From: Joseph Sutton Date: Fri, 4 Mar 2022 03:23:32 +0000 (+1300) Subject: tests/krb5: Add claims tests X-Git-Tag: talloc-2.4.0~1102 X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=dadd32238822c6f2ee10cd55442c88e2034fb11a;hp=8b8a268084b494e61a8e41e0ee11916474cc3bbd;p=samba.git tests/krb5: Add claims tests Based on tests originally written by Stefan Metzmacher Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Sep 9 01:11:05 UTC 2022 on sn-devel-184 --- diff --git a/python/samba/tests/krb5/claims_tests.py b/python/samba/tests/krb5/claims_tests.py new file mode 100755 index 00000000000..717f773327c --- /dev/null +++ b/python/samba/tests/krb5/claims_tests.py @@ -0,0 +1,1319 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) Catalyst.Net Ltd 2022 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import os +import re +import sys + +import ldb + +from samba.dcerpc import claims, krb5pac, security + +from samba.tests import DynamicTestCase, env_get_var_value +from samba.tests.krb5 import kcrypto +from samba.tests.krb5.kcrypto import Enctype +from samba.tests.krb5.kdc_base_test import KDCBaseTest +from samba.tests.krb5.raw_testcase import Krb5EncryptionKey +from samba.tests.krb5.rfc4120_constants import ( + AES256_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, + KRB_TGS_REP, + NT_PRINCIPAL, + NT_SRV_INST, +) +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 + +sys.path.insert(0, 'bin/python') +os.environ['PYTHONUNBUFFERED'] = '1' + +global_asn1_print = False +global_hexdump = False + + +class UnorderedList(list): + def __eq__(self, other): + if isinstance(other, UnorderedList): + return sorted(self) == sorted(other) + else: + return False + + +@DynamicTestCase +class ClaimsTests(KDCBaseTest): + @classmethod + def setUpClass(cls): + super().setUpClass() + + cls._search_iterator = None + + def setUp(self): + super().setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def get_sample_dn(self): + if self._search_iterator is None: + samdb = self.get_samdb() + type(self)._search_iterator = samdb.search_iterator() + + return str(next(self._search_iterator).dn) + + def get_binary_dn(self): + return 'B:8:01010101:' + self.get_sample_dn() + + def remove_client_claims(self, ticket): + def modify_pac_fn(pac): + pac_buffers = pac.buffers + for pac_buffer in pac_buffers: + if pac_buffer.type == krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO: + pac.num_buffers -= 1 + pac_buffers.remove(pac_buffer) + + break + else: + self.fail('expected client claims in PAC') + + pac.buffers = pac_buffers + + return pac + + return self.modified_ticket( + ticket, + modify_pac_fn=modify_pac_fn, + checksum_keys=self.get_krbtgt_checksum_key()) + + def test_delegation_claims(self): + self.run_delegation_test(remove_claims=False) + + def test_delegation_claims_remove_claims(self): + self.run_delegation_test(remove_claims=True) + + def run_delegation_test(self, remove_claims): + service_creds = self.get_service_creds() + service_spn = service_creds.get_spn() + + user_name = self.get_new_username() + mach_name = self.get_new_username() + + samdb = self.get_samdb() + user_creds, user_dn = self.create_account( + samdb, + user_name, + self.AccountType.USER, + additional_details={ + 'middleName': 'user_old', + }) + mach_creds, mach_dn = self.create_account( + samdb, + mach_name, + self.AccountType.COMPUTER, + spn=f'host/{mach_name}', + additional_details={ + 'middleName': 'mach_old', + 'msDS-AllowedToDelegateTo': service_spn, + }) + + claim_id = self.get_new_username() + self.create_claim(claim_id, + enabled=True, + attribute='middleName', + single_valued=True, + source_type='AD', + for_classes=['user', 'computer'], + value_type=claims.CLAIM_TYPE_STRING) + + options = 'forwardable' + expected_flags = krb5_asn1.TicketFlags(options) + + expected_claims_user = { + claim_id: { + 'source_type': claims.CLAIMS_SOURCE_TYPE_AD, + 'type': claims.CLAIM_TYPE_STRING, + 'values': ['user_old'], + }, + } + expected_claims_mac = { + claim_id: { + 'source_type': claims.CLAIMS_SOURCE_TYPE_AD, + 'type': claims.CLAIM_TYPE_STRING, + 'values': ['mach_old'], + }, + } + + user_tgt = self.get_tgt(user_creds, + kdc_options=options, + expect_pac=True, + expected_flags=expected_flags, + expect_client_claims=True, + expected_client_claims=expected_claims_user) + user_ticket = self.get_service_ticket( + user_tgt, + mach_creds, + kdc_options=options, + expect_pac=True, + expected_flags=expected_flags, + expect_client_claims=True, + expected_client_claims=expected_claims_user) + + mach_tgt = self.get_tgt(mach_creds, + expect_pac=True, + expect_client_claims=True, + expected_client_claims=expected_claims_mac) + + if remove_claims: + user_ticket = self.remove_client_claims(user_ticket) + mach_tgt = self.remove_client_claims(mach_tgt) + + # Change the value of the attributes used for the claim. + msg = ldb.Message(ldb.Dn(samdb, user_dn)) + msg['middleName'] = ldb.MessageElement('user_new', + ldb.FLAG_MOD_REPLACE, + 'middleName') + samdb.modify(msg) + + # Change the value of the attributes used for the claim. + msg = ldb.Message(ldb.Dn(samdb, mach_dn)) + msg['middleName'] = ldb.MessageElement('mach_new', + ldb.FLAG_MOD_REPLACE, + 'middleName') + samdb.modify(msg) + + additional_tickets = [user_ticket.ticket] + options = str(krb5_asn1.KDCOptions('cname-in-addl-tkt')) + + user_realm = user_creds.get_realm() + user_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[user_name]) + + user_sid = self.get_objectSid(samdb, user_dn) + + mach_realm = mach_creds.get_realm() + + service_name = service_creds.get_username()[:-1] + service_realm = service_creds.get_realm() + service_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=['host', service_name]) + service_decryption_key = self.TicketDecryptionKey_from_creds( + service_creds) + service_etypes = service_creds.tgs_supported_enctypes + + expected_proxy_target = service_creds.get_spn() + expected_transited_services = [f'host/{mach_name}@{mach_realm}'] + + authenticator_subkey = self.RandomKey(Enctype.AES256) + + etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + + expected_claims = expected_claims_user if not remove_claims else None + + kdc_exchange_dict = self.tgs_exchange_dict( + expected_crealm=user_realm, + expected_cname=user_cname, + expected_srealm=service_realm, + expected_sname=service_sname, + expected_account_name=user_name, + expected_sid=user_sid, + expected_supported_etypes=service_etypes, + ticket_decryption_key=service_decryption_key, + check_rep_fn=self.generic_check_kdc_rep, + check_kdc_private_fn=self.generic_check_kdc_private, + tgt=mach_tgt, + authenticator_subkey=authenticator_subkey, + kdc_options=options, + expected_proxy_target=expected_proxy_target, + expected_transited_services=expected_transited_services, + expect_client_claims=not remove_claims, + expected_client_claims=expected_claims, + expect_pac=True) + + self._generic_kdc_exchange(kdc_exchange_dict, + cname=None, + realm=service_realm, + sname=service_sname, + etypes=etypes, + additional_tickets=additional_tickets) + + def test_tgs_claims(self): + self.run_tgs_test(remove_claims=False, to_krbtgt=False) + + def test_tgs_claims_remove_claims(self): + self.run_tgs_test(remove_claims=True, to_krbtgt=False) + + def test_tgs_claims_to_krbtgt(self): + self.run_tgs_test(remove_claims=False, to_krbtgt=True) + + def test_tgs_claims_remove_claims_to_krbtgt(self): + self.run_tgs_test(remove_claims=True, to_krbtgt=True) + + def run_tgs_test(self, remove_claims, to_krbtgt): + samdb = self.get_samdb() + user_creds, user_dn = self.create_account(samdb, + self.get_new_username(), + additional_details={ + 'middleName': 'foo', + }) + + claim_id = self.get_new_username() + self.create_claim(claim_id, + enabled=True, + attribute='middleName', + single_valued=True, + source_type='AD', + for_classes=['user'], + value_type=claims.CLAIM_TYPE_STRING) + + expected_claims = { + claim_id: { + 'source_type': claims.CLAIMS_SOURCE_TYPE_AD, + 'type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + }, + } + + # Get a TGT for the user. + tgt = self.get_tgt(user_creds, expect_pac=True, + expect_client_claims=True, + expected_client_claims=expected_claims) + + if remove_claims: + tgt = self.remove_client_claims(tgt) + + # Change the value of the attribute used for the claim. + msg = ldb.Message(ldb.Dn(samdb, user_dn)) + msg['middleName'] = ldb.MessageElement('bar', + ldb.FLAG_MOD_REPLACE, + 'middleName') + samdb.modify(msg) + + if to_krbtgt: + target_creds = self.get_krbtgt_creds() + srealm = target_creds.get_realm() + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, + names=[target_creds.get_username(), srealm]) + else: + target_creds = self.get_service_creds() + sname = None + + # Get a service ticket for the user. The value should not have changed. + self.get_service_ticket( + tgt, target_creds, + sname=sname, + expect_pac=True, + expect_client_claims=not remove_claims, + expected_client_claims=(expected_claims + if not remove_claims else None)) + + def test_device_info(self): + self._run_device_info_test(to_krbtgt=False) + + def test_device_info_to_krbtgt(self): + self._run_device_info_test(to_krbtgt=True) + + def _run_device_info_test(self, to_krbtgt): + user_creds = self.get_cached_creds( + account_type=self.AccountType.USER) + user_tgt = self.get_tgt(user_creds) + + mach_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER) + mach_tgt = self.get_tgt(mach_creds) + + samdb = self.get_samdb() + expected_sid = self.get_objectSid(samdb, user_creds.get_dn()) + + subkey = self.RandomKey(user_tgt.session_key.etype) + + armor_subkey = self.RandomKey(subkey.etype) + explicit_armor_key = self.generate_armor_key(armor_subkey, + mach_tgt.session_key) + armor_key = kcrypto.cf2(explicit_armor_key.key, + subkey.key, + b'explicitarmor', + b'tgsarmor') + armor_key = Krb5EncryptionKey(armor_key, None) + + if to_krbtgt: + target_creds = self.get_krbtgt_creds() + + srealm = target_creds.get_realm() + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, + names=[target_creds.get_username(), srealm]) + else: + target_enctypes = security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED + target_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={ + 'supported_enctypes': target_enctypes, + }) + + srealm = target_creds.get_realm() + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=['host', target_creds.get_username()[:-1]]) + + decryption_key = self.TicketDecryptionKey_from_creds( + target_creds) + + etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + + kdc_options = '0' + pac_options = '1' # claims support + + kdc_exchange_dict = self.tgs_exchange_dict( + expected_crealm=user_tgt.crealm, + expected_cname=user_tgt.cname, + expected_srealm=srealm, + expected_sname=sname, + ticket_decryption_key=decryption_key, + generate_fast_fn=self.generate_simple_fast, + generate_fast_armor_fn=self.generate_ap_req, + check_rep_fn=self.generic_check_kdc_rep, + check_kdc_private_fn=self.generic_check_kdc_private, + tgt=user_tgt, + armor_key=armor_key, + armor_tgt=mach_tgt, + armor_subkey=armor_subkey, + pac_options=pac_options, + authenticator_subkey=subkey, + kdc_options=kdc_options, + expect_pac=True, + expect_pac_attrs=to_krbtgt, + expect_pac_attrs_pac_request=to_krbtgt, + expected_sid=expected_sid, + expect_device_claims=not to_krbtgt, + expect_device_info=not to_krbtgt) + + rep = self._generic_kdc_exchange(kdc_exchange_dict, + cname=None, + realm=srealm, + sname=sname, + etypes=etypes) + self.check_reply(rep, KRB_TGS_REP) + + def test_device_claims(self): + self._run_device_claims_test(to_krbtgt=False) + + def test_device_claims_to_krbtgt(self): + self._run_device_claims_test(to_krbtgt=True) + + def _run_device_claims_test(self, to_krbtgt): + user_creds = self.get_cached_creds( + account_type=self.AccountType.USER) + user_tgt = self.get_tgt(user_creds) + + samdb = self.get_samdb() + mach_creds, mach_dn = self.create_account( + samdb, + self.get_new_username(), + account_type=self.AccountType.COMPUTER, + additional_details={ + 'middleName': 'foo', + }) + + claim_id = self.get_new_username() + self.create_claim(claim_id, + enabled=True, + attribute='middleName', + single_valued=True, + source_type='AD', + for_classes=['computer'], + value_type=claims.CLAIM_TYPE_STRING) + + expected_claims = { + claim_id: { + 'source_type': claims.CLAIMS_SOURCE_TYPE_AD, + 'type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + }, + } + + # Get a TGT for the computer. + mach_tgt = self.get_tgt(mach_creds, expect_pac=True, + expect_client_claims=True, + expected_client_claims=expected_claims) + + # Change the value of the attribute used for the claim. + msg = ldb.Message(ldb.Dn(samdb, mach_dn)) + msg['middleName'] = ldb.MessageElement('bar', + ldb.FLAG_MOD_REPLACE, + 'middleName') + samdb.modify(msg) + + # Get a service ticket for the user, using the computer's TGT as an + # armor TGT. The value should not have changed. + + expected_sid = self.get_objectSid(samdb, user_creds.get_dn()) + + subkey = self.RandomKey(user_tgt.session_key.etype) + + armor_subkey = self.RandomKey(subkey.etype) + explicit_armor_key = self.generate_armor_key(armor_subkey, + mach_tgt.session_key) + armor_key = kcrypto.cf2(explicit_armor_key.key, + subkey.key, + b'explicitarmor', + b'tgsarmor') + armor_key = Krb5EncryptionKey(armor_key, None) + + if to_krbtgt: + target_creds = self.get_krbtgt_creds() + + srealm = target_creds.get_realm() + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, + names=[target_creds.get_username(), srealm]) + else: + target_enctypes = security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED + target_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={ + 'supported_enctypes': target_enctypes, + }) + + srealm = target_creds.get_realm() + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=['host', target_creds.get_username()[:-1]]) + + decryption_key = self.TicketDecryptionKey_from_creds( + target_creds) + + etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + + kdc_options = '0' + pac_options = '1' # claims support + + kdc_exchange_dict = self.tgs_exchange_dict( + expected_crealm=user_tgt.crealm, + expected_cname=user_tgt.cname, + expected_srealm=srealm, + expected_sname=sname, + ticket_decryption_key=decryption_key, + generate_fast_fn=self.generate_simple_fast, + generate_fast_armor_fn=self.generate_ap_req, + check_rep_fn=self.generic_check_kdc_rep, + check_kdc_private_fn=self.generic_check_kdc_private, + tgt=user_tgt, + armor_key=armor_key, + armor_tgt=mach_tgt, + armor_subkey=armor_subkey, + pac_options=pac_options, + authenticator_subkey=subkey, + kdc_options=kdc_options, + expect_pac=True, + expect_pac_attrs=to_krbtgt, + expect_pac_attrs_pac_request=to_krbtgt, + expected_sid=expected_sid, + expect_device_info=not to_krbtgt, + expect_device_claims=not to_krbtgt, + expected_device_claims=expected_claims if not to_krbtgt else None) + + rep = self._generic_kdc_exchange(kdc_exchange_dict, + cname=None, + realm=srealm, + sname=sname, + etypes=etypes) + self.check_reply(rep, KRB_TGS_REP) + + @classmethod + def setUpDynamicTestCases(cls): + FILTER = env_get_var_value('FILTER', allow_missing=True) + for case in cls.cases: + name = case.pop('name') + if FILTER and not re.search(FILTER, name): + continue + name = re.sub(r'\W+', '_', name) + + # Run tests making requests both to the krbtgt and to our own + # account. + cls.generate_dynamic_test('test_claims', name, + dict(case), False) + cls.generate_dynamic_test('test_claims', name + '_to_self', + dict(case), True) + + def _test_claims_with_args(self, case, to_self): + account_class = case.pop('class') + if account_class == 'user': + account_type = self.AccountType.USER + elif account_class == 'computer': + account_type = self.AccountType.COMPUTER + else: + self.fail(f'Unknown class "{account_class}"') + + expected_claims = {} + unexpected_claims = set() + + details = {} + + all_claims = case.pop('claims') + for claim in all_claims: + # Make a copy to avoid modifying the original. + claim = dict(claim) + + claim_id = self.get_new_username() + + expected = claim.pop('expected', False) + expected_values = claim.pop('expected_values', None) + if not expected: + self.assertIsNone(expected_values, + 'claim not expected, ' + 'but expected values provided') + + values = claim.pop('values', None) + if values is not None: + def get_placeholder(val): + if val is self.sample_dn: + return self.get_sample_dn() + elif val is self.binary_dn: + return self.get_binary_dn() + else: + return val + + def ldb_transform(val): + if val is True: + return 'TRUE' + elif val is False: + return 'FALSE' + elif isinstance(val, int): + return str(val) + else: + return val + + values_type = type(values) + values = values_type(map(get_placeholder, values)) + transformed_values = values_type(map(ldb_transform, values)) + + attribute = claim['attribute'] + if attribute in details: + self.assertEqual(details[attribute], transformed_values, + 'conflicting values set for attribute') + details[attribute] = transformed_values + + if expected_values is None: + expected_values = values + + if expected: + self.assertIsNotNone(expected_values, + 'expected claim, but no value(s) set') + value_type = claim['value_type'] + + expected_claims[claim_id] = { + 'source_type': claims.CLAIMS_SOURCE_TYPE_AD, + 'type': value_type, + 'values': expected_values, + } + else: + unexpected_claims.add(claim_id) + + self.create_claim(claim_id, **claim) + + details = ((k, v) for k, v in details.items()) + creds = self.get_cached_creds(account_type=account_type, + opts={ + 'additional_details': details, + }) + + self.assertFalse(case, 'unexpected parameters in testcase') + + if to_self: + service_creds = self.get_service_creds() + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[service_creds.get_username()]) + ticket_etype = Enctype.RC4 + else: + service_creds = None + sname = None + ticket_etype = None + + self.get_tgt(creds, + sname=sname, + target_creds=service_creds, + ticket_etype=ticket_etype, + expect_pac=True, + expect_client_claims=True, + expected_client_claims=expected_claims or None, + unexpected_client_claims=unexpected_claims or None) + + sample_dn = object() + binary_dn = object() + security_descriptor = (b'\x01\x00\x04\x80\x14\x00\x00\x00\x00\x00\x00\x00' + b'\x00\x00\x00\x00$\x00\x00\x00\x01\x02\x00\x00\x00' + b'\x00\x00\x05 \x00\x00\x00 \x02\x00\x00\x04\x00' + b'\x1c\x00\x01\x00\x00\x00\x00\x00\x14\x00\xff\x01' + b'\x0f\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00' + b'\x00\x00') + + cases = [ + { + 'name': 'no claims', + 'claims': [], + 'class': 'user', + }, + { + 'name': 'simple AD-sourced claim', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + 'expected': True, + }, + ], + 'class': 'user', + }, + { + # Note: The order of these DNs may differ on Windows. + 'name': 'dn string syntax', + 'claims': [ + { + # 2.5.5.1 + 'enabled': True, + 'attribute': 'msDS-AuthenticatedAtDC', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': UnorderedList([sample_dn, sample_dn, sample_dn]), + 'expected': True, + }, + ], + 'class': 'user', + }, + { + 'name': 'dn string syntax, wrong value type', + 'claims': [ + { + # 2.5.5.1 + 'enabled': True, + 'attribute': 'msDS-AuthenticatedAtDC', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_BOOLEAN, + 'values': UnorderedList([sample_dn, sample_dn, sample_dn]), + }, + ], + 'class': 'user', + }, + { + 'name': 'oid syntax', + 'claims': [ + { + # 2.5.5.2 + 'enabled': True, + 'attribute': 'objectClass', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_UINT64, + 'expected_values': [655369, 65543, 65542, 65536], + 'expected': True, + }, + ], + 'class': 'user', + }, + { + 'name': 'oid syntax 2', + 'claims': [ + { + # 2.5.5.2 + 'enabled': True, + 'attribute': 'objectClass', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['computer'], + 'value_type': claims.CLAIM_TYPE_UINT64, + 'expected_values': [196638, 655369, 65543, 65542, 65536], + 'expected': True, + }, + ], + 'class': 'computer', + }, + { + 'name': 'oid syntax, wrong value type', + 'claims': [ + { + # 2.5.5.2 + 'enabled': True, + 'attribute': 'objectClass', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_INT64, + }, + ], + 'class': 'user', + }, + { + 'name': 'boolean syntax, true', + 'claims': [ + { + # 2.5.5.8 + 'enabled': True, + 'attribute': 'msTSAllowLogon', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_BOOLEAN, + 'values': [True], + 'expected': True, + }, + ], + 'class': 'user', + }, + { + 'name': 'boolean syntax, false', + 'claims': [ + { + # 2.5.5.8 + 'enabled': True, + 'attribute': 'msTSAllowLogon', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_BOOLEAN, + 'values': [False], + 'expected': True, + }, + ], + 'class': 'user', + }, + { + 'name': 'boolean syntax, wrong value type', + 'claims': [ + { + # 2.5.5.8 + 'enabled': True, + 'attribute': 'msTSAllowLogon', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': [True], + }, + ], + 'class': 'user', + }, + { + 'name': 'integer syntax', + 'claims': [ + { + # 2.5.5.9 + 'enabled': True, + 'attribute': 'localeID', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_INT64, + 'values': [3, 42, -999, 1000, 20000], + 'expected_values': [3 << 32, + 42 << 32, + -999 << 32, + 1000 << 32 | 0xffffffff, + 20000 << 32], + 'expected': True, + }, + ], + 'class': 'user', + }, + { + 'name': 'integer syntax, wrong value type', + 'claims': [ + { + # 2.5.5.9 + 'enabled': True, + 'attribute': 'localeID', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_UINT64, + 'values': [3, 42, -999, 1000], + }, + ], + 'class': 'user', + }, + { + 'name': 'security descriptor syntax', + 'claims': [ + { + # 2.5.5.15 + 'enabled': True, + 'attribute': 'msDS-AllowedToActOnBehalfOfOtherIdentity', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['computer'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': [security_descriptor], + 'expected_values': ['O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;' + ';;S-1-0-0)'], + 'expected': True, + }, + ], + 'class': 'computer', + }, + { + 'name': 'security descriptor syntax, wrong value type', + 'claims': [ + { + # 2.5.5.15 + 'enabled': True, + 'attribute': 'msDS-AllowedToActOnBehalfOfOtherIdentity', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['computer'], + 'value_type': claims.CLAIM_TYPE_UINT64, + 'values': [security_descriptor], + }, + ], + 'class': 'computer', + }, + { + 'name': 'case insensitive string syntax (invalid)', + 'claims': [ + { + # 2.5.5.4 + 'enabled': True, + 'attribute': 'networkAddress', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo', 'bar'], + }, + ], + 'class': 'user', + }, + { + 'name': 'printable string syntax (invalid)', + 'claims': [ + { + # 2.5.5.5 + 'enabled': True, + 'attribute': 'displayNamePrintable', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + }, + ], + 'class': 'user', + }, + { + 'name': 'numeric string syntax (invalid)', + 'claims': [ + { + # 2.5.5.6 + 'enabled': True, + 'attribute': 'internationalISDNNumber', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo', 'bar'], + }, + ], + 'class': 'user', + }, + { + 'name': 'dn binary syntax (invalid)', + 'claims': [ + { + # 2.5.5.7 + 'enabled': True, + 'attribute': 'msDS-RevealedUsers', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': [binary_dn, binary_dn, binary_dn], + }, + ], + 'class': 'computer', + }, + { + 'name': 'octet string syntax (invalid)', + 'claims': [ + { + # 2.5.5.10 + 'enabled': True, + 'attribute': 'jpegPhoto', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo', 'bar'], + }, + ], + 'class': 'user', + }, + { + 'name': 'utc time syntax (invalid)', + 'claims': [ + { + # 2.5.5.11 + 'enabled': True, + 'attribute': 'msTSExpireDate2', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['19700101000000.0Z'], + }, + ], + 'class': 'user', + }, + { + 'name': 'access point syntax (invalid)', + 'claims': [ + { + # 2.5.5.17 + 'enabled': True, + 'attribute': 'mS-DS-CreatorSID', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + }, + ], + 'class': 'user', + }, + { + 'name': 'no value set', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + }, + ], + 'class': 'user', + }, + { + 'name': 'multi-valued claim', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo', 'bar', 'baz'], + 'expected': True, + }, + ], + 'class': 'user', + }, + { + 'name': 'missing attribute', + 'claims': [ + { + 'enabled': True, + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + }, + ], + 'class': 'user', + }, + { + 'name': 'invalid attribute', + 'claims': [ + { + # 2.5.5.10 + 'enabled': True, + 'attribute': 'unicodePwd', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + }, + ], + 'class': 'user', + }, + { + 'name': 'incorrect value type', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_INT64, + 'values': ['foo'], + }, + ], + 'class': 'user', + }, + { + 'name': 'invalid value type', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': 0, + 'values': ['foo'], + }, + ], + 'class': 'user', + }, + { + 'name': 'missing value type', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'values': ['foo'], + }, + ], + 'class': 'user', + }, + { + 'name': 'duplicate claim', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + 'expected': True, + }, + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + 'expected': True, + }, + ], + 'class': 'user', + }, + { + 'name': 'multiple claims', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo', 'bar', 'baz'], + 'expected': True, + }, + { + # 2.5.5.8 + 'enabled': True, + 'attribute': 'msTSAllowLogon', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_BOOLEAN, + 'values': [True], + 'expected': True, + }, + ], + 'class': 'user', + }, + { + 'name': 'case difference for source type', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'ad', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + 'expected': True, + }, + ], + 'class': 'user', + }, + { + 'name': 'unhandled source type', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': '', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + }, + ], + 'class': 'user', + }, + { + 'name': 'disabled claim', + 'claims': [ + { + # 2.5.5.12 + 'enabled': False, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + }, + ], + 'class': 'user', + }, + { + 'name': 'not enabled claim', + 'claims': [ + { + # 2.5.5.12 + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + }, + ], + 'class': 'user', + }, + { + 'name': 'not applicable to any class', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + }, + ], + 'class': 'user', + }, + { + 'name': 'not applicable to class', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + }, + ], + 'class': 'computer', + }, + { + 'name': 'applicable to class', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['user', 'computer'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + 'expected': True, + }, + ], + 'class': 'computer', + }, + { + 'name': 'applicable to base class', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['top'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + }, + ], + 'class': 'user', + }, + { + 'name': 'applicable to base class 2', + 'claims': [ + { + # 2.5.5.12 + 'enabled': True, + 'attribute': 'carLicense', + 'single_valued': True, + 'source_type': 'AD', + 'for_classes': ['organizationalPerson'], + 'value_type': claims.CLAIM_TYPE_STRING, + 'values': ['foo'], + }, + ], + 'class': 'user', + }, + ] + + +if __name__ == '__main__': + global_asn1_print = False + global_hexdump = False + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 15ff97764e0..a7d51eab2b5 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -113,6 +113,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/protected_users_tests.py', 'python/samba/tests/krb5/nt_hash_tests.py', 'python/samba/tests/krb5/kpasswd_tests.py', + 'python/samba/tests/krb5/claims_tests.py', } EXCLUDE_HELP = { diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 4ae27eacb09..99f687e3212 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -54,3 +54,91 @@ ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_as_protected.ad_dc # ^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samr_change_password_protected.ad_dc +# +# Claims tests +# +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_access_point_syntax_invalid_.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_access_point_syntax_invalid__to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_2.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_2_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_class.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_class_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_false.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_false_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_true.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_true_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_wrong_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_wrong_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid_.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid__to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid_.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid__to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_wrong_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_wrong_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_duplicate_claim.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_duplicate_claim_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_attribute.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_attribute_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_attribute.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_attribute_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_class.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_class_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_enabled_claim.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_enabled_claim_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_numeric_string_syntax_invalid_.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_numeric_string_syntax_invalid__to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_octet_string_syntax_invalid_.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_octet_string_syntax_invalid__to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_2.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_2_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_wrong_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_wrong_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_printable_string_syntax_invalid_.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_printable_string_syntax_invalid__to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_wrong_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_wrong_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_simple_AD_sourced_claim.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_simple_AD_sourced_claim_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_unhandled_source_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_unhandled_source_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid_.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_to_krbtgt.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_info.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims_to_krbtgt.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_to_krbtgt.ad_dc diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 8601da3d79a..e336ae4ea94 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -439,3 +439,92 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc +# +# Claims tests +# +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_access_point_syntax_invalid_.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_access_point_syntax_invalid__to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_2.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_2_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_base_class_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_class.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_applicable_to_class_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_false.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_false_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_true.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_true_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_wrong_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_boolean_syntax_wrong_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_difference_for_source_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid_.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_case_insensitive_string_syntax_invalid__to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_disabled_claim_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid_.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_binary_syntax_invalid__to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_wrong_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_dn_string_syntax_wrong_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_duplicate_claim.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_duplicate_claim_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_incorrect_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_integer_syntax_wrong_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_attribute.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_attribute_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_invalid_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_attribute.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_attribute_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_missing_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_class.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_class_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_enabled_claim.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_enabled_claim_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_numeric_string_syntax_invalid_.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_numeric_string_syntax_invalid__to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_octet_string_syntax_invalid_.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_octet_string_syntax_invalid__to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_2.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_2_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_wrong_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_oid_syntax_wrong_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_printable_string_syntax_invalid_.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_printable_string_syntax_invalid__to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_wrong_value_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_security_descriptor_syntax_wrong_value_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_simple_AD_sourced_claim.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_simple_AD_sourced_claim_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_unhandled_source_type.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_unhandled_source_type_to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid_.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_to_krbtgt.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_info.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_info_to_krbtgt.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims_to_krbtgt.ad_dc +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_to_krbtgt.ad_dc diff --git a/selftest/knownfail_mit_kdc_1_20 b/selftest/knownfail_mit_kdc_1_20 index 4a47ab974ae..8c42a54bdae 100644 --- a/selftest/knownfail_mit_kdc_1_20 +++ b/selftest/knownfail_mit_kdc_1_20 @@ -7,3 +7,7 @@ ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self\( ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_pac_request_none\( ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_pac_request_true\( +# +# Claims tests +# +^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_to_self.ad_dc diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 54906ae589c..eeb8f75534c 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1727,6 +1727,10 @@ planoldpythontestsuite( 'ad_dc', 'samba.tests.krb5.kpasswd_tests', environ=krb5_environ) +planoldpythontestsuite( + 'ad_dc', + 'samba.tests.krb5.claims_tests', + environ=krb5_environ) for env in [ 'vampire_dc',