From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Fri, 3 Mar 2023 00:10:14 +0000 (+1300)
Subject: tests/krb5: Test we get correct values for integer syntax claims
X-Git-Tag: talloc-2.4.1~1464
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5c744ff9f79aaa0576809b656cd973fc0c94f092;p=thirdparty%2Fsamba.git

tests/krb5: Test we get correct values for integer syntax claims

Windows erroneously shifts integer syntax claim values four bytes to the
right, resulting in incorrect values (if only one claim is present) or
corrupt claims data that cannot be unpacked (if other claims are
present). There's no reason to emulate such broken behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/python/samba/tests/krb5/claims_tests.py b/python/samba/tests/krb5/claims_tests.py
index 00a4363dfb8..8b3282c9e3a 100755
--- a/python/samba/tests/krb5/claims_tests.py
+++ b/python/samba/tests/krb5/claims_tests.py
@@ -855,6 +855,8 @@ class ClaimsTests(KDCBaseTest):
             'class': 'user',
         },
         {
+            # This test fails on Windows, which for an integer syntax claim
+            # issues corrupt data shifted four bytes to the right.
             'name': 'integer syntax',
             'claims': [
                 {
@@ -866,16 +868,30 @@ class ClaimsTests(KDCBaseTest):
                     'for_classes': ['user'],
                     'value_type': claims.CLAIM_TYPE_INT64,
                     'values': [3, 42, -999, 1000, 20000],
-                    'expected_values': [3 << 32,
-                                        42 << 32,
-                                        -999 << 32,
-                                        1000 << 32 | 0xffffffff,
-                                        20000 << 32],
                     'expected': True,
                 },
             ],
             'class': 'user',
         },
+        {
+            # This test fails on Windows, which for an integer syntax claim
+            # issues corrupt data that cannot be NDR unpacked.
+            'name': 'integer syntax, duplicate claim',
+            'claims': [
+                {
+                    # 2.5.5.9
+                    'enabled': True,
+                    'attribute': 'localeID',
+                    'single_valued': True,
+                    'source_type': 'AD',
+                    'for_classes': ['user'],
+                    'value_type': claims.CLAIM_TYPE_INT64,
+                    'values': [3, 42, -999, 1000, 20000],
+                    'expected': True,
+                },
+            ] * 2,  # Create two integer syntax claims.
+            'class': 'user',
+        },
         {
             'name': 'integer syntax, wrong value type',
             'claims': [
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 77576599d6e..5b943bf08e5 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -86,6 +86,8 @@
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_duplicate_claim.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_duplicate_claim_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type_to_self.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index c095e0b187f..e5f2d121f0b 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -490,6 +490,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_duplicate_claim.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_duplicate_claim_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type_to_self.ad_dc