def test_executeAsUser_unix_user_does_not_exists(self):
"""
If the user does not exist, executeAsUser will raise
ChangeUserException.
"""
with self.assertRaises(ChangeUserException):
system_users.executeAsUser(username=u'no-such-user')
def test_executeAsUser_multiple_call_on_same_credentials(self):
"""
Test executing as a different user reusing the credentials.
"""
test_user = mk.getTestUser(u'normal')
with system_users.executeAsUser(
username=test_user.name, token=test_user.token):
pass
with system_users.executeAsUser(
username=test_user.name, token=test_user.token):
pass
def test_executeAsUser_Unix(self):
"""
Test executing as a different user.
"""
initial_uid, initial_gid = os.geteuid(), os.getegid()
initial_groups = os.getgroups()
test_user = mk.getTestUser(u'normal')
self.assertNotEqual(
sorted(self.getGroupsIDForTestAccount()),
sorted(os.getgroups()),
)
with system_users.executeAsUser(username=test_user.name):
import pwd
import grp
uid, gid = os.geteuid(), os.getegid()
impersonated_username = pwd.getpwuid(uid)[0].decode('utf-8')
impersonated_groupname = grp.getgrgid(gid)[0].decode('utf-8')
impersonated_groups = os.getgroups()
self.assertEqual(test_user.name, impersonated_username)
self.assertEqual(TEST_ACCOUNT_GROUP, impersonated_groupname)
self.assertNotEqual(initial_uid, uid)
self.assertNotEqual(initial_gid, gid)
self.assertNotEqual(initial_groups, impersonated_groups)
if self.os_name != 'osx':
# On OSX newer than 10.5 get/set groups are useless.
self.assertEqual(
sorted(self.getGroupsIDForTestAccount()),
sorted(impersonated_groups),
)
self.assertEqual(initial_uid, os.geteuid())
self.assertEqual(initial_gid, os.getegid())
self.assertEqual(initial_groups, os.getgroups())
def test_getCurrentPrivilegesDescription_impersonated(self):
"""
getCurrentPrivilegesDescription can be used for impersonated accounts
and will still get full process capabilities.
The process under impersonated account still has root capabilities.
"""
with system_users.executeAsUser(
username=self.os_user.name, token=self.os_user.token):
text = self.capabilities.getCurrentPrivilegesDescription()
self.assertEqual(u'root capabilities enabled.', text)
def test_executeAsUser_NT(self):
"""
Test executing as a different user.
"""
test_user = mk.getTestUser(u'normal')
with system_users.executeAsUser(
username=test_user.name, token=test_user.token):
self.assertEqual(
test_user.name, system_users.getCurrentUserName())
self.assertEqual(
mk.username, system_users.getCurrentUserName())
def test_executeAsUser(self):
"""
It uses the token to impersonate the account under which this
process is executed..
"""
test_user = mk.getTestUser(u'domain')
self.assertNotEqual(test_user.name, system_users.getCurrentUserName())
with system_users.executeAsUser(
username=test_user.name, token=test_user.token):
self.assertEqual(
test_user.name, system_users.getCurrentUserName())
def test_getCurrentPrivilegesDescription_impersonated_nt(self):
"""
getCurrentPrivilegesDescription can be used for impersonated accounts
and will return the impersonated user's capabilities instead.
"""
# FIXME:2095:
# Unify tests once proper capabilities support is implemented.
initial_text = self.capabilities.getCurrentPrivilegesDescription()
self.assertContains(u'SeIncreaseWorkingSetPrivilege:0', initial_text)
with system_users.executeAsUser(
username=self.os_user.name, token=self.os_user.token):
text = self.capabilities.getCurrentPrivilegesDescription()
# These assertion are fragile. Feel free to improve it.
self.assertContains(u'SeIncreaseWorkingSetPrivilege:3', text)
def test_elevatePrivileges_impersonated_not_present(self):
"""
Trying to elevate privilege under impersonated account will raise
an error if privilege is not present.
"""
import win32security
with system_users.executeAsUser(
username=self.os_user.name, token=self.os_user.token):
initial_state = self.capabilities._getPrivilegeState(
win32security.SE_CREATE_SYMBOLIC_LINK_NAME)
self.assertEqual(u'absent', initial_state)
with self.assertRaises(AdjustPrivilegeException):
with self.capabilities._elevatePrivileges(
win32security.SE_CREATE_SYMBOLIC_LINK_NAME):
pass
def test_elevatePrivileges_impersonated(self):
"""
Can elevate privileges while running under impersonated account if
privilege is already present.
"""
import win32security
initial_state = self.capabilities._getPrivilegeState(
win32security.SE_INC_WORKING_SET_NAME)
self.assertEqual(u'present', initial_state)
with system_users.executeAsUser(
username=self.os_user.name, token=self.os_user.token):
with self.capabilities._elevatePrivileges(
win32security.SE_INC_WORKING_SET_NAME):
update_state = self.capabilities._getPrivilegeState(
win32security.SE_INC_WORKING_SET_NAME)
self.assertStartsWith(u'enabled', update_state)
def test_authenticateWithUsernameAndPassword_good(self):
"""
Return `True` when username and passwords are valid, together
with a token that can be used for impersonating the account.
"""
result, token = system_users.authenticateWithUsernameAndPassword(
username=TEST_ACCOUNT_USERNAME_DOMAIN,
password=TEST_ACCOUNT_PASSWORD_DOMAIN,
)
self.assertIsTrue(result)
self.assertIsNotNone(token)
with system_users.executeAsUser(
username=TEST_ACCOUNT_USERNAME_DOMAIN, token=token):
self.assertEqual(
TEST_ACCOUNT_USERNAME_DOMAIN,
system_users.getCurrentUserName(),
)
def test_executeAsUser_Unix(self):
"""
Test executing as a different user.
"""
initial_uid, initial_gid = os.geteuid(), os.getegid()
initial_groups = os.getgroups()
test_user = mk.getTestUser(u'normal')
self.assertNotEqual(
sorted(self.getGroupsIDForTestAccount()),
sorted(os.getgroups()),
)
with system_users.executeAsUser(username=test_user.name):
import pwd
import grp
uid, gid = os.geteuid(), os.getegid()
impersonated_username = pwd.getpwuid(uid)[0].decode('utf-8')
impersonated_groupname = grp.getgrgid(gid)[0].decode('utf-8')
impersonated_groups = os.getgroups()
self.assertEqual(test_user.name, impersonated_username)
self.assertEqual(TEST_ACCOUNT_GROUP, impersonated_groupname)
self.assertNotEqual(initial_uid, uid)
self.assertNotEqual(initial_gid, gid)
if self.os_name != 'osx':
# FIXME:3808:
# Investigate why this no longer works/passes on OSX.
# On OSX newer than 10.5 get/set groups are useless.
self.assertNotEqual(initial_groups, impersonated_groups)
# On Alpine, we get duplicate groups from the Python os.
if self.os_version.startswith('alpine'):
impersonated_groups = list(set(impersonated_groups))
self.assertEqual(
sorted(self.getGroupsIDForTestAccount()),
sorted(impersonated_groups),
)
self.assertEqual(initial_uid, os.geteuid())
self.assertEqual(initial_gid, os.getegid())
self.assertEqual(initial_groups, os.getgroups())
