sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-09 08:58:35 +03:00
Code

tests/krb5: Add support to test framework for existing device info or claims buffers

Browse Source 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2023-11-01 10:16:57 +13:00 committed by Andrew Bartlett
parent e468a7d627
commit 014c939bdd
1 changed files with 53 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
python/samba/tests/krb5/conditional_ace_tests.py
View File

@ -4261,7 +4261,11 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests):
def test_pac_device_info_no_claims_valid(self):
self._run_pac_device_info_test(device_claims_valid=False)
def _run_pac_device_info_test(self, compound_id_support=True, device_claims_valid=True):
def _run_pac_device_info_test(self, *,
compound_id_support=True,
device_claims_valid=True,
existing_device_claims=False,
existing_device_info=False):
"""Test the groups of the client and the device after performing a
FASTarmored TGSREQ.
"""
@ -4292,7 +4296,24 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests):
]),
]
if compound_id_support:
existing_claim_id = 'the name of an existing device claim'
existing_claim_value = 'the value of an existing device claim'
existing_claims = [
(claims.CLAIMS_SOURCE_TYPE_CERTIFICATE, [
(existing_claim_id, claims.CLAIM_TYPE_STRING, [existing_claim_value]),
]),
]
if existing_device_info and existing_device_claims:
expected_device_claims = {
existing_claim_id: {
'source_type': claims.CLAIMS_SOURCE_TYPE_CERTIFICATE,
'type': claims.CLAIM_TYPE_STRING,
'values': (existing_claim_value,),
},
}
elif compound_id_support and not existing_device_info and not existing_device_claims:
expected_device_claims = {
device_claim_id: {
'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
@ -4343,15 +4364,32 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests):
client_creds = self._get_creds(account_type=self.AccountType.USER)
client_tgt = self.get_tgt(client_creds)
client_modify_pac_fns = [
partial(self.set_pac_sids,
new_sids=client_sids),
partial(self.set_pac_claims, client_claims=client_claims),
]
if existing_device_claims:
client_modify_pac_fns.append(
partial(self.set_pac_claims, device_claims=existing_claims))
if existing_device_info:
existing_sids = {
(security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
(security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
# These are different from the SIDs in the devices TGT.
('S-1-7-8-9', SidType.EXTRA_SID, self.resource_attrs),
('S-1-9-8-7', SidType.EXTRA_SID, self.resource_attrs),
}
client_modify_pac_fns.append(partial(
self.set_pac_device_sids, new_sids=existing_sids, user_rid=mach_creds.get_rid()))
# Modify the clients TGT to contain only the SID of the clients
# primary group.
client_tgt = self.modified_ticket(
client_tgt,
modify_pac_fn=[
partial(self.set_pac_sids,
new_sids=client_sids),
partial(self.set_pac_claims, client_claims=client_claims),
],
modify_pac_fn=client_modify_pac_fns,
checksum_keys=self.get_krbtgt_checksum_key())
# Indicate that Compound Identity is supported.
@ -4365,7 +4403,14 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests):
# Claims Valid SIDs.
}
if compound_id_support:
if existing_device_info:
expected_device_sids = {
(security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
(security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
('S-1-7-8-9', SidType.EXTRA_SID, self.resource_attrs),
('S-1-9-8-7', SidType.EXTRA_SID, self.resource_attrs),
}
elif compound_id_support and not existing_device_claims:
expected_sids.add((security.SID_COMPOUNDED_AUTHENTICATION, SidType.EXTRA_SID, self.default_attrs))
expected_device_sids = {