tests/krb5: Add more tests of the device belonging to certain groups
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 25 Oct 2023 01:59:27 +0000 (14:59 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 25 Oct 2023 22:23:37 +0000 (22:23 +0000)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/conditional_ace_tests.py
selftest/knownfail_mit_kdc

index 89ea8d4432e84116f9928b66cc9dbdf20221c89e..c51319ebdfe8c4ffbae498d7da631fd78f6a1b49 100755 (executable)
@@ -3450,6 +3450,19 @@ class DeviceRestrictionTests(ConditionalAceBaseTests):
     def test_device_in_authenticated_users(self):
         self._check_device_in_group(security.SID_NT_AUTHENTICATED_USERS)
 
+    def test_device_in_aa_asserted_identity(self):
+        self._check_device_in_group(
+            security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY)
+
+    def test_device_in_service_asserted_identity(self):
+        self._check_device_not_in_group(security.SID_SERVICE_ASSERTED_IDENTITY)
+
+    def test_device_in_compounded_authentication(self):
+        self._check_device_not_in_group(security.SID_COMPOUNDED_AUTHENTICATION)
+
+    def test_device_in_claims_valid(self):
+        self._check_device_in_group(security.SID_CLAIMS_VALID)
+
     def _check_device_in_group(self, group):
         self._check_device_membership(group, expect_in_group=True)
 
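Review bot: The names `test_device_in_service_asserted_identity` and `test_device_in_compounded_authentication` read as membership assertions, but both call `_check_device_not_in_group`, so the expected outcome is the opposite of what the name says. The same pair is added in the TgsReqServicePolicyTests hunk. Renaming would also mean changing the new knownfail_mit_kdc entries, so a one-line comment above each negative test is the lighter fix, for example `# Negative case: the device's PAC is expected not to carry this SID.` The reason looks to be that the device obtained its ticket with its own credentials, though the hunk does not say; stating the actual reason in that comment would help a reader tell an intended denial from a regression in the access check. The enclosing class begins and ends outside the hunk.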
@@ -4444,6 +4457,19 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests):
     def test_device_in_authenticated_users(self):
         self._check_device_in_group(security.SID_NT_AUTHENTICATED_USERS)
 
+    def test_device_in_aa_asserted_identity(self):
+        self._check_device_in_group(
+            security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY)
+
+    def test_device_in_service_asserted_identity(self):
+        self._check_device_not_in_group(security.SID_SERVICE_ASSERTED_IDENTITY)
+
+    def test_device_in_compounded_authentication(self):
+        self._check_device_not_in_group(security.SID_COMPOUNDED_AUTHENTICATION)
+
+    def test_device_in_claims_valid(self):
+        self._check_device_in_group(security.SID_CLAIMS_VALID)
+
     def _check_device_in_group(self, group):
         self._check_device_membership(group, expect_in_group=True)
 
index 5c051723914c414f4e3ebe457030515aa5d2de4f..ac4beec9721aab4607bf0d80b521389cce7321be 100644 (file)
@@ -4064,8 +4064,12 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 # Conditional ACE device restrictions
 #
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_aa_asserted_identity\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_authenticated_users\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_claims_valid\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_compounded_authentication\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_network_group\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_service_asserted_identity\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_world_group\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_invalid\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_not_present\(ad_dc\)
@@ -4075,7 +4079,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_resource_groups_present_to_service_no_sid_compression\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_resource_groups_present_to_service_sid_compression\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_well_known_groups_not_present\(ad_dc\)
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_aa_asserted_identity\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_authenticated_users\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_claims_valid\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_compounded_authentication\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_network_group\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_service_asserted_identity\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_world_group\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_simple_as_req_client_and_target_policy\(ad_dc\)