1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

tests/krb5: Add tests performing AS‐REQs armored with unacceptable tickets

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2023-09-29 13:21:01 +13:00 committed by Joseph Sutton
parent 849ee95984
commit 989fb00985
2 changed files with 37 additions and 0 deletions

View File

@ -1163,6 +1163,11 @@ class KdcTgsTests(KdcTgsBaseTests):
self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
expected_sname=self.get_krbtgt_sname())
def test_fast_as_req_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_pac=True)
self._fast_as_req(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
# Test making a request with authdata and without a PAC.
def test_tgs_authdata_no_pac(self):
creds = self._get_creds()
@ -1199,6 +1204,11 @@ class KdcTgsTests(KdcTgsBaseTests):
self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
expected_sname=self.get_krbtgt_sname())
def test_fast_as_req_authdata_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
self._fast_as_req(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
# Test changing the SID in the PAC to that of another account.
def test_tgs_sid_mismatch_existing(self):
creds = self._get_creds()
@ -1240,6 +1250,13 @@ class KdcTgsTests(KdcTgsBaseTests):
expected_error=KDC_ERR_TGT_REVOKED,
expected_sname=self.get_krbtgt_sname())
def test_fast_as_req_sid_mismatch_existing(self):
creds = self._get_creds()
existing_rid = self._get_existing_rid()
tgt = self._get_tgt(creds, new_rid=existing_rid)
self._fast_as_req(tgt, creds,
expected_error=KDC_ERR_TGT_REVOKED)
def test_requester_sid_mismatch_existing(self):
creds = self._get_creds()
existing_rid = self._get_existing_rid()
@ -1304,6 +1321,13 @@ class KdcTgsTests(KdcTgsBaseTests):
expected_error=KDC_ERR_TGT_REVOKED,
expected_sname=self.get_krbtgt_sname())
def test_fast_as_req_sid_mismatch_nonexisting(self):
creds = self._get_creds()
nonexistent_rid = self._get_non_existent_rid()
tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
self._fast_as_req(tgt, creds,
expected_error=KDC_ERR_TGT_REVOKED)
def test_requester_sid_mismatch_nonexisting(self):
creds = self._get_creds()
nonexistent_rid = self._get_non_existent_rid()
@ -3207,6 +3231,15 @@ class KdcTgsTests(KdcTgsBaseTests):
expect_pac=expect_pac,
expect_edata=expect_edata)
def _fast_as_req(self, armor_tgt, armor_tgt_creds, expected_error):
user_creds = self._get_mach_creds()
target_creds = self.get_service_creds()
return self._armored_as_req(user_creds, target_creds, armor_tgt,
expected_error=expected_error,
expected_sname=self.get_krbtgt_sname(),
expect_edata=False)
if __name__ == "__main__":
global_asn1_print = False

View File

@ -329,6 +329,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
#
# KDC TGT tests
#
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_authdata_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_sid_mismatch_existing
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_sid_mismatch_nonexisting
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_authdata_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_false