python:tests: Add support for unexpected groups in krb5 tests
authorAndreas Schneider <asn@samba.org>
Fri, 21 Jan 2022 09:19:20 +0000 (10:19 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Wed, 13 Apr 2022 12:59:30 +0000 (12:59 +0000)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
python/samba/tests/krb5/raw_testcase.py
python/samba/tests/krb5/s4u_tests.py

index b5682ff7815ec147e85acb09b8d64b8e9003e4b8..7f9d9d1764011b6ce5ef4aea14c0a23b7790fa40 100644 (file)
@@ -2050,6 +2050,7 @@ class RawKerberosTest(TestCaseInTempDir):
                          expected_sname=None,
                          expected_account_name=None,
                          expected_groups=None,
+                         unexpected_groups=None,
                          expected_upn_name=None,
                          expected_sid=None,
                          expected_supported_etypes=None,
@@ -2111,6 +2112,7 @@ class RawKerberosTest(TestCaseInTempDir):
             'expected_sname': expected_sname,
             'expected_account_name': expected_account_name,
             'expected_groups': expected_groups,
+            'unexpected_groups': unexpected_groups,
             'expected_upn_name': expected_upn_name,
             'expected_sid': expected_sid,
             'expected_supported_etypes': expected_supported_etypes,
@@ -2168,6 +2170,7 @@ class RawKerberosTest(TestCaseInTempDir):
                           expected_sname=None,
                           expected_account_name=None,
                           expected_groups=None,
+                          unexpected_groups=None,
                           expected_upn_name=None,
                           expected_sid=None,
                           expected_supported_etypes=None,
@@ -2230,6 +2233,7 @@ class RawKerberosTest(TestCaseInTempDir):
             'expected_sname': expected_sname,
             'expected_account_name': expected_account_name,
             'expected_groups': expected_groups,
+            'unexpected_groups': unexpected_groups,
             'expected_upn_name': expected_upn_name,
             'expected_sid': expected_sid,
             'expected_supported_etypes': expected_supported_etypes,
@@ -2805,6 +2809,7 @@ class RawKerberosTest(TestCaseInTempDir):
 
         expected_account_name = kdc_exchange_dict['expected_account_name']
         expected_groups = kdc_exchange_dict['expected_groups']
+        unexpected_groups = kdc_exchange_dict['unexpected_groups']
         expected_sid = kdc_exchange_dict['expected_sid']
 
         expect_upn_dns_info_ex = kdc_exchange_dict['expect_upn_dns_info_ex']
@@ -2862,6 +2867,16 @@ class RawKerberosTest(TestCaseInTempDir):
                                 match_count += 1
                     self.assertEqual(match_count, len(expected_groups))
 
+                if unexpected_groups is not None:
+                    match_count = 0
+
+                    for g in unexpected_groups:
+                        self.assertIsNotNone(info3.sids)
+                        for sid_attr in info3.sids:
+                            if g == str(sid_attr.sid):
+                                match_count += 1
+                    self.assertEqual(match_count, 0)
+
             elif pac_buffer.type == krb5pac.PAC_TYPE_UPN_DNS_INFO:
                 upn_dns_info = pac_buffer.info
                 upn_dns_info_ex = upn_dns_info.ex
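Review bot: The `unexpected_groups` block inspects only `info3.sids`, so a group carried in any other membership field of the logon info would not be seen, and the negative assertion would pass without proving the group is absent from the PAC. This is inferred from the visible lines, since the rest of the function lies outside the hunk. Separately, `self.assertIsNotNone(info3.sids)` fails the test when the PAC has no extra SIDs at all, a case in which the unexpected group is trivially absent. Building the set once with `present = {str(s.sid) for s in info3.sids or []}` and calling `self.assertNotIn(g, present)` in the loop would cover that case and name the offending SID in the failure message instead of a bare count.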
@@ -3964,6 +3979,7 @@ class RawKerberosTest(TestCaseInTempDir):
                           renew_time=None,
                           expected_account_name=None,
                           expected_groups=None,
+                          unexpected_groups=None,
                           expected_upn_name=None,
                           expected_sid=None,
                           expected_flags=None,
@@ -4005,6 +4021,7 @@ class RawKerberosTest(TestCaseInTempDir):
             expected_sname=expected_sname,
             expected_account_name=expected_account_name,
             expected_groups=expected_groups,
+            unexpected_groups=unexpected_groups,
             expected_upn_name=expected_upn_name,
             expected_sid=expected_sid,
             expected_supported_etypes=expected_supported_etypes,
index d2d9566b9204f93e825b660608dfcf18a57af04c..81fbf31836fca0e07ed35d673fb74af689ae375f 100755 (executable)
@@ -284,6 +284,7 @@ class S4UKerberosTests(KDCBaseTest):
 
         expect_edata = kdc_dict.pop('expect_edata', None)
         expected_groups = kdc_dict.pop('expected_groups', None)
+        unexpected_groups = kdc_dict.pop('unexpected_groups', None)
 
         def generate_s4u2self_padata(_kdc_exchange_dict,
                                      _callback_dict,
@@ -302,7 +303,7 @@ class S4UKerberosTests(KDCBaseTest):
             expected_srealm=realm,
             expected_sname=service_sname,
             expected_account_name=client_name,
-            expected_groups=expected_groups,
+            unexpected_groups=unexpected_groups,
             expected_sid=sid,
             expected_flags=expected_flags,
             unexpected_flags=unexpected_flags,
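Review bot: In this call `expected_groups=expected_groups,` is replaced rather than kept beside the new `unexpected_groups=unexpected_groups,`, so the S4U2Self path no longer forwards expected groups to the exchange. Any test case that sets `expected_groups` in its `kdc_dict` would then stop asserting group membership without failing. `expected_groups` is still popped from `kdc_dict` in the previous hunk, and the later call at `-659` in this file passes both keywords, which suggests the removal is unintended. Keep both lines: `expected_groups=expected_groups,` followed by `unexpected_groups=unexpected_groups,`. The start of the call and the enclosing function are outside the hunk.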
@@ -573,6 +574,7 @@ class S4UKerberosTests(KDCBaseTest):
                 opts=service1_opts)
 
         expected_groups = kdc_dict.pop('expected_groups', None)
+        unexpected_groups = kdc_dict.pop('unexpected_groups', None)
 
         client_tkt_options = kdc_dict.pop('client_tkt_options', 'forwardable')
         expected_flags = krb5_asn1.TicketFlags(client_tkt_options)
@@ -659,6 +661,7 @@ class S4UKerberosTests(KDCBaseTest):
             expected_sname=service2_sname,
             expected_account_name=client_username,
             expected_groups=expected_groups,
+            unexpected_groups=unexpected_groups,
             expected_sid=sid,
             expected_supported_etypes=service2_etypes,
             ticket_decryption_key=service2_decryption_key,