def test_pso_nested_groups(self):
"""PSOs operate correctly when applied to nested groups"""
# create some PSOs that vary in priority and basic password-len
group1_pso = PasswordSettings("group1-PSO", self.ldb, precedence=50,
password_len=12, history_len=3)
group2_pso = PasswordSettings("group2-PSO", self.ldb, precedence=25,
password_len=10, history_len=5,
complexity=False)
group3_pso = PasswordSettings("group3-PSO", self.ldb, precedence=10,
password_len=6, history_len=2)
# create some groups and apply the PSOs to the groups
group1 = self.add_group("Group-1")
group2 = self.add_group("Group-2")
group3 = self.add_group("Group-3")
group4 = self.add_group("Group-4")
group1_pso.apply_to(group1)
group2_pso.apply_to(group2)
group3_pso.apply_to(group3)
# create a PSO and apply it to a group that the user is not a member
# of - it should not have any effect on the user
unused_pso = PasswordSettings("unused-PSO", self.ldb, precedence=1,
password_len=20)
unused_pso.apply_to(group4)
# handle PSO clean-up (as they're outside the top-level test OU)
self.add_obj_cleanup([group1_pso.dn, group2_pso.dn, group3_pso.dn,
unused_pso.dn])
# create a user and check the default settings apply to it
user = self.add_user("testuser")
self.assert_PSO_applied(user, self.pwd_defaults)
# add user to a group. Check that the group's PSO applies to the user
self.set_attribute(group1, "member", user.dn)
self.set_attribute(group2, "member", group1)
self.assert_PSO_applied(user, group2_pso)
# add another level to the group heirachy & check this PSO takes effect
self.set_attribute(group3, "member", group2)
self.assert_PSO_applied(user, group3_pso)
# invert the PSO precedence and check the new lowest value takes effect
group1_pso.set_precedence(3)
group2_pso.set_precedence(13)
group3_pso.set_precedence(33)
self.assert_PSO_applied(user, group1_pso)
# delete a PSO and check it no longer applies
self.ldb.delete(group1_pso.dn)
self.test_objs.remove(group1_pso.dn)
self.assert_PSO_applied(user, group2_pso)
def test_pso_nested_groups(self):
"""PSOs operate correctly when applied to nested groups"""
# create some PSOs that vary in priority and basic password-len
group1_pso = PasswordSettings("group1-PSO", self.ldb, precedence=50,
password_len=12, history_len=3)
group2_pso = PasswordSettings("group2-PSO", self.ldb, precedence=25,
password_len=10, history_len=5,
complexity=False)
group3_pso = PasswordSettings("group3-PSO", self.ldb, precedence=10,
password_len=6, history_len=2)
# create some groups and apply the PSOs to the groups
group1 = self.add_group("Group-1")
group2 = self.add_group("Group-2")
group3 = self.add_group("Group-3")
group4 = self.add_group("Group-4")
group1_pso.apply_to(group1)
group2_pso.apply_to(group2)
group3_pso.apply_to(group3)
# create a PSO and apply it to a group that the user is not a member
# of - it should not have any effect on the user
unused_pso = PasswordSettings("unused-PSO", self.ldb, precedence=1,
password_len=20)
unused_pso.apply_to(group4)
# handle PSO clean-up (as they're outside the top-level test OU)
self.add_obj_cleanup([group1_pso.dn, group2_pso.dn, group3_pso.dn,
unused_pso.dn])
# create a user and check the default settings apply to it
user = self.add_user("testuser")
self.assert_PSO_applied(user, self.pwd_defaults)
# add user to a group. Check that the group's PSO applies to the user
self.set_attribute(group1, "member", user.dn)
self.set_attribute(group2, "member", group1)
self.assert_PSO_applied(user, group2_pso)
# add another level to the group heirachy & check this PSO takes effect
self.set_attribute(group3, "member", group2)
self.assert_PSO_applied(user, group3_pso)
# invert the PSO precedence and check the new lowest value takes effect
group1_pso.set_precedence(3)
group2_pso.set_precedence(13)
group3_pso.set_precedence(33)
self.assert_PSO_applied(user, group1_pso)
# delete a PSO and check it no longer applies
self.ldb.delete(group1_pso.dn)
self.test_objs.remove(group1_pso.dn)
self.assert_PSO_applied(user, group2_pso)
def test_pso_permissions(self):
"""Checks that regular users can't modify/view PSO objects"""
user = self.add_user("testuser")
# get an ldb connection with the new user's privileges
user_ldb = self.get_ldb_connection("testuser", user.get_password(),
self.host_url)
# regular users should not be able to create a PSO (at least, not in
# the default Password Settings container)
try:
priv_pso = PasswordSettings("priv-PSO", user_ldb, password_len=20)
self.fail()
except ldb.LdbError as e:
(num, msg) = e.args
self.assertEqual(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg)
# create a PSO as the admin user
priv_pso = PasswordSettings("priv-PSO", self.ldb, password_len=20)
self.add_obj_cleanup([priv_pso.dn])
# regular users should not be able to apply a PSO to a user
try:
self.set_attribute(priv_pso.dn,
"msDS-PSOAppliesTo",
user.dn,
samdb=user_ldb)
self.fail()
except ldb.LdbError as e:
(num, msg) = e.args
self.assertEqual(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg)
self.assertTrue('00002098' in msg, msg)
self.set_attribute(priv_pso.dn,
"msDS-PSOAppliesTo",
user.dn,
samdb=self.ldb)
# regular users should not be able to change a PSO's precedence
try:
priv_pso.set_precedence(100, samdb=user_ldb)
self.fail()
except ldb.LdbError as e:
(num, msg) = e.args
self.assertEqual(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg)
self.assertTrue('00002098' in msg, msg)
priv_pso.set_precedence(100, samdb=self.ldb)
# regular users should not be able to view a PSO's settings
pso_attrs = [
"msDS-PSOAppliesTo", "msDS-PasswordSettingsPrecedence",
"msDS-PasswordHistoryLength", "msDS-LockoutThreshold",
"msDS-PasswordComplexityEnabled"
]
# users can see the PSO object's DN, but not its attributes
res = user_ldb.search(priv_pso.dn,
scope=ldb.SCOPE_BASE,
attrs=pso_attrs)
self.assertTrue(str(priv_pso.dn) == str(res[0].dn))
for attr in pso_attrs:
self.assertFalse(attr in res[0])
# whereas admin users can see everything
res = self.ldb.search(priv_pso.dn,
scope=ldb.SCOPE_BASE,
attrs=pso_attrs)
for attr in pso_attrs:
self.assertTrue(attr in res[0])
# check replace/delete operations can't be performed by regular users
operations = [FLAG_MOD_REPLACE, FLAG_MOD_DELETE]
for oper in operations:
try:
self.set_attribute(priv_pso.dn,
"msDS-PSOAppliesTo",
user.dn,
samdb=user_ldb,
operation=oper)
self.fail()
except ldb.LdbError as e:
(num, msg) = e.args
self.assertEqual(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg)
self.assertTrue('00002098' in msg, msg)
# ...but can be performed by the admin user
self.set_attribute(priv_pso.dn,
"msDS-PSOAppliesTo",
user.dn,
samdb=self.ldb,
operation=oper)
def test_pso_permissions(self):
"""Checks that regular users can't modify/view PSO objects"""
user = self.add_user("testuser")
# get an ldb connection with the new user's privileges
user_ldb = self.get_ldb_connection("testuser", user.get_password(),
self.host_url)
# regular users should not be able to create a PSO (at least, not in
# the default Password Settings container)
try:
priv_pso = PasswordSettings("priv-PSO", user_ldb, password_len=20)
self.fail()
except ldb.LdbError as e:
(num, msg) = e.args
self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg)
# create a PSO as the admin user
priv_pso = PasswordSettings("priv-PSO", self.ldb, password_len=20)
self.add_obj_cleanup([priv_pso.dn])
# regular users should not be able to apply a PSO to a user
try:
self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn,
samdb=user_ldb)
self.fail()
except ldb.LdbError as e:
(num, msg) = e.args
self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg)
self.assertTrue('00002098' in msg, msg)
self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn,
samdb=self.ldb)
# regular users should not be able to change a PSO's precedence
try:
priv_pso.set_precedence(100, samdb=user_ldb)
self.fail()
except ldb.LdbError as e:
(num, msg) = e.args
self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg)
self.assertTrue('00002098' in msg, msg)
priv_pso.set_precedence(100, samdb=self.ldb)
# regular users should not be able to view a PSO's settings
pso_attrs = ["msDS-PSOAppliesTo", "msDS-PasswordSettingsPrecedence",
"msDS-PasswordHistoryLength", "msDS-LockoutThreshold",
"msDS-PasswordComplexityEnabled"]
# users can see the PSO object's DN, but not its attributes
res = user_ldb.search(priv_pso.dn, scope=ldb.SCOPE_BASE,
attrs=pso_attrs)
self.assertTrue(str(priv_pso.dn) == str(res[0].dn))
for attr in pso_attrs:
self.assertFalse(attr in res[0])
# whereas admin users can see everything
res = self.ldb.search(priv_pso.dn, scope=ldb.SCOPE_BASE,
attrs=pso_attrs)
for attr in pso_attrs:
self.assertTrue(attr in res[0])
# check replace/delete operations can't be performed by regular users
operations = [ FLAG_MOD_REPLACE, FLAG_MOD_DELETE ]
for oper in operations:
try:
self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn,
samdb=user_ldb, operation=oper)
self.fail()
except ldb.LdbError as e:
(num, msg) = e.args
self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg)
self.assertTrue('00002098' in msg, msg)
# ...but can be performed by the admin user
self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn,
samdb=self.ldb, operation=oper)