HEX
Server: Apache/2.4.52 (Ubuntu)
System: Linux spn-python 5.15.0-89-generic #99-Ubuntu SMP Mon Oct 30 20:42:41 UTC 2023 x86_64
User: arjun (1000)
PHP: 8.1.2-1ubuntu2.20
Disabled: NONE
$ pwd: /usr/lib/python3/dist-packages/samba/tests/krb5/__pycache__/
Upload Files
File: //usr/lib/python3/dist-packages/samba/tests/krb5/__pycache__/kdc_base_test.cpython-310.pyc
o

eF�c#�@s8ddlZddlZej�dd�dejd<ddlmZmZddlZddlZddl	Z	ddl
Z
ddlmZm
Z
ddl	mZddlZddlmZdd	lmZdd
lmZddlmZmZmZddlmZmZmZmZmZmZdd
l m!Z!m"Z"ddl#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0ddl1m2Z2m3Z3m4Z4ddl5m6Z6ddl7m8Z8m9Z9ddlm:Z:ddl;m<Z<m=Z=ej>Z?ej@ZAddlBmCZCddlDmEmFmGZGddlHmIZImJZJmKZKddlLmEmFmMZNddlOmPZPmQZQmRZRmSZSmTZTmUZUmVZVmWZWmXZXmYZYmZZZm[Z[m\Z\m]Z]m^Z^m_Z_m`Z`maZambZbdZcdZdGdd�deK�ZedS)�Nz
bin/python�1�PYTHONUNBUFFERED)�datetime�timezone)�Enum�auto)�
namedtuple)�
SCOPE_BASE)�generate_random_password)�system_session)�Credentials�	SPECIFIED�MUST_USE_KERBEROS)�drsblobs�drsuapi�misc�krb5pac�
krb5ccache�security)�
drs_Replicate�drsuapi_connect)
�DSDB_SYNTAX_BINARY_DN�DS_DOMAIN_FUNCTION_2000�DS_DOMAIN_FUNCTION_2008�DS_GUID_COMPUTERS_CONTAINER�$DS_GUID_DOMAIN_CONTROLLERS_CONTAINER�DS_GUID_USERS_CONTAINER�UF_WORKSTATION_TRUST_ACCOUNT�UF_NO_AUTH_DATA_REQUIRED�UF_NORMAL_ACCOUNT�UF_NOT_DELEGATED�UF_PARTIAL_SECRETS_ACCOUNT�UF_SERVER_TRUST_ACCOUNT�)UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION)�
SEC_CHAN_NULL�SEC_CHAN_WKSTA�SEC_CHAN_BDC)�
DCJoinContext)�ndr_pack�
ndr_unpack)�net)�SamDB�dsdb_Dn)�delete_force)�KerberosCredentials�KerberosTicketCreds�RawKerberosTest)�AD_IF_RELEVANT�AD_WIN2K_PAC�AES256_CTS_HMAC_SHA1_96�ARCFOUR_HMAC_MD5�KDC_ERR_PREAUTH_REQUIRED�KDC_ERR_TGT_REVOKED�
KRB_AS_REP�KRB_TGS_REP�	KRB_ERROR�KU_AS_REP_ENC_PART�KU_ENC_CHALLENGE_CLIENT�KU_PA_ENC_TIMESTAMP�	KU_TICKET�NT_PRINCIPAL�
NT_SRV_HST�NT_SRV_INST�PADATA_ENCRYPTED_CHALLENGE�PADATA_ENC_TIMESTAMP�PADATA_ETYPE_INFO2Fc	s�eZdZdZGdd�de�Ze�fdd��Ze�fdd��Z�fdd	�Z	d
d�Z
dd
�Zdd�Zdd�Z
dd�Zdd�Zdd�Zejddddddddf	dd�Zdd�Zd d!�Zd"d#�Zd$d%�Zd|d&d'�Zd(d)�Zd}d*d+�Zd,d-�Z		d~d.d/�Z			dd0d1�Zd2d3�Zddd4�d5d6�Zd7d8�Zd9d:�Z 		d�d;d<�Z!		d�d=d>�Z"		d�d?d@�Z#		d�dAdB�Z$		d�dCdD�Z%		d�dEdF�Z&		d�dGdH�Z'		d�dIdJ�Z(d�dKdL�Z)dMdN�Z*d�dOdP�Z+d�dQdR�Z,d�dSdT�Z-dUdV�Z.dWdX�Z/dYdZ�Z0d[d\�Z1d]d^�Z2d_d`�Z3			d�dadb�Z4	c				d�ddde�Z5									d�dfdg�Z6					d�dhdi�Z7e8djdk�Z9dldm�Z:dndo�Z;dpdq�Z<drds�Z=dtdu�Z>dvdw�Z?dxdy�Z@	d�dzd{�ZA�ZBS)��KDCBaseTestz Base class for KDC tests.
    c@s$eZdZe�Ze�Ze�Ze�ZdS)zKDCBaseTest.AccountTypeN)�__name__�
__module__�__qualname__r�USER�COMPUTER�SERVER�RODC�rLrL�@/usr/lib/python3/dist-packages/samba/tests/krb5/kdc_base_test.py�AccountTypejs

rNcs^t���d|_d|_d|_d|_t�d��d�|_d|_	t
�|_i|_i|_
d|_g|_dS)N��_r)�super�
setUpClass�_lp�_ldb�	_rodc_ldb�_functional_level�secrets�	token_hex�account_base�
account_id�set�accounts�
account_cache�	tkt_cache�	_rodc_ctx�ldb_cleanups)�cls��	__class__rLrMrRps

zKDCBaseTest.setUpClassc	s||jdur+t|j�D]}z|j�|�Wq
tjyYq
w|jD]}t|j|�q"|jdur7|jj	dd�t
���dS)NT)�force)rT�reversedr`�modify�ldb�LdbErrorr\r-r_�cleanup_old_joinrQ�
tearDownClass)ra�cleanup�dnrbrLrMrj�s
�

zKDCBaseTest.tearDownClasscst���t|_t|_dS�N)rQ�setUp�global_asn1_print�
do_asn1_print�global_hexdump�
do_hexdump��selfrbrLrMrn�s

zKDCBaseTest.setUpcCs|jdur|��t|�_|jSrm)rS�get_loadparm�typersrLrLrM�get_lp�s
zKDCBaseTest.get_lpcCsB|jdur|��}|��}t�}td|j|||d�t|�_|jS)N�	ldap://%s��url�session_info�credentials�lp)rT�get_admin_credsrwrr+�dc_hostrv�rt�credsr}�sessionrLrLrM�	get_samdb�s

�zKDCBaseTest.get_samdbcCsD|jdur|��}|��}t�}td|j|||dd�t|�_|jS)NrxT)rzr{r|r}�am_rodc)rUr~rwrr+�hostrvr�rLrLrM�get_rodc_samdb�s

�zKDCBaseTest.get_rodc_samdbcCs>|��}|j|tjdgd�}t�||ddd�d��}|S)N�serverReference��base�scope�attrsr�utf8)�get_serverName�searchrgr	�Dn�decode)rt�samdb�server�resrlrLrLrM�
get_server_dn�s�zKDCBaseTest.get_server_dnc	CsR|jdur&|��}|��}d}d}t|j||||ddd�t|�_|�|j�|jS)N�KRB5RODCzDefault-First-Site-Name)r�r�r}�site�netbios_name�	targetdir�domain)r_r~rwr'rrv�create_rodc)rt�admin_credsr}�	rodc_name�	site_namerLrLrM�get_mock_rodc_ctx�s
�zKDCBaseTest.get_mock_rodc_ctxcCs\|jdur+|jdtdgd�}zt|ddd�}Wnty%t}Ynw|t|�_|jS)N��domainFunctionalityr�r)rVr�r	�int�KeyErrorrrv)rtrgr��functional_levelrLrLrM�get_domain_functional_level�s
��
z'KDCBaseTest.get_domain_functional_levelcCsD|��}|�|�}tjjh}|tkr |�tjj�|�tjj�|Srm)	r�r��kcrypto�Enctype�RC4r�add�AES256�AES128)rtr�r��default_enctypesrLrLrM�get_default_enctypes�s

z KDCBaseTest.get_default_enctypesNrTFc
s|dur ||jjur
t}n||jjurt}nt}|�|��|�}d||f}
t||
�|�t	}||jj
ur<d}|tO}n&d}|	rD�d7�||jjurQ|tO}t
}n||jjur^|tO}t}n|��tdd�}d|�d�}|
|�t|�|d	�}|dur�t|t�r�|j�d
�}nt�fdd�|D��}||d
<|dur�||d<|
r�d|d<|dur�|�|�|�|�d}|�r|��}|��}tj|||jd�}|����}tdd�}d|�d�}z|j |�|dd�|d7}Wnt!�y}z|�|�WYd}~nd}~wwt"�}|�#|���|�$|�%����|�&|�����|� |�|�'��||jj
u�r6|�(d�n|�(|�|�)|�|�*t+�,||
��|�-|�|�.|�|j/�|
�|�0|�|j1|
t+j2dgd�}|dj3ddd�}|du�r~|�4t5|�|�|�6|�||
fS)z�Create an account for testing.
           The dn of the created account is added to self.accounts,
           which is used by tearDownClass to clean up the created accounts.
        NzCN=%s,%s�user�computer�$� z"%s"z	utf-16-le)rl�objectclass�sAMAccountName�userAccountControl�
unicodePwd��accountc3s�|]	}|j�d�VqdS)r�N)�format)�.0�s��account_namerLrM�	<genexpr>2s�z-KDCBaseTest.create_account.<locals>.<genexpr>�servicePrincipalName�userPrincipalName�0�
pwdLastSet�)r�T)�newpasswordr��domain_name�
force_samr_18r��msDS-KeyVersionNumberr�r��idx)7rNrIrrJrr�get_wellknown_dn�get_default_basednr-r$rHrrr%r"r&�failr
�encode�str�
isinstancer��tuple�updater�r~rwr*�Netr�domain_netbios_name�upper�set_password�	Exceptionr.�guess�	set_realm�domain_dns_name�
set_domain�set_username�set_workstation�set_secure_channel_type�set_dnrgr��set_upn�set_spnr\�creds_set_enctypesr�r	�get�assertEqualr��set_kvno)rtr��name�account_type�spn�upn�additional_details�ou�account_control�
add_dollar�expired_password�force_nt4_hash�guidrl�secure_schannel_type�object_class�password�utf16pw�details�
expected_kvnor�r}�net_ctxr��er�r��kvnorLr�rM�create_account�s�


�



���






�

zKDCBaseTest.create_accountcCs�|��}|�||�}t�tj�}t��}tj|_t�|�|_t�	�}tj
|_|g|_d|_
t��}|jtjO_||_||_t|�S�Nr�)r��
get_objectSidr�dom_sid�SID_BUILTIN_ADMINISTRATORS�ace�SEC_ADS_GENERIC_ALL�access_mask�trustee�acl�SECURITY_ACL_REVISION_ADS�revision�aces�num_aces�
descriptorrv�SEC_DESC_DACL_PRESENT�	owner_sid�daclr()rtrlr��sidrr�r�
security_descrLrLrM�get_security_descriptornsz#KDCBaseTest.get_security_descriptorcCsN|j|j|jg|_|j|j|jg|_d|j�d|j��|_d|j�dtj	�d�dtj
�d�dtj�d�dtj�d�dtj
�d�g|_d|j�dtj�d�|_|��}d|�d�}||_ttBtB|_d|j��|_tj|_d|_tjtjBtj Btj!Btj"B|_#|j#tj$B|_%|�&�|�'�z|�(�WdSt)y�|�*�|�'��w)Nz
CN=krbtgt_z
,CN=Users,z<SID=�-�>zCN=RODC Connection (FRS),T)+�base_dn�	config_dn�	schema_dn�nc_list�full_nc_list�myname�	krbtgt_dn�domsidr�DOMAIN_RID_RODC_DENYr��SID_BUILTIN_SERVER_OPERATORS�SID_BUILTIN_BACKUP_OPERATORS�SID_BUILTIN_ACCOUNT_OPERATORS�never_reveal_sid�DOMAIN_RID_RODC_ALLOW�
reveal_sid�	get_mysid�	managedbyrr#r!r��ntds_dn�
connection_dnr�
SEC_CHAN_RODC�secure_channel_typerKr�DRSUAPI_DRS_INIT_SYNC�DRSUAPI_DRS_PER_SYNC�DRSUAPI_DRS_GET_ANC�DRSUAPI_DRS_NEVER_SYNCED�%DRSUAPI_DRS_SPECIAL_SECRET_PROCESSING�
replica_flags�DRSUAPI_DRS_CRITICAL_ONLY�domain_replica_flags�build_nc_listsri�join_add_objectsr��refresh_ldb_connection)rt�ctx�mysid�admin_dnrLrLrMr��sP��������zKDCBaseTest.create_rodcc
Cs*|��}|��}|���d|�d�}t��}t�|d�|_t�|tjd�|d<z|�	|�WdStj
y�}zX|j\}}|�|tj
�|�d|�|��}	t�}
|
�|	�|
�|	�tdt�|
|	d�}t�|���}td|j�d�|	|
||�}
t�|j�}|
j|||tjd	d
�WYd}~dSd}~ww)N�:z
:SECRETS_ONLYr��replicateSingleObjectz,rootdse_modify: unknown attribute to change!ryz
ncacn_ip_tcp:z[seal]T)�exop�rodc)r�r��get_dsServiceNamerg�Messager�rl�MessageElement�FLAG_MOD_REPLACErfrh�argsr��ERR_UNWILLING_TO_PERFORM�assertInrwrr��set_machine_accountr+rr�GUID�
get_ntds_GUIDrr�
invocation_id�	replicater�DRSUAPI_EXOP_REPL_SECRET)rtrlr��
rodc_samdb�repl_val�msg�err�enum�estrr}�
rodc_creds�local_samdb�destination_dsa_guid�repl�source_dsa_invocation_idrLrLrM�replicate_account_to_rodc�sN�
�

�����z%KDCBaseTest.replicate_account_to_rodccCs0|��}|��}|j|||jt�|j�d�dS)N�rJrL)r�r��get_secrets�	ntds_guidrr=r?)rtrlr��rodc_ctxrLrLrM�reveal_account_to_mock_rodc�s

�z'KDCBaseTest.reveal_account_to_mock_rodccs�|����j|tjdgd�}|d�d�}|dur |�|�dSt�fdd�|D��}|r7|�t|�|�dS|�	t|�|�dS)NzmsDS-RevealedUsersr�rc3s(�|]}tt�t|�td�j�VqdS))�
syntax_oidN)r�r,rrl)r�r��r�rLrMr��s����z-KDCBaseTest.check_revealed.<locals>.<genexpr>)
r�r�rgr	r��assertFalser[r;r��assertNotIn)rtrl�rodc_dn�revealedr��revealed_users�revealed_dnsrLrTrM�check_revealed�s�
�zKDCBaseTest.check_revealedcCs(|��}|��}t||��||jd�\}}}	t��}
||
_||
_t�	�}||_
||
_t��}d|_
d|_d|_||
_d|
_d|
_d|
_d|
_tj|
_tjtjg}
t��}d|_|
|_t|
�|_||
_d|
_d|
j _!d|
j _"|�#|d|
�\}	}|�$d|j%�|j&j'j(}|j&j'j)j*}|�$||j
�|||fS)N)�iprr�i�"�)+r~�
host_dns_namerrwrr�DsGetNCChangesRequest8rJrL�DsReplicaObjectIdentifierrl�naming_context�DsReplicaHighWaterMark�tmp_highest_usn�reserved_usn�highest_usn�
highwatermark�uptodateness_vectorr(�max_object_count�max_ndr_sizerA�extended_op�%DRSUAPI_ATTID_supplementalCredentials�DRSUAPI_ATTID_unicodePwd�DsPartialAttributeSet�version�attids�len�
num_attids�partial_attribute_set�partial_attribute_set_ex�mapping_ctr�num_mappings�mappings�DsGetNCChangesr��object_count�first_object�object�
identifier�
attribute_ctr�
attributes)rtr�rlrJrLr��dns_hostname�bind�handlerP�reqra�hwmrorr�ctrr{r}rLrLrMrOsP��


zKDCBaseTest.get_secretscCsZ|��}|j|t|�t�|���t��d�\}}}|j��d}t�	|�}	i}
|D]s}|j
tjkr�|	�
|||�|jjdkr?q)|jjdj}ttj|�}
|
jjD].}|jdkr~t�|j�}ttj|�}|jjD]}|j}|tj j!tj j"fvr}|j#�$�|
|<qgqPq)|j
tj%kr�|	�
|||�|jjdj}|�$�|
tj j&<q)|dur�|�'�}|�(||
�|
S)NrNr�rzPrimary:Kerberos-Newer-Keys))r~rOr�rr=r>r	�splitr*r��attidrrk�replicate_decrypt�	value_ctr�
num_values�values�blobr)r�supplementalCredentialsBlob�sub�packagesr��binascii�a2b_hex�data�package_PrimaryKerberosBlobr��keys�keytyper�r�r�r��value�hexrlr�r��assertCountEqual)rtr�rl�expected_etypesr�rr{r}�ridr�r��attr�attr_val�spl�pkg�krb5_new_keys_raw�
krb5_new_keys�keyr��pwdrLrLrM�get_keys=sV�
�
�����zKDCBaseTest.get_keyscCs.|dur|��D]\}}|�||�qdSdSrm)�items�set_forced_key)rtr�r��enctyper�rLrLrM�creds_set_keysls
�zKDCBaseTest.creds_set_keyscCs�|��}|j|��tjdgd�}|djddd�}|dur |j}|dur5|��}|�d�}|dkr5tt	B}t
|�}|durA||O}|durJ||M}|�|�|�|�|�
|�dS)N�msDS-SupportedEncryptionTypes�r�r�rr�z%kdc default domain supported enctypes)r�r��get_dnrgr	r��default_etypesrw�rc4_bit�
aes256_sk_bitr��set_as_supported_enctypes�set_tgs_supported_enctypes�set_ap_supported_enctypes)rtr��
extra_bits�remove_bitsr�r��supported_enctypesr}rLrLrMr�qs*
�



zKDCBaseTest.creds_set_enctypescCs^|��}t�|�}|r|tjO}|r|tjO}|r|tjO}|�|�|�|�|�	|�dSrm)
r�r.�etypes_to_bitsr�KERB_ENCTYPE_FAST_SUPPORTED�KERB_ENCTYPE_CLAIMS_SUPPORTED�(KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTEDr�r�r�)rtr��fast_support�claims_support�compound_id_supportr�r�rLrLrM�creds_set_default_enctypes�s�

�

z&KDCBaseTest.creds_set_default_enctypesc
Cs�|��}|j|tj|gd�}|d}|�||�t||�}|�|�t��}||_t�	|tj
|�||<|�||�}	|j�|	�|�
|�|	S)Nr�r)r�r�rgr	r;�list�appendr6rlr7r8�msg_diffr`rf)
rt�
account_dn�group_dn�
group_attrr�r��orig_msg�membersrDrkrLrLrM�add_to_group�s&�
�
zKDCBaseTest.add_to_group)�opts�	use_cachecCs�|duri}idd�dd�dd�dd�dd�dd�d	d�d
d�dd�dd�d
d�dd�dd�dd�dd�dd�dd�ddddd��}d|i|�|�}tt|����}|r`|j�|�}|dur`|S|jdi|��}|ro||j|<|S)N�name_prefix�name_suffixr�Tr�r��allowed_replicationF�allowed_replication_mock�denied_replication�denied_replication_mock�revealed_to_rodc�revealed_to_mock_rodc�no_auth_data_requiredr�r��
not_delegated�delegation_to_spn�delegation_from_dn)�trusted_to_auth_for_delegationr��idr�r�rL)r��sortedr�r]r��create_account_opts)rtr�r�r��opts_default�account_opts�	cache_keyr�rLrLrM�get_cached_creds�sr��������	�
���
���������
zKDCBaseTest.get_cached_credsc'Cs\||jjur|�|�|�|�|�|�|�|�n|�|�|��}|��}|dur0||}|dur8||7}d}|r@|tO}|rF|tO}|
rL|tO}i}|}|r[|pUd}|t	j
O}|duret|�|d<|rk||d<|rv|�|�}||d<|dur�||jjur�d|}|j
||||||||||d�
\}}d}|r�tjjh}|j|||d�} |�|| �|s�|r�|��}!|�|!�}"|�||"d�}#|r�|�|�|s�|�|#�|j||"|d	�|	r�|��}!|�|!�}"|�||"d
�|s�|�r|��}$t�||$j�}%|�||%d�}&|�r|�|�|�s|�|&�|j||%|d	�|
�r,|��}$t�||$j�}%|�||%d
�|S)Nrr�zmsDS-AllowedToDelegateToz(msDS-AllowedToActOnBehalfOfOtherIdentityzhost/)r�r�r�r�r�r�r�r�)r�zmsDS-RevealOnDemandGroup)rXzmsDS-NeverRevealGroup)rNrH�assertIsNonerUr��get_new_usernamer#r rr.�fast_supported_bitsr�rr�r�r�r�r�r�r�r�r�rMrfr[r�rgr��acct_dnrR)'rtr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r��	user_name�user_account_controlr��enctypes�security_descriptorr�rlr�r�rBrW�allowed_cleanuprQ�mock_rodc_dn�allowed_mock_cleanuprLrLrMr��s�




��
�


�

�

�

�zKDCBaseTest.create_account_optscCs&|jt|j�}t|�jd7_|Sr�)rYr�rZrv)rtr�rLrLrMr��szKDCBaseTest.get_new_usernamec�"�fdd�}�jd|||d�}|S)Ncs�j�jjd�S)N)r�)r�rNrHrLrsrLrM�create_client_account�sz;KDCBaseTest.get_client_creds.<locals>.create_client_account�CLIENT��prefix�allow_missing_password�allow_missing_keys�fallback_creds_fn��_get_krb5_creds)rtr�r�r��crLrsrM�get_client_creds�s�zKDCBaseTest.get_client_credscr�)Ncs �j�jjdtjtjBd�d�S)NT)r�r��r�r��r�rNrIr�KERB_ENCTYPE_RC4_HMAC_MD5�'KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SKrLrsrLrM�create_mach_account�s���z7KDCBaseTest.get_mach_creds.<locals>.create_mach_account�MACr�r�)rtr�r�r�r�rLrsrM�get_mach_creds�s�zKDCBaseTest.get_mach_credscr�)Ncs"�j�jjddtjtjBd�d�S)NT)r�r�r�r�r�rLrsrLrM�create_service_account�s���z=KDCBaseTest.get_service_creds.<locals>.create_service_account�SERVICEr�r�)rtr�r�r�r�rLrsrM�get_service_creds�s�zKDCBaseTest.get_service_credsc�4|r��|��fdd�}�jdd|||d�}|S)Ncs���}���}��|�}|j|tjdgd�}|ddd}|j|tjgd�d�}|dj}t|dd�}t�}|�	��
dd��|���
dd��|�|�t
|dd	d�}t
|dd
d�}|d>|B}	|�|	�|�|���||�}
��||
��j|�j�j�jd�|S)
NzmsDS-KrbTgtLinkr�r)r�r��msDS-SecondaryKrbTgtNumberr��DOMAIN�RODC_KRBTGT�REALMr�r���r�r�r�)r�r�r�r�rgr	rlr�r.r��env_get_varr�r�r�r�r�r�r�r��kdc_fast_support�kdc_claims_support�kdc_compound_id_support)r�rBrWr�r�usernamer�r��
krbtgt_number�	rodc_kvnor�rsrLrM�download_rodc_krbtgt_creds�s@
��



�zEKDCBaseTest.get_rodc_krbtgt_creds.<locals>.download_rodc_krbtgt_credsr�T�r�r�r��require_strongest_keyr���
assertTruer�)rt�require_keysr
rr�rLrsrM�get_rodc_krbtgt_creds�s
-�z!KDCBaseTest.get_rodc_krbtgt_credscr�)Nc
s���}���}|j}|jt�||�tjddgd�}|dj}t|j	�}t
�}|���dd��|�
��dd��|�|�t|ddd�}t|ddd�}|d>|B}	|�|	�|�|���||�}
��||
�tjtjB}tjtjB}�j|||d	�|S)
Nr�r�r�rr�r�r�r��r�r�)r�r��
new_krbtgt_dnr�rgr�r	rlr��krbtgt_namer.r�rr�r�r�r�r�r�r�r�$KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96�$KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96r�r�r�)
r�rQrr�rlrr�r�rrr�r�r�rsrLrM�create_rodc_krbtgt_accountsB��




���zJKDCBaseTest.get_mock_rodc_krbtgt_creds.<locals>.create_rodc_krbtgt_account�MOCK_RODC_KRBTGTTr	r)rtr
r
rr�rLrsrM�get_mock_rodc_krbtgt_creds�s
'�z&KDCBaseTest.get_mock_rodc_krbtgt_credscs6|r��|��fdd�}�jddd|||d�}|S)Nc	s����}tj}d|��|f}|jd|tjddgd�}|dj}t|dd�}t	�}|�
��dd��|���d	d��|�
|�t|ddd�}|�|�|�|���||�}��||��j|�j�j�jd
�|S)N�%s-%d�<SID=%s>r�r�r�rr��KRBTGTr�r)r�r�DOMAIN_RID_KRBTGT�get_domain_sidr�rgr	rlr�r.r�rr�r�r�r�r�r�r�r�rrr)	r��
krbtgt_rid�
krbtgt_sidr�rlrr�r�r�rsrLrM�download_krbtgt_creds6s6
��



�z;KDCBaseTest.get_krbtgt_creds.<locals>.download_krbtgt_credsr�krbtgtT)r��default_usernamer�r�r
r�r)rtr
r
rr�rLrsrM�get_krbtgt_creds0s
$�zKDCBaseTest.get_krbtgt_credscr�)Ncs����}d}d|��|f}|jd|tjddgd�}|dj}t|dd�}t�}|���	dd	��|�
��	d
d	��|�|�t|ddd�}|�
|�|�|dd��|�|���||�}��||�tjtjB}	tj}
�j||	|
d�|S)
Ni�rrr�r�r�rr��DCr����r)r�rr�rgr	rlr�r.r�rr�r�r�r�r�r�r�r�rrrr�r�)r��dc_rid�dc_sidr�rlrr�r�r�r�r�rsrLrM�download_dc_credshs<
��



��z3KDCBaseTest.get_dc_creds.<locals>.download_dc_credsr"Tr	r)rtr
r
r&r�rLrsrM�get_dc_credsbs
#�zKDCBaseTest.get_dc_credscr�)Nc	s����}|j|��d�j�d�j�d�tjddgd�}��dt|��|dj}t	|dd�}t
�}|���d	d
��|�
��dd
��|�|�t|ddd�}|�|�|�|���||�}��||�tjtjB}tj}�j|||d�|S)
Nz(|(sAMAccountName=z*)(dNSHostName=z))r�r�)r��
expressionr�r�r�rr�rJr�r)r�r�r�r�rg�
SCOPE_SUBTREEr�rprlr�r.r�rr�r�r�r�r�r�r�rrrr�r�)	r�r�rlrr�r�r�r�r�rsrLrM�download_server_creds�s>

���



��z;KDCBaseTest.get_server_creds.<locals>.download_server_credsrJTr	r)rtr
r
r*r�rLrsrM�get_server_creds�s
"�zKDCBaseTest.get_server_credsc
Cs@|jdd�}|j|t|�|||d|dd|ddd�}|�|�}	|	S)z?Send a Kerberos AS_REQ, returns the undecoded response
        頌��offsetNi���)�padata�kdc_options�cname�realm�sname�	from_time�	till_time�
renew_time�nonce�etypes�	addresses�additional_tickets)�get_KerberosTime�
AS_REQ_creater��send_recv_transaction)
rtr1r3r2r8r/r0�tillr��reprLrLrM�as_req�s �
zKDCBaseTest.as_reqcCsn|j|dt��d�}|D]}|dtkr|d}nq
|�d�|j|t��d�}|�||d|���}|S)z/Extract the session key from an AS-REP
        ze-data��asn1Speczpadata-typezpadata-valuezexpected to find ETYPE-INFO2r)�
der_decode�	krb5_asn1�METHOD_DATArCr��ETYPE_INFO2�PasswordKey_from_etype_info2�get_kvno)rtr�r?�
rep_padata�pa�padata_value�etype_info2r�rLrLrM�get_as_rep_key�s"��
��zKDCBaseTest.get_as_rep_keycCs|�||�}|j||d�S)z8generate the pa_data data element for an AS-REQ
        )�skew)rM�"get_enc_timestamp_pa_data_from_key)rtr�r?rNr�rLrLrM�get_enc_timestamp_pa_data�sz%KDCBaseTest.get_enc_timestamp_pa_datacC�^|j|d�\}}|�||�}|j|t��d�}|�|t|�}|j|t��d�}|�t	|�}|S�Nr-rA)
�get_KerberosTimeWithUsec�PA_ENC_TS_ENC_create�
der_encoderD�
PA_ENC_TS_ENC�EncryptedData_creater<�
EncryptedData�PA_DATA_createrB)rtr�rN�patime�pausecr/rLrLrMrO�sz.KDCBaseTest.get_enc_timestamp_pa_data_from_keycCrQrR)
rSrTrUrDrVrWr;rXrYrA)rt�client_challenge_keyrNrZr[r/rLrLrM�get_challenge_pa_data�s ����z!KDCBaseTest.get_challenge_pa_datacCsT|�t|dd�}z|j|t��d�}W|Sty)|j|t��d�}Y|Sw)z< Decrypt and Decode the encrypted data in an AS-REP
        �enc-part�cipherrA)�decryptr:rCrD�EncASRepPartr��
EncTGSRepPart)rtr�r?�enc_partrLrLrM�get_as_rep_enc_datas����zKDCBaseTest.get_as_rep_enc_datacCs|�|t�dS)zE Check that the kdc response was pre-authentication required
        N)�check_error_repr5�rtr?rLrLrM�check_pre_authenticationsz$KDCBaseTest.check_pre_authenticationcC�|j|td�dS)z� Check that the kdc response is an AS-REP and that the
            values for:
                msg-type
                pvno
                tkt-pvno
                kvno
            match the expected values
        ��msg_typeN)�check_replyr7rfrLrLrM�check_as_reply$�	zKDCBaseTest.check_as_replycCrh)z� Check that the kdc response is an TGS-REP and that the
            values for:
                msg-type
                pvno
                tkt-pvno
                kvno
            match the expected values
        riN)rkr8rfrLrLrM�check_tgs_reply/rmzKDCBaseTest.check_tgs_replycCs�|�|�|�|d|d|�t|d�}|�d|d|�t|dd�}|�d|d|�d|dvrKt|dd�}|�d	|d
@d|�dSdS)N�msg-type�
rep = {%s}�pvno��ticketztkt-vnor�r^rl�)�assertIsNotNoner�r�)rtr?rjrq�tkt_vnor�rLrLrMrk:s
�zKDCBaseTest.check_replycCsb|�|�|�|dtd|�t|tjj�r$|�|d|d|�dS|�|d|d|�dS)zg Check that the reply is an error message, with the expected
            error-code specified.
        rorpz
error-codeN)rtr�r9r��collections�abc�	Containerr;)rtr?�expectedrLrLrMrePs

zKDCBaseTest.check_error_repcs:|�|j�}|��\}}t||||d�}|dur!|�|�}|j}nd}d}|s-d}|j}n|j}d}�fdd�}|jdid|�d|�d|�d|�d	|�d
|�d|�d|�d
|�d|�d|j	�d|�d�durh|nd�d|�d|�dt
|	��d|
�d|�d|
��}|j|d|||d�}|r�d}||fS|d}|j}||fS)z_Send a TGS-REQ, returns the response and the decrypted and
           decoded enc-part
        )�crealmr1Ncs�|fSrmrL)�_kdc_exchange_dict�_callback_dict�req_body�r/rLrM�generate_padata{sz,KDCBaseTest.tgs_req.<locals>.generate_padata�expected_crealm�expected_cname�expected_srealm�expected_sname�expected_error_mode�expected_flags�unexpected_flags�expected_supported_etypes�check_error_fn�check_rep_fn�check_kdc_private_fn�ticket_decryption_key�generate_padata_fn�tgt�authenticator_subkeyr0�expect_edata�
expect_pac�to_rodc�r1r2r3r8�rep_ticket_credsrL)
�	RandomKey�etyperSr/�TicketDecryptionKey_from_creds�tgs_supported_enctypes�generic_check_kdc_rep�generic_check_kdc_error�tgs_exchange_dict�generic_check_kdc_privater��_generic_kdc_exchange�encpart_private)rtr1r3r2rsr�r8r�r/r0r��
service_credsr�r�r�r��subkey�ctime�cusecr��decryption_keyr�r�r�r�kdc_exchange_dictr?rc�ticket_credsrLr~rM�tgs_req[s���
��������	�
���
����������zKDCBaseTest.tgs_reqr�c
Cs�|jdd}|j}
|dur|��dd�}||||||	t|�t|�t|
�|
f
}|s6|j�|�}|dur6|Sttf}|dur@d}tt�	|��}|j
t||gd�}|��}|�
tjj�}|�|�}|jdid|j�d|j�d|�d	|�d
|j�d|�d|�d
|�d|j�d|j�d|�d|�d|�d|	�d|
�d|��}|j|d|||d�}|�|�|d}|r�|��}n|��}|�|�}|j||d|
|j|jd�||j|<|S)N�name-stringrr#r���	name_type�namesr�r�r�r�r�r�r�r�r�r�r�r�r0�pac_requestr�r�r�r�T)�service_ticketr��expect_ticket_checksum�expect_full_checksumrL)r1r3�get_usernamer�r^r�r3r4rD�
KDCOptions�PrincipalName_creater>�	get_realmr�r�r�r�r�r�rzr�r�r�r�rnrr!�
verify_ticket�tkt_sig_support�full_sig_support)rtr��target_creds�service�target_namer�r0r�r�r�r��freshr��ticket_snamer�rsr�r3�srealmr�r�r�r?�service_ticket_creds�krbtgt_creds�
krbtgt_keyrLrLrM�get_service_ticket�s�
��

��������	�
���
�����


�
zKDCBaseTest.get_service_ticketc%Cs�|��}||||t|�t|�|||t|	�t|
�||
||f}|s+|j�|�}|dur+|S|
dur3|��}
|��}ttf}|jt	|gd�}|	dur\|jt
d|
gd�}	|jt
d|
��gd�}n|	}|jdd�}|rk|�
�}n|��}|�|�}|j}|dur}d}t�|�}d}|jd)id|�d|
�d	|	�d
|�d|�dt�d
|
�d|�d|
�d|	�d|�d|�d|�d|�d|�d|�d|�d|�dd�d|�dd�d|�d|�d|�d|�d |
�d!|�d"|�d#d$�d%|��\}}|�|�|d&}|�||d'|���} |�||�}!|!g}"|
��}#|jd)id|�d|
�d	|	�d
|�d|�dd'�d
|#�d|�d|#�d|�d|�d|�d|�d|�d|�d|�d|�d|�d|"�d|�d| �d|�d|�d|�d|�d |
�d!|�d"|�d%|��\}}|�|�|d(}$|$|j|<|$S)*Nr�rr,r-z/forwardable,renewable,canonicalize,renewable-okrr1r2r3r>�client_as_etypesr�r�r�r�r��expected_account_name�expected_upn_name�expected_sid�
expected_saltr�r�r�r8r/r0�preauth_keyr�r��pac_optionsr��expect_pac_attrs�expect_pac_attrs_pac_request�expect_requester_sid�strict_etype_infoFr��preauth_etype_info2rr�rL)r�r�r^r�r��get_saltr3r4r�r>r@r�r;rr!r�r�rDr��_test_as_exchanger5rgrGrHrPrl)%rtr�r�r0r�r�r�r�r�r3r2r�r�r�r�r�r�r�r�r��saltr�r1r�r>r�r�r�r�r?r�rLr��
ts_enc_padatar/�expected_realmr�rLrLrM�get_tgt�sV	����
�

��������	�
���
������������������
�
��������	�
���
�����������������

zKDCBaseTest.get_tgtc
Csf|��}
|jt|
gd�}|��}|jt|gd�}
|��}|}|}|}|
}|j}ttf}tt�	d��}|�
|�}|�tj
j�}|rN|}|durHt}|j}d}nd}d}|j}|jdid|�d|�d|�d|�d	|�d
|�d|	�d|�d
|�d|�d|�d|j�d|�d|�d|�d|�d|�d|�dd��}|j||||
|d�}|r�|�||�dS|�|t�|dS)Nr��canonicalizeTrr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r0r�r�r�Fr�r�rL)r�r�r>r�r�r3r4r�rDr�r�r�r�r�r�r6r�r�r�r�r�rerkr8)rt�client_credsr�r�r�r��expect_errorr�r�r��client_accountr1�service_accountr3r2r�r�r�r�r�r8r0�target_decryption_keyr�r�r�r�r�r?rLrLrM�_make_tgs_request}s����
��������	�
���
��������zKDCBaseTest._make_tgs_request�PacDataz3account_name account_sid logon_name upn domain_namec
Cs�d}d}d}d}d}dd�|D�}|D]`}|j|dt��d�}	dd�|	D�D]K}
ttj|
d�}|jD]=}|jtjkrX|j	j	j
jj}t
|j	j	j
jj�dt
|j	j	j
jj�}q4|jtjkrc|j	j}q4|jtjkrq|j	j}|j	j}q4q'q|�|||||�S)zKDecode the PAC element contained in the authorization-data element
        Ncs� �|]}|dtkr|VqdS�zad-typeN)r1�r��xrLrLrMr��s��z+KDCBaseTest.get_pac_data.<locals>.<genexpr>zad-datarAcsr�r�)r2r�rLrLrMr��s�r)rCrDr1r)r�PAC_DATA�buffersrv�PAC_TYPE_LOGON_INFO�info�info3r�r�r��
domain_sidr��PAC_TYPE_LOGON_NAME�PAC_TYPE_UPN_DNS_INFO�upn_name�dns_domain_namer�)
rt�authorization_datar��user_sid�
logon_namer�r��ad_if_relevant_elements�dt�buf�ad�pb�pacrLrLrM�get_pac_data�sN��
����
����zKDCBaseTest.get_pac_datac	Cs�|��}|�d�r|dd�}|��}d||��|��f}|�|dd|��||dd�}|�t|dd�}|j	|t
��d	�}|S)
z,Decrypt and decode a service ticket
        r�Nr#z%s.%s@%sr^r�r�r_rA)r��endswithr��lowerr��PasswordKey_create�get_passwordr`r=rCrD�
EncTicketPart)	rtr�rsr�r2r�r�rc�enc_ticket_partrLrLrM�decode_service_ticket�s 


��z!KDCBaseTest.decode_service_ticketcCsr|�|t�t�|�}tt|��d}|d}|�|t|��|d|�tt|��||dd�}||d<|S)Nr��flags)	�assertIsInstance�boolrD�TicketFlagsrpr��assertLessEqualr�r�)rtrc�flagr��posr��	new_flagsrLrLrM�modify_ticket_flags
(zKDCBaseTest.modify_ticket_flagcCsL|j|tdgd�}|�t|�dkd|�|�d|ddd�}|�d�S)zM Get the objectSID for a DN
            Note: performs an Ldb query.
        �	objectSIDr�r�zdid not get objectSid for %srr�)r�r	rrp�schema_format_valuer�)rtr�rlr�r	rLrLrMr�s
zKDCBaseTest.get_objectSidc	C�Rt|t�r|}n|g}tj}t�||�}t�|�}t�|||�||<|�|�dSrm)r�r�rg�FLAG_MOD_ADDr�r6r7rf�	rtr��dn_strr�r�r�r�rlrDrLrLrM�
add_attribute"�

zKDCBaseTest.add_attributec	Crrm)r�r�rgr8r�r6r7rfrrLrLrM�modify_attribute.rzKDCBaseTest.modify_attributecCsjt��}d|_d|_t��}d|_||_t��}||_d|_t�	�}||_
|d}t��}	|d|	_t
|�|	_|d|	_||	_|d}
|
d}t��}|
d|_t
|�|_|d|_||_|�|d�}
|
��}t��}|d	|_|d
|_t��}d|_g|_t��}d|_g|_|j|t��d�}|d}|�d
|�}|d}t��}|	|_||_||_ |�!|�|_"|�!|�|_#|�!|�|_$|�%|j"dt&�'t(j)��*�d�|�%|j#dt&�'t(j)��*�d�|�+|j$dt&�'t(j)��*�d�|j$|_,d|_-t.|dd�|_/||_0||_1||_2d|_3t�4�}d|_5d|_6||_7|	|_8||_9t:|�}t;j<|j=dd�}|�>|�|�?�|S)zi Lay out a version 4 on-disk credentials cache, to be read using the
            FILE: protocol.
        rr��r�z	name-typer2r3r�r��keyvaluerA�authtime�	starttime�endtimei,z1Ticket not yet valid - clocks may be out of sync.izCTicket already expired/about to expire - clocks may be out of sync.r��rrrOF)�dir�delete)@r�
DELTATIME_TAG�kdc_sec_offset�kdc_usec_offset�V4TAG�tag�field�V4TAGS�further_tags�V4HEADER�v4tags�	PRINCIPALr�rp�component_countr2�
components�EncryptionKey_import�
export_obj�KEYBLOCKr�r��	ADDRESSES�count�AUTHDATArUrD�Ticketr��
CREDENTIAL�clientr��keyblock�get_EpochFromKerberosTimerr
r�
assertLessr�nowr�utc�	timestamp�
assertGreater�
renew_till�is_skeyr��ticket_flagsr9�authdatars�
second_ticket�CCACHErqrn�optional_header�	principal�credr(�tempfile�NamedTemporaryFile�tempdir�write�close)rtr1rsrcr�v4tagrr5�cname_string�
cprincipalr3�sname_string�
sprincipalr��key_datar(r9r2�ticket_datarr
rr7�ccache�result�	cachefilerLrLrM�
create_ccache:s�







���
zKDCBaseTest.create_ccachec
Cs�|��}|��}|jt|gd�}|�|�}	|j|	|||d�}
|s'|j|
dd�}
|�||
j|
j	�}t
�}|�t�|�
|t�|�|�|�|jt|���||fS)Nr�)r�r�T)�exclude_pac)r�r�r�r>r�r��modified_ticketrGrsr�r�set_kerberos_staterr�r
r��set_named_ccacher�rw)
rt�user_credentials�mach_credentialsr�r�r�r�r2r1r�rsrFr�rLrLrM�create_ccache_with_user�s*�
�
�

z#KDCBaseTest.create_ccache_with_user)Trm)NN)FFF)FT)TF)Nr)r)	rNrFNTNNN)	r�NFNNNTTF)FNNNNNNNNTTNNNF)NTFNNN)r�NT)CrErFrG�__doc__rrN�classmethodrRrjrnrwr�r�r�r�r�r�rHr�rr�rMrRr[rOr�r�r�r�r�r�r�r�r�r�r�rrr!r'r+r@rMrPrOr]rdrgrlrnrkrer�r�r�r�rr�r�r�rr�rr	rGrN�
__classcell__rLrLrbrMrDfs�



�r+1


</
� 
��2
�

�
�
�;
�5
�3
�1
�
/



�I
�K
�
�O�&	i�rD)f�sys�os�path�insert�environrrr8r�rvrWrFrrrrgr	�sambar
�
samba.authr�samba.credentialsrr
r�samba.dcerpcrrrrrr�samba.drs_utilsrr�
samba.dsdbrrrrrrrrrr r!r"r#�samba.dcerpc.miscr$r%r&�
samba.joinr'�	samba.ndrr(r)r*�samba.samdbr+r,r�r�r�r��samba.testsr-�samba.tests.krb5.kcrypto�tests�krb5r��samba.tests.krb5.raw_testcaser.r/r0�samba.tests.krb5.rfc4120_pyasn1�rfc4120_pyasn1rD�"samba.tests.krb5.rfc4120_constantsr1r2r3r4r5r6r7r8r9r:r;r<r=r>r?r@rArBrCrorqrDrLrLrLrM�<module>sD
 <T
@ Telegram