tests/krb5: Add tests performing AS‐REQs armored with unacceptable tickets
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Fri, 29 Sep 2023 00:21:01 +0000 (13:21 +1300)
committerJoseph Sutton <jsutton@samba.org>
Sun, 1 Oct 2023 22:45:38 +0000 (22:45 +0000)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/kdc_tgs_tests.py
selftest/knownfail_mit_kdc

index 6619081a844b3806e04ce3e134afdde81898d4bd..7dccdf2479ff634f8baa7b66d25e6f1c769d5df7 100755 (executable)
@@ -1163,6 +1163,11 @@ class KdcTgsTests(KdcTgsBaseTests):
         self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
                    expected_sname=self.get_krbtgt_sname())
 
+    def test_fast_as_req_no_pac(self):
+        creds = self._get_creds()
+        tgt = self._get_tgt(creds, remove_pac=True)
+        self._fast_as_req(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
+
     # Test making a request with authdata and without a PAC.
     def test_tgs_authdata_no_pac(self):
         creds = self._get_creds()
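Review bot: `test_fast_as_req_no_pac` has no leading comment, while the neighbouring tests state their case in one line (`# Test making a request with authdata and without a PAC.` directly below it). A line such as `# Test an AS-REQ armored with a TGT that has no PAC.` would make the rejected condition readable without following `_get_tgt`. The same applies to `test_fast_as_req_authdata_no_pac`, `test_fast_as_req_sid_mismatch_existing` and `test_fast_as_req_sid_mismatch_nonexisting` in the next three hunks. The enclosing class `KdcTgsTests` starts and ends outside this hunk.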
@@ -1199,6 +1204,11 @@ class KdcTgsTests(KdcTgsBaseTests):
         self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
                    expected_sname=self.get_krbtgt_sname())
 
+    def test_fast_as_req_authdata_no_pac(self):
+        creds = self._get_creds()
+        tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
+        self._fast_as_req(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
+
     # Test changing the SID in the PAC to that of another account.
     def test_tgs_sid_mismatch_existing(self):
         creds = self._get_creds()
@@ -1240,6 +1250,13 @@ class KdcTgsTests(KdcTgsBaseTests):
                    expected_error=KDC_ERR_TGT_REVOKED,
                    expected_sname=self.get_krbtgt_sname())
 
+    def test_fast_as_req_sid_mismatch_existing(self):
+        creds = self._get_creds()
+        existing_rid = self._get_existing_rid()
+        tgt = self._get_tgt(creds, new_rid=existing_rid)
+        self._fast_as_req(tgt, creds,
+                          expected_error=KDC_ERR_TGT_REVOKED)
+
     def test_requester_sid_mismatch_existing(self):
         creds = self._get_creds()
         existing_rid = self._get_existing_rid()
@@ -1304,6 +1321,13 @@ class KdcTgsTests(KdcTgsBaseTests):
                    expected_error=KDC_ERR_TGT_REVOKED,
                    expected_sname=self.get_krbtgt_sname())
 
+    def test_fast_as_req_sid_mismatch_nonexisting(self):
+        creds = self._get_creds()
+        nonexistent_rid = self._get_non_existent_rid()
+        tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
+        self._fast_as_req(tgt, creds,
+                          expected_error=KDC_ERR_TGT_REVOKED)
+
     def test_requester_sid_mismatch_nonexisting(self):
         creds = self._get_creds()
         nonexistent_rid = self._get_non_existent_rid()
@@ -3207,6 +3231,15 @@ class KdcTgsTests(KdcTgsBaseTests):
                              expect_pac=expect_pac,
                              expect_edata=expect_edata)
 
+    def _fast_as_req(self, armor_tgt, armor_tgt_creds, expected_error):
+        user_creds = self._get_mach_creds()
+        target_creds = self.get_service_creds()
+
+        return self._armored_as_req(user_creds, target_creds, armor_tgt,
+                                    expected_error=expected_error,
+                                    expected_sname=self.get_krbtgt_sname(),
+                                    expect_edata=False)
+
 
 if __name__ == "__main__":
     global_asn1_print = False
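Review bot: `armor_tgt_creds` is accepted by `_fast_as_req` but never read; the request is built from `self._get_mach_creds()` and `self.get_service_creds()`, so the `creds` that every new test passes has no effect on the exchange. Either drop the parameter or say so in a docstring, for example `"""Send an AS-REQ as the account from _get_mach_creds(), armored with armor_tgt, and expect expected_error; armor_tgt_creds is unused."""`. The docstring should also say why `expect_edata=False` is fixed here, since the hunk does not show whether that is a property of the rejection path or a simplification.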
index d241b61581104c007003c9d2173e63125ae5689d..b36aad83acdcdea5c3ab12fa5f284d90517cbf40 100644 (file)
@@ -329,6 +329,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 # KDC TGT tests
 #
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_sid_mismatch_nonexisting
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_authdata_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_false
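Review bot: The four new `test_fast_as_req_*` entries carry no reason, so the file does not say whether the MIT KDC accepts these armor tickets or only rejects them with an error other than `KDC_ERR_TGT_REVOKED`. Those two outcomes mean very different things for a deployment, and a knownfail entry hides both equally. A short comment above the entries, such as `# MIT KDC: AS-REQ armored with a PAC-less or SID-mismatched TGT does not yield KDC_ERR_TGT_REVOKED (<observed result>)`, would keep that distinction visible. The list continues outside this hunk.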