a )&i@sddlZddlZddlmZddlmZmZddlmZm Z ddl m Z ddl m Z ddlmZmZmZmZmZmZmZmZmZmZmZejddd ejd <d Zd ZGd d d e Ze dkrd Zd Zddl!Z!e!"dS)N)partial)generate_random_password unix2nttime)krb5pacsecurity)SDUtils) KDCBaseTest) KDC_ERR_TGT_REVOKEDKDC_ERR_TKT_EXPIREDKPASSWD_ACCESSDENIEDKPASSWD_AUTHERRORKPASSWD_HARDERRORKPASSWD_INITIAL_FLAG_NEEDEDKPASSWD_MALFORMEDKPASSWD_SOFTERRORKPASSWD_SUCCESS NT_PRINCIPAL NT_SRV_INSTz bin/python1ZPYTHONUNBUFFEREDFcseZdZfddZdDddZddZdd Zd d Zd d ZddZ ddZ ddZ ddZ ddZ ddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0d1Zd2d3Zd4d5Zd6d7Zd8d9Zd:d;Zdd?Z!d@dAZ"dBdCZ#Z$S)E KpasswdTestscsbtt|_t|_|}|}||j || d| }||j || ddS)NZ 0000000010) supersetUpglobal_asn1_printZ do_asn1_printglobal_hexdumpZ do_hexdump get_samdbZget_dsheuristicsZ addCleanupZset_dsheuristicsZ get_minPwdAgeZ set_minPwdAge)selfsamdbZ dsheuristicsZ minPwdAge __class__@/usr/lib/python3/dist-packages/samba/tests/krb5/kpasswd_tests.pyr7s  zKpasswdTests.setUpFcCs d|i}|j|jj|dd}|S)NZexpired_passwordF) account_typeopts use_cache)get_cached_creds AccountTypeZUSER)rexpiredr#credsr r r! _get_credsQs zKpasswdTests._get_credscCs,|}||}tj|i}|j|||dS)Nnew_ticket_key checksum_keys)Zget_mock_rodc_krbtgt_credsTicketDecryptionKey_from_credsrPAC_TYPE_KDC_CHECKSUMmodified_ticket)rticket krbtgt_creds krbtgt_keyr,r r r!issued_by_rodc]s zKpasswdTests.issued_by_rodccCs|jtddgdS)NkadminchangepwZ name_typenames)PrincipalName_creater)rr r r!get_kpasswd_snamejszKpasswdTests.get_kpasswd_snamecCs>|j}|d}|d|}|d}||}||}||SNauthtime starttimeendtime)Zticket_privategetget_EpochFromKerberosTime)rr0enc_partr;r<r=r r r!get_ticket_lifetimens   z KpasswdTests.get_ticket_lifetimecCsn|j}dd|D}|tj|t}t||_t}tj|_ ||_ | |||_|j d7_ |S)NcSsg|] }|jqSr )type).0 pac_bufferr r r! }z2KpasswdTests.add_requester_sid..) buffersZ assertNotInrZPAC_TYPE_REQUESTER_SIDZPAC_REQUESTER_SIDrZdom_sidsidZ PAC_BUFFERrBinfoappendZ num_buffers)rpacrI pac_buffersZ buffer_typesZ requester_sidZrequester_sid_bufferr r r!add_requester_sidzs  zKpasswdTests.add_requester_sidcCsb|}|j||dd}t}d}tdd}|j|||||jjd|||j|dddSNrsname kdc_optionsPassword changed modeTfresh) r)get_tgtr9rrkpasswd_exchange KpasswdModeSETupdate_passwordrr(r0 expected_code expected_msg new_passwordr r r!test_kpasswd_sets   zKpasswdTests.test_kpasswd_setcCsb|}|j||dd}t}d}tdd}|j|||||jjd|||j|dddSrO) r)rYr9rrrZr[CHANGEr]r^r r r!test_kpasswd_changes   z KpasswdTests.test_kpasswd_changecCs|}|}|j||dd}t}d}tdd}|j|||||jjd|||j||dd}tdd}|j|||||jj ddS)NrrPrSrTrU) r)r9rYrrrZr[r\r]rc)rr(rQr0r_r`rar r r!test_kpasswd_no_canonicalizes2   z)KpasswdTests.test_kpasswd_no_canonicalizecCs|}|}|}|j|||dd}t}d}tdd}|j|||||jj d| ||j|||dd}tdd}|j|||||jj ddS)NrrQrealmrRrSrTrU r)r9 get_realm capitalizerYrrrZr[r\r]rcrr(rQrgr0r_r`rar r r!'test_kpasswd_no_canonicalize_realm_cases8    z4KpasswdTests.test_kpasswd_no_canonicalize_realm_casecCs|}|j||dd}t}d}tdd}|j|||||jjd|||j||dd}tdd}|j|||||jj ddS)N canonicalizerPrSrTrU) r)rYr9rrrZr[r\r]rcr^r r r!test_kpasswd_canonicalize s0     z&KpasswdTests.test_kpasswd_canonicalizecCs|}|}|}|j|||dd}t}d}tdd}|j|||||jj d| ||j|||dd}tdd}|j|||||jj ddS)NrmrfrSrTrUrhrkr r r!$test_kpasswd_canonicalize_realm_case.s8    z1KpasswdTests.test_kpasswd_canonicalize_realm_casecCs\|}|j||dd}t}d}d}|j|||||jjd|j|||||jjddS)NrrPs.Password does not meet complexity requirementsZpasswordrU)r)rYr9rrZr[r\rcr^r r r!test_kpasswd_too_weakVs& z"KpasswdTests.test_kpasswd_too_weakcCsh|}|j||dd}ttf}d}d}|j|||||jjdt}d}|j|||||jjddS)NrrP)s@Password too short, password must be at least 7 characters long.String conversion failed!rUrq) r)rYr9rr rZr[r\rcr^r r r!test_kpasswd_emptyqs* zKpasswdTests.test_kpasswd_emptycCsf|}|j||dd}t}d}tdd}|j|||||jjdd|j|||||jjdddS)NrrPs/gensec_unwrap failed - NT_STATUS_ACCESS_DENIED rTF)rVZsend_seq_number) r)rYr9r rrZr[r\rcr^r r r!test_kpasswd_no_seq_numbers*  z'KpasswdTests.test_kpasswd_no_seq_numbercCsl|}|j||dd}||}t}d}tdd}|j|||||jjd|j|||||jj ddS)NrrP/gensec_update failed - NT_STATUS_LOGON_FAILURE rTrU) r)rYr9r3r rrZr[r\rcr^r r r!test_kpasswd_from_rodcs(   z#KpasswdTests.test_kpasswd_from_rodccCsh|}|}|jt|dd}|j||dd}t}d}tdd}|j |||||j j |ddS)N/r6rrP)<Realm and principal must be both present, or neither presentFailed to decode packetrT)rV target_princ) r) get_usernamer8rsplitrYr9rrrZr[r\rr(usernamecnamer0r_r`rar r r!"test_kpasswd_set_target_princ_onlys$  z/KpasswdTests.test_kpasswd_set_target_princ_onlycCsT|}|j||dd}ttf}d}tdd}|j|||||jj| ddS)NrrP)rxrys#No such user when changing passwordrT)rV target_realm) r)rYr9rr rrZr[r\rir^r r r!"test_kpasswd_set_target_realm_onlys  z/KpasswdTests.test_kpasswd_set_target_realm_onlyc Csn|}|}|jt|dd}|j||dd}t}d}tdd}|j |||||j j || ddS)Nrwr6rrPs Not permitted to change passwordrTrVrzr) r)r{r8rr|rYr9r rrZr[r\rir}r r r!1test_kpasswd_set_target_princ_and_realm_no_accesss&  z>KpasswdTests.test_kpasswd_set_target_princ_and_realm_no_accessc Cs|}|}||}|jt|dd}|}t|}|}| ||}d|d} | || | } |j || dddd} t } d } td d }|j| || | |jj||d dS) Nrwr6z (A;;CR;;;)r4r5rservice target_namerRrSrTr)r)r{rYr8rr|rrget_dn get_objectSidZ dacl_add_aceget_krbtgt_credsget_service_ticketrrrZr[r\ri)rr(r~tgtrrZsd_utilsuser_dnuser_sidZacer1r0r_r`rar r r!.test_kpasswd_set_target_princ_and_realm_accesss<     z;KpasswdTests.test_kpasswd_set_target_princ_and_realm_accesscCsN|jdd}|j||dd}t}d}tdd}|j|||||jjddSNT)r'rrPrSrTrU)r)rYr9rrrZr[r\r^r r r!!test_kpasswd_set_expired_passwordGs   z.KpasswdTests.test_kpasswd_set_expired_passwordcCsN|jdd}|j||dd}t}d}tdd}|j|||||jjddSr)r)rYr9rrrZr[rcr^r r r!$test_kpasswd_change_expired_password[s   z1KpasswdTests.test_kpasswd_change_expired_passwordcCs6|}|j||dd}||}|d|dS)NrrPx)r)rYr9rAZ assertEqual)rr(r0lifetimer r r!test_kpasswd_ticket_lifetimeos   z)KpasswdTests.test_kpasswd_ticket_lifetimecCsb|}|j||dd}|}|jtd|gd}|||}|j|||t t fddS)NrrPkrbtgtr6Z expect_error) get_client_credsrYr9rir8r set_snameget_service_creds_make_tgs_requestr r )rr(r0rg krbtgt_sname service_credsr r r!test_kpasswd_ticket_tgs|s   z$KpasswdTests.test_kpasswd_ticket_tgsc st}|}tj|i}jddj|dfdd}fddfdd}j|||||d S) Ni)offsetcs$|d<d|vr|d<|d<|Sr:r )r@)end_time start_timer r!modify_ticket_timess zCKpasswdTests.modify_requester_sid_time..modify_ticket_timescsJ|j}|D]*}|jtjkr }t||j_q@q d||_|S)Nz$failed to find LOGON_NAME PAC buffer) rHrBrZPAC_TYPE_LOGON_NAMEr?rrJ logon_timeZfail)rLrMrDr)rrr r!modify_pac_times    z?KpasswdTests.modify_requester_sid_time..modify_pac_timecsj|d}|}|S)N)rI)rN)rL)rrrIr r! modify_pac_fnsz=KpasswdTests.modify_requester_sid_time..modify_pac_fn)r+ modify_fnrr,)rr-rr.Zget_KerberosTimer/) rr0rIrr1r2r,rrr )rrrrIrr!modify_requester_sid_times    z&KpasswdTests.modify_requester_sid_timec Cs|}|j||dd}|}|jtd|gd}|||}|}| ||}|j ||dd}| }|j |||t ddS)NrrPrr6rrIrr)rrYr9rir8rrrrrrrrr rr(r0rgrrrrrr r r!%test_kpasswd_ticket_requester_sid_tgss(    z2KpasswdTests.test_kpasswd_ticket_requester_sid_tgsc Cs|}|j||dd}|}|jtd|gd}|||}|}| ||}|j ||dd}| }|j |||dddS) NrrPrr6rFr) rrYr9rir8rrrrrrrrrr r r!.test_kpasswd_ticket_requester_sid_lifetime_tgss(    z;KpasswdTests.test_kpasswd_ticket_requester_sid_lifetime_tgscCsf|}||}||t}d}tdd}|j|||||jjd|j|||||jj ddS)Ns,A TGT may not be used as a ticket to kpasswdrTrU) r)rYrr9r rrZr[r\rc)rr(rr_r`rar r r!test_kpasswd_tgts$  zKpasswdTests.test_kpasswd_tgtcCst|}||}|}|j||dddd}t}d}tdd}|j|||||jjd|j|||||jj ddS)Nr4r5rrsExpected an initial ticketrTrU) r)rYrrrrrZr[r\rc)rr(rr1r0r_r`rar r r!test_kpasswd_non_initial+s0  z%KpasswdTests.test_kpasswd_non_initialcsfdd}t}d}|}tdd}j||||jjd||}tdd}j||||jjddS)NcsLjdd}j|ddddd}tjddd}}j|||d S) NTrWr4r5r)rrrRrXinitial)flagvalue)rr,)rYrrZmodify_ticket_flagZget_krbtgt_checksum_keyr/)rr0Zset_initial_flagr,r(r1rr r! get_ticketSs z5KpasswdTests.test_kpasswd_initial..get_ticketrSrTrU) r)rrrrZr[r\r]rc)rrr_r`r0rar rr!test_kpasswd_initialLs,   z!KpasswdTests.test_kpasswd_initialc Cs|}|}|j||dd}|}||}||jdtj|i}|j |||d}|j t dgd}| |t }d} tdd} |j|| || |jjd |j|| || |jjd dS) NrrP7a kvno is required to tell the DB which key to look up.r*Z Administratorr6rurTrU)r)r9rYZget_admin_credsr-assertIsNotNonekvnorr.r/r8rrr rrZr[r\rc) rr(rQr0Z admin_credsZ admin_keyr,Z admin_snamer_r`rar r r!test_kpasswd_wrong_keysF   z#KpasswdTests.test_kpasswd_wrong_keyc Cs|j|jjdd}|}|j||dd}||}||jdtj |i}|j |||d}| }|j t |dd}||t}d }td d } |j|| |||jjd |j|| |||jjd dS) NF)r"r$rrPrr*rwr6rurTrU)r%r&ZCOMPUTERr9rYr-rrrr.r/r{r8rr|rr rrZr[r\rc) rr(rQr0Zour_keyr,r~r_r`rar r r!test_kpasswd_wrong_key_servicesJ    z+KpasswdTests.test_kpasswd_wrong_key_servicec Cs|}|}|j||dd}|}||}||jdtj|i}|j |||d}| }|j t | dd}||t} d} tdd} |j|| | | |jjd |j|| | | |jjd dS) NrrPrr*rwr6rurTrU)r)r9rYZ get_dc_credsr-rrrr.r/r{r8rr|rr rrZr[r\rc) rr(rQr0Zdc_credsZdc_keyr,Z dc_usernameZdc_snamer_r`rar r r!test_kpasswd_wrong_key_serversH   z*KpasswdTests.test_kpasswd_wrong_key_server)F)%__name__ __module__ __qualname__rr)r3r9rArNrbrdrerlrnrorprsrtrvrrrrrrrrrrrrrrrrr __classcell__r r rr!r5sB    %'#(!* <"!!403r__main__)#ossys functoolsrZsambarrZ samba.dcerpcrrZsamba.sd_utilsrZsamba.tests.krb5.kdc_base_testrZ"samba.tests.krb5.rfc4120_constantsr r r r r rrrrrrpathinsertenvironrrrrZunittestmainr r r r!s0   4 g