tests/krb5: Add tests for RODC-issued armor tickets
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 15 Mar 2023 22:06:19 +0000 (11:06 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 20 Mar 2023 00:22:32 +0000 (00:22 +0000)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/fast_tests.py
selftest/knownfail_mit_kdc

index 302fc98edf1200696ef4465dbc3a830d442029d2..4126c24785c438f76adfde142ae21b8a7d45438e 100755 (executable)
@@ -192,6 +192,47 @@ class FAST_Tests(KDCBaseTest):
             }
         ])
 
+    def test_fast_rodc_issued_armor(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+                'use_fast': True,
+                'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+                'gen_armor_tgt_fn': self.get_rodc_issued_mach_tgt,
+            },
+            {
+                'rep_type': KRB_AS_REP,
+                # Test that RODC-issued armor tickets are permitted.
+                'expected_error_mode': 0,
+                'use_fast': True,
+                'gen_padata_fn': self.generate_enc_challenge_padata,
+                'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+                'gen_armor_tgt_fn': self.get_rodc_issued_mach_tgt,
+            }
+        ],
+        armor_opts={
+            'allowed_replication_mock': True,
+            'revealed_to_mock_rodc': True,
+        })
+
+    def test_fast_tgs_rodc_issued_armor(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_TGS_REP,
+                # Test that RODC-issued armor tickets are not permitted.
+                'expected_error_mode': 0,
+                'use_fast': True,
+                'gen_tgt_fn': self.get_user_tgt,
+                'gen_armor_tgt_fn': self.get_rodc_issued_mach_tgt,
+                'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+            }
+        ],
+        armor_opts={
+            'allowed_replication_mock': True,
+            'revealed_to_mock_rodc': True,
+        })
+
     def test_simple_enc_pa_rep(self):
         self._run_test_sequence([
             {
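Review bot: In test_fast_tgs_rodc_issued_armor the comment says "RODC-issued armor tickets are not permitted", but the step sets `'expected_error_mode': 0`, which asserts that the KDC accepts the TGS-REQ, so the comment and the expectation contradict each other and the test cannot tell a reviewer which behaviour the KDC is supposed to have. If rejection is intended, the step should expect a KDC error constant, as the first AS step does with `'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED`; if acceptance is intended, the comment should match the AS test and read `# Test that RODC-issued armor tickets are permitted.`. This matters because the security-relevant question here is whether the KDC treats an armor ticket issued by an RODC (not a full DC) differently in the AS and TGS paths, and a test whose comment disagrees with its assertion gives no reliable signal either way. The enclosing class FAST_Tests starts and ends outside the hunk.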
@@ -1930,6 +1971,9 @@ class FAST_Tests(KDCBaseTest):
             })
         return self.get_tgt(mach_creds)
 
+    def get_rodc_issued_mach_tgt(self, opts):
+        return self.issued_by_rodc(self.get_mach_tgt(opts))
+
     def get_user_tgt(self, opts):
         user_creds = self.get_cached_creds(
             account_type=self.AccountType.USER,
index 9168afacb66c9cc1f93f16f466e44c3dfa95f21d..e790f2906681cbfedc45b58d03d30f18b4aafd85 100644 (file)
@@ -247,10 +247,12 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_rodc_issued_armor.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_enc_pa_rep.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_session_key.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_enc_pa_rep.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_rodc_issued_armor.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_no_auth_data.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc
 ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_enc_pa_rep.ad_dc