From 3b72dde2027fe7bffa03f6022fd2a5aef26845fa Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Mon, 3 Apr 2023 13:24:12 +1200
Subject: tests/krb5: Add tests for constructed (authentication silo) claims

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 python/samba/tests/krb5/claims_tests.py | 84 +++++++++++++++++++++++++++++++++
 selftest/knownfail.d/constructed-claims | 1 +
 2 files changed, 85 insertions(+)
 create mode 100644 selftest/knownfail.d/constructed-claims

diff --git a/python/samba/tests/krb5/claims_tests.py b/python/samba/tests/krb5/claims_tests.py
index af04ed077f8..022224eb6f1 100755
--- a/python/samba/tests/krb5/claims_tests.py
+++ b/python/samba/tests/krb5/claims_tests.py
@@ -1958,6 +1958,90 @@ class ClaimsTests(KDCBaseTest):
 },
 ]
 
+ def test_auth_silo_claim(self):
+ self.run_auth_silo_claim_test()
+
+ def test_auth_silo_claim_unenforced(self):
+ # The claim is not present if the silo is unenforced.
+ self.run_auth_silo_claim_test(enforced=False,
+ expect_claim=False)
+
+ def test_auth_silo_claim_not_a_member(self):
+ # The claim is not present if the user is not a member of the silo.
+ self.run_auth_silo_claim_test(add_to_silo=False,
+ expect_claim=False)
+
+ def test_auth_silo_claim_unassigned(self):
+ # The claim is not present if the user is not assigned to the silo.
+ self.run_auth_silo_claim_test(assigned=False,
+ expect_claim=False)
+
+ def test_auth_silo_claim_assigned_to_wrong_dn(self):
+ samdb = self.get_samdb()
+
+ # The claim is not present if the user is assigned to some other DN.
+ self.run_auth_silo_claim_test(assigned=self.get_server_dn(samdb),
+ expect_claim=False)
+
+ def run_auth_silo_claim_test(self, *,
+ enforced=True,
+ add_to_silo=True,
+ assigned=True,
+ expect_claim=True):
+ # Create a new authentication silo.
+ silo_id = self.get_new_username()
+ silo_dn = self.create_auth_silo(silo_id, enforced=enforced)
+
+ account_options = None
+ if assigned is not False:
+ if assigned is True:
+ assigned = silo_dn
+
+ account_options = {
+ 'additional_details': self.freeze({
+ # The user is assigned to the authentication silo we just
+ # created, or to some DN specified by a test.
+ 'msDS-AssignedAuthNPolicySilo': str(assigned),
+ }),
+ }
+
+ # Create the user account.
+ creds = self.get_cached_creds(
+ account_type=self.AccountType.USER,
+ opts=account_options)
+
+ if add_to_silo:
+ # Add the account to the silo.
+ self.add_to_group(str(creds.get_dn()),
+ silo_dn,
+ 'msDS-AuthNPolicySiloMembers',
+ expect_attr=False)
+
+ claim_id = self.create_auth_silo_claim_id()
+
+ if expect_claim:
+ expected_claims = {
+ claim_id: {
+ 'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
+ 'type': claims.CLAIM_TYPE_STRING,
+ # Expect a claim containing the name of the silo.
+ 'values': (silo_id,),
+ },
+ }
+ unexpected_claims = None
+ expect_client_claims = True
+ else:
+ expected_claims = None
+ expect_client_claims = None
+ unexpected_claims = {claim_id}
+
+ # Get a TGT and check whether the claim is present or missing.
+ self.get_tgt(creds,
+ expect_pac=True,
+ expect_client_claims=True,
+ expected_client_claims=expected_claims,
+ unexpected_client_claims=unexpected_claims)
+
 
 if __name__ == '__main__':
 global_asn1_print = False
diff --git a/selftest/knownfail.d/constructed-claims b/selftest/knownfail.d/constructed-claims
new file mode 100644
index 00000000000..b4966d723cd
--- /dev/null
+++ b/selftest/knownfail.d/constructed-claims
@@ -0,0 +1 @@
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_auth_silo_claim.ad_dc
-- cgit v1.2.1
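Review bot: The local `expect_client_claims` assigned in both branches of `if expect_claim:` in `run_auth_silo_claim_test` is never read — the `self.get_tgt()` call at the end of the method passes the literal `expect_client_claims=True` on every path. Either the call should read `expect_client_claims=expect_client_claims,` so the negative cases (unenforced silo, non-member, unassigned, wrong DN) stop asserting that a client-claims blob is present at all, or the two dead assignments should be dropped; which one is intended depends on how `get_tgt()` treats `None`, which is outside the hunk. As written, the four `expect_claim=False` tests only verify that `claim_id` is missing from a claims blob that must exist, so a KDC that omits the blob entirely in those cases would fail them for an unrelated reason. The enclosing class `ClaimsTests` starts outside the hunk.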