CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors

This favors a test that confirms we got an error over getting exactly
the right error, at least for now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

diff --git a/selftest/knownfail.d/uac_objectclass_restrict b/selftest/knownfail.d/uac_objectclass_restrict
index ac6f4857bf497822fda348b24f1875dea7b99a1c..1d72442f8a8e3083d007d6c22fc3848f170d89ee 100644 (file)
--- a/selftest/knownfail.d/uac_objectclass_restrict
+++ b/selftest/knownfail.d/uac_objectclass_restrict
@@ -22,10 +22,6 @@
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_mod_lock_UF_WORKSTATION_TRUST_ACCOUNT_computer_replace\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_unrelated_modify_UF_NORMAL_ACCOUNT\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_unrelated_modify_UF_WORKSTATION_TRUST_ACCOUNT\(ad_dc_default\)
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_uac_mod_lock_UF_NORMAL_ACCOUNT_UF_SERVER_TRUST_ACCOUNT_deladd_priv\(ad_dc_default\)
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_uac_mod_lock_UF_NORMAL_ACCOUNT_UF_SERVER_TRUST_ACCOUNT_deladd_wp\(ad_dc_default\)
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_uac_mod_lock_UF_NORMAL_ACCOUNT_UF_SERVER_TRUST_ACCOUNT_replace_priv\(ad_dc_default\)
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_uac_mod_lock_UF_NORMAL_ACCOUNT_UF_SERVER_TRUST_ACCOUNT_replace_wp\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_add_UF_INTERDOMAIN_TRUST_ACCOUNT\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_add_UF_NORMAL_ACCOUNT\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_add_UF_NORMAL_ACCOUNT_UF_PASSWD_NOTREQD\(ad_dc_default\)

diff --git a/selftest/knownfail.d/user_account_control b/selftest/knownfail.d/user_account_control
deleted file mode 100644 (file)
index ad3af67..0000000
--- a/selftest/knownfail.d/user_account_control
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_add_computer_cc_normal_bare.ad_dc_default

diff --git a/source4/dsdb/tests/python/user_account_control.py b/source4/dsdb/tests/python/user_account_control.py
index ed68a683e69f6a07e6e99396f9cdd0614d0c1702..f99f370679b83506f7a790ab3d1e3704c6c923fb 100755 (executable)
--- a/source4/dsdb/tests/python/user_account_control.py
+++ b/source4/dsdb/tests/python/user_account_control.py
@@ -484,7 +484,8 @@ class UserAccountControlTests(samba.tests.TestCase):
         m.dn = res[0].dn
         m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_NORMAL_ACCOUNT),
                                                      ldb.FLAG_MOD_REPLACE, "userAccountControl")
-        self.assertRaisesLdbError(ldb.ERR_UNWILLING_TO_PERFORM,
+        self.assertRaisesLdbError([ldb.ERR_OBJECT_CLASS_VIOLATION,
+                                   ldb.ERR_UNWILLING_TO_PERFORM],
                                   f"Unexpectedly able to set userAccountControl to be an Normal "
                                   "account without |UF_PASSWD_NOTREQD Unexpectedly able to "
                                   "set userAccountControl to be a workstation on {m.dn}",
@@ -1204,12 +1205,14 @@ class UserAccountControlTests(samba.tests.TestCase):
             samdb.modify(m)
         elif (account_type == UF_NORMAL_ACCOUNT) and \
                (account_type2 == UF_SERVER_TRUST_ACCOUNT) and not priv:
-                self.assertRaisesLdbError(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
+                self.assertRaisesLdbError([ldb.ERR_OBJECT_CLASS_VIOLATION,
+                                           ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS],
                                           f"Should have been unable to change {account_type_str} to {account_type2_str}",
                                           samdb.modify, m)
         elif (account_type == UF_NORMAL_ACCOUNT) and \
                (account_type2 == UF_SERVER_TRUST_ACCOUNT) and priv:
-                self.assertRaisesLdbError(ldb.ERR_UNWILLING_TO_PERFORM,
+                self.assertRaisesLdbError([ldb.ERR_OBJECT_CLASS_VIOLATION,
+                                           ldb.ERR_UNWILLING_TO_PERFORM],
                                           f"Should have been unable to change {account_type_str} to {account_type2_str}",
                                           samdb.modify, m)
         elif (account_type == UF_WORKSTATION_TRUST_ACCOUNT) and \
@@ -1282,7 +1285,8 @@ class UserAccountControlTests(samba.tests.TestCase):
             m["1objectclass"] = ldb.MessageElement(new_objectclass,
                                                    ldb.FLAG_MOD_ADD, "objectclass")
 
-        self.assertRaisesLdbError(ldb.ERR_UNWILLING_TO_PERFORM,
+        self.assertRaisesLdbError([ldb.ERR_OBJECT_CLASS_VIOLATION,
+                                   ldb.ERR_UNWILLING_TO_PERFORM],
                                   "Should have been unable Able to change objectclass of a {objectclass}",
                                   self.admin_samdb.modify, m)