1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00

tests/krb5: Make use of gmsa_series_for_account() method

This allows us to replace a call to
expected_current_gmsa_password_blob() with one to
expected_gmsa_password_blob(), a method which allows us to specify the
exact key we expect.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Jo Sutton 2024-04-24 17:20:14 +12:00 committed by Andrew Bartlett
parent 577aa79042
commit 41e71406a1

View File

@ -300,6 +300,16 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
self.future_gkid(), gkdi_rollover_interval(managed_password_interval)
)
def gmsa_series_for_account(
self, samdb: SamDB, creds: KerberosCredentials, managed_password_interval: int
) -> GmsaSeries:
gmsa_object = self.get_gmsa_object(samdb, creds.get_dn())
current_nt_time = self.current_nt_time(samdb)
gkid = Gkid.from_nt_time(
self.account_quantized_time(gmsa_object, current_nt_time)
)
return GmsaSeries(gkid, gkdi_rollover_interval(managed_password_interval))
def quantized_time(
self, key_start_time: NtTime, time: NtTime, gkdi_rollover_interval: NtTimeDelta
) -> NtTime:
@ -311,6 +321,16 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
)
return NtTime(key_start_time + quantized_time_since_key_start)
def account_quantized_time(self, gmsa_object: Gmsa, time: NtTime) -> NtTime:
pwd_id_blob = gmsa_object.get("msDS-ManagedPasswordId", idx=0)
self.assertIsNotNone(pwd_id_blob, "SAM should have initialized password ID")
pwd_id = ndr_unpack(gkdi.KeyEnvelope, pwd_id_blob)
key_start_time = Gkid.from_key_envelope(pwd_id).start_nt_time()
gkdi_rollover_interval = self.gmsa_rollover_interval(gmsa_object)
return self.quantized_time(key_start_time, time, gkdi_rollover_interval)
def expected_gmsa_password_blob(
self,
samdb: SamDB,
@ -1010,8 +1030,14 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
self.assertEqual(creds.get_nt_hash(), previous_nt_hash)
# Calculate the password with which to authenticate.
managed_pwd = self.expected_current_gmsa_password_blob(
samdb, creds, future_key_is_acceptable=False
current_series = self.gmsa_series_for_account(
local_samdb, creds, password_interval
)
managed_pwd = self.expected_gmsa_password_blob(
local_samdb,
creds,
current_series.interval_gkid(0),
query_expiration_gkid=current_series.interval_gkid(1),
)
# Set the new password.