[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed Mar 8 05:38:01 UTC 2023


The branch, master has been updated
       via  403598b3076 s4-dsdb:tests: Correctly handle LdbError
       via  38468aa6e8f s4-dsdb:tests: Fix AD DC performance tests
       via  d5f053711bd ldb: Make ldb_msg_remove_attr O(n)
       via  598eaa34741 tests/krb5: Remove old device info and device claims tests
       via  0153f6c1f4d tests/krb5: Add tests for device claims
       via  0ac800d0081 tests/krb5: Add tests for device info
       via  24ee602acb2 tests/krb5: Overhaul check_device_info()
       via  fa3d693b28f tests/krb5: Allow creating a target server account with or without compound ID support
       via  53400a6dfeb tests/krb5: Don't specify extra enctypes for the krbtgt
       via  77188f48824 tests/krb5: Allow adding members to a group and changing its type in a single operation
       via  75154702d2f tests/krb5: Add test for compressed claim
       via  5c744ff9f79 tests/krb5: Test we get correct values for integer syntax claims
       via  3550173c804 tests/krb5: Require domain_sid to be non-None when passing a RID to map_to_sid()
       via  d95b4303ea3 tests/krb5: Allow group_setup to be None in setup_groups()
       via  98393d7bfa0 tests/krb5: Test more descriptive security descriptor
       via  567f30c5740 tests/krb5: Document and tidy up existing claims tests
       via  23ce6f30e28 tests/krb5: Allow creating accounts supporting claims or compound identity separately
       via  ad19dd100f6 tests/krb5: Make arguments to get_target() keyword arguments
       via  644c4ae8d0f tests/krb5: Split out device info checking into new method
       via  60c07a49d76 tests/krb5: Fix typo
       via  662639e8ee3 tests/krb5: Move some claims tests around
       via  cbd0955bbd7 tests/krb5: Add type to expect a value is one of a set of possible types
       via  2c6ff2ad07d tests/krb5: Allow comparing UnorderedLists only with one another
       via  3c333037cd2 tests/krb5: Unconditionally check compressed claims
       via  04fd475b434 tests/krb5: Remove unused import
      from  a1780ed8d1b rpcd: With npa->need_idle_server we can have more than 256 servers

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 403598b3076896287c84059a93569f0e0f3efb80
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Feb 17 16:32:42 2023 +1300

    s4-dsdb:tests: Correctly handle LdbError
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Mar  8 05:37:08 UTC 2023 on atb-devel-224

commit 38468aa6e8fd8db3aec9c860ab5c8edf1be83e3c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Feb 17 11:46:09 2023 +1300

    s4-dsdb:tests: Fix AD DC performance tests
    
    Calling cmd._run() directly would fail due to the 'command_name'
    attribute being absent, so these tests would fail to run. Fix this by
    using the samba.netcmd.main.samba_tool helper function.
    
    Check the return code as well for good measure.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d5f053711bd5b78f2eff035b4b287995ae286901
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jan 27 08:06:47 2023 +1300

    ldb: Make ldb_msg_remove_attr O(n)
    
    Previously it was O(n²).
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 598eaa3474191d29ab2f1a356a26e479a441a198
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 11:33:15 2023 +1300

    tests/krb5: Remove old device info and device claims tests
    
    They have been made superfluous by newer declarative tests in
    claims_tests.py and device_tests.py.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0153f6c1f4dfc56608e767ec4a8ad25c0f1b1867
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 12:20:38 2023 +1300

    tests/krb5: Add tests for device claims
    
    These test the interaction between claims and groups in the PAC.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0ac800d0081fb893effaa555d3117102556a7b75
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 11:48:22 2023 +1300

    tests/krb5: Add tests for device info
    
    These tests verify that the groups in the device info structure in the
    PAC are exactly as expected under various scenarios.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 24ee602acb2ec5aea1c52edce8740a1982fb12be
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 13:41:19 2023 +1300

    tests/krb5: Overhaul check_device_info()
    
    With expected_device_groups, tests can now specify particular group
    arrangements they expect to see.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit fa3d693b28f3079e1f813dcbcd74007f238df56f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 13:24:17 2023 +1300

    tests/krb5: Allow creating a target server account with or without compound ID support
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 53400a6dfebb748dde4fe90bb2a9f34c2b1905bf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 13:22:09 2023 +1300

    tests/krb5: Don't specify extra enctypes for the krbtgt
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 77188f4882448733d75b50c4add59841eef3838f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 13:20:31 2023 +1300

    tests/krb5: Allow adding members to a group and changing its type in a single operation
    
    This is needed in order to get some specific group setups for tests.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 75154702d2fcf5c593d9be43f7871333b05217f3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 13:17:49 2023 +1300

    tests/krb5: Add test for compressed claim
    
    Create a claim large enough to cause it to be compressed.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5c744ff9f79aaa0576809b656cd973fc0c94f092
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 13:10:14 2023 +1300

    tests/krb5: Test we get correct values for integer syntax claims
    
    Windows erroneously shifts integer syntax claim values four bytes to the
    right, resulting in incorrect values (if only one claim is present) or
    corrupt claims data that cannot be unpacked (if other claims are
    present). There's no reason to emulate such broken behaviour.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3550173c8042c4c6b98194a6d6cda8d83f9aa1aa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 13:04:09 2023 +1300

    tests/krb5: Require domain_sid to be non-None when passing a RID to map_to_sid()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d95b4303ea3c5c16afdad92850512d4a18ff8aee
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 12:32:06 2023 +1300

    tests/krb5: Allow group_setup to be None in setup_groups()
    
    'git show -b' shows that not much actually changes.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 98393d7bfa0a291743d6a2ce9308287c3426f85d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 12:25:06 2023 +1300

    tests/krb5: Test more descriptive security descriptor
    
    This one has more flags set, so we can test whether we're getting our
    string representation right.
    
    Samba prints the flags in a different order from Windows, but fixing
    that now would be too risky and involve far too much churn for minimal
    benefit. (Consider how many tests verify security descriptors against
    string constants...) Instead, allow one of two possible security
    descriptors.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 567f30c574098433141de031398bac7ab96e9c0d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 12:22:35 2023 +1300

    tests/krb5: Document and tidy up existing claims tests
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 23ce6f30e289fcc5ebc4e54a2cd0dd3e47adda6e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 12:20:06 2023 +1300

    tests/krb5: Allow creating accounts supporting claims or compound identity separately
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ad19dd100f6a6e2d4b80ac761902a4aed992935b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 12:02:35 2023 +1300

    tests/krb5: Make arguments to get_target() keyword arguments
    
    This avoids mistakes by ensuring that passed-in arguments go to their
    intended destinations.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 644c4ae8d0fbe0b20488a0b06654920c3d7ca8d6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 11:55:42 2023 +1300

    tests/krb5: Split out device info checking into new method
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 60c07a49d762d247b2b0b81800d96e5b6bdc73e3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 11:42:23 2023 +1300

    tests/krb5: Fix typo
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 662639e8ee37ca83e379a64cb3ba7a8d11af084c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 11:29:29 2023 +1300

    tests/krb5: Move some claims tests around
    
    It's helpful to have the test declarations be together for better
    locality and ease of reading.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit cbd0955bbd70df9e48a439c5be25b15c03819171
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 11:19:02 2023 +1300

    tests/krb5: Add type to expect a value is one of a set of possible types
    
    This is useful for cases where we differ from Windows in some minor
    detail, and where the effort required to reach parity is unjustifiably
    high.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2c6ff2ad07d71c79bb3564428c9751f2ce2a5451
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 11:20:46 2023 +1300

    tests/krb5: Allow comparing UnorderedLists only with one another
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3c333037cd25687237b7cb0024f31ebaeae5e5cd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 11:39:55 2023 +1300

    tests/krb5: Unconditionally check compressed claims
    
    not only if STRICT_CHECKING=1.
    
    This also fixes a bug where the call to huffman_decompress() was
    indented incorrectly.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 04fd475b434d95cdfe3f771386b8d00bde836abf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Mar 3 13:45:21 2023 +1300

    tests/krb5: Remove unused import
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/common/ldb_msg.c                           |   13 +-
 python/samba/tests/krb5/claims_tests.py            |  864 ++++++---
 python/samba/tests/krb5/device_tests.py            | 2045 ++++++++++++++++++++
 python/samba/tests/krb5/fast_tests.py              |    2 +
 python/samba/tests/krb5/group_tests.py             |    6 +-
 python/samba/tests/krb5/kdc_base_test.py           |  119 +-
 python/samba/tests/krb5/raw_testcase.py            |  195 +-
 python/samba/tests/usage.py                        |    1 +
 selftest/knownfail_heimdal_kdc                     |   48 +-
 selftest/knownfail_mit_kdc                         |   62 +-
 .../dsdb/tests/python/ad_dc_medley_performance.py  |   18 +-
 source4/dsdb/tests/python/ad_dc_performance.py     |   16 +-
 .../tests/python/ad_dc_provision_performance.py    |   10 +-
 source4/selftest/tests.py                          |    4 +
 14 files changed, 2972 insertions(+), 431 deletions(-)
 create mode 100755 python/samba/tests/krb5/device_tests.py


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index 9cd7998e21c..4146de185d7 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -1464,11 +1464,18 @@ void ldb_msg_remove_element(struct ldb_message *msg, struct ldb_message_element
 */
 void ldb_msg_remove_attr(struct ldb_message *msg, const char *attr)
 {
-	struct ldb_message_element *el;
+	unsigned int i;
+	unsigned int num_del = 0;
 
-	while ((el = ldb_msg_find_element(msg, attr)) != NULL) {
-		ldb_msg_remove_element(msg, el);
+	for (i = 0; i < msg->num_elements; ++i) {
+		if (ldb_attr_cmp(msg->elements[i].name, attr) == 0) {
+			++num_del;
+		} else if (num_del) {
+			msg->elements[i - num_del] = msg->elements[i];
+		}
 	}
+
+	msg->num_elements -= num_del;
 }
 
 /*
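Review bot: after the compaction loop, the slots from msg->elements[msg->num_elements - num_del] up to the old count still hold copies of the elements that were shifted down, and those copies share their name and values pointers with live entries. Because num_elements is decremented, nothing in ldb should read them again, but any caller that walks the array by its allocated size rather than by num_elements would see aliased pointers; a memset of the tail (or a talloc_realloc of msg->elements) would make that state explicit. Also worth confirming that ldb_attr_cmp() is exactly the comparison ldb_msg_find_element() used in the removed code, so that no attribute the old loop matched is now skipped.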
diff --git a/python/samba/tests/krb5/claims_tests.py b/python/samba/tests/krb5/claims_tests.py
index 9d5121e69ec..78c78476e0c 100755
--- a/python/samba/tests/krb5/claims_tests.py
+++ b/python/samba/tests/krb5/claims_tests.py
@@ -31,31 +31,77 @@ from samba.dcerpc import claims, krb5pac, security
 from samba.tests import DynamicTestCase, env_get_var_value
 from samba.tests.krb5 import kcrypto
 from samba.tests.krb5.kcrypto import Enctype
-from samba.tests.krb5.kdc_base_test import KDCBaseTest
-from samba.tests.krb5.raw_testcase import Krb5EncryptionKey
+from samba.tests.krb5.kdc_base_test import GroupType, KDCBaseTest, Principal
+from samba.tests.krb5.raw_testcase import Krb5EncryptionKey, RawKerberosTest
 from samba.tests.krb5.rfc4120_constants import (
     AES256_CTS_HMAC_SHA1_96,
     ARCFOUR_HMAC_MD5,
     KRB_TGS_REP,
     NT_PRINCIPAL,
-    NT_SRV_INST,
 )
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
 
+SidType = RawKerberosTest.SidType
+
 global_asn1_print = False
 global_hexdump = False
 
 
 class UnorderedList(list):
     def __eq__(self, other):
-        if isinstance(other, UnorderedList):
-            return sorted(self) == sorted(other)
-        else:
+        if not isinstance(other, UnorderedList):
+            raise AssertionError('unexpected comparison attempt')
+        return sorted(self) == sorted(other)
+
+
+# Use this to assert that each element of a list belongs to a set() of
+# acceptable elements.
+class OneOf(list):
+    def __eq__(self, other):
+        if not isinstance(other, OneOf):
+            raise AssertionError('unexpected comparison attempt')
+
+        # Lists are of different lengths, so we're trivially done.
+        if len(self) != len(other):
             return False
 
+        # Now we know that the lists are of equal length, we can compare their
+        # elements. These can be normal elements, or set()s to allow any one of
+        # the members of the set to match.
+
+        def elem_eq(this, that):
+            if isinstance(this, set):
+                if isinstance(that, set):
+                    raise AssertionError('both sides unexpectedly sets')
+                # Is 'that' contained in the set() of acceptable values,
+                # 'this'?
+                return that in this
+
+            if isinstance(that, set):
+                # Is 'this' contained in the set() of acceptable values,
+                # 'that'?
+                return this in that
+
+            # Neither element is a set(). Compare elements directly.
+            return this == that
+
+        # Are all the elements equal?
+        return all(map(elem_eq, self, other))
+
 
 @DynamicTestCase
 class ClaimsTests(KDCBaseTest):
+    # Placeholder objects that represent accounts undergoing testing.
+    user = object()
+    mach = object()
+
+    # Constants for group SID attributes.
+    default_attrs = security.SE_GROUP_DEFAULT_FLAGS
+    resource_attrs = default_attrs | security.SE_GROUP_RESOURCE
+
+    asserted_identity = security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY
+    compounded_auth = security.SID_COMPOUNDED_AUTHENTICATION
+
     @classmethod
     def setUpClass(cls):
         super().setUpClass()
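Review bot: in OneOf.elem_eq, `return that in this` (and the mirror `return this in that`) raises TypeError instead of returning False when the candidate value is unhashable, for example a list or dict element compared against a set() of acceptable values; `any(that == x for x in this)` avoids that and keeps the same semantics for hashable values. Separately, both UnorderedList.__eq__ and OneOf.__eq__ now raise AssertionError on a foreign operand, so an incidental comparison such as `OneOf(...) in some_list` or a unittest failure message that re-compares the operands will error rather than report False; if that is intended, a short comment saying so on the class would save the next reader a surprise.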
@@ -178,12 +224,95 @@ class ClaimsTests(KDCBaseTest):
             modify_pac_fn=modify_pac_fn,
             checksum_keys=self.get_krbtgt_checksum_key())
 
+    def test_tgs_claims(self):
+        self.run_tgs_test(remove_claims=False, to_krbtgt=False)
+
+    def test_tgs_claims_remove_claims(self):
+        self.run_tgs_test(remove_claims=True, to_krbtgt=False)
+
+    def test_tgs_claims_to_krbtgt(self):
+        self.run_tgs_test(remove_claims=False, to_krbtgt=True)
+
+    def test_tgs_claims_remove_claims_to_krbtgt(self):
+        self.run_tgs_test(remove_claims=True, to_krbtgt=True)
+
     def test_delegation_claims(self):
         self.run_delegation_test(remove_claims=False)
 
     def test_delegation_claims_remove_claims(self):
         self.run_delegation_test(remove_claims=True)
 
+    # Create a user account with an applicable claim for the 'middleName'
+    # attribute. After obtaining a TGT, from which we optionally remove the
+    # claims, change the middleName attribute values for the account in the
+    # database to a different value. By which we may observe, when examining
+    # the reply to our following Kerberos TGS request, whether the claims
+    # contained therein are taken directly from the ticket, or obtained fresh
+    # from the database.
+    def run_tgs_test(self, remove_claims, to_krbtgt):
+        samdb = self.get_samdb()
+        user_creds, user_dn = self.create_account(samdb,
+                                                  self.get_new_username(),
+                                                  additional_details={
+                                                      'middleName': 'foo',
+                                                  })
+
+        claim_id = self.get_new_username()
+        self.create_claim(claim_id,
+                          enabled=True,
+                          attribute='middleName',
+                          single_valued=True,
+                          source_type='AD',
+                          for_classes=['user'],
+                          value_type=claims.CLAIM_TYPE_STRING)
+
+        expected_claims = {
+            claim_id: {
+                'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
+                'type': claims.CLAIM_TYPE_STRING,
+                'values': ['foo'],
+            },
+        }
+
+        # Get a TGT for the user.
+        tgt = self.get_tgt(user_creds, expect_pac=True,
+                           expect_client_claims=True,
+                           expected_client_claims=expected_claims)
+
+        if remove_claims:
+            tgt = self.remove_client_claims(tgt)
+
+        # Change the value of the attribute used for the claim.
+        msg = ldb.Message(ldb.Dn(samdb, user_dn))
+        msg['middleName'] = ldb.MessageElement('bar',
+                                               ldb.FLAG_MOD_REPLACE,
+                                               'middleName')
+        samdb.modify(msg)
+
+        if to_krbtgt:
+            target_creds = self.get_krbtgt_creds()
+            sname = self.get_krbtgt_sname()
+        else:
+            target_creds = self.get_service_creds()
+            sname = None
+
+        # Get a service ticket for the user. The claim value should not have
+        # changed, indicating that the client claims are propagated straight
+        # through.
+        self.get_service_ticket(
+            tgt, target_creds,
+            sname=sname,
+            expect_pac=True,
+            expect_client_claims=not remove_claims,
+            expected_client_claims=(expected_claims
+                                    if not remove_claims else None))
+
+    # Perform a test similar to that preceeding. This time, create both a user
+    # and a computer account, each having an applicable claim. After obtaining
+    # tickets, from which the claims are optionally removed, change the claim
+    # attribute of each account to a different value. Then perform constrained
+    # delegation with the user's service ticket, verifying that the user's
+    # claims are carried into the resulting ticket.
     def run_delegation_test(self, remove_claims):
         service_creds = self.get_service_creds()
         service_spn = service_creds.get_spn()
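Review bot: typo in the new comment above run_delegation_test, "that preceeding" should be "that preceding". The comment above run_tgs_test also carries a sentence fragment ("By which we may observe, ..."); suggest joining it to the previous sentence, e.g. "..., change the middleName attribute of the account in the database to a different value, so that we can observe from the reply to the following TGS request whether the claims it contains are taken from the ticket or fetched fresh from the database."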
@@ -228,7 +357,7 @@ class ClaimsTests(KDCBaseTest):
                 'values': ['user_old'],
             },
         }
-        expected_claims_mac = {
+        expected_claims_mach = {
             claim_id: {
                 'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
                 'type': claims.CLAIM_TYPE_STRING,
@@ -254,20 +383,20 @@ class ClaimsTests(KDCBaseTest):
         mach_tgt = self.get_tgt(mach_creds,
                                 expect_pac=True,
                                 expect_client_claims=True,
-                                expected_client_claims=expected_claims_mac)
+                                expected_client_claims=expected_claims_mach)
 
         if remove_claims:
             user_ticket = self.remove_client_claims(user_ticket)
             mach_tgt = self.remove_client_claims(mach_tgt)
 
-        # Change the value of the attributes used for the claim.
+        # Change the value of the attribute used for the user claim.
         msg = ldb.Message(ldb.Dn(samdb, user_dn))
         msg['middleName'] = ldb.MessageElement('user_new',
                                                ldb.FLAG_MOD_REPLACE,
                                                'middleName')
         samdb.modify(msg)
 
-        # Change the value of the attributes used for the claim.
+        # Change the value of the attribute used for the machine claim.
         msg = ldb.Message(ldb.Dn(samdb, mach_dn))
         msg['middleName'] = ldb.MessageElement('mach_new',
                                                ldb.FLAG_MOD_REPLACE,
@@ -300,8 +429,11 @@ class ClaimsTests(KDCBaseTest):
 
         etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
 
+        # The user's claims are propagated into the new ticket, while the
+        # machine's claims are dispensed with.
         expected_claims = expected_claims_user if not remove_claims else None
 
+        # Perform constrained delegation.
         kdc_exchange_dict = self.tgs_exchange_dict(
             expected_crealm=user_realm,
             expected_cname=user_cname,
@@ -320,264 +452,15 @@ class ClaimsTests(KDCBaseTest):
             expected_transited_services=expected_transited_services,
             expect_client_claims=not remove_claims,
             expected_client_claims=expected_claims,
+            expect_device_claims=False,
             expect_pac=True)
 
-        self._generic_kdc_exchange(kdc_exchange_dict,
-                                   cname=None,
-                                   realm=service_realm,
-                                   sname=service_sname,
-                                   etypes=etypes,
-                                   additional_tickets=additional_tickets)
-
-    def test_tgs_claims(self):
-        self.run_tgs_test(remove_claims=False, to_krbtgt=False)
-
-    def test_tgs_claims_remove_claims(self):
-        self.run_tgs_test(remove_claims=True, to_krbtgt=False)
-
-    def test_tgs_claims_to_krbtgt(self):
-        self.run_tgs_test(remove_claims=False, to_krbtgt=True)
-
-    def test_tgs_claims_remove_claims_to_krbtgt(self):
-        self.run_tgs_test(remove_claims=True, to_krbtgt=True)
-
-    def run_tgs_test(self, remove_claims, to_krbtgt):
-        samdb = self.get_samdb()
-        user_creds, user_dn = self.create_account(samdb,
-                                                  self.get_new_username(),
-                                                  additional_details={
-                                                      'middleName': 'foo',
-                                                  })
-
-        claim_id = self.get_new_username()
-        self.create_claim(claim_id,
-                          enabled=True,
-                          attribute='middleName',
-                          single_valued=True,
-                          source_type='AD',
-                          for_classes=['user'],
-                          value_type=claims.CLAIM_TYPE_STRING)
-
-        expected_claims = {
-            claim_id: {
-                'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
-                'type': claims.CLAIM_TYPE_STRING,
-                'values': ['foo'],
-            },
-        }
-
-        # Get a TGT for the user.
-        tgt = self.get_tgt(user_creds, expect_pac=True,
-                           expect_client_claims=True,
-                           expected_client_claims=expected_claims)
-
-        if remove_claims:
-            tgt = self.remove_client_claims(tgt)
-
-        # Change the value of the attribute used for the claim.
-        msg = ldb.Message(ldb.Dn(samdb, user_dn))
-        msg['middleName'] = ldb.MessageElement('bar',
-                                               ldb.FLAG_MOD_REPLACE,
-                                               'middleName')
-        samdb.modify(msg)
-
-        if to_krbtgt:
-            target_creds = self.get_krbtgt_creds()
-            sname = self.get_krbtgt_sname()
-        else:
-            target_creds = self.get_service_creds()
-            sname = None
-
-        # Get a service ticket for the user. The value should not have changed.
-        self.get_service_ticket(
-            tgt, target_creds,
-            sname=sname,
-            expect_pac=True,
-            expect_client_claims=not remove_claims,
-            expected_client_claims=(expected_claims
-                                    if not remove_claims else None))
-
-    def test_device_info(self):
-        self._run_device_info_test(to_krbtgt=False)
-
-    def test_device_info_to_krbtgt(self):
-        self._run_device_info_test(to_krbtgt=True)
-
-    def _run_device_info_test(self, to_krbtgt):
-        user_creds = self.get_cached_creds(
-            account_type=self.AccountType.USER)
-        user_tgt = self.get_tgt(user_creds)
-
-        mach_creds = self.get_cached_creds(
-            account_type=self.AccountType.COMPUTER)
-        mach_tgt = self.get_tgt(mach_creds)
-
-        samdb = self.get_samdb()
-        expected_sid = self.get_objectSid(samdb, user_creds.get_dn())
-
-        subkey = self.RandomKey(user_tgt.session_key.etype)
-
-        armor_subkey = self.RandomKey(subkey.etype)
-        explicit_armor_key = self.generate_armor_key(armor_subkey,
-                                                     mach_tgt.session_key)
-        armor_key = kcrypto.cf2(explicit_armor_key.key,
-                                subkey.key,
-                                b'explicitarmor',
-                                b'tgsarmor')
-        armor_key = Krb5EncryptionKey(armor_key, None)
-
-        target_creds, sname = self.get_target(
-            to_krbtgt,
-            extra_enctypes=security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED)
-        srealm = target_creds.get_realm()
-
-        decryption_key = self.TicketDecryptionKey_from_creds(
-            target_creds)
-
-        etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
-
-        kdc_options = '0'
-        pac_options = '1'  # claims support
-
-        kdc_exchange_dict = self.tgs_exchange_dict(
-            expected_crealm=user_tgt.crealm,
-            expected_cname=user_tgt.cname,
-            expected_srealm=srealm,
-            expected_sname=sname,
-            ticket_decryption_key=decryption_key,
-            generate_fast_fn=self.generate_simple_fast,
-            generate_fast_armor_fn=self.generate_ap_req,
-            check_rep_fn=self.generic_check_kdc_rep,
-            check_kdc_private_fn=self.generic_check_kdc_private,
-            tgt=user_tgt,
-            armor_key=armor_key,
-            armor_tgt=mach_tgt,
-            armor_subkey=armor_subkey,
-            pac_options=pac_options,
-            authenticator_subkey=subkey,
-            kdc_options=kdc_options,
-            expect_pac=True,
-            expect_pac_attrs=to_krbtgt,
-            expect_pac_attrs_pac_request=to_krbtgt,
-            expected_sid=expected_sid,
-            expect_device_claims=not to_krbtgt,
-            expect_device_info=not to_krbtgt)
-
         rep = self._generic_kdc_exchange(kdc_exchange_dict,
                                          cname=None,
-                                         realm=srealm,
-                                         sname=sname,
-                                         etypes=etypes)
-        self.check_reply(rep, KRB_TGS_REP)
-
-    def test_device_claims(self):
-        self._run_device_claims_test(to_krbtgt=False)
-
-    def test_device_claims_to_krbtgt(self):
-        self._run_device_claims_test(to_krbtgt=True)
-
-    def _run_device_claims_test(self, to_krbtgt):
-        user_creds = self.get_cached_creds(
-            account_type=self.AccountType.USER)
-        user_tgt = self.get_tgt(user_creds)
-
-        samdb = self.get_samdb()
-        mach_creds, mach_dn = self.create_account(
-            samdb,
-            self.get_new_username(),
-            account_type=self.AccountType.COMPUTER,
-            additional_details={
-                'middleName': 'foo',
-            })
-
-        claim_id = self.get_new_username()
-        self.create_claim(claim_id,
-                          enabled=True,
-                          attribute='middleName',
-                          single_valued=True,
-                          source_type='AD',
-                          for_classes=['computer'],
-                          value_type=claims.CLAIM_TYPE_STRING)
-
-        expected_claims = {
-            claim_id: {
-                'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
-                'type': claims.CLAIM_TYPE_STRING,
-                'values': ['foo'],
-            },
-        }
-
-        # Get a TGT for the computer.
-        mach_tgt = self.get_tgt(mach_creds, expect_pac=True,
-                                expect_client_claims=True,
-                                expected_client_claims=expected_claims)
-
-        # Change the value of the attribute used for the claim.
-        msg = ldb.Message(ldb.Dn(samdb, mach_dn))
-        msg['middleName'] = ldb.MessageElement('bar',
-                                               ldb.FLAG_MOD_REPLACE,
-                                               'middleName')
-        samdb.modify(msg)
-
-        # Get a service ticket for the user, using the computer's TGT as an
-        # armor TGT. The value should not have changed.
-
-        expected_sid = self.get_objectSid(samdb, user_creds.get_dn())
-
-        subkey = self.RandomKey(user_tgt.session_key.etype)
-
-        armor_subkey = self.RandomKey(subkey.etype)
-        explicit_armor_key = self.generate_armor_key(armor_subkey,
-                                                     mach_tgt.session_key)
-        armor_key = kcrypto.cf2(explicit_armor_key.key,
-                                subkey.key,
-                                b'explicitarmor',
-                                b'tgsarmor')
-        armor_key = Krb5EncryptionKey(armor_key, None)
-
-        target_creds, sname = self.get_target(
-            to_krbtgt,
-            extra_enctypes=security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED)
-        srealm = target_creds.get_realm()
-
-        decryption_key = self.TicketDecryptionKey_from_creds(
-            target_creds)
-
-        etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
-
-        kdc_options = '0'
-        pac_options = '1'  # claims support
-
-        kdc_exchange_dict = self.tgs_exchange_dict(
-            expected_crealm=user_tgt.crealm,
-            expected_cname=user_tgt.cname,
-            expected_srealm=srealm,
-            expected_sname=sname,
-            ticket_decryption_key=decryption_key,
-            generate_fast_fn=self.generate_simple_fast,
-            generate_fast_armor_fn=self.generate_ap_req,
-            check_rep_fn=self.generic_check_kdc_rep,
-            check_kdc_private_fn=self.generic_check_kdc_private,
-            tgt=user_tgt,
-            armor_key=armor_key,
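Review bot: this hunk is cut off by the 500-line truncation, so the continuation of the retained context lines `rep = self._generic_kdc_exchange(kdc_exchange_dict,` / `cname=None,` in run_delegation_test is not visible. The removed call at `-        self._generic_kdc_exchange(kdc_exchange_dict,` passed `realm=service_realm`, `sname=service_sname`, `etypes=etypes` and `additional_tickets=additional_tickets`, while the context line that replaces it comes from the deleted _run_device_info_test and was followed by `realm=srealm, sname=sname, etypes=etypes`; please check in the full changeset that the delegation call is completed with the service realm, sname and additional_tickets and that the subsequent `self.check_reply(rep, KRB_TGS_REP)` is kept, otherwise the delegation test would silently lose its S4U2Proxy ticket argument.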


-- 
Samba Shared Repository
