sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-25 17:57:42 +03:00
Code

tests/krb5: Fix tests that crash Windows

Browse Source 
Expect an actual error code or an outcome, not CRASHES_WINDOWS.

I don’t know which error codes Windows might be expected to produce, so
I’ve chosen some that seem plausible.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2023-10-02 12:20:48 +13:00 committed by Andrew Bartlett
parent 52ea480543
commit a8a186868e
2 changed files with 67 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
python/samba/tests/krb5/conditional_ace_tests.py
View File

@ -1350,7 +1350,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
('{a}', claims.CLAIM_TYPE_BOOLEAN, [2]),
('{b}', claims.CLAIM_TYPE_BOOLEAN, [3]),
]),
], '{a} == {b}', CRASHES_WINDOWS),
], '{a} == {b}', (None, CRASHES_WINDOWS)),
([
(claims.CLAIMS_SOURCE_TYPE_AD, [
('{a}', claims.CLAIM_TYPE_BOOLEAN, [1]),
@ -1469,7 +1469,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
(claims.CLAIMS_SOURCE_TYPE_AD, [
('{larger_claim}', claims.CLAIM_TYPE_STRING, ['z' * 100000]),
]),
], '{larger_claim} > "z"', CRASHES_WINDOWS),
], '{larger_claim} > "z"', (True, CRASHES_WINDOWS)),
# Test a great number of claims. Windows does not appear to like
# receiving this many claims.
([
@ -1477,7 +1477,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
('{many_claims}', claims.CLAIM_TYPE_UINT64,
list(range(0, 100000))),
]),
], '{many_claims} Any_of "99999"', CRASHES_WINDOWS),
], '{many_claims} Any_of "99999"', (True, CRASHES_WINDOWS)),
# Test a claim with a very long name. Much larger than this, and
# conditional_ace_encode_binary() will refuse to encode the conditions.
([
@ -1565,18 +1565,18 @@ class ConditionalAceTests(ConditionalAceBaseTests):
(claims.CLAIMS_SOURCE_TYPE_AD, [
('{invalid_sid}', 5, []),
]),
], '{invalid_sid} == {invalid_sid}', CRASHES_WINDOWS),
], '{invalid_sid} == {invalid_sid}', (None, CRASHES_WINDOWS)),
([
(claims.CLAIMS_SOURCE_TYPE_AD, [
('{invalid_octet_string}', 16, []),
]),
], '{invalid_octet_string} == {invalid_octet_string}', CRASHES_WINDOWS),
], '{invalid_octet_string} == {invalid_octet_string}', (None, CRASHES_WINDOWS)),
# Sending an empty string will crash Windows.
([
(claims.CLAIMS_SOURCE_TYPE_AD, [
('{empty_string}', claims.CLAIM_TYPE_STRING, ['']),
]),
], '{empty_string}', CRASHES_WINDOWS),
], '{empty_string}', (None, CRASHES_WINDOWS)),
# But sending empty arrays is OK.
([
(claims.CLAIMS_SOURCE_TYPE_AD, [
@ -1595,8 +1595,13 @@ class ConditionalAceTests(ConditionalAceBaseTests):
outcome):
self.assertIsInstance(expression, str)
if outcome is CRASHES_WINDOWS and not self.crash_windows:
try:
outcome, crashes_windows = outcome
self.assertIs(crashes_windows, CRASHES_WINDOWS)
if not self.crash_windows:
self.skipTest('test crashes Windows servers')
except TypeError:
self.assertIsNot(outcome, CRASHES_WINDOWS)
if claim_map is None:
claim_map = {}
@ -2145,7 +2150,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
def test_rbcd_device_from_rodc(self):
self._rbcd('Member_of SID({service_sid})',
device_from_rodc=True,
code=CRASHES_WINDOWS)
code=(0, CRASHES_WINDOWS))
def test_rbcd_service_from_rodc(self):
self._rbcd('Member_of SID({service_sid})',
@ -2156,7 +2161,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
self._rbcd('Member_of SID({service_sid})',
service_from_rodc=True,
device_from_rodc=True,
code=CRASHES_WINDOWS)
code=(0, CRASHES_WINDOWS))
def test_rbcd_client_from_rodc(self):
self._rbcd('Member_of SID({service_sid})',
@ -2167,7 +2172,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
self._rbcd('Member_of SID({service_sid})',
client_from_rodc=True,
device_from_rodc=True,
code=CRASHES_WINDOWS)
code=(0, CRASHES_WINDOWS))
def test_rbcd_client_and_service_from_rodc(self):
self._rbcd('Member_of SID({service_sid})',
@ -2180,7 +2185,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
client_from_rodc=True,
service_from_rodc=True,
device_from_rodc=True,
code=CRASHES_WINDOWS)
code=(0, CRASHES_WINDOWS))
def _rbcd(self,
rbcd_expression=None,
@ -2203,8 +2208,13 @@ class ConditionalAceTests(ConditionalAceBaseTests):
expected_groups=None,
expected_device_groups=None,
expected_claims=None):
if code is CRASHES_WINDOWS and not self.crash_windows:
try:
code, crashes_windows = code
self.assertIs(crashes_windows, CRASHES_WINDOWS)
if not self.crash_windows:
self.skipTest('test crashes Windows servers')
except TypeError:
self.assertIsNot(code, CRASHES_WINDOWS)
samdb = self.get_samdb()
functional_level = self.get_domain_functional_level(samdb)
@ -2419,7 +2429,11 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
code=CRASHES_WINDOWS)
code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
reason=AuditReason.ACCESS_DENIED,
edata=self.expect_padata_outer)
def test_tgs_without_aa_asserted_identity_both_from_rodc(self):
client_sids = {
@ -2432,7 +2446,11 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
code=CRASHES_WINDOWS)
code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
reason=AuditReason.ACCESS_DENIED,
edata=self.expect_padata_outer)
def test_tgs_with_aa_asserted_identity(self):
client_sids = {
@ -2468,7 +2486,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
code=CRASHES_WINDOWS)
code=(0, CRASHES_WINDOWS))
def test_tgs_with_aa_asserted_identity_both_from_rodc(self):
client_sids = {
@ -2482,7 +2500,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
code=CRASHES_WINDOWS)
code=(0, CRASHES_WINDOWS))
def test_tgs_without_service_asserted_identity(self):
client_sids = {
@ -2525,7 +2543,11 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
code=CRASHES_WINDOWS)
code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
reason=AuditReason.ACCESS_DENIED,
edata=self.expect_padata_outer)
def test_tgs_without_service_asserted_identity_both_from_rodc(self):
client_sids = {
@ -2538,7 +2560,11 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
code=CRASHES_WINDOWS)
code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
reason=AuditReason.ACCESS_DENIED,
edata=self.expect_padata_outer)
def test_tgs_with_service_asserted_identity(self):
client_sids = {
@ -2574,7 +2600,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
code=CRASHES_WINDOWS)
code=(0, CRASHES_WINDOWS))
def test_tgs_with_service_asserted_identity_both_from_rodc(self):
client_sids = {
@ -2588,7 +2614,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
code=CRASHES_WINDOWS)
code=(0, CRASHES_WINDOWS))
def test_tgs_without_claims_valid(self):
client_sids = {
@ -2631,7 +2657,11 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
code=CRASHES_WINDOWS)
code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
reason=AuditReason.ACCESS_DENIED,
edata=self.expect_padata_outer)
def test_tgs_without_claims_valid_both_from_rodc(self):
client_sids = {
@ -2644,7 +2674,11 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
code=CRASHES_WINDOWS)
code=(KDC_ERR_POLICY, CRASHES_WINDOWS),
status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,
event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
reason=AuditReason.ACCESS_DENIED,
edata=self.expect_padata_outer)
def test_tgs_with_claims_valid(self):
client_sids = {
@ -2680,7 +2714,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
code=CRASHES_WINDOWS)
code=(0, CRASHES_WINDOWS))
def test_tgs_with_claims_valid_both_from_rodc(self):
client_sids = {
@ -2694,7 +2728,7 @@ class ConditionalAceTests(ConditionalAceBaseTests):
device_from_rodc=True,
client_sids=client_sids,
expected_groups=client_sids,
code=CRASHES_WINDOWS)
code=(0, CRASHES_WINDOWS))
def _tgs(self,
target_policy=None,
@ -2713,8 +2747,13 @@ class ConditionalAceTests(ConditionalAceBaseTests):
expected_groups=None,
expected_device_groups=None,
expected_claims=None):
if code is CRASHES_WINDOWS and not self.crash_windows:
try:
code, crashes_windows = code
self.assertIs(crashes_windows, CRASHES_WINDOWS)
if not self.crash_windows:
self.skipTest('test crashes Windows servers')
except TypeError:
self.assertIsNot(code, CRASHES_WINDOWS)
samdb = self.get_samdb()
functional_level = self.get_domain_functional_level(samdb)

16
selftest/knownfail_heimdal_kdc
View File

@ -111,12 +111,8 @@
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_1___a_or_b_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_2_b_6_3___a_equals_b_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_b_6_1___b_or_b_or_b_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_empty_string_3___empty_string_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_and_true_boolean_6_0_1___false_and_true_boolean_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_boolean_6_0___false_boolean_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_invalid_octet_string_16___invalid_octet_string_equals_invalid_octet_string_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_invalid_sid_5___invalid_sid_equals_invalid_sid_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_larger_claim_3_zzzzzzzzzzzzzzzzzzz
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_many_claims_2_0_1_2_3_4_5_6_7_8_9_10
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_non_empty_string_3_foo_bar___non_empty_string_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_nonzero_int_1_1___nonzero_int_\(ad_dc\)
@ -129,30 +125,18 @@
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_uint_2_0_1___zero_and_one_uint_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_int_1_0___zero_int_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_all_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_and_service_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_aa_asserted_identity\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_claims_valid\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_compounded_auth\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_service_asserted_identity\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_both_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_both_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_client_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_both_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_claims_valid_both_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_claims_valid_device_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_both_from_rodc\(ad_dc\)
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_device_from_rodc\(ad_dc\)
#
# Conditional ACE device restrictions
#