]> git.ipfire.org Git - thirdparty/samba.git/commitdiff
tests/krb5: Check logon name in PAC for canonicalization tests
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 2 Dec 2021 03:51:26 +0000 (16:51 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 6 Dec 2021 22:08:32 +0000 (22:08 +0000)
This allows us to ensure that the correct name makes it through to the
PAC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/as_canonicalization_tests.py

index 7c64ce19bb7503f6e7b6abc3b6ca99045981b036..700a03622e1d129ef23213418798501effa5e0f6 100755 (executable)
@@ -28,7 +28,9 @@ os.environ["PYTHONUNBUFFERED"] = "1"
 from samba.tests.krb5.kdc_base_test import KDCBaseTest
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
 from samba.credentials import DONT_USE_KERBEROS
+from samba.dcerpc import krb5pac
 from samba.dcerpc.misc import SEC_CHAN_WKSTA
+from samba.ndr import ndr_unpack
 from samba.tests import DynamicTestCase
 from samba.tests.krb5.rfc4120_constants import (
     AES256_CTS_HMAC_SHA1_96,
@@ -39,6 +41,7 @@ from samba.tests.krb5.rfc4120_constants import (
     KU_AS_REP_ENC_PART,
     KRB_ERROR,
     KU_PA_ENC_TIMESTAMP,
+    KU_TICKET,
     PADATA_ENC_TIMESTAMP,
     NT_ENTERPRISE_PRINCIPAL,
     NT_PRINCIPAL,
@@ -229,6 +232,38 @@ class KerberosASCanonicalizationTests(KDCBaseTest):
             srealm = as_rep['srealm'].decode('ascii')
             self.check_srealm(srealm, data)
 
+            if TestOptions.AsReqSelf.is_set(data.options):
+                ticket_creds = creds
+            else:
+                ticket_creds = self.get_krbtgt_creds()
+            ticket_key = self.TicketDecryptionKey_from_creds(ticket_creds)
+
+            ticket_encpart = rep['ticket']['enc-part']
+            self.assertElementEqual(ticket_encpart, 'etype',
+                                    ticket_key.etype)
+            self.assertElementEqual(ticket_encpart, 'kvno',
+                                    ticket_key.kvno)
+            ticket_decpart = ticket_key.decrypt(KU_TICKET,
+                                                ticket_encpart['cipher'])
+            ticket_private = self.der_decode(
+                ticket_decpart,
+                asn1Spec=krb5_asn1.EncTicketPart())
+
+            pac_data = self.get_pac(ticket_private['authorization-data'])
+            pac = ndr_unpack(krb5pac.PAC_DATA, pac_data)
+
+            for pac_buffer in pac.buffers:
+                if pac_buffer.type == krb5pac.PAC_TYPE_LOGON_NAME:
+                    if TestOptions.Canonicalize.is_set(data.options):
+                        expected = data.user_creds.get_username()
+                    else:
+                        expected = data.user_name
+
+                    self.assertEqual(expected, pac_buffer.info.account_name)
+                    break
+            else:
+                self.fail('PAC_TYPE_LOGON_NAME not found')
+
     def as_req(self, data):
         user_creds = data.user_creds
         realm = data.realm