From 6a77c2b93315503008627ce786388f281bd6bb87 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 15 Jun 2021 16:55:02 +1200 Subject: [PATCH] tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds This allows us to require encryption keys in the case that a password would not be required, such as for the krbtgt account. Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Joseph Sutton Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- python/samba/tests/krb5/as_req_tests.py | 2 +- python/samba/tests/krb5/raw_testcase.py | 53 +++++++++++++++++++++++++-------- python/samba/tests/krb5/simple_tests.py | 2 +- 3 files changed, 42 insertions(+), 15 deletions(-) diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 3ad37c6bdf2..3099c224c18 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -58,7 +58,7 @@ class AsReqKerberosTests(RawKerberosTest): client_creds = self.get_client_creds() client_account = client_creds.get_username() client_as_etypes = client_creds.get_as_krb5_etypes() - krbtgt_creds = self.get_krbtgt_creds() + krbtgt_creds = self.get_krbtgt_creds(require_keys=False) krbtgt_account = krbtgt_creds.get_username() realm = krbtgt_creds.get_realm() diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 7d9f0cd94f9..9c0f5800b42 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -444,6 +444,7 @@ class RawKerberosTest(TestCaseInTempDir): def _get_krb5_creds(self, prefix, default_username=None, allow_missing_password=False, + allow_missing_keys=True, require_strongest_key=False): c = KerberosCredentials() c.guess() @@ -486,8 +487,8 @@ class RawKerberosTest(TestCaseInTempDir): else: aes256_allow_missing = True else: - kvno_allow_missing = True - aes256_allow_missing = True + kvno_allow_missing = allow_missing_keys + aes256_allow_missing = allow_missing_keys kvno = self.env_get_var('KVNO', prefix, fallback_default=False, allow_missing=kvno_allow_missing) @@ -506,37 +507,63 @@ class RawKerberosTest(TestCaseInTempDir): fallback_default=False, allow_missing=True) if rc4_key is not None: c.set_forced_key(kcrypto.Enctype.RC4, rc4_key) + + if not allow_missing_keys: + self.assertTrue(c.forced_keys, + 'Please supply %s encryption keys ' + 'in environment' % prefix) + return c - def get_user_creds(self, allow_missing_password=False): + def get_user_creds(self, + allow_missing_password=False, + allow_missing_keys=True): c = self._get_krb5_creds(prefix=None, - allow_missing_password=allow_missing_password) + allow_missing_password=allow_missing_password, + allow_missing_keys=allow_missing_keys) return c - def get_service_creds(self, allow_missing_password=False): + def get_service_creds(self, + allow_missing_password=False, + allow_missing_keys=True): c = self._get_krb5_creds(prefix='SERVICE', - allow_missing_password=allow_missing_password) + allow_missing_password=allow_missing_password, + allow_missing_keys=allow_missing_keys) return c - def get_client_creds(self, allow_missing_password=False): + def get_client_creds(self, + allow_missing_password=False, + allow_missing_keys=True): c = self._get_krb5_creds(prefix='CLIENT', - allow_missing_password=allow_missing_password) + allow_missing_password=allow_missing_password, + allow_missing_keys=allow_missing_keys) return c - def get_server_creds(self, allow_missing_password=False): + def get_server_creds(self, + allow_missing_password=False, + allow_missing_keys=True): c = self._get_krb5_creds(prefix='SERVER', - allow_missing_password=allow_missing_password) + allow_missing_password=allow_missing_password, + allow_missing_keys=allow_missing_keys) return c - def get_admin_creds(self, allow_missing_password=False): + def get_admin_creds(self, + allow_missing_password=False, + allow_missing_keys=True): c = self._get_krb5_creds(prefix='ADMIN', - allow_missing_password=allow_missing_password) + allow_missing_password=allow_missing_password, + allow_missing_keys=allow_missing_keys) return c - def get_krbtgt_creds(self, require_strongest_key=False): + def get_krbtgt_creds(self, + require_keys=True, + require_strongest_key=False): + if require_strongest_key: + self.assertTrue(require_keys) c = self._get_krb5_creds(prefix='KRBTGT', default_username='krbtgt', allow_missing_password=True, + allow_missing_keys=not require_keys, require_strongest_key=require_strongest_key) return c diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py index 2da76a3cf5e..9650702c6c6 100755 --- a/python/samba/tests/krb5/simple_tests.py +++ b/python/samba/tests/krb5/simple_tests.py @@ -44,7 +44,7 @@ class SimpleKerberosTests(RawKerberosTest): def test_simple(self): user_creds = self.get_user_creds() user = user_creds.get_username() - krbtgt_creds = self.get_krbtgt_creds() + krbtgt_creds = self.get_krbtgt_creds(require_keys=False) krbtgt_account = krbtgt_creds.get_username() realm = krbtgt_creds.get_realm() -- 2.11.4.GIT