def test_pso_nested_groups(self): """PSOs operate correctly when applied to nested groups""" # create some PSOs that vary in priority and basic password-len group1_pso = PasswordSettings("group1-PSO", self.ldb, precedence=50, password_len=12, history_len=3) group2_pso = PasswordSettings("group2-PSO", self.ldb, precedence=25, password_len=10, history_len=5, complexity=False) group3_pso = PasswordSettings("group3-PSO", self.ldb, precedence=10, password_len=6, history_len=2) # create some groups and apply the PSOs to the groups group1 = self.add_group("Group-1") group2 = self.add_group("Group-2") group3 = self.add_group("Group-3") group4 = self.add_group("Group-4") group1_pso.apply_to(group1) group2_pso.apply_to(group2) group3_pso.apply_to(group3) # create a PSO and apply it to a group that the user is not a member # of - it should not have any effect on the user unused_pso = PasswordSettings("unused-PSO", self.ldb, precedence=1, password_len=20) unused_pso.apply_to(group4) # handle PSO clean-up (as they're outside the top-level test OU) self.add_obj_cleanup([group1_pso.dn, group2_pso.dn, group3_pso.dn, unused_pso.dn]) # create a user and check the default settings apply to it user = self.add_user("testuser") self.assert_PSO_applied(user, self.pwd_defaults) # add user to a group. Check that the group's PSO applies to the user self.set_attribute(group1, "member", user.dn) self.set_attribute(group2, "member", group1) self.assert_PSO_applied(user, group2_pso) # add another level to the group heirachy & check this PSO takes effect self.set_attribute(group3, "member", group2) self.assert_PSO_applied(user, group3_pso) # invert the PSO precedence and check the new lowest value takes effect group1_pso.set_precedence(3) group2_pso.set_precedence(13) group3_pso.set_precedence(33) self.assert_PSO_applied(user, group1_pso) # delete a PSO and check it no longer applies self.ldb.delete(group1_pso.dn) self.test_objs.remove(group1_pso.dn) self.assert_PSO_applied(user, group2_pso)
def test_pso_permissions(self): """Checks that regular users can't modify/view PSO objects""" user = self.add_user("testuser") # get an ldb connection with the new user's privileges user_ldb = self.get_ldb_connection("testuser", user.get_password(), self.host_url) # regular users should not be able to create a PSO (at least, not in # the default Password Settings container) try: priv_pso = PasswordSettings("priv-PSO", user_ldb, password_len=20) self.fail() except ldb.LdbError as e: (num, msg) = e.args self.assertEqual(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg) # create a PSO as the admin user priv_pso = PasswordSettings("priv-PSO", self.ldb, password_len=20) self.add_obj_cleanup([priv_pso.dn]) # regular users should not be able to apply a PSO to a user try: self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn, samdb=user_ldb) self.fail() except ldb.LdbError as e: (num, msg) = e.args self.assertEqual(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg) self.assertTrue('00002098' in msg, msg) self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn, samdb=self.ldb) # regular users should not be able to change a PSO's precedence try: priv_pso.set_precedence(100, samdb=user_ldb) self.fail() except ldb.LdbError as e: (num, msg) = e.args self.assertEqual(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg) self.assertTrue('00002098' in msg, msg) priv_pso.set_precedence(100, samdb=self.ldb) # regular users should not be able to view a PSO's settings pso_attrs = [ "msDS-PSOAppliesTo", "msDS-PasswordSettingsPrecedence", "msDS-PasswordHistoryLength", "msDS-LockoutThreshold", "msDS-PasswordComplexityEnabled" ] # users can see the PSO object's DN, but not its attributes res = user_ldb.search(priv_pso.dn, scope=ldb.SCOPE_BASE, attrs=pso_attrs) self.assertTrue(str(priv_pso.dn) == str(res[0].dn)) for attr in pso_attrs: self.assertFalse(attr in res[0]) # whereas admin users can see everything res = self.ldb.search(priv_pso.dn, scope=ldb.SCOPE_BASE, attrs=pso_attrs) for attr in pso_attrs: self.assertTrue(attr in res[0]) # check replace/delete operations can't be performed by regular users operations = [FLAG_MOD_REPLACE, FLAG_MOD_DELETE] for oper in operations: try: self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn, samdb=user_ldb, operation=oper) self.fail() except ldb.LdbError as e: (num, msg) = e.args self.assertEqual(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg) self.assertTrue('00002098' in msg, msg) # ...but can be performed by the admin user self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn, samdb=self.ldb, operation=oper)
def test_pso_permissions(self): """Checks that regular users can't modify/view PSO objects""" user = self.add_user("testuser") # get an ldb connection with the new user's privileges user_ldb = self.get_ldb_connection("testuser", user.get_password(), self.host_url) # regular users should not be able to create a PSO (at least, not in # the default Password Settings container) try: priv_pso = PasswordSettings("priv-PSO", user_ldb, password_len=20) self.fail() except ldb.LdbError as e: (num, msg) = e.args self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg) # create a PSO as the admin user priv_pso = PasswordSettings("priv-PSO", self.ldb, password_len=20) self.add_obj_cleanup([priv_pso.dn]) # regular users should not be able to apply a PSO to a user try: self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn, samdb=user_ldb) self.fail() except ldb.LdbError as e: (num, msg) = e.args self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg) self.assertTrue('00002098' in msg, msg) self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn, samdb=self.ldb) # regular users should not be able to change a PSO's precedence try: priv_pso.set_precedence(100, samdb=user_ldb) self.fail() except ldb.LdbError as e: (num, msg) = e.args self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg) self.assertTrue('00002098' in msg, msg) priv_pso.set_precedence(100, samdb=self.ldb) # regular users should not be able to view a PSO's settings pso_attrs = ["msDS-PSOAppliesTo", "msDS-PasswordSettingsPrecedence", "msDS-PasswordHistoryLength", "msDS-LockoutThreshold", "msDS-PasswordComplexityEnabled"] # users can see the PSO object's DN, but not its attributes res = user_ldb.search(priv_pso.dn, scope=ldb.SCOPE_BASE, attrs=pso_attrs) self.assertTrue(str(priv_pso.dn) == str(res[0].dn)) for attr in pso_attrs: self.assertFalse(attr in res[0]) # whereas admin users can see everything res = self.ldb.search(priv_pso.dn, scope=ldb.SCOPE_BASE, attrs=pso_attrs) for attr in pso_attrs: self.assertTrue(attr in res[0]) # check replace/delete operations can't be performed by regular users operations = [ FLAG_MOD_REPLACE, FLAG_MOD_DELETE ] for oper in operations: try: self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn, samdb=user_ldb, operation=oper) self.fail() except ldb.LdbError as e: (num, msg) = e.args self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, msg) self.assertTrue('00002098' in msg, msg) # ...but can be performed by the admin user self.set_attribute(priv_pso.dn, "msDS-PSOAppliesTo", user.dn, samdb=self.ldb, operation=oper)