def security_descriptor(self):
"""The security descriptor of the device.
:type: :class:`~windows.security.SecurityDescriptor`
"""
return SecurityDescriptor.from_binary(self.raw_security_descriptor)
def test_ace_resource_attribute(sddl, expected_values):
sd = SecurityDescriptor.from_string(sddl)
ra = sd.sacl[0]
assert ra.Header.AceType == gdef.SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE
attr = ra.attribute
assert attr.name == "TestName"
assert attr.values == expected_values
def test_sec_descrip_owner_group():
SDDL = "O:ANG:S-1-2-3"
sd = SecurityDescriptor.from_string(SDDL)
assert sd.owner.to_string() == "S-1-5-7"
assert sd.group.to_string() == "S-1-2-3"
assert sd.dacl is None
assert sd.sacl is None
def test_conditional_ace_applicationdata(sddl, expected_value):
sd = SecurityDescriptor.from_string(sddl)
acl = sd.dacl
if acl is None:
acl = sd.sacl
ace = acl[0]
appdata = ace.application_data
# https://msdn.microsoft.com/en-us/library/hh877860.aspx
assert appdata.startswith(b"artx")
assert expected_value in appdata.replace(b"\x00", b"")
def test_complex_ace_guid_sid(sddl, obj_guid, inherited_object_guid):
sd = SecurityDescriptor.from_string(sddl)
assert sd.dacl is not None
ace = sd.dacl[0]
assert ace.sid.to_string() == "S-1-0-0"
if obj_guid is None and inherited_object_guid is None:
# No GUID -> transformed in ACCESS_ALLOWED_ACE_TYPE
assert ace.Header.AceType == gdef.ACCESS_ALLOWED_ACE_TYPE
return
assert ace.object_type == obj_guid
assert ace.inherited_object_type == inherited_object_guid
def test_pacl_object():
SDDL = "O:ANG:S-1-2-3D:(A;;;;;S-1-42-42)(A;;;;;S-1-42-43)(A;;;;;S-1-42-44)"
dacl = SecurityDescriptor.from_string(SDDL).dacl
assert dacl is not None
assert len(dacl) == 3 # __len__
assert len(list(dacl)) == 3 # __iter__
assert len(dacl.aces) == 3
assert ctypes.addressof(dacl[0]) == ctypes.addressof(dacl[0]) # __getitem__
assert len([ctypes.addressof(dacl[i])for i in range(3)]) == 3
with pytest.raises(IndexError):
x = dacl[3]
def test_mask_sid_ace():
SDDL = "D:(A;CIOI;CCGR;;;S-1-42-42)"
# OBJECT_INHERIT_ACE(0x1L) | CONTAINER_INHERIT_ACE(0x2L)
# Create-Child | GENERIC_READ(0x80000000L)
sd = SecurityDescriptor.from_string(SDDL)
dacl = sd.dacl
assert dacl is not None
ace = dacl[0]
# Test the ACE
assert ace.Header.AceType == gdef.ACCESS_ALLOWED_ACE_TYPE
# flags + flags split
assert ace.Header.AceFlags == gdef.OBJECT_INHERIT_ACE | gdef.CONTAINER_INHERIT_ACE
assert set(ace.Header.flags) == {gdef.OBJECT_INHERIT_ACE, gdef.CONTAINER_INHERIT_ACE}
# mask + mask split
assert ace.Mask == 1 | gdef.GENERIC_READ
assert set(ace.mask) == {1, gdef.GENERIC_READ}
# SID
assert ace.sid.to_string() == "S-1-42-42"
def test_security_descriptor__str__():
sddl = "D:(A;;FA;;;WD)"
sd = SecurityDescriptor.from_string(sddl)
assert str(sd) == sddl
def test_empty_security_descriptor():
esd = SecurityDescriptor.from_string("")
assert esd.owner is None # Should NOT be NULL PSID but None
assert esd.group is None # Should NOT be NULL PSID but None
assert esd.dacl is None
assert esd.sacl is None
def test_security_descriptor_from_binary(binsd):
sd = SecurityDescriptor.from_binary(binsd)
def test_security_descriptor_from_string(sddl):
sd = SecurityDescriptor.from_string(sddl)
def test_ace_sacl_subclass(sddl, ace_type):
sd = SecurityDescriptor.from_string(sddl)
sacl = sd.sacl
assert len(sacl) == 1
ace = sacl[0] # Will raise if AceHeader is not handled
assert ace.Header.AceType == ace_type
