mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
tests/krb5: Add tests performing AS‐REQs armored with unacceptable tickets
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
849ee95984
commit
989fb00985
@ -1163,6 +1163,11 @@ class KdcTgsTests(KdcTgsBaseTests):
|
||||
self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
|
||||
expected_sname=self.get_krbtgt_sname())
|
||||
|
||||
def test_fast_as_req_no_pac(self):
|
||||
creds = self._get_creds()
|
||||
tgt = self._get_tgt(creds, remove_pac=True)
|
||||
self._fast_as_req(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
|
||||
|
||||
# Test making a request with authdata and without a PAC.
|
||||
def test_tgs_authdata_no_pac(self):
|
||||
creds = self._get_creds()
|
||||
@ -1199,6 +1204,11 @@ class KdcTgsTests(KdcTgsBaseTests):
|
||||
self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
|
||||
expected_sname=self.get_krbtgt_sname())
|
||||
|
||||
def test_fast_as_req_authdata_no_pac(self):
|
||||
creds = self._get_creds()
|
||||
tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
|
||||
self._fast_as_req(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
|
||||
|
||||
# Test changing the SID in the PAC to that of another account.
|
||||
def test_tgs_sid_mismatch_existing(self):
|
||||
creds = self._get_creds()
|
||||
@ -1240,6 +1250,13 @@ class KdcTgsTests(KdcTgsBaseTests):
|
||||
expected_error=KDC_ERR_TGT_REVOKED,
|
||||
expected_sname=self.get_krbtgt_sname())
|
||||
|
||||
def test_fast_as_req_sid_mismatch_existing(self):
|
||||
creds = self._get_creds()
|
||||
existing_rid = self._get_existing_rid()
|
||||
tgt = self._get_tgt(creds, new_rid=existing_rid)
|
||||
self._fast_as_req(tgt, creds,
|
||||
expected_error=KDC_ERR_TGT_REVOKED)
|
||||
|
||||
def test_requester_sid_mismatch_existing(self):
|
||||
creds = self._get_creds()
|
||||
existing_rid = self._get_existing_rid()
|
||||
@ -1304,6 +1321,13 @@ class KdcTgsTests(KdcTgsBaseTests):
|
||||
expected_error=KDC_ERR_TGT_REVOKED,
|
||||
expected_sname=self.get_krbtgt_sname())
|
||||
|
||||
def test_fast_as_req_sid_mismatch_nonexisting(self):
|
||||
creds = self._get_creds()
|
||||
nonexistent_rid = self._get_non_existent_rid()
|
||||
tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
|
||||
self._fast_as_req(tgt, creds,
|
||||
expected_error=KDC_ERR_TGT_REVOKED)
|
||||
|
||||
def test_requester_sid_mismatch_nonexisting(self):
|
||||
creds = self._get_creds()
|
||||
nonexistent_rid = self._get_non_existent_rid()
|
||||
@ -3207,6 +3231,15 @@ class KdcTgsTests(KdcTgsBaseTests):
|
||||
expect_pac=expect_pac,
|
||||
expect_edata=expect_edata)
|
||||
|
||||
def _fast_as_req(self, armor_tgt, armor_tgt_creds, expected_error):
|
||||
user_creds = self._get_mach_creds()
|
||||
target_creds = self.get_service_creds()
|
||||
|
||||
return self._armored_as_req(user_creds, target_creds, armor_tgt,
|
||||
expected_error=expected_error,
|
||||
expected_sname=self.get_krbtgt_sname(),
|
||||
expect_edata=False)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
global_asn1_print = False
|
||||
|
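Review bot: The new helper `_fast_as_req` takes `armor_tgt_creds` but never reads it. Its whole body is visible in the last hunk of this file, and it builds the request only from `self._get_mach_creds()`, `self.get_service_creds()` and `armor_tgt`, so the `creds` that all four `test_fast_as_req_*` tests pass is dead. Either drop the parameter, `def _fast_as_req(self, armor_tgt, expected_error):`, and update the four call sites, or keep it and add a comment saying it is retained only for signature parity with `_fast`. The new tests also lack the one-line comment that some neighbouring tests carry; for example `# Test that an AS-REQ armored with a TGT lacking a PAC is rejected.` above `test_fast_as_req_no_pac` would state which KDC check is being pinned.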
@ -329,6 +329,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
|
||||
#
|
||||
# KDC TGT tests
|
||||
#
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_authdata_no_pac
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_no_pac
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_sid_mismatch_existing
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_as_req_sid_mismatch_nonexisting
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_authdata_no_pac
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_no_pac
|
||||
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_false
|
||||
|