HEX
Server: Apache/2.4.52 (Ubuntu)
System: Linux spn-python 5.15.0-89-generic #99-Ubuntu SMP Mon Oct 30 20:42:41 UTC 2023 x86_64
User: arjun (1000)
PHP: 8.1.2-1ubuntu2.20
Disabled: NONE
Upload Files
File: //lib/python3/dist-packages/samba/tests/krb5/__pycache__/kpasswd_tests.cpython-310.pyc
o

eF�c���@s�ddlZddlZej�dd�dejd<ddlmZddlmZm	Z	ddl
mZmZddl
mZdd	lmZdd
lmZmZmZmZmZmZmZmZmZmZmZdZdZGdd
�d
e�Ze dkrndZdZddl!Z!e!�"�dSdS)�Nz
bin/python�1�PYTHONUNBUFFERED)�partial)�generate_random_password�unix2nttime)�krb5pac�security)�SDUtils)�KDCBaseTest)�KDC_ERR_TGT_REVOKED�KDC_ERR_TKT_EXPIRED�KPASSWD_ACCESSDENIED�KPASSWD_AUTHERROR�KPASSWD_HARDERROR�KPASSWD_INITIAL_FLAG_NEEDED�KPASSWD_MALFORMED�KPASSWD_SOFTERROR�KPASSWD_SUCCESS�NT_PRINCIPAL�NT_SRV_INSTFcseZdZ�fdd�ZdDdd�Zdd�Zdd	�Zd
d�Zdd
�Zdd�Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zdd�Zdd�Zd d!�Zd"d#�Zd$d%�Zd&d'�Zd(d)�Zd*d+�Zd,d-�Zd.d/�Zd0d1�Zd2d3�Zd4d5�Zd6d7�Zd8d9�Zd:d;�Zd<d=�Z d>d?�Z!d@dA�Z"dBdC�Z#�Z$S)E�KpasswdTestscsbt���t|_t|_|��}|��}|�|j	|�|�	d�|�
�}|�|j|�|�d�dS)N�	000000001�0)�super�setUp�global_asn1_print�
do_asn1_print�global_hexdump�
do_hexdump�	get_samdb�get_dsheuristics�
addCleanup�set_dsheuristics�
get_minPwdAge�
set_minPwdAge)�self�samdb�dsheuristics�	minPwdAge��	__class__��@/usr/lib/python3/dist-packages/samba/tests/krb5/kpasswd_tests.pyr7s

zKpasswdTests.setUpFcCs d|i}|j|jj|dd�}|S)N�expired_passwordF)�account_type�opts�	use_cache)�get_cached_creds�AccountType�USER)r%�expiredr/�credsr+r+r,�
_get_credsQs�
�zKpasswdTests._get_credscCs,|��}|�|�}tj|i}|j|||d�S)N��new_ticket_key�
checksum_keys)�get_mock_rodc_krbtgt_creds�TicketDecryptionKey_from_credsr�PAC_TYPE_KDC_CHECKSUM�modified_ticket)r%�ticket�krbtgt_creds�
krbtgt_keyr9r+r+r,�issued_by_rodc]s
��zKpasswdTests.issued_by_rodccCs|jtddgd�S)N�kadmin�changepw��	name_type�names)�PrincipalName_creater)r%r+r+r,�get_kpasswd_snamejs�zKpasswdTests.get_kpasswd_snamecCs>|j}|d}|�d|�}|d}|�|�}|�|�}||S�N�authtime�	starttime�endtime)�ticket_private�get�get_EpochFromKerberosTime)r%r>�enc_partrJrKrLr+r+r,�get_ticket_lifetimens

z KpasswdTests.get_ticket_lifetimecCsn|j}dd�|D�}|�tj|�t��}t�|�|_t��}tj|_	||_
|�|�||_|jd7_|S)NcSsg|]}|j�qSr+)�type)�.0�
pac_bufferr+r+r,�
<listcomp>}sz2KpasswdTests.add_requester_sid.<locals>.<listcomp>�)
�buffers�assertNotInr�PAC_TYPE_REQUESTER_SID�PAC_REQUESTER_SIDr�dom_sid�sid�
PAC_BUFFERrR�info�append�num_buffers)r%�pacr\�pac_buffers�buffer_types�
requester_sid�requester_sid_bufferr+r+r,�add_requester_sidzs
zKpasswdTests.add_requester_sidcC�b|��}|j||��dd�}t}d}tdd�}|j|||||jjd�|�|�|j|dd�dS�Nr��sname�kdc_options�Password changed� ��modeT��fresh)	r6�get_tgtrHrr�kpasswd_exchange�KpasswdMode�SET�update_password�r%r5r>�
expected_code�expected_msg�new_passwordr+r+r,�test_kpasswd_set���
�
zKpasswdTests.test_kpasswd_setcCrgrh)	r6rrrHrrrsrt�CHANGErvrwr+r+r,�test_kpasswd_change�r|z KpasswdTests.test_kpasswd_changecCs�|��}|��}|j||dd�}t}d}tdd�}|j|||||jjd�|�|�|j||dd�}tdd�}|j|||||jj	d�dS)Nrrirlrmrn)
r6rHrrrrrsrtrurvr})r%r5rjr>rxryrzr+r+r,�test_kpasswd_no_canonicalize�s2�
�
�

�z)KpasswdTests.test_kpasswd_no_canonicalizecC�|��}|��}|����}|j|||dd�}t}d}tdd�}|j|||||jj	d�|�
|�|j|||dd�}tdd�}|j|||||jjd�dS)Nr�rj�realmrkrlrmrn�r6rH�	get_realm�
capitalizerrrrrsrtrurvr}�r%r5rjr�r>rxryrzr+r+r,�'test_kpasswd_no_canonicalize_realm_case��8�
�
�

�z4KpasswdTests.test_kpasswd_no_canonicalize_realm_casecCs�|��}|j||��dd�}t}d}tdd�}|j|||||jjd�|�|�|j||��dd�}tdd�}|j|||||jj	d�dS)N�canonicalizerirlrmrn)
r6rrrHrrrsrtrurvr}rwr+r+r,�test_kpasswd_canonicalizes0�
�
�

�z&KpasswdTests.test_kpasswd_canonicalizecCr�)Nr�r�rlrmrnr�r�r+r+r,�$test_kpasswd_canonicalize_realm_case.r�z1KpasswdTests.test_kpasswd_canonicalize_realm_casecCs\|��}|j||��dd�}t}d}d}|j|||||jjd�|j|||||jjd�dS)Nrris.Password does not meet complexity requirements�passwordrn)r6rrrHrrsrtrur}rwr+r+r,�test_kpasswd_too_weakVs&��
�z"KpasswdTests.test_kpasswd_too_weakcCsh|��}|j||��dd�}ttf}d}d}|j|||||jjd�t}d}|j|||||jjd�dS)Nrri)s@Password too short, password must be at least 7 characters long.�String conversion failed!�rnr�)	r6rrrHrrrsrtrur}rwr+r+r,�test_kpasswd_emptyqs*��
�zKpasswdTests.test_kpasswd_emptycCsf|��}|j||��dd�}t}d}tdd�}|j|||||jjdd�|j|||||jjdd�dS)Nrris/gensec_unwrap failed - NT_STATUS_ACCESS_DENIED
rmF)ro�send_seq_number)	r6rrrHrrrsrtrur}rwr+r+r,�test_kpasswd_no_seq_number�s*�
�
�z'KpasswdTests.test_kpasswd_no_seq_numbercCsl|��}|j||��dd�}|�|�}t}d}tdd�}|j|||||jjd�|j|||||jj	d�dS)Nrri�/gensec_update failed - NT_STATUS_LOGON_FAILURE
rmrn)
r6rrrHrArrrsrtrur}rwr+r+r,�test_kpasswd_from_rodc�s(�

�
�z#KpasswdTests.test_kpasswd_from_rodccCsh|��}|��}|jt|�d�d�}|j||��dd�}t}d}tdd�}|j	|||||j
j|d�dS)N�/rDrri)�<Realm and principal must be both present, or neither present�Failed to decode packetrm)ro�target_princ)r6�get_usernamerGr�splitrrrHrrrsrtru�r%r5�username�cnamer>rxryrzr+r+r,�"test_kpasswd_set_target_princ_only�s$��

�z/KpasswdTests.test_kpasswd_set_target_princ_onlycCsT|��}|j||��dd�}ttf}d}tdd�}|j|||||jj|�	�d�dS)Nrri)r�r�s#No such user when changing passwordrm)ro�target_realm)
r6rrrHrr
rrsrtrur�rwr+r+r,�"test_kpasswd_set_target_realm_only�s�

�z/KpasswdTests.test_kpasswd_set_target_realm_onlyc	Csn|��}|��}|jt|�d�d�}|j||��dd�}t}d}tdd�}|j	|||||j
j||��d�dS)Nr�rDrris Not permitted to change passwordrm�ror�r�)
r6r�rGrr�rrrHr
rrsrtrur�r�r+r+r,�1test_kpasswd_set_target_princ_and_realm_no_accesss&��

�z>KpasswdTests.test_kpasswd_set_target_princ_and_realm_no_accessc	Cs�|��}|��}|�|�}|jt|�d�d�}|��}t|�}|��}|�	||�}d|�d�}	|�
||	�|��}
|j||
dddd�}t
}d	}
td
d
�}|j||||
|jj||��d�dS)Nr�rDz	(A;;CR;;;�)rBrCr��service�target_namerkrlrmr�)r6r�rrrGrr�rr	�get_dn�
get_objectSid�dacl_add_ace�get_krbtgt_creds�get_service_ticketrrrsrtrur�)r%r5r��tgtr�r&�sd_utils�user_dn�user_sid�acer?r>rxryrzr+r+r,�.test_kpasswd_set_target_princ_and_realm_accesss<
��

�z;KpasswdTests.test_kpasswd_set_target_princ_and_realm_accesscC�N|jdd�}|j||��dd�}t}d}tdd�}|j|||||jjd�dS�NT)r4rrirlrmrn)r6rrrHrrrsrtrurwr+r+r,�!test_kpasswd_set_expired_passwordG��

�z.KpasswdTests.test_kpasswd_set_expired_passwordcCr�r�)r6rrrHrrrsrtr}rwr+r+r,�$test_kpasswd_change_expired_password[r�z1KpasswdTests.test_kpasswd_change_expired_passwordcCs6|��}|j||��dd�}|�|�}|�d|�dS)Nrri�x)r6rrrHrQ�assertEqual)r%r5r>�lifetimer+r+r,�test_kpasswd_ticket_lifetimeos�
z)KpasswdTests.test_kpasswd_ticket_lifetimecCsb|��}|j||��dd�}|��}|jtd|gd�}|�|�|��}|j|||t	t
fd�dS)Nrri�krbtgtrD��expect_error)�get_client_credsrrrHr�rGr�	set_sname�get_service_creds�_make_tgs_requestrr)r%r5r>r��krbtgt_sname�
service_credsr+r+r,�test_kpasswd_ticket_tgs|s��

�
�z$KpasswdTests.test_kpasswd_ticket_tgsc	st���}��|�}tj|i}�jdd���j|d����fdd�}��fdd�����fdd�}�j|||||d	�S)
Ni��)�offsetcs$�|d<d|vr�|d<�|d<|SrIr+)rP)�end_time�
start_timer+r,�modify_ticket_times�s
zCKpasswdTests.modify_requester_sid_time.<locals>.modify_ticket_timescsJ|j}|D]}|jtjkr����}t|�|j_nq��d�||_|S)Nz$failed to find LOGON_NAME PAC buffer)	rWrRr�PAC_TYPE_LOGON_NAMErOrr^�
logon_time�fail)rarbrTr�)r%r�r+r,�modify_pac_time�s
�
z?KpasswdTests.modify_requester_sid_time.<locals>.modify_pac_timecs�j|�d�}�|�}|S)N)r\)rf)ra)r�r%r\r+r,�
modify_pac_fn�sz=KpasswdTests.modify_requester_sid_time.<locals>.modify_pac_fn)r8�	modify_fnr�r9)r�r;rr<�get_KerberosTimer=)	r%r>r\r�r?r@r9r�r�r+)r�r�r%r\r�r,�modify_requester_sid_time�s
��z&KpasswdTests.modify_requester_sid_timec	Cs�|��}|j||��dd�}|��}|jtd|gd�}|�|�|��}|��}|�	||�}|j
||dd�}|��}|j|||t
d�dS)Nrrir�rDr��r\r�r�)r�rrrHr�rGrr�rr�r�r�r�r�r�	r%r5r>r�r�r&r�r�r�r+r+r,�%test_kpasswd_ticket_requester_sid_tgs��(��
�

�z2KpasswdTests.test_kpasswd_ticket_requester_sid_tgsc	Cs�|��}|j||��dd�}|��}|jtd|gd�}|�|�|��}|��}|�	||�}|j
||dd�}|��}|j|||dd�dS)	Nrrir�rD�r�Fr�)
r�rrrHr�rGrr�rr�r�r�r�r�r�r+r+r,�.test_kpasswd_ticket_requester_sid_lifetime_tgs�r�z;KpasswdTests.test_kpasswd_ticket_requester_sid_lifetime_tgscCsf|��}|�|�}|�|���t}d}tdd�}|j|||||jjd�|j|||||jj	d�dS)Ns,A TGT may not be used as a ticket to kpasswdrmrn)
r6rrr�rHrrrsrtrur})r%r5r�rxryrzr+r+r,�test_kpasswd_tgts$

�
�zKpasswdTests.test_kpasswd_tgtcCst|��}|�|�}|��}|j||dddd�}t}d}tdd�}|j|||||jjd�|j|||||jj	d�dS)NrBrCrr�sExpected an initial ticketrmrn)
r6rrr�r�rrrsrtrur})r%r5r�r?r>rxryrzr+r+r,�test_kpasswd_non_initial+s0
�
�
�z%KpasswdTests.test_kpasswd_non_initialcs������������fdd�}t}d}|�}tdd�}�j||||�jjd���|�|�}tdd�}�j||||�jjd�dS)NcsL�j�dd�}�j|�ddddd�}t�jddd�}���}�j|||d	�S)
NTrprBrCr)r�r�rkrq�initial)�flag�value)r�r9)rrr�r�modify_ticket_flag�get_krbtgt_checksum_keyr=)r�r>�set_initial_flagr9�r5r?r%r+r,�
get_ticketSs ���z5KpasswdTests.test_kpasswd_initial.<locals>.get_ticketrlrmrn)	r6r�rrrsrtrurvr})r%r�rxryr>rzr+r�r,�test_kpasswd_initialLs,
�


�z!KpasswdTests.test_kpasswd_initialcCs�|��}|��}|j||dd�}|��}|�|�}|�|jd�tj|i}|j	|||d�}|j
tdgd�}|�|�t
}d}	tdd�}
|j||
||	|jjd	�|j||
||	|jjd	�dS)
Nrri�7a kvno is required to tell the DB which key to look up.r7�
AdministratorrDr�rmrn)r6rHrr�get_admin_credsr;�assertIsNotNone�kvnorr<r=rGrr�rrrsrtrur})r%r5rjr>�admin_creds�	admin_keyr9�admin_snamerxryrzr+r+r,�test_kpasswd_wrong_key�sF�
����

�
�z#KpasswdTests.test_kpasswd_wrong_keyc
Cs�|j|jjdd�}|��}|j||dd�}|�|�}|�|jd�tj	|i}|j
|||d�}|��}|jt
|�d�d�}|�|�t}d	}td
d
�}	|j||	|||jjd�|j||	|||jjd�dS)NF)r.r0rrir�r7r�rDr�rmrn)r1r2�COMPUTERrHrrr;r�r�rr<r=r�rGrr�r�rrrsrtrur})
r%r5rjr>�our_keyr9r�rxryrzr+r+r,�test_kpasswd_wrong_key_service�sJ
��
����

�
�z+KpasswdTests.test_kpasswd_wrong_key_servicecCs�|��}|��}|j||dd�}|��}|�|�}|�|jd�tj|i}|j	|||d�}|�
�}|jt|�
d�d�}|�|�t}	d}
tdd�}|j|||	|
|jjd	�|j|||	|
|jjd	�dS)
Nrrir�r7r�rDr�rmrn)r6rHrr�get_dc_credsr;r�r�rr<r=r�rGrr�r�rrrsrtrur})r%r5rjr>�dc_creds�dc_keyr9�dc_username�dc_snamerxryrzr+r+r,�test_kpasswd_wrong_key_server�sH�
����

�
�z*KpasswdTests.test_kpasswd_wrong_key_server)F)%�__name__�
__module__�__qualname__rr6rArHrQrfr{r~rr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r��
__classcell__r+r+r)r,r5sD

%'#(!*
<"!!403r�__main__)#�sys�os�path�insert�environ�	functoolsr�sambarr�samba.dcerpcrr�samba.sd_utilsr	�samba.tests.krb5.kdc_base_testr
�"samba.tests.krb5.rfc4120_constantsrrr
rrrrrrrrrrrr��unittest�mainr+r+r+r,�<module>s4
4g�