From aa2e583fdea4fd93e4e71c54630e32a1035d1e2a Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 29 Sep 2021 16:15:26 +1300
Subject: [PATCH] tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 librpc/idl/krb5pac.idl                  |  3 ++
 python/samba/tests/krb5/raw_testcase.py | 52 +++++++++++++++++++++++++
 2 files changed, 55 insertions(+)

diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index 3239d7656b6..515150ab9cd 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -113,6 +113,9 @@ interface krb5pac
 		PAC_TYPE_LOGON_NAME = 10,
 		PAC_TYPE_CONSTRAINED_DELEGATION = 11,
 		PAC_TYPE_UPN_DNS_INFO = 12,
+		PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
+		PAC_TYPE_DEVICE_INFO = 14,
+		PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
 		PAC_TYPE_TICKET_CHECKSUM = 16
 	} PAC_TYPE;
 
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 0415f1ff6e6..320de0a4dbe 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2340,6 +2340,13 @@ class RawKerberosTest(TestCaseInTempDir):
             self.assertElementPresent(ticket_private, 'authorization-data',
                                       expect_empty=not expect_pac)
 
+            if expect_pac:
+                authorization_data = self.getElementValue(ticket_private,
+                                                          'authorization-data')
+                pac_data = self.get_pac(authorization_data)
+
+                self.check_pac_buffers(pac_data, kdc_exchange_dict)
+
         encpart_session_key = None
         if encpart_private is not None:
             self.assertElementPresent(encpart_private, 'key')
@@ -2446,6 +2453,47 @@ class RawKerberosTest(TestCaseInTempDir):
 
         kdc_exchange_dict['rep_ticket_creds'] = ticket_creds
 
+    def check_pac_buffers(self, pac_data, kdc_exchange_dict):
+        pac = ndr_unpack(krb5pac.PAC_DATA, pac_data)
+
+        rep_msg_type = kdc_exchange_dict['rep_msg_type']
+        armor_tgt = kdc_exchange_dict['armor_tgt']
+
+        expected_sname = kdc_exchange_dict['expected_sname']
+        expect_claims = kdc_exchange_dict['expect_claims']
+
+        expected_types = [krb5pac.PAC_TYPE_LOGON_INFO,
+                          krb5pac.PAC_TYPE_SRV_CHECKSUM,
+                          krb5pac.PAC_TYPE_KDC_CHECKSUM,
+                          krb5pac.PAC_TYPE_LOGON_NAME,
+                          krb5pac.PAC_TYPE_UPN_DNS_INFO]
+
+        kdc_options = kdc_exchange_dict['kdc_options']
+        pos = len(tuple(krb5_asn1.KDCOptions('cname-in-addl-tkt'))) - 1
+        constrained_delegation = (pos < len(kdc_options)
+                                  and kdc_options[pos] == '1')
+        if constrained_delegation:
+            expected_types.append(krb5pac.PAC_TYPE_CONSTRAINED_DELEGATION)
+
+        if self.kdc_fast_support:
+            if expect_claims:
+                expected_types.append(krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO)
+
+            if (rep_msg_type == KRB_TGS_REP
+                    and armor_tgt is not None):
+                expected_types.append(krb5pac.PAC_TYPE_DEVICE_INFO)
+                expected_types.append(krb5pac.PAC_TYPE_DEVICE_CLAIMS_INFO)
+
+        if not self.is_tgs(expected_sname):
+            expected_types.append(krb5pac.PAC_TYPE_TICKET_CHECKSUM)
+
+        if self.strict_checking:
+            buffer_types = [pac_buffer.type
+                            for pac_buffer in pac.buffers]
+            self.assertCountEqual(expected_types, buffer_types,
+                                  f'expected: {expected_types} '
+                                  f'got: {buffer_types}')
+
     def generic_check_kdc_error(self,
                                 kdc_exchange_dict,
                                 callback_dict,
@@ -3397,6 +3445,10 @@ class RawKerberosTest(TestCaseInTempDir):
 
         return new_auth_data, old_pac
 
+    def get_pac(self, auth_data, expect_pac=True):
+        _, pac = self.replace_pac(auth_data, None, expect_pac)
+        return pac
+
     def get_krbtgt_checksum_key(self):
         krbtgt_creds = self.get_krbtgt_creds()
         krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
-- 
2.47.3