def log_event(source, type="error", message=None, data=None, id=0, category=0, principal=core.UNSET): """Convenience function to log an event against an existing source. :param source: anything accepted by :func:`event_source` :param type: an :data:`EVENTLOG_TYPE` :param message: a string or list of strings :param data: a bytestring :param id: a number corresponding to the event message :param category: a number relevant to the event source :param principal: anything which :func:`accounts.principal` accepts [logged-on user] """ type = EVENTLOG_TYPE.constant(type) principal = accounts.me() if principal is core.UNSET else accounts.principal(principal) if isinstance(message, basestring): message = [message] message = message or [] with event_source(source) as hLog: wrapped( win32evtlog.ReportEvent, hLog, type, category, id, principal.pyobject(), message, data )
def _from_sid_and_attribute (data): sid, attributes = data # # SDK says that no attributes are defined at present, # so ignore them! # return accounts.principal (sid)
def delete_user(user_name=None): if user_name is None: user_name = util.get_param(2, None) if user_name is None: p("}}enInvalid User name - not removing account!}}xx") return False curr_user = None try: curr_user = accounts.principal(user_name) except Exception as ex: p("}}rbInvalid User Account - Not deleting!}}xx", debug_level=1) return False # Remove the profile first ret = UserAccounts.remove_account_profile(user_name) # Remove the local user try: curr_user.delete() except Exception as ex: p("}}rbError - Unable to remove account: " + str(user_name) + "}}xx\n" + str(ex)) return False return True
def _from_sid_and_attribute(data): sid, attributes = data # # SDK says that no attributes are defined at present, # so ignore them! # return accounts.principal(sid)
def log_event(source, type="error", message=None, data=None, id=0, category=0, principal=core.UNSET): """Convenience function to log an event against an existing source. :param source: anything accepted by :func:`event_source` :param type: an :data:`EVENTLOG_TYPE` :param message: a string or list of strings :param data: a bytestring :param id: a number corresponding to the event message :param category: a number relevant to the event source :param principal: anything which :func:`accounts.principal` accepts [logged-on user] """ type = EVENTLOG_TYPE.constant(type) principal = accounts.me( ) if principal is core.UNSET else accounts.principal(principal) if isinstance(message, basestring): message = [message] message = message or [] with event_source(source) as hLog: wrapped(win32evtlog.ReportEvent, hLog, type, category, id, principal.pyobject(), message, data)
def from_tuple(cls, ace_info): (trustee, access, audit_what) = ace_info audit_success, audit_failure = cls._audit_what(audit_what) return cls(trustee=accounts.principal(trustee), access=cls._access(access), type=ACE_TYPE.SYSTEM_AUDIT, audit_success=audit_success, audit_failure=audit_failure)
def test_dace_tuple2(self): dace2 = _aces.dace((accounts.principal("Everyone"), "F", "ALLOW")) assert dace2.type == win32security.ACCESS_ALLOWED_ACE_TYPE assert dace2.is_allowed == True assert dace2._trustee.pyobject() == everyone assert dace2._access_mask == ntsecuritycon.GENERIC_ALL assert dace2.flags == _aces.ACE.FLAGS assert dace2.object_type is core.UNSET assert dace2.inherited_object_type is core.UNSET
def test_dace_tuple1 (self): dace1 = _aces.dace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, win32security.ACCESS_ALLOWED_ACE_TYPE)) assert dace1.type == win32security.ACCESS_ALLOWED_ACE_TYPE assert dace1.is_allowed == True assert dace1._trustee.pyobject () == everyone assert dace1._access_mask == ntsecuritycon.GENERIC_ALL assert dace1.flags == _aces.ACE.FLAGS assert dace1.object_type is core.UNSET assert dace1.inherited_object_type is core.UNSET
def test_dace_tuple2 (): dace2 = _aces.dace ((accounts.principal ("Everyone"), "F", "ALLOW")) assert dace2.type == win32security.ACCESS_ALLOWED_ACE_TYPE assert dace2.is_allowed == True assert dace2._trustee.pyobject () == everyone assert dace2._access_mask == ntsecuritycon.GENERIC_ALL assert dace2.flags == _aces.ACE.FLAGS assert dace2.object_type is core.UNSET assert dace2.inherited_object_type is core.UNSET
def test_sace_tuple2 (): sace1 = _aces.sace ((accounts.principal ("Everyone"), "F", "FAILURE")) assert sace1.type == win32security.SYSTEM_AUDIT_ACE_TYPE assert not sace1.audit_success assert sace1.audit_failure assert sace1._trustee.pyobject () == everyone assert sace1._access_mask == ntsecuritycon.GENERIC_ALL assert sace1.flags == _aces.ACE.FLAGS assert sace1.object_type is core.UNSET assert sace1.inherited_object_type is core.UNSET
def test_sace_tuple2(self): sace1 = _aces.sace((accounts.principal("Everyone"), "F", "FAILURE")) assert sace1.type == win32security.SYSTEM_AUDIT_ACE_TYPE assert not sace1.audit_success assert sace1.audit_failure assert sace1._trustee.pyobject() == everyone assert sace1._access_mask == ntsecuritycon.GENERIC_ALL assert sace1.flags == _aces.ACE.FLAGS assert sace1.object_type is core.UNSET assert sace1.inherited_object_type is core.UNSET
def from_tuple (cls, ace_info): (trustee, access, audit_what) = ace_info audit_success, audit_failure = cls._audit_what (audit_what) return cls ( trustee=accounts.principal (trustee), access=cls._access (access), type=ACE_TYPE.SYSTEM_AUDIT, audit_success=audit_success, audit_failure=audit_failure )
def test_dace_tuple1(): dace1 = _aces.dace( (accounts.principal(everyone), ntsecuritycon.GENERIC_ALL, win32security.ACCESS_ALLOWED_ACE_TYPE)) assert dace1.type == win32security.ACCESS_ALLOWED_ACE_TYPE assert dace1.is_allowed == True assert dace1._trustee.pyobject() == everyone assert dace1._access_mask == ntsecuritycon.GENERIC_ALL assert dace1.flags == _aces.ACE.FLAGS assert dace1.object_type is core.UNSET assert dace1.inherited_object_type is core.UNSET
def __init__(self, event_log_name, event_log_entry): self._event_log_name = event_log_name self._event_log_entry = event_log_entry self.record_number = event_log_entry.RecordNumber self.time_generated = utils.from_pytime(event_log_entry.TimeGenerated) self.time_written = utils.from_pytime(event_log_entry.TimeWritten) self.event_id = event_log_entry.EventID self.event_type = event_log_entry.EventType self.event_category = event_log_entry.EventCategory self.sid = accounts.principal(event_log_entry.Sid) self.computer_name = event_log_entry.ComputerName self.source_name = event_log_entry.SourceName self.data = event_log_entry.Data self._message = None
def __init__ (self, event_log_name, event_log_entry): self._event_log_name = event_log_name self._event_log_entry = event_log_entry self.record_number = event_log_entry.RecordNumber self.time_generated = utils.from_pytime (event_log_entry.TimeGenerated) self.time_written = utils.from_pytime (event_log_entry.TimeWritten) self.event_id = event_log_entry.EventID self.event_type = event_log_entry.EventType self.event_category = event_log_entry.EventCategory self.sid = accounts.principal (event_log_entry.Sid) self.computer_name = event_log_entry.ComputerName self.source_name = event_log_entry.SourceName self.data = event_log_entry.Data self._message = None
def from_ace (cls, ace): (type, flags) = ace[0] name = ACE_TYPE.name_from_value (type) if u"object" in name.lower ().split (u"_"): mask, object_type, inherited_object_type, sid = ace[1:] else: mask, sid = ace[1:] object_type = inherited_object_type = None if issubclass (cls, DACE): _class = DACE elif issubclass (cls, SACE): _class = SACE else: if name in ACE_TYPE.names (u"ACCESS_*"): _class = DACE else: _class = SACE return _class (accounts.principal (sid), mask, type, flags, object_type, inherited_object_type)
def from_ace(cls, ace): (type, flags) = ace[0] name = ACE_TYPE.name_from_value(type) if u"object" in name.lower().split(u"_"): mask, object_type, inherited_object_type, sid = ace[1:] else: mask, sid = ace[1:] object_type = inherited_object_type = None if issubclass(cls, DACE): _class = DACE elif issubclass(cls, SACE): _class = SACE else: if name in ACE_TYPE.names(u"ACCESS_*"): _class = DACE else: _class = SACE return _class(accounts.principal(sid), mask, type, flags, object_type, inherited_object_type)
def text_context(self): assert win32api.GetUserName() != "alice" with accounts.principal("alice").impersonate("Passw0rd"): assert win32api.GetUserName() == "alice" assert win32api.GetUserName() != "alice"
def set_default_ope_registry_permissions(student_user = "", laptop_admin_user = ""): try: if student_user == "": student_user = RegistrySettings.get_reg_value(value_name="student_user", default="") if laptop_admin_user == "": laptop_admin_user = RegistrySettings.get_reg_value(app="OPEService", value_name="admin_user", default="administrator") if laptop_admin_user == "": laptop_admin_user = None if student_user == "": p("}}rnNo credentialed student set!}}xx") #return False student_user = None # Make sure this user exists if student_user is not None: try: # Will throw an exception if the user doesn't exist student_p = accounts.principal(student_user) except Exception as ex: # Invalid student account p("}}rbInvalid Student Account - skipping permissions for this account: " + str(student_user) + "}}xx") student_user = None # Make sure the admin user exists if laptop_admin_user is not None: try: admin_p = accounts.principal(laptop_admin_user) except Exception as ex: # Invalid admin account! p("}}rbInvalid Admin Account - skipping permissions for this account: " + str(laptop_admin_user) + "}}xx") laptop_admin_user = None base_dacl = [ ("Administrators", registry.Registry.ACCESS["F"], "ALLOW"), ("SYSTEM", registry.Registry.ACCESS["F"], "ALLOW"), #("Users", registry.Registry.ACCESS["Q"], "ALLOW") ] service_base_dacl = [ ("Administrators", registry.Registry.ACCESS["F"], "ALLOW"), ("SYSTEM", registry.Registry.ACCESS["F"], "ALLOW"), # Don't let regular users read OPEService key #("Users", registry.Registry.ACCESS["Q"], "ALLOW") ] logged_in_user = win32api.GetUserName() if logged_in_user.upper() != "SYSTEM" and logged_in_user != "": base_dacl.append((logged_in_user, registry.Registry.ACCESS["F"], "ALLOW")) service_base_dacl.append((logged_in_user, registry.Registry.ACCESS["F"], "ALLOW")) if laptop_admin_user is not None and laptop_admin_user != "": # Make sure this admin has registry access base_dacl.append((laptop_admin_user, registry.Registry.ACCESS["F"], "ALLOW")) service_base_dacl.append((laptop_admin_user, registry.Registry.ACCESS["F"], "ALLOW")) # Make sure the logging registry key has proper permissions reg = registry.registry(r"HKLM\System\CurrentControlSet\Services\EventLog\Application\OPE", access=REGISTRY_ACCESS.KEY_ALL_ACCESS|REGISTRY_ACCESS.KEY_WOW64_64KEY) reg.create() with reg.security() as s: # Break inheritance causes things to reapply properly s.break_inheritance(copy_first=True) #s.dacl = base_dacl s.dacl.append(("Everyone", registry.Registry.ACCESS["R"], "ALLOW")) # s.dacl.dump() reg = registry.registry(r"HKLM\Software\OPE", access=REGISTRY_ACCESS.KEY_ALL_ACCESS|REGISTRY_ACCESS.KEY_WOW64_64KEY) reg.create() with reg.security() as s: # Break inheritance causes things to reapply properly s.break_inheritance(copy_first=True) s.dacl = base_dacl if student_user is not None: s.dacl.append((student_user, registry.Registry.ACCESS["R"], "ALLOW")) s.dacl.append(("Everyone", registry.Registry.ACCESS["R"], "ALLOW" )) # s.dacl.dump() reg = registry.registry(r"HKLM\Software\OPE\OPELMS", access=REGISTRY_ACCESS.KEY_ALL_ACCESS|REGISTRY_ACCESS.KEY_WOW64_64KEY) reg.create() with reg.security() as s: # Break inheritance causes things to reapply properly s.break_inheritance(copy_first=True) s.dacl = base_dacl if student_user is not None: s.dacl.append((student_user, registry.Registry.ACCESS["C"], "ALLOW")) s.dacl.append(("Everyone", registry.Registry.ACCESS["R"], "ALLOW" )) # s.dacl.dump() reg = registry.registry(r"HKLM\Software\OPE\OPEService", access=REGISTRY_ACCESS.KEY_READ|REGISTRY_ACCESS.KEY_WOW64_64KEY) reg.create() with reg.security() as s: # Break inheritance causes things to reapply properly s.break_inheritance(copy_first=True) s.dacl = service_base_dacl #if student_user is not None: # s.dacl.append((student_user, registry.Registry.ACCESS["Q"], "ALLOW")) # s.dacl.dump() reg = registry.registry(r"HKLM\Software\OPE\OPELMS\student", access=REGISTRY_ACCESS.KEY_READ|REGISTRY_ACCESS.KEY_WOW64_64KEY) reg.create() with reg.security() as s: # Break inheritance causes things to reapply properly s.break_inheritance(copy_first=True) s.dacl = base_dacl if student_user is not None: s.dacl.append((student_user, registry.Registry.ACCESS["C"], "ALLOW")) s.dacl.append(("Everyone", registry.Registry.ACCESS["R"], "ALLOW" )) # s.dacl.dump() p("}}gnRegistry Permissions Set}}xx", log_level=3) except Exception as ex: p("}}rbUnknown Exception! }}xx\n" + str(ex)) return False return True
def test_dace_ne_type (): assert \ _aces.dace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, win32security.ACCESS_ALLOWED_ACE_TYPE)) != \ _aces.dace ((accounts.principal ("Everyone"), "R", "DENY"))
def test_dace_eq (): assert \ _aces.dace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, win32security.ACCESS_ALLOWED_ACE_TYPE)) == \ _aces.dace ((accounts.principal ("Everyone"), "F", "ALLOW"))
def test_sace_ne_type (): assert \ _aces.sace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, (1, 0))) != \ _aces.sace ((accounts.principal ("Everyone"), "R", "FAILURE"))
def test_sace_eq (): assert \ _aces.sace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, (1, 1))) == \ _aces.sace ((accounts.principal ("Everyone"), "F", "ALL"))
import os, sys import operator from nose.tools import * import utils from winsys import core, accounts from winsys._security import _aces import win32security import ntsecuritycon import tempfile everyone, _, _ = win32security.LookupAccountName (None, "Everyone") me = accounts.me () administrators = accounts.principal ("Administrators") filehandle = filename = None def setup (): utils.change_priv (win32security.SE_SECURITY_NAME, True) global filehandle, filename filehandle, filename = tempfile.mkstemp () print filename dacl = win32security.ACL () dacl.AddAccessAllowedAceEx (win32security.ACL_REVISION_DS, 0, ntsecuritycon.FILE_READ_DATA, everyone) sacl = win32security.ACL () sacl.AddAuditAccessAce (win32security.ACL_REVISION_DS, ntsecuritycon.FILE_READ_DATA, everyone, 1, 1) win32security.SetNamedSecurityInfo ( filename, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION | win32security.SACL_SECURITY_INFORMATION, None, None, dacl, sacl )
def test_principal_sid (self): everyone, domain, type = win32security.LookupAccountName (None, "Everyone") assert accounts.principal (everyone).pyobject () == everyone
def test_principal_string(self): everyone, domain, type = win32security.LookupAccountName( None, "Everyone") assert accounts.principal("Everyone") == everyone
def test_principal_invalid(self): with self.assertRaises(accounts.exc.x_not_found): accounts.principal(object)
def test_principal_Principal(self): everyone, domain, type = win32security.LookupAccountName( None, "Everyone") principal = accounts.Principal(everyone) assert accounts.principal(principal) is principal
def test_principal_sid(self): everyone, domain, type = win32security.LookupAccountName( None, "Everyone") assert accounts.principal(everyone).pyobject() == everyone
def test_principal_None(self): assert accounts.principal(None) is None
def _set_trustee (self, trustee): if self.inherited: raise exc.x_access_denied (errctx=u"ACE._get_trustee", errmsg=u"Cannot change an inherited ACE") self._trustee = accounts.principal (trustee)
def test_sace_ne_access(): assert \ _aces.sace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, (1, 0))) != \ _aces.sace ((accounts.principal ("Everyone"), "R", (1, 0)))
def from_tuple(cls, ace_info): (trustee, access, allow_or_deny) = ace_info return cls(accounts.principal(trustee), cls._access(access), cls._type(allow_or_deny))
def test_sace_ne_trustee(self): assert \ _aces.sace((accounts.principal(everyone), ntsecuritycon.GENERIC_ALL,(1, 1))) != \ _aces.sace((accounts.principal("Administrators"), "F", "ALL"))
def principal(account): try: return accounts.principal(account) except exc.x_not_found: return "<unknown>"
def text_context (self): assert win32api.GetUserName () != "alice" with accounts.principal ("alice").impersonate ("Passw0rd"): assert win32api.GetUserName () == "alice" assert win32api.GetUserName () != "alice"
def test_principal_None (self): assert accounts.principal (None) is None
def test_dace_ne_access(self): assert \ _aces.dace((accounts.principal(everyone), ntsecuritycon.GENERIC_ALL, win32security.ACCESS_ALLOWED_ACE_TYPE)) != \ _aces.dace((accounts.principal("Everyone"), "R", "ALLOW"))
def test_sace_ne_trustee (): assert \ _aces.sace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, (1, 1))) != \ _aces.sace ((accounts.principal ("Administrators"), "F", "ALL"))
def test_principal_invalid (self): with self.assertRaises (accounts.exc.x_not_found): accounts.principal (object)
def test_principal_invalid (): accounts.principal (object)
def test_principal_string (self): everyone, domain, type = win32security.LookupAccountName (None, "Everyone") assert accounts.principal ("Everyone") == everyone
def test_dace_ne_trustee (): assert \ _aces.dace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, win32security.ACCESS_ALLOWED_ACE_TYPE)) != \ _aces.dace ((accounts.principal ("Administrators"), "F", "ALLOW"))
def test_principal_Principal (self): everyone, domain, type = win32security.LookupAccountName (None, "Everyone") principal = accounts.Principal (everyone) assert accounts.principal (principal) is principal
import os, sys import functools import operator import win32security import ntsecuritycon import tempfile from winsys._compat import unittest from winsys.tests import utils as testutils from winsys import core, accounts from winsys._security import _aces everyone, _, _ = win32security.LookupAccountName(None, "Everyone") me = accounts.me() administrators = accounts.principal("Administrators") @unittest.skipUnless(testutils.i_am_admin(), "These tests must be run as Administrator") class TestAces(unittest.TestCase): def setUp(self): testutils.change_priv(win32security.SE_SECURITY_NAME, True) self.filehandle, self.filename = tempfile.mkstemp() dacl = win32security.ACL() dacl.AddAccessAllowedAceEx(win32security.ACL_REVISION_DS, 0, ntsecuritycon.FILE_READ_DATA, everyone) sacl = win32security.ACL() sacl.AddAuditAccessAce(win32security.ACL_REVISION_DS, ntsecuritycon.FILE_READ_DATA, everyone, 1, 1) win32security.SetNamedSecurityInfo(
def _set_trustee(self, trustee): if self.inherited: raise exc.x_access_denied(errctx=u"ACE._get_trustee", errmsg=u"Cannot change an inherited ACE") self._trustee = accounts.principal(trustee)
def test_sace_eq(self): assert \ _aces.sace((accounts.principal(everyone), ntsecuritycon.GENERIC_ALL,(1, 1))) == \ _aces.sace((accounts.principal("Everyone"), "F", "ALL"))
def from_tuple (cls, ace_info): (trustee, access, allow_or_deny) = ace_info return cls (accounts.principal (trustee), cls._access (access), cls._type (allow_or_deny))
def test_sace_ne_type(self): assert \ _aces.sace((accounts.principal(everyone), ntsecuritycon.GENERIC_ALL,(1, 0))) != \ _aces.sace((accounts.principal("Everyone"), "R", "FAILURE"))
from winsys import accounts accounts.principal("python").delete()
def test_dace_ne_trustee(self): assert \ _aces.dace((accounts.principal(everyone), ntsecuritycon.GENERIC_ALL, win32security.ACCESS_ALLOWED_ACE_TYPE)) != \ _aces.dace((accounts.principal("Administrators"), "F", "ALLOW"))
def test_sace_ne_access (self): assert \ _aces.sace ((accounts.principal (everyone), ntsecuritycon.GENERIC_ALL, (1, 0))) != \ _aces.sace ((accounts.principal ("Everyone"), "R", (1, 0)))
def principal (account): try: return accounts.principal (account) except exc.x_not_found: return "<unknown>"
def test_principal_invalid(): accounts.principal(object)