tests/krb5: Test that claims are generated even if PAC-OPTIONS are not set
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 15 Mar 2023 22:18:49 +0000 (11:18 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 20 Mar 2023 00:22:32 +0000 (00:22 +0000)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/claims_tests.py
python/samba/tests/krb5/kdc_base_test.py
selftest/knownfail_heimdal_kdc
selftest/knownfail_mit_kdc

index 7c2c8370e3ed77bd0e34b52330467939666be55f..c308d8da01e05261465292174a7862aa037878e2 100755 (executable)
@@ -775,8 +775,14 @@ class ClaimsTests(KDCBaseTest):
                 'additional_details': self.freeze(details),
             })
 
+        # Whether to specify claims support in PA-PAC-OPTIONS.
+        pac_options_claims = case.pop('pac-options:claims-support', None)
+
         self.assertFalse(case, 'unexpected parameters in testcase')
 
+        if pac_options_claims is None:
+            pac_options_claims = True
+
         if to_self:
             service_creds = self.get_service_creds()
             sname = self.PrincipalName_create(
@@ -788,10 +794,16 @@ class ClaimsTests(KDCBaseTest):
             sname = None
             ticket_etype = None
 
+        if pac_options_claims:
+            pac_options = '1'  # claims support
+        else:
+            pac_options = '0'  # no claims support
+
         self.get_tgt(creds,
                      sname=sname,
                      target_creds=service_creds,
                      ticket_etype=ticket_etype,
+                     pac_options=pac_options,
                      expect_pac=True,
                      expect_client_claims=True,
                      expected_client_claims=expected_claims or None,
@@ -829,6 +841,26 @@ class ClaimsTests(KDCBaseTest):
             ],
             'class': 'user',
         },
+        {
+            'name': 'no claims support in pac options',
+            'claims': [
+                {
+                    # 2.5.5.12
+                    'enabled': True,
+                    'attribute': 'carLicense',
+                    'single_valued': True,
+                    'source_type': 'AD',
+                    'for_classes': ['user'],
+                    'value_type': claims.CLAIM_TYPE_STRING,
+                    'values': ('foo',),
+                    # We still get claims in the PAC even if we don't specify
+                    # claims support in PA-PAC-OPTIONS.
+                    'expected': True,
+                },
+            ],
+            'class': 'user',
+            'pac-options:claims-support': False,
+        },
         {
             # Note: The order of these DNs may differ on Windows.
             'name': 'dn string syntax',
@@ -1515,6 +1547,9 @@ class ClaimsTests(KDCBaseTest):
         tgs_expected = case.pop('tgs:expected', None)
         tgs_device_expected = case.pop('tgs:device:expected', None)
 
+        # Whether to specify claims support in PA-PAC-OPTIONS.
+        pac_options_claims = case.pop('pac-options:claims-support', None)
+
         all_claims = case.pop('claims')
 
         # There should be no parameters remaining in the testcase.
@@ -1561,6 +1596,9 @@ class ClaimsTests(KDCBaseTest):
                                  'specified TGS-REQ reset user flags, but no '
                                  'accompanying machine SIDs provided')
 
+        if pac_options_claims is None:
+            pac_options_claims = True
+
         (details, mod_msg,
          expected_claims,
          unexpected_claims) = self.setup_claims(all_claims)
@@ -1673,7 +1711,10 @@ class ClaimsTests(KDCBaseTest):
         etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
 
         kdc_options = '0'
-        pac_options = '1'  # claims support
+        if pac_options_claims:
+            pac_options = '1'  # claims support
+        else:
+            pac_options = '0'  # no claims support
 
         requester_sid = None
         if tgs_to_krbtgt:
@@ -1851,6 +1892,62 @@ class ClaimsTests(KDCBaseTest):
                 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
             },
         },
+        {
+            # Make a TGS request containing claims to a service, but don't
+            # specify support for claims in PA-PAC-OPTIONS. We still expect the
+            # final PAC to contain claims.
+            'test': 'device to service no claims support in pac options',
+            'groups': {
+                'foo': (GroupType.DOMAIN_LOCAL, {mach}),
+                'bar': (GroupType.DOMAIN_LOCAL, {mach}),
+            },
+            'claims': [
+                {
+                    # 2.5.5.10
+                    'enabled': True,
+                    'attribute': 'middleName',
+                    'single_valued': True,
+                    'source_type': 'AD',
+                    'for_classes': ['computer'],
+                    'value_type': claims.CLAIM_TYPE_STRING,
+                    'values': ('foo',),
+                    'expected': True,
+                    'mod_values': ['bar'],
+                },
+            ],
+            'as:expected': {
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+            'as:mach:expected': {
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+            'tgs:to_krbtgt': False,
+            # Claims are unsupported.
+            'pac-options:claims-support': False,
+            'tgs:expected': {
+                (security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY, SidType.EXTRA_SID, default_attrs),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+                (security.SID_COMPOUNDED_AUTHENTICATION, SidType.EXTRA_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+            },
+            'tgs:device:expected': {
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+                frozenset([
+                    ('foo', SidType.RESOURCE_SID, resource_attrs),
+                    ('bar', SidType.RESOURCE_SID, resource_attrs),
+                ]),
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
+            },
+        },
     ]
 
 
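Review bot: In the `@@ -775` hunk the testcase key is popped with a `None` default and then rewritten to `True` a few lines later, and the same two-step pattern is repeated in the `@@ -1515` and `@@ -1561` hunks; since a testcase only ever stores `False` for this key, `pac_options_claims = case.pop('pac-options:claims-support', True)` expresses the default in one place and drops both `is None` blocks. The `'1'`/`'0'` mapping is likewise duplicated in the `@@ -788` and `@@ -1673` hunks; a single `pac_options = '1' if pac_options_claims else '0'  # PA-PAC-OPTIONS claims-support bit` keeps the two call sites in step. Both enclosing test methods start outside these hunks, so check that no other key in them relies on distinguishing an explicit `None` before changing the pop default. The new cases themselves state the intent clearly — claims are expected in the PAC whether or not the client asserts support in PA-PAC-OPTIONS — which is the behaviour worth pinning, since a KDC that keyed claim issuance on a client-controlled flag would let the client shape its own authorization data.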
index 0f3ca5f01004248817edeeec5af1dd552064a1b8..598a5e5574a7781fdafcc78c79a6a334d689a539 100644 (file)
@@ -2285,6 +2285,7 @@ class KDCBaseTest(RawKerberosTest):
                 unexpected_groups=None,
                 pac_request=True, expect_pac=True,
                 expect_pac_attrs=None, expect_pac_attrs_pac_request=None,
+                pac_options=None,
                 expect_requester_sid=None,
                 rc4_support=True,
                 expect_edata=None,
@@ -2297,7 +2298,7 @@ class KDCBaseTest(RawKerberosTest):
         else:
             user_name = creds.get_username()
 
-        cache_key = (user_name, to_rodc, kdc_options, pac_request,
+        cache_key = (user_name, to_rodc, kdc_options, pac_request, pac_options,
                      client_name_type,
                      ticket_etype,
                      str(expected_flags), str(unexpected_flags),
@@ -2361,7 +2362,8 @@ class KDCBaseTest(RawKerberosTest):
                            'renewable-ok')
         kdc_options = krb5_asn1.KDCOptions(kdc_options)
 
-        pac_options = '1'  # supports claims
+        if pac_options is None:
+            pac_options = '1'  # supports claims
 
         rep, kdc_exchange_dict = self._test_as_exchange(
             cname=cname,
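Review bot: `cache_key` in the `@@ -2297` hunk is built from `pac_options` before the `None` default is applied in the `@@ -2361` hunk, so a call with `pac_options=None` and a call with `pac_options='1'` produce two cache entries for what is the same request, and the `None` entry would silently keep the old default if that default ever changes. Moving `if pac_options is None:` / `    pac_options = '1'  # supports claims` above the `cache_key = (...)` line keeps the cache keyed on the value actually sent. The new parameter also lacks any description of its form; a comment at its declaration such as `# pac_options: PA-PAC-OPTIONS flag string ('1' = claims supported); None selects the default` would help, though the hunks only show it defaulting to `'1'`, so confirm the format against `_test_as_exchange` before writing that. get_tgt's signature and body both extend outside these hunks.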
index 37c66811d78e61a804121e0089ba58de717d2309..fd7ab468ce178c66e3d7e03cf6288146254b0110 100644 (file)
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_support_in_pac_options.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_delete.ad_dc
index fbcbc9c919c35eae28440e7f0a45d59fdf74dcd0..72e3ac992bb7e0671b3dee2c4ac895cf8d78e337 100644 (file)
@@ -511,6 +511,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multi_valued_claim_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_multiple_claims_to_self.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_claims_support_in_pac_options_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_no_value_set_to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_not_applicable_to_any_class.ad_dc
@@ -545,6 +547,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc
+^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_support_in_pac_options.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_rodc_issued_claims_delete.ad_dc