a )&iÈ@sddlZddlZddlZddlZddlmZddlmZddlZddl m Z ddl m Z m Z ddlmZddlmZmZddlmZmZdd lmZddlmZddlZdd lmZmZmZdd lm Z m!Z!d Z"hd Z#dZ$dZ%dZ&ej'Z(ej)Z*ej+Z,ej-Z.ej/Z0ej1Z2ej3Z4ze5Wne6y2ddZ5Yn0ddZ7e7d&ddZ8d'ddZ9d(ddZ:GdddeZ;eGddde;Zd$d%Z?e?dS))N)SamDB)system_session)SDUtils)DONT_USE_KERBEROS Credentials) FEATURE_SEAL)SubunitOptions TestProgram)TestCaseldb_err)DynamicTestCase)c_REDc_GREEN c_DARK_YELLOW)UF_SERVER_TRUST_ACCOUNTUF_TRUSTED_FOR_DELEGATIONz$f3a64788-5306-11d1-a9c5-0000f80367c1> dNSHostNameservicePrincipalNamednsAMAccountNameTFreportcCsddl}|dS)Nr)pdbZ set_trace)rr6/usr/lib/python3/dist-packages/samba/tests/ldap_spn.py breakpointAsrcCstd}t|}||t|}||t|a|t|jdddt j d|jddd| \}}t |d kr|t d |a|ta|d ata|ja|jadS) Nz&python3 ldap_spn.py [options]z--colour store_truezuse colour text)actionhelpdefaultz--filterz"only run tests matching this regex)rr)optparseZ OptionParseroptionsZ SambaOptionsZadd_option_groupZCredentialsOptionsr subunitoptsZ add_optionsysstdoutisatty parse_argslenZ print_usageexitZ get_loadparmLPZget_credentialsCREDSSERVER get_realmREALMZcolour COLOUR_TEXTfilterFILTER)parserZ sambaoptsZcredoptsoptsargsrrrinitFs0         r4cCs0ts|S|dkrt|S|dkr(t|St|S)Nerrorpass)r.r rr)xstaterrr colour_textlsr9cCs.|durt}t}nd}tdtt||dS)Nzldap://)ZurlZlpZ session_infoZ credentials)r*rrr+r))credsZsessionrrr get_samdbws r; samba123@c Cst}|||||t|t|t | t t B| td|d|}|ddd}|j|||d|rt|}||} |D]"} dtd| d} || | qt|d } | S) NCN=,rr)Zuserouz (OA;CI;WP;z;;))r:)rZ set_usernameZ set_passwordZ set_domainr*Z get_domainZ set_realmr,Zset_workstationZget_workstationZset_gensec_featuresZget_gensec_featuresrZset_kerberos_statersplitZnewuserrZget_object_sidSPN_GUIDZ dacl_add_acer;) samdbouZusernamewriteable_objectsZpasswordr:ZdnstrZshort_ouZsd_utilsZsidobjmodZ unpriv_samdbrrradd_unpriv_users&     rGc@sLeZdZdZeddZddZddZdd Zd d Z d d Z ddZ dS)LdapSpnTestBaseFcCsTt|ddrdS|jD]8^}}tr0tt|s0qtdd|}|d|||qdS)N _disabledFz\W+_Ztest_spn)getattrcasesr0researchsubZgenerate_dynamic_test)clsdocrowsnamerrrsetUpDynamicTestCasess  z%LdapSpnTestBase.setUpDynamicTestCasescCsRtdd|D}|D]6}d|vr4|dd\}}nd}t|d||qdS)Ncss|]}|dVqdS)rNr.0rrrr z0LdapSpnTestBase.setup_objects..:rdcZadd_)setr@rK)selfrRobjectsrSobjtyperrr setup_objectss zLdapSpnTestBase.setup_objectscsdji_tdd|D}|D]`}|dkr0q"|dkrBd}d}n(d|dd}fd d |dD}tjj||j|<q"dS) N*css|]}|dVqdS)NrrUrrrrXrYz.LdapSpnTestBase.setup_users..ZnobodyZwrites_r>rJcsg|]}j|dqS)r)r^rVr7r]rr rYz/LdapSpnTestBase.setup_users..)rBuserdbsr\replacer@rGrC)r]rRZ permissionspuserrDrrer setup_userss zLdapSpnTestBase.setup_userscCsXt|}t|d}t|d}trLtjtdtdd|dtjt|_ |j |_ | ddddd |_i|_d |jd |j |_||j j|jd g|j |j||||t|D]v\}}t|d kr|\}} } } } n|\}} } } tj} |j| } d|vr:|dd\}}nd}|j|\}}d|i}t| trl|| n| |d<t| }|!t"st#d|t"ddD]\}t|$|t%r||j&dt'd||<n(t|$|t(rdd||D||<qtj)*| || }| t+urz| ,|WnXtj-y}zz tree_delete:1rZr[rrzunexpected attr z. Casefold typo?)rrx.dnsnamecSsg|]}|jdtdqS)rprq)formatr-rdrrrrfrYz7LdapSpnTestBase._test_spn_with_args..zrow z of 'z' failed as expected with z:  z on z should fail (r?z of z failed with z: z' Z SUCCEEDEDZFAILEDz with z' FAILED with rz' should have failed with z: not )6r9r.r#stderrflushprintrr$r;rBZget_default_basednbase_dnidrsplitZshort_idr^rC addCleanupdeleteZ create_our`rk enumerater'ldbFLAG_MOD_REPLACErgr@ isinstancedictupdater\keysissubsetRELEVANT_ATTRS ValueErrorgetstrrsr-listZMessageZ from_dictbadZmodifyZLdbErrorr ZfailpprintZpformatokrrr3)r]rRrQZcdocZedocZpdocirowrEdataZrightsZexpectedoprBr_rrrmrkmsgerrr_test_spn_with_argss                "         < z#LdapSpnTestBase._test_spn_with_argscCshd|d|j}|dt}|j|dtttB||d| |j |||f|j |<dS)Nr=z,OU=Domain Controllers,rmZcomputer)r objectclassZuserAccountControlZ dnsHostName carLicense) rxr-lowerrBaddrrrryr{ remove_objectr^r]rSrrrrrradd_dcFszLdapSpnTestBase.add_dccCsNd|d|j}|j|||d|d||j||df|j|<dS)Nr=r>rj)rrSZsamAccountNamerr)rCrBrryr{rr^)r]rSrrrradd_userTszLdapSpnTestBase.add_usercCs |j|\}}|j|dS)N)r^poprBr|rrrrr`szLdapSpnTestBase.remove_objectN) __name__ __module__ __qualname__rI classmethodrTr`rkrrrrrrrrrHs  !m rHcd@seZdZdZddddeffddddeffddddeffd dddefdd deffd dddefdd deffd dddefdd deffd dddefdd deeffddddefdd deeffddddefdd deeffddddefdddeeffddddefdddeeffddddefdddeeffddddefdddeffddddefdddeffddddefdddefdddeffddddefdddefdddeffddddefdddefdddeffd dddefdddefddd!effd"dddefddd#efddd#effd$dddefdddefdddeffd%dddefdd&defdddeffd'dddefdd&defddd#effd(dddefdd&defdddeffd)dddefdddeffd*dddefdddeffd+dddefdddeeffd,dddefdddeeffd-dddefdddeeffd.dddefdddeeffd/d0ddefdddeffd1d0ddefdddeffd2d0ddefddd3effd4d0ddefd5d&deffd6d0ddefd5d&deffd7d0ddefd5d&d8effd9d0ddefd5d&deffd:dddefddd#effd;dddefd5ddeffddd?defdd@deffdAdd?defdd@deffdBdd?defdd@deffdCddDdefddEdeffdFd0dEdefd5dDdeffdGddHdIidefddJdefddJdefddHdKidefddJdefddLdeffdMddHdNidefddOdefddOdefddHdPidefddOdefddQdefddRdeffdSddIdefddTdefddUdefddVdefd0dWdeffdXddYdefddZdefdd[defdd\defdd]defdd^deefdd_deefdd`defddadefddbdefddcdefddddeefddedeefddfdefddgdefddhdefddidefddjdefddkdefddldefddmdefd0dndefd0dodefddodefddpdefddqdefddrdefddsdefddtdefddudefddvdefddwdeefddxdefddydefddydefddzdefdd{defdd|deefdd}deefdd~defdddefdddefdddefdddefdddefdddefdddefdddefdddeff2ddddefdddefdddefdddeffddddefddHdKidefdddefdddefdddeffddddefdddeffddddefdddeffddddefdddeffddddefddHdKidefdddefdddefdddeffdddHdIidefdddefddHdKidefdddefdddefdddeffg7Z dS) LdapSpnTestuMake sure we can't add clashing servicePrincipalNames. This would be possible using sPNMappings aliases — for example, if the mapping maps host/ to cifs/, we should not be able to add different addresses for each. zadd one as adminAhost/{dnsname}razadd one as rightful userzattempt to add one as nobodyrczadd and replace as adminzhost/x.{dnsname}zreplace as rightful userz attempt to replace one as nobodyzadd second as adminzadd second as rightful userzattempt to add second as nobodyz.add the same one twice, simple duplicate errorz)simple duplicate attributes, as non-adminz+add the same one twice, identical duplicatez%add a conflict, host first, as nobodyhost/z.{dnsname}Bcifs/z.{dnsname}z(add a conflict, service first, as nobodycifs/{dnsname}z(three way conflict, host first, as adminCwww/z.{dnsname}z6three way conflict, host first, with sufficient rightszB,AC,Az0three way conflict, host first, adding duplicatez=three way conflict, host first, adding duplicate, full rightszC,B,Az7three way conflict, host first, with other write rightsA,Bz)three way conflict, host first, as nobodyz,three way conflict, services first, as admin www/{dnsname}z=three way conflict, services first, with service write rightsz,three way conflict, service first, as nobodyzreplace host before specificz&replace host after specific, as nobodyz!non-conflict host before specificz non-conflict host after specificz,non-conflict host before specific, non-adminz+non-conflict host after specific, as nobodyz,add a conflict, host first on user, as adminuser:Cz/add a conflict, host first on user, host rightsz/add a conflict, host first on user, both rightsB,Cz'add a conflict, host first both on useruser:Dz4add a conflict, host first both on user, host rightsz4add a conflict, host first both on user, both rightszC,Dz2add a conflict, host first both on user, as nobodyz2add a conflict, host first, with both write rightsz4add a conflict, host first, second on user, as adminz7add a conflict, host first, second on user, with rightszA,Dznonsense SPNs, part 1, as adminza-b-c/{dnsname}zrrrrrrrrrrrrr /{dnsname}znonsense SPNs, part 1, as userz nonsense SPNs, part 1, as nobodyzadd a conflict, using portz dns/{dnsname}zdns/{dnsname}:53z&add a conflict, using port, port firstzthree part spnsr {dnsname}'cifs/{dnsname}/DomainDNSZones.{dnsname} y.{dnsname})cifs/y.{dnsname}/DomainDNSZones.{dnsname}zthree part nonsense spnsZbeanzcifs/bean/DomainDNSZones.beanzy.beanzcifs/y.bean/DomainDNSZones.beanzhost/bean/beanzone part spns (no slashes)Zcifszcifs/rtZhostz dodgy spnsz \/{dnsname}zcifs/\\{dnsname}zcifs/\\\{dnsname}zcifs/\\\{dnsname}/ucīfs/\\\{dnsname}/u cifs/sficucifs/\\\{dnsname}rlz / z / / z / / / z /* and so on */ u ¯\_(ツ)_/¯u ¯\_(つ)_/¯u ¯\_(㋡)_/¯z//z //z/host/{dnsname}z /host/x.y.zz/ /x.y.zz / / shost/z /hostu /HōSTu /ħØştz /H0STu /НoSTz /hostu /hostu 2/HōST/⌷[ ][]¨(z (//)z ///z /\//z\//z\\/\\/z|//|z\/\/\\rZz:/:z:/:80u:/:( ツz:/:/:scifs/\example.coms:/s :/b/b/b/bs a@b/a@b/a@bs a/a@b/a@bz%empty part spns (consecutive slashes)zcifs//{dnsname}zcifs/zzzy.{dnsname}/z/host/zzzy.{dnsname}ztoo many spn partsz"cifs/{dnsname}/{dnsname}/{dnsname}zcifs/{dnsname}/{dnsname}/zcifs/y.{dnsname}/{dnsname}/toopzhost/{dnsname}/a/b/cz$add a conflict, host first, as adminz2add a conflict, host first, with host write rightsz8add a conflict, service first, with service write rightsz5adding dNSHostName after cifs with no old dNSHostNamecifs/y.{dnsname}host/y.{dnsname}zchanging dNSHostName after cifsN) rrr__doc__rdeniedrr constraintrLrrrrresZ                                                                                                                                                              <                      rc'@seZdZdejvZddddefdddeffddd defdd deffd dd defdd deffd dd defdd d effddd defdddeffddd defdddefddd gdeffddddidefdd defdddidefdd defddde fddde ffddddefdddeffddddefdddeffddd defdd defdd deffd dd defdd defdd deffd!dd defdd defdd dee fdd dee ffd"dd#defdd defdd defdd deffd$dd#defdd defdd d%efdd d%effd&dd defdd dee fdddee fdd'dee fdd(dee fdddee fdd dee fdd dee fdddee fdd(dee ff d)dd defdd dee fdddee fdd'dee fdd(dee fdddee fdd dee fdd dee fdddee fdd(dee ff d*dddefdddefd+d,d+effd-dddefddde fd+d,d.effd/dd defdd d efdd defdd defd+dd0efd+dd1efdd d efdd2defd+dd+efdd defdd de fdd d0e fd+dd+ee fdd dee fdd defd+dd1ee fdd d effd3dd defddd0efd+d d0e ffd4dd defdddefd+d d0e ffd5dd defdddefd+d d+e ffd6dd defdd dee fddd0efdd d e fdddee fdd d efd+d d+e fd+d d1eff d7dd d8efdddefd+d d8e ffgZ d9S):LdapSpnSambaOnlyTestZSAMBA_SELFTESTz5add a conflict, host first, with service write rightsrrrarrz5add a conflict, service first, with host write rightsrrz'add a conflict, service first, as adminz5add a conflict, service first, with both write rightsrz7add a conflict, host first both on user, service rightsrrrDz)add a conflict, along with a re-added SPNzcifs/heeble.example.netzchanging dNSHostName after hostrrrrrz!mystery dnsname clash, host firstzhost/heeble.example.netzwww/heeble.example.netz mystery dnsname clash, www firstzreplace as adminz replace as non-admin with rightsz,replace vial delete as non-admin with rightsz#replace as non-admin without rightszcifs/bzreplace as nobodyrczaccumulate and delete as adminzwww/...zhost/...z&accumulate and delete with user rightsz9three way conflict, host first, with partial write rightsrrz;three way conflict, host first, with partial write rights 2rz.three way conflict sandwich, sufficient rightszA,B,Crzldap/{dnsname}z8three way conflict, service first, with all write rightsz9three way conflict, service first, just sufficient rightsz9three way conflict, service first, with host write rightsz9three way conflict, service first, with both write rightsz7three way conflict, services first, with partial rightszA,CN) rrrosenvironrIrrrrr|rrLrrrrrs6                                                                                                          rc@seZdZdZddddefdddeffdd ddefd d deeffd d d deffd dd d ddej fdddidefdddidefdddidefdddideffdd ddidefd ddefd ddidefdddefdddefdddefd ddeffgZ dS)LdapSpnAmbitiousTestTz1add a conflict with port, host first both on userrrrarzwww/{dnsname}:80z2add the same one twice, case-insensitive duplicaterzHost/{dnsname}z special SPNzSE3514235-4B06-11D1-AB04-00C04FC2DCD2/75b84f00-a81b-4a19-8ef2-8e483cccff11/{dnsname}z(single part SPNs matching sAMAccountNamezuser:A)rrzuser:Brrrrz three part spns with dnsHostNamerrrrrzhost/{y.dnsname}/{y.dnsname}zhost/y.{dnsname}/{dnsname}N) rrrrIrrrrr~ZERR_NO_SUCH_OBJECTrLrrrrrpsF          rcCstttddS)N)moduler2)r rr"rrrrmainsr)N)N)Nr<)@r#rrrMZ samba.samdbrZ samba.authrr~Zsamba.sd_utilsrZsamba.credentialsrrZ samba.gensecrZsamba.tests.subunitrunrr Z samba.testsr r r Z samba.getoptZgetoptr!r Z samba.colourr rrZ samba.dsdbrrrArrrrZERR_OPERATIONS_ERRORZoperrZERR_INSUFFICIENT_ACCESS_RIGHTSrZERR_CONSTRAINT_VIOLATIONrZERR_ENTRY_ALREADY_EXISTSexistsZ FLAG_MOD_ADDrrrhZFLAG_MOD_DELETEr|r NameErrorr4r9r;rGrHrrrrrrrrsh      #  E^.(