From: Joseph Sutton Date: Thu, 2 Nov 2023 02:29:32 +0000 (+1300) Subject: tests/krb5: Add tests for PACs containing extraneous buffers X-Git-Tag: talloc-2.4.2~860 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=622ac53f2229c005a7f35779298af8405549c0d4;p=thirdparty%2Fsamba.git tests/krb5: Add tests for PACs containing extraneous buffers Test that the KDC removes these buffers from RODC‐issued PACs. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 6271c9fea13..7a1479edc05 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -1930,6 +1930,29 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
 return pac
+ def add_extra_pac_buffers(self, pac, *, buffers=None):
+ if buffers is None:
+ buffers = []
+
+ pac_buffers = pac.buffers
+ for pac_buffer_type in buffers:
+ info = krb5pac.DATA_BLOB_REM()
+ # Having an empty PAC buffer will trigger an assertion failure in
+ # the MIT KDC’s k5_pac_locate_buffer(), so we need at least one
+ # byte.
+ info.remaining = b'0'
+
+ pac_buffer = krb5pac.PAC_BUFFER()
+ pac_buffer.type = pac_buffer_type
+ pac_buffer.info = info
+
+ pac_buffers.append(pac_buffer)
+
+ pac.buffers = pac_buffers
+ pac.num_buffers = len(pac_buffers)
+
+ return pac
+
 def get_cached_creds(self, *, account_type, opts=None,
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index db26386f763..9472b1a12a3 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -23,6 +23,8 @@ import os
 sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
+from functools import partial
+
 import ldb
 from samba import dsdb, ntstatus
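Review bot: add_extra_pac_buffers has no docstring, and its `buffers` parameter takes PAC buffer type numbers rather than buffers (the loop binds each element as `pac_buffer_type`), which the name does not convey. Suggest opening the method with `"""Append a PAC_BUFFER of each type number in *buffers* to *pac*, each carrying a one-byte DATA_BLOB_REM payload, and return the modified *pac*."""`. The method reassigns `pac.buffers` and `pac.num_buffers` on the object it is handed, so callers should not expect their original PAC to be left untouched; saying so in the docstring avoids surprises when a test reuses a PAC. Nothing checks for a type already present in `pac.buffers`, which is fine for a test helper but worth a note if a caller ever passes one of the defined `krb5pac.PAC_TYPE_*` values.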
@@ -327,6 +329,7 @@ class KdcTgsBaseTests(KDCBaseTest):
 expected_status=None, expected_proxy_target=None, expected_transited_services=None,
+ expected_extra_pac_buffers=None,
 check_patypes=True):
 if srealm is False: srealm = None
@@ -445,6 +448,7 @@ class KdcTgsBaseTests(KDCBaseTest):
 expected_device_claims=expected_device_claims, expected_proxy_target=expected_proxy_target, expected_transited_services=expected_transited_services,
+ expected_extra_pac_buffers=expected_extra_pac_buffers,
 check_patypes=check_patypes)
 rep = self._generic_kdc_exchange(kdc_exchange_dict,
@@ -1155,6 +1159,28 @@ class KdcTgsTests(KdcTgsBaseTests):
 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True, expect_pac_attrs=False)
+ def test_tgs_req_extra_pac_buffers(self):
+ extra_pac_buffers = [123, 456, 789]
+
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds, extra_pac_buffers=extra_pac_buffers)
+
+ # Expect that the extra PAC buffers are retained in the TGT.
+ self._run_tgs(tgt, creds, expected_error=0,
+ expected_extra_pac_buffers=extra_pac_buffers)
+
+ def test_tgs_req_from_rodc_extra_pac_buffers(self):
+ extra_pac_buffers = [123, 456, 789]
+
+ creds = self._get_creds(replication_allowed=True,
+ revealed_to_rodc=True)
+ tgt = self._get_tgt(creds, from_rodc=True,
+ extra_pac_buffers=extra_pac_buffers)
+
+ # Expect that the extra PAC buffers are removed from the RODC‐issued
+ # TGT.
+ self._run_tgs(tgt, creds, expected_error=0)
+
 # Test making a request without a PAC.
 def test_tgs_no_pac(self): creds = self._get_creds()
@@ -3027,7 +3053,8 @@ class KdcTgsTests(KdcTgsBaseTests):
 remove_pac_attrs=False, remove_requester_sid=False, etype=None,
- cksum_etype=None):
+ cksum_etype=None,
+ extra_pac_buffers=None):
 self.assertFalse(renewable and invalid)
 if remove_pac:
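Review bot: The comment `# Expect that the extra PAC buffers are retained in the TGT.` in test_tgs_req_extra_pac_buffers names the wrong ticket: the buffers were injected into the TGT by `_get_tgt`, and what `_run_tgs` verifies through the `expected_extra_pac_buffers` plumbing is presumably the PAC of the service ticket in the TGS-REP, so `# Expect that the extra PAC buffers are copied from the TGT into the service ticket.` describes the actual assertion. The sibling test_tgs_req_from_rodc_extra_pac_buffers relies on the converse — with `expected_extra_pac_buffers` left at None, any surviving buffer must make the buffer-type comparison in raw_testcase fail — and that is the security-relevant property here (a PAC issued under the RODC krbtgt key must not carry unknown buffers into a service ticket), so its comment should spell out that the check is the absence of those types. The literal `[123, 456, 789]` is repeated in both tests; a class-level `EXTRA_PAC_BUFFER_TYPES = (123, 456, 789)` with a comment that these are presumably chosen not to collide with any defined `PAC_TYPE_*` value would keep the two in step.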
@@ -3048,7 +3075,8 @@ class KdcTgsTests(KdcTgsBaseTests):
 remove_pac_attrs=remove_pac_attrs, remove_requester_sid=remove_requester_sid, etype=etype,
- cksum_etype=cksum_etype)
+ cksum_etype=cksum_etype,
+ extra_pac_buffers=extra_pac_buffers)
 def _modify_tgt(self, tgt,
@@ -3066,7 +3094,8 @@ class KdcTgsTests(KdcTgsBaseTests):
 remove_pac_attrs=False, remove_requester_sid=False, etype=None,
- cksum_etype=None):
+ cksum_etype=None,
+ extra_pac_buffers=None):
 if from_rodc: krbtgt_creds = self.get_mock_rodc_krbtgt_creds()
 else:
@@ -3157,6 +3186,10 @@ class KdcTgsTests(KdcTgsBaseTests):
 modify_pac_fns.append(change_cname_fn)
+ if extra_pac_buffers is not None:
+ modify_pac_fns.append(partial(self.add_extra_pac_buffers,
+ buffers=extra_pac_buffers))
+
 return self.modified_ticket( tgt, new_ticket_key=krbtgt_key,
@@ -3279,7 +3312,8 @@ class KdcTgsTests(KdcTgsBaseTests):
 def _run_tgs(self, tgt, creds, expected_error, *, expect_pac=True, expect_pac_attrs=None, expect_pac_attrs_pac_request=None, expect_requester_sid=None, expected_sid=None,
- expect_edata=False, expect_status=None, expected_status=None):
+ expect_edata=False, expect_status=None, expected_status=None,
+ expected_extra_pac_buffers=None):
 target_creds = self.get_service_creds()
 return self._tgs_req( tgt, expected_error, creds, target_creds,
@@ -3290,7 +3324,8 @@ class KdcTgsTests(KdcTgsBaseTests):
 expected_sid=expected_sid, expect_edata=expect_edata, expect_status=expect_status,
- expected_status=expected_status)
+ expected_status=expected_status,
+ expected_extra_pac_buffers=expected_extra_pac_buffers)
 # These tests fail against Windows, which does not implement ticket # renewal.
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index b163fc01856..f77dd582949 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -3088,6 +3088,7 @@ class RawKerberosTest(TestCase):
 unexpected_device_claims=None, expect_resource_groups_flag=None, expected_device_groups=None,
+ expected_extra_pac_buffers=None,
 to_rodc=False):
 if expected_error_mode == 0: expected_error_mode = ()
@@ -3167,6 +3168,7 @@ class RawKerberosTest(TestCase):
 'unexpected_device_claims': unexpected_device_claims, 'expect_resource_groups_flag': expect_resource_groups_flag, 'expected_device_groups': expected_device_groups,
+ 'expected_extra_pac_buffers': expected_extra_pac_buffers,
 'to_rodc': to_rodc }
 if callback_dict is None:
@@ -3241,6 +3243,7 @@ class RawKerberosTest(TestCase):
 unexpected_device_claims=None, expect_resource_groups_flag=None, expected_device_groups=None,
+ expected_extra_pac_buffers=None,
 to_rodc=False):
 if expected_error_mode == 0: expected_error_mode = ()
@@ -3319,6 +3322,7 @@ class RawKerberosTest(TestCase):
 'unexpected_device_claims': unexpected_device_claims, 'expect_resource_groups_flag': expect_resource_groups_flag, 'expected_device_groups': expected_device_groups,
+ 'expected_extra_pac_buffers': expected_extra_pac_buffers,
 'to_rodc': to_rodc }
 if callback_dict is None:
@@ -4482,6 +4486,10 @@ class RawKerberosTest(TestCase):
 if sent_pk_as_req: expected_types.append(krb5pac.PAC_TYPE_CREDENTIAL_INFO)
+ expected_extra_pac_buffers = kdc_exchange_dict['expected_extra_pac_buffers']
+ if expected_extra_pac_buffers is not None:
+ expected_types.extend(expected_extra_pac_buffers)
+
 buffer_types = [pac_buffer.type for pac_buffer in pac.buffers]
 self.assertSequenceElementsEqual(
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 97ec5cc5ab3..94f083c745d 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
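Review bot: In the @@ -4482 hunk the check is positive only: the test-supplied types are appended to `expected_types`, and the RODC removal case is covered solely because `assertSequenceElementsEqual` below presumably rejects any buffer type that is not in `expected_types`, a dependency the code does not state. A comment above the new assignment such as `# Buffer types injected by the test must appear verbatim; when none are expected, any leftover extra buffer fails the comparison below.` would make that explicit for whoever next changes the comparison. As a point of style, `expected_extra_pac_buffers = kdc_exchange_dict['expected_extra_pac_buffers']` runs past 79 columns if the file keeps to that limit as the neighbouring lines appear to; wrapping the subscript onto a second line or using a shorter local name fixes it. The enclosing method starts outside the hunk.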
@@ -35,6 +35,10 @@
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed
 #
+# Extra PAC buffers tests
+#
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_tgs_req_from_rodc_extra_pac_buffers\(ad_dc\)$
+#
 # Protected Users tests # # This test fails, which is fine, as we have an alternate test that considers a policy error as successful.
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index f2df39dee9d..1aa8e5c4243 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -251,6 +251,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_service_no_auth_data_required\(ad_dc\)
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_request_no_pac\(ad_dc\)
 #
+# Extra PAC buffers tests
+#
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_tgs_req_from_rodc_extra_pac_buffers\(ad_dc\)$
+#
 # MIT currently fails the following MS-KILE tests. #
 ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_1_3
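Review bot: The new knownfail entries are introduced only by `# Extra PAC buffers tests`, which says nothing about why test_tgs_req_from_rodc_extra_pac_buffers is expected to fail against the Heimdal and MIT KDC builds; presumably those KDCs do not yet strip extraneous buffers from RODC-issued PACs, and the entry should record that, e.g. `# The Heimdal and MIT KDCs do not yet remove extraneous PAC buffers from RODC-issued tickets.` Recording the reason next to the pattern makes it clear which behaviour gap is being tolerated and when the entry can be dropped.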