From: Joseph Sutton Date: Thu, 24 Aug 2023 02:11:45 +0000 (+1200) Subject: tests/krb5: Move KDC TGT tests to new file X-Git-Tag: tevent-0.16.0~761 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1def8f04f34f26529f73f4bbf8b0d077ed0e233a;p=thirdparty%2Fsamba.git tests/krb5: Move KDC TGT tests to new file We can now rely on having MIT Kerberos 1.20 available. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py
index 869e8b7caff..edf19798766 100755
--- a/python/samba/tests/krb5/compatability_tests.py
+++ b/python/samba/tests/krb5/compatability_tests.py
@@ -120,54 +120,6 @@ class CompatabilityTests(KDCBaseTest): self.fail( "(Heimdal) Salt populated for ARCFOUR_HMAC_MD5 encryption") - # This tests also passes again Samba AD built with MIT Kerberos 1.20 which - # is not released yet. - # - # FIXME: Should be moved to to a new kdc_tgt_tests.py once MIT KRB5 1.20 - # is released. - def test_ticket_signature(self): - # Ensure that a DC correctly issues tickets signed with its krbtgt key. - user_creds = self.get_client_creds() - target_creds = self.get_service_creds() - - krbtgt_creds = self.get_krbtgt_creds() - key = self.TicketDecryptionKey_from_creds(krbtgt_creds) - - # Get a TGT from the DC. - tgt = self.get_tgt(user_creds) - - # Ensure the PAC contains the expected checksums. - self.verify_ticket(tgt, key, service_ticket=False) - - # Get a service ticket from the DC. - service_ticket = self.get_service_ticket(tgt, target_creds) - - # Ensure the PAC contains the expected checksums. - self.verify_ticket(service_ticket, key, service_ticket=True, - expect_ticket_checksum=True) - - def test_full_signature(self): - # Ensure that a DC correctly issues tickets signed with its krbtgt key. - user_creds = self.get_client_creds() - target_creds = self.get_service_creds() - - krbtgt_creds = self.get_krbtgt_creds() - key = self.TicketDecryptionKey_from_creds(krbtgt_creds) - - # Get a TGT from the DC. - tgt = self.get_tgt(user_creds) - - # Ensure the PAC contains the expected checksums. - self.verify_ticket(tgt, key, service_ticket=False) - - # Get a service ticket from the DC. - service_ticket = self.get_service_ticket(tgt, target_creds) - - # Ensure the PAC contains the expected checksums. - self.verify_ticket(service_ticket, key, service_ticket=True, - expect_ticket_checksum=True, - expect_full_checksum=True) - def as_pre_auth_req(self, creds, etypes): user = creds.get_username() realm = creds.get_realm() 
diff --git a/python/samba/tests/krb5/kdc_tgt_tests.py b/python/samba/tests/krb5/kdc_tgt_tests.py
new file mode 100755
index 00000000000..5a52a95f0ea
--- /dev/null
+++ b/python/samba/tests/krb5/kdc_tgt_tests.py
@@ -0,0 +1,86 @@
+#!/usr/bin/env python3
+# Unix SMB/CIFS implementation.
+# Copyright (C) Stefan Metzmacher 2020
+# Copyright (C) 2020 Catalyst.Net Ltd
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+import sys
+import os
+
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
+
+global_asn1_print = False
+global_hexdump = False
+
+
+class KdcTgtTests(KDCBaseTest):
+ def setUp(self):
+ super().setUp()
+ self.do_asn1_print = global_asn1_print
+ self.do_hexdump = global_hexdump
+
+ def test_ticket_signature(self):
+ # Ensure that a DC correctly issues tickets signed with its krbtgt key.
+ user_creds = self.get_client_creds()
+ target_creds = self.get_service_creds()
+
+ krbtgt_creds = self.get_krbtgt_creds()
+ key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
+
+ # Get a TGT from the DC.
+ tgt = self.get_tgt(user_creds)
+
+ # Ensure the PAC contains the expected checksums.
+ self.verify_ticket(tgt, key, service_ticket=False)
+
+ # Get a service ticket from the DC.
+ service_ticket = self.get_service_ticket(tgt, target_creds)
+
+ # Ensure the PAC contains the expected checksums.
+ self.verify_ticket(service_ticket, key, service_ticket=True,
+ expect_ticket_checksum=True)
+
+ def test_full_signature(self):
+ # Ensure that a DC correctly issues tickets signed with its krbtgt key.
+ user_creds = self.get_client_creds()
+ target_creds = self.get_service_creds()
+
+ krbtgt_creds = self.get_krbtgt_creds()
+ key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
+
+ # Get a TGT from the DC.
+ tgt = self.get_tgt(user_creds)
+
+ # Ensure the PAC contains the expected checksums.
+ self.verify_ticket(tgt, key, service_ticket=False)
+
+ # Get a service ticket from the DC.
+ service_ticket = self.get_service_ticket(tgt, target_creds)
+
+ # Ensure the PAC contains the expected checksums.
+ self.verify_ticket(service_ticket, key, service_ticket=True,
+ expect_ticket_checksum=True,
+ expect_full_checksum=True)
+
+
+if __name__ == "__main__":
+ global_asn1_print = False
+ global_hexdump = False
+ import unittest
+ unittest.main()
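Review bot: In the new kdc_tgt_tests.py, `test_full_signature` opens with the same comment as `test_ticket_signature`, so nothing tells a reader that it is the test asserting the full PAC checksum (`expect_full_checksum=True`); I would reword its first comment to something like `# Ensure that service tickets issued by the DC also carry the full PAC checksum.`. The two bodies are identical up to the final `verify_ticket` call, so a private helper taking the `expect_*` flags would stop them drifting apart. Separately, no hunk visible on this page adds the new module to the selftest list. If that registration is not part of the commit, these krbtgt-signature checks would silently stop running, which is worth confirming because they appear to be the regression coverage for PAC checksum handling.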