tests/krb5: Test that neither forwardable nor proxiable tickets are issued to Protected Users
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
c9d6a3dd66
commit
7026b08e23
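--- a/PATH-NOT-SHOWN (python test module samba.tests.krb5.authn_policy_tests; file header missing from page)
+++ b/PATH-NOT-SHOWN (python test module samba.tests.krb5.authn_policy_tests; file header missing from page)
@@ -1612,6 +1612,77 @@ class AuthnPolicyTests(AuthnPolicyBaseTests):
 
         self.check_as_log(client_creds)
 
+    # This variant of the test is adapted to the behaviour of Windows and MIT
+    # Kerberos. It asserts that tickets issued to Protected Users are neither
+    # forwardable nor proxiable.
+    def test_authn_policy_protected_flags_without_policy_error(self):
+        # Create an authentication policy with a TGT lifetime set.
+        lifetime = 6 * 60 * 60 # 6 hours
+        policy = self.create_authn_policy(enforced=True,
+                                          user_tgt_lifetime=lifetime)
+
+        # Create a user account with the assigned policy, belonging to the
+        # Protected Users group.
+        client_creds = self._get_creds(account_type=self.AccountType.USER,
+                                       protected=True,
+                                       assigned_policy=policy)
+
+        # Request a Kerberos ticket with a lifetime of eight hours, and request
+        # that it be renewable, forwardable and proxiable. Show that the
+        # returned ticket for the protected user is only renewable.
+        till = self.get_KerberosTime(offset=8 * 60 * 60) # 8 hours
+        tgt = self._get_tgt(
+            client_creds,
+            till=till,
+            kdc_options=str(krb5_asn1.KDCOptions(
+                'renewable,forwardable,proxiable')),
+            expected_flags=krb5_asn1.TicketFlags('renewable'),
+            unexpected_flags=krb5_asn1.TicketFlags('forwardable,proxiable'))
+        self.check_ticket_times(tgt, expected_life=lifetime,
+                                expected_renew_life=lifetime)
+
+        self.check_as_log(client_creds)
+
+    # This variant of the test is adapted to the behaviour of Heimdal
+    # Kerberos. It asserts that we get a policy error when requesting a
+    # proxiable ticket.
+    def test_authn_policy_protected_flags_with_policy_error(self):
+        # Create an authentication policy with a TGT lifetime set.
+        lifetime = 6 * 60 * 60 # 6 hours
+        policy = self.create_authn_policy(enforced=True,
+                                          user_tgt_lifetime=lifetime)
+
+        # Create a user account with the assigned policy, belonging to the
+        # Protected Users group.
+        client_creds = self._get_creds(account_type=self.AccountType.USER,
+                                       protected=True,
+                                       assigned_policy=policy)
+
+        # Request a Kerberos ticket with a lifetime of eight hours, and request
+        # that it be renewable and forwardable. Show that the returned ticket
+        # for the protected user is only renewable.
+        till = self.get_KerberosTime(offset=8 * 60 * 60) # 8 hours
+        tgt = self._get_tgt(
+            client_creds,
+            till=till,
+            kdc_options=str(krb5_asn1.KDCOptions('renewable,forwardable')),
+            expected_flags=krb5_asn1.TicketFlags('renewable'),
+            unexpected_flags=krb5_asn1.TicketFlags('forwardable'))
+        self.check_ticket_times(tgt, expected_life=lifetime,
+                                expected_renew_life=lifetime)
+
+        self.check_as_log(client_creds)
+
+        # Request that the Kerberos ticket be proxiable. Show that we get a
+        # policy error.
+        self._get_tgt(client_creds,
+                      till=till,
+                      kdc_options=str(krb5_asn1.KDCOptions('proxiable')),
+                      expected_error=KDC_ERR_POLICY)
+
+        self.check_as_log(client_creds,
+                          status=ntstatus.NT_STATUS_INVALID_WORKSTATION)
+
     def test_authn_policy_tgt_lifetime_zero_protected(self):
         # Create an authentication policy with the TGT lifetime set to zero.
         policy = self.create_authn_policy(enforced=True,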
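Review bot: The two new methods assert contradictory KDC behaviour for the same Protected Users request — silent stripping of the forwardable/proxiable flags in test_authn_policy_protected_flags_without_policy_error versus KDC_ERR_POLICY in test_authn_policy_protected_flags_with_policy_error — and nothing in the hunk selects which one applies to a given build, so that choice is presumably left to the known-failure lists. A docstring on each method stating that the pair is mutually exclusive and which backend (Windows/MIT versus Heimdal) each encodes would keep the next reader from treating a failing variant as a regression. The final check_as_log in the Heimdal variant expects NT_STATUS_INVALID_WORKSTATION for a rejected proxiable request, which is not obvious; a why-comment such as `# NOTE(review): the rejected proxiable request is logged as a workstation-restriction failure — confirm against the KDC's status mapping` would help. In that variant forwardable is only ever requested together with renewable (and silently dropped) while proxiable is only requested on its own, so the two flags are not exercised symmetrically; at least the leading comment should say that this asymmetry is intentional. The enclosing class AuthnPolicyTests starts and ends outside the hunk.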
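--- a/PATH-NOT-SHOWN (known-failure list; file header missing from page)
+++ b/PATH-NOT-SHOWN (known-failure list; file header missing from page)
@@ -63,6 +63,8 @@
 #
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_empty.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_empty.ad_dc
+^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_with_policy_error.ad_dc
+^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_without_policy_error.ad_dc
 #
 # PK-INIT tests
 #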
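Review bot: Both the Heimdal-adapted and the Windows/MIT-adapted variant are added to this known-failure list, and the same pair is added again in the following hunk (`@ -72,6 +72,8 @@`), so for whatever environment each list covers neither expectation about forwardable/proxiable flags for Protected Users is enforced. If, as the two hunk offsets suggest, these are two separate per-backend lists, one would expect each list to carry only the variant that does not match its backend; listing both in each reads as "behaviour unresolved" rather than "known divergence". A short comment above the two entries naming the reason they are expected to fail (missing policy support in that KDC, or a pending behaviour decision) would make the intent checkable when the entries are later removed.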
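--- a/PATH-NOT-SHOWN (known-failure list; file header missing from page)
+++ b/PATH-NOT-SHOWN (known-failure list; file header missing from page)
@@ -72,6 +72,8 @@
 #
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_no_fast_negative_lifetime.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_s4u2self_constrained_delegation.ad_dc
+^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_with_policy_error.ad_dc
+^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_without_policy_error.ad_dc
 #
 # PK-INIT tests
 #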