From: Joseph Sutton Date: Mon, 9 Oct 2023 01:08:43 +0000 (+1300) Subject: tests/krb5: Correctly test services that do not support Compound Identity X-Git-Tag: tevent-0.16.0~99 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=43cce1d190ddd3cf831cb5709816ccc03bf805d2;p=thirdparty%2Fsamba.git tests/krb5: Correctly test services that do not support Compound Identity These two tests now pass against Windows. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/python/samba/tests/krb5/claims_tests.py b/python/samba/tests/krb5/claims_tests.py index 348ea99ec0d..074147e5afe 100755 --- a/python/samba/tests/krb5/claims_tests.py +++ b/python/samba/tests/krb5/claims_tests.py @@ -1722,7 +1722,7 @@ class ClaimsTests(KDCBaseTest): if tgs_to_krbtgt: requester_sid = user_sid - if tgs_to_krbtgt: + if not tgs_compound_id: expected_claims = None unexpected_claims = None @@ -1758,9 +1758,9 @@ class ClaimsTests(KDCBaseTest): unexpected_groups=None, expect_client_claims=True, expected_client_claims=None, - expect_device_info=not tgs_to_krbtgt, + expect_device_info=bool(tgs_compound_id), expected_device_groups=tgs_device_expected_mapped, - expect_device_claims=not tgs_to_krbtgt, + expect_device_claims=bool(tgs_compound_id), expected_device_claims=expected_claims, unexpected_device_claims=unexpected_claims) @@ -1841,7 +1841,7 @@ class ClaimsTests(KDCBaseTest): }, { # Make a TGS request containing claims to a service that lacks - # support for compound identity. The claims are still propagated to + # support for compound identity. The claims are not propagated to # the final ticket. 'test': 'device to service no compound id', 'groups': { 
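Review bot: With `expected_claims = None` and `unexpected_claims = None` under the new `if not tgs_compound_id:` (first hunk) and `expect_device_claims=bool(tgs_compound_id)` / `expect_device_info=bool(tgs_compound_id)` (second hunk), the no-compound-identity case proves absence only if the exchange helper treats a False `expect_device_claims`/`expect_device_info` as "assert the buffer is absent" rather than "skip the check"; that contract is not visible in these hunks and is worth confirming, because otherwise the negative test passes even when the KDC still hands device claims and device info to a service that never opted in. A one-line comment at the new condition would make the intent explicit: `# A service without compound identity support must receive neither device claims nor device info.`. The same point applies to `expect_device_info=bool(tgs_compound_id)` in the second device_tests.py hunk. The enclosing test method starts and ends outside these hunks.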
@@ -1880,20 +1880,10 @@ class ClaimsTests(KDCBaseTest):
'tgs:expected': {
(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY, SidType.EXTRA_SID, default_attrs),
(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
- (security.SID_COMPOUNDED_AUTHENTICATION, SidType.EXTRA_SID, default_attrs),
+ # The Compounded Authentication SID should not be present.
(security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
(security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
},
- 'tgs:device:expected': {
- (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
- (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
- frozenset([
- ('foo', SidType.RESOURCE_SID, resource_attrs),
- ('bar', SidType.RESOURCE_SID, resource_attrs),
- ]),
- (asserted_identity, SidType.EXTRA_SID, default_attrs),
- frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
- },
},
{
# Make a TGS request containing claims to a service, but don't
diff --git a/python/samba/tests/krb5/device_tests.py b/python/samba/tests/krb5/device_tests.py
index 87b65735a03..43efc7b0fb2 100755
--- a/python/samba/tests/krb5/device_tests.py
+++ b/python/samba/tests/krb5/device_tests.py
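Review bot: Dropping the `'tgs:device:expected'` key leaves it implicit whether a missing key means "expect no device info" or "do not check device info", and for a negative test that difference is the whole point. A short comment beside the new `# The Compounded Authentication SID should not be present.` line, for example `# No 'tgs:device:expected': no device info may be generated for a service without compound identity support.`, would record the intent; the same applies to the matching `'tgs:device:expected'` removal in the first device_tests.py hunk. The enclosing test-case table starts and ends outside this hunk.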
@@ -208,16 +208,9 @@ class DeviceTests(KDCBaseTest):
(security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
(security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
(asserted_identity, SidType.EXTRA_SID, default_attrs),
- (compounded_auth, SidType.EXTRA_SID, default_attrs),
+ # The Compounded Authentication SID should not be present.
(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
},
- # The device info is still generated.
- 'tgs:device:expected': {
- (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
- (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
- (asserted_identity, SidType.EXTRA_SID, default_attrs),
- frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
- },
},
{
'test': 'universal groups to krbtgt',
@@ -2102,7 +2095,7 @@ class DeviceTests(KDCBaseTest):
expected_groups=tgs_expected_mapped,
unexpected_groups=None,
expect_device_claims=None,
- expect_device_info=not tgs_to_krbtgt,
+ expect_device_info=bool(tgs_compound_id),
expected_device_groups=tgs_device_expected_mapped)

rep = self._generic_kdc_exchange(kdc_exchange_dict,
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index e5c9a841bd3..fb42060b98f 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -268,3 +268,8 @@
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_present\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_groups_present\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_simple_as_req_client_policy_only\(ad_dc\)
+#
+# Tests for services without support for Compound Identity
+#
+^samba\.tests\.krb5\.claims_tests\.samba\.tests\.krb5\.claims_tests\.ClaimsTests\.test_device_claims_device_to_service_no_compound_id\(ad_dc\)$
+^samba\.tests\.krb5\.device_tests\.samba\.tests\.krb5\.device_tests\.DeviceTests\.test_device_info_device_to_service_no_compound_id\(ad_dc\)$
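Review bot: The added knownfail comment names the tests but not the behaviour the Heimdal KDC gets wrong, so a later reader cannot tell when these two entries may be removed. Presumably the Heimdal KDC still places the Compounded Authentication SID and the device info into tickets for services that lack compound identity support, which is exactly the disclosure of device identity the corrected tests now reject; if that is the cause, extending the comment to `# Tests for services without support for Compound Identity (the Heimdal KDC still includes compound identity data in such tickets)` would record it.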