The branch, master has been updated
       via  403598b3076 s4-dsdb:tests: Correctly handle LdbError
       via  38468aa6e8f s4-dsdb:tests: Fix AD DC performance tests
       via  d5f053711bd ldb: Make ldb_msg_remove_attr O(n)
       via  598eaa34741 tests/krb5: Remove old device info and device claims tests
       via  0153f6c1f4d tests/krb5: Add tests for device claims
       via  0ac800d0081 tests/krb5: Add tests for device info
       via  24ee602acb2 tests/krb5: Overhaul check_device_info()
       via  fa3d693b28f tests/krb5: Allow creating a target server account with or without compound ID support
       via  53400a6dfeb tests/krb5: Don't specify extra enctypes for the krbtgt
       via  77188f48824 tests/krb5: Allow adding members to a group and changing its type in a single operation
       via  75154702d2f tests/krb5: Add test for compressed claim
       via  5c744ff9f79 tests/krb5: Test we get correct values for integer syntax claims
       via  3550173c804 tests/krb5: Require domain_sid to be non-None when passing a RID to map_to_sid()
       via  d95b4303ea3 tests/krb5: Allow group_setup to be None in setup_groups()
       via  98393d7bfa0 tests/krb5: Test more descriptive security descriptor
       via  567f30c5740 tests/krb5: Document and tidy up existing claims tests
       via  23ce6f30e28 tests/krb5: Allow creating accounts supporting claims or compound identity separately
       via  ad19dd100f6 tests/krb5: Make arguments to get_target() keyword arguments
       via  644c4ae8d0f tests/krb5: Split out device info checking into new method
       via  60c07a49d76 tests/krb5: Fix typo
       via  662639e8ee3 tests/krb5: Move some claims tests around
       via  cbd0955bbd7 tests/krb5: Add type to expect a value is one of a set of possible types
       via  2c6ff2ad07d tests/krb5: Allow comparing UnorderedLists only with one another
       via  3c333037cd2 tests/krb5: Unconditionally check compressed claims
       via  04fd475b434 tests/krb5: Remove unused import
      from  a1780ed8d1b rpcd: With npa->need_idle_server we can have more than 256 servers

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------

commit 403598b3076896287c84059a93569f0e0f3efb80
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Feb 17 16:32:42 2023 +1300

    s4-dsdb:tests: Correctly handle LdbError

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Mar  8 05:37:08 UTC 2023 on atb-devel-224

commit 38468aa6e8fd8db3aec9c860ab5c8edf1be83e3c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Feb 17 11:46:09 2023 +1300

    s4-dsdb:tests: Fix AD DC performance tests

    Calling cmd._run() directly would fail due to the 'command_name'
    attribute being absent, so these tests would fail to run. Fix this by
    using the samba.netcmd.main.samba_tool helper function.

    Check the return code as well for good measure.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d5f053711bd5b78f2eff035b4b287995ae286901
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jan 27 08:06:47 2023 +1300

    ldb: Make ldb_msg_remove_attr O(n)

    Previously it was O(n²).

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 598eaa3474191d29ab2f1a356a26e479a441a198
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 11:33:15 2023 +1300

    tests/krb5: Remove old device info and device claims tests

    They have been made superfluous by newer declarative tests in
    claims_tests.py and device_tests.py.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0153f6c1f4dfc56608e767ec4a8ad25c0f1b1867
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 12:20:38 2023 +1300

    tests/krb5: Add tests for device claims

    These test the interaction between claims and groups in the PAC.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0ac800d0081fb893effaa555d3117102556a7b75
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 11:48:22 2023 +1300

    tests/krb5: Add tests for device info

    These tests verify that the groups in the device info structure in the
    PAC are exactly as expected under various scenarios.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 24ee602acb2ec5aea1c52edce8740a1982fb12be
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 13:41:19 2023 +1300

    tests/krb5: Overhaul check_device_info()

    With expected_device_groups, tests can now specify particular group
    arrangements they expect to see.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fa3d693b28f3079e1f813dcbcd74007f238df56f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 13:24:17 2023 +1300

    tests/krb5: Allow creating a target server account with or without compound ID support

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 53400a6dfebb748dde4fe90bb2a9f34c2b1905bf
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 13:22:09 2023 +1300

    tests/krb5: Don't specify extra enctypes for the krbtgt

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 77188f4882448733d75b50c4add59841eef3838f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 13:20:31 2023 +1300

    tests/krb5: Allow adding members to a group and changing its type in a single operation

    This is needed in order to get some specific group setups for tests.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 75154702d2fcf5c593d9be43f7871333b05217f3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 13:17:49 2023 +1300

    tests/krb5: Add test for compressed claim

    Create a claim large enough to cause it to be compressed.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5c744ff9f79aaa0576809b656cd973fc0c94f092
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 13:10:14 2023 +1300

    tests/krb5: Test we get correct values for integer syntax claims

    Windows erroneously shifts integer syntax claim values four bytes to the
    right, resulting in incorrect values (if only one claim is present) or
    corrupt claims data that cannot be unpacked (if other claims are
    present). There's no reason to emulate such broken behaviour.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3550173c8042c4c6b98194a6d6cda8d83f9aa1aa
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 13:04:09 2023 +1300

    tests/krb5: Require domain_sid to be non-None when passing a RID to map_to_sid()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d95b4303ea3c5c16afdad92850512d4a18ff8aee
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 12:32:06 2023 +1300

    tests/krb5: Allow group_setup to be None in setup_groups()

    'git show -b' shows that not much actually changes.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 98393d7bfa0a291743d6a2ce9308287c3426f85d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 12:25:06 2023 +1300

    tests/krb5: Test more descriptive security descriptor

    This one has more flags set, so we can test whether we're getting our
    string representation right.

    Samba prints the flags in a different order from Windows, but fixing
    that now would be too risky and involve far too much churn for minimal
    benefit. (Consider how many tests verify security descriptors against
    string constants...) Instead, allow one of two possible security
    descriptors.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 567f30c574098433141de031398bac7ab96e9c0d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 12:22:35 2023 +1300

    tests/krb5: Document and tidy up existing claims tests

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 23ce6f30e289fcc5ebc4e54a2cd0dd3e47adda6e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 12:20:06 2023 +1300

    tests/krb5: Allow creating accounts supporting claims or compound identity separately

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ad19dd100f6a6e2d4b80ac761902a4aed992935b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 12:02:35 2023 +1300

    tests/krb5: Make arguments to get_target() keyword arguments

    This avoids mistakes by ensuring that passed-in arguments go to their
    intended destinations.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 644c4ae8d0fbe0b20488a0b06654920c3d7ca8d6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 11:55:42 2023 +1300

    tests/krb5: Split out device info checking into new method

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 60c07a49d762d247b2b0b81800d96e5b6bdc73e3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 11:42:23 2023 +1300

    tests/krb5: Fix typo

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 662639e8ee37ca83e379a64cb3ba7a8d11af084c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 11:29:29 2023 +1300

    tests/krb5: Move some claims tests around

    It's helpful to have the test declarations be together for better
    locality and ease of reading.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit cbd0955bbd70df9e48a439c5be25b15c03819171
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 11:19:02 2023 +1300

    tests/krb5: Add type to expect a value is one of a set of possible types

    This is useful for cases where we differ from Windows in some minor
    detail, and where the effort required to reach parity is unjustifiably
    high.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2c6ff2ad07d71c79bb3564428c9751f2ce2a5451
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 11:20:46 2023 +1300

    tests/krb5: Allow comparing UnorderedLists only with one another

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3c333037cd25687237b7cb0024f31ebaeae5e5cd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 11:39:55 2023 +1300

    tests/krb5: Unconditionally check compressed claims

    not only if STRICT_CHECKING=1.

    This also fixes a bug where the call to huffman_decompress() was
    indented incorrectly.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 04fd475b434d95cdfe3f771386b8d00bde836abf
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 3 13:45:21 2023 +1300

    tests/krb5: Remove unused import

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: lib/ldb/common/ldb_msg.c | 13 +- python/samba/tests/krb5/claims_tests.py | 864 ++++++--- python/samba/tests/krb5/device_tests.py | 2045 ++++++++++++++++++++ python/samba/tests/krb5/fast_tests.py | 2 + python/samba/tests/krb5/group_tests.py | 6 +- python/samba/tests/krb5/kdc_base_test.py | 119 +- python/samba/tests/krb5/raw_testcase.py | 195 +- python/samba/tests/usage.py | 1 + selftest/knownfail_heimdal_kdc | 48 +- selftest/knownfail_mit_kdc | 62 +- .../dsdb/tests/python/ad_dc_medley_performance.py | 18 +- source4/dsdb/tests/python/ad_dc_performance.py | 16 +- .../tests/python/ad_dc_provision_performance.py | 10 +- source4/selftest/tests.py | 4 + 14 files changed, 2972 insertions(+), 431 deletions(-) create mode 100755 python/samba/tests/krb5/device_tests.py Changeset truncated at 500 lines: diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c index 9cd7998e21c..4146de185d7 100644 --- a/lib/ldb/common/ldb_msg.c +++ b/lib/ldb/common/ldb_msg.c @@ -1464,11 +1464,18 @@ void ldb_msg_remove_element(struct ldb_message *msg, struct ldb_message_element */ void ldb_msg_remove_attr(struct ldb_message *msg, const char *attr) { - struct ldb_message_element *el; + unsigned int i; + unsigned int num_del = 0; - while ((el = ldb_msg_find_element(msg, attr)) != NULL) { - ldb_msg_remove_element(msg, el); + for (i = 0; i < msg->num_elements; ++i) { + if (ldb_attr_cmp(msg->elements[i].name, attr) == 0) { + ++num_del; + } else if (num_del) { + msg->elements[i - num_del] = msg->elements[i]; + } } + + msg->num_elements -= num_del; } /* diff --git a/python/samba/tests/krb5/claims_tests.py b/python/samba/tests/krb5/claims_tests.py index 9d5121e69ec..78c78476e0c 100755 --- a/python/samba/tests/krb5/claims_tests.py +++ b/python/samba/tests/krb5/claims_tests.py 
@@ -31,31 +31,77 @@ from samba.dcerpc import claims, krb5pac, security from samba.tests import DynamicTestCase, env_get_var_value from samba.tests.krb5 import kcrypto from samba.tests.krb5.kcrypto import Enctype -from samba.tests.krb5.kdc_base_test import KDCBaseTest -from samba.tests.krb5.raw_testcase import Krb5EncryptionKey +from samba.tests.krb5.kdc_base_test import GroupType, KDCBaseTest, Principal +from samba.tests.krb5.raw_testcase import Krb5EncryptionKey, RawKerberosTest from samba.tests.krb5.rfc4120_constants import ( AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5, KRB_TGS_REP, NT_PRINCIPAL, - NT_SRV_INST, ) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +SidType = RawKerberosTest.SidType + global_asn1_print = False global_hexdump = False class UnorderedList(list): def __eq__(self, other): - if isinstance(other, UnorderedList): - return sorted(self) == sorted(other) - else: + if not isinstance(other, UnorderedList): + raise AssertionError('unexpected comparison attempt') + return sorted(self) == sorted(other) + + +# Use this to assert that each element of a list belongs to a set() of +# acceptable elements. +class OneOf(list): + def __eq__(self, other): + if not isinstance(other, OneOf): + raise AssertionError('unexpected comparison attempt') + + # Lists are of different lengths, so we're trivially done. + if len(self) != len(other): return False + # Now we know that the lists are of equal length, we can compare their + # elements. These can be normal elements, or set()s to allow any one of + # the members of the set to match. + + def elem_eq(this, that): + if isinstance(this, set): + if isinstance(that, set): + raise AssertionError('both sides unexpectedly sets') + # Is 'that' contained in the set() of acceptable values, + # 'this'? + return that in this + + if isinstance(that, set): + # Is 'this' contained in the set() of acceptable values, + # 'that'? + return this in that + + # Neither element is a set(). Compare elements directly. 
+ return this == that + + # Are all the elements equal? + return all(map(elem_eq, self, other)) + @DynamicTestCase class ClaimsTests(KDCBaseTest): + # Placeholder objects that represent accounts undergoing testing. + user = object() + mach = object() + + # Constants for group SID attributes. + default_attrs = security.SE_GROUP_DEFAULT_FLAGS + resource_attrs = default_attrs | security.SE_GROUP_RESOURCE + + asserted_identity = security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY + compounded_auth = security.SID_COMPOUNDED_AUTHENTICATION + @classmethod def setUpClass(cls): super().setUpClass() 
@@ -178,12 +224,95 @@ class ClaimsTests(KDCBaseTest): modify_pac_fn=modify_pac_fn, checksum_keys=self.get_krbtgt_checksum_key()) + def test_tgs_claims(self): + self.run_tgs_test(remove_claims=False, to_krbtgt=False) + + def test_tgs_claims_remove_claims(self): + self.run_tgs_test(remove_claims=True, to_krbtgt=False) + + def test_tgs_claims_to_krbtgt(self): + self.run_tgs_test(remove_claims=False, to_krbtgt=True) + + def test_tgs_claims_remove_claims_to_krbtgt(self): + self.run_tgs_test(remove_claims=True, to_krbtgt=True) + def test_delegation_claims(self): self.run_delegation_test(remove_claims=False) def test_delegation_claims_remove_claims(self): self.run_delegation_test(remove_claims=True) + # Create a user account with an applicable claim for the 'middleName' + # attribute. After obtaining a TGT, from which we optionally remove the + # claims, change the middleName attribute values for the account in the + # database to a different value. By which we may observe, when examining + # the reply to our following Kerberos TGS request, whether the claims + # contained therein are taken directly from the ticket, or obtained fresh + # from the database. + def run_tgs_test(self, remove_claims, to_krbtgt): + samdb = self.get_samdb() + user_creds, user_dn = self.create_account(samdb, + self.get_new_username(), + additional_details={ + 'middleName': 'foo', + }) + + claim_id = self.get_new_username() + self.create_claim(claim_id, + enabled=True, + attribute='middleName', + single_valued=True, + source_type='AD', + for_classes=['user'], + value_type=claims.CLAIM_TYPE_STRING) + + expected_claims = { + claim_id: { + 'source_type': claims.CLAIMS_SOURCE_TYPE_AD, + 'type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + }, + } + + # Get a TGT for the user. 
+ tgt = self.get_tgt(user_creds, expect_pac=True, + expect_client_claims=True, + expected_client_claims=expected_claims) + + if remove_claims: + tgt = self.remove_client_claims(tgt) + + # Change the value of the attribute used for the claim. + msg = ldb.Message(ldb.Dn(samdb, user_dn)) + msg['middleName'] = ldb.MessageElement('bar', + ldb.FLAG_MOD_REPLACE, + 'middleName') + samdb.modify(msg) + + if to_krbtgt: + target_creds = self.get_krbtgt_creds() + sname = self.get_krbtgt_sname() + else: + target_creds = self.get_service_creds() + sname = None + + # Get a service ticket for the user. The claim value should not have + # changed, indicating that the client claims are propagated straight + # through. + self.get_service_ticket( + tgt, target_creds, + sname=sname, + expect_pac=True, + expect_client_claims=not remove_claims, + expected_client_claims=(expected_claims + if not remove_claims else None)) + + # Perform a test similar to that preceeding. This time, create both a user + # and a computer account, each having an applicable claim. After obtaining + # tickets, from which the claims are optionally removed, change the claim + # attribute of each account to a different value. Then perform constrained + # delegation with the user's service ticket, verifying that the user's + # claims are carried into the resulting ticket. def run_delegation_test(self, remove_claims): service_creds = self.get_service_creds() service_spn = service_creds.get_spn() @@ -228,7 +357,7 @@ class ClaimsTests(KDCBaseTest): 'values': ['user_old'], }, } - expected_claims_mac = { + expected_claims_mach = { claim_id: { 'source_type': claims.CLAIMS_SOURCE_TYPE_AD, 'type': claims.CLAIM_TYPE_STRING, 
@@ -254,20 +383,20 @@ class ClaimsTests(KDCBaseTest): mach_tgt = self.get_tgt(mach_creds, expect_pac=True, expect_client_claims=True, - expected_client_claims=expected_claims_mac) + expected_client_claims=expected_claims_mach) if remove_claims: user_ticket = self.remove_client_claims(user_ticket) mach_tgt = self.remove_client_claims(mach_tgt) - # Change the value of the attributes used for the claim. + # Change the value of the attribute used for the user claim. msg = ldb.Message(ldb.Dn(samdb, user_dn)) msg['middleName'] = ldb.MessageElement('user_new', ldb.FLAG_MOD_REPLACE, 'middleName') samdb.modify(msg) - # Change the value of the attributes used for the claim. + # Change the value of the attribute used for the machine claim. msg = ldb.Message(ldb.Dn(samdb, mach_dn)) msg['middleName'] = ldb.MessageElement('mach_new', ldb.FLAG_MOD_REPLACE, @@ -300,8 +429,11 @@ class ClaimsTests(KDCBaseTest): etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + # The user's claims are propagated into the new ticket, while the + # machine's claims are dispensed with. expected_claims = expected_claims_user if not remove_claims else None + # Perform constrained delegation. kdc_exchange_dict = self.tgs_exchange_dict( expected_crealm=user_realm, expected_cname=user_cname, 
@@ -320,264 +452,15 @@ class ClaimsTests(KDCBaseTest): expected_transited_services=expected_transited_services, expect_client_claims=not remove_claims, expected_client_claims=expected_claims, + expect_device_claims=False, expect_pac=True) - self._generic_kdc_exchange(kdc_exchange_dict, - cname=None, - realm=service_realm, - sname=service_sname, - etypes=etypes, - additional_tickets=additional_tickets) - - def test_tgs_claims(self): - self.run_tgs_test(remove_claims=False, to_krbtgt=False) - - def test_tgs_claims_remove_claims(self): - self.run_tgs_test(remove_claims=True, to_krbtgt=False) - - def test_tgs_claims_to_krbtgt(self): - self.run_tgs_test(remove_claims=False, to_krbtgt=True) - - def test_tgs_claims_remove_claims_to_krbtgt(self): - self.run_tgs_test(remove_claims=True, to_krbtgt=True) - - def run_tgs_test(self, remove_claims, to_krbtgt): - samdb = self.get_samdb() - user_creds, user_dn = self.create_account(samdb, - self.get_new_username(), - additional_details={ - 'middleName': 'foo', - }) - - claim_id = self.get_new_username() - self.create_claim(claim_id, - enabled=True, - attribute='middleName', - single_valued=True, - source_type='AD', - for_classes=['user'], - value_type=claims.CLAIM_TYPE_STRING) - - expected_claims = { - claim_id: { - 'source_type': claims.CLAIMS_SOURCE_TYPE_AD, - 'type': claims.CLAIM_TYPE_STRING, - 'values': ['foo'], - }, - } - - # Get a TGT for the user. - tgt = self.get_tgt(user_creds, expect_pac=True, - expect_client_claims=True, - expected_client_claims=expected_claims) - - if remove_claims: - tgt = self.remove_client_claims(tgt) - - # Change the value of the attribute used for the claim. 
- msg = ldb.Message(ldb.Dn(samdb, user_dn)) - msg['middleName'] = ldb.MessageElement('bar', - ldb.FLAG_MOD_REPLACE, - 'middleName') - samdb.modify(msg) - - if to_krbtgt: - target_creds = self.get_krbtgt_creds() - sname = self.get_krbtgt_sname() - else: - target_creds = self.get_service_creds() - sname = None - - # Get a service ticket for the user. The value should not have changed. - self.get_service_ticket( - tgt, target_creds, - sname=sname, - expect_pac=True, - expect_client_claims=not remove_claims, - expected_client_claims=(expected_claims - if not remove_claims else None)) - - def test_device_info(self): - self._run_device_info_test(to_krbtgt=False) - - def test_device_info_to_krbtgt(self): - self._run_device_info_test(to_krbtgt=True) - - def _run_device_info_test(self, to_krbtgt): - user_creds = self.get_cached_creds( - account_type=self.AccountType.USER) - user_tgt = self.get_tgt(user_creds) - - mach_creds = self.get_cached_creds( - account_type=self.AccountType.COMPUTER) - mach_tgt = self.get_tgt(mach_creds) - - samdb = self.get_samdb() - expected_sid = self.get_objectSid(samdb, user_creds.get_dn()) - - subkey = self.RandomKey(user_tgt.session_key.etype) - - armor_subkey = self.RandomKey(subkey.etype) - explicit_armor_key = self.generate_armor_key(armor_subkey, - mach_tgt.session_key) - armor_key = kcrypto.cf2(explicit_armor_key.key, - subkey.key, - b'explicitarmor', - b'tgsarmor') - armor_key = Krb5EncryptionKey(armor_key, None) - - target_creds, sname = self.get_target( - to_krbtgt, - extra_enctypes=security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED) - srealm = target_creds.get_realm() - - decryption_key = self.TicketDecryptionKey_from_creds( - target_creds) - - etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) - - kdc_options = '0' - pac_options = '1' # claims support - - kdc_exchange_dict = self.tgs_exchange_dict( - expected_crealm=user_tgt.crealm, - expected_cname=user_tgt.cname, - expected_srealm=srealm, - expected_sname=sname, - 
ticket_decryption_key=decryption_key, - generate_fast_fn=self.generate_simple_fast, - generate_fast_armor_fn=self.generate_ap_req, - check_rep_fn=self.generic_check_kdc_rep, - check_kdc_private_fn=self.generic_check_kdc_private, - tgt=user_tgt, - armor_key=armor_key, - armor_tgt=mach_tgt, - armor_subkey=armor_subkey, - pac_options=pac_options, - authenticator_subkey=subkey, - kdc_options=kdc_options, - expect_pac=True, - expect_pac_attrs=to_krbtgt, - expect_pac_attrs_pac_request=to_krbtgt, - expected_sid=expected_sid, - expect_device_claims=not to_krbtgt, - expect_device_info=not to_krbtgt) - rep = self._generic_kdc_exchange(kdc_exchange_dict, cname=None, - realm=srealm, - sname=sname, - etypes=etypes) - self.check_reply(rep, KRB_TGS_REP) - - def test_device_claims(self): - self._run_device_claims_test(to_krbtgt=False) - - def test_device_claims_to_krbtgt(self): - self._run_device_claims_test(to_krbtgt=True) - - def _run_device_claims_test(self, to_krbtgt): - user_creds = self.get_cached_creds( - account_type=self.AccountType.USER) - user_tgt = self.get_tgt(user_creds) - - samdb = self.get_samdb() - mach_creds, mach_dn = self.create_account( - samdb, - self.get_new_username(), - account_type=self.AccountType.COMPUTER, - additional_details={ - 'middleName': 'foo', - }) - - claim_id = self.get_new_username() - self.create_claim(claim_id, - enabled=True, - attribute='middleName', - single_valued=True, - source_type='AD', - for_classes=['computer'], - value_type=claims.CLAIM_TYPE_STRING) - - expected_claims = { - claim_id: { - 'source_type': claims.CLAIMS_SOURCE_TYPE_AD, - 'type': claims.CLAIM_TYPE_STRING, - 'values': ['foo'], - }, - } - - # Get a TGT for the computer. - mach_tgt = self.get_tgt(mach_creds, expect_pac=True, - expect_client_claims=True, - expected_client_claims=expected_claims) - - # Change the value of the attribute used for the claim. 
- msg = ldb.Message(ldb.Dn(samdb, mach_dn)) - msg['middleName'] = ldb.MessageElement('bar', - ldb.FLAG_MOD_REPLACE, - 'middleName') - samdb.modify(msg) - - # Get a service ticket for the user, using the computer's TGT as an - # armor TGT. The value should not have changed. - - expected_sid = self.get_objectSid(samdb, user_creds.get_dn()) - - subkey = self.RandomKey(user_tgt.session_key.etype) - - armor_subkey = self.RandomKey(subkey.etype) - explicit_armor_key = self.generate_armor_key(armor_subkey, - mach_tgt.session_key) - armor_key = kcrypto.cf2(explicit_armor_key.key, - subkey.key, - b'explicitarmor', - b'tgsarmor') - armor_key = Krb5EncryptionKey(armor_key, None) - - target_creds, sname = self.get_target( - to_krbtgt, - extra_enctypes=security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED) - srealm = target_creds.get_realm() - - decryption_key = self.TicketDecryptionKey_from_creds( - target_creds) - - etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) - - kdc_options = '0' - pac_options = '1' # claims support - - kdc_exchange_dict = self.tgs_exchange_dict( - expected_crealm=user_tgt.crealm, - expected_cname=user_tgt.cname, - expected_srealm=srealm, - expected_sname=sname, - ticket_decryption_key=decryption_key, - generate_fast_fn=self.generate_simple_fast, - generate_fast_armor_fn=self.generate_ap_req, - check_rep_fn=self.generic_check_kdc_rep, - check_kdc_private_fn=self.generic_check_kdc_private, - tgt=user_tgt, - armor_key=armor_key, -- Samba Shared Repository
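Review bot: in the ldb_msg_remove_attr hunk in lib/ldb/common/ldb_msg.c, the compaction loop shifts an element down only once num_del is non-zero and then decrements num_elements, so the slots from the new num_elements up to the old count still hold stale copies of the last num_del elements. They are unreachable after the decrement, but a one-line comment saying that the tail is intentionally neither cleared nor freed (matching what the old ldb_msg_remove_element loop did) would save the next reader from checking. It is also worth confirming in the commit message that ldb_attr_cmp is the same comparison ldb_msg_find_element used, so that the set of elements removed is unchanged by the rewrite.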
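Review bot: in the new OneOf class in the first python/samba/tests/krb5/claims_tests.py hunk, the `that in this` and `this in that` membership tests inside elem_eq require the non-set side to be hashable; if an expected element is itself a list or dict (an UnorderedList, for instance), the comparison raises TypeError rather than returning False. Either document in the class comment that OneOf set members must be hashable, or fall back to `any(that == x for x in this)` when `that` is unhashable. Raising AssertionError from __eq__ on a type mismatch is consistent with the UnorderedList change in the same hunk, but a comment stating that an accidental comparison with a plain list is meant to fail loudly would help readers who hit it.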
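Review bot: typo in the comment block above run_delegation_test in the @@ -178,12 +224,95 @@ hunk of claims_tests.py: 'preceeding' should be 'preceding'. In the comment above run_tgs_test in the same hunk, 'By which we may observe, ...' is a sentence fragment; suggest joining it to the previous sentence, e.g. '... to a different value, so that we may observe, when examining the reply ..., whether the claims contained therein are taken directly from the ticket or obtained fresh from the database.'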
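Review bot: in the @@ -320,264 +452,15 @@ hunk of claims_tests.py, the delegation exchange now passes expect_device_claims=False, but the companion expect_device_info flag is not set, whereas the device-info and device-claims tests removed in the same hunk always set the two together (expect_device_claims=not to_krbtgt, expect_device_info=not to_krbtgt). If an unset expect_device_info means 'do not check', the resulting delegation ticket is not asserted to be free of device info; passing expect_device_info=False explicitly would make the intended assertion clear.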