-
Notifications
You must be signed in to change notification settings - Fork 93
/
Copy pathAuthorizationsTests.cs
140 lines (116 loc) · 4.78 KB
/
AuthorizationsTests.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
// -----------------------------------------------------------------------
// Licensed to The .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
// -----------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Kerberos.NET;
using Kerberos.NET.Crypto;
using Kerberos.NET.Entities;
using Microsoft.VisualStudio.TestTools.UnitTesting;
namespace Tests.Kerberos.NET
{
[TestClass]
public class AuthorizationsTests : BaseTest
{
private static async Task<KerberosIdentity> GenerateAuthZ()
{
var authenticator = new KerberosAuthenticator(new KerberosValidator(new KerberosKey("P@ssw0rd!"))
{
ValidateAfterDecrypt = DefaultActions
});
var authenticated = await authenticator.Authenticate(Convert.FromBase64String(TicketContainingDelegation));
Assert.IsNotNull(authenticated);
var identity = authenticated as KerberosIdentity;
Assert.IsNotNull(identity);
return identity;
}
private static IEnumerable<T> AssertAllAreRestrictionType<T>(KerberosIdentity identity, AuthorizationDataType type, int expectedCount)
where T : Restriction
{
if (identity.Restrictions.TryGetValue(type, out IEnumerable<Restriction> restrictions))
{
Assert.IsNotNull(restrictions);
}
Assert.AreEqual(expectedCount, restrictions.Count());
var typedRestrictions = restrictions.Select(r => r as T).Where(r => r != null);
Assert.AreEqual(expectedCount, typedRestrictions.Count());
return typedRestrictions;
}
[TestMethod]
public async Task RestrictionType_ETypeNegotiation()
{
var restrictionsSet = AssertAllAreRestrictionType<ETypeNegotiationRestriction>(
await GenerateAuthZ(),
AuthorizationDataType.AdETypeNegotiation,
1
);
foreach (var etype in restrictionsSet)
{
Assert.IsNotNull(etype);
Assert.AreEqual(3, etype.ETypes.Count());
Assert.AreEqual(EncryptionType.AES256_CTS_HMAC_SHA1_96, etype.ETypes.ElementAt(0));
Assert.AreEqual(EncryptionType.AES128_CTS_HMAC_SHA1_96, etype.ETypes.ElementAt(1));
Assert.AreEqual(EncryptionType.RC4_HMAC_NT, etype.ETypes.ElementAt(2));
}
}
[TestMethod]
public async Task RestrictionType_TokenRestrictions()
{
var restrictionsSet = AssertAllAreRestrictionType<KerbAuthDataTokenRestriction>(
await GenerateAuthZ(),
AuthorizationDataType.KerbAuthDataTokenRestrictions,
2
);
foreach (var restrictions in restrictionsSet)
{
Assert.AreEqual(0, restrictions.RestrictionType);
Assert.IsNotNull(restrictions.Restriction);
Assert.AreEqual(IntegrityLevels.High, restrictions.Restriction.TokenIntegrityLevel);
Assert.AreEqual(TokenTypes.Full, restrictions.Restriction.Flags);
Assert.IsNotNull(restrictions.Restriction.MachineId);
}
}
[TestMethod]
public async Task RestrictionType_KerbLocal()
{
var restrictionsSet = AssertAllAreRestrictionType<KerbLocalRestriction>(
await GenerateAuthZ(),
AuthorizationDataType.KerbLocal,
2
);
foreach (var local in restrictionsSet)
{
Assert.IsNotNull(local.Value);
}
}
[TestMethod]
public async Task RestrictionType_ApOptions()
{
var restrictionsSet = AssertAllAreRestrictionType<KerbApOptionsRestriction>(
await GenerateAuthZ(),
AuthorizationDataType.KerbApOptions,
1
);
foreach (var options in restrictionsSet)
{
Assert.AreEqual(ApOptions.ChannelBindingSupported, options.Options);
}
}
[TestMethod]
public async Task RestrictionType_KerbServiceTarget()
{
var restrictionsSet = AssertAllAreRestrictionType<KerbServiceTargetRestriction>(
await GenerateAuthZ(),
AuthorizationDataType.KerbServiceTarget,
1
);
foreach (var serviceName in restrictionsSet)
{
Assert.AreEqual("host/[email protected]", serviceName.ServiceName);
}
}
}
}