tests/krb5: Correctly determine whether tickets are service tickets
1 #!/usr/bin/env python3
2 # Unix SMB/CIFS implementation.
3 # Copyright (C) Stefan Metzmacher 2020
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 import sys
20 import os
22 from samba.tests.krb5.kdc_base_test import KDCBaseTest
# "bin/python" is a relative path, so it resolves against the current working
# directory. It is put at the front of the module search path and affects
# imports performed after this line; run the test from the intended build
# tree so that no other directory's "bin/python" is picked up.
sys.path.insert(0, "bin/python")

# Set PYTHONUNBUFFERED in this process's environment.
os.environ.update(PYTHONUNBUFFERED="1")

# Module-level debug switches; RodcKerberosTests.setUp copies them onto each
# test instance as do_asn1_print / do_hexdump.
# NOTE(review): presumably these make the base class dump the ASN.1 / raw
# bytes of Kerberos messages, which would then land in test logs - confirm
# before switching them on outside a throwaway test realm.
global_asn1_print = global_hexdump = False
class RodcKerberosTests(KDCBaseTest):
    # Kerberos tests whose requests are directed at the RODC (to_rodc=True).

    def setUp(self):
        super().setUp()
        # Copy the module-level debug switches onto this test instance.
        self.do_hexdump = global_hexdump
        self.do_asn1_print = global_asn1_print

    # Ensure that an RODC correctly issues tickets signed with its krbtgt key
    # and including the RODCIdentifier.
    #
    # Both the TGT and the service ticket are checked against the RODC's own
    # krbtgt key, taken from get_rodc_krbtgt_creds().
    def test_rodc_ticket_signature(self):
        # Both accounts are requested with 'allowed_replication' and
        # 'revealed_to_rodc' set.
        # NOTE(review): presumably this makes the RODC able to issue their
        # tickets itself instead of referring to a writable DC - confirm in
        # KDCBaseTest.get_cached_creds.
        rodc_account_opts = {
            'allowed_replication': True,
            'revealed_to_rodc': True,
        }

        # Each call gets its own copy so the two calls never share a dict.
        client_creds = self.get_cached_creds(
            account_type=self.AccountType.USER,
            opts=dict(rodc_account_opts))
        server_creds = self.get_cached_creds(
            account_type=self.AccountType.COMPUTER,
            opts=dict(rodc_account_opts))

        # Key derived from the RODC's krbtgt credentials; both tickets below
        # are verified against it.
        rodc_krbtgt_creds = self.get_rodc_krbtgt_creds()
        rodc_krbtgt_key = self.TicketDecryptionKey_from_creds(
            rodc_krbtgt_creds)

        # Step 1: obtain a TGT from the RODC and check the checksums in its
        # PAC. service_ticket=False tells verify_ticket this is a TGT.
        # NOTE(review): which PAC checksums are expected for a TGT versus a
        # service ticket is decided inside verify_ticket, not here - confirm
        # there.
        rodc_tgt = self.get_tgt(client_creds, to_rodc=True)
        self.verify_ticket(rodc_tgt, rodc_krbtgt_key, service_ticket=False)

        # Step 2: use that TGT to obtain a service ticket for the computer
        # account, again from the RODC, and check its PAC checksums as a
        # service ticket.
        rodc_service_ticket = self.get_service_ticket(
            rodc_tgt, server_creds, to_rodc=True)
        self.verify_ticket(rodc_service_ticket, rodc_krbtgt_key,
                           service_ticket=True)
if __name__ == "__main__":
    import unittest

    # When run directly, both debug switches are (re)set to False before the
    # tests start; setUp reads them for every test.
    global_asn1_print = global_hexdump = False

    unittest.main()