From: Stefan Metzmacher Date: Mon, 10 Mar 2025 19:51:22 +0000 (+0100) Subject: python:tests/krb5: let check_device_info() handle EXTRA_DOMAIN_SID X-Git-Tag: tevent-0.17.0~381 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=82ecf6e31ed51539d68b4cf77ca2ec6c3e525f43;p=thirdparty%2Fsamba.git python:tests/krb5: let check_device_info() handle EXTRA_DOMAIN_SID device info does not really have RESOURCE_SID, so we need to map RESOURCE_SID as well as EXTRA_SID (with a S-1-5-21- prefix) to EXTRA_DOMAIN_SID. Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme
---
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index df49652a725..23167595fa4 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -729,6 +729,7 @@ class RawKerberosTest(TestCase):
 EXTRA_SID = object() # in info3.sids
 RESOURCE_SID = object() # in resource_groups
 PRIMARY_GID = object() # the (sole) primary group
+ EXTRA_DOMAIN_SID = object() # in device_info.extra_domain

 def __repr__(self):
 return self.__str__()
@@ -4590,19 +4591,31 @@ class RawKerberosTest(TestCase):
 got_sid = f'{resource_group_sid}-{resource_group.rid}'

 device_sid = (got_sid,
- self.SidType.RESOURCE_SID,
+ self.SidType.EXTRA_DOMAIN_SID,
 resource_group.attributes)
- self.assertNotIn(device_sid, got_domain_sids, 'got duplicated SID')
- got_domain_sids.add(device_sid)
-
- got_domain_sids = frozenset(got_domain_sids)
- self.assertNotIn(got_domain_sids, got_sids)
- got_sids.add(got_domain_sids)
+ self.assertNotIn(device_sid, got_sids, 'got duplicated SID')
+ got_sids.add(device_sid)

 # Compare the aggregated device SIDs against the set of expected device
 # SIDs.
 if expected_device_groups is not None:
- self.assertEqual(expected_device_groups, got_sids,
+ _expected_device_groups = set()
+ for _g in expected_device_groups:
+ if isinstance(_g, frozenset):
+ gset = _g
+ else:
+ gset = frozenset([_g])
+ for g in gset:
+ stype = g[1]
+ if g[1] == self.SidType.RESOURCE_SID:
+ stype = self.SidType.EXTRA_DOMAIN_SID
+ elif g[1] == self.SidType.EXTRA_SID and g[0].startswith('S-1-5-21-'):
+ tsid = security.dom_sid(g[0])
+ if tsid.num_auths == 5:
+ stype = self.SidType.EXTRA_DOMAIN_SID
+ tmp_extra = (g[0], stype, g[2])
+ _expected_device_groups.add(tmp_extra)
+ self.assertEqual(_expected_device_groups, got_sids,
 'expected != got')

 def check_pac_buffers(self, pac_data, kdc_exchange_dict):
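Review bot: The normalised expectation set built in the `for g in gset:` loop can shrink silently. `_expected_device_groups.add(tmp_extra)` runs after RESOURCE_SID and domain-relative EXTRA_SID entries have been rewritten to EXTRA_DOMAIN_SID, so two expected entries that differed only in their SidType collapse into one and the final `assertEqual` still passes. The got side keeps its `assertNotIn(device_sid, got_sids, 'got duplicated SID')` guard, and the expected side would benefit from the same check before the add, e.g. `self.assertNotIn(tmp_extra, _expected_device_groups, 'expected SID duplicated after mapping')`. The `tsid.num_auths == 5` condition also deserves a short comment such as `# S-1-5-21-<3 domain sub-auths>-<rid>, i.e. a RID directly under an account domain`, since the constant is otherwise unexplained. The enclosing method starts before this hunk, so whether any caller actually passes overlapping entries cannot be confirmed from here.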