if tgs_to_krbtgt:
requester_sid = user_sid
- if tgs_to_krbtgt:
+ if not tgs_compound_id:
expected_claims = None
unexpected_claims = None
unexpected_groups=None,
expect_client_claims=True,
expected_client_claims=None,
- expect_device_info=not tgs_to_krbtgt,
+ expect_device_info=bool(tgs_compound_id),
expected_device_groups=tgs_device_expected_mapped,
- expect_device_claims=not tgs_to_krbtgt,
+ expect_device_claims=bool(tgs_compound_id),
expected_device_claims=expected_claims,
unexpected_device_claims=unexpected_claims)
},
{
# Make a TGS request containing claims to a service that lacks
- # support for compound identity. The claims are still propagated to
+ # support for compound identity. The claims are not propagated to
# the final ticket.
'test': 'device to service no compound id',
'groups': {
'tgs:expected': {
(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY, SidType.EXTRA_SID, default_attrs),
(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
- (security.SID_COMPOUNDED_AUTHENTICATION, SidType.EXTRA_SID, default_attrs),
+ # The Compounded Authentication SID should not be present.
(security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
(security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
},
- 'tgs:device:expected': {
- (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
- (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
- frozenset([
- ('foo', SidType.RESOURCE_SID, resource_attrs),
- ('bar', SidType.RESOURCE_SID, resource_attrs),
- ]),
- (asserted_identity, SidType.EXTRA_SID, default_attrs),
- frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
- },
},
{
# Make a TGS request containing claims to a service, but don't
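Review bot: Dropping the `'tgs:device:expected'` key (and, in the next hunk, the `# The device info is still generated.` comment) leaves it undocumented whether a missing key means "device info must be absent" or merely "not checked", and the entry's comment only says claims are not propagated, not that the device info and Compounded Authentication SID are withheld because the target service has not opted in to compound identity. I would add, next to the `'groups'` key of both entries, `# The service does not support compound identity, so the KDC must not add device info or the Compounded Authentication SID; no 'tgs:device:expected' is given.` — assuming the harness does treat the absent key as a must-not-be-present check, which is decided outside this hunk. The same note applies to the `'universal groups to krbtgt'` neighbour's hunk below, where `# The device info is still generated.` is removed without a replacement. The knownfail additions elsewhere in this change suggest the KDC does not yet behave this way, so a one-line pointer to that in the comment would help whoever later removes those entries.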
(security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
(security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
(asserted_identity, SidType.EXTRA_SID, default_attrs),
- (compounded_auth, SidType.EXTRA_SID, default_attrs),
+ # The Compounded Authentication SID should not be present.
(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
},
- # The device info is still generated.
- 'tgs:device:expected': {
- (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
- (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
- (asserted_identity, SidType.EXTRA_SID, default_attrs),
- frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
- },
},
{
'test': 'universal groups to krbtgt',
expected_groups=tgs_expected_mapped,
unexpected_groups=None,
expect_device_claims=None,
- expect_device_info=not tgs_to_krbtgt,
+ expect_device_info=bool(tgs_compound_id),
expected_device_groups=tgs_device_expected_mapped)
rep = self._generic_kdc_exchange(kdc_exchange_dict,
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_present\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_groups_present\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_simple_as_req_client_policy_only\(ad_dc\)
+#
+# Tests for services without support for Compound Identity
+#
+^samba\.tests\.krb5\.claims_tests\.samba\.tests\.krb5\.claims_tests\.ClaimsTests\.test_device_claims_device_to_service_no_compound_id\(ad_dc\)$
+^samba\.tests\.krb5\.device_tests\.samba\.tests\.krb5\.device_tests\.DeviceTests\.test_device_info_device_to_service_no_compound_id\(ad_dc\)$