From: Joseph Sutton Date: Fri, 29 Sep 2023 00:21:01 +0000 (+1300) Subject: tests/krb5: Add tests performing AS‐REQs armored with unacceptable tickets X-Git-Tag: tevent-0.16.0~266 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=989fb009852e8b80691f71fd784c93bb29a58465;p=thirdparty%2Fsamba.git tests/krb5: Add tests performing AS‐REQs armored with unacceptable tickets Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index 6619081a844..7dccdf2479f 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -1163,6 +1163,11 @@ class KdcTgsTests(KdcTgsBaseTests): self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED, expected_sname=self.get_krbtgt_sname()) + def test_fast_as_req_no_pac(self): + creds = self._get_creds() + tgt = self._get_tgt(creds, remove_pac=True) + self._fast_as_req(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) + # Test making a request with authdata and without a PAC. def test_tgs_authdata_no_pac(self): creds = self._get_creds() @@ -1199,6 +1204,11 @@ class KdcTgsTests(KdcTgsBaseTests): self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED, expected_sname=self.get_krbtgt_sname()) + def test_fast_as_req_authdata_no_pac(self): + creds = self._get_creds() + tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True) + self._fast_as_req(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) + # Test changing the SID in the PAC to that of another account. def test_tgs_sid_mismatch_existing(self): creds = self._get_creds() 
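Review bot: `test_fast_as_req_no_pac` is added without the one-line comment that neighbouring tests carry (for example `# Test making a request with authdata and without a PAC.`), so the condition that makes the armor ticket unacceptable has to be read off the `_get_tgt` arguments. A line such as `# Test performing an AS-REQ armored with a TGT that has no PAC.` above the method would state it directly. The same gap applies to `test_fast_as_req_authdata_no_pac` in the next hunk and to the two `test_fast_as_req_sid_mismatch_*` tests further down. Those comments should also record that the modified ticket is used only as FAST armor, while the AS-REQ itself is made for a different account.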
@@ -1240,6 +1250,13 @@ class KdcTgsTests(KdcTgsBaseTests): expected_error=KDC_ERR_TGT_REVOKED, expected_sname=self.get_krbtgt_sname()) + def test_fast_as_req_sid_mismatch_existing(self): + creds = self._get_creds() + existing_rid = self._get_existing_rid() + tgt = self._get_tgt(creds, new_rid=existing_rid) + self._fast_as_req(tgt, creds, + expected_error=KDC_ERR_TGT_REVOKED) + def test_requester_sid_mismatch_existing(self): creds = self._get_creds() existing_rid = self._get_existing_rid() @@ -1304,6 +1321,13 @@ class KdcTgsTests(KdcTgsBaseTests): expected_error=KDC_ERR_TGT_REVOKED, expected_sname=self.get_krbtgt_sname()) + def test_fast_as_req_sid_mismatch_nonexisting(self): + creds = self._get_creds() + nonexistent_rid = self._get_non_existent_rid() + tgt = self._get_tgt(creds, new_rid=nonexistent_rid) + self._fast_as_req(tgt, creds, + expected_error=KDC_ERR_TGT_REVOKED) + def test_requester_sid_mismatch_nonexisting(self): creds = self._get_creds() nonexistent_rid = self._get_non_existent_rid() @@ -3207,6 +3231,15 @@ class KdcTgsTests(KdcTgsBaseTests): expect_pac=expect_pac, expect_edata=expect_edata) + def _fast_as_req(self, armor_tgt, armor_tgt_creds, expected_error): + user_creds = self._get_mach_creds() + target_creds = self.get_service_creds() + + return self._armored_as_req(user_creds, target_creds, armor_tgt, + expected_error=expected_error, + expected_sname=self.get_krbtgt_sname(), + expect_edata=False) + if __name__ == "__main__": global_asn1_print = False diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index d241b615811..b36aad83acd 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc 
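Review bot: In the `_fast_as_req` helper added by the last hunk of this file, the `armor_tgt_creds` parameter is never read; only `armor_tgt` is forwarded to `_armored_as_req`. All four new tests pass `creds` in that position, which suggests the armor principal's credentials take part in the exchange when the visible code does not use them. Either drop the parameter and update the four callers, or keep it and say why in a docstring, e.g. `"""Send an AS-REQ for a machine account armored with armor_tgt and check for expected_error."""`. A short why-comment on the hard-coded `expect_edata=False` would also help, since it is otherwise unclear whether the missing e-data is part of what is being asserted.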
@@ -329,6 +329,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ # # KDC TGT tests # +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_authdata_no_pac +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_no_pac +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_sid_mismatch_existing +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_sid_mismatch_nonexisting ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_authdata_no_pac ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_no_pac ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_false
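Review bot: The four `test_fast_as_req_*` entries are added to the MIT KDC knownfail list with no comment on how they fail there. These tests assert that a PAC-less or SID-altered armor TGT is rejected with `KDC_ERR_TGT_REVOKED`, so a knownfail could mean either a different error code or that the MIT build accepts the armored request. The list does not say which, and the difference matters to anyone relying on it. A comment above the new lines would record it, e.g. `# MIT KDC: armored AS-REQ with a modified armor TGT is not rejected with KDC_ERR_TGT_REVOKED (observed result: <fill in>)`.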