From 883d26428486b7b041b327e6d28b551d856059c1 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Thu, 16 Mar 2023 11:24:42 +1300
Subject: [PATCH] tests/krb5: Add remove_client_claims_tgt_from_rodc()
This method removes the PAC_CLIENT_CLAIMS_INFO buffer *and* makes it appear as if a ticket were issued by an RODC. Because that's more efficient than decrypting and modifying the ticket twice. View with 'git show -b'.
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 python/samba/tests/krb5/claims_tests.py | 43 +++++++++++++++++--------
 1 file changed, 29 insertions(+), 14 deletions(-)
diff --git a/python/samba/tests/krb5/claims_tests.py b/python/samba/tests/krb5/claims_tests.py
index 5af23b9bfc7..13f7d229b33 100755
--- a/python/samba/tests/krb5/claims_tests.py
+++ b/python/samba/tests/krb5/claims_tests.py
@@ -204,26 +204,41 @@ class ClaimsTests(KDCBaseTest):
 return details, mod_msg, expected_claims, unexpected_claims
+ def modify_pac_remove_client_claims(self, pac):
+ pac_buffers = pac.buffers
+ for pac_buffer in pac_buffers:
+ if pac_buffer.type == krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO:
+ pac.num_buffers -= 1
+ pac_buffers.remove(pac_buffer)
+
+ break
+ else:
+ self.fail('expected client claims in PAC')
+
+ pac.buffers = pac_buffers
+
+ return pac
+
 def remove_client_claims(self, ticket):
- def modify_pac_fn(pac):
- pac_buffers = pac.buffers
- for pac_buffer in pac_buffers:
- if pac_buffer.type == krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO:
- pac.num_buffers -= 1
- pac_buffers.remove(pac_buffer)
+ return self.modified_ticket(
+ ticket,
+ modify_pac_fn=self.modify_pac_remove_client_claims,
+ checksum_keys=self.get_krbtgt_checksum_key())
- break
- else:
- self.fail('expected client claims in PAC')
+ def remove_client_claims_tgt_from_rodc(self, ticket):
+ rodc_krbtgt_creds = self.get_mock_rodc_krbtgt_creds()
+ rodc_krbtgt_key = self.TicketDecryptionKey_from_creds(
+ rodc_krbtgt_creds)
- pac.buffers = pac_buffers
-
- return pac
+ checksum_keys = {
+ krb5pac.PAC_TYPE_KDC_CHECKSUM: rodc_krbtgt_key
+ }
 return self.modified_ticket(
 ticket,
- modify_pac_fn=modify_pac_fn,
- checksum_keys=self.get_krbtgt_checksum_key())
+ new_ticket_key=rodc_krbtgt_key,
+ modify_pac_fn=self.modify_pac_remove_client_claims,
+ checksum_keys=checksum_keys)
 def test_tgs_claims(self):
 self.run_tgs_test(remove_claims=False, to_krbtgt=False)
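Review bot: remove_client_claims_tgt_from_rodc() has no docstring or comment explaining which signatures it replaces: the `checksum_keys` dict names only `krb5pac.PAC_TYPE_KDC_CHECKSUM`, and the remaining PAC checksums are left to whatever modified_ticket() does with `new_ticket_key`, which is not visible in this hunk. If that default does not re-sign the server checksum with the RODC key, a test built on this helper could see the KDC reject the ticket for a bad signature rather than for the missing claims buffer, and still pass. I would add a docstring such as `"""Strip PAC_CLIENT_CLAIMS_INFO and re-issue the TGT under the mock RODC krbtgt key in a single modified_ticket() pass."""` and, once confirmed against modified_ticket(), a comment above the dict like `# Only the KDC checksum needs an explicit key; the server checksum follows new_ticket_key.`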