o

eF�cU��@s 
dd
lZdd
l
Z
ej�dd�
de
jd<dd
lZddlmZmZ
ddl	m
Z
mZ
ddlm
Z

ddlmZmZ
dd	lmZ
dd
lmZmZ
ddlmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$
dd
l%m&
m'
m(Z)
dZ*dZ+Gd
d�de�Z,e-dkr�dZ*dZ+dd
l.Z.e.�/�
d
Sd
S)�Nz
bin/python�
1�PYTHONUNBUFFERED)�dsdb�ntstatus)�krb5pac�lsa)
�env_get_var_value)�	Cksumtype�Enctype)
�KDCBaseTest)�RodcPacEncryptionKey�ZeroedChecksumKey)�AES256_CTS_HMAC_SHA1_96�ARCFOUR_HMAC_MD5�KDC_ERR_BADMATCH�KDC_ERR_BADOPTION�KDC_ERR_BAD_INTEGRITY�KDC_ERR_GENERIC�KDC_ERR_INAPP_CKSUM�KDC_ERR_MODIFIED�KDC_ERR_SUMTYPE_NOSUPP�KDC_ERR_TGT_REVOKED�KU_PA_ENC_TIMESTAMP�KU_AS_REP_ENC_PART�KU_TGS_REP_ENC_PART_SUB_KEY�NT_PRINCIPALFcs:eZ
dZ�f
d
d�Zd�dd�
Zdd�Zdd	�Zd
d�Zdd
�Zdd�Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zdd�Zdd�Zd d!�Zd"d#�Zd$d%�Zd&d'�Zd(d)�Zd*d+�Zd,d-�Zd.d/�Zd0d1�Zd2d3�Zd4d5�Zd6d7�Zd8d9�Zd:d;�Zd<d=�Z d>d?�Z!d@dA�Z"dBdC�Z#dDdE�Z$dFdG�Z%dHdI�Z&dJdK�Z'dLdM�Z(dNdO�Z)dPdQ�Z*dRdS�Z+dTdU�Z,dVdW�Z-dXdY�Z.dZd[�Z/d\d]�Z0d^d_�Z1d`da�Z2dbdc�Z3ddde�Z4dfdg�Z5dhdi�Z6djdk�Z7e8j9e8j:e8j;hZ<dldm�Z=dndo�Z>dpdq�Z?drds�Z@dtdu�ZAdvdw�ZBdxdy�ZCdzd{�ZDd|d}�ZEd~d�ZFd�d�d��
ZGd�d�d��
ZHd�d��ZI�ZJS)��S4UKerberosTestsc

stt
|���
t|_t|_dS�
N)�superr�setUp�global_asn1_print�
do_asn1_print�global_hexdump�
do_hexdump�
�self�
�	__class__��</usr/lib/python3/dist-packages/samba/tests/krb5/s4u_tests.pyr=s



zS4UKerberosTests.setUpNcCs\|��}|�
�}|��}|jd
|g
d�}|jdd|gd�}|jdd�
}t�d�
}d}	d}
|j|	t|�
|||d|dd	|
ddd
�}|�	|�
}|�
|�

|�|dd�
|�|d
d�
|j|dt�
�d�}
|
D]}|ddkrt|d}
n
qf|j|t��d�}|�||d�}|��\}}|�||�}|j|t��d�}|�|t|�}|j|t��d�}|�d|�}t�d�
}|g
}	|j|	t|�
|||d|dd	|
ddd
�}|�	|�
}|�
|�

|d}|�|d�
|�t|dd�}z|j|t��d�}Wnt�
y


|j|t��d�}Yn
w|}td�
}|jd
|g
d�}t�d�
}|jdd�
}|d}|�|d�
}|j||||
d�}|g
}	|� |j!�
}|��\}}|j"d0id|	�
d|�
d|�
d|�
dt|�
�
d |�
d!|�
d"|�
d#d�
d$|�
d%d�
d&d'�
d(|
�
d)d�
d*d�
d+d�
d,d�
d-|�
d.|�
�
}|�	|�
}|�
|�

|d}|d/k�
r�|�t#|dd�}|j|t��d�}|S)1N�
��	name_type�names��krbtgti��)
�offset�forwardable)���i���)�padata�kdc_options�cname�realm�sname�	from_time�	till_time�
renew_time�nonce�etypes�	addresses�additional_ticketszmsg-type�z
error-code�ze-data)
�asn1Speczpadata-type�zpadata-valuer
�zenc-part�cipher�FOR_USER�ticket�key��namer8�tgt_session_key�ctyper5�cusec�ctimer6r7r8r9r:r;r<r=i���r>r?�EncAuthorizationData�EncAuthorizationData_keyr@�ticket_session_key�authenticator_subkey�
r()$�get_service_creds�get_username�	get_realm�PrincipalName_create�get_KerberosTime�	krb5_asn1�
KDCOptions�
AS_REQ_create�str�send_recv_transaction�assertIsNotNone�assertEqual�
der_decode�METHOD_DATA�ETYPE_INFO2�PasswordKey_from_etype_info2�get_KerberosTimeWithUsec�PA_ENC_TS_ENC_create�
der_encode�
PA_ENC_TS_ENC�EncryptedData_creater�
EncryptedData�PA_DATA_create�decryptr�EncASRepPart�	Exception�
EncTGSRepPartr�EncryptionKey_import�PA_S4U2Self_create�	RandomKey�etype�TGS_REQ_creater)r%�pa_s4u2self_ctype�
service_creds�servicer8r7r9�tillr6r5r>�req�rep�
rep_padata�pa�etype_info2rI�patime�pausec�pa_ts�msg_type�	enc_part2�
for_user_name�unamerHrR�pa_s4u�subkeyrOrNr(r(r)�_test_s4u2selfBs

















�





�


�
�















�






�


��







�
��������	�
���
������






�
�zS4UKerberosTests._test_s4u2selfc
Cs|��}
|�
|
d
�
dS)NrT)r�r`�r%r�r(r(r)�
test_s4u2self�s

zS4UKerberosTests.test_s4u2selfc
C�|jt
jd
�
}
|�|
d�
dS)N�
rurT)r�r	�HMAC_MD5r`r�r(r(r)�test_s4u2self_hmac_md5_checksum��

z0S4UKerberosTests.test_s4u2self_hmac_md5_checksumc
Cr��Nr�rA)r�r	�MD5r`r�r(r(r)�"test_s4u2self_md5_unkeyed_checksum�r�z3S4UKerberosTests.test_s4u2self_md5_unkeyed_checksumc
Cr�r�)r�r	�SHA1r`r�r(r(r)�#test_s4u2self_sha1_unkeyed_checksum�r�z4S4UKerberosTests.test_s4u2self_sha1_unkeyed_checksumc
Cr�r�)r�r	�CRC32r`r�r(r(r)�$test_s4u2self_crc32_unkeyed_checksum�r�z5S4UKerberosTests.test_s4u2self_crc32_unkeyed_checksumcs||
�d
d�}�j
�jj|d�}|
�dd�}�j
�jj|d�}��|�
�|
�dd�}|du
r1|��
�|��}�jt|g
d����	�}|�
�}	��||	�}
|
�dd�}|dur]|��dd�}�jtd|gd�}|���
|
�d	d�}
|
du
ryt
�|
�
}
|
�d
d�}|du
r�t
�|�
}|
�dd�}|
�d
d�}|r��j}d}n
d}�j}��|�

|
�dd�}t
�|�
}��|�
}��tj�
}|
�dttf�}|
�dd�}��
��fdd�}�jd'id�
�
d��
d�
�
d|�
d|�
d|
�
d	|
�
d
|�
d|�
dd�
d|�
d|�
d|�
d �j�
d|�
d
|�
d!��
d"|�
dt|�
�
d#d$�
d|�
�
}�j|d�
||d%�
|�
s6|d&}��|�
}��|�

��i|
�
dS)(N�client_opts��account_type�opts�service_opts�modify_service_tgt_fnr+�service_name����host�expected_flags�unexpected_flags�expected_error_moder
�expected_statusr6�
0r>�expect_edatacs�j��
�j
dd
�}|g
|fS)NrJ)rq�session_key)�_kdc_exchange_dict�_callback_dict�req_bodyr���client_cnamer8r%�service_tgtr(r)�generate_s4u2self_padata 
s



�
zES4UKerberosTests._run_s4u2self_test.<locals>.generate_s4u2self_padata�expected_crealm�expected_cname�expected_srealm�expected_sname�expected_account_name�expected_sid�ticket_decryption_key�expect_ticket_checksumT�generate_padata_fn�check_error_fn�check_rep_fn�check_kdc_private_fn�tgtrS�
expect_claimsF)r7r8r9r>�rep_ticket_credsr() �pop�get_cached_creds�AccountType�USER�COMPUTER�get_tgtrVrXr�	get_samdb�get_dn�
get_objectSidrWrZ�TicketFlags�generic_check_kdc_error�generic_check_kdc_rep�assertIsNoner[�TicketDecryptionKey_from_credsrrr
�AES256rr�tgs_exchange_dict�generic_check_kdc_privater]�_generic_kdc_exchange�get_ticket_pacr_r`)r%�kdc_dictr��client_credsr�rvr��client_name�samdb�	client_dn�sidr��
service_snamer�r�r�r�r�r�r6�service_decryption_keyrSr>r�r��kdc_exchange_dictrH�pacr(r�r)�_run_s4u2self_test�s�



�


�





�





�














�
�

��������	�
���
���������



�


z#S4UKerberosTests._run_s4u2self_testc

Cs(|�d
di
dt
j|jdd�dd��

dS)N�
not_delegatedFr1T�
�flag)r�r6r�r��r��	functools�partial�set_ticket_forwardabler$r(r(r)�test_s4u2self_forwardableT
�
�

���z*S4UKerberosTests.test_s4u2self_forwardablec
	s,�f
d
d�}
��t
ddi
d|
ddd��

dS)Nc

s�j|d
d�}��
|�
S)NTr�)r��remove_ticket_pac)
rHr$r(r)�forwardable_no_pacc
s


zAS4UKerberosTests.test_s4u2self_no_pac.<locals>.forwardable_no_pacr�Fr1)r�r�r6r�r�r�)r�r)r%r�r(r$r)�test_s4u2self_no_pacb
s
�


��z%S4UKerberosTests.test_s4u2self_no_pacc

Cs&|�d
di
t
j|jdd�dd��

dS)Nr�FTr�r1)r�r�r�r�r$r(r(r)�!test_s4u2self_without_forwardableu
s
�
���z2S4UKerberosTests.test_s4u2self_without_forwardablec

C�(|�d
di
dt
j|jdd�dd��

dS)Nr�Fr1r��r�r6r�r�r�r$r(r(r)�test_s4u2self_not_forwardable�
r�z.S4UKerberosTests.test_s4u2self_not_forwardablec

Cr�)Nr�Tr1r�r�r�r$r(r(r)�"test_s4u2self_client_not_delegated�
r�z3S4UKerberosTests.test_s4u2self_client_not_delegatedc

	C�0|�d
di
ddd�dt
j|jdd�dd��

dS)	Nr�Fr(��trusted_to_auth_for_delegation�delegation_to_spnr1Tr��r�r�r6r�r�r�r$r(r(r)�'test_s4u2self_not_trusted_empty_allowed�
�
�
�

���z8S4UKerberosTests.test_s4u2self_not_trusted_empty_allowedc

	Cr�)	Nr�F�
�testr�r1Tr�)r�r�r6r�r�r�r$r(r(r)�*test_s4u2self_not_trusted_nonempty_allowed�
r�z;S4UKerberosTests.test_s4u2self_not_trusted_nonempty_allowedc

	C�0|�d
di
ddd�dt
j|jdd�dd��

dS)	Nr�FTr(r�r1r�r�r�r$r(r(r)�#test_s4u2self_trusted_empty_allowed�
r�z4S4UKerberosTests.test_s4u2self_trusted_empty_allowedc

	Cr�)	Nr�FTr�r�r1r�r�r�r$r(r(r)�&test_s4u2self_trusted_nonempty_allowed�
r�z7S4UKerberosTests.test_s4u2self_trusted_nonempty_allowedc
CsZ|j|j
jd
dd�d�}
|
��dd�}|�tdddi
dd
i
|d	tj|jd
d
�d��

dS)NTr
)r��idr�r�Fr�r�r1r�)r�r�r�r�r�r6r�)	r�r�r�rVr�rr�r�r�)r%�other_creds�other_snamer(r(r)�test_s4u2self_wrong_sname�
s*


��
��


���z*S4UKerberosTests.test_s4u2self_wrong_snamec

	Cs0|�d
di
ddd�dt
j|jdd�dd��

dS)Nr�FT)r��no_auth_data_requiredr1r�r�r�r$r(r(r)�#test_s4u2self_no_auth_data_requiredr�z4S4UKerberosTests.test_s4u2self_no_auth_data_requiredc0Cs�|
�d
d�}|j
|jj|d�}|��}|��}|�||�}|
�di�}|
�di�}|
�dd�}	|
�dd�}
|�|	o:|
�

|
r_|j
|jj|d�}|�	d|�
t
|���
|d<|j
|jj|d�}n |j
|jj|d�}|	rv|�	d	|�
|��|d	<|j
|jj|d�}|
�d
d�}
t�
|
�
}|j||
|d�}|j|||
|d�}|�|�
}|
�d
d�}|du
r�||�
}|jg
}|
�dd�}|du
r�||�
}|
�dd�}|dur�t
t�d�
�
}|��}|��}|jt|g
d�}|��dd�}|��}|��dd�}|��}d}|jt||gd�}|�|�
}|j} |
�d�
}!|
�dd�}"|!�
r |j}#d}$n
d}#|j}$|�|"�

|
�dd�}%|%du
�
r:|�|!�

|
�dd�}&|�tj�
}'|
�dtt f�}(|��})|
�dg�}*d|�d|��}+|*�!|+�

|
�dd�},|j"d0id|�
d|�
d |�
d!|�
d"|�
d#|�
d$| �
d%|�
d&|#�
d'|$�
d(|j#�
d|!�
d|"�
d)i�
d*|�
d+|'�
d|�
d|&�
d|%�
d,|)�
d|*�
d|,�
�
}-|j$|-d|||(|d-�
|!�
s�|-d.}.|j%|.|,d/�}/|,�
r�|�&|/�

n|�|/�

|�'i|
�
dS)1Nr�r��
service1_opts�
service2_opts�allow_delegationF�
allow_rbcd�delegation_from_dnr��client_tkt_optionsr1)r6r��modify_client_tkt_fnr�r6zcname-in-addl-tktr+r�r�r�r�r��pac_optionsr>�expected_transited_serviceszhost/�
@�
expect_pacTr�r�r�r�r�r��expected_supported_etypesr�r�r�r��
callback_dictr�rS�expected_proxy_target)r7r8r9r>r@r�)
r
r()(r�r�r�r�r�r�r��assertFalser��assertNotInr]�get_spnrZr�r��get_service_ticketrHr[rVrWrXrr��tgs_supported_enctypesr�r�r��
assertTruerrr
r�rr�appendr�r�r�r�r_r`)0r%r�r�r�r�r�r�r�r�r
r

�service1_creds�service2_credsr
r��
client_tgt�client_service_tkt�service1_tgtr
r@r�r6�client_username�client_realmr��
service1_name�service1_realm�
service2_name�service2_realm�service2_service�service2_sname�service2_decryption_key�service2_etypesr�r�r�r�r�r
rSr>r
r
�transited_servicer
r�rHr�r(r(r)�_run_delegation_tests>




�







�


�

�



�



�



�









�





��
�











�
�



��������	�
���
����������




�



z%S4UKerberosTests._run_delegation_testc
Cs.|��}
|�
|
�
}|tjkr|�d
�

dSdS)NzRBCD requires FL2008)r��get_domain_functional_levelr�DS_DOMAIN_FUNCTION_2008�skipTest)r%r��functional_levelr(r(r)�skip_unless_fl2008�s





�z#S4UKerberosTests.skip_unless_fl2008c

Cs|�d
dd��

dS)Nr
T)r�r
�
r#
r$r(r(r)�test_constrained_delegation�s

��z,S4UKerberosTests.test_constrained_delegationc

Cs|�d
dddi
dd��

dS)Nr
Tr�F)r�r
r�r
r)
r$r(r(r)�1test_constrained_delegation_no_auth_data_required�s
���zBS4UKerberosTests.test_constrained_delegation_no_auth_data_requiredc
Cs,gd
�
}
|�ddt
j|j|
d�|
d��

dS)N��service1�service2�service3r
T�
�services)r�r
r
r
)r#
r�r��add_delegation_info�r%r1
r(r(r)�4test_constrained_delegation_existing_delegation_info�s


���zES4UKerberosTests.test_constrained_delegation_existing_delegation_infoc

Cs|�t
tjd
d��

dS)NF)r�r�r
)r#
rr�NT_STATUS_NOT_SUPPORTEDr$r(r(r)�'test_constrained_delegation_not_allowed�s

��z8S4UKerberosTests.test_constrained_delegation_not_allowedc

Cs|�t
tfd
|jdd��

dS)NTF�r�r
r
r�)r#
rrr�r$r(r(r)�)test_constrained_delegation_no_client_pac�s
�

��z:S4UKerberosTests.test_constrained_delegation_no_client_pacc

Cs|�t
d
|jdd��

dS)NTF)r�r
r�r��r#
rr�r$r(r(r)�*test_constrained_delegation_no_service_pac�s


��z;S4UKerberosTests.test_constrained_delegation_no_service_pacc

Cs$|�t
tfd
|jddd
i
d��

dS)NTFr�)r�r
r
r�r�)r#
rrr�r$r(r(r)�?test_constrained_delegation_no_client_pac_no_auth_data_requireds
�

���zPS4UKerberosTests.test_constrained_delegation_no_client_pac_no_auth_data_requiredc

	Cs"|�t
d
|jdd
i
ddd��

dS)NTr�F)r�r
r�r�r
r�r9
r$r(r(r)�@test_constrained_delegation_no_service_pac_no_auth_data_requireds

�
��zQS4UKerberosTests.test_constrained_delegation_no_service_pac_no_auth_data_requiredc

	Cs&|�t
tjd
tj|jdd�d��

dS)NTFr�)r�r�r
r
)r#
rr�NT_STATUS_ACCOUNT_RESTRICTIONr�r�r�r$r(r(r)�+test_constrained_delegation_non_forwardable s



���z<S4UKerberosTests.test_constrained_delegation_non_forwardablec

Cs|�d
ddd��

dS)Nr
�0001T)r�r
r
r)
r$r(r(r)�,test_constrained_delegation_pac_options_rbcd+s

��z=S4UKerberosTests.test_constrained_delegation_pac_options_rbcdc

Cs&|��
|�
d
ddddi
dd��

dS)Nr
Tr?
r�F)r�r

r
r�r
)r(
r#
r$r(r(r)�test_rbcd_no_auth_data_required5s


���z0S4UKerberosTests.test_rbcd_no_auth_data_requiredc
	Cs6|��
gd
�
}
|�
dddtj|j|
d�|
d��

dS)Nr,
r
Tr?
r0
)r�r

r
r
r
)r(
r#
r�r�r2
r3
r(r(r)�"test_rbcd_existing_delegation_infoCs




���z3S4UKerberosTests.test_rbcd_existing_delegation_infoc

Cs|�t
tjd
dd��

dS)NFr?
�r�r�r

r
)r#
rr�NT_STATUS_NOT_FOUNDr$r(r(r)�test_rbcd_not_allowedUs


��z&S4UKerberosTests.test_rbcd_not_allowedc

Cs&|��
|�
ttjd
d|jd��

dS�NTr?
�r�r�r

r
r
�r(
r#
rrr5
r�r$r(r(r)�test_rbcd_no_client_pac_a`s




��z*S4UKerberosTests.test_rbcd_no_client_pac_ac

	Cs,|��
|�
ttjd
d|jddi
d��

dS)NTr?
r��	host/test)r�r�r

r
r
r��r(
r#
rr�NT_STATUS_NO_MATCHr�r$r(r(r)�test_rbcd_no_client_pac_bn�




���z*S4UKerberosTests.test_rbcd_no_client_pac_bc

Cs$|��
|�
td
d|jdd��

dS)NTr?
F)r�r

r
r�r��r(
r#
rr�r$r(r(r)�test_rbcd_no_service_pacs




��z)S4UKerberosTests.test_rbcd_no_service_pacc

	Cs,|��
|�
ttjd
d|jdd
i
d��

dS)NTr?
r�)r�r�r

r
r
r�rH
r$r(r(r)�/test_rbcd_no_client_pac_no_auth_data_required_a�rN
z@S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_ac


Cs2|��
|�
ttjd
d|jddi
dd
i
d��

dS)NTr?
r�rJ
r�)r�r�r

r
r
r�r�rK
r$r(r(r)�/test_rbcd_no_client_pac_no_auth_data_required_b�s




����z@S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_bc

	Cs*|��
|�
td
d|jdd
i
dd��

dS)NTr?
r�F)r�r

r
r�r�r�rO
r$r(r(r)�.test_rbcd_no_service_pac_no_auth_data_required�s



���z?S4UKerberosTests.test_rbcd_no_service_pac_no_auth_data_requiredc


Cs0|��
|�
ttjd
dtj|jdd�d��

dS)NTr?
Fr�rG
)r(
r#
rrr=
r�r�r�r$r(r(r)�test_rbcd_non_forwardable�s





���z*S4UKerberosTests.test_rbcd_non_forwardablec

Cs"|��
|�
ttjd
dd��

dS)NTrrC
)r(
r#
rrr5
r$r(r(r)�test_rbcd_no_pac_options_a�s



��z+S4UKerberosTests.test_rbcd_no_pac_options_ac

Cs(|��
|�
ttjd
dddi
d��

dS)NTrr�rJ
)r�r�r

r
r�)r(
r#
rrrL
r$r(r(r)�test_rbcd_no_pac_options_b�s



���z+S4UKerberosTests.test_rbcd_no_pac_options_bc


Cs,|�t
tfd
dtj|jd
dd�dd��

dS)NTr�F�r��update_pac_checksums)r�r
r
r
r�)r#
rrr�r�r�r$r(r(r)�3test_bronze_bit_constrained_delegation_old_checksum�s
�



���zDS4UKerberosTests.test_bronze_bit_constrained_delegation_old_checksumc

Cs8|��
|�
ttftjd
ddtj|jd
dd�d��

dS)NTr?
r�FrW
)r�r�r

r
r
r
)	r(
r#
rrrr5
r�r�r�r$r(r(r)�!test_bronze_bit_rbcd_old_checksum�s

�





���z2S4UKerberosTests.test_bronze_bit_rbcd_old_checksumc

Cst|jD]4}
|j
|
d
�
�$
|
tjkrttf}nt}|�|dtj	|j
|
d
�dd��

Wd�
n1s2w



Y
qdS�N�
�checksumTFr7
)�pac_checksum_types�subTestr�PAC_TYPE_TICKET_CHECKSUMrrrr#
r�r��remove_pac_checksum�r%r]
r�r(r(r)�3test_constrained_delegation_missing_client_checksums&





�


������zDS4UKerberosTests.test_constrained_delegation_missing_client_checksumc
Csdtj
tjfD])}
|j|
d
�
�
|�ttjdtj	|j
|
d
�d��

Wd�
n1s*w



Y
qdS)Nr\
T�r�r�r
r�)r�PAC_TYPE_SRV_CHECKSUM�PAC_TYPE_KDC_CHECKSUMr_
r#
rr� NT_STATUS_INSUFFICIENT_RESOURCESr�r�ra
�r%r]
r(r(r)�4test_constrained_delegation_missing_service_checksum"s 
�



������zES4UKerberosTests.test_constrained_delegation_missing_service_checksumc
Cs||��
|j
D]4}
|j|
d
�
�$
|
tjkrt}nt}|�|tj	ddt
j|j|
d
�d��

Wd�
n1s6w



Y
qdS�Nr\
Tr?
rG
)
r(
r^
r_
rr`
rrr#
rr5
r�r�ra
rb
r(r(r)�!test_rbcd_missing_client_checksum1s&









������z2S4UKerberosTests.test_rbcd_missing_client_checksumc
Csn|��
t
jt
jfD]*}
|j|
d
�
�
|�ttjddt	j
|j|
d
�d��

Wd�
n1s/w



Y
q
dS)Nr\
Tr?
�r�r�r

r
r�)r(
rre
rf
r_
r#
rrrg
r�r�ra
rh
r(r(r)�"test_rbcd_missing_service_checksumGs$

�




������z3S4UKerberosTests.test_rbcd_missing_service_checksumc

Cs`|jD]*}
|j
|
d
�
�
|�ttfdtj|j|
d
�dd��

Wd�
n1s(w



Y
qdSr[
)r^
r_
r#
rrr�r��zeroed_pac_checksumrh
r(r(r)�2test_constrained_delegation_zeroed_client_checksumYs 



�

������zCS4UKerberosTests.test_constrained_delegation_zeroed_client_checksumc
Cs~|jD]9}
|j
|
d
�
�)
|
tjkrttf}tj}nd}d}|�||dt	j
|j|
d
�d��

Wd�
n1s7w



Y
qdS)Nr\
r
Trd
)r^
r_
rre
rrr�NT_STATUS_WRONG_PASSWORDr#
r�r�rn
�r%r]
r�r�r(r(r)�3test_constrained_delegation_zeroed_service_checksumgs*





�




������zDS4UKerberosTests.test_constrained_delegation_zeroed_service_checksumc
Csh|��
|j
D]*}
|j|
d
�
�
|�ttjddtj|j	|
d
�d��

Wd�
n1s,w



Y
qdSrj
)
r(
r^
r_
r#
rrr5
r�r�rn
rh
r(r(r)� test_rbcd_zeroed_client_checksum|s 







������z1S4UKerberosTests.test_rbcd_zeroed_client_checksumc
Cs�|��
|j
D]8}
|j|
d
�
�(
|
tjkrt}tj}nd}d}|�||ddt	j
|j|
d
�d��

Wd�
n1s:w



Y
qdS)Nr\
r
Tr?
rl
)r(
r^
r_
rre
rrrp
r#
r�r�rn
rq
r(r(r)�!test_rbcd_zeroed_service_checksum�s*












������z2S4UKerberosTests.test_rbcd_zeroed_service_checksumc
Cs�|jD]C}
|j
D]=}|j|
|d
��,
|
tjkr!|tjkr!ttf}nt	tf}|�
|dtj|j
|
|d
�dd��

Wd�
n1s@w



Y
qqdS)N�r]
rMTFr7
)r^
�unkeyed_ctypesr_
rre
r	r�rrrr#
r�r��unkeyed_pac_checksum�r%r]
rMr�r(r(r)�3test_constrained_delegation_unkeyed_client_checksum�s2









�
�



�������zDS4UKerberosTests.test_constrained_delegation_unkeyed_client_checksumc

Cs�|jD]N}
|j
D]H}|j|
|d
��7
|
tjkr,|tjkr$ttf}t	j
}nttf}t	j}nd}d}|�
||dtj|j|
|d
�d��

Wd�
n1sKw



Y
qqdS)Nru
r
Trd
)r^
rv
r_
rre
r	r�rrr�NT_STATUS_LOGON_FAILURErrg
r#
r�r�rw
�r%r]
rMr�r�r(r(r)�4test_constrained_delegation_unkeyed_service_checksum�s<









�
��





�������zES4UKerberosTests.test_constrained_delegation_unkeyed_service_checksumc
Cs�|��
|j
D]A}
|jD];}|j|
|d
��*
|
tjkr#|tjkr#t}nt	}|�
|tjddt
j|j|
|d
�d��

Wd�
n1sBw



Y
qqdS)Nru
Tr?
rG
)r(
r^
rv
r_
rre
r	r�rrr#
rr5
r�r�rw
rx
r(r(r)�!test_rbcd_unkeyed_client_checksum�s.














�������z2S4UKerberosTests.test_rbcd_unkeyed_client_checksumc
Cs�|��
|j
D]K}
|jD]E}|j|
|d
��4
|
tjkr,|tjkr&t}t	j
}n
t}t	j}nd}d}|�
||ddtj|j|
|d
�d��

Wd�
n1sLw



Y
qqdS)Nru
r
Tr?
rl
)r(
r^
rv
r_
rre
r	r�rrrz
rrg
r#
r�r�rw
r{
r(r(r)�"test_rbcd_unkeyed_service_checksum�s8










�






�������z3S4UKerberosTests.test_rbcd_unkeyed_service_checksumc
CsL|��}
|�
|
�
}|tjkrttf}d
}nd}d}|�|d|j|d��

dS)NFr
Tr7
)r�r$
rr%
rrr#
�rc4_pac_checksums)r%r�r'
r�r�r(r(r)�/test_constrained_delegation_rc4_client_checksums 




�



��z@S4UKerberosTests.test_constrained_delegation_rc4_client_checksumc
Cs.|��
t
tf}
|�|
tjd
d|jd��

dSrF
)r(
rrr#
rr5
r
)r%r�r(r(r)�test_rbcd_rc4_client_checksum&s

�



��z.S4UKerberosTests.test_rbcd_rc4_client_checksumcCs|��}|j
|
||d
i
d�S)NF��
checksum_keys�include_checksums��get_krbtgt_checksum_key�modified_ticket)r%rHr]
r�
r(r(r)ra
6s



�z$S4UKerberosTests.remove_pac_checksumcCsh|��}|�
|�
}|
j}tj|tj|tj|i}|tjkr|}n|}t|j|j	�||<|j
|
||d
i
d�S�NTr�
)�get_krbtgt_credsr��decryption_keyrre
rf
r`
r
rI�kvnor�
)r%rHr]
�krbtgt_creds�
krbtgt_key�
server_keyr�
�
zeroed_keyr(r(r)rn
=s"




�


�

�z$S4UKerberosTests.zeroed_pac_checksumc
Csl|��}|�
|�
}|
j}tj|tj|tj|tj|i}||}t|j	|j
�}	||	_|	||<|j|
||d
i
d�Sr�
)
r�
r�r�
rre
rf
r`
�PAC_TYPE_FULL_CHECKSUMrrIr�
rMr�
)
r%rHr]
rMr�
r�
r�
r�
rI�new_keyr(r(r)rw
Us 





�




�z%S4UKerberosTests.unkeyed_pac_checksumcCsf|��}|j
|tjd
�}|
j}tj|tj|tj|tj	|i}tjdtjdtjdtj	di}|j
|
||d�S)N)
rsTr�
)r�
r�r
�RC4r�
rre
rf
r`
r�
r�
)r%rHr�
�rc4_krbtgt_keyr�
r�
r�
r(r(r)r
ls&


�


�


�

�z"S4UKerberosTests.rc4_pac_checksumscs&��
fd
d�}���}�j
|
||d�S)Nc
s�|j}
��
tjd
d�|
D�
�
tttj�
��
}t��}t�d�
|_	||_
t|�
|_t�
�}||_t��}tj|_||_|
�|�

|
|_|jd7_|S)Nc
ss�|]}
|
jV
qdSr)
�type)�.0�bufferr(r(r)�	<genexpr>�s�zNS4UKerberosTests.add_delegation_info.<locals>.modify_pac_fn.<locals>.<genexpr>�test_proxy_targetr*)�buffersr

r�PAC_TYPE_CONSTRAINED_DELEGATION�list�mapr�String�PAC_CONSTRAINED_DELEGATION�proxy_target�transited_services�len�num_transited_services�PAC_CONSTRAINED_DELEGATION_CTR�info�
PAC_BUFFERr�
r
�num_buffers)r��pac_buffersr�
�
delegationr�
�
pac_bufferr3
r(r)�
modify_pac_fn�s$


�








z;S4UKerberosTests.add_delegation_info.<locals>.modify_pac_fn)r�
r�
r�
)r%rHr1
r�
r�
r(r3
r)r2
�s


�z$S4UKerberosTests.add_delegation_infoTcCs6tj
|jd
|d�}|r|��}nd}|j|
|||d�S)Nr1)r��value)�	modify_fnr�
rX
)r�r��modify_ticket_flagr�
r�
)r%rHr�rX
r�
r�
r(r(r)r��s


�




�z'S4UKerberosTests.set_ticket_forwardablecCs|j|
d
d�S)NT)
�exclude_pac)
r�
)r%rHr(r(r)r��s

�z"S4UKerberosTests.remove_ticket_pacr)
T)K�__name__�
__module__�__qualname__rr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r#
r(
r*
r+
r4
r6
r8
r:
r;
r<
r>
r@
rA
rB
rE
rI
rM
rP
rQ
rR
rS
rT
rU
rV
rY
rZ
rc
ri
rk
rm
ro
rr
rs
rt
r	r�r�r�rv
ry
r|
r}
r~
r�
r�
ra
rn
rw
r
r2
r�r��
__classcell__r(r(r&r)r;s�

t
#




!r�__main__)0�sys�os�path�insert�environr��sambarr�samba.dcerpcrr�samba.testsr�samba.tests.krb5.kcryptor	r
�samba.tests.krb5.kdc_base_testr�samba.tests.krb5.raw_testcaserr
�"samba.tests.krb5.rfc4120_constantsrrrrrrrrrrrrrr�samba.tests.krb5.rfc4120_pyasn1�tests�krb5�rfc4120_pyasn1rZr r"rr�
�unittest�mainr(r(r(r)�<module>
sB






@





�