From: Joseph Sutton
Date: Wed, 15 Mar 2023 22:18:49 +0000 (+1300)
Subject: tests/krb5: Test that claims are generated even if PAC-OPTIONS are not set
X-Git-Tag: talloc-2.4.1~1390
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a85d26fd741add9d9f2ea20fdbfb271ab0ceadea;p=thirdparty%2Fsamba.git
tests/krb5: Test that claims are generated even if PAC-OPTIONS are not set
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/krb5/claims_tests.py b/python/samba/tests/krb5/claims_tests.py
index 7c2c8370e3e..c308d8da01e 100755
--- a/python/samba/tests/krb5/claims_tests.py
+++ b/python/samba/tests/krb5/claims_tests.py
@@ -775,8 +775,14 @@ class ClaimsTests(KDCBaseTest):
 'additional_details': self.freeze(details),
 })
+ # Whether to specify claims support in PA-PAC-OPTIONS.
+ pac_options_claims = case.pop('pac-options:claims-support', None)
+
 self.assertFalse(case, 'unexpected parameters in testcase')
+ if pac_options_claims is None:
+ pac_options_claims = True
+
 if to_self:
 service_creds = self.get_service_creds()
 sname = self.PrincipalName_create(
@@ -788,10 +794,16 @@ class ClaimsTests(KDCBaseTest):
 sname = None
 ticket_etype = None
+ if pac_options_claims:
+ pac_options = '1' # claims support
+ else:
+ pac_options = '0' # no claims support
+
 self.get_tgt(creds, sname=sname,
 target_creds=service_creds,
 ticket_etype=ticket_etype,
+ pac_options=pac_options,
 expect_pac=True,
 expect_client_claims=True,
 expected_client_claims=expected_claims or None,
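Review bot: The default for `pac_options_claims` is resolved in a second step after the pop, which leaves a `None` state that nothing between the two lines uses; `pac_options_claims = case.pop('pac-options:claims-support', True)` gives the same result in one line and lets the `is None` branch go. The ordering is otherwise right: the key is popped before `self.assertFalse(case, 'unexpected parameters in testcase')`, so a case that sets it still passes the unexpected-parameters check. The same two-step form appears in the -1515/-1561 hunks. The enclosing method starts before this hunk.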
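Review bot: The `'1'`/`'0'` mapping for `pac_options` is written out as a four-line if/else here and again verbatim in the -1673 hunk; a conditional expression, `pac_options = '1' if pac_options_claims else '0'  # PA-PAC-OPTIONS claims bit`, keeps both sites to one line with one comment. The value goes through the new `pac_options=` keyword of `get_tgt` while the call still asserts `expect_client_claims=True`, so a one-line comment above the call saying that the claims expectation is deliberately independent of the advertised bit would save the next reader a trip to the commit message. The `get_tgt` call continues past the end of the hunk.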
@@ -829,6 +841,26 @@ class ClaimsTests(KDCBaseTest):
 ],
 'class': 'user',
 },
+ {
+ 'name': 'no claims support in pac options',
+ 'claims': [
+ {
+ # 2.5.5.12
+ 'enabled': True,
+ 'attribute': 'carLicense',
+ 'single_valued': True,
+ 'source_type': 'AD',
+ 'for_classes': ['user'],
+ 'value_type': claims.CLAIM_TYPE_STRING,
+ 'values': ('foo',),
+ # We still get claims in the PAC even if we don't specify
+ # claims support in PA-PAC-OPTIONS.
+ 'expected': True,
+ },
+ ],
+ 'class': 'user',
+ 'pac-options:claims-support': False,
+ },
 {
 # Note: The order of these DNs may differ on Windows.
 'name': 'dn string syntax',
@@ -1515,6 +1547,9 @@ class ClaimsTests(KDCBaseTest):
 tgs_expected = case.pop('tgs:expected', None)
 tgs_device_expected = case.pop('tgs:device:expected', None)
+ # Whether to specify claims support in PA-PAC-OPTIONS.
+ pac_options_claims = case.pop('pac-options:claims-support', None)
+
 all_claims = case.pop('claims')
 # There should be no parameters remaining in the testcase.
@@ -1561,6 +1596,9 @@ class ClaimsTests(KDCBaseTest):
 'specified TGS-REQ reset user flags, but no '
 'accompanying machine SIDs provided')
+ if pac_options_claims is None:
+ pac_options_claims = True
+
 (details, mod_msg, expected_claims, unexpected_claims) = self.setup_claims(all_claims)
@@ -1673,7 +1711,10 @@ class ClaimsTests(KDCBaseTest):
 etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
 kdc_options = '0'
- pac_options = '1' # claims support
+ if pac_options_claims:
+ pac_options = '1' # claims support
+ else:
+ pac_options = '0' # no claims support
 requester_sid = None
 if tgs_to_krbtgt:
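Review bot: In the -1515 hunk `pac_options_claims` is popped but its default is applied only in the -1561 hunk, after the TGS-REQ validation block, so the variable holds `None` across code that does not read it. Using `case.pop('pac-options:claims-support', True)` at the pop would make the -1561 hunk unnecessary; if the two-step form is kept for symmetry with the neighbouring `case.pop(..., None)` lines, a comment on the pop such as `# Defaults to True (claims support advertised); resolved below.` tells the reader where the default is decided. The enclosing method starts before and ends after these hunks.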
@@ -1851,6 +1892,62 @@ class ClaimsTests(KDCBaseTest):
 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
 },
 },
+ {
+ # Make a TGS request containing claims to a service, but don't
+ # specify support for claims in PA-PAC-OPTIONS. We still expect the
+ # final PAC to contain claims.
+ 'test': 'device to service no claims support in pac options',
+ 'groups': {
+ 'foo': (GroupType.DOMAIN_LOCAL, {mach}),
+ 'bar': (GroupType.DOMAIN_LOCAL, {mach}),
+ },
+ 'claims': [
+ {
+ # 2.5.5.10
+ 'enabled': True,
+ 'attribute': 'middleName',
+ 'single_valued': True,
+ 'source_type': 'AD',
+ 'for_classes': ['computer'],
+ 'value_type': claims.CLAIM_TYPE_STRING,
+ 'values': ('foo',),
+ 'expected': True,
+ 'mod_values': ['bar'],
+ },
+ ],
+ 'as:expected': {
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ 'as:mach:expected': {
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ 'tgs:to_krbtgt': False,
+ # Claims are unsupported.
+ 'pac-options:claims-support': False,
+ 'tgs:expected': {
+ (security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY, SidType.EXTRA_SID, default_attrs),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ (security.SID_COMPOUNDED_AUTHENTICATION, SidType.EXTRA_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+ },
+ 'tgs:device:expected': {
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+ frozenset([
+ ('foo', SidType.RESOURCE_SID, resource_attrs),
+ ('bar', SidType.RESOURCE_SID, resource_attrs),
+ ]),
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
+ },
+ },
 ]
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 0f3ca5f0100..598a5e5574a 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -2285,6 +2285,7 @@ class KDCBaseTest(RawKerberosTest):
 unexpected_groups=None, pac_request=True, expect_pac=True, expect_pac_attrs=None, expect_pac_attrs_pac_request=None,
+ pac_options=None,
 expect_requester_sid=None,
 rc4_support=True,
 expect_edata=None,
@@ -2297,7 +2298,7 @@ class KDCBaseTest(RawKerberosTest):
 else:
 user_name = creds.get_username()
- cache_key = (user_name, to_rodc, kdc_options, pac_request,
+ cache_key = (user_name, to_rodc, kdc_options, pac_request, pac_options,
 client_name_type, ticket_etype, str(expected_flags), str(unexpected_flags),
@@ -2361,7 +2362,8 @@ class KDCBaseTest(RawKerberosTest):
 'renewable-ok')
 kdc_options = krb5_asn1.KDCOptions(kdc_options)
- pac_options = '1' # supports claims
+ if pac_options is None:
+ pac_options = '1' # supports claims
 rep, kdc_exchange_dict = self._test_as_exchange(
 cname=cname,
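Review bot: The comment `# Claims are unsupported.` above `'pac-options:claims-support': False` reads as if the KDC will not issue claims, while the case's own header comment and its `'tgs:expected'` set (which keeps `security.SID_CLAIMS_VALID`) say the opposite: only the PA-PAC-OPTIONS bit is cleared and claims are still expected. Suggest `# Don't advertise claims support in PA-PAC-OPTIONS; claims are still expected in the PAC.` so the two comments agree. The precision matters because the property under test is that the presence of claims in the PAC is decided by the KDC rather than by what the client advertises. The test-case list is cut at both ends of the hunk.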
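Review bot: The new `pac_options=None` parameter on `get_tgt` comes with no note on its format; from the -2361 hunk it is the PA-PAC-OPTIONS flag string the existing code already builds, with `'1'` meaning claims support, and `None` selects that previous default. A short comment beside the parameter, `# PA-PAC-OPTIONS flags as used by _test_as_exchange ('1' = claims support); None keeps the old default`, would let callers such as the new claims tests pass `'0'` without reading the body. The signature starts before this hunk.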
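Review bot: In the -2297 hunk `cache_key` includes `pac_options` before the `None` to `'1'` normalisation that the -2361 hunk performs, so a call with `pac_options=None` and one with `pac_options='1'` build identical AS-REQs but occupy two cache slots; moving `if pac_options is None: pac_options = '1'` above the `cache_key` tuple closes that gap. Keying the cache on the option at all is the important part and is correct: without it a cached TGT obtained with the claims bit set could be handed to a test that asked for it cleared, and the new test would pass for the wrong reason. `get_tgt` continues outside the hunk on both sides.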
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 37c66811d78..fd7ab468ce1 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -107,6 +107,8 @@
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class.ad_dc
@@ -141,6 +143,7 @@
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_support_in_pac_options.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_delete.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index fbcbc9c919c..72e3ac992bb 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -511,6 +511,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class.ad_dc
@@ -545,6 +547,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_support_in_pac_options.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_delete.ad_dc