Merge pull request #277 from dotnet/bugfix/tgt-flags-carry

Bugfix/tgt flags carry
dotnet · Jan 8, 2022 · bb10bd9 · bb10bd9
2 parents 5be1571 + 404bef2
commit bb10bd9
Show file tree

Hide file tree

Showing 6 changed files with 78 additions and 6 deletions.
diff --git a/Bruce/CommandLine/KerberosInitCommand.cs b/Bruce/CommandLine/KerberosInitCommand.cs
@@ -219,6 +219,7 @@ private void SetClientProperties(KerberosClient client)
             SetClientProperty(this.Renew, client, AuthenticationOptions.Renew);
             SetClientProperty(this.Renewable, client, AuthenticationOptions.Renewable);
             SetClientProperty(this.Canonicalize, client, AuthenticationOptions.Canonicalize);
+            SetClientProperty(this.Forward, client, AuthenticationOptions.Forwardable);
 
             if (this.RenewLifetime.HasValue)
             {

diff --git a/Bruce/CommandLine/KerberosListCommand.cs b/Bruce/CommandLine/KerberosListCommand.cs
@@ -54,6 +54,9 @@ public KerberosListCommand(CommandLineParameters parameters)
         [CommandLineParameter("tgt", Description = "ShowTgt")]
         public bool ShowTgt { get; set; }
 
+        [CommandLineParameter("renew", Description = "RenewTicket")]
+        public bool RenewTgt { get; set; }
+
         public override async Task<bool> Execute()
         {
             if (await base.Execute())
@@ -90,6 +93,11 @@ public override async Task<bool> Execute()
                 await this.DumpServiceTicket(client);
             }
 
+            if (this.RenewTgt)
+            {
+                await this.RenewServiceTicket(client);
+            }
+
             this.ListTickets(client.Configuration.Defaults.DefaultCCacheName);
 
             if (this.DescribeClient)
@@ -105,6 +113,14 @@ public override async Task<bool> Execute()
             return true;
         }
 
+        private async Task RenewServiceTicket(KerberosClient client)
+        {
+            await ExecuteWithErrorHandling(
+                client,
+                async c => await c.RenewTicket()
+            );
+        }
+
         private async Task DumpServiceTicket(KerberosClient client)
         {
             var rep = await client.GetServiceTicket(this.DumpServicePrincipalName);
@@ -154,11 +170,11 @@ private void DescribeClientDetails(KerberosClient client)
             this.IO.ListProperties(client);
         }
 
-        private async Task GetServiceTicket(KerberosClient client)
+        private async Task ExecuteWithErrorHandling(KerberosClient client, Func<KerberosClient, Task> function)
         {
             try
             {
-                await client.GetServiceTicket(this.ServicePrincipalName);
+                await function(client);
             }
             catch (AggregateException aex)
             {
@@ -193,6 +209,14 @@ private async Task GetServiceTicket(KerberosClient client)
             }
         }
 
+        private async Task GetServiceTicket(KerberosClient client)
+        {
+            await ExecuteWithErrorHandling(
+                client,
+                async c => await c.GetServiceTicket(this.ServicePrincipalName)
+            );
+        }
+
         private void ListTickets(string cache)
         {
             TicketCacheBase.TryParseCacheType(cache, out _, out string path);

diff --git a/Kerberos.NET/Client/KerberosClient.cs b/Kerberos.NET/Client/KerberosClient.cs
@@ -567,6 +567,7 @@ public async Task<ApplicationSessionContext> GetServiceTicket(
                         var tgtEntry = this.CopyTicket(tgtCacheName);
 
                         rst.Realm = ResolveKdcTarget(tgtEntry);
+                        rst.KdcOptions = ReconcileKdcFlags(rst.KdcOptions, tgtEntry.Flags);
 
                         serviceTicketCacheEntry = await this.RequestTgs(rst, tgtEntry, cancellation).ConfigureAwait(false);
 
@@ -687,6 +688,28 @@ out KrbAuthenticator authenticator
             }
         }
 
+        private static KdcOptions ReconcileKdcFlags(KdcOptions options, TicketFlags ticketFlags)
+        {
+            SetKdcOptionsFlag(ticketFlags, TicketFlags.Forwardable, KdcOptions.Forwardable, ref options);
+            SetKdcOptionsFlag(ticketFlags, TicketFlags.Forwarded, KdcOptions.Forwarded, ref options);
+            SetKdcOptionsFlag(ticketFlags, TicketFlags.Renewable, KdcOptions.Renewable, ref options);
+
+            return options;
+        }
+
+        private static void SetKdcOptionsFlag(
+            TicketFlags ticketFlags,
+            TicketFlags ticketFlag,
+            KdcOptions kdcFlag,
+            ref KdcOptions options
+        )
+        {
+            if ((ticketFlags & ticketFlag) == 0)
+            {
+                options &= ~kdcFlag;
+            }
+        }
+
         private void SetupCache()
         {
             if (this.cacheSet || this.CacheInMemory)
@@ -1017,7 +1040,7 @@ public async Task RenewTicket(string spn = null)
                 new RequestServiceTicket
                 {
                     ServicePrincipalName = spn,
-                    KdcOptions = this.KdcOptions | KdcOptions.Renew | KdcOptions.RenewableOk,
+                    KdcOptions = ReconcileKdcFlags(this.KdcOptions, entry.Flags) | KdcOptions.Renew | KdcOptions.RenewableOk,
                     Realm = ResolveKdcTarget(entry)
                 },
                 entry.SessionKey,

diff --git a/Kerberos.NET/Entities/Pac/PrivilegedAttributeCertificate.cs b/Kerberos.NET/Entities/Pac/PrivilegedAttributeCertificate.cs
@@ -126,6 +126,7 @@ private void ParsePacType(PacType type, ReadOnlyMemory<byte> pacInfoBuffer, out
 
             if (!KnownTypes.TryGetValue(type, out Type pacObjectType))
             {
+                this.Attributes[type] = new UnknownPacObject(type, pacInfoBuffer);
                 return;
             }
 

diff --git a/Kerberos.NET/Ndr/PacObject.cs b/Kerberos.NET/Ndr/PacObject.cs
@@ -7,6 +7,29 @@
 
 namespace Kerberos.NET.Entities.Pac
 {
+    internal sealed class UnknownPacObject : PacObject
+    {
+        public UnknownPacObject(PacType type, ReadOnlyMemory<byte> blob)
+        {
+            this.PacType = type;
+            this.Blob = blob;
+        }
+
+        public override PacType PacType { get; }
+
+        public ReadOnlyMemory<byte> Blob { get; private set; }
+
+        public override ReadOnlyMemory<byte> Marshal()
+        {
+            return this.Blob;
+        }
+
+        public override void Unmarshal(ReadOnlyMemory<byte> bytes)
+        {
+            this.Blob = bytes;
+        }
+    }
+
     public abstract class PacObject // not NDR thing
     {
         public abstract PacType PacType { get; }

diff --git a/Tests/Tests.Kerberos.NET/Crypto/BaseCryptoTest.cs b/Tests/Tests.Kerberos.NET/Crypto/BaseCryptoTest.cs
@@ -12,9 +12,9 @@ namespace Tests.Kerberos.NET
 {
     public class BaseCryptoTest
     {
-        protected static byte[] HexToByte(string hex)
+        public static byte[] HexToByte(string hex)
         {
-            hex = hex?.Replace(" ", string.Empty).Replace("0x", string.Empty).Replace(",", string.Empty);
+            hex = hex?.Replace(" ", string.Empty).Replace(Environment.NewLine, string.Empty).Replace("0x", string.Empty).Replace(",", string.Empty).Trim();
 
             return Enumerable.Range(0, hex.Length)
                      .Where(x => x % 2 == 0)
@@ -37,4 +37,4 @@ protected static ReadOnlyMemory<byte> UnicodeBytesToUtf8(byte[] str)
             return Encoding.Convert(Encoding.Unicode, Encoding.UTF8, str, 0, str?.Length ?? 0);
         }
     }
-}
+}
-Original file line number
+Diff line change
@@ Expand Up @@
                 if (!KnownTypes.TryGetValue(type, out Type pacObjectType))
                 {
+                    this.Attributes[type] = new UnknownPacObject(type, pacInfoBuffer);
                     return;
                 }
@@ Expand Down @@