python/samba/tests/dsdb_quiet_env_tests.py

   1 # Unix SMB/CIFS implementation. Tests for dsdb
   2 # Copyright (C) Andrew Bartlett <abartlet@samba.org> 2024
   3 #
   4 # This program is free software; you can redistribute it and/or modify
   5 # it under the terms of the GNU General Public License as published by
   6 # the Free Software Foundation; either version 3 of the License, or
   7 # (at your option) any later version.
   8 #
   9 # This program is distributed in the hope that it will be useful,
  10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 # GNU General Public License for more details.
  13 #
  14 # You should have received a copy of the GNU General Public License
  15 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  16 #
  17
  18 """These tests want to be run on a freshly provisioned domain that has
  19 not been greatly modified by other tests (which at the time of writing
  20 probably means 'chgdcpass').
  21
  22 Tests here should only read the database.
  23
  24 This is to avoid flapping tests.
  25 """
  26
  27 from samba.credentials import Credentials
  28 from samba.samdb import SamDB
  29 from samba.auth import system_session
  30 from samba.tests import TestCase
  31 import ldb
  32 import samba
  33
  34 class DsdbQuietEnvTests(TestCase):
  35
  36     @classmethod
  37     def setUpClass(cls):
  38         super().setUpClass()
  39         cls.lp = samba.tests.env_loadparm()
  40         cls.creds = Credentials()
  41         cls.creds.guess(cls.lp)
  42         cls.session = system_session()
  43         cls.samdb = SamDB(session_info=cls.session,
  44                           credentials=cls.creds,
  45                           lp=cls.lp)
  46
  47     def test_gkdi_create_root_key_wrong_version(self):
  48
  49         server_config_dn = self.samdb.get_config_basedn()
  50         server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration," +
  51                                    "CN=Server Configuration," +
  52                                    "CN=Group Key Distribution Service," +
  53                                    "CN=Services")
  54         res = self.samdb.search(base=server_config_dn,
  55                                 scope=ldb.SCOPE_BASE,
  56                                 attrs=["msKds-Version"])
  57
  58         self.assertEqual(len(res), 1)
  59
  60         msg = res[0]
  61         version = int(msg["msKds-Version"][0])
  62         self.assertEqual(version, 1)
  63
  64         self.addCleanup(self.samdb.modify,
  65                         ldb.Message.from_dict(self.samdb,
  66                                               {"dn": msg["dn"],
  67                                                "msKds-Version": [str(version)]},
  68                                               ldb.FLAG_MOD_REPLACE))
  69         self.samdb.modify(ldb.Message.from_dict(self.samdb,
  70                                                 {"dn": msg["dn"],
  71                                                  "msKds-Version": ["2"]},
  72                                                 ldb.FLAG_MOD_REPLACE))
  73
  74         try:
  75             self.samdb.new_gkdi_root_key()
  76             self.fail("Creating key with invalid version should fail")
  77         except ldb.LdbError as e:
  78             (enum, estr) = e.args
  79             self.assertEqual(enum, ldb.ERR_CONSTRAINT_VIOLATION)
  80
  81     def test_gkdi_create_root_key_4096(self):
  82
  83         server_config_dn = self.samdb.get_config_basedn()
  84         server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration," +
  85                                    "CN=Server Configuration," +
  86                                    "CN=Group Key Distribution Service," +
  87                                    "CN=Services")
  88         res = self.samdb.search(base=server_config_dn,
  89                                 scope=ldb.SCOPE_BASE,
  90                                 attrs=["msKds-PublicKeyLength"])
  91
  92         self.assertEqual(len(res), 1)
  93
  94         msg = res[0]
  95         if "msKds-PublicKeyLength" in msg:
  96             keylen = msg[0]["msKds-PublicKeyLength"]
  97             # Ensure test still tests something in the future, if the default changes
  98             self.assertNotEqual(keylen, 4096)
  99             self.addCleanup(self.samdb.modify,
 100                             ldb.Message.from_dict(self.samdb,
 101                                                   {"dn": msg["dn"],
 102                                                    "msKds-PublicKeyLength": [str(keylen)]},
 103                                                   ldb.FLAG_MOD_REPLACE))
 104         else:
 105             self.addCleanup(self.samdb.modify,
 106                             ldb.Message.from_dict(self.samdb,
 107                                                   {"dn": msg["dn"],
 108                                                    "msKds-PublicKeyLength": []},
 109                                                   ldb.FLAG_MOD_DELETE))
 110
 111         self.samdb.modify(ldb.Message.from_dict(self.samdb,
 112                                                 {"dn": msg["dn"],
 113                                                  "msKds-PublicKeyLength": ["4096"]},
 114                                                 ldb.FLAG_MOD_REPLACE))
 115
 116         dn = self.samdb.new_gkdi_root_key()
 117
 118         root_key_res = self.samdb.search(base=dn,
 119                                          scope=ldb.SCOPE_BASE)
 120         self.assertEqual(len(root_key_res), 1)
 121         root_key = root_key_res[0]
 122
 123         self.assertEqual(int(root_key["msKds-PublicKeyLength"][0]), 4096)
 124         self.assertEqual(str(root_key["msKds-KDFAlgorithmID"][0]), "SP800_108_CTR_HMAC")
 125         self.assertEqual(str(root_key["msKds-SecretAgreementAlgorithmID"][0]), "DH")
 126         self.assertEqual(int(root_key["msKds-Version"][0]), 1)
 127
 128     def test_gkdi_create_root_key_priv_1024(self):
 129
 130         server_config_dn = self.samdb.get_config_basedn()
 131         server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration," +
 132                                    "CN=Server Configuration," +
 133                                    "CN=Group Key Distribution Service," +
 134                                    "CN=Services")
 135         res = self.samdb.search(base=server_config_dn,
 136                                 scope=ldb.SCOPE_BASE,
 137                                 attrs=["msKds-PrivateKeyLength"])
 138
 139         self.assertEqual(len(res), 1)
 140
 141         msg = res[0]
 142         if "msKds-PrivateKeyLength" in msg:
 143             keylen = msg["msKds-PrivateKeyLength"]
 144             # Ensure test still tests something in the future, if the default changes
 145             self.assertNotEqual(keylen, 1024)
 146             self.addCleanup(self.samdb.modify,
 147                             ldb.Message.from_dict(self.samdb,
 148                                                   {"dn": msg["dn"],
 149                                                    "msKds-PrivateKeyLength": [str(keylen)]},
 150                                                   ldb.FLAG_MOD_REPLACE))
 151         else:
 152             self.addCleanup(self.samdb.modify,
 153                             ldb.Message.from_dict(self.samdb,
 154                                                   {"dn": msg["dn"],
 155                                                    "msKds-PrivateKeyLength": []},
 156                                                   ldb.FLAG_MOD_DELETE))
 157
 158         self.samdb.modify(ldb.Message.from_dict(self.samdb,
 159                                                 {"dn": msg["dn"],
 160                                                  "msKds-PrivateKeyLength": ["1024"]},
 161                                                 ldb.FLAG_MOD_REPLACE))
 162
 163         dn = self.samdb.new_gkdi_root_key()
 164
 165         root_key_res = self.samdb.search(base=dn,
 166                                          scope=ldb.SCOPE_BASE)
 167         self.assertEqual(len(root_key_res), 1)
 168         root_key = root_key_res[0]
 169
 170         self.assertEqual(int(root_key["msKds-PrivateKeyLength"][0]), 1024)
 171         self.assertEqual(str(root_key["msKds-KDFAlgorithmID"][0]), "SP800_108_CTR_HMAC")
 172         self.assertEqual(str(root_key["msKds-SecretAgreementAlgorithmID"][0]), "DH")
 173         self.assertEqual(int(root_key["msKds-Version"][0]), 1)
 174
 175     def test_gkdi_create_root_key_bad_alg(self):
 176         server_config_dn = self.samdb.get_config_basedn()
 177         server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration," +
 178                                    "CN=Server Configuration," +
 179                                    "CN=Group Key Distribution Service," +
 180                                    "CN=Services")
 181         res = self.samdb.search(base=server_config_dn,
 182                                 scope=ldb.SCOPE_BASE,
 183                                 attrs=["msKds-KDFAlgorithmID"])
 184
 185         self.assertEqual(len(res), 1)
 186
 187         msg = res[0]
 188         if "msKds-KDFAlgorithmID" in msg:
 189             alg = msg["msKds-KDFAlgorithmID"][0]
 190             self.addCleanup(self.samdb.modify,
 191                             ldb.Message.from_dict(self.samdb,
 192                                                   {"dn": msg["dn"],
 193                                                    "msKds-KDFAlgorithmID": [alg]},
 194                                                   ldb.FLAG_MOD_REPLACE))
 195         else:
 196             self.addCleanup(self.samdb.modify,
 197                             ldb.Message.from_dict(self.samdb,
 198                                                   {"dn": msg["dn"],
 199                                                    "msKds-KDFAlgorithmID": []},
 200                                                   ldb.FLAG_MOD_DELETE))
 201
 202         self.samdb.modify(ldb.Message.from_dict(self.samdb,
 203                                                 {"dn": msg["dn"],
 204                                                  "msKds-KDFAlgorithmID": ["NO_AN_ALG"]},
 205                                                 ldb.FLAG_MOD_REPLACE))
 206
 207         try:
 208             self.samdb.new_gkdi_root_key()
 209             self.fail("Creating key with invalid algorithm should fail")
 210         except ldb.LdbError as e:
 211             (enum, estr) = e.args
 212             self.assertEqual(enum, ldb.ERR_CONSTRAINT_VIOLATION)
 213
 214     def test_gkdi_create_root_key_good_alg(self):
 215         server_config_dn = self.samdb.get_config_basedn()
 216         server_config_dn.add_child("CN=Group Key Distribution Service Server Configuration," +
 217                                    "CN=Server Configuration," +
 218                                    "CN=Group Key Distribution Service," +
 219                                    "CN=Services")
 220         res = self.samdb.search(base=server_config_dn,
 221                                 scope=ldb.SCOPE_BASE,
 222                                 attrs=["msKds-KDFAlgorithmID"])
 223
 224         self.assertEqual(len(res), 1)
 225
 226         msg = res[0]
 227         if "msKds-KDFAlgorithmID" in msg:
 228             alg = msg["msKds-KDFAlgorithmID"][0]
 229             self.addCleanup(self.samdb.modify,
 230                             ldb.Message.from_dict(self.samdb,
 231                                                   {"dn": msg["dn"],
 232                                                    "msKds-KDFAlgorithmID": [alg]},
 233                                                   ldb.FLAG_MOD_REPLACE))
 234         else:
 235             self.addCleanup(self.samdb.modify,
 236                             ldb.Message.from_dict(self.samdb,
 237                                                   {"dn": msg["dn"],
 238                                                    "msKds-KDFAlgorithmID": []},
 239                                                   ldb.FLAG_MOD_DELETE))
 240
 241         self.samdb.modify(ldb.Message.from_dict(self.samdb,
 242                                                 {"dn": msg["dn"],
 243                                                  "msKds-KDFAlgorithmID": ["SP800_108_CTR_HMAC"]},
 244                                                 ldb.FLAG_MOD_REPLACE))
 245
 246         dn = self.samdb.new_gkdi_root_key()
 247
 248         root_key_res = self.samdb.search(base=dn,
 249                                          scope=ldb.SCOPE_BASE)
 250         self.assertEqual(len(root_key_res), 1)
 251         root_key = root_key_res[0]
 252
 253         self.assertEqual(int(root_key["msKds-PublicKeyLength"][0]), 2048)
 254         self.assertEqual(str(root_key["msKds-KDFAlgorithmID"][0]), "SP800_108_CTR_HMAC")
 255         self.assertEqual(str(root_key["msKds-SecretAgreementAlgorithmID"][0]), "DH")
 256         self.assertEqual(int(root_key["msKds-Version"][0]), 1)