From 598eaa3474191d29ab2f1a356a26e479a441a198 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Fri, 3 Mar 2023 11:33:15 +1300
Subject: [PATCH] tests/krb5: Remove old device info and device claims tests

They have been made superfluous by newer declarative tests in claims_tests.py and device_tests.py.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 python/samba/tests/krb5/claims_tests.py | 191 ------------------------
 selftest/knownfail_heimdal_kdc | 3 -
 selftest/knownfail_mit_kdc | 4 -
 3 files changed, 198 deletions(-)

diff --git a/python/samba/tests/krb5/claims_tests.py b/python/samba/tests/krb5/claims_tests.py
index 8d663476635..78c78476e0c 100755
--- a/python/samba/tests/krb5/claims_tests.py
+++ b/python/samba/tests/krb5/claims_tests.py
@@ -242,18 +242,6 @@ class ClaimsTests(KDCBaseTest):
 def test_delegation_claims_remove_claims(self):
 self.run_delegation_test(remove_claims=True)
 
- def test_device_info(self):
- self._run_device_info_test(to_krbtgt=False)
-
- def test_device_info_to_krbtgt(self):
- self._run_device_info_test(to_krbtgt=True)
-
- def test_device_claims(self):
- self._run_device_claims_test(to_krbtgt=False)
-
- def test_device_claims_to_krbtgt(self):
- self._run_device_claims_test(to_krbtgt=True)
-
 # Create a user account with an applicable claim for the 'middleName'
 # attribute. After obtaining a TGT, from which we optionally remove the
 # claims, change the middleName attribute values for the account in the
@@ -475,185 +463,6 @@ class ClaimsTests(KDCBaseTest):
 additional_tickets=additional_tickets)
 self.check_reply(rep, KRB_TGS_REP)
 
- def _run_device_info_test(self, to_krbtgt):
- user_creds = self.get_cached_creds(
- account_type=self.AccountType.USER)
- user_tgt = self.get_tgt(user_creds)
-
- mach_creds = self.get_cached_creds(
- account_type=self.AccountType.COMPUTER)
- mach_tgt = self.get_tgt(mach_creds)
-
- samdb = self.get_samdb()
- expected_sid = self.get_objectSid(samdb, user_creds.get_dn())
-
- subkey = self.RandomKey(user_tgt.session_key.etype)
-
- armor_subkey = self.RandomKey(subkey.etype)
- explicit_armor_key = self.generate_armor_key(armor_subkey,
- mach_tgt.session_key)
- armor_key = kcrypto.cf2(explicit_armor_key.key,
- subkey.key,
- b'explicitarmor',
- b'tgsarmor')
- armor_key = Krb5EncryptionKey(armor_key, None)
-
- if to_krbtgt:
- extra_enctypes = None
- else:
- extra_enctypes = security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED
- target_creds, sname = self.get_target(
- to_krbtgt,
- extra_enctypes=extra_enctypes)
- srealm = target_creds.get_realm()
-
- decryption_key = self.TicketDecryptionKey_from_creds(
- target_creds)
-
- etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
-
- kdc_options = '0'
- pac_options = '1' # claims support
-
- kdc_exchange_dict = self.tgs_exchange_dict(
- expected_crealm=user_tgt.crealm,
- expected_cname=user_tgt.cname,
- expected_srealm=srealm,
- expected_sname=sname,
- ticket_decryption_key=decryption_key,
- generate_fast_fn=self.generate_simple_fast,
- generate_fast_armor_fn=self.generate_ap_req,
- check_rep_fn=self.generic_check_kdc_rep,
- check_kdc_private_fn=self.generic_check_kdc_private,
- tgt=user_tgt,
- armor_key=armor_key,
- armor_tgt=mach_tgt,
- armor_subkey=armor_subkey,
- pac_options=pac_options,
- authenticator_subkey=subkey,
- kdc_options=kdc_options,
- expect_pac=True,
- expect_pac_attrs=to_krbtgt,
- expect_pac_attrs_pac_request=to_krbtgt,
- expected_sid=expected_sid,
- expect_device_claims=not to_krbtgt,
- expect_device_info=not to_krbtgt)
-
- rep = self._generic_kdc_exchange(kdc_exchange_dict,
- cname=None,
- realm=srealm,
- sname=sname,
- etypes=etypes)
- self.check_reply(rep, KRB_TGS_REP)
-
- def _run_device_claims_test(self, to_krbtgt):
- user_creds = self.get_cached_creds(
- account_type=self.AccountType.USER)
- user_tgt = self.get_tgt(user_creds)
-
- samdb = self.get_samdb()
- mach_creds, mach_dn = self.create_account(
- samdb,
- self.get_new_username(),
- account_type=self.AccountType.COMPUTER,
- additional_details={
- 'middleName': 'foo',
- })
-
- claim_id = self.get_new_username()
- self.create_claim(claim_id,
- enabled=True,
- attribute='middleName',
- single_valued=True,
- source_type='AD',
- for_classes=['computer'],
- value_type=claims.CLAIM_TYPE_STRING)
-
- expected_claims = {
- claim_id: {
- 'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
- 'type': claims.CLAIM_TYPE_STRING,
- 'values': ['foo'],
- },
- }
-
- # Get a TGT for the computer.
- mach_tgt = self.get_tgt(mach_creds, expect_pac=True,
- expect_client_claims=True,
- expected_client_claims=expected_claims)
-
- # Change the value of the attribute used for the claim.
- msg = ldb.Message(ldb.Dn(samdb, mach_dn))
- msg['middleName'] = ldb.MessageElement('bar',
- ldb.FLAG_MOD_REPLACE,
- 'middleName')
- samdb.modify(msg)
-
- # Get a service ticket for the user, using the computer's TGT as an
- # armor TGT. The value should not have changed.
-
- expected_sid = self.get_objectSid(samdb, user_creds.get_dn())
-
- subkey = self.RandomKey(user_tgt.session_key.etype)
-
- armor_subkey = self.RandomKey(subkey.etype)
- explicit_armor_key = self.generate_armor_key(armor_subkey,
- mach_tgt.session_key)
- armor_key = kcrypto.cf2(explicit_armor_key.key,
- subkey.key,
- b'explicitarmor',
- b'tgsarmor')
- armor_key = Krb5EncryptionKey(armor_key, None)
-
- if to_krbtgt:
- extra_enctypes = None
- else:
- extra_enctypes = security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED
- target_creds, sname = self.get_target(
- to_krbtgt,
- extra_enctypes=extra_enctypes)
- srealm = target_creds.get_realm()
-
- decryption_key = self.TicketDecryptionKey_from_creds(
- target_creds)
-
- etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
-
- kdc_options = '0'
- pac_options = '1' # claims support
-
- kdc_exchange_dict = self.tgs_exchange_dict(
- expected_crealm=user_tgt.crealm,
- expected_cname=user_tgt.cname,
- expected_srealm=srealm,
- expected_sname=sname,
- ticket_decryption_key=decryption_key,
- generate_fast_fn=self.generate_simple_fast,
- generate_fast_armor_fn=self.generate_ap_req,
- check_rep_fn=self.generic_check_kdc_rep,
- check_kdc_private_fn=self.generic_check_kdc_private,
- tgt=user_tgt,
- armor_key=armor_key,
- armor_tgt=mach_tgt,
- armor_subkey=armor_subkey,
- pac_options=pac_options,
- authenticator_subkey=subkey,
- kdc_options=kdc_options,
- expect_pac=True,
- expect_pac_attrs=to_krbtgt,
- expect_pac_attrs_pac_request=to_krbtgt,
- expected_sid=expected_sid,
- expect_device_info=not to_krbtgt,
- expect_device_claims=not to_krbtgt,
- expected_device_claims=expected_claims if not to_krbtgt else None)
-
- rep = self._generic_kdc_exchange(kdc_exchange_dict,
- cname=None,
- realm=srealm,
- sname=sname,
- etypes=etypes)
- self.check_reply(rep, KRB_TGS_REP)
-
 @classmethod
 def setUpDynamicTestCases(cls):
 FILTER = env_get_var_value('FILTER', allow_missing=True)
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 3312ae68155..e46310f7f41 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -139,11 +139,8 @@
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_to_krbtgt.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_info.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims_to_krbtgt.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 61df87678e7..1bf672d4178 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -543,12 +543,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_claims_utc_time_syntax_invalid__to_self.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_delegation_claims_remove_claims.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_claims_valid_sid.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_device_to_service_no_compound_id.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_claims_to_krbtgt.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_info.ad_dc
-^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_device_info_to_krbtgt.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims_to_krbtgt.ad_dc
-- 
2.34.1