From e03665fb8cd3edac37c7346d160ddfdad2f6074f Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Fri, 21 Jan 2022 10:19:20 +0100
Subject: [PATCH] python:tests: Add support for unexpected groups in krb5 tests

Signed-off-by: Andreas Schneider
Reviewed-by: Stefan Metzmacher
---
 python/samba/tests/krb5/raw_testcase.py | 17 +++++++++++++++++
 python/samba/tests/krb5/s4u_tests.py | 5 ++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index b5682ff7815..7f9d9d17640 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2050,6 +2050,7 @@ class RawKerberosTest(TestCaseInTempDir):
 expected_sname=None,
 expected_account_name=None,
 expected_groups=None,
+ unexpected_groups=None,
 expected_upn_name=None,
 expected_sid=None,
 expected_supported_etypes=None,
@@ -2111,6 +2112,7 @@ class RawKerberosTest(TestCaseInTempDir):
 'expected_sname': expected_sname,
 'expected_account_name': expected_account_name,
 'expected_groups': expected_groups,
+ 'unexpected_groups': unexpected_groups,
 'expected_upn_name': expected_upn_name,
 'expected_sid': expected_sid,
 'expected_supported_etypes': expected_supported_etypes,
@@ -2168,6 +2170,7 @@ class RawKerberosTest(TestCaseInTempDir):
 expected_sname=None,
 expected_account_name=None,
 expected_groups=None,
+ unexpected_groups=None,
 expected_upn_name=None,
 expected_sid=None,
 expected_supported_etypes=None,
@@ -2230,6 +2233,7 @@ class RawKerberosTest(TestCaseInTempDir):
 'expected_sname': expected_sname,
 'expected_account_name': expected_account_name,
 'expected_groups': expected_groups,
+ 'unexpected_groups': unexpected_groups,
 'expected_upn_name': expected_upn_name,
 'expected_sid': expected_sid,
 'expected_supported_etypes': expected_supported_etypes,
@@ -2805,6 +2809,7 @@ class RawKerberosTest(TestCaseInTempDir):
 expected_account_name = kdc_exchange_dict['expected_account_name']
 expected_groups = kdc_exchange_dict['expected_groups']
+ unexpected_groups = kdc_exchange_dict['unexpected_groups']
 expected_sid = kdc_exchange_dict['expected_sid']
 expect_upn_dns_info_ex = kdc_exchange_dict['expect_upn_dns_info_ex']
@@ -2862,6 +2867,16 @@ class RawKerberosTest(TestCaseInTempDir):
 match_count += 1
 self.assertEqual(match_count, len(expected_groups))
+ if unexpected_groups is not None:
+ match_count = 0
+
+ for g in unexpected_groups:
+ self.assertIsNotNone(info3.sids)
+ for sid_attr in info3.sids:
+ if g == str(sid_attr.sid):
+ match_count += 1
+ self.assertEqual(match_count, 0)
+
 elif pac_buffer.type == krb5pac.PAC_TYPE_UPN_DNS_INFO:
 upn_dns_info = pac_buffer.info
 upn_dns_info_ex = upn_dns_info.ex
@@ -3964,6 +3979,7 @@ class RawKerberosTest(TestCaseInTempDir):
 renew_time=None,
 expected_account_name=None,
 expected_groups=None,
+ unexpected_groups=None,
 expected_upn_name=None,
 expected_sid=None,
 expected_flags=None,
@@ -4005,6 +4021,7 @@ class RawKerberosTest(TestCaseInTempDir):
 expected_sname=expected_sname,
 expected_account_name=expected_account_name,
 expected_groups=expected_groups,
+ unexpected_groups=unexpected_groups,
 expected_upn_name=expected_upn_name,
 expected_sid=expected_sid,
 expected_supported_etypes=expected_supported_etypes,
diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py
index d2d9566b920..81fbf31836f 100755
--- a/python/samba/tests/krb5/s4u_tests.py
+++ b/python/samba/tests/krb5/s4u_tests.py
@@ -284,6 +284,7 @@ class S4UKerberosTests(KDCBaseTest):
 expect_edata = kdc_dict.pop('expect_edata', None)
 expected_groups = kdc_dict.pop('expected_groups', None)
+ unexpected_groups = kdc_dict.pop('unexpected_groups', None)
 def generate_s4u2self_padata(_kdc_exchange_dict, _callback_dict,
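Review bot: In the `@@ -2862,6 +2867,16 @@` hunk of raw_testcase.py the new negative check compares each entry only against `info3.sids`, and `self.assertIsNotNone(info3.sids)` sits inside the loop, so a PAC that carries no extra SIDs fails the test even though the group is absent. If an unexpected group can also be carried elsewhere in the logon info (for example as a RID in `info3.base.groups`, which this hunk does not show, so worth confirming), the assertion would pass without having looked there. `assertEqual(match_count, 0)` also does not say which SID matched; building `sids = {str(s.sid) for s in info3.sids or []}` once and calling `self.assertNotIn(g, sids)` per group keeps the same comparison and names the offending SID on failure. The enclosing method starts and ends outside the hunk.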
@@ -302,7 +303,7 @@ class S4UKerberosTests(KDCBaseTest):
 expected_srealm=realm,
 expected_sname=service_sname,
 expected_account_name=client_name,
- expected_groups=expected_groups,
+ unexpected_groups=unexpected_groups,
 expected_sid=sid,
 expected_flags=expected_flags,
 unexpected_flags=unexpected_flags,
@@ -573,6 +574,7 @@ class S4UKerberosTests(KDCBaseTest):
 opts=service1_opts)
 expected_groups = kdc_dict.pop('expected_groups', None)
+ unexpected_groups = kdc_dict.pop('unexpected_groups', None)
 client_tkt_options = kdc_dict.pop('client_tkt_options', 'forwardable')
 expected_flags = krb5_asn1.TicketFlags(client_tkt_options)
@@ -659,6 +661,7 @@ class S4UKerberosTests(KDCBaseTest):
 expected_sname=service2_sname,
 expected_account_name=client_username,
 expected_groups=expected_groups,
+ unexpected_groups=unexpected_groups,
 expected_sid=sid,
 expected_supported_etypes=service2_etypes,
 ticket_decryption_key=service2_decryption_key,
--
2.11.4.GIT
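Review bot: The `@@ -302,7 +303,7 @@` hunk of s4u_tests.py replaces `expected_groups=expected_groups,` with `unexpected_groups=unexpected_groups,` instead of adding the new argument next to it, so the S4U2Self exchange no longer receives `expected_groups` although the `@@ -284,6 +284,7 @@` hunk still pops it from `kdc_dict`. Any caller that passes `expected_groups` to this test would then have its positive PAC group assertion skipped without a failure. The delegation call in the `@@ -659,6 +661,7 @@` hunk keeps both arguments, which suggests the removal is unintended; restoring `expected_groups=expected_groups,` above the new line would keep both checks. The call's opening and closing lines are outside the hunk.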