def test_executeAsUser_unix_user_does_not_exists(self):
    """
    executeAsUser raises ChangeUserException for an unknown account.

    Only a username is passed (no token). The call has to fail loudly:
    silently continuing under the current identity would leave the caller
    running with privileges it did not ask for.
    """
    missing_account = u'no-such-user'

    with self.assertRaises(ChangeUserException):
        system_users.executeAsUser(username=missing_account)
def test_executeAsUser_multiple_call_on_same_credentials(self):
    """
    The same username/token pair can be used for two consecutive
    impersonations.
    """
    account = mk.getTestUser(u'normal')

    # Enter and leave the impersonated context twice with identical
    # credentials. The second entry would fail if leaving the first
    # context invalidated the token.
    for _ in range(2):
        with system_users.executeAsUser(
                username=account.name, token=account.token):
            pass
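def test_executeAsUser_Unix(self):
    """
    Test executing as a different user.

    Inside the context the effective uid, gid and group list are those of
    the test account. After leaving it, all three are back to the values
    recorded before the switch.
    """
    # Load the lookup modules before switching identity, so nothing is
    # imported while running as the impersonated account. They stay
    # function-local because pwd and grp exist only on Unix.
    import grp
    import pwd

    initial_uid, initial_gid = os.geteuid(), os.getegid()
    initial_groups = os.getgroups()
    test_user = mk.getTestUser(u'normal')

    # Pre-condition: the test account's groups differ from the current
    # ones, otherwise the group checks below would prove nothing.
    self.assertNotEqual(
        sorted(self.getGroupsIDForTestAccount()),
        sorted(os.getgroups()),
        )

    with system_users.executeAsUser(username=test_user.name):
        uid, gid = os.geteuid(), os.getegid()
        # NOTE(review): .decode() assumes pwd/grp return byte strings
        # (Python 2 behaviour) - confirm the target interpreter.
        impersonated_username = pwd.getpwuid(uid)[0].decode('utf-8')
        impersonated_groupname = grp.getgrgid(gid)[0].decode('utf-8')
        impersonated_groups = os.getgroups()

        self.assertEqual(test_user.name, impersonated_username)
        self.assertEqual(TEST_ACCOUNT_GROUP, impersonated_groupname)
        self.assertNotEqual(initial_uid, uid)
        self.assertNotEqual(initial_gid, gid)
        self.assertNotEqual(initial_groups, impersonated_groups)
        if self.os_name != 'osx':
            # On OSX newer than 10.5 get/set groups are useless.
            self.assertEqual(
                sorted(self.getGroupsIDForTestAccount()),
                sorted(impersonated_groups),
                )

    # Leaving the context must restore every identity attribute. A leftover
    # group would keep granting access after the impersonation ended.
    self.assertEqual(initial_uid, os.geteuid())
    self.assertEqual(initial_gid, os.getegid())
    self.assertEqual(initial_groups, os.getgroups())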
def test_getCurrentPrivilegesDescription_impersonated(self):
    """
    getCurrentPrivilegesDescription works under an impersonated account
    and still reports the full process capabilities.

    The process under impersonated account still has root capabilities.
    """
    expected = u'root capabilities enabled.'

    # NOTE(review): this pins that code running inside the impersonated
    # block keeps root capabilities, so the block is not a containment
    # boundary for the code it runs. Presumably only the effective ids
    # are switched - confirm against executeAsUser.
    with system_users.executeAsUser(
            username=self.os_user.name, token=self.os_user.token):
        description = self.capabilities.getCurrentPrivilegesDescription()

    self.assertEqual(expected, description)
def test_executeAsUser_NT(self):
    """
    Test executing as a different user.

    The current user name is the test account inside the context and the
    account running the tests (mk.username) once the context is left.
    """
    account = mk.getTestUser(u'normal')

    with system_users.executeAsUser(
            username=account.name, token=account.token):
        name_inside = system_users.getCurrentUserName()
        self.assertEqual(account.name, name_inside)

    # The impersonation must be reverted on exit.
    name_after = system_users.getCurrentUserName()
    self.assertEqual(mk.username, name_after)
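def test_executeAsUser(self):
    """
    executeAsUser uses the token to run the block as the given account,
    and the initial identity is back once the block is left.
    """
    test_user = mk.getTestUser(u'domain')
    initial_username = system_users.getCurrentUserName()
    # Pre-condition: the test starts as some other account, otherwise the
    # check inside the context would pass without any impersonation.
    self.assertNotEqual(test_user.name, initial_username)

    with system_users.executeAsUser(
            username=test_user.name, token=test_user.token):
        self.assertEqual(
            test_user.name, system_users.getCurrentUserName())

    # Impersonation that is not reverted on exit would leave later code
    # running under the wrong account, so verify the restore explicitly.
    self.assertEqual(
        initial_username, system_users.getCurrentUserName())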
def test_getCurrentPrivilegesDescription_impersonated_nt(self):
    """
    getCurrentPrivilegesDescription can be used for impersonated accounts
    and then describes the impersonated user's capabilities instead of
    those of the initial account.
    """
    # FIXME:2095:
    # Unify tests once proper capabilities support is implemented.
    before = self.capabilities.getCurrentPrivilegesDescription()
    self.assertContains(u'SeIncreaseWorkingSetPrivilege:0', before)

    with system_users.executeAsUser(
            username=self.os_user.name, token=self.os_user.token):
        during = self.capabilities.getCurrentPrivilegesDescription()

    # This assertion is fragile. Feel free to improve it.
    # NOTE(review): presumably the number after the colon is the privilege
    # attribute bitmask (0 = present but disabled, 3 = enabled and
    # enabled-by-default) - confirm against
    # getCurrentPrivilegesDescription.
    self.assertContains(u'SeIncreaseWorkingSetPrivilege:3', during)
def test_elevatePrivileges_impersonated_not_present(self):
    """
    Elevating a privilege under an impersonated account raises
    AdjustPrivilegeException when that privilege is not present.
    """
    import win32security

    privilege = win32security.SE_CREATE_SYMBOLIC_LINK_NAME

    with system_users.executeAsUser(
            username=self.os_user.name, token=self.os_user.token):
        # Pre-condition: the impersonated account does not hold the
        # privilege at all.
        state = self.capabilities._getPrivilegeState(privilege)
        self.assertEqual(u'absent', state)

        # An absent privilege must not be grantable through elevation.
        with self.assertRaises(AdjustPrivilegeException), \
                self.capabilities._elevatePrivileges(privilege):
            pass
def test_elevatePrivileges_impersonated(self):
    """
    A privilege that is already present can be elevated while running
    under an impersonated account.
    """
    import win32security

    privilege = win32security.SE_INC_WORKING_SET_NAME

    # Pre-condition, checked before impersonation: the privilege is held
    # but not yet enabled.
    state_before = self.capabilities._getPrivilegeState(privilege)
    self.assertEqual(u'present', state_before)

    with system_users.executeAsUser(
            username=self.os_user.name, token=self.os_user.token), \
            self.capabilities._elevatePrivileges(privilege):
        state_elevated = self.capabilities._getPrivilegeState(privilege)

    self.assertStartsWith(u'enabled', state_elevated)
def test_authenticateWithUsernameAndPassword_good(self):
    """
    Valid username and password yield `True` together with a token, and
    that token can be used to impersonate the account.
    """
    is_valid, impersonation_token = (
        system_users.authenticateWithUsernameAndPassword(
            username=TEST_ACCOUNT_USERNAME_DOMAIN,
            password=TEST_ACCOUNT_PASSWORD_DOMAIN,
            ))
    self.assertIsTrue(is_valid)
    self.assertIsNotNone(impersonation_token)

    # Prove the returned token is usable, not merely non-None: run a block
    # under it and check which account is reported.
    with system_users.executeAsUser(
            username=TEST_ACCOUNT_USERNAME_DOMAIN,
            token=impersonation_token):
        current_name = system_users.getCurrentUserName()
        self.assertEqual(TEST_ACCOUNT_USERNAME_DOMAIN, current_name)
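def test_executeAsUser_Unix(self):
    """
    Test executing as a different user.

    Inside the context the effective uid and gid are those of the test
    account. Except on OSX, the group list is also checked against the
    test account's groups. After leaving the context, uid, gid and groups
    are back to the values recorded before the switch.
    """
    # Load the lookup modules before switching identity, so nothing is
    # imported while running as the impersonated account. They stay
    # function-local because pwd and grp exist only on Unix.
    import grp
    import pwd

    initial_uid, initial_gid = os.geteuid(), os.getegid()
    initial_groups = os.getgroups()
    test_user = mk.getTestUser(u'normal')

    # Pre-condition: the test account's groups differ from the current
    # ones, otherwise the group checks below would prove nothing.
    self.assertNotEqual(
        sorted(self.getGroupsIDForTestAccount()),
        sorted(os.getgroups()),
        )

    with system_users.executeAsUser(username=test_user.name):
        uid, gid = os.geteuid(), os.getegid()
        # NOTE(review): .decode() assumes pwd/grp return byte strings
        # (Python 2 behaviour) - confirm the target interpreter.
        impersonated_username = pwd.getpwuid(uid)[0].decode('utf-8')
        impersonated_groupname = grp.getgrgid(gid)[0].decode('utf-8')
        impersonated_groups = os.getgroups()

        self.assertEqual(test_user.name, impersonated_username)
        self.assertEqual(TEST_ACCOUNT_GROUP, impersonated_groupname)
        self.assertNotEqual(initial_uid, uid)
        self.assertNotEqual(initial_gid, gid)
        if self.os_name != 'osx':
            # FIXME:3808:
            # Investigate why this no longer works/passes on OSX.
            # On OSX newer than 10.5 get/set groups are useless.
            self.assertNotEqual(initial_groups, impersonated_groups)
            # On Alpine, we get duplicate groups from the Python os.
            if self.os_version.startswith('alpine'):
                impersonated_groups = list(set(impersonated_groups))
            self.assertEqual(
                sorted(self.getGroupsIDForTestAccount()),
                sorted(impersonated_groups),
                )

    # Leaving the context must restore every identity attribute. A leftover
    # group would keep granting access after the impersonation ended.
    self.assertEqual(initial_uid, os.geteuid())
    self.assertEqual(initial_gid, os.getegid())
    self.assertEqual(initial_groups, os.getgroups())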