import ldb
from samba.dcerpc import claims, krb5pac, security
+from samba.ndr import ndr_pack
from samba.tests import DynamicTestCase, env_get_var_value
from samba.tests.krb5 import kcrypto
details = {}
mod_msg = ldb.Message()
+ security_desc = None
for claim in all_claims:
# Make a copy to avoid modifying the original.
'conflicting values set for attribute')
details[attribute] = transformed_values
+ readable = claim.pop('readable', True)
+ if not readable:
+ if security_desc is None:
+ security_desc = security.descriptor()
+
+ # Deny all read property access to the attribute.
+ ace = security.ace()
+ ace.type = security.SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
+ ace.access_mask = security.SEC_ADS_READ_PROP
+ ace.trustee = security.dom_sid(security.SID_WORLD)
+ ace.object.flags |= security.SEC_ACE_OBJECT_TYPE_PRESENT
+ ace.object.type = self.get_schema_id_guid_from_attribute(
+ attribute)
+
+ security_desc.dacl_add(ace)
+
if expected_values is None:
expected_values = values
self.create_claim(claim_id, **claim)
+ if security_desc is not None:
+ self.assertNotIn('nTSecurityDescriptor', details)
+ details['nTSecurityDescriptor'] = ndr_pack(security_desc)
+
return details, mod_msg, expected_claims, unexpected_claims
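Review bot: The descriptor created at `security_desc = security.descriptor()` is empty apart from the ACEs added via `dacl_add`, so the `nTSecurityDescriptor` placed in `details` replaces the created object's default DACL with one holding only the deny ACE(s), rather than layering a deny entry on top of the schema defaults, and nothing in the hunk says whether that is intended. How `details` is consumed is outside the hunk, so I cannot tell whether anything later reads the account back over a connection that such a DACL would block, nor whether `dacl_add` sets the DACL-present control flag or whether the unset owner/group matters to the caller. A comment at the point the descriptor is created would settle this for the next reader, e.g. `# Fresh descriptor: the resulting DACL holds only the deny ACE(s) and replaces the default DACL entirely (no owner/group set).`. The enclosing function starts before the hunk.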
def modify_pac_remove_client_claims(self, pac):
'class': 'user',
'pac-options:claims-support': False,
},
+ {
+ 'name': 'deny RP',
+ 'claims': [
+ {
+ # 2.5.5.12
+ 'enabled': True,
+ 'attribute': 'carLicense',
+ 'single_valued': True,
+ 'source_type': 'AD',
+ 'for_classes': ['user'],
+ 'value_type': claims.CLAIM_TYPE_STRING,
+ 'values': ('foo',),
+ # Deny read access to the attribute. It still shows up in
+ # the claim.
+ 'readable': False,
+ 'expected': True,
+ },
+ ],
+ 'class': 'user',
+ },
{
# Note: The order of these DNs may differ on Windows.
'name': 'dn string syntax',
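Review bot: The comment `# Deny read access to the attribute. It still shows up in the claim.` states the expectation behind `'expected': True` but not its basis, and the same test names are added to what appear to be knownfail lists further down this page, which suggests Samba does not currently produce this result. It would help to record where the expectation comes from, e.g. `# Observed on Windows: a deny read-property ACE on the source attribute does not stop the claim from being issued.`, assuming that is indeed its origin. The enclosing test-case list continues outside the hunk.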
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid__to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid__to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid_.ad_dc