tests/krb5/s4u_tests.py: add test_constrained_delegation_authtime
authorStefan Metzmacher <metze@samba.org>
Wed, 23 Mar 2022 23:12:47 +0000 (00:12 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 21 Jun 2023 23:24:37 +0000 (23:24 +0000)
This demonstrates that we use the correct authtime
when doing constrained delegation.

The actual fix for the problem is already in place via
commit 75ec66c729faad60fa18b9504ba4053b3e2f47bc
third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de)

The related patch is:
006a365a6aa3047a4e685e1607973746a28cc1f1 kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/s4u_tests.py

index 4620070c8e6c244c30ea76de75fcf68cc03a0926..fbd32d00dd12aad8ea4aa30f5fa500ea26afe5c4 100755 (executable)
@@ -23,6 +23,7 @@ sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
 
 import functools
+import time
 
 from samba import dsdb, ntstatus
 from samba.dcerpc import krb5pac, lsa, security
@@ -562,6 +563,8 @@ class S4UKerberosTests(KDCBaseTest):
     def _run_delegation_test(self, kdc_dict):
         s4u2self = kdc_dict.pop('s4u2self', False)
 
+        authtime_delay = kdc_dict.pop('authtime_delay', 0)
+
         client_opts = kdc_dict.pop('client_opts', None)
         client_creds = self.get_cached_creds(
             account_type=self.AccountType.USER,
@@ -601,6 +604,8 @@ class S4UKerberosTests(KDCBaseTest):
                 opts=service1_opts)
 
         service1_tgt = self.get_tgt(service1_creds)
+        self.assertElementPresent(service1_tgt.ticket_private, 'authtime')
+        service1_tgt_authtime = self.getElementValue(service1_tgt.ticket_private, 'authtime')
 
         client_username = client_creds.get_username()
         client_realm = client_creds.get_realm()
@@ -628,6 +633,8 @@ class S4UKerberosTests(KDCBaseTest):
                                          ARCFOUR_HMAC_MD5))
 
         if s4u2self:
+            self.assertEqual(authtime_delay, 0)
+
             def generate_s4u2self_padata(_kdc_exchange_dict,
                                          _callback_dict,
                                          req_body):
@@ -673,19 +680,32 @@ class S4UKerberosTests(KDCBaseTest):
 
             client_service_tkt = s4u2self_kdc_exchange_dict['rep_ticket_creds']
         else:
+            if authtime_delay != 0:
+                time.sleep(authtime_delay)
+                fresh = True
+            else:
+                fresh = False
+
             client_tgt = self.get_tgt(client_creds,
                                       kdc_options=client_tkt_options,
-                                      expected_flags=expected_flags)
+                                      expected_flags=expected_flags,
+                                      fresh=fresh)
             client_service_tkt = self.get_service_ticket(
                 client_tgt,
                 service1_creds,
                 kdc_options=client_tkt_options,
-                expected_flags=expected_flags)
+                expected_flags=expected_flags,
+                fresh=fresh)
 
         modify_client_tkt_fn = kdc_dict.pop('modify_client_tkt_fn', None)
         if modify_client_tkt_fn is not None:
             client_service_tkt = modify_client_tkt_fn(client_service_tkt)
 
+        self.assertElementPresent(client_service_tkt.ticket_private, 'authtime')
+        expected_authtime = self.getElementValue(client_service_tkt.ticket_private, 'authtime')
+        if authtime_delay > 1:
+            self.assertNotEqual(expected_authtime, service1_tgt_authtime)
+
         additional_tickets = [client_service_tkt.ticket]
 
         modify_service_tgt_fn = kdc_dict.pop('modify_service_tgt_fn', None)
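Review bot: The `if authtime_delay > 1:` guard in front of `self.assertNotEqual(expected_authtime, service1_tgt_authtime)` is the one line in this hunk whose threshold is not obvious, since the sleep above runs for any non-zero delay; presumably the intent is that authtime has one-second resolution and only a delay clearly larger than that is trusted to produce a visibly different value, so a comment such as `# authtime is second-granular; only require a visible difference when the delay exceeds that.` would record the reasoning. The five-line sleep/`fresh` construction at the start of the `else:` branch can be written as `fresh = authtime_delay != 0` followed by `if fresh: time.sleep(authtime_delay)`, which keeps the flag and the sleep tied to the same condition. Note that `expected_authtime` is read unconditionally after the `modify_client_tkt_fn` hook, so a modifier that rewrites `ticket_private` would change what the final `assertElementEqual` compares against; if that is intended it is worth a one-line comment. `_run_delegation_test` begins before and continues after this hunk.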
@@ -792,6 +812,7 @@ class S4UKerberosTests(KDCBaseTest):
         if not expected_error_mode:
             # Check whether the ticket contains a PAC.
             ticket = kdc_exchange_dict['rep_ticket_creds']
+            self.assertElementEqual(ticket.ticket_private, 'authtime', expected_authtime)
             pac = self.get_ticket_pac(ticket, expect_pac=expect_pac)
             ticket_auth_data = ticket.ticket_private.get('authorization-data')
             expected_num_ticket_auth_data = 0
@@ -842,6 +863,15 @@ class S4UKerberosTests(KDCBaseTest):
                 'allow_delegation': True
             })
 
+    def test_constrained_delegation_authtime(self):
+        # Test constrained delegation.
+        self._run_delegation_test(
+            {
+                'expected_error_mode': 0,
+                'allow_delegation': True,
+                'authtime_delay': 2,
+            })
+
     def test_constrained_delegation_with_enc_auth_data_subkey(self):
         # Test constrained delegation.
         EncAuthorizationData = []
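Review bot: The comment on the new `test_constrained_delegation_authtime` is copied from its neighbours (`# Test constrained delegation.`) and does not say what distinguishes this case, which is the whole point of the commit. Something like `# Test that the S4U2Proxy ticket carries the authtime of the client's service ticket, obtained two seconds after service1's TGT, rather than the TGT's own authtime.` matches what the `'authtime_delay': 2` entry drives in `_run_delegation_test` (sleep before the fresh client tickets, then the `assertElementEqual` on `'authtime'`). The `'expected_error_mode': 0` entry is shared with the other positive delegation tests and needs no separate remark.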