tests/krb5: Always specify expected error code

Now the expected error code is always determined by the test code itself
rather than by generic_check_as_error().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

python/samba/tests/krb5/as_req_tests.py

@@ -24,8 +24,10 @@ os.environ["PYTHONUNBUFFERED"] = "1"
 
 from samba.tests import DynamicTestCase
 from samba.tests.krb5.kdc_base_test import KDCBaseTest
+import samba.tests.krb5.kcrypto as kcrypto
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
 from samba.tests.krb5.rfc4120_constants import (
+    KDC_ERR_ETYPE_NOSUPP,
     KDC_ERR_PREAUTH_REQUIRED,
     KU_PA_ENC_TIMESTAMP,
     NT_PRINCIPAL,
@@ -68,13 +70,20 @@ class AsReqKerberosTests(KDCBaseTest):
         sname = self.PrincipalName_create(name_type=NT_SRV_INST,
                                           names=[krbtgt_account, realm])
 
-        expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
         expected_crealm = realm
         expected_cname = cname
         expected_srealm = realm
         expected_sname = sname
         expected_salt = client_creds.get_forced_salt()
 
+        if any(etype in client_as_etypes and etype in initial_etypes
+               for etype in (kcrypto.Enctype.AES256,
+                             kcrypto.Enctype.AES128,
+                             kcrypto.Enctype.RC4)):
+            expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
+        else:
+            expected_error_mode = KDC_ERR_ETYPE_NOSUPP
+
         def _generate_padata_copy(_kdc_exchange_dict,
                                   _callback_dict,
                                   req_body):

python/samba/tests/krb5/raw_testcase.py

@@ -40,9 +40,7 @@ from samba.tests import TestCaseInTempDir
 
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
 from samba.tests.krb5.rfc4120_constants import (
-    KDC_ERR_ETYPE_NOSUPP,
     KDC_ERR_GENERIC,
-    KDC_ERR_PREAUTH_REQUIRED,
     KRB_AP_REQ,
     KRB_AS_REP,
     KRB_AS_REQ,
@@ -1524,7 +1522,7 @@ class RawKerberosTest(TestCaseInTempDir):
                          check_padata_fn=None,
                          check_kdc_private_fn=None,
                          callback_dict=None,
-                         expected_error_mode=None,
+                         expected_error_mode=0,
                          client_as_etypes=None,
                          expected_salt=None):
         kdc_exchange_dict = {
@@ -1809,13 +1807,11 @@ class RawKerberosTest(TestCaseInTempDir):
         if expected_rc4_type != 0:
             expect_etype_info2 += (expected_rc4_type,)
 
-        expected_error = KDC_ERR_ETYPE_NOSUPP
         expected_patypes = ()
         if expect_etype_info:
             self.assertGreater(len(expect_etype_info2), 0)
             expected_patypes += (PADATA_ETYPE_INFO,)
         if len(expect_etype_info2) != 0:
-            expected_error = KDC_ERR_PREAUTH_REQUIRED
             expected_patypes += (PADATA_ETYPE_INFO2,)
 
         expected_patypes += (PADATA_ENC_TIMESTAMP,)
@@ -1824,7 +1820,7 @@ class RawKerberosTest(TestCaseInTempDir):
 
         self.assertElementEqual(rep, 'pvno', 5)
         self.assertElementEqual(rep, 'msg-type', KRB_ERROR)
-        self.assertElementEqual(rep, 'error-code', expected_error)
+        self.assertElementEqual(rep, 'error-code', expected_error_mode)
         self.assertElementMissing(rep, 'ctime')
         self.assertElementMissing(rep, 'cusec')
         self.assertElementPresent(rep, 'stime')
@@ -1889,7 +1885,10 @@ class RawKerberosTest(TestCaseInTempDir):
                 self.assertEqual(len(pk_as_rep19), 0)
                 continue
 
-        if expected_error == KDC_ERR_ETYPE_NOSUPP:
+        if all(etype not in client_as_etypes or etype not in proposed_etypes
+               for etype in (kcrypto.Enctype.AES256,
+                             kcrypto.Enctype.AES128,
+                             kcrypto.Enctype.RC4)):
             self.assertIsNone(etype_info2)
             self.assertIsNone(etype_info)
             if self.strict_checking: