author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2023-05-04 14:44:11 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2023-05-18 01:03:37 +0000 |
commit | f9b666297cbbe5d475b570a9d268df1f3fce048e (patch) | |
tree | b23a0d462e68a57012463b8b10887cf03f93b582 /python | |
parent | 53b62429f894cc6d8689d38acc59e8d6ca4ddff9 (diff) | |
download | samba-f9b666297cbbe5d475b570a9d268df1f3fce048e.tar.gz |
tests/krb5: Allow specifying whether PA-DATA types are to be checked
Not all tests are intended to test that the correct PA-DATA types are
returned. This parameter allows us to skip checking for cases where we
don’t care.
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python')
-rwxr-xr-x | python/samba/tests/krb5/kdc_tgs_tests.py | 6 | ||||
-rw-r--r-- | python/samba/tests/krb5/raw_testcase.py | 105 |
2 files changed, 61 insertions, 50 deletions
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index 24392ceba30..b0c1394b76e 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -194,7 +194,8 @@ class KdcTgsBaseTests(KDCBaseTest):
 expect_status=None,
 expected_status=None,
 expected_proxy_target=None,
- expected_transited_services=None):
+ expected_transited_services=None,
+ check_patypes=True):
 if srealm is False:
 srealm = None
 elif srealm is None:
@@ -300,7 +301,8 @@ class KdcTgsBaseTests(KDCBaseTest):
 expect_requester_sid=expect_requester_sid,
 expected_sid=expected_sid,
 expected_proxy_target=expected_proxy_target,
- expected_transited_services=expected_transited_services)
+ expected_transited_services=expected_transited_services,
+ check_patypes=check_patypes)
 rep = self._generic_kdc_exchange(kdc_exchange_dict,
 cname=None,
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index 22062c5ec8c..4677151e5c0 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2512,6 +2512,7 @@ class RawKerberosTest(TestCaseInTempDir):
 check_error_fn=None,
 check_rep_fn=None,
 check_kdc_private_fn=None,
+ check_patypes=True,
 callback_dict=None,
 expected_error_mode=0,
 expect_status=None,
@@ -2586,6 +2587,7 @@ class RawKerberosTest(TestCaseInTempDir):
 'check_error_fn': check_error_fn,
 'check_rep_fn': check_rep_fn,
 'check_kdc_private_fn': check_kdc_private_fn,
+ 'check_patypes': check_patypes,
 'callback_dict': callback_dict,
 'expected_error_mode': expected_error_mode,
 'expect_status': expect_status,
@@ -2657,6 +2659,7 @@ class RawKerberosTest(TestCaseInTempDir):
 check_error_fn=None,
 check_rep_fn=None,
 check_kdc_private_fn=None,
+ check_patypes=True,
 expected_error_mode=0,
 expect_status=None,
 expected_status=None,
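Review bot: `check_patypes` is added to the signature at @@ -2512 (and again at @@ -2657) with no comment on what a caller gives up by passing False. Judging from the checking hunk at @@ -4031 in this file, False skips the whole comparison of the reply's PA-DATA types against the expected list, together with its `require_strict` set, so an unexpected pre-authentication type in a KDC reply would go unnoticed in that test. I would put next to the parameter `# check_patypes=False: do not compare the reply's PA-DATA types with the expected list; use only where the test is not about PA-DATA`. The parameter is also inserted ahead of `callback_dict` here (ahead of `expected_error_mode` at @@ -2657) rather than appended, which would shift any positional caller; callers are not visible in this diff, and the one call shown in kdc_tgs_tests.py passes keywords. Both signatures start and end outside their hunks.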
@@ -2734,6 +2737,7 @@ class RawKerberosTest(TestCaseInTempDir):
 'check_error_fn': check_error_fn,
 'check_rep_fn': check_rep_fn,
 'check_kdc_private_fn': check_kdc_private_fn,
+ 'check_patypes': check_patypes,
 'callback_dict': callback_dict,
 'expected_error_mode': expected_error_mode,
 'expect_status': expect_status,
@@ -4031,58 +4035,63 @@ class RawKerberosTest(TestCaseInTempDir): if expected_aes is None: expect_etype_info = True - expected_patypes = () - if sent_fast and error_code != 0: - expected_patypes += (PADATA_FX_ERROR,) - expected_patypes += (PADATA_FX_COOKIE,) - - if rep_msg_type == KRB_TGS_REP: - sent_pac_options = self.get_sent_pac_options(kdc_exchange_dict) - if ('1' in sent_pac_options - and error_code not in (0, KDC_ERR_GENERIC)): - expected_patypes += (PADATA_PAC_OPTIONS,) - elif error_code != KDC_ERR_GENERIC: - if expect_etype_info: - self.assertGreater(len(expect_etype_info2), 0) - expected_patypes += (PADATA_ETYPE_INFO,) - if len(expect_etype_info2) != 0: - expected_patypes += (PADATA_ETYPE_INFO2,) - - if error_code not in (KDC_ERR_PREAUTH_FAILED, KDC_ERR_SKEW, - KDC_ERR_POLICY, KDC_ERR_CLIENT_REVOKED): - if sent_fast: - expected_patypes += (PADATA_ENCRYPTED_CHALLENGE,) - else: - expected_patypes += (PADATA_ENC_TIMESTAMP,) + if expect_etype_info: + self.assertGreater(len(expect_etype_info2), 0) - if not sent_enc_challenge: - expected_patypes += (PADATA_PK_AS_REQ,) - expected_patypes += (PADATA_PK_AS_REP_19,) + sent_pac_options = self.get_sent_pac_options(kdc_exchange_dict) - if (self.kdc_fast_support - and not sent_fast - and not sent_enc_challenge): - expected_patypes += (PADATA_FX_FAST,) + check_patypes = kdc_exchange_dict['check_patypes'] + if check_patypes: + expected_patypes = () + if sent_fast and error_code != 0: + expected_patypes += (PADATA_FX_ERROR,) expected_patypes += (PADATA_FX_COOKIE,) - require_strict = {PADATA_FX_COOKIE, - PADATA_FX_FAST, - PADATA_PAC_OPTIONS, - PADATA_PK_AS_REP_19, - PADATA_PK_AS_REQ, - PADATA_PKINIT_KX, - PADATA_GSS} - strict_edata_checking = kdc_exchange_dict['strict_edata_checking'] - if not strict_edata_checking: - require_strict.add(PADATA_ETYPE_INFO2) - require_strict.add(PADATA_ENCRYPTED_CHALLENGE) - - got_patypes = tuple(pa['padata-type'] for pa in rep_padata) - self.assertSequenceElementsEqual(expected_patypes, 
got_patypes, - require_strict=require_strict) - - if not expected_patypes: - return None + if rep_msg_type == KRB_TGS_REP: + if ('1' in sent_pac_options + and error_code not in (0, KDC_ERR_GENERIC)): + expected_patypes += (PADATA_PAC_OPTIONS,) + elif error_code != KDC_ERR_GENERIC: + if expect_etype_info: + expected_patypes += (PADATA_ETYPE_INFO,) + if len(expect_etype_info2) != 0: + expected_patypes += (PADATA_ETYPE_INFO2,) + + if error_code not in (KDC_ERR_PREAUTH_FAILED, KDC_ERR_SKEW, + KDC_ERR_POLICY, KDC_ERR_CLIENT_REVOKED): + if sent_fast: + expected_patypes += (PADATA_ENCRYPTED_CHALLENGE,) + else: + expected_patypes += (PADATA_ENC_TIMESTAMP,) + + if not sent_enc_challenge: + expected_patypes += (PADATA_PK_AS_REQ,) + expected_patypes += (PADATA_PK_AS_REP_19,) + + if (self.kdc_fast_support + and not sent_fast + and not sent_enc_challenge): + expected_patypes += (PADATA_FX_FAST,) + expected_patypes += (PADATA_FX_COOKIE,) + + require_strict = {PADATA_FX_COOKIE, + PADATA_FX_FAST, + PADATA_PAC_OPTIONS, + PADATA_PK_AS_REP_19, + PADATA_PK_AS_REQ, + PADATA_PKINIT_KX, + PADATA_GSS} + strict_edata_checking = kdc_exchange_dict['strict_edata_checking'] + if not strict_edata_checking: + require_strict.add(PADATA_ETYPE_INFO2) + require_strict.add(PADATA_ENCRYPTED_CHALLENGE) + + got_patypes = tuple(pa['padata-type'] for pa in rep_padata) + self.assertSequenceElementsEqual(expected_patypes, got_patypes, + require_strict=require_strict) + + if not expected_patypes: + return None pa_dict = self.get_pa_dict(rep_padata) |
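Review bot: `self.assertGreater(len(expect_etype_info2), 0)` now appears to run whenever `expect_etype_info` is true, where the removed code ran it only on the non-TGS branch with `error_code != KDC_ERR_GENERIC`; that changes what is asserted for TGS-REP and KDC_ERR_GENERIC replies regardless of `check_patypes`, and the commit message does not mention it. If the old scope was intended, the guard could stay as `if expect_etype_info and rep_msg_type != KRB_TGS_REP and error_code != KDC_ERR_GENERIC:`. Separately, the `if not expected_patypes: return None` exit is re-added and so presumably now sits inside `if check_patypes:` (indentation is lost on this page), which means that with `check_patypes=False` the method always continues to `get_pa_dict(rep_padata)` and `expected_patypes` is never bound for any later code. A comment such as `# check_patypes=False skips only the type-list comparison; the per-type checks below still run` would make that explicit. The method starts and ends outside the hunk, so code after `pa_dict = ...` could not be checked.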