From: Joseph Sutton Date: Wed, 29 Dec 2021 04:35:09 +0000 (+1300) Subject: tests/krb5: Add AS-REQ PAC tests X-Git-Tag: tdb-1.4.6~79 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=775bfc72509bf98f3c637ca22cc5edf0e7fae794;p=thirdparty%2Fsamba.git tests/krb5: Add AS-REQ PAC tests Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher --- diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index e8cdf152655..7e69d6c83df 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py 
@@ -113,6 +113,84 @@ class FAST_Tests(KDCBaseTest): } ], client_account=self.AccountType.COMPUTER) + def test_simple_as_req_self_no_auth_data(self): + self._run_test_sequence( + [ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': False, + 'as_req_self': True + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_padata_fn': self.generate_enc_timestamp_padata, + 'as_req_self': True, + 'expect_pac': True + } + ], + client_account=self.AccountType.COMPUTER, + client_opts={'no_auth_data_required': True}) + + def test_simple_as_req_self_pac_request_false(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': False, + 'as_req_self': True + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_padata_fn': self.generate_enc_timestamp_padata, + 'as_req_self': True, + 'pac_request': False, + 'expect_pac': False + } + ], client_account=self.AccountType.COMPUTER) + + def test_simple_as_req_self_pac_request_none(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': False, + 'as_req_self': True + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_padata_fn': self.generate_enc_timestamp_padata, + 'as_req_self': True, + 'pac_request': None, + 'expect_pac': True + } + ], client_account=self.AccountType.COMPUTER) + + def test_simple_as_req_self_pac_request_true(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': False, + 'as_req_self': True + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_padata_fn': self.generate_enc_timestamp_padata, + 'as_req_self': True, + 'pac_request': True, + 'expect_pac': True + } + ], client_account=self.AccountType.COMPUTER) + def 
test_simple_tgs(self): self._run_test_sequence([ { @@ -1381,14 +1459,16 @@ class FAST_Tests(KDCBaseTest): return fast_padata def _run_test_sequence(self, test_sequence, - client_account=KDCBaseTest.AccountType.USER): + client_account=KDCBaseTest.AccountType.USER, + client_opts=None): if self.strict_checking: self.check_kdc_fast_support() kdc_options_default = str(krb5_asn1.KDCOptions('forwardable,' 'canonicalize')) - client_creds = self.get_cached_creds(account_type=client_account) + client_creds = self.get_cached_creds(account_type=client_account, + opts=client_opts) target_creds = self.get_service_creds() krbtgt_creds = self.get_krbtgt_creds() @@ -1564,6 +1644,9 @@ class FAST_Tests(KDCBaseTest): padata): return list(padata), req_body + pac_request = kdc_dict.pop('pac_request', None) + expect_pac = kdc_dict.pop('expect_pac', True) + pac_options = kdc_dict.pop('pac_options', '1') # claims support kdc_options = kdc_dict.pop('kdc_options', kdc_options_default) @@ -1666,7 +1749,8 @@ class FAST_Tests(KDCBaseTest): kdc_options=kdc_options, inner_req=inner_req, outer_req=outer_req, - pac_request=True, + expect_pac=expect_pac, + pac_request=pac_request, pac_options=pac_options, fast_ap_options=fast_ap_options, strict_edata_checking=strict_edata_checking, @@ -1702,7 +1786,8 @@ class FAST_Tests(KDCBaseTest): kdc_options=kdc_options, inner_req=inner_req, outer_req=outer_req, - pac_request=None, + expect_pac=expect_pac, + pac_request=pac_request, pac_options=pac_options, fast_ap_options=fast_ap_options, strict_edata_checking=strict_edata_checking, @@ -1724,6 +1809,14 @@ class FAST_Tests(KDCBaseTest): fast_cookie = None preauth_etype_info2 = None + + # Check whether the ticket contains a PAC. + ticket = kdc_exchange_dict['rep_ticket_creds'] + pac = self.get_ticket_pac(ticket, expect_pac=expect_pac) + if expect_pac: + self.assertIsNotNone(pac) + else: + self.assertIsNone(pac) else: self.check_error_rep(rep, expected_error_mode) 
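Review bot: The four new `test_simple_as_req_self_*` methods in the first hunk repeat the same two-step sequence (KDC_ERR_PREAUTH_REQUIRED, then an encrypted-timestamp AS-REQ to self) and differ only in `pac_request`, `expect_pac` and `client_opts`; the first one also formats the call differently from its three siblings (`self._run_test_sequence(` with the list on its own line). A small keyword-only helper would keep the shared sequence in one place, so the no-auth-data case becomes `self._run_as_req_self_test(expect_pac=True, client_opts={'no_auth_data_required': True})` and the next PAC variant is a one-line addition. The `'pac_request': None` case is equivalent to omitting the key, given `kdc_dict.pop('pac_request', None)` in the later hunk, so a `pac_request=None` default in the helper preserves all four cases.
```python
def _run_as_req_self_test(self, *, pac_request=None, expect_pac=True,
                          client_opts=None):
    # Shared by the AS-REQ-to-self PAC tests: first the pre-auth
    # error, then the authenticated request whose ticket is checked
    # for the presence or absence of a PAC.
    self._run_test_sequence([
        {
            'rep_type': KRB_AS_REP,
            'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
            'use_fast': False,
            'as_req_self': True
        },
        {
            'rep_type': KRB_AS_REP,
            'expected_error_mode': 0,
            'use_fast': False,
            'gen_padata_fn': self.generate_enc_timestamp_padata,
            'as_req_self': True,
            'pac_request': pac_request,
            'expect_pac': expect_pac
        }
    ], client_account=self.AccountType.COMPUTER, client_opts=client_opts)

def test_simple_as_req_self_no_auth_data(self):
    self._run_as_req_self_test(expect_pac=True,
                               client_opts={'no_auth_data_required': True})

def test_simple_as_req_self_pac_request_false(self):
    self._run_as_req_self_test(pac_request=False, expect_pac=False)

def test_simple_as_req_self_pac_request_none(self):
    self._run_as_req_self_test(pac_request=None, expect_pac=True)

def test_simple_as_req_self_pac_request_true(self):
    self._run_as_req_self_test(pac_request=True, expect_pac=True)
```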
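Review bot: The new `pac_request = kdc_dict.pop('pac_request', None)` silently changes the default for every existing AS-REQ case in this file: the removed line in the AS branch passed `pac_request=True` (an explicit PA-PAC-REQUEST padata), the TGS branch passed `None`, and both now fall back to `None` unless a test sets the key. The existing tests will keep passing because `expect_pac` defaults to True and the `pac_request_none` case shows the KDC returns a PAC without the padata, but the unarmored and FAST AS-REQ tests no longer exercise the KDC's handling of an explicit PA-PAC-REQUEST. If that was not intended, keep the old per-branch default, e.g. `pac_request = kdc_dict.pop('pac_request', True if rep_type == KRB_AS_REP else None)` if `rep_type` is already popped at that point, or otherwise default it separately in the two `_generic_kdc_exchange` call sites. A one-line comment such as `# None sends no PA-PAC-REQUEST; True/False send an explicit one` above the pop would also document the tri-state, which is not obvious from the name. `_run_test_sequence` begins and ends outside these hunks.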
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 961b1cb19c3..25fba9d46f7 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -52,6 +52,7 @@ ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_realm.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_till.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_unknown_critical_option.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_pac_request_false ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_enc_pa_rep.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_enc_pa_rep.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_unarmored_as_req.ad_dc diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 3fa30d1b54c..0bef057b3b5 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -353,6 +353,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_session_key.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_enc_pa_rep.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_no_auth_data.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_enc_pa_rep.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc
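Review bot: The entry added to selftest/knownfail_heimdal_kdc is the only line in that hunk without the `.ad_dc` environment suffix, so as a start-anchored regex it marks `test_simple_as_req_self_pac_request_false` as a known failure in every environment the test runs in, whereas its neighbours are scoped to ad_dc. If the Heimdal KDC only fails this case on ad_dc, the line should read `^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_pac_request_false.ad_dc`; if the wider match is deliberate, a short comment saying so would stop the next reader from "fixing" it. The matching entry in selftest/knownfail_mit_kdc does carry the suffix.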