1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

4497 Commits

Author SHA1 Message Date
Rob van der Linde
837e1d9fda python: getopt: subclass OptionParser to populate option_class
The option_class needs to be set correctly for OptionGroups that use self.add_option

Override OptionParser `__init__` to change the default Option class to the samba one.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
6943a58bff netcmd: tests: stop checking for ERROR prefix from CommandError
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
fb058e7f2c python: netcmd: remove OptionError alias to OptionValueError
The other methods in this file already raise optparse.OptionValueError
directly, except for two older ones.

They are using an alias which changes the name to OptionError, the
confusing part about this is that optparse.OptionError actually does
exist, so the incorrect alias needs to be removed.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
14b2129868 python: netcmd: catch parent exception class OptParseError instead
This covers both OptionError and OptionValueError

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
f77064c822 python: getopt: rename SambaOption to Option
* Nothing uses SambaOption directly, everything imports it through samba.netcmd.Option
 * Avoid an unnecessary rename on import

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
d54f52b847 python: netcmd: parser class in getSamDB should set option_class
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
b7a1946d8b python: netcmd: fix import grouping and sorting in base first
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
5f8c46d1de python: netcmd: remove redundant Option subclass
Instead, just import SambaOption as Option, so all the existing commands don't need changing.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
32032937ed python: netcmd: SUPPRESS_HELP constant has no effect here
Where it is used, on a few options, the constant should be used
directly instead.

This means that in the following commit, the Option subclass of
SambaOption can be removed, as it will become redundant.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
a930456f0c python: netcmd: dbcheck: fix import grouping and order
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
3a5a5cae3a python: netcmd: ntacl: fix import grouping and order
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
0f93e1d17f python: add docstrings to Validator and ValidationError
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
dc513a82a6 python: move Validator base class and ValidationError to getopt
It makes more sense for these to exist in the top package, because they are used by SambaOption.

validators.py can still exist in netcmd, just not the base class and exception.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
29c9991594 python: getopt: move validators logic to parent class
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
bdad257a31 netcmd: don't turn exception into CommandError in run_validators
It's the wrong place to do it.

Instead, let it raise the original exception, capture it in _run, and
call existing show_command_error method.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
99c93c1e89 netcmd: PEP8: minor whitespace fix, file did not pass PEP8
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
c3876242fd netcmd: move comment above class to docstring
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
8b57561297 netcmd: correctly pass Samba option class to OptionParser
On OptionGroups it will set option_class and then this gets used by self.add_option

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
96959b7267 python: getopt: move SambaOption to the top of the file
This is needed for the next commit

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
c688e73358 python: getopt: correctly group and sort imports
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
1f8b4913c6 python: getopt: update super calls to python3 style
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
e209b8d79c python: move comment for check_bytes to docstring
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
22316fea33 python: PEP8 fixup whitespace in getopt.py first
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
029e0457cc netcmd: tests: make check_run and related methods classmethod for consistency
Before that only run_command was turned into a @classmethod, but not
the other related methods which were left unchanged, this made it
inconsistent.

Some of these methods need to be called from setUpTestData so they
really need to be @classmethod anyway.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Rob van der Linde
b543874abc tests: minor indentation and whitespace fixes
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 23:31:29 +00:00
Joseph Sutton
eb21ac8777 tests/krb5: Test whether the device belongs to some default groups
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 00:54:31 +00:00
Joseph Sutton
0f5033a1e7 tests/krb5: Work around Samba’s incorrect krbtgt principal handling
These tests fail only because they are using the ‘krbtgt@REALM’ form of
the krbtgt principal that Samba doesn’t handle correctly.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 00:54:31 +00:00
Joseph Sutton
4e8fb9706e tests/krb5: Remove unnecessary target_creds variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 00:54:31 +00:00
Joseph Sutton
053292a7e8 tests/krb5: Delete connection variable
This avoids a ‘variable set but unused’ warning.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
7ea71c4882 tests/krb5: Make ‘services’ parameter required
We use it unconditionally without a check for None.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
ea10d01bfd tests/krb5: Remove unreachable exception handlers
‘IOError’ is a subclass of ‘error’, which has already been handled.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
e48eb621cd tests/krb5: Fix RC4‐only Protected Users tests
We forgot to actually use the ‘supported_enctypes’ parameter.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
f1babf2f3d tests/krb5: Remove unnecessary f‐strings
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
137499aef6 tests/krb5: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
d363c7bf55 tests/krb5: Fix DES3CBC random_to_key()
Because ‘keybytes’ is an immutable bytes object, ‘keybytes[7] = …’ has
no hope of working.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
a0d32a3980 tests/krb5: Make ‘keybytes’ a bytes object rather than a list
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
69db1b5888 tests/krb5: Don’t expect edata if no error is expected
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
ee43eed635 tests/krb5: Add parameter to _tgs() specifying whether FAST is to be used
View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
991e8f5a7f tests/krb5: Use None for the default values of parameters
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
2ddd8ca3c7 tests/krb5: Move assignments closer to where the variables are used
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
7f860d1cba tests/krb5: Remove incorrect functional level check
RBCD has no relevance to a method called _tgs().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
11835ed5bb tests/krb5: Update method names to be consistent with other tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
88d5ae3218 tests/krb5: Have _modify_tgt() accept only keyword arguments
to prevent further accidents.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
59f7052295 tests/krb5: Correctly pass arguments to _modify_tgt()
We were passing the new realm as the ‘renewable’ parameter!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
a365f04d0f tests/krb5: Add KDC_ERR_SERVER_NOMATCH error code
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
fc475b2e20 tests/krb5: Add ‘expect_edata’ parameter to _user2user()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
fcdc010122 tests/krb5: Fix comment
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
879e7a3c3e tests/krb5: Remove marker
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Stefan Metzmacher
09daeba696 libcli/util: let win_errstr() fallback to hresult_errstr()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-17 19:20:38 +00:00
Joseph Sutton
c15a9af8e5 tests/krb5: Fix ASN.1 source
It currently fails to compile.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-17 03:19:38 +00:00
Joseph Sutton
1712449aa6 tests/krb5: Don’t expect groups if we’re expecting an error
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-17 03:19:38 +00:00
Joseph Sutton
a8a186868e tests/krb5: Fix tests that crash Windows
Expect an actual error code or an outcome, not CRASHES_WINDOWS.

I don’t know which error codes Windows might be expected to produce, so
I’ve chosen some that seem plausible.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-17 03:19:38 +00:00
Joseph Sutton
52ea480543 tests/krb5: Expect a status code with policy errors
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-17 03:19:38 +00:00
Joseph Sutton
b5b8b16a50 tests/krb5: Don’t consider RODC‐issued tickets to be banned with RBCD
If we’re verifying that a ticket was permitted to be issued by an RODC,
and not trusting the group SIDs in the ticket, is there any reason to
ban its use with RBCD?

A client with a ticket issued by an RODC that happens to select a DC to
direct an RBCD request at should not have the request mysteriously fail.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-17 03:19:38 +00:00
Stefan Metzmacher
c99fe118fd tests/krb5/kdc_tgs_tests: add user2user tests using a normal user account
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-16 14:39:33 +00:00
Stefan Metzmacher
97e4aab1a6 CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-16 14:39:33 +00:00
Stefan Metzmacher
7058606112 CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-16 14:39:33 +00:00
Stefan Metzmacher
0c329a0fda CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-16 14:39:33 +00:00
Stefan Metzmacher
3be190dcf7 CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor()
samba-tool drs clone-dc-database was quite useful to find
the true value of nTSecurityDescriptor of the CN=Delete Objects
containers.

Only the auto inherited SACL is available via a ldap search.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-16 14:39:33 +00:00
David Mulder
b76e184c07 gpdupate: Implement Drive Maps Client Side Extension
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-16 00:59:32 +00:00
David Mulder
42d03da306 gpupdate: Test Drive Maps Client Side Extension
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-16 00:59:32 +00:00
Joseph Sutton
1a4ec25b32 tests/krb5: Fix assertion messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 03:50:31 +00:00
Joseph Sutton
2f5833cbb3 tests/krb5: Use assertEqual() instead of assertEquals()
assertEquals() was removed in Python 3.12.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 03:50:31 +00:00
Joseph Sutton
f7009e2a35 python:tests: Use now() instead of utcnow()
utcnow() is deprecated and will be removed in a future version of Python.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 03:50:31 +00:00
Joseph Sutton
af61444d7a python:tests: Remove semicolons
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 03:50:31 +00:00
Joseph Sutton
7efe6b0ab4 python:tests: Correct search expression
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 03:50:31 +00:00
Joseph Sutton
ed97b15fe9 python:tests: Fix comment
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 03:50:31 +00:00
Joseph Sutton
d2196545bb python:tests: Fix exception message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 03:50:31 +00:00
Joseph Sutton
2fa838d439 python:tests: Use assertEqual() instead of assertEquals()
assertEquals() was removed in Python 3.12.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 03:50:31 +00:00
Joseph Sutton
08dbb35e7e python:subunit: Use now() instead of utcnow()
utcnow() is deprecated and will be removed in a future version of Python.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 03:50:31 +00:00
Joseph Sutton
7c89c5880e python:colour: Fix exception message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 03:50:31 +00:00
Joseph Sutton
43cce1d190 tests/krb5: Correctly test services that do not support Compound Identity
These two tests now pass against Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Volker Lendecke
23deb79a28 tests: Add reproducer for bug 15487
Show that smbd crashes if asked to return full information on close of a
stream handle with delete on close disposition set.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-10 08:19:29 +00:00
Joseph Sutton
7b6c17359b tests/krb5: Test that the correct Asserted Identity SID is added when inner FX‐FAST padata is used
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15477

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Sun Oct  1 23:46:44 UTC 2023 on atb-devel-224
2023-10-01 23:46:44 +00:00
Joseph Sutton
46c08652f8 tests/krb5: Add Device Restriction tests for silos and authentication policies in the KDC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
989fb00985 tests/krb5: Add tests performing AS‐REQs armored with unacceptable tickets
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
849ee95984 tests/krb5: Add method to perform an armored AS‐REQ
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
eba1ab0c84 tests/krb5: Initialize variable
This avoids the following exception:

Exception: Traceback (most recent call last):
  File "/samba/bin/python/samba/tests/krb5/kdc_tgs_tests.py", line 2500, in test_renew_pac_request_false
    tgt = self._modify_tgt(tgt, renewable=True)
  File "samba/bin/python/samba/tests/krb5/kdc_tgs_tests.py", line 3014, in _modify_tgt
    return self.modified_ticket(
  File "/samba/bin/python/samba/tests/krb5/raw_testcase.py", line 5694, in modified_ticket
    auth_data, new_pac,
UnboundLocalError: local variable 'new_pac' referenced before assignment

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Kacper
90ba53eee4 samba-tool: Fix for gpo restore not working without --tmpdir
cmd_restore depends on cmd_create but the later cleans up
required temp files for cmd_restore to function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15462

RN: Fix for gpo restore not working without --tmpdir

Signed-off-by: Kacper Boström <kacper@kacper.se>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Sep 29 03:15:18 UTC 2023 on atb-devel-224
2023-09-29 03:15:18 +00:00
Rob van der Linde
12a98ab4fc netcmd: tests: add some tests for valid and invalid SDDL in cli commands
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Rob van der Linde
645b77342f netcmd: auth: add new SDDL fields to create and modify auth policy commands
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Rob van der Linde
385029fbc6 netcmd: models: add SDDL fields to AuthenticationPolicy model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Rob van der Linde
1325e01303 netcmd: models: add SDDL model field
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Rob van der Linde
83d321e764 netcmd: models: add FieldError subclass which stores the field
This is so that errors on the CLI show the field name

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Rob van der Linde
950a70a190 netcmd: models: field to_db_value needs ldb param
Required by SDDL field type added in next commit

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Rob van der Linde
27cd598208 netcmd: tests: modify auth silo cli tests setup their own test data
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Rob van der Linde
2a33355459 netcmd: tests: modify auth policy cli tests setup their own test data
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Rob van der Linde
c01e943127 netcmd: tests: modify claim cli tests setup their own test data
Initially the test data was created in setUp, but it was moved to setUpClass.

The problem with this is tests modifying objects, which could affect the next test.

Create all required data in the test itself for clarity (and also is faster)

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Rob van der Linde
f1d5f93f3d netcmd: tests: test that create objects make use of addCleanup
Since the samdb connection is on the class and hangs around between tests, we need to clean up what we created.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Rob van der Linde
91fa5088b5 netcmd: tests: tests tidyup and make use of setUpTestData
Still only load the test data once per test class, but much easier to read.

Made several methods static for creating/deleting claims, policies and silos.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Rob van der Linde
16c19c470e netcmd: tests: make _run a classmethod in SambaToolCmdTest
So that it can be called from setUpClass as well

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Rob van der Linde
71c191ca9f python: tests: implement setUpTestData overridable class method
On Python 3.6 and 3.7 the addClassCleanup method needs to be implemented, and tearDownClass must be called by setupClass if any exception is raised.

On Python 3.8 and higher, unittest already calls tearDownClass, even if it raises an exception in setUpClass.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Rob van der Linde
7f4db71025 netcmd: tests: avoid the need to create a random command in GetSamDB
Also the code that looks over kwargs is somewhat confusing and unnecessary.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-29 02:18:34 +00:00
Joseph Sutton
08b9d5c7b9 tests/krb5: Add samba.tests.krb5.conditional_ace_tests
This is a test using conditional ACEs and claims to confirm that we understand
the full end-to-end network behaviour of these all the way from the PAC to the
application in the access check of the KDC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep 28 04:35:05 UTC 2023 on atb-devel-224
2023-09-28 04:35:05 +00:00
Joseph Sutton
0e7e46c396 tests/krb5: Add method to replace client or device claims in a PAC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-28 03:33:38 +00:00
Joseph Sutton
6f5368dd32 tests/krb5: Add method to replace the device SIDs in a PAC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-28 03:33:38 +00:00
Joseph Sutton
2d0bdb5ce9 tests/krb5: Have set_pac_sids() accept lone RIDs as well as full SIDs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-28 03:33:38 +00:00
Joseph Sutton
cc1dd00d0f tests/krb5: Make optional ‘domain_sid’ parameter to set_pac_sids()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-28 03:33:38 +00:00
Joseph Sutton
9fb0380cb8 tests/krb5: Make optional ‘user_rid’ parameter to set_pac_sids()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-28 03:33:38 +00:00
Joseph Sutton
34e721030d tests/krb5: Make set_pac_sids() parameters keyword‐only
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-28 03:33:38 +00:00
Joseph Sutton
d6ec0e4f40 tests/krb5: Allow passing mapping=None to map_to_sid()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-28 03:33:38 +00:00
Joseph Sutton
dfd2027d7e tests/krb5: Don’t bother regenerating the PAC if modify_pac_fn or update_pac_checksums are false
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-28 03:33:38 +00:00
Joseph Sutton
d054f583ea tests/krb5: Allow multiple ticket modification functions
This means that callers can specify a stack of possible modifications.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-28 03:33:38 +00:00
Joseph Sutton
60e479d855 tests/krb5: Allow filter for tests that crash Windows
Set CRASH_WINDOWS=0 when running against a Windows DC.  These crashes are
only possible because we can modify the PAC, but having these tests allows
us to lock down Samba behaviour, so we include them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-28 03:33:38 +00:00
Joseph Sutton
939a74e39b tests/krb5: Allow variation in PADATA_PW_SALT
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-28 03:33:38 +00:00
Joseph Sutton
c33ce17454 tests/krb5: Sort imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-28 03:33:38 +00:00
Joseph Sutton
37a32d3b40 python:tests: Remove unused import
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
26ff87dcfe python:tests: Fix invalid escape sequences
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
c0795c807a tests/krb5: Match filter after transforming test name
If you just want to rerun a single test that failed, this removes the
need to successfully guess its untransformed name.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Andrew Bartlett
d9e268db0c python: Change the generic merge_nt_token() to being specific to the system_token
This allows us to punt on the question of merging the claims, as there are
none on the system token.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
e2cc29d132 libcli/security: Pass in claims evaluation state when building any security token
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
978a9e46bb pytest: conditional_ace assembler assembles full descriptor
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
1449294542 libcli/security: beginning of tests for conditional ACE bytes
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
15fe49a2f9 pytest: assembler for conditional ACEs
This is a helper module to construct conditional ACEs that can't be
created from SDDL.

There is a semi-infinite number of valid conditional ACEs that don't
have SDDL representations, and an even larger number of invalid (or
borderline invalid) ACEs.

This allows us to create those ACEs without having to deal with too
many array of numbers.

The next commit provides an example of its use.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
b65ac10096 pytest:conditional_ace_claims: ease export of failing tests to C
When a test fails, this prints a little stanza like

static void test_something(void **state)
{
       INIT();
       USER_SIDS("WD", "AA");
       DEVICE_SIDS("BA", "BG");
       SD("D:(XA;;0x1f;;;AA;(! Member_of{SID(AA)}))");
       DENY_CHECK(0x10);
}

which is exactly right for copying into
libcli/security/tests/test_run_conditional_ace.c
which is much easier to iterate over with compiling and debugging.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
30e6249d22 pytest: tests for conditional ACEs with security tokens
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
044370a0e1 pytest: tools for creating security tokens
Sometimes we need security tokens for tests, and the raw constructor
is not very ergonomic. This wraps it so you can do this:

from samba.tests.token_factory import token as Token
t = Token(['WD', 'AA'],
          privileges=['SEC_PRIV_DEBUG'],
          rights=0x840,
          device_claims={'wheels': 2, 'smelly': 'no'},
          device_sids=['BG'])

and get a security.token object with the expected qualities.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
fabc2f351e pytest: sddl tests with conditional ACEs
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
2a4fc3fedf pytest: sddl strings dir can be defined in class
Before we had to do this in an environment variable. In that case we
are probably wanting to monitor changes, so we like it to print more
messages than we want to see in an autobuild run that will hopefully
never do anything interesting.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
2f30103f92 pytest: sddl tests can be only externally defined
Currently a test suite needs a strings list in order to import new
strings. This lets us avoid that and have the actual tests defined
only in external lists, making it easier to see we're testing the same
thing on Windows and reducing duplication.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
28d2337774 pytest:security_descriptors: test collected conditional ACEs
These tests were named in the superclass, but were not actually run,
nor was the file in git.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
a392b40328 pytest:security descriptors: hack to capture results as json
This makes it easy to separate a large number of examples into
successes and knownfails.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
901f77c543 pytest: security descriptors: test some conditional and RA ACEs
We have two sets of tests: one that will succeed, and one that is going
to remain a knownfail. The latter involves Resource Attribute ACEs that
have the TX type, meaning "byte string".

In MS-DTYP, a bytestring is defined like "#6869210a", with a hash,
followed by an even number of hex digits. In other places on the web, it
is mentioned that zeroes in the string can be replaced by hashes, like so
"#686921#a". We discover via indirect fuzzing that a TX RA ACE can also
take bare integers, like "6869210a" or "2023". As it would be tricky to
support this, and there is no evidence of this occurring in the wild, we
will probably leave this as a knownfail.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
7b9462faf0 pytest: security_descriptors: tests without revision number hack
ACL revision 4 (SECURITY_ACL_REVISION_ADS) is effectively a superset
of revision 2 (SECURITY_ACL_REVISION_NT4), so any revision 2
ACL can be called revision 4 without any problem. But not vice versa:
a revision 4 ACL can contain ACE types that a revision 2 ACL can't. The
extra ACE types relate to objects.

Samba currently simplifies things by calling all its ACLs revision 4,
even if (as is commonly the case) the ACLs contain only revision 2 ACEs.
On the other hand, Windows will use revision 2 whenever it can. In other
tests we skip past this by forcing Windows ACLs to v4 before comparison.
This test is to remind us of the incompatibility.

It would not be hard to fix.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
63be840120 pytest: security_descriptors test for repetitive ACLs
If there are multiple identical ACEs in an SDDL ACL, Windows will decode
them all and put extra trailing zeroes at the end of the ACL.

In contrast, Samba will decode the ACEs and not put extra zeroes at the
end.

The problem comes when Samba tries to read a binary ACL from Windows that
has the extra zeroes, because Samba's ACL size calculation is based on
the size of its constituent ACEs, not the ACL size field.

There is no good reason for an ACL to have repeated ACEs, but they could
be added accidentally.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
5569c17741 pytest: security_descriptors comparison is quieter
This matters when we have a millions failures.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Volker Lendecke
b3cae8dcf1 conf: Remove "smb3 unix extensions" parameter
Always offer it, it's a client thing to ask for it or not.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep 21 17:43:23 UTC 2023 on atb-devel-224
2023-09-21 17:43:23 +00:00
Volker Lendecke
56df75d447 tests: Add reproducer for BZ15481
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15481

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-20 21:48:36 +00:00
Joseph Sutton
e4a81f268d tests/krb5: Rename ‘client_claims’ to ‘claims_metadata’
This variable is used not only for client claims, but for device claims
as well.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
bd8c3afe10 python:tests: Fix invalid escape sequence
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
3fca94cd69 python:tests: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
ba1750082a claims.idl: Be more lenient in our expectations for the compression of claims
384 bytes is not a strict threshold below which claims are never to be
compressed. Windows has been known to compress claims a mere 368 bytes
in size.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
9f5667032c python:tests: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
bb79de4cbe python:tests: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Volker Lendecke
c9a000be41 tests: Add test_symlink_reparse_data_buffer_parse
The blob was taken from a smbclient allinfo command for a Windows
symlink. Show that reparse_data_buffer_parse() is broken.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-08 16:27:39 +00:00
Volker Lendecke
03ce770e8d tests: Create symlinks using posix extensions
This way we can run the tests and more easily put them into knownfail
individually. Before this, everything went into the error category,
which was not so easy to catch in something like knownfail.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-08 16:27:39 +00:00
Douglas Bagnall
1de2af9f30 pytests:security: don't use invalid domain SID S-2-0-0
The '2' is a version number, but there is not yet a version 2, so we
can't even say what the rest of the string should look like.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-07 04:53:41 +00:00
Joseph Sutton
357b520b37 tests/krb5: Have modified_ticket() not modify its arguments
Inexplicable behaviour could result when the same arguments were passed
in across multiple calls.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
b4a2e64110 tests/krb5: Add KerberosCredentials.get_rid()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
7b4b03e5e7 tests/krb5: Re-raise any LdbError other than ERR_ENTRY_ALREADY_EXISTS
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
3f01cf9169 tests/krb5: Correctly assert that we found a LOGON_INFO PAC buffer
Because ‘found_logon_info’ was invariably true, we would miss the case
in which set_pac_sids() failed to accomplish anything, having been
unable to find the LOGON_INFO PAC buffer.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
04cdb13c08 tests/krb5: Remove local variable
This seems a bit clearer to me.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
1def8f04f3 tests/krb5: Move KDC TGT tests to new file
We can now rely on having MIT Kerberos 1.20 available.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
e390e674ec tests/krb5: Remove test of pre-1.20 MIT Kerberos behaviour
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
2b566979ac gp: Use read_file() instead of readfp()
readfp() is deprecated and could be removed in a future version of
Python.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
34042677b7 gp: Fix resource leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
928f2bbc6b gp: Use assertEqual() instead of assertEquals()
assertEquals() is deprecated and could be removed in a future version of
Python.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
953bc91851 gp: Check correct variables
We were intending to check the keys, not the certificates.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
036a523e51 gp: Prefer ‘x not in y’ to ‘not x in y’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
94afa3b194 gp: Don’t shadow imports
Rename a variable that shadows an import of ‘gp_ext’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
5755b4a490 gp: Add missing import
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
de04333b4d pytest/dns_aging: Assert that the name of the node to search for is a string
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
472d80c1c9 pytest/dns_aging: Correctly check that record is tombstoned
We were passing in as the name parameter to assert_tombstoned() an NDR
Python object, rather than a string. This meant that the LDAP search
filter would look something like this:

(&(objectClass=dnsNode)(name=<dnsp.DnssrvRpcRecord talloc based object at 0x29abee0>))

and we would fail to find any records.

These searches should have a better chance of working if we pass in the
name of the record instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
8e5c998b1d pytest/dns_aging: Check value of ‘dtime’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
d3bc6faa7a python:tests: Rename test method so as not to mask previously-defined method
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
bbd0e35f11 python:tests: Complete assertion messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
c4e0d4fbd1 python:tests: Fix usage line
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
83230577ec python: Fix reference to undefined name ‘samba’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
5c5045eeb4 samba-tool: Remove useless return
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
b076cad4b2 python:join: Fix references to undefined variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
b068592dd0 python: Fix invalid escape sequences
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
12f1c7825d python: Remove redundant backslashes
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
fce882ab67 python: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
6c6db88dda python: Fix spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Gabriel Nagy
7dc181757c gp: Send list of keys instead of dict to remove
`cache_get_all_attribute_values` returns a dict whereas we need to pass
a list of keys to `remove`. These will be interpolated in the gpdb search.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Aug 28 03:01:22 UTC 2023 on atb-devel-224
2023-08-28 03:01:22 +00:00
Gabriel Nagy
ee814f7707 gp: Test disabled enrollment unapplies policy
For this we need to stage a Registry.pol file with certificate
autoenrollment enabled, but with checkboxes unticked.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
2a6ae997f2 gp: Template changes should invalidate cache
If certificate templates are added or removed, the autoenroll extension
should react to this and reapply the policy. Previously this wasn't
taken into account.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
2d6943a864 gp: Test adding new cert templates enforces changes
Ensure that cepces-submit reporting additional templates and re-applying
will enforce the updated policy.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
157335ee93 gp: Convert CA certificates to base64
I don't know whether this applies universally, but in our case the
contents of `es['cACertificate'][0]` are binary, so cleanly converting
to a string fails with the following:

'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte

We found a fix to be encoding the certificate to base64 when
constructing the CA list.

Section 4.4.5.2 of MS-CAESO also suggests that the content of
`cACertificate` is binary (OCTET string).

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
1ef722cf66 gp: Test with binary content for certificate data
This fails all GPO-related tests that call `gpupdate --rsop`.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
bce3a89204 gp: Change root cert extension suffix
On Ubuntu, certificates must end in '.crt' in order to be considered by
the `update-ca-certificates` helper.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
fa80d1d864 gp: Support update-ca-trust helper
This is used on RHEL/Fedora instead of update-ca-certificates. They
behave similarly so it's enough to change the command name.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
a1b285e485 gp: Support more global trust directories
In addition to the SUSE global trust directory, add support for RHEL and
Debian-based distributions (including Ubuntu).

To determine the correct directory to use, we iterate over the variants
and stop at the first which is a directory.

In case none is found, fallback to the first option which will produce a
warning as it did previously.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Joseph Sutton
776597bce9 samba-tool: Allow LDB URL to be None
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15458

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-28 02:04:36 +00:00
Douglas Bagnall
882ad16138 pytest: compare Samba vs Windows SDDL security descriptors
Can Samba understand Windows security descriptors? Does it parse SDDL
the same way?

Here we test on over 7000 SDDL/descriptor pairs and find the answer
is pleasing. In later commits we will add more tests using different
classes of ACE.

The test cases are derived from fuzz seeds, exported to Windows via
the script in the last commit, with the Windows descriptor bytes found
using libcli/security/tests/windows/windows-sddl-test.py.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:31 +00:00
Douglas Bagnall
f58372cca5 python/colour: add a colour diff helper
Sometimes colour can help show what is different between two strings.

This is roughly the same as

`git diff --no-index --color-words=. <a> <b>`.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:31 +00:00
Douglas Bagnall
4a1848a1f5 pytest/sddl: tests for more invalid or weird cases
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:30 +00:00
Douglas Bagnall
a8a0ae89c5 pytest/sddl: add option for case-insensitive tests
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:30 +00:00
Douglas Bagnall
5b9f42b391 pytest/sddl: environment option for exporting as fuzz seeds
We want realistic examples for sddl fuzzing seeds, and we want
realistic examples for sddl tests, so hopefully we only need to get
it right once.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:30 +00:00
Douglas Bagnall
7796727453 pytest/sddl: replace/export tests based on environment vars
We had a stupid system involving test functions with side-effects,
that needed to be enabled by editing the file. Now you get the same
effects by setting environment variables, the names of which you can
only learn by reading the file closely.

This works better because some stuff needs to happen at class-time
rather than instance-time.

Also the environment variables specify the import and export locations.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:30 +00:00
Douglas Bagnall
59a2d74107 pytests: add helper to grab a directory from environment
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:30 +00:00
Joseph Sutton
683dab1102 python:tests: Save files with intended contents
We presumably here meant to use the variable ‘contents’, not
‘test_contents’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-21 23:37:29 +00:00
Joseph Sutton
2d6b10da22 python:tests: Fix spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-21 23:37:29 +00:00
Joseph Sutton
981c341389 python:tests: Reuse policies and silos created by setUp() across all tests
We now create the claims in setUp() only once, preserving them so as to
reuse them across all of the tests using this class. Then we finally
delete them all in tearDownClass().

addClassCleanup() could make this cleaner, but it’s available only in
Python 3.8 and above.

This change reduces the time taken by my machine to run
samba.tests.samba_tool.domain_auth_policy from two minutes to ten
seconds.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-21 23:37:29 +00:00
Joseph Sutton
f71893c1a3 python:tests: Reuse claims created by setUp() across all tests
We now create the claims in setUp() only once, preserving them so as to
reuse them across all of the tests in this class. Then we finally delete
them all in tearDownClass().

addClassCleanup() could make this cleaner, but it’s available only in
Python 3.8 and above.

This change reduces the time taken by my machine to run these tests from
four minutes to twenty seconds.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-21 23:37:29 +00:00
Joseph Sutton
a985873c46 python:tests: Make getSamDB() a static method
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-21 23:37:29 +00:00
Joseph Sutton
b7e0068010 python:subunit: Use ‘is’ to compare variables with singletons
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-21 23:37:29 +00:00
Joseph Sutton
c052b17556 python:subunit: Fix docstring
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-21 23:37:29 +00:00
Joseph Sutton
859bbef472 python:netcmd: Remove semicolon
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-21 23:37:29 +00:00
Joseph Sutton
d40293e0df python:netcmd: Add missing newlines to error messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-21 23:37:29 +00:00
Joseph Sutton
37fdd79cc0 tests/krb5: Remove incorrect comments
Now that the INT64 claim IDL definition has been corrected, these tests
should pass against Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15452

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Aug 15 19:41:50 UTC 2023 on atb-devel-224
2023-08-15 19:41:50 +00:00
Joseph Sutton
631e26e1d6 tests/krb5: Add a test decoding INT64 PAC claims issued by Windows
Our NDR code currently handles INT64 claims incorrectly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15452

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-15 18:46:33 +00:00
Joseph Sutton
0cce616843 tests/krb5: Shorten long lines
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15452

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-15 18:46:33 +00:00
Joseph Sutton
2c915e743d tests/krb5: Remove unused import
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15452

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-15 18:46:33 +00:00
Joseph Sutton
7026b08e23 tests/krb5: Test that neither forwardable nor proxiable tickets are issued to Protected Users
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
c9d6a3dd66 tests/krb5: Allow specifying KDC options when requesting a TGT
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
da89b86e52 tests/krb5: Allow specifying additional details for a test account
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
a5492d76d3 tests/krb5: Split out new AuthnPolicyBaseTests class
This class provides a useful base for other tests to build upon.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
55c09c91ea tests/krb5: Move some functions round to prepare for splitting the class
No effective code change.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
942cc0b626 tests/krb5: Keep claim types for subsequent tests
We want to be able to reuse them across several tests.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00