From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 20 Sep 2021 02:08:16 +0000 (+1200)
Subject: tests/krb5: Fix checking for presence of authorization data
X-Git-Tag: ldb-2.5.0~566
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f9284d8517edd9ffd96f0c24166a16366f97de8f;p=thirdparty%2Fsamba.git

tests/krb5: Fix checking for presence of authorization data

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 5de9907d02b..b4d3739aa11 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -1126,7 +1126,7 @@ class KDCBaseTest(RawKerberosTest):
 
     def tgs_req(self, cname, sname, realm, ticket, key, etypes,
                 expected_error_mode=0, padata=None, kdc_options=0,
-                to_rodc=False, service_creds=None):
+                to_rodc=False, service_creds=None, expect_pac=True):
         '''Send a TGS-REQ, returns the response and the decrypted and
            decoded enc-part
         '''
@@ -1173,6 +1173,7 @@ class KDCBaseTest(RawKerberosTest):
             tgt=tgt,
             authenticator_subkey=subkey,
             kdc_options=str(kdc_options),
+            expect_pac=expect_pac,
             to_rodc=to_rodc)
 
         rep = self._generic_kdc_exchange(kdc_exchange_dict,
diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
index 99c842701ea..64ebe15ad70 100755
--- a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
+++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
@@ -321,7 +321,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
             names=[mc.get_username()])
 
         (rep, enc_part) = self.tgs_req(
-            cname, sname, uc.get_realm(), ticket, key, etype)
+            cname, sname, uc.get_realm(), ticket, key, etype,
+            expect_pac=False)
         self.check_tgs_reply(rep)
 
         # Check the contents of the service ticket
@@ -695,7 +696,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
             names=[mc.get_username()])
 
         (rep, enc_part) = self.tgs_req(
-            cname, sname, uc.get_realm(), ticket, key, etype)
+            cname, sname, uc.get_realm(), ticket, key, etype,
+            expect_pac=False)
         self.check_tgs_reply(rep)
 
         # Check the contents of the service ticket
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index c6bc3e553ad..b531e33041d 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -944,12 +944,15 @@ class RawKerberosTest(TestCaseInTempDir):
         v = self.getElementValue(obj, elem)
         self.assertIsNone(v)
 
-    def assertElementPresent(self, obj, elem):
+    def assertElementPresent(self, obj, elem, expect_empty=False):
         v = self.getElementValue(obj, elem)
         self.assertIsNotNone(v)
         if self.strict_checking:
             if isinstance(v, collections.abc.Container):
-                self.assertNotEqual(0, len(v))
+                if expect_empty:
+                    self.assertEqual(0, len(v))
+                else:
+                    self.assertNotEqual(0, len(v))
 
     def assertElementEqual(self, obj, elem, value):
         v = self.getElementValue(obj, elem)
@@ -1907,6 +1910,7 @@ class RawKerberosTest(TestCaseInTempDir):
                          outer_req=None,
                          pac_request=None,
                          pac_options=None,
+                         expect_pac=True,
                          to_rodc=False):
         if expected_error_mode == 0:
             expected_error_mode = ()
@@ -1952,6 +1956,7 @@ class RawKerberosTest(TestCaseInTempDir):
             'outer_req': outer_req,
             'pac_request': pac_request,
             'pac_options': pac_options,
+            'expect_pac': expect_pac,
             'to_rodc': to_rodc
         }
         if callback_dict is None:
@@ -1992,6 +1997,7 @@ class RawKerberosTest(TestCaseInTempDir):
                           outer_req=None,
                           pac_request=None,
                           pac_options=None,
+                          expect_pac=True,
                           to_rodc=False):
         if expected_error_mode == 0:
             expected_error_mode = ()
@@ -2036,6 +2042,7 @@ class RawKerberosTest(TestCaseInTempDir):
             'outer_req': outer_req,
             'pac_request': pac_request,
             'pac_options': pac_options,
+            'expect_pac': expect_pac,
             'to_rodc': to_rodc
         }
         if callback_dict is None:
@@ -2236,6 +2243,8 @@ class RawKerberosTest(TestCaseInTempDir):
             armor_key = kdc_exchange_dict['armor_key']
             self.verify_ticket_checksum(ticket, ticket_checksum, armor_key)
 
+        expect_pac = kdc_exchange_dict['expect_pac']
+
         ticket_session_key = None
         if ticket_private is not None:
             self.assertElementFlags(ticket_private, 'flags',
@@ -2265,7 +2274,8 @@ class RawKerberosTest(TestCaseInTempDir):
                 self.assertElementMissing(ticket_private, 'renew-till')
             if self.strict_checking:
                 self.assertElementEqual(ticket_private, 'caddr', [])
-            self.assertElementPresent(ticket_private, 'authorization-data')
+            self.assertElementPresent(ticket_private, 'authorization-data',
+                                      expect_empty=not expect_pac)
 
         encpart_session_key = None
         if encpart_private is not None: