authorJoseph Sutton <josephsutton@catalyst.net.nz>2021-12-02 16:51:26 +1300
committerAndrew Bartlett <abartlet@samba.org>2021-12-06 22:08:32 +0000
commit3fc9dc2395ebc292087ae050bd721747e851056d (patch)
treee57b3887a5d166d6f89b86d22f1bf8825e0d0283 /python
parent10983779bc5d50cdb69b64656cbc56f0250e3f23 (diff)
tests/krb5: Check logon name in PAC for canonicalization tests
This allows us to ensure that the correct name makes it through to the PAC. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python')
-rwxr-xr-xpython/samba/tests/krb5/as_canonicalization_tests.py35
1 files changed, 35 insertions, 0 deletions
diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
index 7c64ce19bb7..700a03622e1 100755
--- a/python/samba/tests/krb5/as_canonicalization_tests.py
+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
@@ -28,7 +28,9 @@ os.environ["PYTHONUNBUFFERED"] = "1"
from samba.tests.krb5.kdc_base_test import KDCBaseTest
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
from samba.credentials import DONT_USE_KERBEROS
+from samba.dcerpc import krb5pac
from samba.dcerpc.misc import SEC_CHAN_WKSTA
+from samba.ndr import ndr_unpack
from samba.tests import DynamicTestCase
from samba.tests.krb5.rfc4120_constants import (
AES256_CTS_HMAC_SHA1_96,
@@ -39,6 +41,7 @@ from samba.tests.krb5.rfc4120_constants import (
KU_AS_REP_ENC_PART,
KRB_ERROR,
KU_PA_ENC_TIMESTAMP,
+ KU_TICKET,
PADATA_ENC_TIMESTAMP,
NT_ENTERPRISE_PRINCIPAL,
NT_PRINCIPAL,
@@ -229,6 +232,38 @@ class KerberosASCanonicalizationTests(KDCBaseTest):
srealm = as_rep['srealm'].decode('ascii')
self.check_srealm(srealm, data)
+ if TestOptions.AsReqSelf.is_set(data.options):
+ ticket_creds = creds
+ else:
+ ticket_creds = self.get_krbtgt_creds()
+ ticket_key = self.TicketDecryptionKey_from_creds(ticket_creds)
+
+ ticket_encpart = rep['ticket']['enc-part']
+ self.assertElementEqual(ticket_encpart, 'etype',
+ ticket_key.etype)
+ self.assertElementEqual(ticket_encpart, 'kvno',
+ ticket_key.kvno)
+ ticket_decpart = ticket_key.decrypt(KU_TICKET,
+ ticket_encpart['cipher'])
+ ticket_private = self.der_decode(
+ ticket_decpart,
+ asn1Spec=krb5_asn1.EncTicketPart())
+
+ pac_data = self.get_pac(ticket_private['authorization-data'])
+ pac = ndr_unpack(krb5pac.PAC_DATA, pac_data)
+
+ for pac_buffer in pac.buffers:
+ if pac_buffer.type == krb5pac.PAC_TYPE_LOGON_NAME:
+ if TestOptions.Canonicalize.is_set(data.options):
+ expected = data.user_creds.get_username()
+ else:
+ expected = data.user_name
+
+ self.assertEqual(expected, pac_buffer.info.account_name)
+ break
+ else:
+ self.fail('PAC_TYPE_LOGON_NAME not found')
+
def as_req(self, data):
user_creds = data.user_creds
realm = data.realm
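Review bot: The result of `self.get_pac(ticket_private['authorization-data'])` goes straight into `ndr_unpack` with no check that a PAC was found, so a ticket issued without one would presumably fail inside the NDR parser rather than with a message naming the missing PAC. `get_pac` is defined outside this hunk, so confirm what it returns in that case. Adding `self.assertIsNotNone(pac_data, 'no PAC in ticket authorization-data')` before the unpack would keep that failure readable. The ticket-key selection at the top of the added block would also benefit from a short comment, for example `# AsReqSelf tickets are encrypted to the account's own key, otherwise to krbtgt's`, since the reason for the branch is only implied by the code. The enclosing test method starts outside the hunk.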