From: Joseph Sutton
Date: Wed, 15 Mar 2023 22:25:24 +0000 (+1300)
Subject: tests/krb5: Test that denied attributes are still issued in claims
X-Git-Tag: talloc-2.4.1~1387
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5c8fbeb61e6e5ce99a5b000bfe37a74ff456d449;p=thirdparty%2Fsamba.git
tests/krb5: Test that denied attributes are still issued in claims
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/krb5/claims_tests.py b/python/samba/tests/krb5/claims_tests.py
index 573f928cd02..5cdd1f4a361 100755
--- a/python/samba/tests/krb5/claims_tests.py
+++ b/python/samba/tests/krb5/claims_tests.py
@@ -27,6 +27,7 @@ import re
import ldb
from samba.dcerpc import claims, krb5pac, security
+from samba.ndr import ndr_pack
from samba.tests import DynamicTestCase, env_get_var_value
from samba.tests.krb5 import kcrypto
@@ -132,6 +133,7 @@ class ClaimsTests(KDCBaseTest):
details = {}
mod_msg = ldb.Message()
+ security_desc = None
for claim in all_claims:
# Make a copy to avoid modifying the original.
@@ -176,6 +178,22 @@ class ClaimsTests(KDCBaseTest):
'conflicting values set for attribute') details[attribute] = transformed_values + readable = claim.pop('readable', True) + if not readable: + if security_desc is None: + security_desc = security.descriptor() + + # Deny all read property access to the attribute. + ace = security.ace() + ace.type = security.SEC_ACE_TYPE_ACCESS_DENIED_OBJECT + ace.access_mask = security.SEC_ADS_READ_PROP + ace.trustee = security.dom_sid(security.SID_WORLD) + ace.object.flags |= security.SEC_ACE_OBJECT_TYPE_PRESENT + ace.object.type = self.get_schema_id_guid_from_attribute( attribute) + security_desc.dacl_add(ace) + if expected_values is None: expected_values = values
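Review bot: The ACE construction inside the `if not readable:` branch of the claim loop is a self-contained unit that would read better as a small helper, e.g. `self._deny_read_property_ace(attribute)` returning the configured `security.ace()`, leaving the loop with only the lazy `security.descriptor()` creation and the `dacl_add` call. The comment `# Deny all read property access to the attribute.` slightly overstates the scope, since the ACE is bound to one attribute's schemaIDGUID via `SEC_ACE_OBJECT_TYPE_PRESENT`; `# Deny Everyone read-property access to this attribute only.` is more precise. The descriptor ends up with deny ACEs only and no owner or group, which is fine for the claim assertion but worth a note if other reads of the created object in this test depend on it (presumably the server merges inherited ACEs on Add — confirm). The enclosing method starts outside the hunk.

```python
            readable = claim.pop('readable', True)
            if not readable:
                if security_desc is None:
                    security_desc = security.descriptor()
                security_desc.dacl_add(
                    self._deny_read_property_ace(attribute))

            # … unchanged: expected_values handling and the rest of the loop …

    def _deny_read_property_ace(self, attribute):
        """Return an object ACE denying Everyone SEC_ADS_READ_PROP on *attribute*.

        The ACE is bound to the attribute's schemaIDGUID, so it applies to
        that one property rather than to the whole object.
        """
        ace = security.ace()
        ace.type = security.SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
        ace.access_mask = security.SEC_ADS_READ_PROP
        ace.trustee = security.dom_sid(security.SID_WORLD)
        ace.object.flags |= security.SEC_ACE_OBJECT_TYPE_PRESENT
        ace.object.type = self.get_schema_id_guid_from_attribute(attribute)
        return ace
```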
@@ -202,6 +220,10 @@ class ClaimsTests(KDCBaseTest):
self.create_claim(claim_id, **claim) + if security_desc is not None: + self.assertNotIn('nTSecurityDescriptor', details) + details['nTSecurityDescriptor'] = ndr_pack(security_desc) + return details, mod_msg, expected_claims, unexpected_claims def modify_pac_remove_client_claims(self, pac):
@@ -863,6 +885,26 @@ class ClaimsTests(KDCBaseTest):
'class': 'user', 'pac-options:claims-support': False, }, + { + 'name': 'deny RP', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ('foo',), + # Deny read access to the attribute. It still shows up in + # the claim. + 'readable': False, 'expected': True, }, ], 'class': 'user', }, { # Note: The order of these DNs may differ on Windows. 'name': 'dn string syntax',
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index fd7ab468ce1..53bec3f17fd 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
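Review bot: The `deny RP` test case asserts `'expected': True` for the denied attribute, yet the same commit adds `test_claims_deny_RP` and `test_claims_deny_RP_to_self` to both `selftest/knownfail_heimdal_kdc` and `selftest/knownfail_mit_kdc`, so the case currently documents the intended behaviour rather than the observed one; a one-line comment in the case such as `# Known failure until the KDC issues claims for denied attributes; see selftest/knownfail_*_kdc.` would save the next reader a search. The `'readable'` key is consumed by `claim.pop('readable', True)` in the claim loop and never reaches `create_claim`, unlike the other keys in the dict, which is worth saying next to `'readable': False`. The enclosing test-case list starts and ends outside the hunk.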
@@ -77,6 +77,8 @@
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid__to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid_.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 72e3ac992bb..3ce97bf3f2f 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -481,6 +481,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid_.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid__to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_deny_RP_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid_.ad_dc