CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATI...
authorAndrew Bartlett <abartlet@samba.org>
Wed, 20 Oct 2021 22:57:22 +0000 (11:57 +1300)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:10 +0000 (10:52 +0100)
Objects with objectclass computer now have UF_WORKSTATION_TRUST_ACCOUNT
by default and so this test must adapt.

The changes to this test pass against Windows 2019 except for
the new behaviour around the UF_WORKSTATION_TRUST_ACCOUNT default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
selftest/knownfail.d/sam-isCriticalSystemObject [new file with mode: 0644]
selftest/knownfail.d/uac_objectclass_restrict
source4/dsdb/tests/python/sam.py

diff --git a/selftest/knownfail.d/sam-isCriticalSystemObject b/selftest/knownfail.d/sam-isCriticalSystemObject
new file mode 100644 (file)
index 0000000..a6351a8
--- /dev/null
@@ -0,0 +1 @@
+^samba4.sam.python\(.*\).__main__.SamTests.test_isCriticalSystemObject_user
\ No newline at end of file
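Review bot: The new knownfail file carries no comment saying why `test_isCriticalSystemObject_user` is expected to fail or what change is meant to clear it. The sibling `uac_objectclass_restrict` file at least opens with `# All these tests need to be fixed and the entries here removed`. In a CVE series this matters to anyone backporting a subset of the commits, because a green run then hides whether the failure is the intended post-fix behaviour or a gap. A header line such as `# <reason the modify/assert fails> - remove once <follow-up change> lands` would record that.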
index 32d8a99f950c83d4cde388a2da964ad79fd062f5..d093c631bd372a3d01ef0ad6bf7b9d28a9400d9b 100644 (file)
@@ -3,11 +3,9 @@
 #
 # All these tests need to be fixed and the entries here removed
 
-^samba4.sam.python\(fl2008r2dc\).__main__.SamTests.test_isCriticalSystemObject\(fl2008r2dc\)
 ^samba4.sam.python\(fl2008r2dc\).__main__.SamTests.test_userAccountControl\(fl2008r2dc\)
 ^samba4.sam.python\(fl2008r2dc\).__main__.SamTests.test_users_groups\(fl2008r2dc\)
 ^samba4.ldap.python\(ad_dc_default\).__main__.BasicTests.test_all\(ad_dc_default\)
-^samba4.sam.python\(ad_dc_default\).__main__.SamTests.test_isCriticalSystemObject\(ad_dc_default\)
 ^samba4.sam.python\(ad_dc_default\).__main__.SamTests.test_userAccountControl\(ad_dc_default\)
 ^samba4.sam.python\(ad_dc_default\).__main__.SamTests.test_users_groups\(ad_dc_default\)
 ^samba4.priv_attrs.strict.python\(ad_dc_default\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-DC_add_CC_WP_user\(ad_dc_default\)
index 8220cf8b44f51ea9e6be974d4285e6d273321b14..67e2f7b23c3e7489ed29dcf394de1035b36084e4 100755 (executable)
@@ -2926,6 +2926,39 @@ class SamTests(samba.tests.TestCase):
 
         delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
 
+    def test_isCriticalSystemObject_user(self):
+        """Test the isCriticalSystemObject behaviour"""
+        print("Testing isCriticalSystemObject behaviour\n")
+
+        # Add tests (of a user)
+
+        ldb.add({
+            "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
+            "objectclass": "user"})
+
+        res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
+                          scope=SCOPE_BASE,
+                          attrs=["isCriticalSystemObject"])
+        self.assertTrue(len(res1) == 1)
+        self.assertTrue("isCriticalSystemObject" not in res1[0])
+
+        # Modification tests
+        m = Message()
+
+        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+        m["userAccountControl"] = MessageElement(str(UF_WORKSTATION_TRUST_ACCOUNT),
+                                                 FLAG_MOD_REPLACE, "userAccountControl")
+        ldb.modify(m)
+
+        res1 = ldb.search("cn=ldaptestuser,cn=users," + self.base_dn,
+                          scope=SCOPE_BASE,
+                          attrs=["isCriticalSystemObject"])
+        self.assertTrue(len(res1) == 1)
+        self.assertTrue("isCriticalSystemObject" in res1[0])
+        self.assertEqual(str(res1[0]["isCriticalSystemObject"][0]), "FALSE")
+
+        delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+
     def test_isCriticalSystemObject(self):
         """Test the isCriticalSystemObject behaviour"""
         print("Testing isCriticalSystemObject behaviour\n")
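Review bot: The `delete_force` at the end of `test_isCriticalSystemObject_user` is reached only if `ldb.modify` and every assertion succeed, and this same commit lists the test in `selftest/knownfail.d/sam-isCriticalSystemObject`, so it is expected to stop early and leave `cn=ldaptestuser,cn=users,...` in the directory. Registering the cleanup directly after `ldb.add`, e.g. `self.addCleanup(delete_force, self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)`, keeps the object from leaking into later tests that reuse the DN; setUp/tearDown may already clear it, but they are not visible in this hunk. The docstring and print text are copied unchanged from `test_isCriticalSystemObject`, so a docstring like `"""Test isCriticalSystemObject on a user switched to UF_WORKSTATION_TRUST_ACCOUNT"""` would make the two easier to tell apart in test output. The trailing context lines belong to `test_isCriticalSystemObject`, whose body continues outside the hunk.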
@@ -2940,7 +2973,8 @@ class SamTests(samba.tests.TestCase):
                           scope=SCOPE_BASE,
                           attrs=["isCriticalSystemObject"])
         self.assertTrue(len(res1) == 1)
-        self.assertTrue("isCriticalSystemObject" not in res1[0])
+        self.assertTrue("isCriticalSystemObject" in res1[0])
+        self.assertEqual(str(res1[0]["isCriticalSystemObject"][0]), "FALSE")
 
         delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)