mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

tests/krb5: Fix checking for presence of error data

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton 2021-09-29 15:48:58 +13:00 committed by Andrew Bartlett
parent 7fba83c6c6
commit ab92dc16d2
4 changed files with 48 additions and 25 deletions


@ -107,7 +107,8 @@ class FAST_Tests(KDCBaseTest):
'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN),
'use_fast': False,
'sname': None,
'expected_sname': expected_sname
'expected_sname': expected_sname,
'expect_edata': False
}
])
@ -121,7 +122,8 @@ class FAST_Tests(KDCBaseTest):
'use_fast': False,
'gen_tgt_fn': self.get_user_tgt,
'sname': None,
'expected_sname': expected_sname
'expected_sname': expected_sname,
'expect_edata': False
}
])
@ -206,6 +208,7 @@ class FAST_Tests(KDCBaseTest):
'expected_error_mode': KDC_ERR_NOT_US,
'use_fast': False,
'gen_tgt_fn': self.get_user_service_ticket,
'expect_edata': False
}
])
@ -216,6 +219,7 @@ class FAST_Tests(KDCBaseTest):
'expected_error_mode': KDC_ERR_NOT_US,
'use_fast': False,
'gen_tgt_fn': self.get_mach_service_ticket,
'expect_edata': False
}
])
@ -328,7 +332,8 @@ class FAST_Tests(KDCBaseTest):
'expected_error_mode': KDC_ERR_ETYPE_NOSUPP,
'use_fast': False,
'gen_tgt_fn': self.get_mach_tgt,
'etypes': ()
'etypes': (),
'expect_edata': False
}
])
@ -376,7 +381,8 @@ class FAST_Tests(KDCBaseTest):
'use_fast': True,
'gen_fast_fn': self.generate_empty_fast,
'fast_armor': None,
'gen_armor_tgt_fn': self.get_mach_tgt
'gen_armor_tgt_fn': self.get_mach_tgt,
'expect_edata': False
}
])
@ -399,7 +405,8 @@ class FAST_Tests(KDCBaseTest):
'expected_error_mode': KDC_ERR_GENERIC,
'use_fast': True,
'fast_armor': None, # no armor,
'gen_armor_tgt_fn': self.get_mach_tgt
'gen_armor_tgt_fn': self.get_mach_tgt,
'expect_edata': False
}
])
@ -858,7 +865,8 @@ class FAST_Tests(KDCBaseTest):
# should be KRB_APP_ERR_MODIFIED
'use_fast': False,
'gen_authdata_fn': self.generate_fast_used_auth_data,
'gen_tgt_fn': self.get_user_tgt
'gen_tgt_fn': self.get_user_tgt,
'expect_edata': False
}
])
@ -885,7 +893,8 @@ class FAST_Tests(KDCBaseTest):
'gen_authdata_fn': self.generate_fast_armor_auth_data,
'gen_tgt_fn': self.get_user_tgt,
'fast_armor': None,
'expected_sname': expected_sname
'expected_sname': expected_sname,
'expect_edata': False
}
])
@ -935,7 +944,8 @@ class FAST_Tests(KDCBaseTest):
'use_fast': True,
'gen_tgt_fn': self.gen_tgt_fast_armor_auth_data,
'fast_armor': None,
'expected_sname': expected_sname
'expected_sname': expected_sname,
'expect_edata': False
}
])
@ -1007,7 +1017,8 @@ class FAST_Tests(KDCBaseTest):
'gen_tgt_fn': self.get_user_tgt,
'fast_armor': None,
'include_subkey': False,
'expected_sname': expected_sname
'expected_sname': expected_sname,
'expect_edata': False
}
])
@ -1258,6 +1269,10 @@ class FAST_Tests(KDCBaseTest):
else:
tgt_cname = client_cname
expect_edata = kdc_dict.pop('expect_edata', None)
if expect_edata is not None:
self.assertTrue(expected_error_mode)
expected_cname = kdc_dict.pop('expected_cname', tgt_cname)
expected_anon = kdc_dict.pop('expected_anon',
False)
@ -1392,7 +1407,8 @@ class FAST_Tests(KDCBaseTest):
inner_req=inner_req,
outer_req=outer_req,
pac_request=True,
pac_options=pac_options)
pac_options=pac_options,
expect_edata=expect_edata)
else: # KRB_TGS_REP
kdc_exchange_dict = self.tgs_exchange_dict(
expected_crealm=expected_crealm,
@ -1425,7 +1441,8 @@ class FAST_Tests(KDCBaseTest):
inner_req=inner_req,
outer_req=outer_req,
pac_request=None,
pac_options=pac_options)
pac_options=pac_options,
expect_edata=expect_edata)
repeat = kdc_dict.pop('repeat', 1)
for _ in range(repeat):
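Review bot: The guard added in the hunk at -1258, `if expect_edata is not None: self.assertTrue(expected_error_mode)`, carries no message, so a test dict that sets 'expect_edata' without an error mode fails with only a bare truthiness error. Passing a message would make the contract explicit, e.g. `self.assertTrue(expected_error_mode, "'expect_edata' is only valid when an error is expected")`. Separately, the first case in this section pairs a single `'expect_edata': False` with a tuple of two acceptable error codes, so the same e-data expectation applies whichever code the KDC returns; a short comment confirming that this is intended would help the next reader. The enclosing method starts and ends outside the hunk.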


@ -1162,7 +1162,8 @@ class KDCBaseTest(RawKerberosTest):
def tgs_req(self, cname, sname, realm, ticket, key, etypes,
expected_error_mode=0, padata=None, kdc_options=0,
to_rodc=False, service_creds=None, expect_pac=True):
to_rodc=False, service_creds=None, expect_pac=True,
expect_edata=None):
'''Send a TGS-REQ, returns the response and the decrypted and
decoded enc-part
'''
@ -1209,6 +1210,7 @@ class KDCBaseTest(RawKerberosTest):
tgt=tgt,
authenticator_subkey=subkey,
kdc_options=str(kdc_options),
expect_edata=expect_edata,
expect_pac=expect_pac,
to_rodc=to_rodc)
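Review bot: The docstring of `tgs_req` does not explain the new `expect_edata=None` parameter; it still describes only the request and the return value. The three states matter to callers: judging by the checking code changed elsewhere in this commit, None leaves the presence of e-data to be inferred from the error code and the FAST armor, False asserts that e-data is absent, and True requires it (under strict checking). Suggest adding a docstring line such as `expect_edata: None to infer whether the error reply carries e-data; True/False to require its presence/absence.` The method body continues outside the hunks.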


@ -85,7 +85,8 @@ class KdcTgsTests(KDCBaseTest):
names=["host", samdb.host_dns_name()])
(rep, enc_part) = self.tgs_req(cname, sname, realm, ticket, key, etype,
expected_error_mode=KDC_ERR_BADMATCH)
expected_error_mode=KDC_ERR_BADMATCH,
expect_edata=False)
self.assertIsNone(
enc_part,


@ -1959,6 +1959,7 @@ class RawKerberosTest(TestCaseInTempDir):
outer_req=None,
pac_request=None,
pac_options=None,
expect_edata=None,
expect_pac=True,
to_rodc=False):
if expected_error_mode == 0:
@ -2005,6 +2006,7 @@ class RawKerberosTest(TestCaseInTempDir):
'outer_req': outer_req,
'pac_request': pac_request,
'pac_options': pac_options,
'expect_edata': expect_edata,
'expect_pac': expect_pac,
'to_rodc': to_rodc
}
@ -2046,6 +2048,7 @@ class RawKerberosTest(TestCaseInTempDir):
outer_req=None,
pac_request=None,
pac_options=None,
expect_edata=None,
expect_pac=True,
to_rodc=False):
if expected_error_mode == 0:
@ -2091,6 +2094,7 @@ class RawKerberosTest(TestCaseInTempDir):
'outer_req': outer_req,
'pac_request': pac_request,
'pac_options': pac_options,
'expect_edata': expect_edata,
'expect_pac': expect_pac,
'to_rodc': to_rodc
}
@ -2477,20 +2481,20 @@ class RawKerberosTest(TestCaseInTempDir):
self.assertElementEqualUTF8(rep, 'realm', expected_srealm)
self.assertElementEqualPrincipal(rep, 'sname', expected_sname)
self.assertElementMissing(rep, 'e-text')
if (error_code == KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS
or (rep_msg_type == KRB_TGS_REP
and not sent_fast)
or (sent_fast and fast_armor_type is not None
and fast_armor_type != FX_FAST_ARMOR_AP_REQUEST)
or inner):
expected_status = kdc_exchange_dict['expected_status']
expect_edata = kdc_exchange_dict['expect_edata']
if expect_edata is None:
expect_edata = (error_code != KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS
and (not sent_fast or fast_armor_type is None
or fast_armor_type == FX_FAST_ARMOR_AP_REQUEST)
and not inner)
if not expect_edata:
self.assertIsNone(expected_status)
self.assertElementMissing(rep, 'e-data')
return rep
edata = self.getElementValue(rep, 'e-data')
if self.strict_checking:
if error_code != KDC_ERR_GENERIC:
# Predicting whether an ERR_GENERIC error contains e-data is
# more complicated.
self.assertIsNotNone(edata)
self.assertIsNotNone(edata)
if edata is not None:
if rep_msg_type == KRB_TGS_REP and not sent_fast:
error_data = self.der_decode(
@ -2506,12 +2510,11 @@ class RawKerberosTest(TestCaseInTempDir):
status = int.from_bytes(extended_error[:4], 'little')
flags = int.from_bytes(extended_error[8:], 'little')
expected_status = kdc_exchange_dict['expected_status']
self.assertEqual(expected_status, status)
self.assertEqual(3, flags)
else:
self.assertIsNone(kdc_exchange_dict['expected_status'])
self.assertIsNone(expected_status)
rep_padata = self.der_decode(edata,
asn1Spec=krb5_asn1.METHOD_DATA())