1# 2# Helper classes for testing Password Settings Objects. 3# 4# This also tests the default password complexity (i.e. pwdProperties), 5# minPwdLength, pwdHistoryLength settings as a side-effect. 6# 7# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018 8# 9# This program is free software; you can redistribute it and/or modify 10# it under the terms of the GNU General Public License as published by 11# the Free Software Foundation; either version 3 of the License, or 12# (at your option) any later version. 13# 14# This program is distributed in the hope that it will be useful, 15# but WITHOUT ANY WARRANTY; without even the implied warranty of 16# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17# GNU General Public License for more details. 18# 19# You should have received a copy of the GNU General Public License 20# along with this program. If not, see <http://www.gnu.org/licenses/>. 21# 22 23import ldb 24from ldb import FLAG_MOD_DELETE, FLAG_MOD_ADD, FLAG_MOD_REPLACE 25from samba.dcerpc.samr import (DOMAIN_PASSWORD_COMPLEX, 26 DOMAIN_PASSWORD_STORE_CLEARTEXT) 27 28 29class TestUser: 30 def __init__(self, username, samdb, userou=None): 31 initial_password = "Initial12#" 32 self.name = username 33 self.ldb = samdb 34 self.dn = "CN=%s,%s,%s" % (username, (userou or "CN=Users"), 35 self.ldb.domain_dn()) 36 37 # store all passwords that have ever been used for this user, as well 38 # as a pwd_history that more closely resembles the history on the DC 39 self.all_old_passwords = [initial_password] 40 self.pwd_history = [initial_password] 41 self.ldb.newuser(username, initial_password, userou=userou) 42 self.ldb.enable_account("(sAMAccountName=%s)" % username) 43 self.last_pso = None 44 45 def old_invalid_passwords(self, hist_len): 46 """Returns the expected password history for the DC""" 47 if hist_len == 0: 48 return [] 49 50 # return the last n items in the list 51 return self.pwd_history[-hist_len:] 52 53 def old_valid_passwords(self, hist_len): 54 """Returns old passwords that fall outside the DC's expected history""" 55 # if PasswordHistoryLength is zero, any previous password can be valid 56 if hist_len == 0: 57 return self.all_old_passwords[:] 58 59 # just exclude our pwd_history if there's not much in it. This can 60 # happen if we've been using a lower PasswordHistoryLength setting 61 # previously 62 hist_len = min(len(self.pwd_history), hist_len) 63 64 # return any passwords up to the nth-from-last item 65 return self.all_old_passwords[:-hist_len] 66 67 def update_pwd_history(self, new_password): 68 """Updates the user's password history to reflect a password change""" 69 # we maintain 2 lists: all passwords the user has ever had, and an 70 # effective password-history that should roughly mirror the DC. 71 # pwd_history_change() handles the corner-case where we need to 72 # truncate password-history due to PasswordHistoryLength settings 73 # changes 74 if new_password in self.all_old_passwords: 75 self.all_old_passwords.remove(new_password) 76 self.all_old_passwords.append(new_password) 77 78 if new_password in self.pwd_history: 79 self.pwd_history.remove(new_password) 80 self.pwd_history.append(new_password) 81 82 def get_resultant_PSO(self): 83 """Returns the DN of the applicable PSO, or None if none applies""" 84 res = self.ldb.search(self.dn, attrs=['msDS-ResultantPSO']) 85 86 if 'msDS-ResultantPSO' in res[0]: 87 return str(res[0]['msDS-ResultantPSO'][0]) 88 else: 89 return None 90 91 def get_password(self): 92 """Returns the user's current password""" 93 # current password in the last item in the list 94 return self.all_old_passwords[-1] 95 96 def set_password(self, new_password): 97 """Attempts to change a user's password""" 98 ldif = """ 99dn: %s 100changetype: modify 101delete: userPassword 102userPassword: %s 103add: userPassword 104userPassword: %s 105""" % (self.dn, self.get_password(), new_password) 106 # this modify will throw an exception if new_password doesn't meet the 107 # PSO constraints (which the test code catches if it's expected to 108 # fail) 109 self.ldb.modify_ldif(ldif) 110 self.update_pwd_history(new_password) 111 112 def pwd_history_change(self, old_hist_len, new_hist_len): 113 """ 114 Updates the effective password history, to reflect changes on the DC. 115 When the PasswordHistoryLength applied to a user changes from a low 116 setting (e.g. 2) to a higher setting (e.g. 4), passwords #3 and #4 117 won't actually have been stored on the DC, so we need to make sure they 118 are removed them from our mirror pwd_history list. 119 """ 120 121 # our list may have been tracking more passwords than the DC actually 122 # stores. Truncate the list now to match what the DC currently has 123 hist_len = min(new_hist_len, old_hist_len) 124 if hist_len == 0: 125 self.pwd_history = [] 126 elif hist_len < len(self.pwd_history): 127 self.pwd_history = self.pwd_history[-hist_len:] 128 129 # corner-case where history-length goes from zero to non-zero. Windows 130 # counts the current password as being in the history even before it 131 # changes (Samba only counts it from the next change onwards). We don't 132 # exercise this in the PSO tests due to this discrepancy, but the 133 # following check will support the Windows behaviour 134 if old_hist_len == 0 and new_hist_len > 0: 135 self.pwd_history = [self.get_password()] 136 137 def set_primary_group(self, group_dn): 138 """Sets a user's primaryGroupID to be that of the specified group""" 139 140 # get the primaryGroupToken of the group 141 res = self.ldb.search(base=group_dn, attrs=["primaryGroupToken"], 142 scope=ldb.SCOPE_BASE) 143 group_id = res[0]["primaryGroupToken"] 144 145 # set primaryGroupID attribute of the user to that group 146 m = ldb.Message() 147 m.dn = ldb.Dn(self.ldb, self.dn) 148 m["primaryGroupID"] = ldb.MessageElement(group_id, FLAG_MOD_REPLACE, 149 "primaryGroupID") 150 self.ldb.modify(m) 151 152 153class PasswordSettings: 154 def default_settings(self, samdb): 155 """ 156 Returns a object representing the default password settings that will 157 take effect (i.e. when no other Fine-Grained Password Policy applies) 158 """ 159 pw_attrs = ["minPwdAge", "lockoutDuration", "lockOutObservationWindow", 160 "lockoutThreshold", "maxPwdAge", "minPwdAge", 161 "minPwdLength", "pwdHistoryLength", "pwdProperties"] 162 res = samdb.search(samdb.domain_dn(), scope=ldb.SCOPE_BASE, 163 attrs=pw_attrs) 164 165 self.name = "Defaults" 166 self.dn = None 167 self.ldb = samdb 168 self.precedence = 0 169 self.complexity = \ 170 int(res[0]["pwdProperties"][0]) & DOMAIN_PASSWORD_COMPLEX 171 self.store_plaintext = \ 172 int(res[0]["pwdProperties"][0]) & DOMAIN_PASSWORD_STORE_CLEARTEXT 173 self.password_len = int(res[0]["minPwdLength"][0]) 174 self.lockout_attempts = int(res[0]["lockoutThreshold"][0]) 175 self.history_len = int(res[0]["pwdHistoryLength"][0]) 176 # convert to time in secs 177 self.lockout_duration = int(res[0]["lockoutDuration"][0]) / -int(1e7) 178 self.lockout_window =\ 179 int(res[0]["lockOutObservationWindow"][0]) / -int(1e7) 180 self.password_age_min = int(res[0]["minPwdAge"][0]) / -int(1e7) 181 self.password_age_max = int(res[0]["maxPwdAge"][0]) / -int(1e7) 182 183 def __init__(self, name, samdb, precedence=10, complexity=True, 184 password_len=10, lockout_attempts=0, lockout_duration=5, 185 password_age_min=0, password_age_max=60 * 60 * 24 * 30, 186 history_len=2, store_plaintext=False, container=None): 187 188 # if no PSO was specified, return an object representing the global 189 # password settings (i.e. the default settings, if no PSO trumps them) 190 if name is None: 191 return self.default_settings(samdb) 192 193 # only PSOs in the Password Settings Container are considered. You can 194 # create PSOs outside of this container, but it's not recommended 195 if container is None: 196 base_dn = samdb.domain_dn() 197 container = "CN=Password Settings Container,CN=System,%s" % base_dn 198 199 self.name = name 200 self.dn = "CN=%s,%s" % (name, container) 201 self.ldb = samdb 202 self.precedence = precedence 203 self.complexity = complexity 204 self.store_plaintext = store_plaintext 205 self.password_len = password_len 206 self.lockout_attempts = lockout_attempts 207 self.history_len = history_len 208 # times in secs 209 self.lockout_duration = lockout_duration 210 # lockout observation-window must be <= lockout-duration (the existing 211 # lockout tests just use the same value for both settings) 212 self.lockout_window = lockout_duration 213 self.password_age_min = password_age_min 214 self.password_age_max = password_age_max 215 216 # add the PSO to the DB 217 self.ldb.add_ldif(self.get_ldif()) 218 219 def get_ldif(self): 220 complexity_str = "TRUE" if self.complexity else "FALSE" 221 plaintext_str = "TRUE" if self.store_plaintext else "FALSE" 222 223 # timestamps here are in units of -100 nano-seconds 224 lockout_duration = -int(self.lockout_duration * (1e7)) 225 lockout_window = -int(self.lockout_window * (1e7)) 226 min_age = -int(self.password_age_min * (1e7)) 227 max_age = -int(self.password_age_max * (1e7)) 228 229 # all the following fields are mandatory for the PSO object 230 ldif = """ 231dn: {0} 232objectClass: msDS-PasswordSettings 233msDS-PasswordSettingsPrecedence: {1} 234msDS-PasswordReversibleEncryptionEnabled: {2} 235msDS-PasswordHistoryLength: {3} 236msDS-PasswordComplexityEnabled: {4} 237msDS-MinimumPasswordLength: {5} 238msDS-MinimumPasswordAge: {6} 239msDS-MaximumPasswordAge: {7} 240msDS-LockoutThreshold: {8} 241msDS-LockoutObservationWindow: {9} 242msDS-LockoutDuration: {10} 243""".format(self.dn, self.precedence, plaintext_str, self.history_len, 244 complexity_str, self.password_len, min_age, max_age, 245 self.lockout_attempts, lockout_window, lockout_duration) 246 247 return ldif 248 249 def apply_to(self, user_group, operation=FLAG_MOD_ADD): 250 """Updates this Password Settings Object to apply to a user or group""" 251 m = ldb.Message() 252 m.dn = ldb.Dn(self.ldb, self.dn) 253 m["msDS-PSOAppliesTo"] = ldb.MessageElement(user_group, operation, 254 "msDS-PSOAppliesTo") 255 self.ldb.modify(m) 256 257 def unapply(self, user_group): 258 """Updates this PSO to no longer apply to a user or group""" 259 # just delete the msDS-PSOAppliesTo attribute (instead of adding it) 260 self.apply_to(user_group, operation=FLAG_MOD_DELETE) 261 262 def set_precedence(self, new_precedence, samdb=None): 263 if samdb is None: 264 samdb = self.ldb 265 ldif = """ 266dn: %s 267changetype: modify 268replace: msDS-PasswordSettingsPrecedence 269msDS-PasswordSettingsPrecedence: %u 270""" % (self.dn, new_precedence) 271 samdb.modify_ldif(ldif) 272 self.precedence = new_precedence 273