('{a}', claims.CLAIM_TYPE_BOOLEAN, [2]),
('{b}', claims.CLAIM_TYPE_BOOLEAN, [3]),
]),
- ], '{a} == {b}', CRASHES_WINDOWS),
+ ], '{a} == {b}', (None, CRASHES_WINDOWS)),
([
(claims.CLAIMS_SOURCE_TYPE_AD, [
('{a}', claims.CLAIM_TYPE_BOOLEAN, [1]),
(claims.CLAIMS_SOURCE_TYPE_AD, [
('{larger_claim}', claims.CLAIM_TYPE_STRING, ['z' * 100000]),
]),
- ], '{larger_claim} > "z"', CRASHES_WINDOWS),
+ ], '{larger_claim} > "z"', (True, CRASHES_WINDOWS)),
# Test a great number of claims. Windows does not appear to like
# receiving this many claims.
([
('{many_claims}', claims.CLAIM_TYPE_UINT64,
list(range(0, 100000))),
]),
- ], '{many_claims} Any_of "99999"', CRASHES_WINDOWS),
+ ], '{many_claims} Any_of "99999"', (True, CRASHES_WINDOWS)),
# Test a claim with a very long name. Much larger than this, and
# conditional_ace_encode_binary() will refuse to encode the conditions.
([
(claims.CLAIMS_SOURCE_TYPE_AD, [
('{invalid_sid}', 5, []),
]),
- ], '{invalid_sid} == {invalid_sid}', CRASHES_WINDOWS),
+ ], '{invalid_sid} == {invalid_sid}', (None, CRASHES_WINDOWS)),
([
(claims.CLAIMS_SOURCE_TYPE_AD, [
('{invalid_octet_string}', 16, []),
]),
- ], '{invalid_octet_string} == {invalid_octet_string}', CRASHES_WINDOWS),
+ ], '{invalid_octet_string} == {invalid_octet_string}', (None, CRASHES_WINDOWS)),
# Sending an empty string will crash Windows.
([
(claims.CLAIMS_SOURCE_TYPE_AD, [
('{empty_string}', claims.CLAIM_TYPE_STRING, ['']),
]),
- ], '{empty_string}', CRASHES_WINDOWS),
+ ], '{empty_string}', (None, CRASHES_WINDOWS)),
# But sending empty arrays is OK.
([
(claims.CLAIMS_SOURCE_TYPE_AD, [
outcome):
self.assertIsInstance(expression, str)
- if outcome is CRASHES_WINDOWS and not self.crash_windows:
- self.skipTest('test crashes Windows servers')
+ try:
+ outcome, crashes_windows = outcome
+ self.assertIs(crashes_windows, CRASHES_WINDOWS)
+ if not self.crash_windows:
+ self.skipTest('test crashes Windows servers')
+ except TypeError:
+ self.assertIsNot(outcome, CRASHES_WINDOWS)
if claim_map is None:
claim_map = {}
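Review bot: The `try:` / `except TypeError:` around `outcome, crashes_windows = outcome` picks the branch from whether unpacking happens to raise, so any two-element iterable is treated as an (outcome, marker) pair, and a tuple of another length escapes as an uncaught `ValueError` instead of a clear failure. An explicit type test states the intent and keeps the assertions out of the guarded region: replace `try:` with `if isinstance(outcome, tuple):` and `except TypeError:` with `else:`. The same seven lines are repeated for `code` in `_rbcd` and `_tgs`; if either helper can also receive a collection of acceptable error codes (not visible here), a two-element collection would trip `assertIs(crashes_windows, CRASHES_WINDOWS)` with a misleading message. One shared helper that returns the unwrapped value and performs the skip would remove the triplication. The enclosing method starts outside this hunk, since only the tail of its signature is visible.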
def test_rbcd_device_from_rodc(self):
self._rbcd('Member_of SID({service_sid})',
device_from_rodc=True,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_rbcd_service_from_rodc(self):
self._rbcd('Member_of SID({service_sid})',
self._rbcd('Member_of SID({service_sid})',
service_from_rodc=True,
device_from_rodc=True,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_rbcd_client_from_rodc(self):
self._rbcd('Member_of SID({service_sid})',
self._rbcd('Member_of SID({service_sid})',
client_from_rodc=True,
device_from_rodc=True,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_rbcd_client_and_service_from_rodc(self):
self._rbcd('Member_of SID({service_sid})',
client_from_rodc=True,
service_from_rodc=True,
device_from_rodc=True,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def _rbcd(self,
rbcd_expression=None,
expected_groups=None,
expected_device_groups=None,
expected_claims=None):
- if code is CRASHES_WINDOWS and not self.crash_windows:
- self.skipTest('test crashes Windows servers')
+ try:
+ code, crashes_windows = code
+ self.assertIs(crashes_windows, CRASHES_WINDOWS)
+ if not self.crash_windows:
+ self.skipTest('test crashes Windows servers')
+ except TypeError:
+ self.assertIsNot(code, CRASHES_WINDOWS)
samdb = self.get_samdb()
functional_level = self.get_domain_functional_level(samdb)
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED,
+ edata=self.expect_padata_outer)
def test_tgs_without_aa_asserted_identity_both_from_rodc(self):
client_sids = {
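Review bot: The expectations added with `code=(KDC_ERR_POLICY, CRASHES_WINDOWS)` (`status`, `event`, `reason`, `edata`) have no comment saying where they come from. Because the case is flagged as crashing Windows servers, these values presumably describe the behaviour chosen for Samba rather than something observed from a Windows DC. A comment above the call would make that explicit, e.g. `# Windows crashes on this request; the expected error and audit fields are Samba's chosen behaviour.` The same applies to the other `_tgs` and `_rbcd` callers that now pass `(KDC_ERR_POLICY, CRASHES_WINDOWS)` or `(0, CRASHES_WINDOWS)`. The test method itself begins outside this hunk.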
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED,
+ edata=self.expect_padata_outer)
def test_tgs_with_aa_asserted_identity(self):
client_sids = {
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_tgs_with_aa_asserted_identity_both_from_rodc(self):
client_sids = {
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_tgs_without_service_asserted_identity(self):
client_sids = {
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED,
+ edata=self.expect_padata_outer)
def test_tgs_without_service_asserted_identity_both_from_rodc(self):
client_sids = {
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED,
+ edata=self.expect_padata_outer)
def test_tgs_with_service_asserted_identity(self):
client_sids = {
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_tgs_with_service_asserted_identity_both_from_rodc(self):
client_sids = {
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_tgs_without_claims_valid(self):
client_sids = {
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED,
+ edata=self.expect_padata_outer)
def test_tgs_without_claims_valid_both_from_rodc(self):
client_sids = {
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
+ status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
+ event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
+ reason=AuditReason.ACCESS_DENIED,
+ edata=self.expect_padata_outer)
def test_tgs_with_claims_valid(self):
client_sids = {
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def test_tgs_with_claims_valid_both_from_rodc(self):
client_sids = {
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
- code=CRASHES_WINDOWS)
+ code=(0, CRASHES_WINDOWS))
def _tgs(self,
target_policy=None,
expected_groups=None,
expected_device_groups=None,
expected_claims=None):
- if code is CRASHES_WINDOWS and not self.crash_windows:
- self.skipTest('test crashes Windows servers')
+ try:
+ code, crashes_windows = code
+ self.assertIs(crashes_windows, CRASHES_WINDOWS)
+ if not self.crash_windows:
+ self.skipTest('test crashes Windows servers')
+ except TypeError:
+ self.assertIsNot(code, CRASHES_WINDOWS)
samdb = self.get_samdb()
functional_level = self.get_domain_functional_level(samdb)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_1___a_or_b_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_2_b_6_3___a_equals_b_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_b_6_1___b_or_b_or_b_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_empty_string_3___empty_string_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_and_true_boolean_6_0_1___false_and_true_boolean_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_boolean_6_0___false_boolean_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_invalid_octet_string_16___invalid_octet_string_equals_invalid_octet_string_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_invalid_sid_5___invalid_sid_equals_invalid_sid_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_larger_claim_3_zzzzzzzzzzzzzzzzzzz
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_many_claims_2_0_1_2_3_4_5_6_7_8_9_10
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_non_empty_string_3_foo_bar___non_empty_string_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_nonzero_int_1_1___nonzero_int_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_uint_2_0_1___zero_and_one_uint_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_int_1_0___zero_int_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_all_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_and_service_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_aa_asserted_identity\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_claims_valid\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_compounded_auth\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_service_asserted_identity\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_both_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_both_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_client_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_both_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_device_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_claims_valid_both_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_claims_valid_device_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_both_from_rodc\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_device_from_rodc\(ad_dc\)
#
# Conditional ACE device restrictions
#