
tests/krb5: Test that claims are generated even if PAC-OPTIONS are not set

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton 2023-03-16 11:18:49 +13:00 committed by Andrew Bartlett
parent 223ef8b785
commit a85d26fd74
4 changed files with 108 additions and 3 deletions


@ -775,8 +775,14 @@ class ClaimsTests(KDCBaseTest):
'additional_details': self.freeze(details),
})
# Whether to specify claims support in PA-PAC-OPTIONS.
pac_options_claims = case.pop('pac-options:claims-support', None)
self.assertFalse(case, 'unexpected parameters in testcase')
if pac_options_claims is None:
pac_options_claims = True
if to_self:
service_creds = self.get_service_creds()
sname = self.PrincipalName_create(
@ -788,10 +794,16 @@ class ClaimsTests(KDCBaseTest):
sname = None
ticket_etype = None
if pac_options_claims:
pac_options = '1' # claims support
else:
pac_options = '0' # no claims support
self.get_tgt(creds,
sname=sname,
target_creds=service_creds,
ticket_etype=ticket_etype,
pac_options=pac_options,
expect_pac=True,
expect_client_claims=True,
expected_client_claims=expected_claims or None,
@ -829,6 +841,26 @@ class ClaimsTests(KDCBaseTest):
],
'class': 'user',
},
{
'name': 'no claims support in pac options',
'claims': [
{
# 2.5.5.12
'enabled': True,
'attribute': 'carLicense',
'single_valued': True,
'source_type': 'AD',
'for_classes': ['user'],
'value_type': claims.CLAIM_TYPE_STRING,
'values': ('foo',),
# We still get claims in the PAC even if we don't specify
# claims support in PA-PAC-OPTIONS.
'expected': True,
},
],
'class': 'user',
'pac-options:claims-support': False,
},
{
# Note: The order of these DNs may differ on Windows.
'name': 'dn string syntax',
@ -1515,6 +1547,9 @@ class ClaimsTests(KDCBaseTest):
tgs_expected = case.pop('tgs:expected', None)
tgs_device_expected = case.pop('tgs:device:expected', None)
# Whether to specify claims support in PA-PAC-OPTIONS.
pac_options_claims = case.pop('pac-options:claims-support', None)
all_claims = case.pop('claims')
# There should be no parameters remaining in the testcase.
@ -1561,6 +1596,9 @@ class ClaimsTests(KDCBaseTest):
'specified TGS-REQ reset user flags, but no '
'accompanying machine SIDs provided')
if pac_options_claims is None:
pac_options_claims = True
(details, mod_msg,
expected_claims,
unexpected_claims) = self.setup_claims(all_claims)
@ -1673,7 +1711,10 @@ class ClaimsTests(KDCBaseTest):
etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
kdc_options = '0'
pac_options = '1' # claims support
if pac_options_claims:
pac_options = '1' # claims support
else:
pac_options = '0' # no claims support
requester_sid = None
if tgs_to_krbtgt:
@ -1851,6 +1892,62 @@ class ClaimsTests(KDCBaseTest):
frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
},
},
{
# Make a TGS request containing claims to a service, but don't
# specify support for claims in PA-PAC-OPTIONS. We still expect the
# final PAC to contain claims.
'test': 'device to service no claims support in pac options',
'groups': {
'foo': (GroupType.DOMAIN_LOCAL, {mach}),
'bar': (GroupType.DOMAIN_LOCAL, {mach}),
},
'claims': [
{
# 2.5.5.10
'enabled': True,
'attribute': 'middleName',
'single_valued': True,
'source_type': 'AD',
'for_classes': ['computer'],
'value_type': claims.CLAIM_TYPE_STRING,
'values': ('foo',),
'expected': True,
'mod_values': ['bar'],
},
],
'as:expected': {
(asserted_identity, SidType.EXTRA_SID, default_attrs),
(security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
(security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
},
'as:mach:expected': {
(asserted_identity, SidType.EXTRA_SID, default_attrs),
(security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
(security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
},
'tgs:to_krbtgt': False,
# Claims are unsupported.
'pac-options:claims-support': False,
'tgs:expected': {
(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY, SidType.EXTRA_SID, default_attrs),
(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
(security.SID_COMPOUNDED_AUTHENTICATION, SidType.EXTRA_SID, default_attrs),
(security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
(security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
},
'tgs:device:expected': {
(security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
(security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
frozenset([
('foo', SidType.RESOURCE_SID, resource_attrs),
('bar', SidType.RESOURCE_SID, resource_attrs),
]),
(asserted_identity, SidType.EXTRA_SID, default_attrs),
frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
},
},
]
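Review bot: The comment `# Claims are unsupported.` above `'pac-options:claims-support': False` in the new device-to-service case misstates what the flag does: the client merely stops advertising claims support in PA-PAC-OPTIONS, and the case still expects SID_CLAIMS_VALID and the middleName claim in the resulting PAC, so I would write it as `# Don't advertise claims support in PA-PAC-OPTIONS; claims are still expected in the PAC.` The two new `if pac_options_claims: ... else: ...` blocks (to_self path and TGS-REQ path) can each collapse to `pac_options = '1' if pac_options_claims else '0'  # bit 0: claims support`, which also keeps the two sites in sync. As far as these hunks show, the False case still sends PA-PAC-OPTIONS with the claims bit cleared rather than omitting the padata, so the other reading of "not set" — no PA-PAC-OPTIONS at all — appears uncovered and is worth a case if the helper can express it. The test-case tables and the setup methods these hunks touch begin and end outside the hunks.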


@ -2285,6 +2285,7 @@ class KDCBaseTest(RawKerberosTest):
unexpected_groups=None,
pac_request=True, expect_pac=True,
expect_pac_attrs=None, expect_pac_attrs_pac_request=None,
pac_options=None,
expect_requester_sid=None,
rc4_support=True,
expect_edata=None,
@ -2297,7 +2298,7 @@ class KDCBaseTest(RawKerberosTest):
else:
user_name = creds.get_username()
cache_key = (user_name, to_rodc, kdc_options, pac_request,
cache_key = (user_name, to_rodc, kdc_options, pac_request, pac_options,
client_name_type,
ticket_etype,
str(expected_flags), str(unexpected_flags),
@ -2361,7 +2362,8 @@ class KDCBaseTest(RawKerberosTest):
'renewable-ok')
kdc_options = krb5_asn1.KDCOptions(kdc_options)
pac_options = '1' # supports claims
if pac_options is None:
pac_options = '1' # supports claims
rep, kdc_exchange_dict = self._test_as_exchange(
cname=cname,
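Review bot: The `if pac_options is None: pac_options = '1'` default is applied well after `cache_key` has been built with the raw value, so a caller passing nothing and a caller passing `pac_options='1'` explicitly request the same ticket but, if `cache_key` is the lookup key it appears to be, land in separate cache entries and do two AS exchanges. Move the default above the tuple — `if pac_options is None: pac_options = '1'  # supports claims` just before `cache_key = (...)` — and drop the later copy, so the key always sees the normalized value. The new parameter also deserves a line in the method's docstring, e.g. `pac_options: PA-PAC-OPTIONS bit string sent in the AS-REQ; None selects the default '1' (advertise claims support).` The enclosing method (presumably get_tgt, given the call site in claims_tests.py) starts and ends outside this hunk.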


@ -107,6 +107,8 @@
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class.ad_dc
@ -141,6 +143,7 @@
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_support_in_pac_options.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_delete.ad_dc


@ -511,6 +511,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class.ad_dc
@ -545,6 +547,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_support_in_pac_options.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc
^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_delete.ad_dc