tests/krb5: Test that claims are generated even if PAC-OPTIONS are not set
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
223ef8b785
commit
a85d26fd74
python/samba/tests/krb5
selftest
@ -775,8 +775,14 @@ class ClaimsTests(KDCBaseTest):
|
||||
'additional_details': self.freeze(details),
|
||||
})
|
||||
|
||||
# Whether to specify claims support in PA-PAC-OPTIONS.
|
||||
pac_options_claims = case.pop('pac-options:claims-support', None)
|
||||
|
||||
self.assertFalse(case, 'unexpected parameters in testcase')
|
||||
|
||||
if pac_options_claims is None:
|
||||
pac_options_claims = True
|
||||
|
||||
if to_self:
|
||||
service_creds = self.get_service_creds()
|
||||
sname = self.PrincipalName_create(
|
||||
@ -788,10 +794,16 @@ class ClaimsTests(KDCBaseTest):
|
||||
sname = None
|
||||
ticket_etype = None
|
||||
|
||||
if pac_options_claims:
|
||||
pac_options = '1' # claims support
|
||||
else:
|
||||
pac_options = '0' # no claims support
|
||||
|
||||
self.get_tgt(creds,
|
||||
sname=sname,
|
||||
target_creds=service_creds,
|
||||
ticket_etype=ticket_etype,
|
||||
pac_options=pac_options,
|
||||
expect_pac=True,
|
||||
expect_client_claims=True,
|
||||
expected_client_claims=expected_claims or None,
|
||||
@ -829,6 +841,26 @@ class ClaimsTests(KDCBaseTest):
|
||||
],
|
||||
'class': 'user',
|
||||
},
|
||||
{
|
||||
'name': 'no claims support in pac options',
|
||||
'claims': [
|
||||
{
|
||||
# 2.5.5.12
|
||||
'enabled': True,
|
||||
'attribute': 'carLicense',
|
||||
'single_valued': True,
|
||||
'source_type': 'AD',
|
||||
'for_classes': ['user'],
|
||||
'value_type': claims.CLAIM_TYPE_STRING,
|
||||
'values': ('foo',),
|
||||
# We still get claims in the PAC even if we don't specify
|
||||
# claims support in PA-PAC-OPTIONS.
|
||||
'expected': True,
|
||||
},
|
||||
],
|
||||
'class': 'user',
|
||||
'pac-options:claims-support': False,
|
||||
},
|
||||
{
|
||||
# Note: The order of these DNs may differ on Windows.
|
||||
'name': 'dn string syntax',
|
||||
@ -1515,6 +1547,9 @@ class ClaimsTests(KDCBaseTest):
|
||||
tgs_expected = case.pop('tgs:expected', None)
|
||||
tgs_device_expected = case.pop('tgs:device:expected', None)
|
||||
|
||||
# Whether to specify claims support in PA-PAC-OPTIONS.
|
||||
pac_options_claims = case.pop('pac-options:claims-support', None)
|
||||
|
||||
all_claims = case.pop('claims')
|
||||
|
||||
# There should be no parameters remaining in the testcase.
|
||||
@ -1561,6 +1596,9 @@ class ClaimsTests(KDCBaseTest):
|
||||
'specified TGS-REQ reset user flags, but no '
|
||||
'accompanying machine SIDs provided')
|
||||
|
||||
if pac_options_claims is None:
|
||||
pac_options_claims = True
|
||||
|
||||
(details, mod_msg,
|
||||
expected_claims,
|
||||
unexpected_claims) = self.setup_claims(all_claims)
|
||||
@ -1673,7 +1711,10 @@ class ClaimsTests(KDCBaseTest):
|
||||
etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
|
||||
|
||||
kdc_options = '0'
|
||||
pac_options = '1' # claims support
|
||||
if pac_options_claims:
|
||||
pac_options = '1' # claims support
|
||||
else:
|
||||
pac_options = '0' # no claims support
|
||||
|
||||
requester_sid = None
|
||||
if tgs_to_krbtgt:
|
||||
@ -1851,6 +1892,62 @@ class ClaimsTests(KDCBaseTest):
|
||||
frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
|
||||
},
|
||||
},
|
||||
{
|
||||
# Make a TGS request containing claims to a service, but don't
|
||||
# specify support for claims in PA-PAC-OPTIONS. We still expect the
|
||||
# final PAC to contain claims.
|
||||
'test': 'device to service no claims support in pac options',
|
||||
'groups': {
|
||||
'foo': (GroupType.DOMAIN_LOCAL, {mach}),
|
||||
'bar': (GroupType.DOMAIN_LOCAL, {mach}),
|
||||
},
|
||||
'claims': [
|
||||
{
|
||||
# 2.5.5.10
|
||||
'enabled': True,
|
||||
'attribute': 'middleName',
|
||||
'single_valued': True,
|
||||
'source_type': 'AD',
|
||||
'for_classes': ['computer'],
|
||||
'value_type': claims.CLAIM_TYPE_STRING,
|
||||
'values': ('foo',),
|
||||
'expected': True,
|
||||
'mod_values': ['bar'],
|
||||
},
|
||||
],
|
||||
'as:expected': {
|
||||
(asserted_identity, SidType.EXTRA_SID, default_attrs),
|
||||
(security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
|
||||
(security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
|
||||
(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
|
||||
},
|
||||
'as:mach:expected': {
|
||||
(asserted_identity, SidType.EXTRA_SID, default_attrs),
|
||||
(security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
|
||||
(security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
|
||||
(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
|
||||
},
|
||||
'tgs:to_krbtgt': False,
|
||||
# Claims are unsupported.
|
||||
'pac-options:claims-support': False,
|
||||
'tgs:expected': {
|
||||
(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY, SidType.EXTRA_SID, default_attrs),
|
||||
(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
|
||||
(security.SID_COMPOUNDED_AUTHENTICATION, SidType.EXTRA_SID, default_attrs),
|
||||
(security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
|
||||
(security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
|
||||
},
|
||||
'tgs:device:expected': {
|
||||
(security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
|
||||
(security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
|
||||
frozenset([
|
||||
('foo', SidType.RESOURCE_SID, resource_attrs),
|
||||
('bar', SidType.RESOURCE_SID, resource_attrs),
|
||||
]),
|
||||
(asserted_identity, SidType.EXTRA_SID, default_attrs),
|
||||
frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
|
||||
},
|
||||
},
|
||||
]
|
||||
|
||||
|
||||
|
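Review bot: The claims-support default is derived in two steps in both test builders — `pac_options_claims = case.pop('pac-options:claims-support', None)` in the first hunk and again in the `@ -1515` hunk, each followed some lines later by `if pac_options_claims is None: pac_options_claims = True` — where `pac_options_claims = case.pop('pac-options:claims-support', True)` gives the same result in one line and keeps the default next to the key it belongs to. The bool-to-flag conversion repeated in the `@ -788` and `@ -1673` hunks reads better as `pac_options = '1' if pac_options_claims else '0'  # PA-PAC-OPTIONS claims-support bit`. A short comment on the new testcases at `'pac-options:claims-support': False` saying that the expected claims document the KDC ignoring the client's PA-PAC-OPTIONS claims bit (presumably matching Windows; worth confirming in the comment) would stop a later reader from taking the expectation for a test bug; the `@ -1851` case only says "Claims are unsupported.", which describes the request rather than the expected outcome. The enclosing test-builder methods start and end outside these hunks.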
@ -2285,6 +2285,7 @@ class KDCBaseTest(RawKerberosTest):
|
||||
unexpected_groups=None,
|
||||
pac_request=True, expect_pac=True,
|
||||
expect_pac_attrs=None, expect_pac_attrs_pac_request=None,
|
||||
pac_options=None,
|
||||
expect_requester_sid=None,
|
||||
rc4_support=True,
|
||||
expect_edata=None,
|
||||
@ -2297,7 +2298,7 @@ class KDCBaseTest(RawKerberosTest):
|
||||
else:
|
||||
user_name = creds.get_username()
|
||||
|
||||
cache_key = (user_name, to_rodc, kdc_options, pac_request,
|
||||
cache_key = (user_name, to_rodc, kdc_options, pac_request, pac_options,
|
||||
client_name_type,
|
||||
ticket_etype,
|
||||
str(expected_flags), str(unexpected_flags),
|
||||
@ -2361,7 +2362,8 @@ class KDCBaseTest(RawKerberosTest):
|
||||
'renewable-ok')
|
||||
kdc_options = krb5_asn1.KDCOptions(kdc_options)
|
||||
|
||||
pac_options = '1' # supports claims
|
||||
if pac_options is None:
|
||||
pac_options = '1' # supports claims
|
||||
|
||||
rep, kdc_exchange_dict = self._test_as_exchange(
|
||||
cname=cname,
|
||||
|
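Review bot: `pac_options` is folded into `cache_key` in the `@ -2297` hunk before the `if pac_options is None: pac_options = '1'` default is applied in the `@ -2361` hunk, so, as far as these hunks show, a caller passing `None` and one passing `'1'` send the same PA-PAC-OPTIONS value but get separate cache entries. Applying the default before the key is built — `if pac_options is None: pac_options = '1'  # supports claims` placed above the `cache_key = (...)` line — keeps the cache keyed on what is actually sent and lets the later default be dropped. The new `pac_options=None` parameter also deserves a docstring line in `get_tgt`, e.g. `pac_options: PA-PAC-OPTIONS bit string to send, or None for the default '1' (claims support)`. `get_tgt` starts and ends outside these hunks.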
@ -107,6 +107,8 @@
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options_to_self.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class.ad_dc
|
||||
@ -141,6 +143,7 @@
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_support_in_pac_options.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_delete.ad_dc
|
||||
|
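Review bot: The new test names are appended to what looks like a selftest known-failure or skip list (the file names are not shown on this page), here and again in the `@ -511` section below, which would register the new claims-support tests as expected failures rather than passing ones. If that is the intent, the commit message should state that the KDC change making these tests pass follows in a later commit, so the title "Test that claims are generated even if PAC-OPTIONS are not set" is not read as a statement about current behaviour.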
@ -511,6 +511,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options_to_self.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class.ad_dc
|
||||
@ -545,6 +547,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_support_in_pac_options.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc
|
||||
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_delete.ad_dc
|
||||
|