From: Andrew Bartlett Date: Mon, 4 Mar 2024 23:38:06 +0000 (+1300) Subject: selftest: Assert that the provision KDS root key is already valid for use X-Git-Tag: tdb-1.4.11~1527 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fb219d545bb3bd328200a3097b52594617fc246a;p=thirdparty%2Fsamba.git selftest: Assert that the provision KDS root key is already valid for use Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton
---
diff --git a/python/samba/tests/dsdb_quiet_provision_tests.py b/python/samba/tests/dsdb_quiet_provision_tests.py
index da642a7a94d..81ef3ceb74f 100644
--- a/python/samba/tests/dsdb_quiet_provision_tests.py
+++ b/python/samba/tests/dsdb_quiet_provision_tests.py
@@ -28,6 +28,11 @@ from samba.credentials import Credentials
 from samba.samdb import SamDB
 from samba.auth import system_session
 from samba.tests import TestCase
+from samba.gkdi import (
+ KEY_CYCLE_DURATION,
+ MAX_CLOCK_SKEW
+)
+from samba.nt_time import nt_now
 import ldb
 import samba
@@ -48,12 +53,17 @@ class DsdbQuietProvisionTests(TestCase):
 def test_dsdb_dn_gkdi_gmsa_root_keys_exist(self):
 """In provision we set up a GKDI root key.
- There should always be at least one.
+ There should always be at least one that is already valid
 """
+ current_time = nt_now()
+ # We need the GKDI key to be already available for use
+ min_use_start_time = current_time \ - KEY_CYCLE_DURATION - MAX_CLOCK_SKEW
+
 dn = self.samdb.get_config_basedn()
 dn.add_child("CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services")
 res = self.samdb.search(dn, scope=ldb.SCOPE_SUBTREE,
- expression="(objectClass = msKds-ProvRootKey)")
+ expression=f"(&(objectClass = msKds-ProvRootKey)(msKds-UseStartTime<={min_use_start_time}))")
 self.assertGreater(len(res), 0)
diff --git a/selftest/knownfail.d/gkdi b/selftest/knownfail.d/gkdi
index fbea302922f..db82ad8c3aa 100644
--- a/selftest/knownfail.d/gkdi
+++ b/selftest/knownfail.d/gkdi
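Review bot: The unchanged `self.assertGreater(len(res), 0)` at the end of the second hunk now checks a time-bounded filter but still fails with only "0 not greater than 0", so when it trips (and the same commit adds it to knownfail.d/gkdi, so it is expected to trip) the log gives no hint whether no root key exists at all or every key simply has a `msKds-UseStartTime` later than the threshold. Pass the threshold in the message: `self.assertGreater(len(res), 0, msg=f"no msKds-ProvRootKey with msKds-UseStartTime <= {min_use_start_time} (now={current_time})")`. The backslash continuation in the threshold computation is also better written with parentheses, `min_use_start_time = (current_time - KEY_CYCLE_DURATION - MAX_CLOCK_SKEW)`, and the comment above it would help a reader more if it said why both a full key cycle and the clock-skew allowance are subtracted, which the hunk does not explain. Note that interpolating into the LDAP filter is safe here only because the value is an integer derived from `nt_now()`; a comment such as `# int, not attacker-controlled, so safe to interpolate into the filter` would keep a later edit from reusing the pattern with a string.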
@@ -17,3 +17,4 @@
 ^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiImplicitRootKeyTests\.test_request_default_seed_key\(ad_dc\)$
 ^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiImplicitRootKeyTests\.test_request_l0_seed_key\(ad_dc\)$
 ^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiImplicitRootKeyTests\.test_request_l1_seed_key\(ad_dc\)$
+^samba.tests.dsdb_quiet_provision_tests.samba.tests.dsdb_quiet_provision_tests.DsdbQuietProvisionTests.test_dsdb_dn_gkdi_gmsa_root_keys_exist
\ No newline at end of file
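Review bot: The new knownfail entry leaves every `.` unescaped and has no trailing anchor, unlike the three neighbouring entries, which escape the dots and end in `\(ad_dc\)$`; as a regex it therefore matches more loosely than the list's convention. Escaping the dots, `^samba\.tests\.dsdb_quiet_provision_tests\.samba\.tests\.dsdb_quiet_provision_tests\.DsdbQuietProvisionTests\.test_dsdb_dn_gkdi_gmsa_root_keys_exist`, keeps the file consistent; leaving the end unanchored may be intentional if the test runs in several environments, but that is not stated. The added line also lacks a terminating newline, which the next addition to this file will have to repair.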