tests/krb5: Replace expected_cname_private with expected_anon parameter
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 1 Sep 2021 04:31:56 +0000 (16:31 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 13 Sep 2021 23:11:35 +0000 (23:11 +0000)
This is used in the case where the KDC returns 'WELLKNOWN/ANONYMOUS' as
the cname, and makes the reply checking logic easier to follow. This
also removes the need to fetch the client credentials in the test
methods.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
python/samba/tests/krb5/fast_tests.py
python/samba/tests/krb5/raw_testcase.py

index 392d19f59b364c2c98cf34c731e320440ab18613..5e6694df6f2471a5ea8e6dd63fd08b9c1a8f777a 100755 (executable)
@@ -49,7 +49,6 @@ from samba.tests.krb5.rfc4120_constants import (
     KU_TICKET,
     NT_PRINCIPAL,
     NT_SRV_INST,
-    NT_WELLKNOWN,
     PADATA_FX_COOKIE,
     PADATA_FX_FAST,
     PADATA_PAC_OPTIONS
@@ -1028,14 +1027,6 @@ class FAST_Tests(KDCBaseTest):
         ])
 
     def test_fast_hide_client_names(self):
-        user_creds = self.get_client_creds()
-        user_name = user_creds.get_username()
-        user_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-                                               names=[user_name])
-
-        expected_cname = self.PrincipalName_create(
-            name_type=NT_WELLKNOWN, names=['WELLKNOWN', 'ANONYMOUS'])
-
         self._run_test_sequence([
             {
                 'rep_type': KRB_AS_REP,
@@ -1044,7 +1035,7 @@ class FAST_Tests(KDCBaseTest):
                 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
                 'gen_armor_tgt_fn': self.get_mach_tgt,
                 'fast_options': '01',  # hide client names
-                'expected_cname': expected_cname
+                'expected_anon': True
             },
             {
                 'rep_type': KRB_AS_REP,
@@ -1054,20 +1045,11 @@ class FAST_Tests(KDCBaseTest):
                 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
                 'gen_armor_tgt_fn': self.get_mach_tgt,
                 'fast_options': '01',  # hide client names
-                'expected_cname': expected_cname,
-                'expected_cname_private': user_cname
+                'expected_anon': True
             }
         ])
 
     def test_fast_tgs_hide_client_names(self):
-        user_creds = self.get_client_creds()
-        user_name = user_creds.get_username()
-        user_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-                                               names=[user_name])
-
-        expected_cname = self.PrincipalName_create(
-            name_type=NT_WELLKNOWN, names=['WELLKNOWN', 'ANONYMOUS'])
-
         self._run_test_sequence([
             {
                 'rep_type': KRB_TGS_REP,
@@ -1076,8 +1058,7 @@ class FAST_Tests(KDCBaseTest):
                 'gen_tgt_fn': self.get_user_tgt,
                 'fast_armor': None,
                 'fast_options': '01',  # hide client names
-                'expected_cname': expected_cname,
-                'expected_cname_private': user_cname
+                'expected_anon': True
             }
         ])
 
@@ -1259,8 +1240,8 @@ class FAST_Tests(KDCBaseTest):
                 srealm = target_realm
 
             expected_cname = kdc_dict.pop('expected_cname', client_cname)
-            expected_cname_private = kdc_dict.pop('expected_cname_private',
-                                                  None)
+            expected_anon = kdc_dict.pop('expected_anon',
+                                         False)
             expected_crealm = kdc_dict.pop('expected_crealm', client_realm)
             expected_sname = kdc_dict.pop('expected_sname', sname)
             expected_srealm = kdc_dict.pop('expected_srealm', srealm)
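Review bot: The `kdc_dict.pop('expected_anon',` call is still wrapped over two lines, which was only needed for the longer `expected_cname_private` name. It now fits on one line like its neighbours: `expected_anon = kdc_dict.pop('expected_anon', False)`. The enclosing method starts and ends outside this hunk.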
@@ -1384,7 +1365,7 @@ class FAST_Tests(KDCBaseTest):
                 kdc_exchange_dict = self.as_exchange_dict(
                     expected_crealm=expected_crealm,
                     expected_cname=expected_cname,
-                    expected_cname_private=expected_cname_private,
+                    expected_anon=expected_anon,
                     expected_srealm=expected_srealm,
                     expected_sname=expected_sname,
                     ticket_decryption_key=krbtgt_decryption_key,
@@ -1413,7 +1394,7 @@ class FAST_Tests(KDCBaseTest):
                 kdc_exchange_dict = self.tgs_exchange_dict(
                     expected_crealm=expected_crealm,
                     expected_cname=expected_cname,
-                    expected_cname_private=expected_cname_private,
+                    expected_anon=expected_anon,
                     expected_srealm=expected_srealm,
                     expected_sname=expected_sname,
                     ticket_decryption_key=target_decryption_key,
index 0ec0f65c6d6db1559610ee095e65c63a49b52811..e4dbb10d1351db07f224d5d1a91c51756d2c00d4 100644 (file)
@@ -1721,7 +1721,7 @@ class RawKerberosTest(TestCaseInTempDir):
     def as_exchange_dict(self,
                          expected_crealm=None,
                          expected_cname=None,
-                         expected_cname_private=None,
+                         expected_anon=False,
                          expected_srealm=None,
                          expected_sname=None,
                          ticket_decryption_key=None,
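Review bot: `expected_anon` is added to `as_exchange_dict` (and to `tgs_exchange_dict` in the hunk at `@@ -1796,7 +1793,7 @@`) with nothing describing how it interacts with `expected_cname`. Judging by the later hunks, when it is true the reply's outer `cname` is compared against WELLKNOWN/ANONYMOUS while `expected_cname` is still read by another checker, so both values matter at once. A short comment next to the parameter would save callers from reading the checkers, e.g. `# expected_anon: outer cname must be WELLKNOWN/ANONYMOUS; expected_cname is still used where the real client name is checked`. The signature and body continue outside this hunk.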
@@ -1759,6 +1759,7 @@ class RawKerberosTest(TestCaseInTempDir):
             'rep_encpart_asn1Spec': krb5_asn1.EncASRepPart,
             'expected_crealm': expected_crealm,
             'expected_cname': expected_cname,
+            'expected_anon': expected_anon,
             'expected_srealm': expected_srealm,
             'expected_sname': expected_sname,
             'ticket_decryption_key': ticket_decryption_key,
@@ -1784,10 +1785,6 @@ class RawKerberosTest(TestCaseInTempDir):
             'inner_req': inner_req,
             'outer_req': outer_req
         }
-        if expected_cname_private is not None:
-            kdc_exchange_dict['expected_cname_private'] = (
-                expected_cname_private)
-
         if callback_dict is None:
             callback_dict = {}
 
@@ -1796,7 +1793,7 @@ class RawKerberosTest(TestCaseInTempDir):
     def tgs_exchange_dict(self,
                           expected_crealm=None,
                           expected_cname=None,
-                          expected_cname_private=None,
+                          expected_anon=False,
                           expected_srealm=None,
                           expected_sname=None,
                           ticket_decryption_key=None,
@@ -1834,6 +1831,7 @@ class RawKerberosTest(TestCaseInTempDir):
             'rep_encpart_asn1Spec': krb5_asn1.EncTGSRepPart,
             'expected_crealm': expected_crealm,
             'expected_cname': expected_cname,
+            'expected_anon': expected_anon,
             'expected_srealm': expected_srealm,
             'expected_sname': expected_sname,
             'ticket_decryption_key': ticket_decryption_key,
@@ -1859,10 +1857,6 @@ class RawKerberosTest(TestCaseInTempDir):
             'inner_req': inner_req,
             'outer_req': outer_req
         }
-        if expected_cname_private is not None:
-            kdc_exchange_dict['expected_cname_private'] = (
-                expected_cname_private)
-
         if callback_dict is None:
             callback_dict = {}
 
@@ -1874,7 +1868,7 @@ class RawKerberosTest(TestCaseInTempDir):
                               rep):
 
         expected_crealm = kdc_exchange_dict['expected_crealm']
-        expected_cname = kdc_exchange_dict['expected_cname']
+        expected_anon = kdc_exchange_dict['expected_anon']
         expected_srealm = kdc_exchange_dict['expected_srealm']
         expected_sname = kdc_exchange_dict['expected_sname']
         ticket_decryption_key = kdc_exchange_dict['ticket_decryption_key']
@@ -1888,6 +1882,12 @@ class RawKerberosTest(TestCaseInTempDir):
         padata = self.getElementValue(rep, 'padata')
         if self.strict_checking:
             self.assertElementEqualUTF8(rep, 'crealm', expected_crealm)
+            if expected_anon:
+                expected_cname = self.PrincipalName_create(
+                    name_type=NT_WELLKNOWN,
+                    names=['WELLKNOWN', 'ANONYMOUS'])
+            else:
+                expected_cname = kdc_exchange_dict['expected_cname']
             self.assertElementEqualPrincipal(rep, 'cname', expected_cname)
         self.assertElementPresent(rep, 'ticket')
         ticket = self.getElementValue(rep, 'ticket')
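Review bot: The new `expected_anon` branch sits inside `if self.strict_checking:`, so a run with strict checking off never asserts that the reply's `cname` was replaced by WELLKNOWN/ANONYMOUS; the same holds for the error-reply hunk at `@@ -2203,7 +2200,10 @@`. For tests whose purpose is hiding the client name, that leaves a reply leaking the real name unchecked in lax mode. If lax mode is meant to tolerate KDCs that do not anonymise, a comment such as `# cname anonymisation is only verified under strict_checking` would record that; otherwise the `expected_anon` assertion could move out of the strict block. The enclosing method begins and ends outside this hunk.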
@@ -2042,14 +2042,11 @@ class RawKerberosTest(TestCaseInTempDir):
                         and kdc_options[canon_pos] == '1')
 
         expected_crealm = kdc_exchange_dict['expected_crealm']
+        expected_cname = kdc_exchange_dict['expected_cname']
         expected_srealm = kdc_exchange_dict['expected_srealm']
         expected_sname = kdc_exchange_dict['expected_sname']
         ticket_decryption_key = kdc_exchange_dict['ticket_decryption_key']
 
-        try:
-            expected_cname = kdc_exchange_dict['expected_cname_private']
-        except KeyError:
-            expected_cname = kdc_exchange_dict['expected_cname']
 
         ticket = self.getElementValue(rep, 'ticket')
 
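Review bot: Removing the `try`/`except KeyError` block leaves two consecutive blank lines between the `ticket_decryption_key = ...` assignment and `ticket = self.getElementValue(rep, 'ticket')`, which pycodestyle reports as E303 inside a method body. Dropping one of the two blank lines keeps the file lint-clean. The enclosing method starts and ends outside this hunk.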
@@ -2182,7 +2179,7 @@ class RawKerberosTest(TestCaseInTempDir):
 
         rep_msg_type = kdc_exchange_dict['rep_msg_type']
 
-        expected_cname = kdc_exchange_dict['expected_cname']
+        expected_anon = kdc_exchange_dict['expected_anon']
         expected_srealm = kdc_exchange_dict['expected_srealm']
         expected_sname = kdc_exchange_dict['expected_sname']
         expected_error_mode = kdc_exchange_dict['expected_error_mode']
@@ -2203,7 +2200,10 @@ class RawKerberosTest(TestCaseInTempDir):
         # error-code checked above
         if self.strict_checking:
             self.assertElementMissing(rep, 'crealm')
-            if expected_cname['name-type'] == NT_WELLKNOWN and not inner:
+            if expected_anon and not inner:
+                expected_cname = self.PrincipalName_create(
+                    name_type=NT_WELLKNOWN,
+                    names=['WELLKNOWN', 'ANONYMOUS'])
                 self.assertElementEqualPrincipal(rep, 'cname', expected_cname)
             else:
                 self.assertElementMissing(rep, 'cname')
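Review bot: The WELLKNOWN/ANONYMOUS principal is built here a second time, with the same `PrincipalName_create(name_type=NT_WELLKNOWN, names=['WELLKNOWN', 'ANONYMOUS'])` call that the reply-check hunk at `@@ -1888,6 +1882,12 @@` adds. A small helper on the test case would keep the two anonymity checks from drifting apart, so that each site reads `expected_cname = self.get_anon_cname()` (the helper name is a suggestion, not an existing method). The enclosing method starts outside this hunk.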