| author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2023-06-14 16:14:42 +1200 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2023-06-25 23:29:32 +0000 |
| commit | a5770669e1a0f68fe2ebec4cdab22376a5d40825 (patch) | |
| tree | 186bf38179ab5c1621aa3a04ab0f60d763e6ce93 /python/samba | |
| parent | 0cfa7f6cff978041665d8688567077a71fb32cc6 (diff) | |
tests/krb5: Improve authentication policy creation
Don’t require passing in an ID to create an authentication policy.
Instead, have create_authn_policy() generate one for us.
We now return an actual AuthenticationPolicy object rather than just a
DN. This will give the tests more details to work with about the
policies.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python/samba')
| -rwxr-xr-x | python/samba/tests/krb5/authn_policy_tests.py | 1071 | ||||
| -rwxr-xr-x | python/samba/tests/krb5/claims_tests.py | 9 | ||||
| -rw-r--r-- | python/samba/tests/krb5/kdc_base_test.py | 31 |
3 files changed, 342 insertions, 769 deletions
diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py index e12faf0d483..58a6f3526ac 100755 --- a/python/samba/tests/krb5/authn_policy_tests.py +++ b/python/samba/tests/krb5/authn_policy_tests.py @@ -30,6 +30,7 @@ import ldb from samba import dsdb, ntstatus from samba.dcerpc import netlogon, security from samba.ndr import ndr_pack +from samba.netcmd.domain.models import AuthenticationPolicy, AuthenticationSilo import samba.tests.krb5.kcrypto as kcrypto from samba.tests.krb5.kdc_base_test import GroupType @@ -129,10 +130,10 @@ class AuthnPolicyTests(KdcTgsBaseTests): if member_of is not None: members += (member_of,) if assigned_policy is not None: - opts['assigned_policy'] = str(assigned_policy) + opts['assigned_policy'] = str(assigned_policy.dn) cached = False # Policies are rarely reused between accounts. if assigned_silo is not None: - opts['assigned_silo'] = str(assigned_silo) + opts['assigned_silo'] = str(assigned_silo.dn) cached = False # Silos are rarely reused between accounts. if allowed_rodc: opts['allowed_replication_mock'] = True @@ -150,9 +151,7 @@ class AuthnPolicyTests(KdcTgsBaseTests): user_life = 111 computer_life = 222 service_life = 333 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=user_life, computer_tgt_lifetime=computer_life, service_tgt_lifetime=service_life) @@ -172,9 +171,7 @@ class AuthnPolicyTests(KdcTgsBaseTests): user_life = 111 computer_life = 222 service_life = 333 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=user_life, computer_tgt_lifetime=computer_life, service_tgt_lifetime=service_life) 
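Review bot: In the `@@ -129,10 +130,10 @@` hunk the `assigned_policy` and `assigned_silo` options now dereference `.dn`, so the helper that builds `opts` (presumably `_get_creds`, whose signature is outside the hunk) silently changes its contract from "DN string" to "model object": a caller still passing a DN, as every caller did before this commit, fails with an AttributeError inside `str(assigned_policy.dn)` rather than with a message that names the parameter. Document the new contract where the parameters are declared, e.g. `# assigned_policy / assigned_silo: AuthenticationPolicy / AuthenticationSilo model objects, not DNs`, or accept both forms during the transition with `str(getattr(assigned_policy, 'dn', assigned_policy))`. The first hunk also imports `AuthenticationPolicy` and `AuthenticationSilo` from `samba.netcmd.domain.models`; neither name appears in the hunks visible here, so unless they are used further down the file the import is unused, which I cannot confirm from this view.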
@@ -195,9 +192,7 @@ class AuthnPolicyTests(KdcTgsBaseTests): user_life = 111 computer_life = 222 service_life = 333 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=user_life, computer_tgt_lifetime=computer_life, service_tgt_lifetime=service_life) @@ -220,28 +215,22 @@ class AuthnPolicyTests(KdcTgsBaseTests): user_life = 111 computer_life = 222 service_life = 333 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=user_life, computer_tgt_lifetime=computer_life, service_tgt_lifetime=service_life) # Create a second policy with different lifetimes, so we can verify the # correct policy is enforced. - wrong_policy_id = self.get_new_username() - wrong_policy = self.create_authn_policy(wrong_policy_id, - enforced=True, + wrong_policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=444, computer_tgt_lifetime=555, service_tgt_lifetime=666) # Create an authentication silo with our existing policies. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - user_policy=str(policy), - computer_policy=str(wrong_policy), - service_policy=str(wrong_policy), + silo = self.create_authn_silo(user_policy=policy, + computer_policy=wrong_policy, + service_policy=wrong_policy, enforced=True) # Create a user account assigned to the silo. @@ -250,7 +239,8 @@ class AuthnPolicyTests(KdcTgsBaseTests): client_dn_str = str(client_creds.get_dn()) # Add the user to the silo as a member. - self.add_to_group(client_dn_str, silo, 'msDS-AuthNPolicySiloMembers', + self.add_to_group(client_dn_str, silo.dn, + 'msDS-AuthNPolicySiloMembers', expect_attr=False) # Request a Kerberos ticket with a lifetime of two hours, and assert 
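Review bot: In the `@@ -250,7 +239,8 @@` hunk the silo membership call passes `silo.dn` unconverted while the line above deliberately stringifies the other DN (`client_dn_str = str(client_creds.get_dn())`), so `add_to_group` now receives one `str` and one object of whatever type the model's `dn` attribute is, likely an `ldb.Dn`. If `add_to_group` does not stringify its second argument itself this produces a type error at the LDB modify rather than a clear test failure; `self.add_to_group(client_dn_str, str(silo.dn),` keeps both arguments in the form the helper was already being given. The same pattern recurs in every `msDS-AuthNPolicySiloMembers` hunk on the following lines (the `@@ -293`, `-337`, `-386`, `-430`, `-476`, `-768`, `-802`, `-835`, `-867`, `-907`, `-951`, `-994` and `-1036` hunks), so one fix in the helper or one consistent `str()` at the call sites covers all of them. The enclosing test methods start outside these hunks.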
@@ -265,26 +255,20 @@ class AuthnPolicyTests(KdcTgsBaseTests): user_life = 111 computer_life = 222 service_life = 333 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=user_life, computer_tgt_lifetime=computer_life, service_tgt_lifetime=service_life) - wrong_policy_id = self.get_new_username() - wrong_policy = self.create_authn_policy(wrong_policy_id, - enforced=True, + wrong_policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=444, computer_tgt_lifetime=555, service_tgt_lifetime=666) # Create an authentication silo with our existing policies. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - user_policy=str(wrong_policy), - computer_policy=str(policy), - service_policy=str(wrong_policy), + silo = self.create_authn_silo(user_policy=wrong_policy, + computer_policy=policy, + service_policy=wrong_policy, enforced=True) # Create a computer account assigned to the silo. @@ -293,7 +277,8 @@ class AuthnPolicyTests(KdcTgsBaseTests): client_dn_str = str(client_creds.get_dn()) # Add the computer to the silo as a member. - self.add_to_group(client_dn_str, silo, 'msDS-AuthNPolicySiloMembers', + self.add_to_group(client_dn_str, silo.dn, + 'msDS-AuthNPolicySiloMembers', expect_attr=False) # Request a Kerberos ticket with a lifetime of two hours, and assert 
@@ -308,26 +293,20 @@ class AuthnPolicyTests(KdcTgsBaseTests): user_life = 111 computer_life = 222 service_life = 333 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=user_life, computer_tgt_lifetime=computer_life, service_tgt_lifetime=service_life) - wrong_policy_id = self.get_new_username() - wrong_policy = self.create_authn_policy(wrong_policy_id, - enforced=True, + wrong_policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=444, computer_tgt_lifetime=555, service_tgt_lifetime=666) # Create an authentication silo with our existing policies. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - user_policy=str(wrong_policy), - computer_policy=str(wrong_policy), - service_policy=str(policy), + silo = self.create_authn_silo(user_policy=wrong_policy, + computer_policy=wrong_policy, + service_policy=policy, enforced=True) # Create a managed service account assigned to the silo. @@ -337,7 +316,8 @@ class AuthnPolicyTests(KdcTgsBaseTests): client_dn_str = str(client_creds.get_dn()) # Add the managed service account to the silo as a member. - self.add_to_group(client_dn_str, silo, 'msDS-AuthNPolicySiloMembers', + self.add_to_group(client_dn_str, silo.dn, + 'msDS-AuthNPolicySiloMembers', expect_attr=False) # Request a Kerberos ticket with a lifetime of two hours, and assert 
@@ -355,28 +335,22 @@ class AuthnPolicyTests(KdcTgsBaseTests): user_life = 111 computer_life = 222 service_life = 333 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=user_life, computer_tgt_lifetime=computer_life, service_tgt_lifetime=service_life) # Create a second policy with different lifetimes, so we can verify the # correct policy is enforced. - wrong_policy_id = self.get_new_username() - wrong_policy = self.create_authn_policy(wrong_policy_id, - enforced=True, + wrong_policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=444, computer_tgt_lifetime=555, service_tgt_lifetime=666) # Create an authentication silo with our existing policies. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - user_policy=str(policy), - computer_policy=str(wrong_policy), - service_policy=str(wrong_policy), + silo = self.create_authn_silo(user_policy=policy, + computer_policy=wrong_policy, + service_policy=wrong_policy, enforced=True) # Create a user account assigned to the silo, and also to a policy. @@ -386,7 +360,8 @@ class AuthnPolicyTests(KdcTgsBaseTests): client_dn_str = str(client_creds.get_dn()) # Add the user to the silo as a member. - self.add_to_group(client_dn_str, silo, 'msDS-AuthNPolicySiloMembers', + self.add_to_group(client_dn_str, silo.dn, + 'msDS-AuthNPolicySiloMembers', expect_attr=False) # Request a Kerberos ticket with a lifetime of two hours, and assert 
@@ -401,26 +376,20 @@ class AuthnPolicyTests(KdcTgsBaseTests): user_life = 111 computer_life = 222 service_life = 333 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=user_life, computer_tgt_lifetime=computer_life, service_tgt_lifetime=service_life) - wrong_policy_id = self.get_new_username() - wrong_policy = self.create_authn_policy(wrong_policy_id, - enforced=True, + wrong_policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=444, computer_tgt_lifetime=555, service_tgt_lifetime=666) # Create an authentication silo with our existing policies. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - user_policy=str(wrong_policy), - computer_policy=str(policy), - service_policy=str(wrong_policy), + silo = self.create_authn_silo(user_policy=wrong_policy, + computer_policy=policy, + service_policy=wrong_policy, enforced=True) # Create a computer account assigned to the silo, and also to a policy. @@ -430,7 +399,8 @@ class AuthnPolicyTests(KdcTgsBaseTests): client_dn_str = str(client_creds.get_dn()) # Add the computer to the silo as a member. - self.add_to_group(client_dn_str, silo, 'msDS-AuthNPolicySiloMembers', + self.add_to_group(client_dn_str, silo.dn, + 'msDS-AuthNPolicySiloMembers', expect_attr=False) # Request a Kerberos ticket with a lifetime of two hours, and assert 
@@ -445,26 +415,20 @@ class AuthnPolicyTests(KdcTgsBaseTests): user_life = 111 computer_life = 222 service_life = 333 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=user_life, computer_tgt_lifetime=computer_life, service_tgt_lifetime=service_life) - wrong_policy_id = self.get_new_username() - wrong_policy = self.create_authn_policy(wrong_policy_id, - enforced=True, + wrong_policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=444, computer_tgt_lifetime=555, service_tgt_lifetime=666) # Create an authentication silo with our existing policies. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - user_policy=str(wrong_policy), - computer_policy=str(wrong_policy), - service_policy=str(policy), + silo = self.create_authn_silo(user_policy=wrong_policy, + computer_policy=wrong_policy, + service_policy=policy, enforced=True) # Create a managed service account assigned to the silo, and also to a @@ -476,7 +440,8 @@ class AuthnPolicyTests(KdcTgsBaseTests): client_dn_str = str(client_creds.get_dn()) # Add the managed service account to the silo as a member. - self.add_to_group(client_dn_str, silo, 'msDS-AuthNPolicySiloMembers', + self.add_to_group(client_dn_str, silo.dn, + 'msDS-AuthNPolicySiloMembers', expect_attr=False) # Request a Kerberos ticket with a lifetime of two hours, and assert @@ -492,9 +457,7 @@ class AuthnPolicyTests(KdcTgsBaseTests): # lifetime set. INT64_MAX = 0x7fff_ffff_ffff_ffff max_lifetime = INT64_MAX // 10_000_000 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=max_lifetime) # Create a user account with the assigned policy. 
@@ -515,9 +478,7 @@ class AuthnPolicyTests(KdcTgsBaseTests): # lifetime set. INT64_MIN = -0x8000_0000_0000_0000 min_lifetime = round(INT64_MIN / 10_000_000) - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=min_lifetime) # Create a user account with the assigned policy. @@ -535,9 +496,7 @@ class AuthnPolicyTests(KdcTgsBaseTests): def test_authn_policy_tgt_lifetime_zero(self): # Create an authentication policy with the TGT lifetime set to zero. lifetime = 0 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=lifetime) # Create a user account with the assigned policy. @@ -558,9 +517,7 @@ class AuthnPolicyTests(KdcTgsBaseTests): # Create an authentication policy with the TGT lifetime set to one # second. lifetime = 1 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=lifetime) # Create a user account with the assigned policy. @@ -579,9 +536,7 @@ class AuthnPolicyTests(KdcTgsBaseTests): # Create an authentication policy with the TGT lifetime set to two # minutes (the lifetime of a kpasswd ticket). lifetime = 2 * 60 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=lifetime) # Create a user account with the assigned policy. 
@@ -599,9 +554,7 @@ class AuthnPolicyTests(KdcTgsBaseTests): def test_authn_policy_tgt_lifetime_short_protected(self): # Create an authentication policy with a short TGT lifetime set. lifetime = 111 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=lifetime) # Create a user account with the assigned policy, belonging to the @@ -621,9 +574,7 @@ class AuthnPolicyTests(KdcTgsBaseTests): # Create an authentication policy with a long TGT lifetime set. This # exceeds the lifetime of four hours enforced by Protected Users. lifetime = 6 * 60 * 60 # 6 hours - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=lifetime) # Create a user account with the assigned policy, belonging to the @@ -642,9 +593,7 @@ class AuthnPolicyTests(KdcTgsBaseTests): def test_authn_policy_tgt_lifetime_zero_protected(self): # Create an authentication policy with the TGT lifetime set to zero. - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=0) # Create a user account with the assigned policy, belonging to the @@ -663,9 +612,7 @@ class AuthnPolicyTests(KdcTgsBaseTests): def test_authn_policy_tgt_lifetime_none_protected(self): # Create an authentication policy with no TGT lifetime set. - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True) + policy = self.create_authn_policy(enforced=True) # Create a user account with the assigned policy, belonging to the # Protected Users group. 
@@ -684,9 +631,7 @@ class AuthnPolicyTests(KdcTgsBaseTests): def test_authn_policy_tgt_lifetime_unenforced_protected(self): # Create an unenforced authentication policy with a TGT lifetime set. lifetime = 123 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=False, + policy = self.create_authn_policy(enforced=False, user_tgt_lifetime=lifetime) # Create a user account with the assigned policy, belonging to the @@ -707,9 +652,7 @@ class AuthnPolicyTests(KdcTgsBaseTests): # Create an authentication policy with the TGT lifetime set. The policy # is not enforced. lifetime = 123 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - user_tgt_lifetime=lifetime) + policy = self.create_authn_policy(user_tgt_lifetime=lifetime) # Create a user account with the assigned policy. client_creds = self._get_creds(account_type=self.AccountType.USER, @@ -729,9 +672,7 @@ class AuthnPolicyTests(KdcTgsBaseTests): # Create an authentication policy with the TGT lifetime set. The policy # is set to be unenforced. lifetime = 123 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=False, + policy = self.create_authn_policy(enforced=False, user_tgt_lifetime=lifetime) # Create a user account with the assigned policy. 
@@ -751,16 +692,12 @@ class AuthnPolicyTests(KdcTgsBaseTests): def test_authn_silo_not_enforced(self): # Create an authentication policy with the TGT lifetime set. lifetime = 123 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=lifetime) # Create an authentication silo with our existing policy. The silo is # not enforced. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - user_policy=str(policy)) + silo = self.create_authn_silo(user_policy=policy) # Create a user account assigned to the silo. client_creds = self._get_creds(account_type=self.AccountType.USER, @@ -768,7 +705,8 @@ class AuthnPolicyTests(KdcTgsBaseTests): client_dn_str = str(client_creds.get_dn()) # Add the user to the silo as a member. - self.add_to_group(client_dn_str, silo, 'msDS-AuthNPolicySiloMembers', + self.add_to_group(client_dn_str, silo.dn, + 'msDS-AuthNPolicySiloMembers', expect_attr=False) # Request a Kerberos ticket with a ‘till’ time far in the @@ -784,16 +722,12 @@ class AuthnPolicyTests(KdcTgsBaseTests): def test_authn_silo_unenforced(self): # Create an authentication policy with the TGT lifetime set. lifetime = 123 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=lifetime) # Create an authentication silo with our existing policy. The silo is # set to be unenforced. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - user_policy=str(policy), + silo = self.create_authn_silo(user_policy=policy, enforced=False) # Create a user account assigned to the silo. 
@@ -802,7 +736,8 @@ class AuthnPolicyTests(KdcTgsBaseTests): client_dn_str = str(client_creds.get_dn()) # Add the user to the silo as a member. - self.add_to_group(client_dn_str, silo, 'msDS-AuthNPolicySiloMembers', + self.add_to_group(client_dn_str, silo.dn, + 'msDS-AuthNPolicySiloMembers', expect_attr=False) # Request a Kerberos ticket with a ‘till’ time far in the @@ -819,14 +754,10 @@ class AuthnPolicyTests(KdcTgsBaseTests): # Create an authentication policy with the TGT lifetime set. The policy # is not enforced. lifetime = 123 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - user_tgt_lifetime=lifetime) + policy = self.create_authn_policy(user_tgt_lifetime=lifetime) # Create an authentication silo with our existing policy. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - user_policy=str(policy), + silo = self.create_authn_silo(user_policy=policy, enforced=True) # Create a user account assigned to the silo. @@ -835,7 +766,8 @@ class AuthnPolicyTests(KdcTgsBaseTests): client_dn_str = str(client_creds.get_dn()) # Add the user to the silo as a member. - self.add_to_group(client_dn_str, silo, 'msDS-AuthNPolicySiloMembers', + self.add_to_group(client_dn_str, silo.dn, + 'msDS-AuthNPolicySiloMembers', expect_attr=False) # Request a Kerberos ticket with a lifetime of two hours. Despite the 
@@ -850,15 +782,11 @@ class AuthnPolicyTests(KdcTgsBaseTests): # Create an authentication policy with the TGT lifetime set. The policy # is set to be unenforced. lifetime = 123 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=False, + policy = self.create_authn_policy(enforced=False, user_tgt_lifetime=lifetime) # Create an authentication silo with our existing policy. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - user_policy=str(policy), + silo = self.create_authn_silo(user_policy=policy, enforced=True) # Create a user account assigned to the silo. @@ -867,7 +795,8 @@ class AuthnPolicyTests(KdcTgsBaseTests): client_dn_str = str(client_creds.get_dn()) # Add the user to the silo as a member. - self.add_to_group(client_dn_str, silo, 'msDS-AuthNPolicySiloMembers', + self.add_to_group(client_dn_str, silo.dn, + 'msDS-AuthNPolicySiloMembers', expect_attr=False) # Request a Kerberos ticket with a lifetime of two hours. Despite the 
@@ -881,23 +810,17 @@ class AuthnPolicyTests(KdcTgsBaseTests): def test_authn_silo_not_enforced_and_assigned_policy(self): # Create an authentication policy with the TGT lifetime set. silo_lifetime = 123 - silo_policy_id = self.get_new_username() - silo_policy = self.create_authn_policy(silo_policy_id, - enforced=True, + silo_policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=silo_lifetime) # Create an authentication silo with our existing policy. The silo is # not enforced. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - user_policy=str(silo_policy)) + silo = self.create_authn_silo(user_policy=silo_policy) # Create a second policy with a different lifetime, so we can verify # the correct policy is enforced. lifetime = 456 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=lifetime) # Create a user account assigned to the silo, and also to the policy. @@ -907,7 +830,8 @@ class AuthnPolicyTests(KdcTgsBaseTests): client_dn_str = str(client_creds.get_dn()) # Add the user to the silo as a member. - self.add_to_group(client_dn_str, silo, 'msDS-AuthNPolicySiloMembers', + self.add_to_group(client_dn_str, silo.dn, + 'msDS-AuthNPolicySiloMembers', expect_attr=False) # Request a Kerberos ticket with a ‘till’ time far in the 
@@ -924,24 +848,18 @@ class AuthnPolicyTests(KdcTgsBaseTests): def test_authn_silo_unenforced_and_assigned_policy(self): # Create an authentication policy with the TGT lifetime set. silo_lifetime = 123 - silo_policy_id = self.get_new_username() - silo_policy = self.create_authn_policy(silo_policy_id, - enforced=True, + silo_policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=silo_lifetime) # Create an authentication silo with our existing policy. The silo is # set to be unenforced. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - user_policy=str(silo_policy), + silo = self.create_authn_silo(user_policy=silo_policy, enforced=False) # Create a second policy with a different lifetime, so we can verify # the correct policy is enforced. lifetime = 456 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=lifetime) # Create a user account assigned to the silo, and also to the policy. @@ -951,7 +869,8 @@ class AuthnPolicyTests(KdcTgsBaseTests): client_dn_str = str(client_creds.get_dn()) # Add the user to the silo as a member. - self.add_to_group(client_dn_str, silo, 'msDS-AuthNPolicySiloMembers', + self.add_to_group(client_dn_str, silo.dn, + 'msDS-AuthNPolicySiloMembers', expect_attr=False) # Request a Kerberos ticket with a ‘till’ time far in the 
@@ -969,22 +888,16 @@ class AuthnPolicyTests(KdcTgsBaseTests): # Create an authentication policy with the TGT lifetime set. The policy # is not enforced. silo_lifetime = 123 - silo_policy_id = self.get_new_username() - silo_policy = self.create_authn_policy(silo_policy_id, - user_tgt_lifetime=silo_lifetime) + silo_policy = self.create_authn_policy(user_tgt_lifetime=silo_lifetime) # Create an authentication silo with our existing policy. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - user_policy=str(silo_policy), + silo = self.create_authn_silo(user_policy=silo_policy, enforced=True) # Create a second policy with a different lifetime, so we can verify # the correct policy is enforced. lifetime = 456 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=lifetime) # Create a user account assigned to the silo, and also to the policy. @@ -994,7 +907,8 @@ class AuthnPolicyTests(KdcTgsBaseTests): client_dn_str = str(client_creds.get_dn()) # Add the user to the silo as a member. - self.add_to_group(client_dn_str, silo, 'msDS-AuthNPolicySiloMembers', + self.add_to_group(client_dn_str, silo.dn, + 'msDS-AuthNPolicySiloMembers', expect_attr=False) # Request a Kerberos ticket with a lifetime of two hours. Despite the 
@@ -1010,23 +924,17 @@ class AuthnPolicyTests(KdcTgsBaseTests): # Create an authentication policy with the TGT lifetime set. The policy # is set to be unenforced. silo_lifetime = 123 - silo_policy_id = self.get_new_username() - silo_policy = self.create_authn_policy(silo_policy_id, - enforced=False, + silo_policy = self.create_authn_policy(enforced=False, user_tgt_lifetime=silo_lifetime) # Create an authentication silo with our existing policy. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - user_policy=str(silo_policy), + silo = self.create_authn_silo(user_policy=silo_policy, enforced=True) # Create a second policy with a different lifetime, so we can verify # the correct policy is enforced. lifetime = 456 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=lifetime) # Create a user account assigned to the silo, and also to the policy. @@ -1036,7 +944,8 @@ class AuthnPolicyTests(KdcTgsBaseTests): client_dn_str = str(client_creds.get_dn()) # Add the user to the silo as a member. - self.add_to_group(client_dn_str, silo, 'msDS-AuthNPolicySiloMembers', + self.add_to_group(client_dn_str, silo.dn, + 'msDS-AuthNPolicySiloMembers', expect_attr=False) # Request a Kerberos ticket with a lifetime of two hours. Despite the 
@@ -1051,15 +960,11 @@ class AuthnPolicyTests(KdcTgsBaseTests): def test_authn_silo_not_a_member(self): # Create an authentication policy with the TGT lifetime set. lifetime = 123 - policy_id = self.get_new_username() - policy = self.create_authn_policy(policy_id, - enforced=True, + policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=lifetime) # Create an authentication silo with our existing policy. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - user_policy=str(policy), + silo = self.create_authn_silo(user_policy=policy, enforced=True) # Create a user account assigned to the silo. @@ -1081,23 +986,17 @@ class AuthnPolicyTests(KdcTgsBaseTests): def test_authn_silo_not_a_member_and_assigned_policy(self): # Create an authentication policy with the TGT lifetime set. silo_lifetime = 123 - silo_policy_id = self.get_new_username() - silo_policy = self.create_authn_policy(silo_policy_id, - enforced=True, + silo_policy = self.create_authn_policy(enforced=True, user_tgt_lifetime=silo_lifetime) # Create an authentication silo with our existing policy. - silo_id = self.get_new_username() - silo = self.create_authn_silo(silo_id, - |
