tests/krb5: Allow setting or resetting PAC flags
This lets us test what happens when the flags in the PAC, such as NETLOGON_RESOURCE_GROUPS, are given "interesting" values. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
0245a588f4
commit
9a362f99e0
@ -115,7 +115,9 @@ class GroupTests(KDCBaseTest):
|
||||
ticket,
|
||||
new_sids,
|
||||
domain_sid,
|
||||
user_rid):
|
||||
user_rid,
|
||||
set_user_flags=0,
|
||||
reset_user_flags=0):
|
||||
krbtgt_creds = self.get_krbtgt_creds()
|
||||
krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
|
||||
|
||||
@ -126,7 +128,9 @@ class GroupTests(KDCBaseTest):
|
||||
modify_pac_fn = partial(self.set_pac_sids,
|
||||
new_sids=new_sids,
|
||||
domain_sid=domain_sid,
|
||||
user_rid=user_rid)
|
||||
user_rid=user_rid,
|
||||
set_user_flags=set_user_flags,
|
||||
reset_user_flags=reset_user_flags)
|
||||
|
||||
return self.modified_ticket(ticket,
|
||||
modify_pac_fn=modify_pac_fn,
|
||||
@ -137,7 +141,9 @@ class GroupTests(KDCBaseTest):
|
||||
pac,
|
||||
new_sids,
|
||||
domain_sid,
|
||||
user_rid):
|
||||
user_rid,
|
||||
set_user_flags=0,
|
||||
reset_user_flags=0):
|
||||
base_sids = []
|
||||
extra_sids = []
|
||||
resource_sids = []
|
||||
@ -225,6 +231,9 @@ class GroupTests(KDCBaseTest):
|
||||
logon_info.info3.base.user_flags &= ~(
|
||||
netlogon.NETLOGON_RESOURCE_GROUPS)
|
||||
|
||||
logon_info.info3.base.user_flags |= set_user_flags
|
||||
logon_info.info3.base.user_flags &= ~reset_user_flags
|
||||
|
||||
found_logon_info = True
|
||||
|
||||
# Also replace the user's SID in the UPN DNS buffer.
|
||||
@ -1146,6 +1155,10 @@ class GroupTests(KDCBaseTest):
|
||||
# Optional user SID to replace that in the PAC prior to a TGS-REQ.
|
||||
tgs_user_sid = case.pop('tgs:user_sid', None)
|
||||
|
||||
# User flags that may be set or reset in the PAC prior to a TGS-REQ.
|
||||
tgs_set_user_flags = case.pop('tgs:set_user_flags', None)
|
||||
tgs_reset_user_flags = case.pop('tgs:reset_user_flags', None)
|
||||
|
||||
# The SIDs we expect to see in the PAC after a AS-REQ or a TGS-REQ.
|
||||
as_expected = case.pop('as:expected', None)
|
||||
tgs_expected = case.pop('tgs:expected', None)
|
||||
@ -1182,6 +1195,20 @@ class GroupTests(KDCBaseTest):
|
||||
'specified TGS-REQ user SID, but no '
|
||||
'accompanying SIDs provided')
|
||||
|
||||
if tgs_set_user_flags is None:
|
||||
tgs_set_user_flags = 0
|
||||
else:
|
||||
self.assertIsNotNone(tgs_sids,
|
||||
'specified TGS-REQ set user flags, but no '
|
||||
'accompanying SIDs provided')
|
||||
|
||||
if tgs_reset_user_flags is None:
|
||||
tgs_reset_user_flags = 0
|
||||
else:
|
||||
self.assertIsNotNone(tgs_sids,
|
||||
'specified TGS-REQ reset user flags, but no '
|
||||
'accompanying SIDs provided')
|
||||
|
||||
samdb = self.get_samdb()
|
||||
|
||||
domain_sid = samdb.get_domain_sid()
|
||||
@ -1280,7 +1307,9 @@ class GroupTests(KDCBaseTest):
|
||||
ticket = self.ticket_with_sids(ticket,
|
||||
tgs_sids_mapped,
|
||||
tgs_domain_sid,
|
||||
tgs_user_rid)
|
||||
tgs_user_rid,
|
||||
set_user_flags=tgs_set_user_flags,
|
||||
reset_user_flags=tgs_reset_user_flags)
|
||||
|
||||
target_creds, sname = self.get_target(tgs_to_krbtgt, tgs_compression)
|
||||
decryption_key = self.TicketDecryptionKey_from_creds(target_creds)
|
||||
@ -1291,6 +1320,12 @@ class GroupTests(KDCBaseTest):
|
||||
if tgs_to_krbtgt:
|
||||
requester_sid = user_sid
|
||||
|
||||
expect_resource_groups_flag = None
|
||||
if tgs_reset_user_flags & netlogon.NETLOGON_RESOURCE_GROUPS:
|
||||
expect_resource_groups_flag = False
|
||||
elif tgs_set_user_flags & netlogon.NETLOGON_RESOURCE_GROUPS:
|
||||
expect_resource_groups_flag = True
|
||||
|
||||
# Perform a TGS-REQ with the user account.
|
||||
|
||||
kdc_exchange_dict = self.tgs_exchange_dict(
|
||||
@ -1304,6 +1339,7 @@ class GroupTests(KDCBaseTest):
|
||||
expected_requester_sid=requester_sid,
|
||||
expected_domain_sid=tgs_domain_sid,
|
||||
expected_supported_etypes=target_supported_etypes,
|
||||
expect_resource_groups_flag=expect_resource_groups_flag,
|
||||
ticket_decryption_key=decryption_key,
|
||||
check_rep_fn=self.generic_check_kdc_rep,
|
||||
check_kdc_private_fn=self.generic_check_kdc_private,
|
||||
|
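Review bot: The precedence between `set_user_flags` and `reset_user_flags` in set_pac_sids is implicit: the OR on `logon_info.info3.base.user_flags |= set_user_flags` runs before the AND-NOT on the next line, so a bit named in both masks ends up cleared, and the expectation derived later in the -1291 hunk (the `if tgs_reset_user_flags & netlogon.NETLOGON_RESOURCE_GROUPS:` branch being tested before the set branch) silently relies on that order. A one-line comment above the two new assignments would pin it: `# Reset wins over set when a bit appears in both masks.`. The new keyword parameters on ticket_with_sids and set_pac_sids are also undocumented; a short note that they are bitmasks of netlogon NETLOGON_* user flags applied to the PAC logon info after this function's own clearing of NETLOGON_RESOURCE_GROUPS would help callers, since the -225 hunk shows the masks are applied last and so can deliberately leave the flag inconsistent with the resource SIDs. Both functions' definitions start before their hunks and continue past them.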
@ -2505,6 +2505,7 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
unexpected_client_claims=None,
|
||||
expected_device_claims=None,
|
||||
unexpected_device_claims=None,
|
||||
expect_resource_groups_flag=None,
|
||||
to_rodc=False):
|
||||
if expected_error_mode == 0:
|
||||
expected_error_mode = ()
|
||||
@ -2576,6 +2577,7 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
'unexpected_client_claims': unexpected_client_claims,
|
||||
'expected_device_claims': expected_device_claims,
|
||||
'unexpected_device_claims': unexpected_device_claims,
|
||||
'expect_resource_groups_flag': expect_resource_groups_flag,
|
||||
'to_rodc': to_rodc
|
||||
}
|
||||
if callback_dict is None:
|
||||
@ -2644,6 +2646,7 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
unexpected_client_claims=None,
|
||||
expected_device_claims=None,
|
||||
unexpected_device_claims=None,
|
||||
expect_resource_groups_flag=None,
|
||||
to_rodc=False):
|
||||
if expected_error_mode == 0:
|
||||
expected_error_mode = ()
|
||||
@ -2716,6 +2719,7 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
'unexpected_client_claims': unexpected_client_claims,
|
||||
'expected_device_claims': expected_device_claims,
|
||||
'unexpected_device_claims': unexpected_device_claims,
|
||||
'expect_resource_groups_flag': expect_resource_groups_flag,
|
||||
'to_rodc': to_rodc
|
||||
}
|
||||
if callback_dict is None:
|
||||
@ -3233,11 +3237,26 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
pac_sids.add(pac_sid)
|
||||
|
||||
# Collect the Resource SIDs.
|
||||
expect_resource_groups_flag = kdc_exchange_dict[
|
||||
'expect_resource_groups_flag']
|
||||
expect_set_reason = ''
|
||||
expect_reset_reason = ''
|
||||
if expect_resource_groups_flag is None:
|
||||
expect_resource_groups_flag = (
|
||||
resource_groups.groups.rids is not None)
|
||||
expect_set_reason = 'resource groups present, but '
|
||||
expect_reset_reason = 'no resource groups present, but '
|
||||
|
||||
if expect_resource_groups_flag:
|
||||
self.assertTrue(
|
||||
logon_info.user_flags & netlogon.NETLOGON_RESOURCE_GROUPS,
|
||||
f'{expect_set_reason}RESOURCE_GROUPS flag unexpectedly reset')
|
||||
else:
|
||||
self.assertFalse(
|
||||
logon_info.user_flags & netlogon.NETLOGON_RESOURCE_GROUPS,
|
||||
f'{expect_reset_reason}RESOURCE_GROUPS flag unexpectedly set')
|
||||
|
||||
if resource_groups.groups.rids is not None:
|
||||
self.assertTrue(logon_info.user_flags & (
|
||||
netlogon.NETLOGON_RESOURCE_GROUPS),
|
||||
'resource groups present, but RESOURCE_GROUPS '
|
||||
'flag not set')
|
||||
self.assertTrue(resource_groups.groups.rids, 'got empty RIDs')
|
||||
|
||||
resource_group_sid = resource_groups.domain_sid
|
||||
@ -3251,11 +3270,6 @@ class RawKerberosTest(TestCaseInTempDir):
|
||||
resource_group.attributes)
|
||||
self.assertNotIn(pac_sid, pac_sids, 'got duplicated SID')
|
||||
pac_sids.add(pac_sid)
|
||||
else:
|
||||
self.assertFalse(logon_info.user_flags & (
|
||||
netlogon.NETLOGON_RESOURCE_GROUPS),
|
||||
'no resource groups present, but RESOURCE_GROUPS '
|
||||
'flag set')
|
||||
|
||||
# Compare the aggregated SIDs against the set of expected SIDs.
|
||||
if expected_groups is not None:
|
||||
|
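Review bot: `expect_resource_groups_flag` is added to two exchange-dict signatures (the -2505 and -2644 hunks) and threaded into the dict, but nothing documents its tri-state contract, which only the consumer in the -3233 hunk defines: None derives the expectation from `resource_groups.groups.rids is not None`, while an explicit True or False asserts the bit regardless of whether resource groups are present in the PAC. A comment next to the parameter, e.g. `# None: expect NETLOGON_RESOURCE_GROUPS iff resource groups are present; True/False: assert the bit explicitly.`, would keep future callers from passing a literal where the derived default was wanted. With an explicit value both reason prefixes are empty strings, so a failure reads only 'RESOURCE_GROUPS flag unexpectedly set' or 'unexpectedly reset'; a prefix such as 'explicitly expected, but ' in that branch would tell the reader which expectation was in force. The enclosing PAC-checking function starts before the -3233 hunk and continues past the -3251 hunk.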