From: Andreas Schneider
Date: Mon, 24 Jan 2022 12:03:36 +0000 (+0100)
Subject: s4:torture: let remote_pac test for asserted identity sids
X-Git-Tag: talloc-2.3.4~367
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6a2c3c38f2aef3a79da2fc154d1f19ec5efb2b0;p=thirdparty%2Fsamba.git
s4:torture: let remote_pac test for asserted identity sids
Pair-Programmed-With: Stefan Metzmacher
Signed-off-by: Andreas Schneider
Signed-off-by: Stefan Metzmacher
---
diff --git a/selftest/knownfail.d/rpc.pac b/selftest/knownfail.d/rpc.pac
new file mode 100644
index 00000000000..165f3d8316e
--- /dev/null
+++ b/selftest/knownfail.d/rpc.pac
@@ -0,0 +1,8 @@
+^samba4.rpc.pac.*ncacn_np.netr-bdc-arcfour.s4u2self-arcfour
+^samba4.rpc.pac.*ncacn_np.netr-bcd-aes.s4u2self-aes
+^samba4.rpc.pac.*ncacn_np.netr-mem-arcfour.s4u2self-arcfour
+^samba4.rpc.pac.*ncacn_np.netr-mem-aes.s4u2self-aes
+^samba4.blackbox.pkinit_pac.STEP1.remote.pac.verification
+^samba4.blackbox.pkinit_pac.netr-bcd-aes.s4u2self-aes
+^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2self-arcfour
+^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2self-aes
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 4744f48aba4..83c13243c08 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -739,6 +739,12 @@ static bool test_S4U2Self(struct torture_context *tctx,
 struct dom_sid *builtin_domain;
+ struct dom_sid *ai_auth_authority = NULL;
+ struct dom_sid *ai_service = NULL;
+ size_t ai_auth_authority_count = 0;
+ size_t ai_service_count = 0;
+ bool ok;
+
 TALLOC_CTX *tmp_ctx = talloc_new(tctx);
 torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
@@ -976,12 +982,64 @@ static bool test_S4U2Self(struct torture_context *tctx,
 s4u2self_session_info->info->account_name, "Account name differs for S4U2Self");
 torture_assert_str_equal(tctx, netlogon_user_info_dc->info->full_name == NULL ? "" : netlogon_user_info_dc->info->full_name, kinit_session_info->info->full_name, "Full name differs for kinit-based PAC");
 torture_assert_str_equal(tctx, netlogon_user_info_dc->info->full_name == NULL ? "" : netlogon_user_info_dc->info->full_name, s4u2self_session_info->info->full_name, "Full name differs for S4U2Self");
- torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, kinit_session_info->torture->num_dc_sids, "Different numbers of domain groups for kinit-based PAC");
- torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, s4u2self_session_info->torture->num_dc_sids, "Different numbers of domain groups for S4U2Self");
 builtin_domain = dom_sid_parse_talloc(tmp_ctx, SID_BUILTIN);
+ /* KRB5 might have an additional sid, the asserted identity */
+ ai_auth_authority = dom_sid_parse_talloc(
+ tmp_ctx,
+ SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY);
+
+ ai_service = dom_sid_parse_talloc(
+ tmp_ctx,
+ SID_SERVICE_ASSERTED_IDENTITY);
+
+ ai_auth_authority_count = 0;
+ ai_service_count = 0;
 for (i = 0; i < kinit_session_info->torture->num_dc_sids; i++) {
+ ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i],
+ ai_auth_authority);
+ if (ok) {
+ ai_auth_authority_count++;
+ }
+
+ ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i],
+ ai_service);
+ if (ok) {
+ ai_service_count++;
+ }
+ }
+
+ torture_assert_int_equal(tctx, ai_auth_authority_count, 1,
+ "Kinit authority asserted identity should be (1)");
+ torture_assert_int_equal(tctx, ai_service_count, 0,
+ "Kinit service asserted identity should be (0)");
+
+ ai_auth_authority_count = 0;
+ ai_service_count = 0;
+ for (i = 0; i < s4u2self_session_info->torture->num_dc_sids; i++) {
+ ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i],
+ ai_auth_authority);
+ if (ok) {
+ ai_auth_authority_count++;
+ }
+
+ ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i],
+ ai_service);
+ if (ok) {
+ ai_service_count++;
+ }
+ }
+
+ torture_assert_int_equal(tctx, ai_auth_authority_count, 0,
+ "S4U2Self authority asserted identity should be (0)");
+ torture_assert_int_equal(tctx, ai_service_count, 1,
+ "S4U2Self service asserted identity should be (1)");
+
+ torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, kinit_session_info->torture->num_dc_sids - 1, "Different numbers of domain groups for kinit-based PAC");
+ torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, s4u2self_session_info->torture->num_dc_sids - 1, "Different numbers of domain groups for S4U2Self");
+
+ for (i = 0; i < netlogon_user_info_dc->num_sids; i++) {
 torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &kinit_session_info->torture->dc_sids[i]), "Different domain groups for kinit-based PAC");
 torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &s4u2self_session_info->torture->dc_sids[i]), "Different domain groups for S4U2Self");
 torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s4u2self_session_info->torture->dc_sids[i]), "Returned BUILTIN domain in groups for S4U2Self");
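Review bot: The positional compare in the new `for (i = 0; i < netlogon_user_info_dc->num_sids; i++)` loop at the end of the hunk only holds if the asserted-identity SID is the last entry of `dc_sids`; the counting loops above prove there is exactly one such SID but not where it sits, and the extra entry at index `num_dc_sids - 1` is never itself examined, so a PAC that carries the asserted-identity SID earlier in the list fails with the misleading "Different domain groups" message instead of being accepted. Walking `dc_sids` with a second index that skips the asserted-identity SID wherever it appears removes the ordering assumption and replaces the `- 1` in the two `torture_assert_int_equal` calls with an exact count check (excerpt below; `j` would be declared next to `i`, which is outside the hunk). The two `dom_sid_parse_talloc()` results are used unchecked; if either is NULL the loops either crash or count 0 depending on how `dom_sid_equal()` treats a NULL argument, and the failure is then reported as a wrong count, so `torture_assert(tctx, ai_auth_authority != NULL, "dom_sid_parse_talloc() failed");` (and the same for `ai_service`) directly after the calls would point at the real cause. The two counting loops differ only in the session_info they read and could be one static helper, and the `ai_auth_authority_count = 0; ai_service_count = 0;` before the first loop repeat the initialisers from the declaration hunk. test_S4U2Self begins and ends outside this hunk.
```c
	/* … unchanged: asserted-identity counting and its asserts … */

	/*
	 * Compare the netlogon SID list against each PAC-derived list while
	 * skipping the asserted-identity SID wherever the KDC placed it, so
	 * the check does not rely on it being the final entry.
	 */
	for (i = 0, j = 0; i < kinit_session_info->torture->num_dc_sids; i++) {
		const struct dom_sid *sid = &kinit_session_info->torture->dc_sids[i];

		if (dom_sid_equal(sid, ai_auth_authority)) {
			continue;
		}
		torture_assert(tctx, j < netlogon_user_info_dc->num_sids,
			       "Too many domain groups for kinit-based PAC");
		torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[j], sid),
			       "Different domain groups for kinit-based PAC");
		j++;
	}
	torture_assert_int_equal(tctx, j, netlogon_user_info_dc->num_sids,
				 "Different numbers of domain groups for kinit-based PAC");
	/* … same walk over s4u2self_session_info->torture->dc_sids skipping ai_service,
	 * keeping the existing dom_sid_in_domain(builtin_domain, …) check … */
```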