From: Joseph Sutton
Date: Wed, 8 Dec 2021 22:56:55 +0000 (+1300)
Subject: tests/krb5: Add tests for PAC buffer alignment
X-Git-Tag: tdb-1.4.6~291
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7dfcbc4e381080b3e3e1777134aecef5522d1f01;p=thirdparty%2Fsamba.git
tests/krb5: Add tests for PAC buffer alignment
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/krb5/pac_align_tests.py b/python/samba/tests/krb5/pac_align_tests.py
new file mode 100755
index 00000000000..ff8b608dde1
--- /dev/null
+++ b/python/samba/tests/krb5/pac_align_tests.py
@@ -0,0 +1,93 @@
+#!/usr/bin/env python3
+# Unix SMB/CIFS implementation.
+# Copyright (C) Stefan Metzmacher 2020
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+import sys
+import os
+
+from samba.dcerpc import krb5pac
+from samba.ndr import ndr_unpack
+from samba.tests import DynamicTestCase
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
+
+sys.path.insert(0, 'bin/python')
+os.environ['PYTHONUNBUFFERED'] = '1'
+
+global_asn1_print = False
+global_hexdump = False
+
+
+@DynamicTestCase
+class PacAlignTests(KDCBaseTest):
+
+ base_name = 'krbpac'
+
+ @classmethod
+ def setUpDynamicTestCases(cls):
+ for length in range(len(cls.base_name), 21):
+ cls.generate_dynamic_test('test_pac_align',
+ f'{length}_chars',
+ length)
+
+ def setUp(self):
+ super().setUp()
+ self.do_asn1_print = global_asn1_print
+ self.do_hexdump = global_hexdump
+
+ def _test_pac_align_with_args(self, length):
+ samdb = self.get_samdb()
+
+ account_name = self.base_name + 'a' * (length - len(self.base_name))
+ creds, _ = self.create_account(samdb, account_name)
+
+ tgt = self.get_tgt(creds, expect_pac=True)
+
+ pac_data = self.get_ticket_pac(tgt)
+ self.assertIsNotNone(pac_data)
+
+ self.assertEqual(0, len(pac_data) & 7)
+
+ pac = ndr_unpack(krb5pac.PAC_DATA_RAW, pac_data)
+ for pac_buffer in pac.buffers:
+ buffer_type = pac_buffer.type
+ buffer_size = pac_buffer.ndr_size
+
+ with self.subTest(buffer_type=buffer_type):
+ if buffer_type == krb5pac.PAC_TYPE_LOGON_NAME:
+ self.assertEqual(length * 2 + 10, buffer_size)
+ elif buffer_type == krb5pac.PAC_TYPE_REQUESTER_SID:
+ self.assertEqual(28, buffer_size)
+ elif buffer_type in {krb5pac.PAC_TYPE_SRV_CHECKSUM,
+ krb5pac.PAC_TYPE_KDC_CHECKSUM,
+ krb5pac.PAC_TYPE_TICKET_CHECKSUM}:
+ self.assertEqual(0, buffer_size & 3,
+ f'buffer type was: {buffer_type}, '
+ f'buffer size was: {buffer_size}')
+ else:
+ self.assertEqual(0, buffer_size & 7,
+ f'buffer type was: {buffer_type}, '
+ f'buffer size was: {buffer_size}')
+
+ rounded_len = (buffer_size + 7) & ~7
+ self.assertEqual(rounded_len, len(pac_buffer.info.remaining))
+
+
+if __name__ == '__main__':
+ global_asn1_print = False
+ global_hexdump = False
+ import unittest
+ unittest.main()
diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
index cf66e0afe71..4b12bc29652 100644
--- a/python/samba/tests/usage.py
+++ b/python/samba/tests/usage.py
@@ -109,6 +109,7 @@ EXCLUDE_USAGE = {
 'python/samba/tests/krb5/alias_tests.py',
 'python/samba/tests/krb5/test_min_domain_uid.py',
 'python/samba/tests/krb5/test_idmap_nss.py',
+ 'python/samba/tests/krb5/pac_align_tests.py',
 }
 EXCLUDE_HELP = {
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 79c1219e2d5..b4306940bec 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
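Review bot: In `_test_pac_align_with_args` (pac_align_tests.py), the final assertion pins only the length of `pac_buffer.info.remaining` to the 8-byte-rounded size and never looks at the padding bytes between `buffer_size` and `rounded_len`, so a KDC that pads a buffer with non-zero data (stale memory, for instance) would still pass. If zero padding is the intended contract, add `self.assertEqual(bytes(rounded_len - buffer_size), pac_buffer.info.remaining[buffer_size:])` right after it; this assumes `remaining` is a bytes object, which the hunk does not show. The exact sizes `length * 2 + 10` and `28` also deserve a comment on where they come from, e.g. `# 8-byte ClientId + 2-byte NameLength + UTF-16 name` and `# SID with five sub-authorities`; I am inferring both from the PAC layout, so confirm them before committing.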
@@ -548,3 +548,17 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_sid_mismatch_nonexisting
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_nonexisting
+#
+# PAC alignment tests
+#
+^samba.tests.krb5.pac_align_tests.samba.tests.krb5.pac_align_tests.PacAlignTests.test_pac_align_7_chars
+^samba.tests.krb5.pac_align_tests.samba.tests.krb5.pac_align_tests.PacAlignTests.test_pac_align_8_chars
+^samba.tests.krb5.pac_align_tests.samba.tests.krb5.pac_align_tests.PacAlignTests.test_pac_align_9_chars
+^samba.tests.krb5.pac_align_tests.samba.tests.krb5.pac_align_tests.PacAlignTests.test_pac_align_11_chars
+^samba.tests.krb5.pac_align_tests.samba.tests.krb5.pac_align_tests.PacAlignTests.test_pac_align_12_chars
+^samba.tests.krb5.pac_align_tests.samba.tests.krb5.pac_align_tests.PacAlignTests.test_pac_align_13_chars
+^samba.tests.krb5.pac_align_tests.samba.tests.krb5.pac_align_tests.PacAlignTests.test_pac_align_15_chars
+^samba.tests.krb5.pac_align_tests.samba.tests.krb5.pac_align_tests.PacAlignTests.test_pac_align_16_chars
+^samba.tests.krb5.pac_align_tests.samba.tests.krb5.pac_align_tests.PacAlignTests.test_pac_align_17_chars
+^samba.tests.krb5.pac_align_tests.samba.tests.krb5.pac_align_tests.PacAlignTests.test_pac_align_19_chars
+^samba.tests.krb5.pac_align_tests.samba.tests.krb5.pac_align_tests.PacAlignTests.test_pac_align_20_chars
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index b1ed661b784..ca6a0ae9a03 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
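Review bot: The block added to selftest/knownfail_mit_kdc is headed only by `# PAC alignment tests`, with no reason or tracking reference for why these cases fail against the MIT KDC. The new test generates lengths 6 through 20 and eleven of them are listed here, so only 6, 10, 14 and 18 are expected to pass; that pattern suggests (I have not verified this) that the MIT build sizes or pads some PAC buffer differently from what the test expects. A header such as `# MIT KDC: PAC buffer sizes/padding differ from the expected alignment (bug: <BUG-ID-PLACEHOLDER>)` would stop these entries from becoming permanent, unexplained exceptions to a security-relevant check.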
@@ -1768,6 +1768,19 @@ planpythontestsuite(
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
 'CHECK_CNAME': check_cname
 })
+planoldpythontestsuite(
+ 'ad_dc',
+ 'samba.tests.krb5.pac_align_tests',
+ environ={
+ 'ADMIN_USERNAME': '$DC_USERNAME',
+ 'ADMIN_PASSWORD': '$DC_PASSWORD',
+ 'STRICT_CHECKING': '0',
+ 'FAST_SUPPORT': have_fast_support,
+ 'TKT_SIG_SUPPORT': tkt_sig_support,
+ 'EXPECT_PAC': expect_pac,
+ 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
+ 'CHECK_CNAME': check_cname
+ })
 for env in [
 'vampire_dc',