tests/krb5: Align PAC buffer checking to more closely match Windows w…
…ith PacRequestorEnforcement=2

We set EXPECT_EXTRA_PAC_BUFFERS to 0 for the moment. This signifies that
these checks are currently not enforced, which avoids a lot of test
failures.

Signed-off-by: Joseph Sutton <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
jsutton24 authored and abartlet committed Nov 30, 2021
1 parent ec823c2 commit ebc9137
Showing 5 changed files with 168 additions and 65 deletions.
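--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -497,12 +497,18 @@ def test_tgs_req(self):
 def test_renew_req(self):
 creds = self._get_creds()
 tgt = self._get_tgt(creds, renewable=True)
-self._renew_tgt(tgt, expected_error=0)
+self._renew_tgt(tgt, expected_error=0,
+expect_pac_attrs=True,
+expect_pac_attrs_pac_request=True,
+expect_requester_sid=True)
 
 def test_validate_req(self):
 creds = self._get_creds()
 tgt = self._get_tgt(creds, invalid=True)
-self._validate_tgt(tgt, expected_error=0)
+self._validate_tgt(tgt, expected_error=0,
+expect_pac_attrs=True,
+expect_pac_attrs_pac_request=True,
+expect_requester_sid=True)
 
 def test_s4u2self_req(self):
 creds = self._get_creds()
@@ -774,13 +780,17 @@ def test_renew_rodc_revealed(self):
 creds = self._get_creds(replication_allowed=True,
 revealed_to_rodc=True)
 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
-self._renew_tgt(tgt, expected_error=0)
+self._renew_tgt(tgt, expected_error=0,
+expect_pac_attrs=False,
+expect_requester_sid=True)
 
 def test_validate_rodc_revealed(self):
 creds = self._get_creds(replication_allowed=True,
 revealed_to_rodc=True)
 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
-self._validate_tgt(tgt, expected_error=0)
+self._validate_tgt(tgt, expected_error=0,
+expect_pac_attrs=False,
+expect_requester_sid=True)
 
 def test_s4u2self_rodc_revealed(self):
 creds = self._get_creds(replication_allowed=True,
@@ -1434,7 +1444,8 @@ def test_pac_attrs_renew_none(self):
 self._renew_tgt(tgt, expected_error=0,
 expect_pac=True,
 expect_pac_attrs=True,
-expect_pac_attrs_pac_request=None)
+expect_pac_attrs_pac_request=None,
+expect_requester_sid=True)
 
 def test_pac_attrs_renew_false(self):
 creds = self._get_creds()
@@ -1447,7 +1458,8 @@ def test_pac_attrs_renew_false(self):
 self._renew_tgt(tgt, expected_error=0,
 expect_pac=True,
 expect_pac_attrs=True,
-expect_pac_attrs_pac_request=False)
+expect_pac_attrs_pac_request=False,
+expect_requester_sid=True)
 
 def test_pac_attrs_renew_true(self):
 creds = self._get_creds()
@@ -1460,7 +1472,8 @@ def test_pac_attrs_renew_true(self):
 self._renew_tgt(tgt, expected_error=0,
 expect_pac=True,
 expect_pac_attrs=True,
-expect_pac_attrs_pac_request=True)
+expect_pac_attrs_pac_request=True,
+expect_requester_sid=True)
 
 def test_pac_attrs_rodc_renew_none(self):
 creds = self._get_creds(replication_allowed=True,
@@ -1473,8 +1486,8 @@ def test_pac_attrs_rodc_renew_none(self):
 
 self._renew_tgt(tgt, expected_error=0,
 expect_pac=True,
-expect_pac_attrs=True,
-expect_pac_attrs_pac_request=None)
+expect_pac_attrs=False,
+expect_requester_sid=True)
 
 def test_pac_attrs_rodc_renew_false(self):
 creds = self._get_creds(replication_allowed=True,
@@ -1487,8 +1500,8 @@ def test_pac_attrs_rodc_renew_false(self):
 
 self._renew_tgt(tgt, expected_error=0,
 expect_pac=True,
-expect_pac_attrs=True,
-expect_pac_attrs_pac_request=False)
+expect_pac_attrs=False,
+expect_requester_sid=True)
 
 def test_pac_attrs_rodc_renew_true(self):
 creds = self._get_creds(replication_allowed=True,
@@ -1501,8 +1514,8 @@ def test_pac_attrs_rodc_renew_true(self):
 
 self._renew_tgt(tgt, expected_error=0,
 expect_pac=True,
-expect_pac_attrs=True,
-expect_pac_attrs_pac_request=True)
+expect_pac_attrs=False,
+expect_requester_sid=True)
 
 def test_pac_attrs_missing_renew_none(self):
 creds = self._get_creds()
@@ -1515,7 +1528,8 @@ def test_pac_attrs_missing_renew_none(self):
 
 self._renew_tgt(tgt, expected_error=0,
 expect_pac=True,
-expect_pac_attrs=False)
+expect_pac_attrs=False,
+expect_requester_sid=True)
 
 def test_pac_attrs_missing_renew_false(self):
 creds = self._get_creds()
@@ -1528,7 +1542,8 @@ def test_pac_attrs_missing_renew_false(self):
 
 self._renew_tgt(tgt, expected_error=0,
 expect_pac=True,
-expect_pac_attrs=False)
+expect_pac_attrs=False,
+expect_requester_sid=True)
 
 def test_pac_attrs_missing_renew_true(self):
 creds = self._get_creds()
@@ -1541,7 +1556,8 @@ def test_pac_attrs_missing_renew_true(self):
 
 self._renew_tgt(tgt, expected_error=0,
 expect_pac=True,
-expect_pac_attrs=False)
+expect_pac_attrs=False,
+expect_requester_sid=True)
 
 def test_pac_attrs_missing_rodc_renew_none(self):
 creds = self._get_creds(replication_allowed=True,
@@ -1555,7 +1571,8 @@ def test_pac_attrs_missing_rodc_renew_none(self):
 
 self._renew_tgt(tgt, expected_error=0,
 expect_pac=True,
-expect_pac_attrs=False)
+expect_pac_attrs=False,
+expect_requester_sid=True)
 
 def test_pac_attrs_missing_rodc_renew_false(self):
 creds = self._get_creds(replication_allowed=True,
@@ -1569,7 +1586,8 @@ def test_pac_attrs_missing_rodc_renew_false(self):
 
 self._renew_tgt(tgt, expected_error=0,
 expect_pac=True,
-expect_pac_attrs=False)
+expect_pac_attrs=False,
+expect_requester_sid=True)
 
 def test_pac_attrs_missing_rodc_renew_true(self):
 creds = self._get_creds(replication_allowed=True,
@@ -1583,7 +1601,8 @@ def test_pac_attrs_missing_rodc_renew_true(self):
 
 self._renew_tgt(tgt, expected_error=0,
 expect_pac=True,
-expect_pac_attrs=False)
+expect_pac_attrs=False,
+expect_requester_sid=True)
 
 def test_tgs_pac_attrs_none(self):
 creds = self._get_creds()
@@ -1593,8 +1612,7 @@ def test_tgs_pac_attrs_none(self):
 expect_pac_attrs_pac_request=None)
 
 self._run_tgs(tgt, expected_error=0, expect_pac=True,
-expect_pac_attrs=True,
-expect_pac_attrs_pac_request=None)
+expect_pac_attrs=False)
 
 def test_tgs_pac_attrs_false(self):
 creds = self._get_creds()
@@ -1603,7 +1621,8 @@ def test_tgs_pac_attrs_false(self):
 expect_pac_attrs=True,
 expect_pac_attrs_pac_request=False)
 
-self._run_tgs(tgt, expected_error=0, expect_pac=False)
+self._run_tgs(tgt, expected_error=0, expect_pac=False,
+expect_pac_attrs=False)
 
 def test_tgs_pac_attrs_true(self):
 creds = self._get_creds()
@@ -1613,8 +1632,7 @@ def test_tgs_pac_attrs_true(self):
 expect_pac_attrs_pac_request=True)
 
 self._run_tgs(tgt, expected_error=0, expect_pac=True,
-expect_pac_attrs=True,
-expect_pac_attrs_pac_request=True)
+expect_pac_attrs=False)
 
 def test_as_requester_sid(self):
 creds = self._get_creds()
@@ -1639,8 +1657,7 @@ def test_tgs_requester_sid(self):
 expect_requester_sid=True)
 
 self._run_tgs(tgt, expected_error=0, expect_pac=True,
-expected_sid=sid,
-expect_requester_sid=True)
+expect_requester_sid=False)
 
 def test_tgs_requester_sid_renew(self):
 creds = self._get_creds()
@@ -1655,6 +1672,8 @@ def test_tgs_requester_sid_renew(self):
 tgt = self._modify_tgt(tgt, renewable=True)
 
 self._renew_tgt(tgt, expected_error=0, expect_pac=True,
+expect_pac_attrs=True,
+expect_pac_attrs_pac_request=None,
 expected_sid=sid,
 expect_requester_sid=True)
 
@@ -1672,6 +1691,7 @@ def test_tgs_requester_sid_rodc_renew(self):
 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True)
 
 self._renew_tgt(tgt, expected_error=0, expect_pac=True,
+expect_pac_attrs=False,
 expected_sid=sid,
 expect_requester_sid=True)
 
@@ -1738,7 +1758,10 @@ def test_renew_pac_request_none(self):
 tgt = self.get_tgt(creds, pac_request=None)
 tgt = self._modify_tgt(tgt, renewable=True)
 
-tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None)
+tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None,
+expect_pac_attrs=True,
+expect_pac_attrs_pac_request=None,
+expect_requester_sid=True)
 
 ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
 
@@ -1750,7 +1773,10 @@ def test_renew_pac_request_false(self):
 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
 tgt = self._modify_tgt(tgt, renewable=True)
 
-tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None)
+tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None,
+expect_pac_attrs=True,
+expect_pac_attrs_pac_request=False,
+expect_requester_sid=True)
 
 ticket = self._run_tgs(tgt, expected_error=0, expect_pac=False)
 
@@ -1762,7 +1788,10 @@ def test_renew_pac_request_true(self):
 tgt = self.get_tgt(creds, pac_request=True)
 tgt = self._modify_tgt(tgt, renewable=True)
 
-tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None)
+tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None,
+expect_pac_attrs=True,
+expect_pac_attrs_pac_request=True,
+expect_requester_sid=True)
 
 ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
 
@@ -1774,7 +1803,10 @@ def test_validate_pac_request_none(self):
 tgt = self.get_tgt(creds, pac_request=None)
 tgt = self._modify_tgt(tgt, invalid=True)
 
-tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None)
+tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None,
+expect_pac_attrs=True,
+expect_pac_attrs_pac_request=None,
+expect_requester_sid=True)
 
 ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
 
@@ -1786,7 +1818,10 @@ def test_validate_pac_request_false(self):
 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
 tgt = self._modify_tgt(tgt, invalid=True)
 
-tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None)
+tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None,
+expect_pac_attrs=True,
+expect_pac_attrs_pac_request=False,
+expect_requester_sid=True)
 
 ticket = self._run_tgs(tgt, expected_error=0, expect_pac=False)
 
@@ -1798,7 +1833,10 @@ def test_validate_pac_request_true(self):
 tgt = self.get_tgt(creds, pac_request=True)
 tgt = self._modify_tgt(tgt, invalid=True)
 
-tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None)
+tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None,
+expect_pac_attrs=True,
+expect_pac_attrs_pac_request=True,
+expect_requester_sid=True)
 
 ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
 
@@ -1946,7 +1984,7 @@ def test_tgs_rodc_pac_request_false(self):
 
 ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
 
-pac = self.get_ticket_pac(ticket, expect_pac=False)
+pac = self.get_ticket_pac(ticket)
 self.assertIsNotNone(pac)
 
 def test_tgs_rodc_pac_request_true(self):
@@ -2279,12 +2317,21 @@ def _renew_tgt(self, tgt, expected_error, expect_pac=True,
 expect_requester_sid=expect_requester_sid,
 expected_sid=expected_sid)
 
-def _validate_tgt(self, tgt, expected_error, expect_pac=True):
+def _validate_tgt(self, tgt, expected_error, expect_pac=True,
+expect_pac_attrs=None,
+expect_pac_attrs_pac_request=None,
+expect_requester_sid=None,
+expected_sid=None):
 krbtgt_creds = self.get_krbtgt_creds()
 kdc_options = str(krb5_asn1.KDCOptions('validate'))
-return self._tgs_req(tgt, expected_error, krbtgt_creds,
-kdc_options=kdc_options,
-expect_pac=expect_pac)
+return self._tgs_req(
+tgt, expected_error, krbtgt_creds,
+kdc_options=kdc_options,
+expect_pac=expect_pac,
+expect_pac_attrs=expect_pac_attrs,
+expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
+expect_requester_sid=expect_requester_sid,
+expected_sid=expected_sid)
 
 def _s4u2self(self, tgt, tgt_creds, expected_error, expect_pac=True,
 expect_edata=False, expected_status=None):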
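Review bot: In the last hunk, `_validate_tgt` gains `expect_pac_attrs`, `expect_pac_attrs_pac_request` and `expect_requester_sid` with a default of `None`, yet `None` is also passed on purpose as an expected value (for example `expect_pac_attrs_pac_request=None` in `test_validate_pac_request_none`), so "not checked" and "expected to be unset" look the same at the call site. `_tgs_req` is outside this diff, so how it interprets `None` is an assumption here; a short docstring on `_validate_tgt` (and on the matching `_renew_tgt`) stating what `True`, `False` and `None` each assert would settle it. The commit message says these buffer checks are not enforced while `EXPECT_EXTRA_PAC_BUFFERS` is 0, so the many new `expect_requester_sid=True` expectations presumably pass even when the requester SID buffer is absent; a comment such as `# NOTE: PAC attributes / requester SID expectations only take effect once EXPECT_EXTRA_PAC_BUFFERS is enabled` beside the helper would keep that gap visible to whoever relies on these tests as coverage for the requester check. The follow-up `_run_tgs(tgt, expected_error=0, expect_pac=True)` calls after each renew/validate pass neither expectation, so the service-ticket half of those tests appears to assert nothing about either buffer.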