tests/krb5: Add method to perform an armored AS‐REQ
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
eba1ab0c84
commit
849ee95984
python/samba/tests/krb5
@ -36,6 +36,7 @@ from samba.tests.krb5.raw_testcase import Krb5EncryptionKey
|
||||
from samba.tests.krb5.rfc4120_constants import (
|
||||
AES256_CTS_HMAC_SHA1_96,
|
||||
ARCFOUR_HMAC_MD5,
|
||||
FX_FAST_ARMOR_AP_REQUEST,
|
||||
KRB_ERROR,
|
||||
KDC_ERR_BADKEYVER,
|
||||
KDC_ERR_BADMATCH,
|
||||
@ -169,6 +170,122 @@ class KdcTgsBaseTests(KDCBaseTest):
|
||||
self.check_as_reply(rep)
|
||||
return kdc_exchange_dict['rep_ticket_creds']
|
||||
|
||||
def _armored_as_req(self,
|
||||
client_creds,
|
||||
target_creds,
|
||||
armor_tgt,
|
||||
*,
|
||||
expected_error=0,
|
||||
expected_sname=None,
|
||||
expect_edata=None,
|
||||
expect_status=None,
|
||||
expected_status=None,
|
||||
expected_groups=None,
|
||||
expect_device_info=None,
|
||||
expected_device_groups=None,
|
||||
expect_device_claims=None,
|
||||
expected_device_claims=None):
|
||||
client_username = client_creds.get_username()
|
||||
client_realm = client_creds.get_realm()
|
||||
client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
|
||||
names=[client_username])
|
||||
|
||||
target_name = target_creds.get_username()
|
||||
target_sname = self.PrincipalName_create(
|
||||
name_type=NT_PRINCIPAL, names=[target_name])
|
||||
target_realm = target_creds.get_realm()
|
||||
target_decryption_key = self.TicketDecryptionKey_from_creds(
|
||||
target_creds)
|
||||
target_etypes = target_creds.tgs_supported_enctypes
|
||||
|
||||
authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256)
|
||||
armor_key = self.generate_armor_key(authenticator_subkey,
|
||||
armor_tgt.session_key)
|
||||
|
||||
preauth_key = self.PasswordKey_from_creds(client_creds,
|
||||
kcrypto.Enctype.AES256)
|
||||
|
||||
client_challenge_key = (
|
||||
self.generate_client_challenge_key(armor_key, preauth_key))
|
||||
fast_padata = [self.get_challenge_pa_data(client_challenge_key)]
|
||||
|
||||
def _generate_fast_padata(kdc_exchange_dict,
|
||||
_callback_dict,
|
||||
req_body):
|
||||
return list(fast_padata), req_body
|
||||
|
||||
etypes = kcrypto.Enctype.AES256, kcrypto.Enctype.RC4
|
||||
|
||||
if expected_error:
|
||||
check_error_fn = self.generic_check_kdc_error
|
||||
check_rep_fn = None
|
||||
else:
|
||||
check_error_fn = None
|
||||
check_rep_fn = self.generic_check_kdc_rep
|
||||
|
||||
pac_options = '1' # claims support
|
||||
|
||||
samdb = self.get_samdb()
|
||||
domain_sid_str = samdb.get_domain_sid()
|
||||
|
||||
if expected_groups is not None:
|
||||
expected_groups = self.map_sids(expected_groups, None, domain_sid_str)
|
||||
|
||||
if expected_device_groups is not None:
|
||||
expected_device_groups = self.map_sids(expected_device_groups, None, domain_sid_str)
|
||||
|
||||
if expected_sname is None:
|
||||
expected_sname = target_sname
|
||||
|
||||
kdc_exchange_dict = self.as_exchange_dict(
|
||||
creds=client_creds,
|
||||
expected_crealm=client_realm,
|
||||
expected_cname=client_cname,
|
||||
expected_srealm=target_realm,
|
||||
expected_sname=expected_sname,
|
||||
expected_supported_etypes=target_etypes,
|
||||
ticket_decryption_key=target_decryption_key,
|
||||
generate_fast_fn=self.generate_simple_fast,
|
||||
generate_fast_armor_fn=self.generate_ap_req,
|
||||
generate_fast_padata_fn=_generate_fast_padata,
|
||||
fast_armor_type=FX_FAST_ARMOR_AP_REQUEST,
|
||||
check_error_fn=check_error_fn,
|
||||
check_rep_fn=check_rep_fn,
|
||||
check_kdc_private_fn=self.generic_check_kdc_private,
|
||||
expected_error_mode=expected_error,
|
||||
expected_salt=client_creds.get_salt(),
|
||||
expect_edata=expect_edata,
|
||||
expect_status=expect_status,
|
||||
expected_status=expected_status,
|
||||
expected_groups=expected_groups,
|
||||
expect_device_info=expect_device_info,
|
||||
expected_device_domain_sid=domain_sid_str,
|
||||
expected_device_groups=expected_device_groups,
|
||||
expect_device_claims=expect_device_claims,
|
||||
expected_device_claims=expected_device_claims,
|
||||
authenticator_subkey=authenticator_subkey,
|
||||
preauth_key=preauth_key,
|
||||
armor_key=armor_key,
|
||||
armor_tgt=armor_tgt,
|
||||
armor_subkey=authenticator_subkey,
|
||||
kdc_options='0',
|
||||
pac_options=pac_options,
|
||||
# PA-DATA types are not important for these tests.
|
||||
check_patypes=False)
|
||||
|
||||
rep = self._generic_kdc_exchange(
|
||||
kdc_exchange_dict,
|
||||
cname=client_cname,
|
||||
realm=client_realm,
|
||||
sname=target_sname,
|
||||
etypes=etypes)
|
||||
if expected_error:
|
||||
self.check_error_rep(rep, expected_error)
|
||||
return None
|
||||
else:
|
||||
self.check_as_reply(rep)
|
||||
return kdc_exchange_dict['rep_ticket_creds']
|
||||
|
||||
def _tgs_req(self, tgt, expected_error, creds, target_creds, *,
|
||||
armor_tgt=None,
|
||||
kdc_options='0',
|
||||
|
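Review bot: In `_armored_as_req`, `expected_device_domain_sid=domain_sid_str` is always the value of `samdb.get_domain_sid()`, and `expected_device_groups` is mapped against that same SID, so the device-info expectations are tied to the tested domain whatever account `armor_tgt` was issued to. That is correct while the armoring machine account lives in that domain, which appears to be the assumption; it is worth stating in a docstring, or making overridable with a keyword that defaults to the local value, e.g. `expected_device_domain_sid=None` followed by `if expected_device_domain_sid is None: expected_device_domain_sid = domain_sid_str`. The same docstring could explain how the similarly named `expect_status`/`expected_status` and `expect_device_claims`/`expected_device_claims` keywords differ, and that the method returns `None` when `expected_error` is set and `kdc_exchange_dict['rep_ticket_creds']` otherwise. The `_tgs_req` definition that follows continues past the end of this section.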
@ -3007,6 +3007,7 @@ class RawKerberosTest(TestCase):
|
||||
expected_sid=None,
|
||||
expected_requester_sid=None,
|
||||
expected_domain_sid=None,
|
||||
expected_device_domain_sid=None,
|
||||
expected_supported_etypes=None,
|
||||
expected_flags=None,
|
||||
unexpected_flags=None,
|
||||
@ -3085,6 +3086,7 @@ class RawKerberosTest(TestCase):
|
||||
'expected_sid': expected_sid,
|
||||
'expected_requester_sid': expected_requester_sid,
|
||||
'expected_domain_sid': expected_domain_sid,
|
||||
'expected_device_domain_sid': expected_device_domain_sid,
|
||||
'expected_supported_etypes': expected_supported_etypes,
|
||||
'expected_flags': expected_flags,
|
||||
'unexpected_flags': unexpected_flags,
|
||||
|