From: Joseph Sutton Date: Wed, 25 Oct 2023 03:38:57 +0000 (+1300) Subject: tests/krb5: Add tests to see how SIDs are conveyed from PACs X-Git-Tag: talloc-2.4.2~937 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7ba4bb81645be100ac2e871de6cf92a79a29fbe5;p=thirdparty%2Fsamba.git tests/krb5: Add tests to see how SIDs are conveyed from PACs Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py
index c5fc8a6ae76..8381ce46286 100755
--- a/python/samba/tests/krb5/conditional_ace_tests.py
+++ b/python/samba/tests/krb5/conditional_ace_tests.py
@@ -2602,6 +2602,204 @@ class ConditionalAceTests(ConditionalAceBaseTests): event=event, reason=reason) + def test_tgs_claims_valid_missing(self): + """Test that the Claims Valid SID is not added to the PAC when + performing a TGS‐REQ.""" + client_sids = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), + (self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs), + } + + self._tgs(use_fast=False, + client_sids=client_sids, + expected_groups=client_sids) + + def test_tgs_claims_valid_missing_from_rodc(self): + """Test that the Claims Valid SID *is* added to the PAC when + performing a TGS‐REQ with an RODC‐issued TGT.""" + client_sids = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), + (self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs), + } + + expected_groups = client_sids | { + (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), + } + + self._tgs(use_fast=False, + client_from_rodc=True, + client_sids=client_sids, + expected_groups=expected_groups) + + def test_tgs_aa_asserted_identity(self): + """Test performing a TGS‐REQ with the Authentication Identity Asserted + Identity SID present.""" + client_sids = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), + (self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs), + (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), + } + + self._tgs(use_fast=False, + client_sids=client_sids, + expected_groups=client_sids) + + def test_tgs_aa_asserted_identity_no_attrs(self): + """Test performing a TGS‐REQ with the Authentication Identity Asserted + Identity SID present, albeit without any attributes.""" + client_sids = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, 
SidType.PRIMARY_GID, None), + # Put the Asserted Identity SID in the PAC without any flags set. + (self.aa_asserted_identity, SidType.EXTRA_SID, 0), + (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), + } + + self._tgs(use_fast=False, + client_sids=client_sids, + expected_groups=client_sids) + + def test_tgs_aa_asserted_identity_from_rodc(self): + """Test that the Authentication Identity Asserted Identity SID in an + RODC‐issued PAC is preserved when performing a TGS‐REQ.""" + client_sids = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), + (self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs), + (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), + } + + self._tgs(use_fast=False, + client_from_rodc=True, + client_sids=client_sids, + expected_groups=client_sids) + + def test_tgs_aa_asserted_identity_from_rodc_no_attrs_from_rodc(self): + """Test that the Authentication Identity Asserted Identity SID without + attributes in an RODC‐issued PAC is preserved when performing a + TGS‐REQ.""" + client_sids = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), + # Put the Asserted Identity SID in the PAC without any flags set. + (self.aa_asserted_identity, SidType.EXTRA_SID, 0), + (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), + } + + expected_groups = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), + # The SID in the resulting PAC has the default attributes. 
+ (self.aa_asserted_identity, SidType.EXTRA_SID, self.default_attrs), + (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), + } + + self._tgs(use_fast=False, + client_from_rodc=True, + client_sids=client_sids, + expected_groups=expected_groups) + + def test_tgs_compound_authentication(self): + """Test performing a TGS‐REQ with the Compounded Authentication SID + present.""" + client_sids = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), + (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), + (security.SID_COMPOUNDED_AUTHENTICATION, SidType.EXTRA_SID, self.default_attrs), + } + + self._tgs(use_fast=False, + client_sids=client_sids, + expected_groups=client_sids) + + def test_tgs_compound_authentication_from_rodc(self): + """Test that the Compounded Authentication SID in an + RODC‐issued PAC is not preserved when performing a TGS‐REQ.""" + client_sids = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), + (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), + (security.SID_COMPOUNDED_AUTHENTICATION, SidType.EXTRA_SID, self.default_attrs), + } + + expected_groups = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), + (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), + } + + self._tgs(use_fast=False, + client_from_rodc=True, + client_sids=client_sids, + expected_groups=expected_groups) + + def test_tgs_asserted_identity_missing(self): + """Test that the Authentication Identity Asserted Identity SID is not + added to the PAC when performing a TGS‐REQ.""" + client_sids = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), + (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), + } + + 
self._tgs(use_fast=False, + client_sids=client_sids, + expected_groups=client_sids) + + def test_tgs_asserted_identity_missing_from_rodc(self): + """Test that the Authentication Identity Asserted Identity SID is not + added to an RODC‐issued PAC when performing a TGS‐REQ.""" + client_sids = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), + (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), + } + + self._tgs(use_fast=False, + client_from_rodc=True, + client_sids=client_sids, + expected_groups=client_sids) + + def test_tgs_service_asserted_identity(self): + """Test performing a TGS‐REQ with the Service Asserted Identity SID + present.""" + client_sids = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), + (self.service_asserted_identity, SidType.EXTRA_SID, self.default_attrs), + (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), + } + + self._tgs(use_fast=False, + client_sids=client_sids, + expected_groups=client_sids) + + def test_tgs_service_asserted_identity_from_rodc(self): + """Test that the Service Asserted Identity SID in an + RODC‐issued PAC is not preserved when performing a TGS‐REQ.""" + client_sids = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), + (self.service_asserted_identity, SidType.EXTRA_SID, self.default_attrs), + (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), + } + + expected_groups = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), + # Don’t expect the Service Asserted Identity SID. 
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), + } + + self._tgs(use_fast=False, + client_from_rodc=True, + client_sids=client_sids, + expected_groups=expected_groups) + def test_tgs_without_aa_asserted_identity(self): client_sids = { (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 6bfde1aa536..92eba18901f 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
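Review bot: The method name `test_tgs_aa_asserted_identity_from_rodc_no_attrs_from_rodc` repeats `_from_rodc`, and the same name is now hard-coded in both knownfail lists, so fixing it later means touching three files in lockstep; `def test_tgs_aa_asserted_identity_no_attrs_from_rodc(self):` would mirror its non-RODC sibling `test_tgs_aa_asserted_identity_no_attrs`. Separately, `test_tgs_compound_authentication` runs with `use_fast=False` yet expects the Compounded Authentication SID to survive unchanged, which a reader could take as the KDC performing compound authentication itself; consider adding to its docstring: `The SID is carried over from the TGT's PAC as-is; no FAST armor is used, so the KDC is not itself compounding the identity.` The RODC variant expects the same SID to be dropped, which reads as: only a full-DC-issued PAC is trusted to carry it, and is worth stating in that docstring too. The enclosing class continues outside the hunk.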
@@ -132,6 +132,12 @@
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\)
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_delegating_proxy_in_network_group_rbcd\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_network_group_rbcd\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_aa_asserted_identity_from_rodc_no_attrs_from_rodc\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_aa_asserted_identity_from_rodc\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_asserted_identity_missing_from_rodc\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_claims_valid_missing_from_rodc\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_compound_authentication_from_rodc\(ad_dc\)$
+^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_service_asserted_identity_from_rodc\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_with_aa_asserted_identity_both_from_rodc\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_with_aa_asserted_identity_client_from_rodc\(ad_dc\)$
 ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_tgs_without_claims_valid_both_from_rodc\(ad_dc\)$
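Review bot: All six new knownfail entries are exactly the `client_from_rodc=True` variants of the new tests, presumably because the TGS handling of SIDs in an RODC-issued PAC that they specify is not yet implemented for the Heimdal KDC, but nothing in the file records that reason. If the file accepts comment lines, a one-liner above the group such as `# TGS-REQ handling of asserted-identity / compound-auth SIDs in RODC-issued PACs is not yet implemented` would stop a later reader from assuming the tests themselves are wrong. The non-RODC siblings are absent from the list, so the full-DC pass-through path is being checked today.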
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 56a3b3a81d4..5870ca734d8 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -4078,6 +4078,12 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_device_in_network_group_rbcd\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_device_in_service_asserted_identity_rbcd\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_device_in_world_group_rbcd\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_aa_asserted_identity_from_rodc_no_attrs_from_rodc\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_aa_asserted_identity_from_rodc\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_asserted_identity_missing_from_rodc\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_claims_valid_missing_from_rodc\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_compound_authentication_from_rodc\(ad_dc\)$
+^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_service_asserted_identity_from_rodc\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_aa_asserted_identity\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_authenticated_users\(ad_dc\)$
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_claims_valid\(ad_dc\)$