tests/krb5: Add tests to see how SIDs are conveyed from PACs
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 25 Oct 2023 03:38:57 +0000 (16:38 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 1 Nov 2023 20:10:45 +0000 (20:10 +0000)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/conditional_ace_tests.py
selftest/knownfail_heimdal_kdc
selftest/knownfail_mit_kdc

index c5fc8a6ae76693b25cb7618cc5da2460a18b96c4..8381ce46286e81003d674e795f83e001b552d734 100755 (executable)
@@ -2602,6 +2602,204 @@ class ConditionalAceTests(ConditionalAceBaseTests):
                            event=event,
                            reason=reason)
 
+    def test_tgs_claims_valid_missing(self):
+        """Test that the Claims Valid SID is not added to the PAC when
+        performing a TGS‐REQ."""
+        client_sids = {
+            (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+            (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            (self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        self._tgs(use_fast=False,
+                  client_sids=client_sids,
+                  expected_groups=client_sids)
+
+    def test_tgs_claims_valid_missing_from_rodc(self):
+        """Test that the Claims Valid SID *is* added to the PAC when
+        performing a TGS‐REQ with an RODC‐issued TGT."""
+        client_sids = {
+            (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+            (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            (self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        expected_groups = client_sids | {
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        self._tgs(use_fast=False,
+                  client_from_rodc=True,
+                  client_sids=client_sids,
+                  expected_groups=expected_groups)
+
+    def test_tgs_aa_asserted_identity(self):
+        """Test performing a TGS‐REQ with the Authentication Identity Asserted
+        Identity SID present."""
+        client_sids = {
+            (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+            (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            (self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs),
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        self._tgs(use_fast=False,
+                  client_sids=client_sids,
+                  expected_groups=client_sids)
+
+    def test_tgs_aa_asserted_identity_no_attrs(self):
+        """Test performing a TGS‐REQ with the Authentication Identity Asserted
+        Identity SID present, albeit without any attributes."""
+        client_sids = {
+            (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+            (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            # Put the Asserted Identity SID in the PAC without any flags set.
+            (self.aa_asserted_identity, SidType.EXTRA_SID, 0),
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        self._tgs(use_fast=False,
+                  client_sids=client_sids,
+                  expected_groups=client_sids)
+
+    def test_tgs_aa_asserted_identity_from_rodc(self):
+        """Test that the Authentication Identity Asserted Identity SID in an
+        RODC‐issued PAC is preserved when performing a TGS‐REQ."""
+        client_sids = {
+            (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+            (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            (self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs),
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        self._tgs(use_fast=False,
+                  client_from_rodc=True,
+                  client_sids=client_sids,
+                  expected_groups=client_sids)
+
+    def test_tgs_aa_asserted_identity_from_rodc_no_attrs_from_rodc(self):
+        """Test that the Authentication Identity Asserted Identity SID without
+        attributes in an RODC‐issued PAC is preserved when performing a
+        TGS‐REQ."""
+        client_sids = {
+            (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+            (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            # Put the Asserted Identity SID in the PAC without any flags set.
+            (self.aa_asserted_identity, SidType.EXTRA_SID, 0),
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        expected_groups = {
+            (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+            (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            # The SID in the resulting PAC has the default attributes.
+            (self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs),
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        self._tgs(use_fast=False,
+                  client_from_rodc=True,
+                  client_sids=client_sids,
+                  expected_groups=expected_groups)
+
+    def test_tgs_compound_authentication(self):
+        """Test performing a TGS‐REQ with the Compounded Authentication SID
+        present."""
+        client_sids = {
+            (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+            (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+            (security.SID_COMPOUNDED_AUTHENTICATION, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        self._tgs(use_fast=False,
+                  client_sids=client_sids,
+                  expected_groups=client_sids)
+
+    def test_tgs_compound_authentication_from_rodc(self):
+        """Test that the Compounded Authentication SID in an
+        RODC‐issued PAC is not preserved when performing a TGS‐REQ."""
+        client_sids = {
+            (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+            (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+            (security.SID_COMPOUNDED_AUTHENTICATION, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        expected_groups = {
+            (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+            (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        self._tgs(use_fast=False,
+                  client_from_rodc=True,
+                  client_sids=client_sids,
+                  expected_groups=expected_groups)
+
+    def test_tgs_asserted_identity_missing(self):
+        """Test that the Authentication Identity Asserted Identity SID is not
+        added to the PAC when performing a TGS‐REQ."""
+        client_sids = {
+            (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+            (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        self._tgs(use_fast=False,
+                  client_sids=client_sids,
+                  expected_groups=client_sids)
+
+    def test_tgs_asserted_identity_missing_from_rodc(self):
+        """Test that the Authentication Identity Asserted Identity SID is not
+        added to an RODC‐issued PAC when performing a TGS‐REQ."""
+        client_sids = {
+            (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+            (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        self._tgs(use_fast=False,
+                  client_from_rodc=True,
+                  client_sids=client_sids,
+                  expected_groups=client_sids)
+
+    def test_tgs_service_asserted_identity(self):
+        """Test performing a TGS‐REQ with the Service Asserted Identity SID
+        present."""
+        client_sids = {
+            (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+            (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            (self.service_asserted_identity, SidType.EXTRA_SID, self.default_attrs),
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        self._tgs(use_fast=False,
+                  client_sids=client_sids,
+                  expected_groups=client_sids)
+
+    def test_tgs_service_asserted_identity_from_rodc(self):
+        """Test that the Service Asserted Identity SID in an
+        RODC‐issued PAC is not preserved when performing a TGS‐REQ."""
+        client_sids = {
+            (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+            (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            (self.service_asserted_identity, SidType.EXTRA_SID, self.default_attrs),
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        expected_groups = {
+            (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+            (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            # Don’t expect the Service Asserted Identity SID.
+            (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
+        }
+
+        self._tgs(use_fast=False,
+                  client_from_rodc=True,
+                  client_sids=client_sids,
+                  expected_groups=expected_groups)
+
     def test_tgs_without_aa_asserted_identity(self):
         client_sids = {
             (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
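Review bot: The method name `test_tgs_aa_asserted_identity_from_rodc_no_attrs_from_rodc`, defined in the middle of the hunk, carries the `_from_rodc` suffix twice; its non-RODC counterpart is `test_tgs_aa_asserted_identity_no_attrs`, so `def test_tgs_aa_asserted_identity_no_attrs_from_rodc(self):` would follow the naming every other pair in this hunk uses. The same name is registered in both knownfail lists later in this commit, so those two entries must be renamed with it. Separately, the two no-attrs tests assert different outcomes for the attribute-less Asserted Identity SID — it is passed through with attributes 0 when the TGT comes from the KDC itself but reappears with the default attributes when the TGT is RODC-issued — and only the inline comment on the RODC side says so; a sentence in the docstring of `test_tgs_aa_asserted_identity_no_attrs` such as `The SID is expected to be passed through with its empty attributes unchanged, unlike the RODC-issued case where it gains the default attributes.` would make the intended contrast explicit to the next reader.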
index 6bfde1aa53640463633534855fd83a274d1bf282..92eba18901f7f7e63642363a6f632954df8415a9 100644 (file)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\)
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_delegating_proxy_in_network_group_rbcd\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_network_group_rbcd\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_aa_asserted_identity_from_rodc_no_attrs_from_rodc\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_aa_asserted_identity_from_rodc\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_asserted_identity_missing_from_rodc\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_claims_valid_missing_from_rodc\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_compound_authentication_from_rodc\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_service_asserted_identity_from_rodc\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_with_aa_asserted_identity_both_from_rodc\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_with_aa_asserted_identity_client_from_rodc\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_without_claims_valid_both_from_rodc\(ad_dc\)$
index 56a3b3a81d416c773063afeb20b6f20780b22ea8..5870ca734d887b8150809e13982538b564bd7725 100644 (file)
@@ -4078,6 +4078,12 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_device_in_network_group_rbcd\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_device_in_service_asserted_identity_rbcd\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_device_in_world_group_rbcd\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_aa_asserted_identity_from_rodc_no_attrs_from_rodc\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_aa_asserted_identity_from_rodc\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_asserted_identity_missing_from_rodc\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_claims_valid_missing_from_rodc\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_compound_authentication_from_rodc\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_service_asserted_identity_from_rodc\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_aa_asserted_identity\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_authenticated_users\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_claims_valid\(ad_dc\)$