Beispiel #1
0
 def test_executeAsUser_unix_user_does_not_exists(self):
     """
     If the user does not exist, executeAsUser will raise
     ChangeUserException.
     """
     with self.assertRaises(ChangeUserException):
         system_users.executeAsUser(username=u'no-such-user')
Beispiel #2
0
    def test_executeAsUser_multiple_call_on_same_credentials(self):
        """
        Test executing as a different user reusing the credentials.
        """
        test_user = mk.getTestUser(u'normal')
        with system_users.executeAsUser(
                username=test_user.name, token=test_user.token):
            pass

        with system_users.executeAsUser(
                username=test_user.name, token=test_user.token):
            pass
Beispiel #3
0
    def test_executeAsUser_Unix(self):
        """
        Test executing as a different user.
        """
        initial_uid, initial_gid = os.geteuid(), os.getegid()
        initial_groups = os.getgroups()
        test_user = mk.getTestUser(u'normal')
        self.assertNotEqual(
            sorted(self.getGroupsIDForTestAccount()),
            sorted(os.getgroups()),
            )

        with system_users.executeAsUser(username=test_user.name):
            import pwd
            import grp
            uid, gid = os.geteuid(), os.getegid()
            impersonated_username = pwd.getpwuid(uid)[0].decode('utf-8')
            impersonated_groupname = grp.getgrgid(gid)[0].decode('utf-8')
            impersonated_groups = os.getgroups()
            self.assertEqual(test_user.name, impersonated_username)
            self.assertEqual(TEST_ACCOUNT_GROUP, impersonated_groupname)
            self.assertNotEqual(initial_uid, uid)
            self.assertNotEqual(initial_gid, gid)
            self.assertNotEqual(initial_groups, impersonated_groups)
            if self.os_name != 'osx':
                # On OSX newer than 10.5 get/set groups are useless.
                self.assertEqual(
                    sorted(self.getGroupsIDForTestAccount()),
                    sorted(impersonated_groups),
                    )

        self.assertEqual(initial_uid, os.geteuid())
        self.assertEqual(initial_gid, os.getegid())
        self.assertEqual(initial_groups, os.getgroups())
Beispiel #4
0
    def test_getCurrentPrivilegesDescription_impersonated(self):
        """
        getCurrentPrivilegesDescription can be used for impersonated accounts
        and will still get full process capabilities.

        The process under impersonated account still has root capabilities.
        """
        with system_users.executeAsUser(
                username=self.os_user.name, token=self.os_user.token):
            text = self.capabilities.getCurrentPrivilegesDescription()

        self.assertEqual(u'root capabilities enabled.', text)
Beispiel #5
0
    def test_executeAsUser_NT(self):
        """
        Test executing as a different user.
        """
        test_user = mk.getTestUser(u'normal')

        with system_users.executeAsUser(
                username=test_user.name, token=test_user.token):
            self.assertEqual(
                test_user.name, system_users.getCurrentUserName())

        self.assertEqual(
            mk.username, system_users.getCurrentUserName())
Beispiel #6
0
    def test_executeAsUser(self):
        """
        It uses the token to impersonate the account under which this
        process is executed..
        """
        test_user = mk.getTestUser(u'domain')

        self.assertNotEqual(test_user.name, system_users.getCurrentUserName())

        with system_users.executeAsUser(
                username=test_user.name, token=test_user.token):
            self.assertEqual(
                test_user.name, system_users.getCurrentUserName())
Beispiel #7
0
    def test_getCurrentPrivilegesDescription_impersonated_nt(self):
        """
        getCurrentPrivilegesDescription can be used for impersonated accounts
        and will return the impersonated user's capabilities instead.
        """
        # FIXME:2095:
        # Unify tests once proper capabilities support is implemented.
        initial_text = self.capabilities.getCurrentPrivilegesDescription()
        self.assertContains(u'SeIncreaseWorkingSetPrivilege:0', initial_text)

        with system_users.executeAsUser(
                username=self.os_user.name, token=self.os_user.token):
            text = self.capabilities.getCurrentPrivilegesDescription()

        # These assertion are fragile. Feel free to improve it.
        self.assertContains(u'SeIncreaseWorkingSetPrivilege:3', text)
Beispiel #8
0
    def test_elevatePrivileges_impersonated_not_present(self):
        """
        Trying to elevate privilege under impersonated account will raise
        an error if privilege is not present.
        """
        import win32security

        with system_users.executeAsUser(
                username=self.os_user.name, token=self.os_user.token):
            initial_state = self.capabilities._getPrivilegeState(
                win32security.SE_CREATE_SYMBOLIC_LINK_NAME)
            self.assertEqual(u'absent', initial_state)

            with self.assertRaises(AdjustPrivilegeException):
                with self.capabilities._elevatePrivileges(
                        win32security.SE_CREATE_SYMBOLIC_LINK_NAME):
                    pass
Beispiel #9
0
    def test_elevatePrivileges_impersonated(self):
        """
        Can elevate privileges while running under impersonated account if
        privilege is already present.
        """
        import win32security

        initial_state = self.capabilities._getPrivilegeState(
            win32security.SE_INC_WORKING_SET_NAME)
        self.assertEqual(u'present', initial_state)

        with system_users.executeAsUser(
                username=self.os_user.name, token=self.os_user.token):
            with self.capabilities._elevatePrivileges(
                    win32security.SE_INC_WORKING_SET_NAME):
                update_state = self.capabilities._getPrivilegeState(
                    win32security.SE_INC_WORKING_SET_NAME)

        self.assertStartsWith(u'enabled', update_state)
Beispiel #10
0
    def test_authenticateWithUsernameAndPassword_good(self):
        """
        Return `True` when username and passwords are valid, together
        with a token that can be used for impersonating the account.
        """
        result, token = system_users.authenticateWithUsernameAndPassword(
            username=TEST_ACCOUNT_USERNAME_DOMAIN,
            password=TEST_ACCOUNT_PASSWORD_DOMAIN,
            )

        self.assertIsTrue(result)
        self.assertIsNotNone(token)

        with system_users.executeAsUser(
                username=TEST_ACCOUNT_USERNAME_DOMAIN, token=token):
            self.assertEqual(
                TEST_ACCOUNT_USERNAME_DOMAIN,
                system_users.getCurrentUserName(),
                )
Beispiel #11
0
    def test_executeAsUser_Unix(self):
        """
        Test executing as a different user.
        """
        initial_uid, initial_gid = os.geteuid(), os.getegid()
        initial_groups = os.getgroups()
        test_user = mk.getTestUser(u'normal')
        self.assertNotEqual(
            sorted(self.getGroupsIDForTestAccount()),
            sorted(os.getgroups()),
            )

        with system_users.executeAsUser(username=test_user.name):
            import pwd
            import grp
            uid, gid = os.geteuid(), os.getegid()
            impersonated_username = pwd.getpwuid(uid)[0].decode('utf-8')
            impersonated_groupname = grp.getgrgid(gid)[0].decode('utf-8')
            impersonated_groups = os.getgroups()
            self.assertEqual(test_user.name, impersonated_username)
            self.assertEqual(TEST_ACCOUNT_GROUP, impersonated_groupname)
            self.assertNotEqual(initial_uid, uid)
            self.assertNotEqual(initial_gid, gid)
            if self.os_name != 'osx':
                # FIXME:3808:
                # Investigate why this no longer works/passes on OSX.
                # On OSX newer than 10.5 get/set groups are useless.
                self.assertNotEqual(initial_groups, impersonated_groups)

                # On Alpine, we get duplicate groups from the Python os.
                if self.os_version.startswith('alpine'):
                    impersonated_groups = list(set(impersonated_groups))

                self.assertEqual(
                    sorted(self.getGroupsIDForTestAccount()),
                    sorted(impersonated_groups),
                    )

        self.assertEqual(initial_uid, os.geteuid())
        self.assertEqual(initial_gid, os.getegid())
        self.assertEqual(initial_groups, os.getgroups())