From: Andrew Bartlett
Date: Mon, 25 Mar 2024 21:28:38 +0000 (+1300)
Subject: dsdb: Add API tests for new_gkdi_root_key()
X-Git-Tag: tdb-1.4.11~1352
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=06912de3b2ae84c795f5d3e7ee03872937260ee4;p=thirdparty%2Fsamba.git

dsdb: Add API tests for new_gkdi_root_key()
These show that the new root key should be based on the server configuration object, not just hardcoded defaults.
Signed-off-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall
---
diff --git a/python/samba/tests/dsdb_quiet_provision_tests.py b/python/samba/tests/dsdb_quiet_provision_tests.py
index 81ef3ceb74f..f6bdf1705f3 100644
--- a/python/samba/tests/dsdb_quiet_provision_tests.py
+++ b/python/samba/tests/dsdb_quiet_provision_tests.py
@@ -67,3 +67,214 @@ class DsdbQuietProvisionTests(TestCase): expression=f"(&(objectClass = msKds-ProvRootKey)(msKds-UseStartTime<={min_use_start_time}))") self.assertGreater(len(res), 0) + + def test_gkdi_create_root_key_wrong_version(self): + + server_config_dn = self.samdb.get_config_basedn() + server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration," + + "CN=Server Configuration," + + "CN=Group Key Distribution Service," + + "CN=Services") + res = self.samdb.search(base=server_config_dn, + scope=ldb.SCOPE_BASE, + attrs=["msKds-Version"]) + + self.assertEqual(len(res), 1) + + msg = res[0] + version = int(msg["msKds-Version"][0]) + self.assertEqual(version, 1) + + self.addCleanup(self.samdb.modify, + ldb.Message.from_dict(self.samdb, + {"dn": msg["dn"], + "msKds-Version": [str(version)]}, + ldb.FLAG_MOD_REPLACE)) + self.samdb.modify(ldb.Message.from_dict(self.samdb, + {"dn": msg["dn"], + "msKds-Version": ["2"]}, + ldb.FLAG_MOD_REPLACE)) + + try: + self.samdb.new_gkdi_root_key() + self.fail("Creating key with invalid version should fail") + except ldb.LdbError as e: + (enum, estr) = e.args + self.assertEqual(enum, ldb.ERR_CONSTRAINT_VIOLATION) + + def test_gkdi_create_root_key_4096(self): + + server_config_dn = self.samdb.get_config_basedn() + server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration," + + "CN=Server Configuration," + + "CN=Group Key Distribution Service," + + "CN=Services") + res = self.samdb.search(base=server_config_dn, + scope=ldb.SCOPE_BASE, + attrs=["msKds-PublicKeyLength"]) + + self.assertEqual(len(res), 1) + + msg = res[0] + if "msKds-PublicKeyLength" in msg: + keylen = msg[0]["msKds-PublicKeyLength"] + # Ensure test still tests something in the future, if the default changes + self.assertNotEqual(keylen, 4096) + self.addCleanup(self.samdb.modify, + ldb.Message.from_dict(self.samdb, + {"dn": msg["dn"], + "msKds-PublicKeyLength": [str(keylen)]}, + ldb.FLAG_MOD_REPLACE)) + else: + 
self.addCleanup(self.samdb.modify, + ldb.Message.from_dict(self.samdb, + {"dn": msg["dn"], + "msKds-PublicKeyLength": []}, + ldb.FLAG_MOD_DELETE)) + + self.samdb.modify(ldb.Message.from_dict(self.samdb, + {"dn": msg["dn"], + "msKds-PublicKeyLength": ["4096"]}, + ldb.FLAG_MOD_REPLACE)) + + dn = self.samdb.new_gkdi_root_key() + + root_key_res = self.samdb.search(base=dn, + scope=ldb.SCOPE_BASE) + self.assertEqual(len(root_key_res), 1) + root_key = root_key_res[0] + + self.assertEqual(int(root_key["msKds-PublicKeyLength"][0]), 4096) + self.assertEqual(str(root_key["msKds-KDFAlgorithmID"][0]), "SP800_108_CTR_HMAC") + self.assertEqual(str(root_key["msKds-SecretAgreementAlgorithmID"][0]), "DH") + self.assertEqual(int(root_key["msKds-Version"][0]), 1) + + def test_gkdi_create_root_key_priv_1024(self): + + server_config_dn = self.samdb.get_config_basedn() + server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration," + + "CN=Server Configuration," + + "CN=Group Key Distribution Service," + + "CN=Services") + res = self.samdb.search(base=server_config_dn, + scope=ldb.SCOPE_BASE, + attrs=["msKds-PrivateKeyLength"]) + + self.assertEqual(len(res), 1) + + msg = res[0] + if "msKds-PrivateKeyLength" in msg: + keylen = msg["msKds-PrivateKeyLength"] + # Ensure test still tests something in the future, if the default changes + self.assertNotEqual(keylen, 1024) + self.addCleanup(self.samdb.modify, + ldb.Message.from_dict(self.samdb, + {"dn": msg["dn"], + "msKds-PrivateKeyLength": [str(keylen)]}, + ldb.FLAG_MOD_REPLACE)) + else: + self.addCleanup(self.samdb.modify, + ldb.Message.from_dict(self.samdb, + {"dn": msg["dn"], + "msKds-PrivateKeyLength": []}, + ldb.FLAG_MOD_DELETE)) + + self.samdb.modify(ldb.Message.from_dict(self.samdb, + {"dn": msg["dn"], + "msKds-PrivateKeyLength": ["1024"]}, + ldb.FLAG_MOD_REPLACE)) + + dn = self.samdb.new_gkdi_root_key() + + root_key_res = self.samdb.search(base=dn, + scope=ldb.SCOPE_BASE) + self.assertEqual(len(root_key_res), 1) 
+ root_key = root_key_res[0] + + self.assertEqual(int(root_key["msKds-PrivateKeyLength"][0]), 1024) + self.assertEqual(str(root_key["msKds-KDFAlgorithmID"][0]), "SP800_108_CTR_HMAC") + self.assertEqual(str(root_key["msKds-SecretAgreementAlgorithmID"][0]), "DH") + self.assertEqual(int(root_key["msKds-Version"][0]), 1) + + def test_gkdi_create_root_key_bad_alg(self): + server_config_dn = self.samdb.get_config_basedn() + server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration," + + "CN=Server Configuration," + + "CN=Group Key Distribution Service," + + "CN=Services") + res = self.samdb.search(base=server_config_dn, + scope=ldb.SCOPE_BASE, + attrs=["msKds-KDFAlgorithmID"]) + + self.assertEqual(len(res), 1) + + msg = res[0] + if "msKds-KDFAlgorithmID" in msg: + alg = msg["msKds-KDFAlgorithmID"][0] + self.addCleanup(self.samdb.modify, + ldb.Message.from_dict(self.samdb, + {"dn": msg["dn"], + "msKds-KDFAlgorithmID": [alg]}, + ldb.FLAG_MOD_REPLACE)) + else: + self.addCleanup(self.samdb.modify, + ldb.Message.from_dict(self.samdb, + {"dn": msg["dn"], + "msKds-KDFAlgorithmID": []}, + ldb.FLAG_MOD_DELETE)) + + self.samdb.modify(ldb.Message.from_dict(self.samdb, + {"dn": msg["dn"], + "msKds-KDFAlgorithmID": ["NO_AN_ALG"]}, + ldb.FLAG_MOD_REPLACE)) + + try: + self.samdb.new_gkdi_root_key() + self.fail("Creating key with invalid algorithm should fail") + except ldb.LdbError as e: + (enum, estr) = e.args + self.assertEqual(enum, ldb.ERR_CONSTRAINT_VIOLATION) + + def test_gkdi_create_root_key_good_alg(self): + server_config_dn = self.samdb.get_config_basedn() + server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration," + + "CN=Server Configuration," + + "CN=Group Key Distribution Service," + + "CN=Services") + res = self.samdb.search(base=server_config_dn, + scope=ldb.SCOPE_BASE, + attrs=["msKds-KDFAlgorithmID"]) + + self.assertEqual(len(res), 1) + + msg = res[0] + if "msKds-KDFAlgorithmID" in msg: + alg = 
msg["msKds-KDFAlgorithmID"][0] + self.addCleanup(self.samdb.modify, + ldb.Message.from_dict(self.samdb, + {"dn": msg["dn"], + "msKds-KDFAlgorithmID": [alg]}, + ldb.FLAG_MOD_REPLACE)) + else: + self.addCleanup(self.samdb.modify, + ldb.Message.from_dict(self.samdb, + {"dn": msg["dn"], + "msKds-KDFAlgorithmID": []}, + ldb.FLAG_MOD_DELETE)) + + self.samdb.modify(ldb.Message.from_dict(self.samdb, + {"dn": msg["dn"], + "msKds-KDFAlgorithmID": ["SP800_108_CTR_HMAC"]}, + ldb.FLAG_MOD_REPLACE)) + + dn = self.samdb.new_gkdi_root_key() + + root_key_res = self.samdb.search(base=dn, + scope=ldb.SCOPE_BASE) + self.assertEqual(len(root_key_res), 1) + root_key = root_key_res[0] + + self.assertEqual(int(root_key["msKds-PublicKeyLength"][0]), 2048) + self.assertEqual(str(root_key["msKds-KDFAlgorithmID"][0]), "SP800_108_CTR_HMAC") + self.assertEqual(str(root_key["msKds-SecretAgreementAlgorithmID"][0]), "DH") + self.assertEqual(int(root_key["msKds-Version"][0]), 1) diff --git a/selftest/knownfail.d/gkdi b/selftest/knownfail.d/gkdi index fbea302922f..387bbfa2774 100644 --- a/selftest/knownfail.d/gkdi +++ b/selftest/knownfail.d/gkdi 
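Review bot: The "ensure the test still tests something" guard in `test_gkdi_create_root_key_4096` and `test_gkdi_create_root_key_priv_1024` cannot fire, because `keylen` is bound to an `ldb.MessageElement` (in the 4096 test via `msg[0]["msKds-PublicKeyLength"]`, which indexes the `ldb.Message` with an integer and does not match the sibling test's `msg["msKds-PrivateKeyLength"]`) and `assertNotEqual(keylen, 4096)` then compares an element object with an int, which is always unequal. Read the configured value as an int in both tests, `keylen = int(msg["msKds-PublicKeyLength"][0])` and `keylen = int(msg["msKds-PrivateKeyLength"][0])`, so the guard and the `str(keylen)` written back by the cleanup both operate on the actual length; whether the `if` branch runs at all on a default provision depends on the server configuration object already carrying the attribute, which the hunk does not show. Beyond that, the five tests repeat the same server-configuration DN construction and save/restore cleanup, roughly forty lines each, so a helper that takes the attribute name and new value, registers the restoring `addCleanup` before applying the change and returns the previous values would reduce each test to its own assertions (sketched below). The literal `"NO_AN_ALG"` in `test_gkdi_create_root_key_bad_alg` reads like a typo for `"NOT_AN_ALG"`; it only needs to be invalid, but the intent is clearer spelled out. The enclosing class `DsdbQuietProvisionTests` starts before this hunk.
```python
    def _override_gkdi_server_config(self, attr, new_value):
        # Set one attribute on the GKDI server configuration object for the
        # duration of the test; the previous state is restored by addCleanup.
        # Returns the previous values as a list, or None if the attribute
        # was absent.
        server_config_dn = self.samdb.get_config_basedn()
        server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration,"
                                   + "CN=Server Configuration,"
                                   + "CN=Group Key Distribution Service,"
                                   + "CN=Services")
        res = self.samdb.search(base=server_config_dn,
                                scope=ldb.SCOPE_BASE,
                                attrs=[attr])
        self.assertEqual(len(res), 1)
        msg = res[0]
        if attr in msg:
            old_values = list(msg[attr])
            restore = ldb.Message.from_dict(self.samdb,
                                            {"dn": msg["dn"], attr: old_values},
                                            ldb.FLAG_MOD_REPLACE)
        else:
            old_values = None
            restore = ldb.Message.from_dict(self.samdb,
                                            {"dn": msg["dn"], attr: []},
                                            ldb.FLAG_MOD_DELETE)
        # Register the restore before modifying, so the original state is
        # put back even if the modify itself raises.
        self.addCleanup(self.samdb.modify, restore)
        self.samdb.modify(ldb.Message.from_dict(self.samdb,
                                                {"dn": msg["dn"], attr: [new_value]},
                                                ldb.FLAG_MOD_REPLACE))
        return old_values

    def test_gkdi_create_root_key_4096(self):
        old_values = self._override_gkdi_server_config("msKds-PublicKeyLength", "4096")
        if old_values is not None:
            # Ensure test still tests something in the future, if the default changes
            self.assertNotEqual(int(old_values[0]), 4096)

        dn = self.samdb.new_gkdi_root_key()
        # … unchanged: base search on dn and the four assertions on root_key …
```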
@@ -17,3 +17,7 @@
 ^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiImplicitRootKeyTests\.test_request_default_seed_key\(ad_dc\)$
 ^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiImplicitRootKeyTests\.test_request_l0_seed_key\(ad_dc\)$
 ^samba\.tests\.krb5\.gkdi_tests\.samba\.tests\.krb5\.gkdi_tests\.GkdiImplicitRootKeyTests\.test_request_l1_seed_key\(ad_dc\)$
+^samba.tests.dsdb_quiet_provision_tests.samba.tests.dsdb_quiet_provision_tests.DsdbQuietProvisionTests.test_gkdi_create_root_key_4096
+^samba.tests.dsdb_quiet_provision_tests.samba.tests.dsdb_quiet_provision_tests.DsdbQuietProvisionTests.test_gkdi_create_root_key_bad_alg
+^samba.tests.dsdb_quiet_provision_tests.samba.tests.dsdb_quiet_provision_tests.DsdbQuietProvisionTests.test_gkdi_create_root_key_priv_1024
+^samba.tests.dsdb_quiet_provision_tests.samba.tests.dsdb_quiet_provision_tests.DsdbQuietProvisionTests.test_gkdi_create_root_key_wrong_version
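Review bot: The four added knownfail patterns are written more loosely than the three entries above them: the dots are unescaped and there is no environment suffix or `$` anchor, so each regex also matches any test whose name starts with the given one, in any environment. Writing them in the file's existing form, e.g. `^samba\.tests\.dsdb_quiet_provision_tests\.samba\.tests\.dsdb_quiet_provision_tests\.DsdbQuietProvisionTests\.test_gkdi_create_root_key_4096\(<env>\)$` with `<env>` being the environment these tests run in (not visible here), keeps the known-failure list from masking other tests later.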