samba.git/source4/dsdb/tests/python/acl.py, branch talloc-2.4.0 Unnamed repository; edit this file 'description' to name the repository. CVE-2020-25720: s4-acl: Adjusted some tests to work with the new behavior 2022-09-16T02:32:36+00:00 Nadezhda Ivanova nivanova@symas.com 2021-10-22T18:10:35+00:00 6dc6ca56bd517a5cba85bb4ec120fcfb5feadfb8 Test using non-priviledged accounts now need to make sure they have WP access on the prvided attributes, or Write-DACL Some test create organizational units with a specific SD, and those now need the user to have WD or else they give errors BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Test using non-priviledged accounts now need to make sure they have
WP access on the prvided attributes, or Write-DACL
Some test create organizational units with a specific SD, and those now
need the user to have WD or else they give errors

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25720 s4-acl: Test Create Child permission should not allow full write to all attributes 2022-09-16T02:32:36+00:00 Nadezhda Ivanova nivanova@symas.com 2021-10-25T08:34:57+00:00 c2761a47fd12cc2a79a02707ed9d778e496b1fd4 Up to now, the rights to modify an attribute were not checked during an LDAP add operation. This means that even if a user has no right to modify an attribute, they can still specify any value during object creation, and the validated writes were not checked. This patch includes tests for the proposed change of behavior. test_add_c3 and c4 pass, because mandatory attributes can still be set, and in the old behavior SD permissions were irrelevant BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Up to now, the rights to modify an attribute were not checked during an LDAP
add operation. This means that even if a user has no right to modify
an attribute, they can still specify any value during object creation,
and the validated writes were not checked.
This patch includes tests for the proposed change of behavior.
test_add_c3 and c4 pass, because mandatory attributes can still be
set, and in the old behavior SD permissions were irrelevant

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2022-32743 s4-acl: Add tests for validated dNSHostName write 2022-07-28T22:47:37+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-06-01T04:07:17+00:00 d277700710dc118f61065ed9e16e08e76820b66a BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
CVE-2022-32746 s4:dsdb:tests: Add test for deleting a disallowed SPN 2022-07-27T10:52:36+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-06-21T03:37:15+00:00 852a79c63c965b9861a1bd319948a51f116b7e9a If an account has an SPN that requires Write Property to set, we should still be able to delete it with just Validated Write. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> 
If an account has an SPN that requires Write Property to set, we should
still be able to delete it with just Validated Write.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
python: Don't use deprecated escape sequences 2022-06-14T07:21:29+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-04-28T08:31:50+00:00 5045382c6dd04b1bae0eaaae823be908213ff079 Certain escape sequences are not valid in Python string literals, and will eventually result in a SyntaxError. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Certain escape sequences are not valid in Python string literals, and
will eventually result in a SyntaxError.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute 2021-11-09T19:45:33+00:00 Nadezhda Ivanova nivanova@symas.com 2021-10-25T11:54:56+00:00 6121f31c0e1553194d74de41ea7bcc55364a2612 Validate Writes and Control Access Rights should only grant access if the object is of the type listed in the Right's appliesTo attribute. Tests to verify this behavior BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832 Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Validate Writes and Control Access Rights should only grant access if the
object is of the type listed in the Right's appliesTo attribute.
Tests to verify this behavior

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls 2021-11-09T19:45:33+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2021-10-08T02:49:31+00:00 48e3cf96511607e99c665773b30654c918dfa992 Without these calls the tests could pass if an expected error did not occur. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> [abartlet@samba.org Included in backport as changing ACLs while ACL tests are not checking for unexpected success would be bad] 
Without these calls the tests could pass if an expected error did not
occur.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14832

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org Included in backport as changing ACLs while
 ACL tests are not checking for unexpected success would be bad]
CVE-2020-25722 Add test for SPN deletion followed by addition 2021-11-09T19:45:33+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2021-10-18T01:07:41+00:00 62d1cb4c19670b7d5ad24083931c1b644ead5eac BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> [abartlet@samba.org Removed transaction hooks, these do nothing over remote LDAP] 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org Removed transaction hooks, these do nothing over
 remote LDAP]
python: remove all 'from __future__ import print_function' 2021-04-28T03:43:34+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2021-04-28T01:02:37+00:00 aecb2b779b88c13784b7c2691ae08da716d65ab2 This made Python 2's print behave like Python 3's print(). In some cases, where we had: from __future__ import print_function """Intended module documentation...""" this will have the side effect of making the intended module documentation work as the actual module documentation (i.e. becoming __doc__), because it is once again the first statement in the module. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This made Python 2's print behave like Python 3's print().

In some cases, where we had:

   from __future__ import print_function
   """Intended module documentation..."""

this will have the side effect of making the intended module documentation
work as the actual module documentation (i.e. becoming __doc__), because
it is once again the first statement in the module.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:dsdb:tests: add AclVisibiltyTests 2020-10-21T07:25:37+00:00 Stefan Metzmacher metze@samba.org 2020-10-07T11:21:06+00:00 06d134406739e76b97273db3023855150dbaebbc This tests a sorts of combinations in order to demonstrate the visibility of objects depending on: - with or without fDoListObject - with or without explicit DENY ACEs - A hierachy of objects with 4 levels from the base dn - SEC_ADS_LIST (List Children) - SEC_ADS_LIST_LIST_OBJECT (List Object) - SEC_ADS_READ_PROP - all possible scopes and basedns This demonstrates that NO_SUCH_OBJECT doesn't depend purely on the visibility of the base dn, it's still possible to get children returned und an invisible base dn. It also demonstrates the additional behavior with "List Object" mode. See [MS-ADTS] 5.1.3.3.6 Checking Object Visibility BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
This tests a sorts of combinations in order to
demonstrate the visibility of objects depending on:

- with or without fDoListObject
- with or without explicit DENY ACEs
- A hierachy of objects with 4 levels from the base dn
- SEC_ADS_LIST (List Children)
- SEC_ADS_LIST_LIST_OBJECT (List Object)
- SEC_ADS_READ_PROP
- all possible scopes and basedns

This demonstrates that NO_SUCH_OBJECT doesn't depend purely
on the visibility of the base dn, it's still possible to
get children returned und an invisible base dn.

It also demonstrates the additional behavior with "List Object" mode.
See [MS-ADTS] 5.1.3.3.6 Checking Object Visibility

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14531

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>