From: Joseph Sutton Date: Wed, 25 Oct 2023 01:59:27 +0000 (+1300) Subject: tests/krb5: Add more tests of the device belonging to certain groups X-Git-Tag: talloc-2.4.2~1087 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=49dca84731b0e5f045caf7bc73be6f521e735555;p=thirdparty%2Fsamba.git tests/krb5: Add more tests of the device belonging to certain groups Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py
index 89ea8d4432e..c51319ebdfe 100755
--- a/python/samba/tests/krb5/conditional_ace_tests.py
+++ b/python/samba/tests/krb5/conditional_ace_tests.py
@@ -3450,6 +3450,19 @@ class DeviceRestrictionTests(ConditionalAceBaseTests):
 def test_device_in_authenticated_users(self):
 self._check_device_in_group(security.SID_NT_AUTHENTICATED_USERS)
+ def test_device_in_aa_asserted_identity(self):
+ self._check_device_in_group(
+ security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY)
+
+ def test_device_in_service_asserted_identity(self):
+ self._check_device_not_in_group(security.SID_SERVICE_ASSERTED_IDENTITY)
+
+ def test_device_in_compounded_authentication(self):
+ self._check_device_not_in_group(security.SID_COMPOUNDED_AUTHENTICATION)
+
+ def test_device_in_claims_valid(self):
+ self._check_device_in_group(security.SID_CLAIMS_VALID)
+
 def _check_device_in_group(self, group):
 self._check_device_membership(group, expect_in_group=True)
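Review bot: `test_device_in_service_asserted_identity` and `test_device_in_compounded_authentication` are named as membership tests but call `_check_device_not_in_group`, so a passing result reads as the opposite of what is actually asserted. Either rename them (for example `test_device_not_in_service_asserted_identity`, with the matching `knownfail_mit_kdc` patterns updated) or give each a one-line docstring such as `"""The device must not be treated as a member of this group."""`. The identical pair added to `TgsReqServicePolicyTests` in the next hunk has the same problem. A short comment stating why the device is expected to match `SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY` and `SID_CLAIMS_VALID` but not the other two SIDs would help whoever triages a failure in these access-control checks. Both class bodies start and end outside the hunks, so the helpers' exact semantics are not visible here.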
@@ -4444,6 +4457,19 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests):
 def test_device_in_authenticated_users(self):
 self._check_device_in_group(security.SID_NT_AUTHENTICATED_USERS)
+ def test_device_in_aa_asserted_identity(self):
+ self._check_device_in_group(
+ security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY)
+
+ def test_device_in_service_asserted_identity(self):
+ self._check_device_not_in_group(security.SID_SERVICE_ASSERTED_IDENTITY)
+
+ def test_device_in_compounded_authentication(self):
+ self._check_device_not_in_group(security.SID_COMPOUNDED_AUTHENTICATION)
+
+ def test_device_in_claims_valid(self):
+ self._check_device_in_group(security.SID_CLAIMS_VALID)
+
 def _check_device_in_group(self, group):
 self._check_device_membership(group, expect_in_group=True)
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 5c051723914..ac4beec9721 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -4064,8 +4064,12 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 # Conditional ACE device restrictions
 #
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_aa_asserted_identity\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_authenticated_users\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_claims_valid\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_compounded_authentication\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_network_group\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_service_asserted_identity\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_world_group\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_invalid\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_not_present\(ad_dc\)
@@ -4075,7 +4079,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_resource_groups_present_to_service_no_sid_compression\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_resource_groups_present_to_service_sid_compression\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_well_known_groups_not_present\(ad_dc\)
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_aa_asserted_identity\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_authenticated_users\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_claims_valid\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_compounded_authentication\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_network_group\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_service_asserted_identity\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_world_group\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_simple_as_req_client_and_target_policy\(ad_dc\)