Update doc/samples/test of windows.security

Author: hakril

docs/source/security.rst

@@ -0,0 +1,255 @@
+``windows.security`` -- Security Descriptor & related
+*****************************************************
+
+.. warning:
+
+    Foutre les token ici ?
+    Ca a du sens https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-control-components
+
+    ACCESS CONTROL TOUT CA..
+    Les deux  vont bien ensemble..
+
+
+.. module:: windows.security
+
+
+SecurityDescriptor
+""""""""""""""""""
+
+.. autoclass:: SecurityDescriptor
+
+
+Acl
+"""
+
+.. autoclass:: Acl
+    :special-members: __len__, __iter__
+
+
+.. _security_ace:
+
+Ace
+"""
+
+The ACE are regrouped in two categories.
+
+The DACL related ACEs:
+
+    - :class:`AccessAllowedACE`
+    - :class:`AccessDeniedACE`
+    - :class:`AccessAllowedCallbackACE`
+    - :class:`AccessDeniedCallbackACE`
+    - :class:`AccessAllowedObjectACE`
+    - :class:`AccessDeniedObjectACE`
+    - :class:`AccessAllowedCallbackObjectACE`
+    - :class:`AccessDeniedCallbackObjectACE`
+
+The SACL related ACEs:
+
+    - :class:`SystemAuditACE`
+    - :class:`SystemAlarmACE`
+    - :class:`SystemAuditObjectACE`
+    - :class:`SystemAlarmObjectACE`
+    - :class:`SystemAuditCallbackACE`
+    - :class:`SystemAlarmCallbackACE`
+    - :class:`SystemAuditCallbackObjectACE`
+    - :class:`SystemAlarmCallbackObjectACE`
+    - :class:`SystemMandatoryLabelACE`
+    - :class:`SystemResourceAttributeACE`
+    - :class:`SystemScopedPolicyIDACE`
+    - :class:`SystemProcessTrustLabelACE`
+
+
+Ace classes
+'''''''''''
+
+AccessAllowedACE
+~~~~~~~~~~~~~~~~
+
+.. autoclass:: AccessAllowedACE
+    :show-inheritance:
+    :inherited-members:
+
+AccessDeniedACE
+~~~~~~~~~~~~~~~
+
+.. autoclass:: AccessDeniedACE
+    :show-inheritance:
+    :inherited-members:
+
+
+AccessAllowedCallbackACE
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: AccessAllowedCallbackACE
+    :show-inheritance:
+    :inherited-members:
+
+
+AccessDeniedCallbackACE
+~~~~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: AccessDeniedCallbackACE
+    :show-inheritance:
+    :inherited-members:
+
+AccessAllowedObjectACE
+~~~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: AccessAllowedObjectACE
+    :show-inheritance:
+    :inherited-members:
+
+AccessDeniedObjectACE
+~~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: AccessDeniedObjectACE
+    :show-inheritance:
+    :inherited-members:
+
+
+AccessAllowedCallbackObjectACE
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: AccessAllowedCallbackObjectACE
+    :show-inheritance:
+    :inherited-members:
+
+
+AccessDeniedCallbackObjectACE
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: AccessDeniedCallbackObjectACE
+    :show-inheritance:
+    :inherited-members:
+
+
+SystemAuditACE
+~~~~~~~~~~~~~~
+
+.. autoclass:: SystemAuditACE
+    :show-inheritance:
+    :inherited-members:
+
+
+SystemAlarmACE
+~~~~~~~~~~~~~~
+
+.. autoclass:: SystemAlarmACE
+    :show-inheritance:
+    :inherited-members:
+
+SystemAuditObjectACE
+~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: SystemAuditObjectACE
+    :show-inheritance:
+    :inherited-members:
+
+SystemAlarmObjectACE
+~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: SystemAlarmObjectACE
+    :show-inheritance:
+    :inherited-members:
+
+SystemAuditCallbackACE
+~~~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: SystemAuditCallbackACE
+    :show-inheritance:
+    :inherited-members:
+
+
+SystemAlarmCallbackACE
+~~~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: SystemAlarmCallbackACE
+    :show-inheritance:
+    :inherited-members:
+
+SystemAuditCallbackObjectACE
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: SystemAuditCallbackObjectACE
+    :show-inheritance:
+    :inherited-members:
+
+
+SystemAlarmCallbackObjectACE
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: SystemAlarmCallbackObjectACE
+    :show-inheritance:
+    :inherited-members:
+
+
+SystemMandatoryLabelACE
+~~~~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: SystemMandatoryLabelACE
+    :show-inheritance:
+    :inherited-members:
+
+
+SystemResourceAttributeACE
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: SystemResourceAttributeACE
+    :show-inheritance:
+    :inherited-members:
+
+
+SystemScopedPolicyIDACE
+~~~~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: SystemScopedPolicyIDACE
+    :show-inheritance:
+    :inherited-members:
+
+
+SystemProcessTrustLabelACE
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. autoclass:: SystemProcessTrustLabelACE
+    :show-inheritance:
+    :inherited-members:
+
+
+
+Ace common base
+"""""""""""""""
+
+These classes are internals and here for completness sake.
+You should not need to instanciate/use them directly.
+
+AceHeader
+'''''''''
+
+.. autoclass:: AceHeader
+
+AceBase
+'''''''
+
+.. autoclass:: AceBase
+
+
+MaskAndSidACE
+'''''''''''''
+
+.. autoclass:: MaskAndSidACE
+
+
+CallbackACE
+'''''''''''
+
+.. autoclass:: CallbackACE
+
+
+ObjectRelatedACE
+''''''''''''''''
+
+.. autoclass:: ObjectRelatedACE
+
+
+

samples/security/query_sacl.py

@@ -0,0 +1,34 @@
+import sys
+import windows.security
+
+TARGET = r"C:\windows\notepad.exe" # On WIN10 (at least) notepad.exe has a AuditACE
+
+if not windows.current_process.token.elevated:
+    print(ValueError("This sample should be run as admin to demonstration SACL access"))
+
+print("")
+print("[NO-PRIV] Querying <{0}> SecurityDescriptor without SACL".format(TARGET))
+sd = windows.security.SecurityDescriptor.from_filename(TARGET)
+print("sacl = {0}".format(sd.sacl))
+
+print("")
+print("[NO-PRIV] Querying <{0}> SecurityDescriptor with SACL".format(TARGET))
+try:
+    sd = windows.security.SecurityDescriptor.from_filename(TARGET, query_sacl=True)
+    print("sacl = {0}".format(sd.sacl))
+except WindowsError as e:
+    print(e)
+
+print("")
+print("Enabling <SeSecurityPrivilege>")
+try:
+    windows.current_process.token.enable_privilege("SeSecurityPrivilege")
+except ValueError as e:
+    print("[ERROR] {0}".format(e))
+    exit(1)
+
+print("")
+print("[PRIV] Querying <{0}> SecurityDescriptor with SACL".format(TARGET))
+sd = windows.security.SecurityDescriptor.from_filename(TARGET, query_sacl=True)
+print("sacl = {0}".format(sd.sacl))
+print(list(sd.sacl))

samples/security/security_descriptor.py

@@ -0,0 +1,24 @@
+import windows.security
+
+SDDL = "O:BAG:AND:(A;OI;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)(D;CIIO;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
+
+sd = windows.security.SecurityDescriptor.from_string(SDDL)
+print("Security descriptor is: {0}".format(sd))
+
+print("Owner: {0}".format(sd.owner))
+print("  - lookup: {0}".format(windows.security.lookup_sid(sd.owner)))
+print("Group: {0}".format(sd.group))
+print("  - lookup: {0}".format(windows.security.lookup_sid(sd.group)))
+
+dacl = sd.dacl
+print("Dacl: {0}".format(dacl))
+
+for i, ace in enumerate(dacl):
+    print("")
+    print("  ACE [{0}]: {1}".format(i, ace))
+    print("    - Header-AceType: {0}".format(ace.Header.AceType))
+    print("    - Header-AceFlags: {0}".format(ace.Header.AceFlags))
+    print("    - Header-flags: {0}".format(ace.Header.flags))
+    print("    - Mask: {0}".format(ace.Mask))
+    print("    - mask: {0}".format(ace.mask))
+    print("    - Sid:  {0}".format(ace.sid))

tests/test_security.py

@@ -19,6 +19,13 @@
 def test_security_descriptor_from_string(sddl):
     sd = SecurityDescriptor.from_string(sddl)
 
+def test_empty_security_descriptor():
+    esd = SecurityDescriptor.from_string("")
+    assert esd.owner is None # Should NOT be NULL PSID but None
+    assert esd.group is None # Should NOT be NULL PSID but None
+    assert esd.dacl is None
+    assert esd.sacl is None
+
 
 def test_pacl_object():
     SDDL = "O:ANG:S-1-2-3D:(A;;;;;S-1-42-42)(A;;;;;S-1-42-43)(A;;;;;S-1-42-44)"
@@ -193,3 +200,4 @@ def test_conditional_ace_applicationdata(sddl, expected_value):
     assert expected_value in appdata.replace("\x00", "")
 
 
+