search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-scripts: Improve update and listing code
[samba4-gss.git] / python / samba / tests / krb5 / device_tests.py
blobec2fce654b3009a65f7b26b361d3ac95bc456a58
1 #!/usr/bin/env python3
2 # Unix SMB/CIFS implementation.
3 # Copyright (C) Stefan Metzmacher 2020
4 # Copyright (C) Catalyst.Net Ltd 2022
5 #
6 # This program is free software; you can redistribute it and/or modify
7 # it under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 3 of the License, or
9 # (at your option) any later version.
10 #
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU General Public License for more details.
15 #
16 # You should have received a copy of the GNU General Public License
17 # along with this program. If not, see <http://www.gnu.org/licenses/>.
18 #
19
20 import sys
21 import os
22
23 sys.path.insert(0, 'bin/python')
24 os.environ['PYTHONUNBUFFERED'] = '1'
25
26 import random
27 import re
28
29 from samba.dcerpc import netlogon, security
30 from samba.tests import DynamicTestCase, env_get_var_value
31 from samba.tests.krb5 import kcrypto
32 from samba.tests.krb5.kdc_base_test import GroupType, KDCBaseTest, Principal
33 from samba.tests.krb5.raw_testcase import Krb5EncryptionKey, RawKerberosTest
34 from samba.tests.krb5.rfc4120_constants import (
35 AES256_CTS_HMAC_SHA1_96,
36 ARCFOUR_HMAC_MD5,
37 KRB_TGS_REP,
38 )
39
40 SidType = RawKerberosTest.SidType
41
42 global_asn1_print = False
43 global_hexdump = False
44
45
46 @DynamicTestCase
47 class DeviceTests(KDCBaseTest):
48 # Placeholder objects that represent accounts undergoing testing.
49 user = object()
50 mach = object()
51 trust_user = object()
52 trust_mach = object()
53
54 # Constants for group SID attributes.
55 default_attrs = security.SE_GROUP_DEFAULT_FLAGS
56 resource_attrs = default_attrs | security.SE_GROUP_RESOURCE
57
58 asserted_identity = security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY
59 compounded_auth = security.SID_COMPOUNDED_AUTHENTICATION
60
61 user_trust_domain = 'S-1-5-21-123-456-111'
62 mach_trust_domain = 'S-1-5-21-123-456-222'
63
64 def setUp(self):
65 super().setUp()
66 self.do_asn1_print = global_asn1_print
67 self.do_hexdump = global_hexdump
68
69 # Some general information on how Windows handles device info:
70
71 # All the SIDs in the computer's info3.sids end up in device.domain_groups
72 # (if they are in any domain), or in device.sids (if they are not). Even if
73 # netlogon.NETLOGON_EXTRA_SIDS is not set.
74
75 # The remainder of the SIDs in device.domain_groups come from an LDAP
76 # search of the computer's domain-local groups.
77
78 # None of the SIDs in the computer's logon_info.resource_groups.groups go
79 # anywhere. Even if netlogon.NETLOGON_RESOURCE_GROUPS is set.
80
81 # In summary:
82 # info3.base.groups => device.groups
83 # info3.sids => device.sids (if not in a domain)
84 # info3.sids => device.domain_groups (if in a domain)
85 # searched-for domain-local groups => device.domain_groups
86
87 # These searched-for domain-local groups are based on _all_ the groups in
88 # info3.base.groups and info3.sids. So if the account is no longer a member
89 # of a (universal or global) group that belongs to a domain-local group,
90 # but has that universal or global group in info3.base.groups or
91 # info3.sids, then the domain-local group will still get added to the
92 # PAC. But the resource groups don't affect this (presumably, they are
93 # being filtered out). Also, those groups the search is based on do not go
94 # in themselves, even if they are domain-local groups.
95
96 cases = [
97 {
98 # Make a TGS request to the krbtgt.
99 'test': 'basic to krbtgt',
100 'as:expected': {
101 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
102 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
103 (asserted_identity, SidType.EXTRA_SID, default_attrs),
104 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
105 },
106 'as:mach:expected': {
107 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
108 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
109 (asserted_identity, SidType.EXTRA_SID, default_attrs),
110 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
111 },
112 # Indicate this request is to the krbtgt.
113 'tgs:to_krbtgt': True,
114 'tgs:expected': {
115 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
116 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
117 (asserted_identity, SidType.EXTRA_SID, default_attrs),
118 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
119 },
120 },
121 {
122 # Make a TGS request to a service that supports SID compression.
123 'test': 'device to service compressed',
124 'as:expected': {
125 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
126 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
127 (asserted_identity, SidType.EXTRA_SID, default_attrs),
128 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
129 },
130 'as:mach:expected': {
131 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
132 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
133 (asserted_identity, SidType.EXTRA_SID, default_attrs),
134 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
135 },
136 'tgs:to_krbtgt': False,
137 'tgs:compression': True,
138 'tgs:expected': {
139 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
140 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
141 (asserted_identity, SidType.EXTRA_SID, default_attrs),
142 # The compounded authentication SID indicates that we used FAST
143 # with a device's TGT.
144 (compounded_auth, SidType.EXTRA_SID, default_attrs),
145 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
146 },
147 'tgs:device:expected': {
148 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
149 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
150 (asserted_identity, SidType.EXTRA_SID, default_attrs),
151 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
152 },
153 },
154 {
155 # Make a TGS request to a service that lacks support for SID
156 # compression.
157 'test': 'device to service uncompressed',
158 'as:expected': {
159 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
160 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
161 (asserted_identity, SidType.EXTRA_SID, default_attrs),
162 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
163 },
164 'as:mach:expected': {
165 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
166 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
167 (asserted_identity, SidType.EXTRA_SID, default_attrs),
168 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
169 },
170 'tgs:to_krbtgt': False,
171 # SID compression is unsupported.
172 'tgs:compression': False,
173 # There is no change in the reply PAC.
174 'tgs:expected': {
175 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
176 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
177 (asserted_identity, SidType.EXTRA_SID, default_attrs),
178 (compounded_auth, SidType.EXTRA_SID, default_attrs),
179 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
180 },
181 'tgs:device:expected': {
182 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
183 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
184 (asserted_identity, SidType.EXTRA_SID, default_attrs),
185 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
186 },
187 },
188 {
189 # Make a TGS request to a service that lacks support for compound
190 # identity.
191 'test': 'device to service no compound id',
192 'as:expected': {
193 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
194 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
195 (asserted_identity, SidType.EXTRA_SID, default_attrs),
196 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
197 },
198 'as:mach:expected': {
199 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
200 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
201 (asserted_identity, SidType.EXTRA_SID, default_attrs),
202 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
203 },
204 'tgs:to_krbtgt': False,
205 # Compound identity is unsupported.
206 'tgs:compound_id': False,
207 'tgs:expected': {
208 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
209 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
210 (asserted_identity, SidType.EXTRA_SID, default_attrs),
211 # The Compounded Authentication SID should not be present.
212 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
213 },
214 },
215 {
216 'test': 'universal groups to krbtgt',
217 'groups': {
218 # The user and computer each belong to a couple of universal
219 # groups.
220 'group0': (GroupType.UNIVERSAL, {'group1'}),
221 'group1': (GroupType.UNIVERSAL, {user}),
222 'group2': (GroupType.UNIVERSAL, {'group3'}),
223 'group3': (GroupType.UNIVERSAL, {mach}),
224 },
225 'as:expected': {
226 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
227 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
228 # The user's groups appear in the PAC of the TGT.
229 ('group0', SidType.BASE_SID, default_attrs),
230 ('group1', SidType.BASE_SID, default_attrs),
231 (asserted_identity, SidType.EXTRA_SID, default_attrs),
232 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
233 },
234 'as:mach:expected': {
235 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
236 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
237 # So too for the computer's groups.
238 ('group2', SidType.BASE_SID, default_attrs),
239 ('group3', SidType.BASE_SID, default_attrs),
240 (asserted_identity, SidType.EXTRA_SID, default_attrs),
241 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
242 },
243 'tgs:to_krbtgt': True,
244 'tgs:expected': {
245 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
246 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
247 # The user's groups appear in the TGS reply PAC.
248 ('group0', SidType.BASE_SID, default_attrs),
249 ('group1', SidType.BASE_SID, default_attrs),
250 (asserted_identity, SidType.EXTRA_SID, default_attrs),
251 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
252 },
253 },
254 {
255 'test': 'universal groups to service',
256 'groups': {
257 'group0': (GroupType.UNIVERSAL, {'group1'}),
258 'group1': (GroupType.UNIVERSAL, {user}),
259 'group2': (GroupType.UNIVERSAL, {'group3'}),
260 'group3': (GroupType.UNIVERSAL, {mach}),
261 },
262 'as:expected': {
263 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
264 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
265 ('group0', SidType.BASE_SID, default_attrs),
266 ('group1', SidType.BASE_SID, default_attrs),
267 (asserted_identity, SidType.EXTRA_SID, default_attrs),
268 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
269 },
270 'as:mach:expected': {
271 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
272 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
273 ('group2', SidType.BASE_SID, default_attrs),
274 ('group3', SidType.BASE_SID, default_attrs),
275 (asserted_identity, SidType.EXTRA_SID, default_attrs),
276 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
277 },
278 'tgs:to_krbtgt': False,
279 'tgs:expected': {
280 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
281 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
282 ('group0', SidType.BASE_SID, default_attrs),
283 ('group1', SidType.BASE_SID, default_attrs),
284 (asserted_identity, SidType.EXTRA_SID, default_attrs),
285 (compounded_auth, SidType.EXTRA_SID, default_attrs),
286 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
287 },
288 'tgs:device:expected': {
289 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
290 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
291 # The computer's groups appear in the device info structure of
292 # the TGS reply PAC.
293 ('group2', SidType.BASE_SID, default_attrs),
294 ('group3', SidType.BASE_SID, default_attrs),
295 (asserted_identity, SidType.EXTRA_SID, default_attrs),
296 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
297 },
298 },
299 {
300 'test': 'domain-local groups to krbtgt',
301 'groups': {
302 # The user and computer each belong to a couple of domain-local
303 # groups.
304 'group0': (GroupType.DOMAIN_LOCAL, {'group1'}),
305 'group1': (GroupType.DOMAIN_LOCAL, {user}),
306 'group2': (GroupType.DOMAIN_LOCAL, {'group3'}),
307 'group3': (GroupType.DOMAIN_LOCAL, {mach}),
308 },
309 'as:expected': {
310 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
311 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
312 # The user's domain-local group memberships do not appear.
313 (asserted_identity, SidType.EXTRA_SID, default_attrs),
314 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
315 },
316 'as:mach:expected': {
317 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
318 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
319 # Nor do the computer's.
320 (asserted_identity, SidType.EXTRA_SID, default_attrs),
321 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
322 },
323 'tgs:to_krbtgt': True,
324 'tgs:expected': {
325 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
326 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
327 # The user's groups do not appear in the TGS reply PAC.
328 (asserted_identity, SidType.EXTRA_SID, default_attrs),
329 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
330 },
331 },
332 {
333 'test': 'domain-local groups to service compressed',
334 'groups': {
335 'group0': (GroupType.DOMAIN_LOCAL, {'group1'}),
336 'group1': (GroupType.DOMAIN_LOCAL, {user}),
337 'group2': (GroupType.DOMAIN_LOCAL, {'group3'}),
338 'group3': (GroupType.DOMAIN_LOCAL, {mach}),
339 },
340 'as:expected': {
341 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
342 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
343 (asserted_identity, SidType.EXTRA_SID, default_attrs),
344 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
345 },
346 'as:mach:expected': {
347 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
348 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
349 (asserted_identity, SidType.EXTRA_SID, default_attrs),
350 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
351 },
352 'tgs:to_krbtgt': False,
353 'tgs:compression': True,
354 'tgs:expected': {
355 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
356 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
357 # These groups appear as resource SIDs.
358 ('group0', SidType.RESOURCE_SID, resource_attrs),
359 ('group1', SidType.RESOURCE_SID, resource_attrs),
360 (asserted_identity, SidType.EXTRA_SID, default_attrs),
361 (compounded_auth, SidType.EXTRA_SID, default_attrs),
362 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
363 },
364 'tgs:device:expected': {
365 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
366 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
367 # The computer's groups appear together as resource SIDs.
368 frozenset([
369 ('group2', SidType.RESOURCE_SID, resource_attrs),
370 ('group3', SidType.RESOURCE_SID, resource_attrs),
371 ]),
372 (asserted_identity, SidType.EXTRA_SID, default_attrs),
373 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
374 },
375 },
376 {
377 'test': 'domain-local groups to service uncompressed',
378 'groups': {
379 'group0': (GroupType.DOMAIN_LOCAL, {'group1'}),
380 'group1': (GroupType.DOMAIN_LOCAL, {user}),
381 'group2': (GroupType.DOMAIN_LOCAL, {'group3'}),
382 'group3': (GroupType.DOMAIN_LOCAL, {mach}),
383 },
384 'as:expected': {
385 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
386 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
387 (asserted_identity, SidType.EXTRA_SID, default_attrs),
388 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
389 },
390 'as:mach:expected': {
391 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
392 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
393 (asserted_identity, SidType.EXTRA_SID, default_attrs),
394 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
395 },
396 'tgs:to_krbtgt': False,
397 'tgs:compression': False,
398 'tgs:expected': {
399 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
400 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
401 # The user's groups now appear as extra SIDs.
402 ('group0', SidType.EXTRA_SID, resource_attrs),
403 ('group1', SidType.EXTRA_SID, resource_attrs),
404 (asserted_identity, SidType.EXTRA_SID, default_attrs),
405 (compounded_auth, SidType.EXTRA_SID, default_attrs),
406 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
407 },
408 'tgs:device:expected': {
409 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
410 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
411 # The computer's groups are still resource SIDs.
412 frozenset([
413 ('group2', SidType.RESOURCE_SID, resource_attrs),
414 ('group3', SidType.RESOURCE_SID, resource_attrs),
415 ]),
416 (asserted_identity, SidType.EXTRA_SID, default_attrs),
417 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
418 },
419 },
420 # Test what happens if the computer is removed from a group prior to
421 # the TGS request.
422 {
423 'test': 'remove transitive domain-local groups to krbtgt',
424 'groups': {
425 # The computer is transitively a member of a couple of
426 # domain-local groups...
427 'dom-local-outer-0': (GroupType.DOMAIN_LOCAL, {'dom-local-inner'}),
428 'dom-local-outer-1': (GroupType.DOMAIN_LOCAL, {'universal-inner'}),
429 # ...via another domain-local group and a universal group.
430 'dom-local-inner': (GroupType.DOMAIN_LOCAL, {mach}),
431 'universal-inner': (GroupType.UNIVERSAL, {mach}),
432 },
433 # Just prior to the TGS request, the computer is removed from both
434 # inner groups. Domain-local groups will have not been added to the
435 # PAC at this point.
436 'tgs:mach:removed': {
437 'dom-local-inner',
438 'universal-inner',
439 },
440 'as:mach:expected': {
441 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
442 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
443 # Only the universal group appears in the PAC.
444 ('universal-inner', SidType.BASE_SID, default_attrs),
445 (asserted_identity, SidType.EXTRA_SID, default_attrs),
446 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
447 },
448 'tgs:to_krbtgt': True,
449 'tgs:expected': {
450 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
451 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
452 (asserted_identity, SidType.EXTRA_SID, default_attrs),
453 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
454 },
455 },
456 {
457 'test': 'remove transitive domain-local groups to service compressed',
458 'groups': {
459 'dom-local-outer-0': (GroupType.DOMAIN_LOCAL, {'dom-local-inner'}),
460 'dom-local-outer-1': (GroupType.DOMAIN_LOCAL, {'universal-inner'}),
461 'dom-local-inner': (GroupType.DOMAIN_LOCAL, {mach}),
462 'universal-inner': (GroupType.UNIVERSAL, {mach}),
463 },
464 'tgs:mach:removed': {
465 'dom-local-inner',
466 'universal-inner',
467 },
468 'as:mach:expected': {
469 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
470 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
471 ('universal-inner', SidType.BASE_SID, default_attrs),
472 (asserted_identity, SidType.EXTRA_SID, default_attrs),
473 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
474 },
475 'tgs:to_krbtgt': False,
476 'tgs:compression': True,
477 'tgs:expected': {
478 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
479 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
480 (asserted_identity, SidType.EXTRA_SID, default_attrs),
481 (compounded_auth, SidType.EXTRA_SID, default_attrs),
482 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
483 },
484 'tgs:device:expected': {
485 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
486 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
487 # The universal group appears in the device info...
488 ('universal-inner', SidType.BASE_SID, default_attrs),
489 # ...along with the second domain-local group, even though the
490 # computer no longer belongs to it.
491 frozenset([
492 ('dom-local-outer-1', SidType.RESOURCE_SID, resource_attrs),
493 ]),
494 (asserted_identity, SidType.EXTRA_SID, default_attrs),
495 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
496 },
497 },
498 {
499 'test': 'remove transitive domain-local groups to service uncompressed',
500 'groups': {
501 'dom-local-outer-0': (GroupType.DOMAIN_LOCAL, {'dom-local-inner'}),
502 'dom-local-outer-1': (GroupType.DOMAIN_LOCAL, {'universal-inner'}),
503 'dom-local-inner': (GroupType.DOMAIN_LOCAL, {mach}),
504 'universal-inner': (GroupType.UNIVERSAL, {mach}),
505 },
506 'tgs:mach:removed': {
507 'dom-local-inner',
508 'universal-inner',
509 },
510 'as:mach:expected': {
511 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
512 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
513 ('universal-inner', SidType.BASE_SID, default_attrs),
514 (asserted_identity, SidType.EXTRA_SID, default_attrs),
515 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
516 },
517 'tgs:to_krbtgt': False,
518 'tgs:compression': False,
519 'tgs:expected': {
520 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
521 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
522 (asserted_identity, SidType.EXTRA_SID, default_attrs),
523 (compounded_auth, SidType.EXTRA_SID, default_attrs),
524 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
525 },
526 'tgs:device:expected': {
527 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
528 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
529 ('universal-inner', SidType.BASE_SID, default_attrs),
530 frozenset([
531 ('dom-local-outer-1', SidType.RESOURCE_SID, resource_attrs),
532 ]),
533 (asserted_identity, SidType.EXTRA_SID, default_attrs),
534 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
535 },
536 },
537 # Test what happens if the computer is added to a group prior to the
538 # TGS request.
539 {
540 'test': 'add transitive domain-local groups to krbtgt',
541 'groups': {
542 # We create a pair of groups, to be used presently.
543 'dom-local-outer': (GroupType.DOMAIN_LOCAL, {'universal-inner'}),
544 'universal-inner': (GroupType.UNIVERSAL, {}),
545 },
546 # Just prior to the TGS request, the computer is added to the inner
547 # group.
548 'tgs:mach:added': {
549 'universal-inner',
550 },
551 'as:mach:expected': {
552 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
553 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
554 (asserted_identity, SidType.EXTRA_SID, default_attrs),
555 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
556 },
557 'tgs:to_krbtgt': True,
558 'tgs:expected': {
559 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
560 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
561 (asserted_identity, SidType.EXTRA_SID, default_attrs),
562 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
563 },
564 },
565 {
566 'test': 'add transitive domain-local groups to service compressed',
567 'groups': {
568 'dom-local-outer': (GroupType.DOMAIN_LOCAL, {'universal-inner'}),
569 'universal-inner': (GroupType.UNIVERSAL, {}),
570 },
571 'tgs:mach:added': {
572 'universal-inner',
573 },
574 'as:mach:expected': {
575 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
576 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
577 (asserted_identity, SidType.EXTRA_SID, default_attrs),
578 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
579 },
580 'tgs:to_krbtgt': False,
581 'tgs:compression': True,
582 'tgs:expected': {
583 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
584 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
585 (asserted_identity, SidType.EXTRA_SID, default_attrs),
586 (compounded_auth, SidType.EXTRA_SID, default_attrs),
587 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
588 },
589 'tgs:device:expected': {
590 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
591 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
592 # The computer was not a member of the universal group at the
593 # time of obtaining a TGT, and said group did not make it into
594 # the PAC. Group expansion is only concerned with domain-local
595 # groups, none of which the machine currently belongs
596 # to. Therefore, neither group is present in the device info
597 # structure.
598 (asserted_identity, SidType.EXTRA_SID, default_attrs),
599 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
600 },
601 },
602 {
603 'test': 'add transitive domain-local groups to service uncompressed',
604 'groups': {
605 'dom-local-outer': (GroupType.DOMAIN_LOCAL, {'universal-inner'}),
606 'universal-inner': (GroupType.UNIVERSAL, {}),
607 },
608 'tgs:mach:added': {
609 'universal-inner',
610 },
611 'as:mach:expected': {
612 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
613 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
614 (asserted_identity, SidType.EXTRA_SID, default_attrs),
615 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
616 },
617 'tgs:to_krbtgt': False,
618 'tgs:compression': False,
619 'tgs:expected': {
620 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
621 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
622 (asserted_identity, SidType.EXTRA_SID, default_attrs),
623 (compounded_auth, SidType.EXTRA_SID, default_attrs),
624 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
625 },
626 'tgs:device:expected': {
627 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
628 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
629 (asserted_identity, SidType.EXTRA_SID, default_attrs),
630 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
631 },
632 },
633 # Simulate a machine ticket coming in over a trust.
634 {
635 'test': 'from trust domain-local groups to service compressed',
636 'groups': {
637 # The machine belongs to a couple of domain-local groups in our
638 # domain.
639 'foo': (GroupType.DOMAIN_LOCAL, {trust_mach}),
640 'bar': (GroupType.DOMAIN_LOCAL, {'foo'}),
641 },
642 'tgs:to_krbtgt': False,
643 'tgs:compression': True,
644 # The machine SID is from a different domain.
645 'tgs:mach_sid': trust_mach,
646 'tgs:mach:sids': {
647 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
648 (asserted_identity, SidType.EXTRA_SID, default_attrs),
649 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
650 # This dummy resource SID comes from the trusted domain.
651 (f'{mach_trust_domain}-333', SidType.RESOURCE_SID, resource_attrs),
652 },
653 'tgs:expected': {
654 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
655 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
656 (asserted_identity, SidType.EXTRA_SID, default_attrs),
657 (compounded_auth, SidType.EXTRA_SID, default_attrs),
658 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
659 },
660 'tgs:device:expected': {
661 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
662 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
663 # The domain-local groups end up in the device info.
664 frozenset([
665 ('foo', SidType.RESOURCE_SID, resource_attrs),
666 ('bar', SidType.RESOURCE_SID, resource_attrs),
667 ]),
668 (asserted_identity, SidType.EXTRA_SID, default_attrs),
669 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
670 },
671 },
672 {
673 'test': 'from trust domain-local groups to service uncompressed',
674 'groups': {
675 'foo': (GroupType.DOMAIN_LOCAL, {trust_mach}),
676 'bar': (GroupType.DOMAIN_LOCAL, {'foo'}),
677 },
678 'tgs:to_krbtgt': False,
679 'tgs:compression': False,
680 'tgs:mach_sid': trust_mach,
681 'tgs:mach:sids': {
682 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
683 (asserted_identity, SidType.EXTRA_SID, default_attrs),
684 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
685 (f'{mach_trust_domain}-333', SidType.RESOURCE_SID, resource_attrs),
686 },
687 'tgs:expected': {
688 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
689 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
690 (asserted_identity, SidType.EXTRA_SID, default_attrs),
691 (compounded_auth, SidType.EXTRA_SID, default_attrs),
692 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
693 },
694 'tgs:device:expected': {
695 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
696 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
697 frozenset([
698 ('foo', SidType.RESOURCE_SID, resource_attrs),
699 ('bar', SidType.RESOURCE_SID, resource_attrs),
700 ]),
701 (asserted_identity, SidType.EXTRA_SID, default_attrs),
702 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
703 },
704 },
705 # Simulate the user ticket coming in over a trust.
706 {
707 'test': 'user from trust domain-local groups to krbtgt',
708 'groups': {
709 # The user belongs to a couple of domain-local groups in our
710 # domain.
711 'group0': (GroupType.DOMAIN_LOCAL, {trust_user}),
712 'group1': (GroupType.DOMAIN_LOCAL, {'group0'}),
713 },
714 'tgs:to_krbtgt': True,
715 # Both SIDs are from a different domain.
716 'tgs:user_sid': trust_user,
717 'tgs:user:sids': {
718 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
719 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
720 (asserted_identity, SidType.EXTRA_SID, default_attrs),
721 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
722 # This dummy resource SID comes from the trusted domain.
723 (f'{mach_trust_domain}-333', SidType.RESOURCE_SID, resource_attrs),
724 },
725 'tgs:expected': {
726 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
727 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
728 (asserted_identity, SidType.EXTRA_SID, default_attrs),
729 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
730 # The dummy resource SID remains in the PAC.
731 (f'{mach_trust_domain}-333', SidType.RESOURCE_SID, resource_attrs),
732 },
733 },
734 {
735 'test': 'user from trust domain-local groups to service compressed',
736 'groups': {
737 'group0': (GroupType.DOMAIN_LOCAL, {trust_user}),
738 'group1': (GroupType.DOMAIN_LOCAL, {'group0'}),
739 },
740 'tgs:to_krbtgt': False,
741 'tgs:compression': True,
742 'tgs:user_sid': trust_user,
743 'tgs:user:sids': {
744 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
745 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
746 (asserted_identity, SidType.EXTRA_SID, default_attrs),
747 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
748 # This dummy resource SID comes from the trusted domain.
749 (f'{mach_trust_domain}-333', SidType.RESOURCE_SID, resource_attrs),
750 },
751 'tgs:expected': {
752 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
753 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
754 (asserted_identity, SidType.EXTRA_SID, default_attrs),
755 (compounded_auth, SidType.EXTRA_SID, default_attrs),
756 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
757 ('group0', SidType.RESOURCE_SID, resource_attrs),
758 ('group1', SidType.RESOURCE_SID, resource_attrs),
759 },
760 'tgs:device:expected': {
761 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
762 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
763 (asserted_identity, SidType.EXTRA_SID, default_attrs),
764 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
765 },
766 },
767 {
768 'test': 'user from trust domain-local groups to service uncompressed',
769 'groups': {
770 'group0': (GroupType.DOMAIN_LOCAL, {trust_user}),
771 'group1': (GroupType.DOMAIN_LOCAL, {'group0'}),
772 },
773 'tgs:to_krbtgt': False,
774 'tgs:compression': False,
775 'tgs:user_sid': trust_user,
776 'tgs:user:sids': {
777 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
778 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
779 (asserted_identity, SidType.EXTRA_SID, default_attrs),
780 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
781 # This dummy resource SID comes from the trusted domain.
782 (f'{mach_trust_domain}-333', SidType.RESOURCE_SID, resource_attrs),
783 },
784 'tgs:expected': {
785 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
786 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
787 (asserted_identity, SidType.EXTRA_SID, default_attrs),
788 (compounded_auth, SidType.EXTRA_SID, default_attrs),
789 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
790 ('group0', SidType.EXTRA_SID, resource_attrs),
791 ('group1', SidType.EXTRA_SID, resource_attrs),
792 },
793 'tgs:device:expected': {
794 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
795 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
796 (asserted_identity, SidType.EXTRA_SID, default_attrs),
797 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
798 },
799 },
800 # Simulate both tickets coming in over a trust.
801 {
802 'test': 'both from trust domain-local groups to krbtgt',
803 'groups': {
804 # The user and machine each belong to a couple of domain-local
805 # groups in our domain.
806 'group0': (GroupType.DOMAIN_LOCAL, {trust_user}),
807 'group1': (GroupType.DOMAIN_LOCAL, {'group0'}),
808 'group2': (GroupType.DOMAIN_LOCAL, {trust_mach}),
809 'group3': (GroupType.DOMAIN_LOCAL, {'group2'}),
810 },
811 'tgs:to_krbtgt': True,
812 # Both SIDs are from a different domain.
813 'tgs:user_sid': trust_user,
814 'tgs:mach_sid': trust_mach,
815 'tgs:user:sids': {
816 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
817 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
818 (asserted_identity, SidType.EXTRA_SID, default_attrs),
819 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
820 # This dummy resource SID comes from the trusted domain.
821 (f'{mach_trust_domain}-333', SidType.RESOURCE_SID, resource_attrs),
822 },
823 'tgs:mach:sids': {
824 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
825 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
826 (asserted_identity, SidType.EXTRA_SID, default_attrs),
827 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
828 # This dummy resource SID comes from the trusted domain.
829 (f'{mach_trust_domain}-444', SidType.RESOURCE_SID, resource_attrs),
830 },
831 'tgs:expected': {
832 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
833 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
834 (asserted_identity, SidType.EXTRA_SID, default_attrs),
835 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
836 # The dummy resource SID remains in the PAC.
837 (f'{mach_trust_domain}-333', SidType.RESOURCE_SID, resource_attrs),
838 },
839 },
840 {
841 'test': 'both from trust domain-local groups to service compressed',
842 'groups': {
843 # The machine belongs to a couple of domain-local groups in our
844 # domain.
845 'group0': (GroupType.DOMAIN_LOCAL, {trust_user}),
846 'group1': (GroupType.DOMAIN_LOCAL, {'group0'}),
847 'group2': (GroupType.DOMAIN_LOCAL, {trust_mach}),
848 'group3': (GroupType.DOMAIN_LOCAL, {'group2'}),
849 },
850 'tgs:to_krbtgt': False,
851 'tgs:compression': True,
852 'tgs:user_sid': trust_user,
853 'tgs:mach_sid': trust_mach,
854 'tgs:user:sids': {
855 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
856 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
857 (asserted_identity, SidType.EXTRA_SID, default_attrs),
858 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
859 # This dummy resource SID comes from the trusted domain.
860 (f'{mach_trust_domain}-333', SidType.RESOURCE_SID, resource_attrs),
861 },
862 'tgs:mach:sids': {
863 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
864 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
865 (asserted_identity, SidType.EXTRA_SID, default_attrs),
866 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
867 # This dummy resource SID comes from the trusted domain.
868 (f'{mach_trust_domain}-444', SidType.RESOURCE_SID, resource_attrs),
869 },
870 'tgs:expected': {
871 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
872 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
873 (asserted_identity, SidType.EXTRA_SID, default_attrs),
874 (compounded_auth, SidType.EXTRA_SID, default_attrs),
875 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
876 ('group0', SidType.RESOURCE_SID, resource_attrs),
877 ('group1', SidType.RESOURCE_SID, resource_attrs),
878 },
879 'tgs:device:expected': {
880 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
881 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
882 # The domain-local groups end up in the device info.
883 frozenset([
884 ('group2', SidType.RESOURCE_SID, resource_attrs),
885 ('group3', SidType.RESOURCE_SID, resource_attrs),
886 ]),
887 (asserted_identity, SidType.EXTRA_SID, default_attrs),
888 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
889 },
890 },
891 {
892 'test': 'both from trust domain-local groups to service uncompressed',
893 'groups': {
894 'group0': (GroupType.DOMAIN_LOCAL, {trust_user}),
895 'group1': (GroupType.DOMAIN_LOCAL, {'group0'}),
896 'group2': (GroupType.DOMAIN_LOCAL, {trust_mach}),
897 'group3': (GroupType.DOMAIN_LOCAL, {'group2'}),
898 },
899 'tgs:to_krbtgt': False,
900 'tgs:compression': False,
901 'tgs:user_sid': trust_user,
902 'tgs:mach_sid': trust_mach,
903 'tgs:user:sids': {
904 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
905 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
906 (asserted_identity, SidType.EXTRA_SID, default_attrs),
907 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
908 # This dummy resource SID comes from the trusted domain.
909 (f'{mach_trust_domain}-333', SidType.RESOURCE_SID, resource_attrs),
910 },
911 'tgs:mach:sids': {
912 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
913 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
914 (asserted_identity, SidType.EXTRA_SID, default_attrs),
915 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
916 # This dummy resource SID comes from the trusted domain.
917 (f'{mach_trust_domain}-444', SidType.RESOURCE_SID, resource_attrs),
918 },
919 'tgs:expected': {
920 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
921 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
922 (asserted_identity, SidType.EXTRA_SID, default_attrs),
923 (compounded_auth, SidType.EXTRA_SID, default_attrs),
924 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
925 ('group0', SidType.EXTRA_SID, resource_attrs),
926 ('group1', SidType.EXTRA_SID, resource_attrs),
927 },
928 'tgs:device:expected': {
929 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
930 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
931 frozenset([
932 ('group2', SidType.RESOURCE_SID, resource_attrs),
933 ('group3', SidType.RESOURCE_SID, resource_attrs),
934 ]),
935 (asserted_identity, SidType.EXTRA_SID, default_attrs),
936 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
937 },
938 },
939 # Test how resource SIDs are propagated into the device info structure.
940 {
941 'test': 'mach resource sids',
942 'tgs:mach:sids': {
943 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
944 # Of these SIDs, the Base SIDs and Extra SIDs are all
945 # propagated into the device info structure, regardless of
946 # their attrs, while the Resource SIDs are all dropped.
947 (123, SidType.BASE_SID, default_attrs),
948 (333, SidType.BASE_SID, default_attrs),
949 (333, SidType.BASE_SID, resource_attrs),
950 (1000, SidType.BASE_SID, resource_attrs),
951 (497, SidType.EXTRA_SID, resource_attrs), # the Claims Valid RID.
952 (333, SidType.RESOURCE_SID, default_attrs),
953 (498, SidType.RESOURCE_SID, resource_attrs),
954 (99999, SidType.RESOURCE_SID, default_attrs),
955 (12345678, SidType.RESOURCE_SID, resource_attrs),
956 (asserted_identity, SidType.EXTRA_SID, default_attrs),
957 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
958 },
959 'tgs:to_krbtgt': False,
960 'tgs:expected': {
961 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
962 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
963 (asserted_identity, SidType.EXTRA_SID, default_attrs),
964 (compounded_auth, SidType.EXTRA_SID, default_attrs),
965 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
966 },
967 'tgs:device:expected': {
968 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
969 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
970 (123, SidType.BASE_SID, default_attrs),
971 (333, SidType.BASE_SID, default_attrs),
972 (333, SidType.BASE_SID, resource_attrs),
973 (1000, SidType.BASE_SID, resource_attrs),
974 frozenset({
975 (497, SidType.RESOURCE_SID, resource_attrs),
976 }),
977 (asserted_identity, SidType.EXTRA_SID, default_attrs),
978 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
979 },
980 },
981 # Add a Base SID to the user's PAC, and confirm it is propagated into
982 # the PAC of the service ticket.
983 {
984 'test': 'base sid to krbtgt',
985 'tgs:user:sids': {
986 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
987 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
988 (123, SidType.BASE_SID, default_attrs),
989 (asserted_identity, SidType.EXTRA_SID, default_attrs),
990 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
991 },
992 'tgs:to_krbtgt': True,
993 'tgs:expected': {
994 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
995 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
996 (123, SidType.BASE_SID, default_attrs),
997 (asserted_identity, SidType.EXTRA_SID, default_attrs),
998 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
999 },
1000 },
1001 {
1002 'test': 'base sid to service',
1003 'tgs:user:sids': {
1004 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1005 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1006 (123, SidType.BASE_SID, default_attrs),
1007 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1008 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1009 },
1010 'tgs:to_krbtgt': False,
1011 'tgs:expected': {
1012 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1013 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1014 (123, SidType.BASE_SID, default_attrs),
1015 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1016 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1017 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1018 },
1019 'tgs:device:expected': {
1020 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1021 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1022 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1023 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
1024 },
1025 },
1026 # Add a Base SID with resource attrs to the user's PAC, and confirm it
1027 # is propagated into the PAC of the service ticket.
1028 {
1029 'test': 'base sid resource attrs to krbtgt',
1030 'tgs:user:sids': {
1031 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1032 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1033 (123, SidType.BASE_SID, resource_attrs),
1034 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1035 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1036 },
1037 'tgs:to_krbtgt': True,
1038 'tgs:expected': {
1039 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1040 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1041 (123, SidType.BASE_SID, resource_attrs),
1042 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1043 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1044 },
1045 },
1046 {
1047 'test': 'base sid resource attrs to service',
1048 'tgs:user:sids': {
1049 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1050 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1051 (123, SidType.BASE_SID, resource_attrs),
1052 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1053 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1054 },
1055 'tgs:to_krbtgt': False,
1056 'tgs:expected': {
1057 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1058 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1059 (123, SidType.BASE_SID, resource_attrs),
1060 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1061 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1062 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1063 },
1064 'tgs:device:expected': {
1065 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1066 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1067 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1068 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
1069 },
1070 },
1071 # Add a couple of Extra SIDs to the user's PAC, and confirm they are
1072 # propagated into the PAC of the service ticket.
1073 {
1074 'test': 'extra sids to krbtgt',
1075 'tgs:user:sids': {
1076 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1077 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1078 ('S-1-5-2-3-4', SidType.EXTRA_SID, default_attrs),
1079 ('S-1-5-2-3-5', SidType.EXTRA_SID, resource_attrs),
1080 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1081 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1082 },
1083 'tgs:to_krbtgt': True,
1084 'tgs:expected': {
1085 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1086 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1087 ('S-1-5-2-3-4', SidType.EXTRA_SID, default_attrs),
1088 ('S-1-5-2-3-5', SidType.EXTRA_SID, resource_attrs),
1089 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1090 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1091 },
1092 },
1093 {
1094 'test': 'extra sids to service',
1095 'tgs:user:sids': {
1096 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1097 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1098 ('S-1-5-2-3-4', SidType.EXTRA_SID, default_attrs),
1099 ('S-1-5-2-3-5', SidType.EXTRA_SID, resource_attrs),
1100 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1101 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1102 },
1103 'tgs:to_krbtgt': False,
1104 'tgs:expected': {
1105 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1106 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1107 ('S-1-5-2-3-4', SidType.EXTRA_SID, default_attrs),
1108 ('S-1-5-2-3-5', SidType.EXTRA_SID, resource_attrs),
1109 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1110 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1111 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1112 },
1113 'tgs:device:expected': {
1114 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1115 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1116 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1117 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
1118 },
1119 },
1120 # Test what happens if we remove the CLAIMS_VALID and ASSERTED_IDENTITY
1121 # SIDs from either of the PACs, so we can see at what point these SIDs
1122 # are added.
1123 {
1124 'test': 'removed special sids to krbtgt',
1125 'tgs:user:sids': {
1126 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1127 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1128 ('S-1-5-2-3-4', SidType.EXTRA_SID, default_attrs),
1129 # We don't specify asserted identity or claims valid SIDs for
1130 # the user...
1131 },
1132 'tgs:mach:sids': {
1133 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1134 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1135 # ...nor for the computer.
1136 },
1137 'tgs:to_krbtgt': True,
1138 'tgs:expected': {
1139 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1140 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1141 ('S-1-5-2-3-4', SidType.EXTRA_SID, default_attrs),
1142 # They don't show up in the service ticket.
1143 },
1144 },
1145 {
1146 'test': 'removed special sids to service',
1147 'tgs:user:sids': {
1148 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1149 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1150 ('S-1-5-2-3-4', SidType.EXTRA_SID, default_attrs),
1151 },
1152 'tgs:mach:sids': {
1153 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1154 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1155 },
1156 'tgs:to_krbtgt': False,
1157 'tgs:expected': {
1158 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1159 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1160 ('S-1-5-2-3-4', SidType.EXTRA_SID, default_attrs),
1161 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1162 },
1163 'tgs:device:expected': {
1164 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1165 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1166 # These special SIDs don't show up in the device info either.
1167 },
1168 },
1169 # Test a group being the primary one for the user and machine.
1170 {
1171 'test': 'primary universal to krbtgt',
1172 'groups': {
1173 'primary-user': (GroupType.UNIVERSAL, {user}),
1174 'primary-mach': (GroupType.UNIVERSAL, {mach}),
1175 },
1176 # Set these groups as the account's primary groups.
1177 'primary_group': 'primary-user',
1178 'mach:primary_group': 'primary-mach',
1179 'as:expected': {
1180 # They appear in the PAC as normal.
1181 ('primary-user', SidType.BASE_SID, default_attrs),
1182 ('primary-user', SidType.PRIMARY_GID, None),
1183 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1184 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1185 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1186 },
1187 'as:mach:expected': {
1188 ('primary-mach', SidType.BASE_SID, default_attrs),
1189 ('primary-mach', SidType.PRIMARY_GID, None),
1190 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1191 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1192 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1193 },
1194 'tgs:to_krbtgt': True,
1195 'tgs:expected': {
1196 ('primary-user', SidType.BASE_SID, default_attrs),
1197 ('primary-user', SidType.PRIMARY_GID, None),
1198 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1199 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1200 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1201 },
1202 },
1203 {
1204 'test': 'primary universal to service compressed',
1205 'groups': {
1206 'primary-user': (GroupType.UNIVERSAL, {user}),
1207 'primary-mach': (GroupType.UNIVERSAL, {mach}),
1208 },
1209 'primary_group': 'primary-user',
1210 'mach:primary_group': 'primary-mach',
1211 'as:expected': {
1212 ('primary-user', SidType.BASE_SID, default_attrs),
1213 ('primary-user', SidType.PRIMARY_GID, None),
1214 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1215 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1216 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1217 },
1218 'as:mach:expected': {
1219 ('primary-mach', SidType.BASE_SID, default_attrs),
1220 ('primary-mach', SidType.PRIMARY_GID, None),
1221 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1222 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1223 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1224 },
1225 'tgs:to_krbtgt': False,
1226 'tgs:compression': True,
1227 'tgs:expected': {
1228 ('primary-user', SidType.BASE_SID, default_attrs),
1229 ('primary-user', SidType.PRIMARY_GID, None),
1230 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1231 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1232 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1233 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1234 },
1235 'tgs:device:expected': {
1236 ('primary-mach', SidType.BASE_SID, default_attrs),
1237 ('primary-mach', SidType.PRIMARY_GID, None),
1238 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1239 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1240 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
1241 },
1242 },
1243 {
1244 'test': 'primary universal to service uncompressed',
1245 'groups': {
1246 'primary-user': (GroupType.UNIVERSAL, {user}),
1247 'primary-mach': (GroupType.UNIVERSAL, {mach}),
1248 },
1249 'primary_group': 'primary-user',
1250 'mach:primary_group': 'primary-mach',
1251 'as:expected': {
1252 ('primary-user', SidType.BASE_SID, default_attrs),
1253 ('primary-user', SidType.PRIMARY_GID, None),
1254 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1255 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1256 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1257 },
1258 'as:mach:expected': {
1259 ('primary-mach', SidType.BASE_SID, default_attrs),
1260 ('primary-mach', SidType.PRIMARY_GID, None),
1261 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1262 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1263 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1264 },
1265 'tgs:to_krbtgt': False,
1266 # SID compression is unsupported.
1267 'tgs:compression': False,
1268 'tgs:expected': {
1269 ('primary-user', SidType.BASE_SID, default_attrs),
1270 ('primary-user', SidType.PRIMARY_GID, None),
1271 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1272 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1273 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1274 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1275 },
1276 'tgs:device:expected': {
1277 ('primary-mach', SidType.BASE_SID, default_attrs),
1278 ('primary-mach', SidType.PRIMARY_GID, None),
1279 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1280 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1281 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
1282 },
1283 },
1284 # Test domain-local primary groups.
1285 {
1286 'test': 'primary domain-local to krbtgt',
1287 'groups': {
1288 'primary-user': (GroupType.DOMAIN_LOCAL, {user}),
1289 'primary-mach': (GroupType.DOMAIN_LOCAL, {mach}),
1290 },
1291 # Though Windows normally disallows setting domain-locals group as
1292 # primary groups, Samba does not.
1293 'primary_group': 'primary-user',
1294 'mach:primary_group': 'primary-mach',
1295 'as:expected': {
1296 # The domain-local groups appear as our primary GIDs, but do
1297 # not appear in the base SIDs.
1298 ('primary-user', SidType.PRIMARY_GID, None),
1299 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1300 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1301 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1302 },
1303 'as:mach:expected': {
1304 ('primary-mach', SidType.PRIMARY_GID, None),
1305 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1306 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1307 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1308 },
1309 'tgs:to_krbtgt': True,
1310 'tgs:expected': {
1311 ('primary-user', SidType.PRIMARY_GID, None),
1312 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1313 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1314 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1315 },
1316 },
1317 {
1318 'test': 'primary domain-local to service compressed',
1319 'groups': {
1320 'primary-user': (GroupType.DOMAIN_LOCAL, {user}),
1321 'primary-mach': (GroupType.DOMAIN_LOCAL, {mach}),
1322 },
1323 'primary_group': 'primary-user',
1324 'mach:primary_group': 'primary-mach',
1325 'as:expected': {
1326 ('primary-user', SidType.PRIMARY_GID, None),
1327 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1328 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1329 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1330 },
1331 'as:mach:expected': {
1332 ('primary-mach', SidType.PRIMARY_GID, None),
1333 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1334 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1335 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1336 },
1337 'tgs:to_krbtgt': False,
1338 'tgs:compression': True,
1339 'tgs:expected': {
1340 ('primary-user', SidType.PRIMARY_GID, None),
1341 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1342 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1343 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1344 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1345 },
1346 'tgs:device:expected': {
1347 ('primary-mach', SidType.PRIMARY_GID, None),
1348 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1349 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1350 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
1351 },
1352 },
1353 {
1354 'test': 'primary domain-local to service uncompressed',
1355 'groups': {
1356 'primary-user': (GroupType.DOMAIN_LOCAL, {user}),
1357 'primary-mach': (GroupType.DOMAIN_LOCAL, {mach}),
1358 },
1359 'primary_group': 'primary-user',
1360 'mach:primary_group': 'primary-mach',
1361 'as:expected': {
1362 ('primary-user', SidType.PRIMARY_GID, None),
1363 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1364 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1365 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1366 },
1367 'as:mach:expected': {
1368 ('primary-mach', SidType.PRIMARY_GID, None),
1369 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1370 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1371 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1372 },
1373 'tgs:to_krbtgt': False,
1374 # SID compression is unsupported.
1375 'tgs:compression': False,
1376 'tgs:expected': {
1377 ('primary-user', SidType.PRIMARY_GID, None),
1378 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1379 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1380 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1381 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1382 },
1383 'tgs:device:expected': {
1384 ('primary-mach', SidType.PRIMARY_GID, None),
1385 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1386 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1387 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
1388 },
1389 },
1390 # Test the scenario where we belong to a now-domain-local group, and
1391 # possess an old TGT issued when the group was still our primary one.
1392 {
1393 'test': 'old primary domain-local to krbtgt',
1394 'groups': {
1395 # Domain-local groups to which the accounts belong.
1396 'primary-user': (GroupType.DOMAIN_LOCAL, {user}),
1397 'primary-mach': (GroupType.DOMAIN_LOCAL, {mach}),
1398 },
1399 'tgs:user:sids': {
1400 # In the PACs, the groups have the attributes of an ordinary
1401 # group...
1402 ('primary-user', SidType.BASE_SID, default_attrs),
1403 # ...and remain our primary ones.
1404 ('primary-user', SidType.PRIMARY_GID, None),
1405 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1406 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1407 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1408 },
1409 'tgs:mach:sids': {
1410 ('primary-mach', SidType.BASE_SID, default_attrs),
1411 ('primary-mach', SidType.PRIMARY_GID, None),
1412 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1413 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1414 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1415 },
1416 'tgs:to_krbtgt': True,
1417 'tgs:expected': {
1418 # The groups don't change.
1419 ('primary-user', SidType.BASE_SID, default_attrs),
1420 ('primary-user', SidType.PRIMARY_GID, None),
1421 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1422 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1423 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1424 },
1425 },
1426 {
1427 'test': 'old primary domain-local to service compressed',
1428 'groups': {
1429 'primary-user': (GroupType.DOMAIN_LOCAL, {user}),
1430 'primary-mach': (GroupType.DOMAIN_LOCAL, {mach}),
1431 },
1432 'tgs:user:sids': {
1433 ('primary-user', SidType.BASE_SID, default_attrs),
1434 ('primary-user', SidType.PRIMARY_GID, None),
1435 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1436 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1437 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1438 },
1439 'tgs:mach:sids': {
1440 ('primary-mach', SidType.BASE_SID, default_attrs),
1441 ('primary-mach', SidType.PRIMARY_GID, None),
1442 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1443 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1444 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1445 },
1446 'tgs:to_krbtgt': False,
1447 'tgs:compression': True,
1448 'tgs:expected': {
1449 ('primary-user', SidType.BASE_SID, default_attrs),
1450 ('primary-user', SidType.PRIMARY_GID, None),
1451 # The groups are added a second time to the PAC, now as
1452 # resource groups.
1453 ('primary-user', SidType.RESOURCE_SID, resource_attrs),
1454 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1455 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1456 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1457 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1458 },
1459 'tgs:device:expected': {
1460 ('primary-mach', SidType.BASE_SID, default_attrs),
1461 ('primary-mach', SidType.PRIMARY_GID, None),
1462 frozenset([('primary-mach', SidType.RESOURCE_SID, resource_attrs)]),
1463 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1464 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1465 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
1466 },
1467 },
1468 {
1469 'test': 'old primary domain-local to service uncompressed',
1470 'groups': {
1471 'primary-user': (GroupType.DOMAIN_LOCAL, {user}),
1472 'primary-mach': (GroupType.DOMAIN_LOCAL, {mach}),
1473 },
1474 'tgs:user:sids': {
1475 ('primary-user', SidType.BASE_SID, default_attrs),
1476 ('primary-user', SidType.PRIMARY_GID, None),
1477 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1478 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1479 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1480 },
1481 'tgs:mach:sids': {
1482 ('primary-mach', SidType.BASE_SID, default_attrs),
1483 ('primary-mach', SidType.PRIMARY_GID, None),
1484 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1485 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1486 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1487 },
1488 'tgs:to_krbtgt': False,
1489 # SID compression is unsupported.
1490 'tgs:compression': False,
1491 'tgs:expected': {
1492 ('primary-user', SidType.BASE_SID, default_attrs),
1493 ('primary-user', SidType.PRIMARY_GID, None),
1494 # This time, the group is added to Extra SIDs.
1495 ('primary-user', SidType.EXTRA_SID, resource_attrs),
1496 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1497 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1498 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1499 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1500 },
1501 'tgs:device:expected': {
1502 ('primary-mach', SidType.BASE_SID, default_attrs),
1503 ('primary-mach', SidType.PRIMARY_GID, None),
1504 frozenset([('primary-mach', SidType.RESOURCE_SID, resource_attrs)]),
1505 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1506 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1507 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
1508 },
1509 },
1510 # Test the scenario where each account possesses an old TGT issued when
1511 # a now-domain-local group was still its primary one. The accounts no
1512 # longer belong to those groups, which themselves belong to other
1513 # domain-local groups.
1514 {
1515 'test': 'old primary domain-local transitive to krbtgt',
1516 'groups': {
1517 'user-outer': (GroupType.DOMAIN_LOCAL, {'user-inner'}),
1518 'user-inner': (GroupType.DOMAIN_LOCAL, {}),
1519 'mach-outer': (GroupType.DOMAIN_LOCAL, {'mach-inner'}),
1520 'mach-inner': (GroupType.DOMAIN_LOCAL, {}),
1521 },
1522 'tgs:user:sids': {
1523 # In the PACs, the groups have the attributes of an ordinary
1524 # group...
1525 ('user-inner', SidType.BASE_SID, default_attrs),
1526 # ...and remain our primary ones.
1527 ('user-inner', SidType.PRIMARY_GID, None),
1528 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1529 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1530 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1531 },
1532 'tgs:mach:sids': {
1533 ('mach-inner', SidType.BASE_SID, default_attrs),
1534 ('mach-inner', SidType.PRIMARY_GID, None),
1535 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1536 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1537 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1538 },
1539 'tgs:to_krbtgt': True,
1540 'tgs:expected': {
1541 # The groups don't change.
1542 ('user-inner', SidType.BASE_SID, default_attrs),
1543 ('user-inner', SidType.PRIMARY_GID, None),
1544 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1545 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1546 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1547 },
1548 },
1549 {
1550 'test': 'old primary domain-local transitive to service compressed',
1551 'groups': {
1552 'user-outer': (GroupType.DOMAIN_LOCAL, {'user-inner'}),
1553 'user-inner': (GroupType.DOMAIN_LOCAL, {}),
1554 'mach-outer': (GroupType.DOMAIN_LOCAL, {'mach-inner'}),
1555 'mach-inner': (GroupType.DOMAIN_LOCAL, {}),
1556 },
1557 'tgs:user:sids': {
1558 ('user-inner', SidType.BASE_SID, default_attrs),
1559 ('user-inner', SidType.PRIMARY_GID, None),
1560 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1561 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1562 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1563 },
1564 'tgs:mach:sids': {
1565 ('mach-inner', SidType.BASE_SID, default_attrs),
1566 ('mach-inner', SidType.PRIMARY_GID, None),
1567 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1568 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1569 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1570 },
1571 'tgs:to_krbtgt': False,
1572 'tgs:compression': True,
1573 'tgs:expected': {
1574 ('user-inner', SidType.BASE_SID, default_attrs),
1575 ('user-inner', SidType.PRIMARY_GID, None),
1576 # The second resource groups are added a second time to the PAC
1577 # as resource groups.
1578 ('user-outer', SidType.RESOURCE_SID, resource_attrs),
1579 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1580 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1581 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1582 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1583 },
1584 'tgs:device:expected': {
1585 ('mach-inner', SidType.BASE_SID, default_attrs),
1586 ('mach-inner', SidType.PRIMARY_GID, None),
1587 frozenset([('mach-outer', SidType.RESOURCE_SID, resource_attrs)]),
1588 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1589 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1590 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
1591 },
1592 },
1593 {
1594 'test': 'old primary domain-local transitive to service uncompressed',
1595 'groups': {
1596 'user-outer': (GroupType.DOMAIN_LOCAL, {'user-inner'}),
1597 'user-inner': (GroupType.DOMAIN_LOCAL, {}),
1598 'mach-outer': (GroupType.DOMAIN_LOCAL, {'mach-inner'}),
1599 'mach-inner': (GroupType.DOMAIN_LOCAL, {}),
1600 },
1601 'tgs:user:sids': {
1602 ('user-inner', SidType.BASE_SID, default_attrs),
1603 ('user-inner', SidType.PRIMARY_GID, None),
1604 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1605 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1606 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1607 },
1608 'tgs:mach:sids': {
1609 ('mach-inner', SidType.BASE_SID, default_attrs),
1610 ('mach-inner', SidType.PRIMARY_GID, None),
1611 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1612 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1613 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1614 },
1615 'tgs:to_krbtgt': False,
1616 # SID compression is unsupported.
1617 'tgs:compression': False,
1618 'tgs:expected': {
1619 ('user-inner', SidType.BASE_SID, default_attrs),
1620 ('user-inner', SidType.PRIMARY_GID, None),
1621 # This time, the group is added to Extra SIDs.
1622 ('user-outer', SidType.EXTRA_SID, resource_attrs),
1623 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1624 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1625 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1626 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1627 },
1628 'tgs:device:expected': {
1629 ('mach-inner', SidType.BASE_SID, default_attrs),
1630 ('mach-inner', SidType.PRIMARY_GID, None),
1631 frozenset([('mach-outer', SidType.RESOURCE_SID, resource_attrs)]),
1632 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1633 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1634 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
1635 },
1636 },
1637 # Test how the various categories of SIDs are propagated into the
1638 # device info structure.
1639 {
1640 'test': 'device info sid grouping',
1641 'tgs:mach:sids': {
1642 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1643 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1644 # These base SIDs are simply propagated into the device info,
1645 # irrespective of whatever attributes they have.
1646 (1, SidType.BASE_SID, default_attrs),
1647 (2, SidType.BASE_SID, 12345),
1648 # Extra SIDs not from a domain are also propagated.
1649 ('S-1-5-2-3-4', SidType.EXTRA_SID, 789),
1650 ('S-1-5-20', SidType.EXTRA_SID, 999),
1651 ('S-1-5-21', SidType.EXTRA_SID, 999),
1652 ('S-1-6-0', SidType.EXTRA_SID, 999),
1653 ('S-1-6-2-3-4', SidType.EXTRA_SID, 789),
1654 # Extra SIDs from our own domain are collated into a group.
1655 (3, SidType.EXTRA_SID, default_attrs),
1656 (4, SidType.EXTRA_SID, 12345),
1657 # Extra SIDs from other domains are collated into separate groups.
1658 ('S-1-5-21-0-0-0-490', SidType.EXTRA_SID, 5),
1659 ('S-1-5-21-0-0-0-491', SidType.EXTRA_SID, 6),
1660 ('S-1-5-21-0-0-1-492', SidType.EXTRA_SID, 7),
1661 ('S-1-5-21-0-0-1-493', SidType.EXTRA_SID, 8),
1662 ('S-1-5-21-0-0-1-494', SidType.EXTRA_SID, 9),
1663 # A non-domain SID (too few subauths), ...
1664 ('S-1-5-21-242424-12345-2', SidType.EXTRA_SID, 1111111111),
1665 # ... a domain SID, ...
1666 ('S-1-5-21-242424-12345-321321-2', SidType.EXTRA_SID, 1111111111),
1667 # ... and a non-domain SID (too many subauths).
1668 ('S-1-5-21-242424-12345-321321-654321-2', SidType.EXTRA_SID, default_attrs),
1669 # Special SIDs.
1670 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1671 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1672 },
1673 'tgs:to_krbtgt': False,
1674 'tgs:expected': {
1675 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1676 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1677 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1678 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1679 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1680 },
1681 'tgs:device:expected': {
1682 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1683 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1684 # Base SIDs.
1685 (1, SidType.BASE_SID, default_attrs),
1686 (2, SidType.BASE_SID, 12345),
1687 # Extra SIDs from other domains.
1688 ('S-1-5-2-3-4', SidType.EXTRA_SID, 789),
1689 ('S-1-5-20', SidType.EXTRA_SID, 999),
1690 ('S-1-5-21', SidType.EXTRA_SID, 999),
1691 ('S-1-6-0', SidType.EXTRA_SID, 999),
1692 ('S-1-6-2-3-4', SidType.EXTRA_SID, 789),
1693 # Extra SIDs from our own domain.
1694 frozenset({
1695 (3, SidType.RESOURCE_SID, default_attrs),
1696 (4, SidType.RESOURCE_SID, 12345),
1697 }),
1698 # Extra SIDs from other domains.
1699 frozenset({
1700 ('S-1-5-21-0-0-0-490', SidType.RESOURCE_SID, 5),
1701 ('S-1-5-21-0-0-0-491', SidType.RESOURCE_SID, 6),
1702 # These SIDs end up placed with the CLAIMS_VALID SID.
1703 (security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs),
1704 }),
1705 frozenset({
1706 ('S-1-5-21-0-0-1-492', SidType.RESOURCE_SID, 7),
1707 ('S-1-5-21-0-0-1-493', SidType.RESOURCE_SID, 8),
1708 ('S-1-5-21-0-0-1-494', SidType.RESOURCE_SID, 9),
1709 }),
1710 # Non-domain SID.
1711 ('S-1-5-21-242424-12345-2', SidType.EXTRA_SID, 1111111111),
1712 # Domain SID.
1713 frozenset({
1714 ('S-1-5-21-242424-12345-321321-2', SidType.RESOURCE_SID, 1111111111),
1715 }),
1716 # Non-domain SID.
1717 ('S-1-5-21-242424-12345-321321-654321-2', SidType.EXTRA_SID, default_attrs),
1718 # Special SIDs.
1719 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1720 },
1721 },
1722 {
1723 # Test RODC-issued device claims.
1724 'test': 'rodc-issued device claims attack',
1725 'groups': {
1726 # A couple of groups to which the machine belongs.
1727 'dom-local': (GroupType.DOMAIN_LOCAL, {mach}),
1728 'universal': (GroupType.UNIVERSAL, {mach}),
1729 },
1730 'as:expected': {
1731 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1732 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1733 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1734 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1735 },
1736 'tgs:mach:sids': {
1737 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1738 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1739 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1740 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1741 # Try to sneak a few extra SIDs into the machine's RODC-issued
1742 # PAC.
1743 (security.BUILTIN_RID_ADMINISTRATORS, SidType.BASE_SID, default_attrs),
1744 (security.DOMAIN_RID_ENTERPRISE_READONLY_DCS, SidType.BASE_SID, default_attrs),
1745 (security.DOMAIN_RID_KRBTGT, SidType.BASE_SID, default_attrs),
1746 (security.DOMAIN_RID_CERT_ADMINS, SidType.RESOURCE_SID, resource_attrs),
1747 (security.SID_NT_SYSTEM, SidType.EXTRA_SID, default_attrs),
1748 # Don't include the groups of which the machine is a member.
1749 },
1750 # The armor ticket was issued by an RODC.
1751 'tgs:mach:from_rodc': True,
1752 'tgs:to_krbtgt': False,
1753 'tgs:compression': True,
1754 'tgs:expected': {
1755 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1756 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1757 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1758 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1759 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1760 },
1761 'tgs:device:expected': {
1762 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1763 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1764 # The machine's groups are now included.
1765 ('universal', SidType.BASE_SID, default_attrs),
1766 frozenset([
1767 ('dom-local', SidType.RESOURCE_SID, resource_attrs),
1768 # Note that we're not considered a "member" of 'Allowed
1769 # RODC Password Replication Group'.
1770 ]),
1771 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1772 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
1773 # The device groups should have been regenerated, our extra
1774 # SIDs removed, and our elevation of privilege attack foiled.
1775 },
1776 },
1777 {
1778 'test': 'rodc-issued without claims valid',
1779 'as:expected': {
1780 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1781 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1782 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1783 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1784 },
1785 'tgs:mach:sids': {
1786 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1787 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1788 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1789 # The Claims Valid SID is missing.
1790 },
1791 # The armor ticket was issued by an RODC.
1792 'tgs:mach:from_rodc': True,
1793 'tgs:to_krbtgt': False,
1794 'tgs:compression': True,
1795 'tgs:expected': {
1796 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1797 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1798 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1799 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1800 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1801 },
1802 'tgs:device:expected': {
1803 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1804 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1805 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1806 # The Claims Valid SID is still added to the device info.
1807 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
1808 },
1809 },
1810 {
1811 'test': 'rodc-issued without asserted identity',
1812 'as:expected': {
1813 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1814 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1815 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1816 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1817 },
1818 'tgs:mach:sids': {
1819 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1820 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1821 # The Asserted Identity SID is missing.
1822 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1823 },
1824 # The armor ticket was issued by an RODC.
1825 'tgs:mach:from_rodc': True,
1826 'tgs:to_krbtgt': False,
1827 'tgs:compression': True,
1828 'tgs:expected': {
1829 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1830 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1831 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1832 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1833 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1834 },
1835 'tgs:device:expected': {
1836 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1837 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1838 # The Asserted Identity SID is not added to the device info.
1839 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
1840 },
1841 },
1842 {
1843 'test': 'rodc-issued asserted identity without attributes',
1844 'as:expected': {
1845 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1846 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1847 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1848 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1849 },
1850 'tgs:mach:sids': {
1851 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1852 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1853 # The Asserted Identity SID has no attributes set.
1854 (asserted_identity, SidType.EXTRA_SID, 0),
1855 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1856 },
1857 # The armor ticket was issued by an RODC.
1858 'tgs:mach:from_rodc': True,
1859 'tgs:to_krbtgt': False,
1860 'tgs:compression': True,
1861 'tgs:expected': {
1862 (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
1863 (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
1864 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1865 (compounded_auth, SidType.EXTRA_SID, default_attrs),
1866 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
1867 },
1868 'tgs:device:expected': {
1869 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
1870 (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
1871 # The Asserted Identity SID appears in the device info with its
1872 # attributes as normal.
1873 (asserted_identity, SidType.EXTRA_SID, default_attrs),
1874 frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
1875 },
1876 },
1877 ]
1878
1879 @classmethod
1880 def setUpDynamicTestCases(cls):
1881 FILTER = env_get_var_value('FILTER', allow_missing=True)
1882 SKIP_INVALID = env_get_var_value('SKIP_INVALID', allow_missing=True)
1883
1884 for case in cls.cases:
1885 invalid = case.pop('configuration_invalid', False)
1886 if SKIP_INVALID and invalid:
1887 # Some group setups are invalid on Windows, so we allow them to
1888 # be skipped.
1889 continue
1890 name = case.pop('test')
1891 name = re.sub(r'\W+', '_', name)
1892 if FILTER and not re.search(FILTER, name):
1893 continue
1894
1895 cls.generate_dynamic_test('test_device_info', name,
1896 dict(case))
1897
1898 def _test_device_info_with_args(self, case):
1899 # The group arrangement for the test.
1900 group_setup = case.pop('groups', None)
1901
1902 # Groups that should be the primary group for the user and machine
1903 # respectively.
1904 primary_group = case.pop('primary_group', None)
1905 mach_primary_group = case.pop('mach:primary_group', None)
1906
1907 # Whether the TGS-REQ should be directed to the krbtgt.
1908 tgs_to_krbtgt = case.pop('tgs:to_krbtgt', None)
1909
1910 # Whether the target server of the TGS-REQ should support compound
1911 # identity or resource SID compression.
1912 tgs_compound_id = case.pop('tgs:compound_id', None)
1913 tgs_compression = case.pop('tgs:compression', None)
1914
1915 # Optional SIDs to replace those in the PACs prior to a TGS-REQ.
1916 tgs_user_sids = case.pop('tgs:user:sids', None)
1917 tgs_mach_sids = case.pop('tgs:mach:sids', None)
1918
1919 # Whether the machine's TGT should be issued by an RODC.
1920 tgs_mach_from_rodc = case.pop('tgs:mach:from_rodc', None)
1921
1922 # Optional groups which the machine is added to or removed from prior
1923 # to a TGS-REQ, to test how the groups in the device PAC are expanded.
1924 tgs_mach_added = case.pop('tgs:mach:added', None)
1925 tgs_mach_removed = case.pop('tgs:mach:removed', None)
1926
1927 # Optional account SIDs to replace those in the PACs prior to a
1928 # TGS-REQ.
1929 tgs_user_sid = case.pop('tgs:user_sid', None)
1930 tgs_mach_sid = case.pop('tgs:mach_sid', None)
1931
1932 # User flags that may be set or reset in the PAC prior to a TGS-REQ.
1933 tgs_mach_set_user_flags = case.pop('tgs:mach:set_user_flags', None)
1934 tgs_mach_reset_user_flags = case.pop('tgs:mach:reset_user_flags', None)
1935
1936 # The SIDs we expect to see in the PAC after a AS-REQ or a TGS-REQ.
1937 as_expected = case.pop('as:expected', None)
1938 as_mach_expected = case.pop('as:mach:expected', None)
1939 tgs_expected = case.pop('tgs:expected', None)
1940 tgs_device_expected = case.pop('tgs:device:expected', None)
1941
1942 # There should be no parameters remaining in the testcase.
1943 self.assertFalse(case, 'unexpected parameters in testcase')
1944
1945 if as_expected is None:
1946 self.assertIsNotNone(tgs_expected,
1947 'no set of expected SIDs is provided')
1948
1949 if as_mach_expected is None:
1950 self.assertIsNotNone(tgs_expected,
1951 'no set of expected machine SIDs is provided')
1952
1953 if tgs_to_krbtgt is None:
1954 tgs_to_krbtgt = False
1955
1956 if tgs_compound_id is None and not tgs_to_krbtgt:
1957 # Assume the service supports compound identity by default.
1958 tgs_compound_id = True
1959
1960 if tgs_to_krbtgt:
1961 self.assertIsNone(tgs_device_expected,
1962 'device SIDs are not added for a krbtgt request')
1963
1964 self.assertIsNotNone(tgs_expected,
1965 'no set of expected TGS SIDs is provided')
1966
1967 if tgs_user_sid is not None:
1968 self.assertIsNotNone(tgs_user_sids,
1969 'specified TGS-REQ user SID, but no '
1970 'accompanying user SIDs provided')
1971
1972 if tgs_mach_sid is not None:
1973 self.assertIsNotNone(tgs_mach_sids,
1974 'specified TGS-REQ mach SID, but no '
1975 'accompanying machine SIDs provided')
1976
1977 if tgs_mach_set_user_flags is None:
1978 tgs_mach_set_user_flags = 0
1979 else:
1980 self.assertIsNotNone(tgs_mach_sids,
1981 'specified TGS-REQ set user flags, but no '
1982 'accompanying machine SIDs provided')
1983
1984 if tgs_mach_reset_user_flags is None:
1985 tgs_mach_reset_user_flags = 0
1986 else:
1987 self.assertIsNotNone(tgs_mach_sids,
1988 'specified TGS-REQ reset user flags, but no '
1989 'accompanying machine SIDs provided')
1990
1991 if tgs_mach_from_rodc is None:
1992 tgs_mach_from_rodc = False
1993
1994 user_use_cache = not group_setup and (
1995 not primary_group)
1996 mach_use_cache = not group_setup and (
1997 not mach_primary_group) and (
1998 not tgs_mach_added) and (
1999 not tgs_mach_removed)
2000
2001 samdb = self.get_samdb()
2002
2003 domain_sid = samdb.get_domain_sid()
2004
2005 # Create the user account. It needs to be freshly created rather than
2006 # cached if there is a possibility of adding it to one or more groups.
2007 user_creds = self.get_cached_creds(
2008 account_type=self.AccountType.USER,
2009 use_cache=user_use_cache)
2010 user_dn = user_creds.get_dn()
2011 user_sid = user_creds.get_sid()
2012 user_name = user_creds.get_username()
2013
2014 trust_user_rid = random.randint(2000, 0xfffffffe)
2015 trust_user_sid = f'{self.user_trust_domain}-{trust_user_rid}'
2016
2017 trust_mach_rid = random.randint(2000, 0xfffffffe)
2018 trust_mach_sid = f'{self.mach_trust_domain}-{trust_mach_rid}'
2019
2020 # Create the machine account. It needs to be freshly created rather
2021 # than cached if there is a possibility of adding it to one or more
2022 # groups.
2023 if tgs_mach_from_rodc:
2024 # If the machine's TGT is to be issued by an RODC, ensure the
2025 # machine account is allowed to replicate to an RODC.
2026 mach_opts = {
2027 'allowed_replication_mock': True,
2028 'revealed_to_mock_rodc': True,
2029 }
2030 else:
2031 mach_opts = None
2032 mach_creds = self.get_cached_creds(
2033 account_type=self.AccountType.COMPUTER,
2034 opts=mach_opts,
2035 use_cache=mach_use_cache)
2036 mach_dn = mach_creds.get_dn()
2037 mach_dn_str = str(mach_dn)
2038 mach_sid = mach_creds.get_sid()
2039
2040 user_principal = Principal(user_dn, user_sid)
2041 mach_principal = Principal(mach_dn, mach_sid)
2042 trust_user_principal = Principal(None, trust_user_sid)
2043 trust_mach_principal = Principal(None, trust_mach_sid)
2044 preexisting_groups = {
2045 self.user: user_principal,
2046 self.mach: mach_principal,
2047 self.trust_user: trust_user_principal,
2048 self.trust_mach: trust_mach_principal,
2049 }
2050 primary_groups = {}
2051 if primary_group is not None:
2052 primary_groups[user_principal] = primary_group
2053 if mach_primary_group is not None:
2054 primary_groups[mach_principal] = mach_primary_group
2055 groups = self.setup_groups(samdb,
2056 preexisting_groups,
2057 group_setup,
2058 primary_groups)
2059 del group_setup
2060
2061 if tgs_user_sid is None:
2062 tgs_user_sid = user_sid
2063 elif tgs_user_sid in groups:
2064 tgs_user_sid = groups[tgs_user_sid].sid
2065
2066 tgs_user_domain_sid, tgs_user_rid = tgs_user_sid.rsplit('-', 1)
2067
2068 if tgs_mach_sid is None:
2069 tgs_mach_sid = mach_sid
2070 elif tgs_mach_sid in groups:
2071 tgs_mach_sid = groups[tgs_mach_sid].sid
2072
2073 tgs_mach_domain_sid, tgs_mach_rid = tgs_mach_sid.rsplit('-', 1)
2074
2075 expected_groups = self.map_sids(as_expected, groups,
2076 domain_sid)
2077 mach_expected_groups = self.map_sids(as_mach_expected, groups,
2078 domain_sid)
2079 tgs_user_sids_mapped = self.map_sids(tgs_user_sids, groups,
2080 tgs_user_domain_sid)
2081 tgs_mach_sids_mapped = self.map_sids(tgs_mach_sids, groups,
2082 tgs_mach_domain_sid)
2083 tgs_expected_mapped = self.map_sids(tgs_expected, groups,
2084 tgs_user_domain_sid)
2085 tgs_device_expected_mapped = self.map_sids(tgs_device_expected, groups,
2086 tgs_mach_domain_sid)
2087
2088 user_tgt = self.get_tgt(user_creds,
2089 expected_groups=expected_groups,
2090 unexpected_groups=None)
2091
2092 mach_tgt = self.get_tgt(mach_creds,
2093 expected_groups=mach_expected_groups,
2094 unexpected_groups=None)
2095
2096 if tgs_user_sids is not None:
2097 # Replace the SIDs in the user's PAC with the ones provided by the
2098 # test.
2099 user_tgt = self.ticket_with_sids(user_tgt,
2100 tgs_user_sids_mapped,
2101 tgs_user_domain_sid,
2102 tgs_user_rid)
2103
2104 if tgs_mach_sids is not None:
2105 # Replace the SIDs in the machine's PAC with the ones provided by
2106 # the test.
2107 mach_tgt = self.ticket_with_sids(mach_tgt,
2108 tgs_mach_sids_mapped,
2109 tgs_mach_domain_sid,
2110 tgs_mach_rid,
2111 set_user_flags=tgs_mach_set_user_flags,
2112 reset_user_flags=tgs_mach_reset_user_flags,
2113 from_rodc=tgs_mach_from_rodc)
2114 elif tgs_mach_from_rodc:
2115 mach_tgt = self.issued_by_rodc(mach_tgt)
2116
2117 if tgs_mach_removed is not None:
2118 for removed in tgs_mach_removed:
2119 group_dn = self.map_to_dn(removed, groups, domain_sid=None)
2120 self.remove_from_group(mach_dn, group_dn)
2121
2122 if tgs_mach_added is not None:
2123 for added in tgs_mach_added:
2124 group_dn = self.map_to_dn(added, groups, domain_sid=None)
2125 self.add_to_group(mach_dn_str, group_dn, 'member',
2126 expect_attr=False)
2127
2128 subkey = self.RandomKey(user_tgt.session_key.etype)
2129
2130 armor_subkey = self.RandomKey(subkey.etype)
2131 explicit_armor_key = self.generate_armor_key(armor_subkey,
2132 mach_tgt.session_key)
2133 armor_key = kcrypto.cf2(explicit_armor_key.key,
2134 subkey.key,
2135 b'explicitarmor',
2136 b'tgsarmor')
2137 armor_key = Krb5EncryptionKey(armor_key, None)
2138
2139 target_creds, sname = self.get_target(
2140 to_krbtgt=tgs_to_krbtgt,
2141 compound_id=tgs_compound_id,
2142 compression=tgs_compression)
2143 srealm = target_creds.get_realm()
2144
2145 decryption_key = self.TicketDecryptionKey_from_creds(
2146 target_creds)
2147
2148 target_supported_etypes = target_creds.tgs_supported_enctypes
2149
2150 etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
2151
2152 kdc_options = '0'
2153 pac_options = '1' # claims support
2154
2155 requester_sid = None
2156 if tgs_to_krbtgt:
2157 requester_sid = user_sid
2158
2159 expect_resource_groups_flag = None
2160 if tgs_mach_reset_user_flags & netlogon.NETLOGON_RESOURCE_GROUPS:
2161 expect_resource_groups_flag = False
2162 elif tgs_mach_set_user_flags & netlogon.NETLOGON_RESOURCE_GROUPS:
2163 expect_resource_groups_flag = True
2164
2165 # Perform a TGS-REQ with the user account.
2166
2167 kdc_exchange_dict = self.tgs_exchange_dict(
2168 creds=user_creds,
2169 expected_crealm=user_tgt.crealm,
2170 expected_cname=user_tgt.cname,
2171 expected_srealm=srealm,
2172 expected_sname=sname,
2173 expected_account_name=user_name,
2174 ticket_decryption_key=decryption_key,
2175 generate_fast_fn=self.generate_simple_fast,
2176 generate_fast_armor_fn=self.generate_ap_req,
2177 check_rep_fn=self.generic_check_kdc_rep,
2178 check_kdc_private_fn=self.generic_check_kdc_private,
2179 tgt=user_tgt,
2180 armor_key=armor_key,
2181 armor_tgt=mach_tgt,
2182 armor_subkey=armor_subkey,
2183 pac_options=pac_options,
2184 authenticator_subkey=subkey,
2185 kdc_options=kdc_options,
2186 expect_pac=True,
2187 expect_pac_attrs=tgs_to_krbtgt,
2188 expect_pac_attrs_pac_request=tgs_to_krbtgt,
2189 expected_sid=tgs_user_sid,
2190 expected_requester_sid=requester_sid,
2191 expected_domain_sid=tgs_user_domain_sid,
2192 expected_device_domain_sid=tgs_mach_domain_sid,
2193 expected_supported_etypes=target_supported_etypes,
2194 expect_resource_groups_flag=expect_resource_groups_flag,
2195 expected_groups=tgs_expected_mapped,
2196 expect_device_info=bool(tgs_compound_id),
2197 expected_device_groups=tgs_device_expected_mapped)
2198
2199 rep = self._generic_kdc_exchange(kdc_exchange_dict,
2200 cname=None,
2201 realm=srealm,
2202 sname=sname,
2203 etypes=etypes)
2204 self.check_reply(rep, KRB_TGS_REP)
2205
2206
2207 if __name__ == '__main__':
2208 global_asn1_print = False
2209 global_hexdump = False
2210 import unittest
2211 unittest.main()
GSS-enabled samba4