tests/krb5: Ensure PAC is not present if expect_pac is false

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit cc3d27596b9e8a8a46e8ba9c3c1a445477d458cf)

diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 0790ac13f99a42d2c230aeb95df0e19b35b89d30..0b9fe8e7a046bbccab9159ec5b4298dba04dafd2 100644 (file)
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2385,13 +2385,6 @@ class RawKerberosTest(TestCaseInTempDir):
             self.assertElementPresent(ticket_private, 'authorization-data',
                                       expect_empty=not expect_pac)
 
-            if expect_pac:
-                authorization_data = self.getElementValue(ticket_private,
-                                                          'authorization-data')
-                pac_data = self.get_pac(authorization_data)
-
-                self.check_pac_buffers(pac_data, kdc_exchange_dict)
-
         encpart_session_key = None
         if encpart_private is not None:
             self.assertElementPresent(encpart_private, 'key')
@@ -2493,6 +2486,13 @@ class RawKerberosTest(TestCaseInTempDir):
             ticket_private=ticket_private,
             encpart_private=encpart_private)
 
+        if ticket_private is not None:
+            pac_data = self.get_ticket_pac(ticket_creds, expect_pac=expect_pac)
+            if expect_pac:
+                self.check_pac_buffers(pac_data, kdc_exchange_dict)
+            else:
+                self.assertIsNone(pac_data)
+
         expect_ticket_checksum = kdc_exchange_dict['expect_ticket_checksum']
         if expect_ticket_checksum:
             self.assertIsNotNone(ticket_decryption_key)