1#
2# Helper classes for testing Password Settings Objects.
3#
4# This also tests the default password complexity (i.e. pwdProperties),
5# minPwdLength, pwdHistoryLength settings as a side-effect.
6#
7# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
8#
9# This program is free software; you can redistribute it and/or modify
10# it under the terms of the GNU General Public License as published by
11# the Free Software Foundation; either version 3 of the License, or
12# (at your option) any later version.
13#
14# This program is distributed in the hope that it will be useful,
15# but WITHOUT ANY WARRANTY; without even the implied warranty of
16# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17# GNU General Public License for more details.
18#
19# You should have received a copy of the GNU General Public License
20# along with this program.  If not, see <http://www.gnu.org/licenses/>.
21#
22
23import ldb
24from ldb import FLAG_MOD_DELETE, FLAG_MOD_ADD, FLAG_MOD_REPLACE
25from samba.dcerpc.samr import (DOMAIN_PASSWORD_COMPLEX,
26                               DOMAIN_PASSWORD_STORE_CLEARTEXT)
27
28
29class TestUser:
30    def __init__(self, username, samdb, userou=None):
31        initial_password = "Initial12#"
32        self.name = username
33        self.ldb = samdb
34        self.dn = "CN=%s,%s,%s" % (username, (userou or "CN=Users"),
35                                   self.ldb.domain_dn())
36
37        # store all passwords that have ever been used for this user, as well
38        # as a pwd_history that more closely resembles the history on the DC
39        self.all_old_passwords = [initial_password]
40        self.pwd_history = [initial_password]
41        self.ldb.newuser(username, initial_password, userou=userou)
42        self.ldb.enable_account("(sAMAccountName=%s)" % username)
43        self.last_pso = None
44
45    def old_invalid_passwords(self, hist_len):
46        """Returns the expected password history for the DC"""
47        if hist_len == 0:
48            return []
49
50        # return the last n items in the list
51        return self.pwd_history[-hist_len:]
52
53    def old_valid_passwords(self, hist_len):
54        """Returns old passwords that fall outside the DC's expected history"""
55        # if PasswordHistoryLength is zero, any previous password can be valid
56        if hist_len == 0:
57            return self.all_old_passwords[:]
58
59        # just exclude our pwd_history if there's not much in it. This can
60        # happen if we've been using a lower PasswordHistoryLength setting
61        # previously
62        hist_len = min(len(self.pwd_history), hist_len)
63
64        # return any passwords up to the nth-from-last item
65        return self.all_old_passwords[:-hist_len]
66
67    def update_pwd_history(self, new_password):
68        """Updates the user's password history to reflect a password change"""
69        # we maintain 2 lists: all passwords the user has ever had, and an
70        # effective password-history that should roughly mirror the DC.
71        # pwd_history_change() handles the corner-case where we need to
72        # truncate password-history due to PasswordHistoryLength settings
73        # changes
74        if new_password in self.all_old_passwords:
75            self.all_old_passwords.remove(new_password)
76        self.all_old_passwords.append(new_password)
77
78        if new_password in self.pwd_history:
79            self.pwd_history.remove(new_password)
80        self.pwd_history.append(new_password)
81
82    def get_resultant_PSO(self):
83        """Returns the DN of the applicable PSO, or None if none applies"""
84        res = self.ldb.search(self.dn, attrs=['msDS-ResultantPSO'])
85
86        if 'msDS-ResultantPSO' in res[0]:
87            return str(res[0]['msDS-ResultantPSO'][0])
88        else:
89            return None
90
91    def get_password(self):
92        """Returns the user's current password"""
93        # current password in the last item in the list
94        return self.all_old_passwords[-1]
95
96    def set_password(self, new_password):
97        """Attempts to change a user's password"""
98        ldif = """
99dn: %s
100changetype: modify
101delete: userPassword
102userPassword: %s
103add: userPassword
104userPassword: %s
105""" % (self.dn, self.get_password(), new_password)
106        # this modify will throw an exception if new_password doesn't meet the
107        # PSO constraints (which the test code catches if it's expected to
108        # fail)
109        self.ldb.modify_ldif(ldif)
110        self.update_pwd_history(new_password)
111
112    def pwd_history_change(self, old_hist_len, new_hist_len):
113        """
114        Updates the effective password history, to reflect changes on the DC.
115        When the PasswordHistoryLength applied to a user changes from a low
116        setting (e.g. 2) to a higher setting (e.g. 4), passwords #3 and #4
117        won't actually have been stored on the DC, so we need to make sure they
118        are removed them from our mirror pwd_history list.
119        """
120
121        # our list may have been tracking more passwords than the DC actually
122        # stores. Truncate the list now to match what the DC currently has
123        hist_len = min(new_hist_len, old_hist_len)
124        if hist_len == 0:
125            self.pwd_history = []
126        elif hist_len < len(self.pwd_history):
127            self.pwd_history = self.pwd_history[-hist_len:]
128
129        # corner-case where history-length goes from zero to non-zero. Windows
130        # counts the current password as being in the history even before it
131        # changes (Samba only counts it from the next change onwards). We don't
132        # exercise this in the PSO tests due to this discrepancy, but the
133        # following check will support the Windows behaviour
134        if old_hist_len == 0 and new_hist_len > 0:
135            self.pwd_history = [self.get_password()]
136
137    def set_primary_group(self, group_dn):
138        """Sets a user's primaryGroupID to be that of the specified group"""
139
140        # get the primaryGroupToken of the group
141        res = self.ldb.search(base=group_dn, attrs=["primaryGroupToken"],
142                              scope=ldb.SCOPE_BASE)
143        group_id = res[0]["primaryGroupToken"]
144
145        # set primaryGroupID attribute of the user to that group
146        m = ldb.Message()
147        m.dn = ldb.Dn(self.ldb, self.dn)
148        m["primaryGroupID"] = ldb.MessageElement(group_id, FLAG_MOD_REPLACE,
149                                                 "primaryGroupID")
150        self.ldb.modify(m)
151
152
153class PasswordSettings:
154    def default_settings(self, samdb):
155        """
156        Returns a object representing the default password settings that will
157        take effect (i.e. when no other Fine-Grained Password Policy applies)
158        """
159        pw_attrs = ["minPwdAge", "lockoutDuration", "lockOutObservationWindow",
160                    "lockoutThreshold", "maxPwdAge", "minPwdAge",
161                    "minPwdLength", "pwdHistoryLength", "pwdProperties"]
162        res = samdb.search(samdb.domain_dn(), scope=ldb.SCOPE_BASE,
163                           attrs=pw_attrs)
164
165        self.name = "Defaults"
166        self.dn = None
167        self.ldb = samdb
168        self.precedence = 0
169        self.complexity = \
170            int(res[0]["pwdProperties"][0]) & DOMAIN_PASSWORD_COMPLEX
171        self.store_plaintext = \
172            int(res[0]["pwdProperties"][0]) & DOMAIN_PASSWORD_STORE_CLEARTEXT
173        self.password_len = int(res[0]["minPwdLength"][0])
174        self.lockout_attempts = int(res[0]["lockoutThreshold"][0])
175        self.history_len = int(res[0]["pwdHistoryLength"][0])
176        # convert to time in secs
177        self.lockout_duration = int(res[0]["lockoutDuration"][0]) / -int(1e7)
178        self.lockout_window =\
179            int(res[0]["lockOutObservationWindow"][0]) / -int(1e7)
180        self.password_age_min = int(res[0]["minPwdAge"][0]) / -int(1e7)
181        self.password_age_max = int(res[0]["maxPwdAge"][0]) / -int(1e7)
182
183    def __init__(self, name, samdb, precedence=10, complexity=True,
184                 password_len=10, lockout_attempts=0, lockout_duration=5,
185                 password_age_min=0, password_age_max=60 * 60 * 24 * 30,
186                 history_len=2, store_plaintext=False, container=None):
187
188        # if no PSO was specified, return an object representing the global
189        # password settings (i.e. the default settings, if no PSO trumps them)
190        if name is None:
191            return self.default_settings(samdb)
192
193        # only PSOs in the Password Settings Container are considered. You can
194        # create PSOs outside of this container, but it's not recommended
195        if container is None:
196            base_dn = samdb.domain_dn()
197            container = "CN=Password Settings Container,CN=System,%s" % base_dn
198
199        self.name = name
200        self.dn = "CN=%s,%s" % (name, container)
201        self.ldb = samdb
202        self.precedence = precedence
203        self.complexity = complexity
204        self.store_plaintext = store_plaintext
205        self.password_len = password_len
206        self.lockout_attempts = lockout_attempts
207        self.history_len = history_len
208        # times in secs
209        self.lockout_duration = lockout_duration
210        # lockout observation-window must be <= lockout-duration (the existing
211        # lockout tests just use the same value for both settings)
212        self.lockout_window = lockout_duration
213        self.password_age_min = password_age_min
214        self.password_age_max = password_age_max
215
216        # add the PSO to the DB
217        self.ldb.add_ldif(self.get_ldif())
218
219    def get_ldif(self):
220        complexity_str = "TRUE" if self.complexity else "FALSE"
221        plaintext_str = "TRUE" if self.store_plaintext else "FALSE"
222
223        # timestamps here are in units of -100 nano-seconds
224        lockout_duration = -int(self.lockout_duration * (1e7))
225        lockout_window = -int(self.lockout_window * (1e7))
226        min_age = -int(self.password_age_min * (1e7))
227        max_age = -int(self.password_age_max * (1e7))
228
229        # all the following fields are mandatory for the PSO object
230        ldif = """
231dn: {0}
232objectClass: msDS-PasswordSettings
233msDS-PasswordSettingsPrecedence: {1}
234msDS-PasswordReversibleEncryptionEnabled: {2}
235msDS-PasswordHistoryLength: {3}
236msDS-PasswordComplexityEnabled: {4}
237msDS-MinimumPasswordLength: {5}
238msDS-MinimumPasswordAge: {6}
239msDS-MaximumPasswordAge: {7}
240msDS-LockoutThreshold: {8}
241msDS-LockoutObservationWindow: {9}
242msDS-LockoutDuration: {10}
243""".format(self.dn, self.precedence, plaintext_str, self.history_len,
244           complexity_str, self.password_len, min_age, max_age,
245           self.lockout_attempts, lockout_window, lockout_duration)
246
247        return ldif
248
249    def apply_to(self, user_group, operation=FLAG_MOD_ADD):
250        """Updates this Password Settings Object to apply to a user or group"""
251        m = ldb.Message()
252        m.dn = ldb.Dn(self.ldb, self.dn)
253        m["msDS-PSOAppliesTo"] = ldb.MessageElement(user_group, operation,
254                                                    "msDS-PSOAppliesTo")
255        self.ldb.modify(m)
256
257    def unapply(self, user_group):
258        """Updates this PSO to no longer apply to a user or group"""
259        # just delete the msDS-PSOAppliesTo attribute (instead of adding it)
260        self.apply_to(user_group, operation=FLAG_MOD_DELETE)
261
262    def set_precedence(self, new_precedence, samdb=None):
263        if samdb is None:
264            samdb = self.ldb
265        ldif = """
266dn: %s
267changetype: modify
268replace: msDS-PasswordSettingsPrecedence
269msDS-PasswordSettingsPrecedence: %u
270""" % (self.dn, new_precedence)
271        samdb.modify_ldif(ldif)
272        self.precedence = new_precedence
273