >+ modid = "(OA;CIIOID;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ >+ def test_ci_ga_name_attr_objectclass_same(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CI;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ modob = 
"(OA;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)" >+ modid = "(OA;CIIOID;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(modob, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertIn(modob, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ >+ def test_ci_ga_name_attr_objectclass_different(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CI;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" >+ modno = "(OA;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)" >+ modid = "(OA;CIIOID;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ 
self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ >+ def test_ci_lc_no_attr_objectclass_same(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CI;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ modno = "(A;ID;LC;;;DA)" >+ modid = "(OA;CIID;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ >+ def test_ci_lc_no_attr_objectclass_different(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CI;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" >+ modno = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)" >+ modid = "(OA;CIIOID;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", 
groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ >+ def test_ci_lc_name_attr_objectclass_same(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CI;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ modob = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)" >+ modid = "(OA;CIID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertNotIn(modob, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertNotIn(modob, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ >+ def test_ci_lc_name_attr_objectclass_different(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CI;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" >+ 
modno = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)" >+ modid = "(OA;CIIOID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertIn(modid, desc_sddl) >+ >+ def test_ci_np_ga_no_attr_objectclass_same(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ # Add some custom 'OA' for 'name' attribute & 'CI'+'OI' ACE >+ mod = "(OA;CINP;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ modob = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)" >+ modid = "(OA;CIIOID;GA;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(modob, desc_sddl) >+ self.assertNotIn(modid, desc_sddl) >+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError 
as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertNotIn(modid, desc_sddl) >+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) >+ >+ def test_ci_np_ga_no_attr_objectclass_different(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CINP;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" >+ modno = "(A;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)" >+ modid = "(OA;CIIOID;GA;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertNotIn(modid, desc_sddl) >+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertNotIn(modid, desc_sddl) >+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) >+ >+ def test_ci_np_ga_name_attr_objectclass_same(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CINP;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ modob = "(OA;ID;CCDCLCSWRPWPDTLOCRSDRCWDWO;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)" >+ modid = 
"(OA;CIIOID;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(modob, desc_sddl) >+ self.assertNotIn(modid, desc_sddl) >+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertIn(modob, desc_sddl) >+ self.assertNotIn(modid, desc_sddl) >+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) >+ >+ def test_ci_np_ga_name_attr_objectclass_different(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CINP;GA;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl) >+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = 
self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl) >+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) >+ >+ def test_ci_np_lc_no_attr_objectclass_same(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CINP;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ modno = "(A;ID;LC;;;DA)" >+ modid = "(OA;CIID;LC;;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(modno, desc_sddl) >+ self.assertNotIn(modid, desc_sddl) >+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertIn(modno, desc_sddl) >+ self.assertNotIn(modid, desc_sddl) >+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) >+ >+ def test_ci_np_lc_no_attr_objectclass_different(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CINP;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" >+ modno = "(A;ID;LC;;;DA)" >+ modid = "(OA;CIIOID;LC;;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child 
object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertNotIn(modid, desc_sddl) >+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertNotIn(modid, desc_sddl) >+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) >+ >+ def test_ci_np_lc_name_attr_objectclass_same(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CINP;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ modob = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)" >+ modid = "(OA;CIID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;bf967a9c-0de6-11d0-a285-00aa003049e2;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(modob, desc_sddl) >+ self.assertNotIn(modid, desc_sddl) >+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertIn(modob, 
desc_sddl) >+ self.assertNotIn(modid, desc_sddl) >+ self.assertNotIn("bf967a9c-0de6-11d0-a285-00aa003049e2", desc_sddl) >+ >+ def test_ci_np_lc_name_attr_objectclass_different(self): >+ ou_dn = "OU=test_inherit_ou," + self.base_dn >+ group_dn = "CN=test_inherit_group," + ou_dn >+ # Create inheritable-free OU >+ self.create_clean_ou(ou_dn) >+ mod = "(OA;CINP;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" >+ modno = "(OA;ID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;;DA)" >+ modid = "(OA;CIIOID;LC;bf967a0e-0de6-11d0-a285-00aa003049e2;aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;DA)" >+ moded = "(D;;CC;;;LG)" >+ self.sd_utils.dacl_add_ace(ou_dn, mod) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(ou_dn) >+ # Create group child object >+ tmp_desc = security.descriptor.from_sddl("O:AUG:AUD:AI(A;;CC;;;AU)", self.domain_sid) >+ self.ldb_admin.newgroup("test_inherit_group", groupou="OU=test_inherit_ou", grouptype=4, sd=tmp_desc) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertNotIn(modid, desc_sddl) >+ self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl) >+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) >+ try: >+ self.sd_utils.modify_sd_on_dn(group_dn, "D:" + moded) >+ except LdbError as e: >+ self.fail(str(e)) >+ desc_sddl = self.sd_utils.get_sd_as_sddl(group_dn) >+ self.assertIn(moded, desc_sddl) >+ self.assertNotIn(modno, desc_sddl) >+ self.assertNotIn(modid, desc_sddl) >+ self.assertNotIn("bf967a0e-0de6-11d0-a285-00aa003049e2", desc_sddl) >+ self.assertNotIn("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", desc_sddl) >+ > ######################################################################################## > > >-- >2.34.1 > > >From 08a0b11392587d68ad9ff8467fb6ca08d490e98d Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org>
>Date: Sat, 18 Mar 2023 01:17:04 +0100
>Subject: [PATCH 8/8] libcli/security: rewrite
> calculate_inherited_from_parent()
>
>This allows us to pass the new tests we just added.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit bb09c06d6d58a04e1d270a9f99d1179cfa9acbda)
>---
> libcli/security/create_descriptor.c | 247 ++++++++++++++----
> .../knownfail.d/samba4.ldap.secdesc.python | 13 -
> 2 files changed, 192 insertions(+), 68 deletions(-)
> delete mode 100644 selftest/knownfail.d/samba4.ldap.secdesc.python
>
>diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
>index ef60d847033f..947d6c19d588 100644
>--- a/libcli/security/create_descriptor.c
>+++ b/libcli/security/create_descriptor.c
>@@ -78,7 +78,7 @@ uint32_t map_generic_rights_ds(uint32_t access_mask)
>
> /* Not sure what this has to be,
> * and it does not seem to have any influence */
>-static bool object_in_list(struct GUID *object_list, struct GUID *object)
>+static bool object_in_list(const struct GUID *object_list, const struct GUID *object)
> {
> size_t i;
>
>@@ -107,7 +107,7 @@ static bool object_in_list(struct GUID *object_list, struct GUID *object)
> /* returns true if the ACE gontains generic information
> * that needs to be processed additionally */
>
>-static bool desc_ace_has_generic(struct security_ace *ace)
>+static bool desc_ace_has_generic(const struct security_ace *ace)
> {
> if (ace->access_mask & SEC_GENERIC_ALL || ace->access_mask & SEC_GENERIC_READ ||
> ace->access_mask & SEC_GENERIC_WRITE || ace->access_mask & SEC_GENERIC_EXECUTE) {
>@@ -155,12 +155,114 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
> }
>
> for (i=0; i < acl->num_aces; i++) {
>- struct security_ace *ace = &acl->aces[i];
>- if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) ||
>- (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
>- struct GUID inherited_object = GUID_zero();
>+ const struct security_ace *ace = &acl->aces[i];
>+ const struct GUID *inherited_object = NULL;
>+ const struct GUID *inherited_property = NULL;
>+ struct security_ace *tmp_ace = NULL;
>+ bool applies = false;
>+ bool inherited_only = false;
>+ bool expand_ace = false;
>+ bool expand_only = false;
>+
>+ if (is_container && (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT)) {
>+ applies = true;
>+ } else if (!is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
>+ applies = true;
>+ }
>+
>+ if (!applies) {
>+ /*
>+ * If the ace doesn't apply to the
>+ * current node, we should only keep
>+ * it as SEC_ACE_FLAG_OBJECT_INHERIT
>+ * on a container. We'll add
>+ * SEC_ACE_FLAG_INHERITED_ACE
>+ * and SEC_ACE_FLAG_INHERIT_ONLY below.
>+ *
>+ * Otherwise we should completely ignore it.
>+ */
>+ if (!(ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
>+ continue;
>+ }
>+ }
>+
>+ switch (ace->type) {
>+ case SEC_ACE_TYPE_ACCESS_ALLOWED:
>+ case SEC_ACE_TYPE_ACCESS_DENIED:
>+ case SEC_ACE_TYPE_SYSTEM_AUDIT:
>+ case SEC_ACE_TYPE_SYSTEM_ALARM:
>+ case SEC_ACE_TYPE_ALLOWED_COMPOUND:
>+ break;
>+
>+ case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
>+ case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
>+ case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
>+ case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
>+ if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
>+ inherited_property = &ace->object.object.type.type;
>+ }
>+ if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
>+ inherited_object = &ace->object.object.inherited_type.inherited_type;
>+ }
>+
>+ if (inherited_object != NULL && !object_in_list(object_list, inherited_object)) {
>+ /*
>+ * An explicit object class schemaId is given,
>+ * but doesn't belong to the current object.
>+ */
>+ applies = false;
>+ }
>
>- tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces,
>+ break;
>+ }
>+
>+ if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
>+ if (!applies) {
>+ /*
>+ * If the ACE doesn't apply to
>+ * the current object, we should
>+ * ignore it as it should not be
>+ * inherited any further
>+ */
>+ continue;
>+ }
>+ /*
>+ * We should only keep the expanded version
>+ * of the ACE on the current object.
>+ */
>+ expand_ace = true;
>+ expand_only = true;
>+ } else if (applies) {
>+ /*
>+ * We check if should also add
>+ * the expanded version of the ACE
>+ * in addition, in case we should
>+ * expand generic access bits or
>+ * special sids.
>+ *
>+ * In that case we need to
>+ * keep the original ACE with
>+ * SEC_ACE_FLAG_INHERIT_ONLY.
>+ */
>+ expand_ace = desc_ace_has_generic(ace);
>+ if (expand_ace) {
>+ inherited_only = true;
>+ }
>+ } else {
>+ /*
>+ * If the ACE doesn't apply
>+ * to the current object,
>+ * we need to keep it with
>+ * SEC_ACE_FLAG_INHERIT_ONLY
>+ * in order to apply them to
>+ * grandchildren
>+ */
>+ inherited_only = true;
>+ }
>+
>+ if (expand_ace) {
>+ tmp_acl->aces = talloc_realloc(tmp_acl,
>+ tmp_acl->aces,
> struct security_ace,
> tmp_acl->num_aces+1);
> if (tmp_acl->aces == NULL) {
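Review bot: The `switch (ace->type)` that fills `inherited_object`/`inherited_property` has no `default:` arm, so an ACE of any type outside the nine listed falls through with both pointers NULL and `applies` unchanged; it is then inherited like a plain ACE and the object-class check this commit adds is never evaluated for it. The old code had the same gap, but now that the gate decides whether an ACE reaches an unrelated object class it is worth either `default: continue;` (do not inherit ACE types this function does not model) or at least a comment saying only these types are expected, so that any later enum additions (callback or conditional ACE types, if this tree gains them) are not silently misclassified; the downgrade `switch (tmp_ace->type)` in the next hunk has the same shape. Separately, the four `bool` flags at the top of the loop body carry the whole decision and deserve a one-line comment each, e.g. `/* ACE applies to this object, not only to grandchildren */` on `applies`, `/* keep the original only with INHERIT_ONLY, for grandchildren */` on `inherited_only`, `/* also emit a copy with generic bits/special SIDs expanded */` on `expand_ace` and `/* emit only that expanded copy (NO_PROPAGATE) */` on `expand_only`. The function starts before this hunk and the loop body continues into the next one.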
>@@ -168,61 +270,96 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
> return NULL;
> }
>
>- tmp_acl->aces[tmp_acl->num_aces] = *ace;
>- tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE;
>- /* remove IO flag from the child's ace */
>- if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
>- !desc_ace_has_generic(ace)) {
>- tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
>- }
>+ tmp_ace = &tmp_acl->aces[tmp_acl->num_aces];
>+ tmp_acl->num_aces++;
>
>- if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
>- tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
>-
>- switch (ace->type) {
>- case SEC_ACE_TYPE_ACCESS_ALLOWED:
>- case SEC_ACE_TYPE_ACCESS_DENIED:
>- case SEC_ACE_TYPE_SYSTEM_AUDIT:
>- case SEC_ACE_TYPE_SYSTEM_ALARM:
>- case SEC_ACE_TYPE_ALLOWED_COMPOUND:
>- break;
>-
>- case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
>- case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
>- case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
>- case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
>- if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
>- inherited_object = ace->object.object.inherited_type.inherited_type;
>- }
>+ *tmp_ace = *ace;
>+
>+ /*
>+ * Expand generic access bits as well as special
>+ * sids.
>+ */
>+ desc_expand_generic(tmp_ace, owner, group);
>+
>+ /*
>+ * Expanded ACEs are marked as inherited,
>+ * but never inherited any further to
>+ * grandchildren.
>+ */
>+ tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE;
>+ tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
>+ tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT;
>+ tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT;
>+
>+ /*
>+ * Expanded ACEs never have an explicit
>+ * object class schemaId, so clear it
>+ * if present.
>+ */
>+ if (inherited_object != NULL) {
>+ tmp_ace->object.object.flags &= ~SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT;
>+ }
>
>- if (!object_in_list(object_list, &inherited_object)) {
>- tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
>+ /*
>+ * If the ACE had an explicit object class
>+ * schemaId, but no attribute/propertySet
>+ * we need to downgrate the _OBJECT variants
>+ * to the normal ones.
>+ */
>+ if (inherited_property == NULL) {
>+ switch (tmp_ace->type) {
>+ case SEC_ACE_TYPE_ACCESS_ALLOWED:
>+ case SEC_ACE_TYPE_ACCESS_DENIED:
>+ case SEC_ACE_TYPE_SYSTEM_AUDIT:
>+ case SEC_ACE_TYPE_SYSTEM_ALARM:
>+ case SEC_ACE_TYPE_ALLOWED_COMPOUND:
>+ break;
>+ case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
>+ tmp_ace->type = SEC_ACE_TYPE_ACCESS_ALLOWED;
>+ break;
>+ case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
>+ tmp_ace->type = SEC_ACE_TYPE_ACCESS_DENIED;
>+ break;
>+ case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
>+ tmp_ace->type = SEC_ACE_TYPE_SYSTEM_ALARM;
>+ break;
>+ case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
>+ tmp_ace->type = SEC_ACE_TYPE_SYSTEM_AUDIT;
>+ break;
> }
>-
>- break;
> }
>
>- tmp_acl->num_aces++;
>- if (is_container) {
>- if (!(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) &&
>- (desc_ace_has_generic(ace))) {
>- tmp_acl->aces = talloc_realloc(tmp_acl,
>- tmp_acl->aces,
>- struct security_ace,
>- tmp_acl->num_aces+1);
>- if (tmp_acl->aces == NULL) {
>- talloc_free(tmp_ctx);
>- return NULL;
>- }
>- tmp_acl->aces[tmp_acl->num_aces] = *ace;
>- desc_expand_generic(&tmp_acl->aces[tmp_acl->num_aces],
>- owner,
>- group);
>- tmp_acl->aces[tmp_acl->num_aces].flags = SEC_ACE_FLAG_INHERITED_ACE;
>- tmp_acl->num_aces++;
>- }
>+ if (expand_only) {
>+ continue;
> }
> }
>+
>+ tmp_acl->aces = talloc_realloc(tmp_acl,
>+ tmp_acl->aces,
>+ struct security_ace,
>+ tmp_acl->num_aces+1);
>+ if (tmp_acl->aces == NULL) {
>+ talloc_free(tmp_ctx);
>+ return NULL;
>+ }
>+
>+ tmp_ace = &tmp_acl->aces[tmp_acl->num_aces];
>+ tmp_acl->num_aces++;
>+
>+ *tmp_ace = *ace;
>+
>+ tmp_ace->flags |= SEC_ACE_FLAG_INHERITED_ACE;
>+
>+ if (inherited_only) {
>+ tmp_ace->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
>+ } else {
>+ tmp_ace->flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
>+ }
>+
>+ if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
>+ tmp_ace->flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
>+ tmp_ace->flags &= ~SEC_ACE_FLAG_OBJECT_INHERIT;
>+ tmp_ace->flags &= ~SEC_ACE_FLAG_NO_PROPAGATE_INHERIT;
>+ }
> }
> if (tmp_acl->num_aces == 0) {
> return NULL;
>diff --git a/selftest/knownfail.d/samba4.ldap.secdesc.python b/selftest/knownfail.d/samba4.ldap.secdesc.python
>deleted file mode 100644
>index 4caef1ff2625..000000000000
>--- a/selftest/knownfail.d/samba4.ldap.secdesc.python
>+++ /dev/null
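Review bot: The comment above `if (inherited_property == NULL)` does not describe the condition it sits on: it says the downgrade happens when the ACE "had an explicit object class schemaId, but no attribute/propertySet", yet the code downgrades every `_OBJECT` ACE that lacks an attribute/propertySet GUID whether or not an object class was named, and `inherited_object` is not consulted at that point; it also spells "downgrade" as "downgrate". I would reword it to `/* Without an attribute/propertySet GUID the _OBJECT ACE types carry no extra information (the object class GUID, if any, was cleared above), so downgrade them to the plain variants. */`. The behaviour itself looks consistent with the expanded copy being a plain, non-propagating ACE, so this is wording only; the enclosing loop body starts in the previous hunk.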
>@@ -1,13 +0,0 @@
>-^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_and_io_on_attribute
>-^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_and_np_on_attribute
>-^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_ga_name_attr_objectclass_same
>-^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_ga_no_attr_objectclass_same
>-^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_name_attr_objectclass_different
>-^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_name_attr_objectclass_same
>-^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_no_attr_objectclass_different
>-^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_ga_no_attr_objectclass_same
>-^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_name_attr_objectclass_different
>-^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_name_attr_objectclass_same
>-^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_no_attr_objectclass_different
>-^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_ci_np_lc_no_attr_objectclass_same
>-^samba4.ldap.secdesc.python.*.__main__.DaclDescriptorTests.test_oi_and_np_on_attribute
>--
>2.34.1
>