torture-krb5: Add additional assertions for non-canon TGS-REP
authorAndrew Bartlett <abartlet@samba.org>
Tue, 3 Feb 2015 02:51:41 +0000 (15:51 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Sun, 8 Feb 2015 07:07:08 +0000 (08:07 +0100)
This confirms that the KDC does not modify the returned principal in a TGS-REP unconditionally.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
source4/torture/krb5/kdc-canon.c

index 8dbfd9374a5db83380e2c3dd9c6a54f086445eb8..d18905e64e2cd53c9f76734a3024a248f5cc49e8 100644 (file)
@@ -647,6 +647,15 @@ static bool torture_krb5_post_recv_self_trust_tgs_req_test(struct torture_krb5_c
                                 test_context->tgs_req.req_body.sname->name_type,
                                 "Mismatch in name_type between request and ticket response");
 
+       torture_assert_int_equal(test_context->tctx,
+                                test_context->tgs_rep.ticket.sname.name_string.len, 2,
+                                "Mismatch in name between request and expected request, expected krbtgt/realm");
+       torture_assert_str_equal(test_context->tctx,
+                                test_context->tgs_rep.ticket.sname.name_string.val[0], "krbtgt",
+                                "Mismatch in name between request and expected request, expected krbtgt");
+       torture_assert_str_equal(test_context->tctx,
+                                test_context->tgs_rep.ticket.sname.name_string.val[1], test_context->test_data->realm,
+                                "Mismatch in realm part of cross-realm request principal between response and expected request");
        /*
         * We can confirm that the correct proxy behaviour is
         * in use on the KDC by checking the KVNO of the
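Review bot: The failure messages on the three added assertions misdescribe the comparison: each one checks `test_context->tgs_rep.ticket.sname` from the response, yet the first two say "between request and expected request", so a failing run points the reader at the wrong side of the exchange. I would word them after the value under test, for example `"Mismatch in ticket sname length in TGS-REP, expected krbtgt/realm"` and `"Mismatch in first component of ticket sname in TGS-REP, expected krbtgt"`, and bring the third message in line with them. The reads of `val[0]` and `val[1]` are safe only because the `len == 2` assertion comes first and, as far as I know, the torture_assert macros return from the function on failure; that ordering should be kept if these lines are ever rearranged. The block also has no comment, unlike the KVNO check that follows, so a one-liner such as `/* The KDC must return the krbtgt/realm sname unchanged in a non-canon TGS-REP */` and a blank line before the existing comment would help. The enclosing function starts and ends outside this hunk.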