def log_event(source, type="error", message=None, data=None, id=0, category=0, principal=core.UNSET):
"""Convenience function to log an event against an existing source.
:param source: anything accepted by :func:`event_source`
:param type: an :data:`EVENTLOG_TYPE`
:param message: a string or list of strings
:param data: a bytestring
:param id: a number corresponding to the event message
:param category: a number relevant to the event source
:param principal: anything which :func:`accounts.principal` accepts [logged-on user]
"""
type = EVENTLOG_TYPE.constant(type)
principal = accounts.me() if principal is core.UNSET else accounts.principal(principal)
if isinstance(message, basestring):
message = [message]
message = message or []
with event_source(source) as hLog:
wrapped(
win32evtlog.ReportEvent,
hLog,
type,
category,
id,
principal.pyobject(),
message,
data
)
def _from_sid_and_attribute (data): sid, attributes = data # # SDK says that no attributes are defined at present, # so ignore them! # return accounts.principal (sid)
def delete_user(user_name=None):
if user_name is None:
user_name = util.get_param(2, None)
if user_name is None:
p("}}enInvalid User name - not removing account!}}xx")
return False
curr_user = None
try:
curr_user = accounts.principal(user_name)
except Exception as ex:
p("}}rbInvalid User Account - Not deleting!}}xx", debug_level=1)
return False
# Remove the profile first
ret = UserAccounts.remove_account_profile(user_name)
# Remove the local user
try:
curr_user.delete()
except Exception as ex:
p("}}rbError - Unable to remove account: " + str(user_name) +
"}}xx\n" + str(ex))
return False
return True
def _from_sid_and_attribute(data):
sid, attributes = data
#
# SDK says that no attributes are defined at present,
# so ignore them!
#
return accounts.principal(sid)
def log_event(source,
type="error",
message=None,
data=None,
id=0,
category=0,
principal=core.UNSET):
"""Convenience function to log an event against an existing source.
:param source: anything accepted by :func:`event_source`
:param type: an :data:`EVENTLOG_TYPE`
:param message: a string or list of strings
:param data: a bytestring
:param id: a number corresponding to the event message
:param category: a number relevant to the event source
:param principal: anything which :func:`accounts.principal` accepts [logged-on user]
"""
type = EVENTLOG_TYPE.constant(type)
principal = accounts.me(
) if principal is core.UNSET else accounts.principal(principal)
if isinstance(message, basestring):
message = [message]
message = message or []
with event_source(source) as hLog:
wrapped(win32evtlog.ReportEvent, hLog, type, category, id,
principal.pyobject(), message, data)
def from_tuple(cls, ace_info):
(trustee, access, audit_what) = ace_info
audit_success, audit_failure = cls._audit_what(audit_what)
return cls(trustee=accounts.principal(trustee),
access=cls._access(access),
type=ACE_TYPE.SYSTEM_AUDIT,
audit_success=audit_success,
audit_failure=audit_failure)
def test_dace_tuple2(self):
dace2 = _aces.dace((accounts.principal("Everyone"), "F", "ALLOW"))
assert dace2.type == win32security.ACCESS_ALLOWED_ACE_TYPE
assert dace2.is_allowed == True
assert dace2._trustee.pyobject() == everyone
assert dace2._access_mask == ntsecuritycon.GENERIC_ALL
assert dace2.flags == _aces.ACE.FLAGS
assert dace2.object_type is core.UNSET
assert dace2.inherited_object_type is core.UNSET
def test_dace_tuple1 (self): dace1 = _aces.dace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, win32security.ACCESS_ALLOWED_ACE_TYPE)) assert dace1.type == win32security.ACCESS_ALLOWED_ACE_TYPE assert dace1.is_allowed == True assert dace1._trustee.pyobject () == everyone assert dace1._access_mask == ntsecuritycon.GENERIC_ALL assert dace1.flags == _aces.ACE.FLAGS assert dace1.object_type is core.UNSET assert dace1.inherited_object_type is core.UNSET
def test_dace_tuple2 ():
dace2 = _aces.dace ((accounts.principal ("Everyone"), "F", "ALLOW"))
assert dace2.type == win32security.ACCESS_ALLOWED_ACE_TYPE
assert dace2.is_allowed == True
assert dace2._trustee.pyobject () == everyone
assert dace2._access_mask == ntsecuritycon.GENERIC_ALL
assert dace2.flags == _aces.ACE.FLAGS
assert dace2.object_type is core.UNSET
assert dace2.inherited_object_type is core.UNSET
def test_sace_tuple2 ():
sace1 = _aces.sace ((accounts.principal ("Everyone"), "F", "FAILURE"))
assert sace1.type == win32security.SYSTEM_AUDIT_ACE_TYPE
assert not sace1.audit_success
assert sace1.audit_failure
assert sace1._trustee.pyobject () == everyone
assert sace1._access_mask == ntsecuritycon.GENERIC_ALL
assert sace1.flags == _aces.ACE.FLAGS
assert sace1.object_type is core.UNSET
assert sace1.inherited_object_type is core.UNSET
def test_sace_tuple2(self):
sace1 = _aces.sace((accounts.principal("Everyone"), "F", "FAILURE"))
assert sace1.type == win32security.SYSTEM_AUDIT_ACE_TYPE
assert not sace1.audit_success
assert sace1.audit_failure
assert sace1._trustee.pyobject() == everyone
assert sace1._access_mask == ntsecuritycon.GENERIC_ALL
assert sace1.flags == _aces.ACE.FLAGS
assert sace1.object_type is core.UNSET
assert sace1.inherited_object_type is core.UNSET
def from_tuple (cls, ace_info):
(trustee, access, audit_what) = ace_info
audit_success, audit_failure = cls._audit_what (audit_what)
return cls (
trustee=accounts.principal (trustee),
access=cls._access (access),
type=ACE_TYPE.SYSTEM_AUDIT,
audit_success=audit_success,
audit_failure=audit_failure
)
def test_dace_tuple1():
dace1 = _aces.dace(
(accounts.principal(everyone), ntsecuritycon.GENERIC_ALL,
win32security.ACCESS_ALLOWED_ACE_TYPE))
assert dace1.type == win32security.ACCESS_ALLOWED_ACE_TYPE
assert dace1.is_allowed == True
assert dace1._trustee.pyobject() == everyone
assert dace1._access_mask == ntsecuritycon.GENERIC_ALL
assert dace1.flags == _aces.ACE.FLAGS
assert dace1.object_type is core.UNSET
assert dace1.inherited_object_type is core.UNSET
def __init__(self, event_log_name, event_log_entry):
self._event_log_name = event_log_name
self._event_log_entry = event_log_entry
self.record_number = event_log_entry.RecordNumber
self.time_generated = utils.from_pytime(event_log_entry.TimeGenerated)
self.time_written = utils.from_pytime(event_log_entry.TimeWritten)
self.event_id = event_log_entry.EventID
self.event_type = event_log_entry.EventType
self.event_category = event_log_entry.EventCategory
self.sid = accounts.principal(event_log_entry.Sid)
self.computer_name = event_log_entry.ComputerName
self.source_name = event_log_entry.SourceName
self.data = event_log_entry.Data
self._message = None
def __init__ (self, event_log_name, event_log_entry): self._event_log_name = event_log_name self._event_log_entry = event_log_entry self.record_number = event_log_entry.RecordNumber self.time_generated = utils.from_pytime (event_log_entry.TimeGenerated) self.time_written = utils.from_pytime (event_log_entry.TimeWritten) self.event_id = event_log_entry.EventID self.event_type = event_log_entry.EventType self.event_category = event_log_entry.EventCategory self.sid = accounts.principal (event_log_entry.Sid) self.computer_name = event_log_entry.ComputerName self.source_name = event_log_entry.SourceName self.data = event_log_entry.Data self._message = None
def from_ace (cls, ace):
(type, flags) = ace[0]
name = ACE_TYPE.name_from_value (type)
if u"object" in name.lower ().split (u"_"):
mask, object_type, inherited_object_type, sid = ace[1:]
else:
mask, sid = ace[1:]
object_type = inherited_object_type = None
if issubclass (cls, DACE):
_class = DACE
elif issubclass (cls, SACE):
_class = SACE
else:
if name in ACE_TYPE.names (u"ACCESS_*"):
_class = DACE
else:
_class = SACE
return _class (accounts.principal (sid), mask, type, flags, object_type, inherited_object_type)
def from_ace(cls, ace):
(type, flags) = ace[0]
name = ACE_TYPE.name_from_value(type)
if u"object" in name.lower().split(u"_"):
mask, object_type, inherited_object_type, sid = ace[1:]
else:
mask, sid = ace[1:]
object_type = inherited_object_type = None
if issubclass(cls, DACE):
_class = DACE
elif issubclass(cls, SACE):
_class = SACE
else:
if name in ACE_TYPE.names(u"ACCESS_*"):
_class = DACE
else:
_class = SACE
return _class(accounts.principal(sid), mask, type, flags, object_type,
inherited_object_type)
def text_context(self):
assert win32api.GetUserName() != "alice"
with accounts.principal("alice").impersonate("Passw0rd"):
assert win32api.GetUserName() == "alice"
assert win32api.GetUserName() != "alice"
def set_default_ope_registry_permissions(student_user = "", laptop_admin_user = ""):
try:
if student_user == "":
student_user = RegistrySettings.get_reg_value(value_name="student_user", default="")
if laptop_admin_user == "":
laptop_admin_user = RegistrySettings.get_reg_value(app="OPEService", value_name="admin_user", default="administrator")
if laptop_admin_user == "":
laptop_admin_user = None
if student_user == "":
p("}}rnNo credentialed student set!}}xx")
#return False
student_user = None
# Make sure this user exists
if student_user is not None:
try:
# Will throw an exception if the user doesn't exist
student_p = accounts.principal(student_user)
except Exception as ex:
# Invalid student account
p("}}rbInvalid Student Account - skipping permissions for this account: " + str(student_user) + "}}xx")
student_user = None
# Make sure the admin user exists
if laptop_admin_user is not None:
try:
admin_p = accounts.principal(laptop_admin_user)
except Exception as ex:
# Invalid admin account!
p("}}rbInvalid Admin Account - skipping permissions for this account: " + str(laptop_admin_user) + "}}xx")
laptop_admin_user = None
base_dacl = [
("Administrators", registry.Registry.ACCESS["F"], "ALLOW"),
("SYSTEM", registry.Registry.ACCESS["F"], "ALLOW"),
#("Users", registry.Registry.ACCESS["Q"], "ALLOW")
]
service_base_dacl = [
("Administrators", registry.Registry.ACCESS["F"], "ALLOW"),
("SYSTEM", registry.Registry.ACCESS["F"], "ALLOW"),
# Don't let regular users read OPEService key
#("Users", registry.Registry.ACCESS["Q"], "ALLOW")
]
logged_in_user = win32api.GetUserName()
if logged_in_user.upper() != "SYSTEM" and logged_in_user != "":
base_dacl.append((logged_in_user, registry.Registry.ACCESS["F"], "ALLOW"))
service_base_dacl.append((logged_in_user, registry.Registry.ACCESS["F"], "ALLOW"))
if laptop_admin_user is not None and laptop_admin_user != "":
# Make sure this admin has registry access
base_dacl.append((laptop_admin_user, registry.Registry.ACCESS["F"], "ALLOW"))
service_base_dacl.append((laptop_admin_user, registry.Registry.ACCESS["F"], "ALLOW"))
# Make sure the logging registry key has proper permissions
reg = registry.registry(r"HKLM\System\CurrentControlSet\Services\EventLog\Application\OPE",
access=REGISTRY_ACCESS.KEY_ALL_ACCESS|REGISTRY_ACCESS.KEY_WOW64_64KEY)
reg.create()
with reg.security() as s:
# Break inheritance causes things to reapply properly
s.break_inheritance(copy_first=True)
#s.dacl = base_dacl
s.dacl.append(("Everyone",
registry.Registry.ACCESS["R"],
"ALLOW"))
# s.dacl.dump()
reg = registry.registry(r"HKLM\Software\OPE",
access=REGISTRY_ACCESS.KEY_ALL_ACCESS|REGISTRY_ACCESS.KEY_WOW64_64KEY)
reg.create()
with reg.security() as s:
# Break inheritance causes things to reapply properly
s.break_inheritance(copy_first=True)
s.dacl = base_dacl
if student_user is not None:
s.dacl.append((student_user, registry.Registry.ACCESS["R"], "ALLOW"))
s.dacl.append(("Everyone",
registry.Registry.ACCESS["R"],
"ALLOW"
))
# s.dacl.dump()
reg = registry.registry(r"HKLM\Software\OPE\OPELMS",
access=REGISTRY_ACCESS.KEY_ALL_ACCESS|REGISTRY_ACCESS.KEY_WOW64_64KEY)
reg.create()
with reg.security() as s:
# Break inheritance causes things to reapply properly
s.break_inheritance(copy_first=True)
s.dacl = base_dacl
if student_user is not None:
s.dacl.append((student_user, registry.Registry.ACCESS["C"],
"ALLOW"))
s.dacl.append(("Everyone",
registry.Registry.ACCESS["R"],
"ALLOW"
))
# s.dacl.dump()
reg = registry.registry(r"HKLM\Software\OPE\OPEService",
access=REGISTRY_ACCESS.KEY_READ|REGISTRY_ACCESS.KEY_WOW64_64KEY)
reg.create()
with reg.security() as s:
# Break inheritance causes things to reapply properly
s.break_inheritance(copy_first=True)
s.dacl = service_base_dacl
#if student_user is not None:
# s.dacl.append((student_user, registry.Registry.ACCESS["Q"], "ALLOW"))
# s.dacl.dump()
reg = registry.registry(r"HKLM\Software\OPE\OPELMS\student",
access=REGISTRY_ACCESS.KEY_READ|REGISTRY_ACCESS.KEY_WOW64_64KEY)
reg.create()
with reg.security() as s:
# Break inheritance causes things to reapply properly
s.break_inheritance(copy_first=True)
s.dacl = base_dacl
if student_user is not None:
s.dacl.append((student_user, registry.Registry.ACCESS["C"],
"ALLOW"))
s.dacl.append(("Everyone",
registry.Registry.ACCESS["R"],
"ALLOW"
))
# s.dacl.dump()
p("}}gnRegistry Permissions Set}}xx", log_level=3)
except Exception as ex:
p("}}rbUnknown Exception! }}xx\n" + str(ex))
return False
return True
def test_dace_ne_type ():
assert \
_aces.dace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, win32security.ACCESS_ALLOWED_ACE_TYPE)) != \
_aces.dace ((accounts.principal ("Everyone"), "R", "DENY"))
def test_dace_eq ():
assert \
_aces.dace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, win32security.ACCESS_ALLOWED_ACE_TYPE)) == \
_aces.dace ((accounts.principal ("Everyone"), "F", "ALLOW"))
def test_sace_ne_type ():
assert \
_aces.sace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, (1, 0))) != \
_aces.sace ((accounts.principal ("Everyone"), "R", "FAILURE"))
def test_sace_eq ():
assert \
_aces.sace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, (1, 1))) == \
_aces.sace ((accounts.principal ("Everyone"), "F", "ALL"))
import os, sys
import operator
from nose.tools import *
import utils
from winsys import core, accounts
from winsys._security import _aces
import win32security
import ntsecuritycon
import tempfile
everyone, _, _ = win32security.LookupAccountName (None, "Everyone")
me = accounts.me ()
administrators = accounts.principal ("Administrators")
filehandle = filename = None
def setup ():
utils.change_priv (win32security.SE_SECURITY_NAME, True)
global filehandle, filename
filehandle, filename = tempfile.mkstemp ()
print filename
dacl = win32security.ACL ()
dacl.AddAccessAllowedAceEx (win32security.ACL_REVISION_DS, 0, ntsecuritycon.FILE_READ_DATA, everyone)
sacl = win32security.ACL ()
sacl.AddAuditAccessAce (win32security.ACL_REVISION_DS, ntsecuritycon.FILE_READ_DATA, everyone, 1, 1)
win32security.SetNamedSecurityInfo (
filename, win32security.SE_FILE_OBJECT,
win32security.DACL_SECURITY_INFORMATION | win32security.SACL_SECURITY_INFORMATION,
None, None, dacl, sacl
)
def test_principal_sid (self): everyone, domain, type = win32security.LookupAccountName (None, "Everyone") assert accounts.principal (everyone).pyobject () == everyone
def test_principal_string(self):
everyone, domain, type = win32security.LookupAccountName(
None, "Everyone")
assert accounts.principal("Everyone") == everyone
def test_principal_invalid(self):
with self.assertRaises(accounts.exc.x_not_found):
accounts.principal(object)
def test_principal_Principal(self):
everyone, domain, type = win32security.LookupAccountName(
None, "Everyone")
principal = accounts.Principal(everyone)
assert accounts.principal(principal) is principal
def test_principal_sid(self):
everyone, domain, type = win32security.LookupAccountName(
None, "Everyone")
assert accounts.principal(everyone).pyobject() == everyone
def test_principal_None(self):
assert accounts.principal(None) is None
def _set_trustee (self, trustee):
if self.inherited:
raise exc.x_access_denied (errctx=u"ACE._get_trustee", errmsg=u"Cannot change an inherited ACE")
self._trustee = accounts.principal (trustee)
def test_sace_ne_access():
assert \
_aces.sace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, (1, 0))) != \
_aces.sace ((accounts.principal ("Everyone"), "R", (1, 0)))
def from_tuple(cls, ace_info):
(trustee, access, allow_or_deny) = ace_info
return cls(accounts.principal(trustee), cls._access(access),
cls._type(allow_or_deny))
def test_sace_ne_trustee(self):
assert \
_aces.sace((accounts.principal(everyone), ntsecuritycon.GENERIC_ALL,(1, 1))) != \
_aces.sace((accounts.principal("Administrators"), "F", "ALL"))
def principal(account):
try:
return accounts.principal(account)
except exc.x_not_found:
return "<unknown>"
def text_context (self):
assert win32api.GetUserName () != "alice"
with accounts.principal ("alice").impersonate ("Passw0rd"):
assert win32api.GetUserName () == "alice"
assert win32api.GetUserName () != "alice"
def test_principal_None (self): assert accounts.principal (None) is None
def test_dace_ne_access(self):
assert \
_aces.dace((accounts.principal(everyone), ntsecuritycon.GENERIC_ALL, win32security.ACCESS_ALLOWED_ACE_TYPE)) != \
_aces.dace((accounts.principal("Everyone"), "R", "ALLOW"))
def test_sace_ne_trustee ():
assert \
_aces.sace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, (1, 1))) != \
_aces.sace ((accounts.principal ("Administrators"), "F", "ALL"))
def test_principal_invalid (self):
with self.assertRaises (accounts.exc.x_not_found):
accounts.principal (object)
def test_principal_invalid (): accounts.principal (object)
def test_principal_string (self):
everyone, domain, type = win32security.LookupAccountName (None, "Everyone")
assert accounts.principal ("Everyone") == everyone
def test_dace_ne_trustee ():
assert \
_aces.dace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, win32security.ACCESS_ALLOWED_ACE_TYPE)) != \
_aces.dace ((accounts.principal ("Administrators"), "F", "ALLOW"))
def test_principal_Principal (self): everyone, domain, type = win32security.LookupAccountName (None, "Everyone") principal = accounts.Principal (everyone) assert accounts.principal (principal) is principal
import os, sys
import functools
import operator
import win32security
import ntsecuritycon
import tempfile
from winsys._compat import unittest
from winsys.tests import utils as testutils
from winsys import core, accounts
from winsys._security import _aces
everyone, _, _ = win32security.LookupAccountName(None, "Everyone")
me = accounts.me()
administrators = accounts.principal("Administrators")
@unittest.skipUnless(testutils.i_am_admin(),
"These tests must be run as Administrator")
class TestAces(unittest.TestCase):
def setUp(self):
testutils.change_priv(win32security.SE_SECURITY_NAME, True)
self.filehandle, self.filename = tempfile.mkstemp()
dacl = win32security.ACL()
dacl.AddAccessAllowedAceEx(win32security.ACL_REVISION_DS, 0,
ntsecuritycon.FILE_READ_DATA, everyone)
sacl = win32security.ACL()
sacl.AddAuditAccessAce(win32security.ACL_REVISION_DS,
ntsecuritycon.FILE_READ_DATA, everyone, 1, 1)
win32security.SetNamedSecurityInfo(
def _set_trustee(self, trustee):
if self.inherited:
raise exc.x_access_denied(errctx=u"ACE._get_trustee",
errmsg=u"Cannot change an inherited ACE")
self._trustee = accounts.principal(trustee)
def test_sace_eq(self):
assert \
_aces.sace((accounts.principal(everyone), ntsecuritycon.GENERIC_ALL,(1, 1))) == \
_aces.sace((accounts.principal("Everyone"), "F", "ALL"))
def from_tuple (cls, ace_info): (trustee, access, allow_or_deny) = ace_info return cls (accounts.principal (trustee), cls._access (access), cls._type (allow_or_deny))
def test_sace_ne_type(self):
assert \
_aces.sace((accounts.principal(everyone), ntsecuritycon.GENERIC_ALL,(1, 0))) != \
_aces.sace((accounts.principal("Everyone"), "R", "FAILURE"))
from winsys import accounts
accounts.principal("python").delete()
def test_dace_ne_trustee(self):
assert \
_aces.dace((accounts.principal(everyone), ntsecuritycon.GENERIC_ALL, win32security.ACCESS_ALLOWED_ACE_TYPE)) != \
_aces.dace((accounts.principal("Administrators"), "F", "ALLOW"))
def test_sace_ne_access (self):
assert \
_aces.sace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, (1, 0))) != \
_aces.sace ((accounts.principal ("Everyone"), "R", (1, 0)))
def principal (account):
try:
return accounts.principal (account)
except exc.x_not_found:
return "<unknown>"
def test_principal_invalid():
accounts.principal(object)
