| author | Andrew Bartlett <abartlet@samba.org> | 2024-03-05 12:38:06 +1300 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2024-03-05 02:54:36 +0000 |
| commit | fb219d545bb3bd328200a3097b52594617fc246a (patch) | |
| tree | 891f2a32b1e70c55759cf0e9e04536a334e43462 /python | |
| parent | 9b0330ea3f5d5b41f84356ec54a2e5a6ecbbaccd (diff) | |
selftest: Assert that the provision KDS root key is already valid for use
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Diffstat (limited to 'python')
| -rw-r--r-- | python/samba/tests/dsdb_quiet_provision_tests.py | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/python/samba/tests/dsdb_quiet_provision_tests.py b/python/samba/tests/dsdb_quiet_provision_tests.py
index da642a7a94d..81ef3ceb74f 100644
--- a/python/samba/tests/dsdb_quiet_provision_tests.py
+++ b/python/samba/tests/dsdb_quiet_provision_tests.py
@@ -28,6 +28,11 @@ from samba.credentials import Credentials
 from samba.samdb import SamDB
 from samba.auth import system_session
 from samba.tests import TestCase
+from samba.gkdi import (
+ KEY_CYCLE_DURATION,
+ MAX_CLOCK_SKEW
+)
+from samba.nt_time import nt_now
 import ldb
 import samba
@@ -48,12 +53,17 @@ class DsdbQuietProvisionTests(TestCase):
 def test_dsdb_dn_gkdi_gmsa_root_keys_exist(self):
 """In provision we set up a GKDI root key.
- There should always be at least one.
+ There should always be at least one that is already valid
 """
+ current_time = nt_now()
+ # We need the GKDI key to be already available for use
+ min_use_start_time = current_time \
+ - KEY_CYCLE_DURATION - MAX_CLOCK_SKEW
+
 dn = self.samdb.get_config_basedn()
 dn.add_child("CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services")
 res = self.samdb.search(dn, scope=ldb.SCOPE_SUBTREE,
- expression="(objectClass = msKds-ProvRootKey)")
+ expression=f"(&(objectClass = msKds-ProvRootKey)(msKds-UseStartTime<={min_use_start_time}))")
 self.assertGreater(len(res), 0) |
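Review bot: The combined filter in `test_dsdb_dn_gkdi_gmsa_root_keys_exist` makes a failure ambiguous, because `self.assertGreater(len(res), 0)` now fails identically whether provision created no root key at all or created one whose `msKds-UseStartTime` is still too recent. Passing a message, for example `self.assertGreater(len(res), 0, "no KDS root key with msKds-UseStartTime <= now - KEY_CYCLE_DURATION - MAX_CLOCK_SKEW")`, or keeping the original existence search as a separate first assertion, would tell the two cases apart. The comment above `min_use_start_time` could also say why a full key cycle plus the skew allowance is subtracted instead of comparing against `current_time` directly; presumably a root key only counts as usable once its start time precedes the current key cycle, but that reasoning is not visible in the hunk. Because the bound is derived from `nt_now()` at test time, the check only demonstrates that provision backdates the key when the test runs soon after provisioning, which is worth a sentence in the docstring.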
