a )&i@sddlZddlZddlZejdddejd<ddlmZddlm Z m Z ddl m Z ddl mZmZdd lmZdd lmZmZdd lmZmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#ddl$m%m&m'Z(d Z)d Z*Gd ddeZ+e,dkrd Z)d Z*ddl-Z-e-.dS)Nz bin/python1ZPYTHONUNBUFFERED)ntstatus)krb5paclsa)env_get_var_value) CksumtypeEnctype) KDCBaseTest)RodcPacEncryptionKeyZeroedChecksumKey)AES256_CTS_HMAC_SHA1_96ARCFOUR_HMAC_MD5KDC_ERR_BADMATCHKDC_ERR_BADOPTIONKDC_ERR_BAD_INTEGRITYKDC_ERR_GENERICKDC_ERR_INAPP_CKSUMKDC_ERR_MODIFIEDKDC_ERR_SUMTYPE_NOSUPPKDC_ERR_TGT_REVOKEDKU_PA_ENC_TIMESTAMPKU_AS_REP_ENC_PARTKU_TGS_REP_ENC_PART_SUB_KEY NT_PRINCIPALFcseZdZfddZdddZddZdd Zd d Zd d ZddZ ddZ ddZ ddZ ddZ ddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0d1Zd2d3Zd4d5Zd6d7Zd8d9Zd:d;Zdd?Z!d@dAZ"dBdCZ#dDdEZ$dFdGZ%dHdIZ&dJdKZ'dLdMZ(dNdOZ)dPdQZ*dRdSZ+dTdUZ,dVdWZ-dXdYZ.dZd[Z/d\d]Z0d^d_Z1d`daZ2dbdcZ3dddeZ4dfdgZ5dhdiZ6e7j8e7j9e7j:hZ;djdkZdpdqZ?drdsZ@dtduZAdvdwZBddxdyZCdd{d|ZDd}d~ZEZFS)S4UKerberosTestscstt|t|_t|_dSN)superrsetUpglobal_asn1_printZ do_asn1_printglobal_hexdumpZ do_hexdumpself __class__.generate_s4u2self_padataTF)expected_crealmexpected_cnameexpected_srealmexpected_snameexpected_account_name expected_sidrmrnticket_decryption_keyZexpect_ticket_checksumZgenerate_padata_fncheck_error_fn check_rep_fncheck_kdc_private_fnrorptgtrGr0Z expect_claimsrr)r1r2r3r8rep_ticket_creds) popget_cached_creds AccountTypeUSERCOMPUTERget_tgtrIrKr get_samdbget_dn get_objectSidrJrL TicketFlagsgeneric_check_kdc_errorgeneric_check_kdc_rep assertIsNonerMTicketDecryptionKey_from_credsrSrAES256r r tgs_exchange_dictgeneric_check_kdc_privaterN_generic_kdc_exchangeget_ticket_pacrOrP)r!kdc_dictrf client_credsrhrVriZ client_namesamdb client_dnsidrjZ service_snamermrnrorpr}r~r0Zservice_decryption_keyrGr8rrrukdc_exchange_dictr?pacr$rsr%_run_s4u2self_tests                     z#S4UKerberosTests._run_s4u2self_testcCs(|ddidtj|jdddddS)N not_delegatedFr+Tflag)rfr0rirmr functoolspartialset_ticket_forwardabler r$r$r%test_s4u2self_forwardableSsz*S4UKerberosTests.test_s4u2self_forwardablec s,fdd}tddid|ddddS)Ncsj|dd}|S)NTr)rremove_ticket_pac)r?r r$r%forwardable_no_pacbszAS4UKerberosTests.test_s4u2self_no_pac..forwardable_no_pacrFr+)rorfr0rirmrr)rr)r!rr$r r%test_s4u2self_no_pacas z%S4UKerberosTests.test_s4u2self_no_paccCs&|dditj|jdddddS)NrFTrr+)rfrirnrr r$r$r%!test_s4u2self_without_forwardabletsz2S4UKerberosTests.test_s4u2self_without_forwardablecCs(|ddidtj|jdddddS)NrFr+rrfr0rirnrr r$r$r%test_s4u2self_not_forwardablesz.S4UKerberosTests.test_s4u2self_not_forwardablecCs(|ddidtj|jdddddS)NrTr+rrrr r$r$r%"test_s4u2self_client_not_delegatedsz3S4UKerberosTests.test_s4u2self_client_not_delegatedc Cs0|ddiddddtj|jdddddS) NrFr$trusted_to_auth_for_delegationdelegation_to_spnr+Trrfrhr0rirmrr r$r$r%'test_s4u2self_not_trusted_empty_allowedsz8S4UKerberosTests.test_s4u2self_not_trusted_empty_allowedc Cs0|ddiddddtj|jdddddS) NrFtestrr+Tr)rfrhr0rirnrr r$r$r%*test_s4u2self_not_trusted_nonempty_allowedsz;S4UKerberosTests.test_s4u2self_not_trusted_nonempty_allowedc Cs0|ddiddddtj|jdddddS) NrFTr$rr+rrrr r$r$r%#test_s4u2self_trusted_empty_allowedsz4S4UKerberosTests.test_s4u2self_trusted_empty_allowedc Cs0|ddiddddtj|jdddddS) NrFTrrr+rrrr r$r$r%&test_s4u2self_trusted_nonempty_allowedsz7S4UKerberosTests.test_s4u2self_trusted_nonempty_allowedc CsZ|j|jjdddd}|dd}|tdddiddi|d tj|jdd d dS) NTr)ridrgrkFrrr+r)rorrrfrhrjr0ri) rrrrIrrrrr)r!Z other_credsZ other_snamer$r$r%test_s4u2self_wrong_snames*z*S4UKerberosTests.test_s4u2self_wrong_snamec Cs0|ddiddddtj|jdddddS)NrFT)rno_auth_data_requiredr+rrrr r$r$r%#test_s4u2self_no_auth_data_requiredsz4S4UKerberosTests.test_s4u2self_no_auth_data_requiredc0Csr|dd}|j|jj|d}|}|}|||}|di}|di}|dd} |dd} || ot| | r|j|jj|d} | d|t | |d<|j|jj|d} n@|j|jj|d} | r| d || |d <|j|jj|d} |d d } t | }|j|| |d }|j|| | |d }|| }|d d}|dur^||}|jg}|dd}|dur||}|dd}|durt t d}|}|}|jt|gd}| dd}| }| dd}| }d}|jt||gd}|| }| j} |d}!|dd}"|!rF|j}#d}$nd}#|j}$||"|dd}%|%durz||!|dd}&|tj}'|dtt f}(| })|dg}*d|d|}+|*!|+|dd},|j"||||||| ||#|$|j#|!|"i||'||&|%|)|*|,d}-|j$|-d|||(|d|!sb|-d }.|j%|.|,d!}/|,rX|&|/n ||/|'i|dS)"Nrfrg service1_opts service2_optsallow_delegationF allow_rbcdZdelegation_from_dnrclient_tkt_optionsr+)r0rmmodify_client_tkt_fnrir0zcname-in-addl-tktr'rkrlrorprr pac_optionsr8expected_transited_serviceszhost/@ expect_pacT)rvrwrxryrzr{Zexpected_supported_etypesr|r}r~rrorpZ callback_dictrrGr0rrrexpected_proxy_targetrr)r1r2r3r8r:r)r)(rrrrrrrZ assertFalser assertNotInrNZget_spnrLrrZget_service_ticketr?rMrIrJrKrrZtgs_supported_enctypesrrrZ assertTruerSrrr r appendrrrrrOrP)0r!rrfrrrrrrrrZservice1_credsZservice2_credsrrmZ client_tgtZclient_service_tktZ service1_tgtrr:rir0Zclient_usernameZ client_realmrtZ service1_nameZservice1_realmZ service2_nameZservice2_realmZservice2_serviceZservice2_snameZservice2_decryption_keyZservice2_etypesrorpr}r~rrrrGr8rrZtransited_servicerrr?rr$r$r%_run_delegation_tests                              z%S4UKerberosTests._run_delegation_testcCs|ddddS)NrT)rorrr r$r$r%test_constrained_delegations z,S4UKerberosTests.test_constrained_delegationcCs|ddddidddS)NrTrF)rorrrrr r$r$r%1test_constrained_delegation_no_auth_data_requiredszBS4UKerberosTests.test_constrained_delegation_no_auth_data_requiredcCs,gd}|ddtj|j|d|ddS)NZservice1Zservice2Zservice3rTservices)rorrrrrradd_delegation_infor!rr$r$r%4test_constrained_delegation_existing_delegation_infoszES4UKerberosTests.test_constrained_delegation_existing_delegation_infocCs|ttjdddS)NF)rorprrrrNT_STATUS_NOT_SUPPORTEDr r$r$r%'test_constrained_delegation_not_alloweds z8S4UKerberosTests.test_constrained_delegation_not_allowedcCs|ttfd|jdddS)NTFrorrrr)rrrrr r$r$r%)test_constrained_delegation_no_client_pacsz:S4UKerberosTests.test_constrained_delegation_no_client_paccCs|td|jdddS)NTF)rorrirrrrrr r$r$r%*test_constrained_delegation_no_service_pacsz;S4UKerberosTests.test_constrained_delegation_no_service_paccCs$|ttfd|jdddiddS)NTFr)rorrrrr)rrrrr r$r$r%?test_constrained_delegation_no_client_pac_no_auth_data_requiredszPS4UKerberosTests.test_constrained_delegation_no_client_pac_no_auth_data_requiredc Cs"|td|jddiddddS)NTrF)rorrirrrrrr r$r$r%@test_constrained_delegation_no_service_pac_no_auth_data_required szQS4UKerberosTests.test_constrained_delegation_no_service_pac_no_auth_data_requiredc Cs&|ttjdtj|jddddS)NTFr)rorprrrrrZNT_STATUS_ACCOUNT_RESTRICTIONrrrr r$r$r%+test_constrained_delegation_non_forwardableszzWS4UKerberosTests.test_constrained_delegation_missing_service_checksum..rTrorprri filterrrrrr NT_STATUS_INSUFFICIENT_RESOURCESrrrr!rr$r$r%4test_constrained_delegation_missing_service_checksumszES4UKerberosTests.test_constrained_delegation_missing_service_checksumc Cst|jD]h}|j|dH|tjkr(t}nt}||tjddt j |j |ddWdq1sd0YqdSNrTrr) rrrrrrrrrrrrrr$r$r%!test_rbcd_missing_client_checksums  z2S4UKerberosTests.test_rbcd_missing_client_checksumc Csjtdd|jD]T}|j|d4|ttjddtj|j |ddWdq1sZ0YqdS)NcSs |tjkSrrrr$r$r%r&rzES4UKerberosTests.test_rbcd_missing_service_checksum..rTrrorprrrirrr$r$r%"test_rbcd_missing_service_checksum$sz3S4UKerberosTests.test_rbcd_missing_service_checksumc Cs`|jD]T}|j|d4|ttfdtj|j|dddWdq1sP0YqdSr)rrrrrrrzeroed_pac_checksumrr$r$r%2test_constrained_delegation_zeroed_client_checksum4s zCS4UKerberosTests.test_constrained_delegation_zeroed_client_checksumc Cs~|jD]r}|j|dR|tjkr2ttf}tj}nd}d}|||dt j |j |ddWdq1sn0YqdS)NrrTr) rrrPAC_TYPE_SRV_CHECKSUMrrrNT_STATUS_WRONG_PASSWORDrrrr r!rrorpr$r$r%3test_constrained_delegation_zeroed_service_checksumBs$  zDS4UKerberosTests.test_constrained_delegation_zeroed_service_checksumc Cs`|jD]T}|j|d4|ttjddtj|j|ddWdq1sP0YqdSr ) rrrrrrrrr rr$r$r% test_rbcd_zeroed_client_checksumWs z1S4UKerberosTests.test_rbcd_zeroed_client_checksumc Cs||jD]p}|j|dP|tjkr.t}tj}nd}d}|||ddtj |j |ddWdq1sl0YqdS)NrrTrr ) rrrrrrrrrrr rr$r$r%!test_rbcd_zeroed_service_checksumfs"  z2S4UKerberosTests.test_rbcd_zeroed_service_checksumc Cs|jD]}|jD]z}|j||dX|tjkrB|tjkrBttf}nt tf}| |dt j |j ||dddWdq1s0YqqdS)NrrCTFr)runkeyed_ctypesrrrrrbrrrrrrunkeyed_pac_checksumr!rrCror$r$r%3test_constrained_delegation_unkeyed_client_checksum}s,   zDS4UKerberosTests.test_constrained_delegation_unkeyed_client_checksumc Cs|jD]}|jD]}|j||dn|tjkrX|tjkrHttf}t j }q`t tf}t j }nd}d}| ||dtj|j||ddWdq1s0YqqdS)NrrTr)rrrrrrrbrrrNT_STATUS_LOGON_FAILURErrrrrrr!rrCrorpr$r$r%4test_constrained_delegation_unkeyed_service_checksums4    zES4UKerberosTests.test_constrained_delegation_unkeyed_service_checksumcCs|jD]}|jD]v}|j||dT|tjkr>|tjkr>t}nt}| |t j ddt j |j||ddWdq1s|0YqqdS)NrTrr)rrrrrrrbrrrrrrrrrr$r$r%!test_rbcd_unkeyed_client_checksums&   z2S4UKerberosTests.test_rbcd_unkeyed_client_checksumcCs|jD]}|jD]}|j||dh|tjkrP|tjkrDt}tj }qXt }tj }nd}d}| ||ddt j|j||ddWdq1s0YqqdS)NrrTrr )rrrrrrrbrrrrrrrrrrr$r$r%"test_rbcd_unkeyed_service_checksums.    z3S4UKerberosTests.test_rbcd_unkeyed_service_checksumcCs|}|j|||didS)NF checksum_keysZinclude_checksumsget_krbtgt_checksum_keymodified_ticket)r!r?rr r$r$r%rs z$S4UKerberosTests.remove_pac_checksumcCsh|}||}|j}tj|tj|tj|i}|tjkr>|}n|}t|j|j ||<|j |||didSNTr) get_krbtgt_credsrdecryption_keyrrPAC_TYPE_KDC_CHECKSUMrr r@kvnor#)r!r?r krbtgt_creds krbtgt_key server_keyr Z zeroed_keyr$r$r%r s"  z$S4UKerberosTests.zeroed_pac_checksumc Csf|}||}|j}tj|tj|tj|i}||}t|j|j } || _ | ||<|j |||didSr$) r%rr&rrr'rr r@r(rCr#) r!r?rrCr)r*r+r r@Znew_keyr$r$r%rs z%S4UKerberosTests.unkeyed_pac_checksumcs&fdd}}j|||dS)Ncs|j}tjdd|Dtttj}t}td|_ ||_ t ||_ t }||_t}tj|_||_||||_|jd7_|S)Ncss|] }|jVqdSr)type).0bufferr$r$r% rzNS4UKerberosTests.add_delegation_info..modify_pac_fn..Ztest_proxy_targetr&)ZbuffersrrZPAC_TYPE_CONSTRAINED_DELEGATIONlistmaprStringZPAC_CONSTRAINED_DELEGATIONZ proxy_targettransited_serviceslenZnum_transited_servicesZPAC_CONSTRAINED_DELEGATION_CTRinfoZ PAC_BUFFERr,rZ num_buffers)rZ pac_buffersr3Z delegationr5Z pac_bufferrr$r% modify_pac_fns$    z;S4UKerberosTests.add_delegation_info..modify_pac_fn)r r6r!)r!r?rr6r r$rr%rs z$S4UKerberosTests.add_delegation_infoTcCs6tj|jd|d}|r |}nd}|j||||dS)Nr+)rvalue) modify_fnr r)rrZmodify_ticket_flagr"r#)r!r?rrr8r r$r$r%r:s z'S4UKerberosTests.set_ticket_forwardablecCs|j|ddS)NT)Z exclude_pac)r#)r!r?r$r$r%rIsz"S4UKerberosTests.remove_ticket_pac)N)N)T)G__name__ __module__ __qualname__rrZr\r^rarcrerrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr r rrrrrr`rbrdrrrrrrr rrrr __classcell__r$r$r"r%r:s   t #             ! r__main__)/sysosrpathinsertenvironZsambarZ samba.dcerpcrrZ samba.testsrZsamba.tests.krb5.kcryptorrZsamba.tests.krb5.kdc_base_testr Zsamba.tests.krb5.raw_testcaser r Z"samba.tests.krb5.rfc4120_constantsr r rrrrrrrrrrrrZsamba.tests.krb5.rfc4120_pyasn1ZtestsZkrb5Zrfc4120_pyasn1rLrrrr9Zunittestmainr$r$r$r%s<    @