CVE-2020-25722 selftest: Use self.assertRaisesLdbError() in user_account_control...
authorAndrew Bartlett <abartlet@samba.org>
Thu, 16 Sep 2021 04:09:24 +0000 (16:09 +1200)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:09 +0000 (10:52 +0100)
This changes most instances of the simple pattern with self.samdb.modify()
to use the wrapper.  Some other calls still need to be converted, while
the complex decision tree tests should remain as-is for now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Oct  4 21:55:43 UTC 2021 on sn-devel-184

(cherry picked from commit b45190bdac7bd9dcefd5ed88be4bd9a97a712664)

source4/dsdb/tests/python/user_account_control.py

index efb83b2dcfffff018d0a22c8a72b50451c6da299..c9b50b83e9daf6f1f7146dbdbbb79f6c446effc4 100755 (executable)
@@ -245,35 +245,27 @@ class UserAccountControlTests(samba.tests.TestCase):
         m.dn = res[0].dn
         m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_SERVER_TRUST_ACCOUNT),
                                                      ldb.FLAG_MOD_REPLACE, "userAccountControl")
-        try:
-            self.samdb.modify(m)
-            self.fail("Unexpectedly able to set userAccountControl to be a DC on %s" % m.dn)
-        except LdbError as e5:
-            (enum, estr) = e5.args
-            self.assertEqual(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, enum)
+        self.assertRaisesLdbError(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
+                                  f"Unexpectedly able to set userAccountControl to be a DC on {m.dn}",
+                                  self.samdb.modify, m)
 
         m = ldb.Message()
         m.dn = res[0].dn
         m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT |
                                                          samba.dsdb.UF_PARTIAL_SECRETS_ACCOUNT),
                                                      ldb.FLAG_MOD_REPLACE, "userAccountControl")
-        try:
-            self.samdb.modify(m)
-            self.fail("Unexpectedly able to set userAccountControl to be an RODC on %s" % m.dn)
-        except LdbError as e6:
-            (enum, estr) = e6.args
-            self.assertEqual(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, enum)
+
+        self.assertRaisesLdbError(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
+                                  f"Unexpectedly able to set userAccountControl to be a RODC on {m.dn}",
+                                  self.samdb.modify, m)
 
         m = ldb.Message()
         m.dn = res[0].dn
         m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT),
                                                      ldb.FLAG_MOD_REPLACE, "userAccountControl")
-        try:
-            self.samdb.modify(m)
-            self.fail("Unexpectedly able to set userAccountControl to be an Workstation on %s" % m.dn)
-        except LdbError as e7:
-            (enum, estr) = e7.args
-            self.assertEqual(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, enum)
+        self.assertRaisesLdbError(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
+                                  f"Unexpectedly able to set userAccountControl to be a Workstation on {m.dn}",
+                                  self.samdb.modify, m)
 
         m = ldb.Message()
         m.dn = res[0].dn
@@ -285,13 +277,10 @@ class UserAccountControlTests(samba.tests.TestCase):
         m.dn = res[0].dn
         m["primaryGroupID"] = ldb.MessageElement(str(security.DOMAIN_RID_ADMINS),
                                                  ldb.FLAG_MOD_REPLACE, "primaryGroupID")
-        try:
-            self.samdb.modify(m)
-        except LdbError as e8:
-            (enum, estr) = e8.args
-            self.assertEqual(ldb.ERR_UNWILLING_TO_PERFORM, enum)
-            return
-        self.fail()
+        self.assertRaisesLdbError(ldb.ERR_UNWILLING_TO_PERFORM,
+                                  f"Unexpectedly able to set primaryGroupID on {m.dn}",
+                                  self.samdb.modify, m)
+
 
     def test_mod_computer_cc(self):
         user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
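Review bot: The added blank line after the `assertRaisesLdbError` call leaves two blank lines before `def test_mod_computer_cc`, where methods inside a class are conventionally separated by one (PEP 8, flake8 E303). Dropping that trailing blank `+` line would keep the change to the call itself. The same extra line is added before `def test_add_computer_cc_normal_bare` in the `@@ -350,12 +332,10` hunk. The test method that this call closes starts outside the hunk.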
@@ -321,24 +310,17 @@ class UserAccountControlTests(samba.tests.TestCase):
         m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT |
                                                          samba.dsdb.UF_PARTIAL_SECRETS_ACCOUNT),
                                                      ldb.FLAG_MOD_REPLACE, "userAccountControl")
-        try:
-            self.samdb.modify(m)
-            self.fail("Unexpectedly able to set userAccountControl on %s" % m.dn)
-        except LdbError as e9:
-            (enum, estr) = e9.args
-            self.assertEqual(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, enum)
+        self.assertRaisesLdbError(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
+                                  f"Unexpectedly able to set userAccountControl as RODC on {m.dn}",
+                                  self.samdb.modify, m)
 
         m = ldb.Message()
         m.dn = res[0].dn
         m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_SERVER_TRUST_ACCOUNT),
                                                      ldb.FLAG_MOD_REPLACE, "userAccountControl")
-        try:
-            self.samdb.modify(m)
-            self.fail()
-        except LdbError as e10:
-            (enum, estr) = e10.args
-            self.assertEqual(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, enum)
-
+        self.assertRaisesLdbError(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
+                                  f"Unexpectedly able to set userAccountControl as DC on {m.dn}",
+                                  self.samdb.modify, m)
 
         m = ldb.Message()
         m.dn = res[0].dn
@@ -350,12 +332,10 @@ class UserAccountControlTests(samba.tests.TestCase):
         m.dn = res[0].dn
         m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT),
                                                      ldb.FLAG_MOD_REPLACE, "userAccountControl")
-        try:
-            self.samdb.modify(m)
-            self.fail("Unexpectedly able to set userAccountControl to be an Workstation on %s" % m.dn)
-        except LdbError as e11:
-            (enum, estr) = e11.args
-            self.assertEqual(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, enum)
+        self.assertRaisesLdbError(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
+                                  f"Unexpectedly able to set userAccountControl to be a workstation on {m.dn}",
+                                  self.samdb.modify, m)
+
 
     def test_add_computer_cc_normal_bare(self):
         user_sid = self.sd_utils.get_object_sid(self.unpriv_user_dn)
@@ -393,12 +373,11 @@ class UserAccountControlTests(samba.tests.TestCase):
         m.dn = res[0].dn
         m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_NORMAL_ACCOUNT),
                                                      ldb.FLAG_MOD_REPLACE, "userAccountControl")
-        try:
-            self.samdb.modify(m)
-            self.fail("Unexpectedly able to set userAccountControl to be an Normal account without |UF_PASSWD_NOTREQD on %s" % m.dn)
-        except LdbError as e7:
-            (enum, estr) = e7.args
-            self.assertEqual(ldb.ERR_UNWILLING_TO_PERFORM, enum)
+        self.assertRaisesLdbError(ldb.ERR_UNWILLING_TO_PERFORM,
+                                  f"Unexpectedly able to set userAccountControl to be an Normal "
+                                  "account without |UF_PASSWD_NOTREQD Unexpectedly able to "
+                                  "set userAccountControl to be a workstation on {m.dn}",
+                                  self.samdb.modify, m)
 
 
     def test_admin_mod_uac(self):
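Review bot: Only the first of the three adjacent string literals in the new failure message carries the `f` prefix, so `{m.dn}` in the last literal is emitted verbatim and the message never names the object that was modified. The text also repeats a pasted fragment ("Unexpectedly able to set userAccountControl to be a workstation") that does not belong to this case. Suggested replacement: `f"Unexpectedly able to set userAccountControl to be a Normal account "` followed by `f"without |UF_PASSWD_NOTREQD on {m.dn}",`. The same missing prefix affects the `"UF_TRUSTED_FOR_DELEGATION on {m.dn}"` literal in the `@@ -420,12 +399,11` hunk. These tests guard privilege checks on userAccountControl, so a failure report without the DN makes a regression harder to triage; the enclosing test method starts outside the hunk.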
@@ -420,12 +399,11 @@ class UserAccountControlTests(samba.tests.TestCase):
                                                          UF_PARTIAL_SECRETS_ACCOUNT |
                                                          UF_TRUSTED_FOR_DELEGATION),
                                                      ldb.FLAG_MOD_REPLACE, "userAccountControl")
-        try:
-            self.admin_samdb.modify(m)
-            self.fail("Unexpectedly able to set userAccountControl to UF_WORKSTATION_TRUST_ACCOUNT|UF_PARTIAL_SECRETS_ACCOUNT|UF_TRUSTED_FOR_DELEGATION on %s" % m.dn)
-        except LdbError as e12:
-            (enum, estr) = e12.args
-            self.assertEqual(ldb.ERR_OTHER, enum)
+        self.assertRaisesLdbError(ldb.ERR_OTHER,
+                                  f"Unexpectedly able to set userAccountControl to "
+                                  "UF_WORKSTATION_TRUST_ACCOUNT|UF_PARTIAL_SECRETS_ACCOUNT|"
+                                  "UF_TRUSTED_FOR_DELEGATION on {m.dn}",
+                                  self.admin_samdb.modify, m)
 
         m = ldb.Message()
         m.dn = res[0].dn
@@ -835,14 +813,10 @@ class UserAccountControlTests(samba.tests.TestCase):
         m["primaryGroupID"] = ldb.MessageElement(
             [str(security.DOMAIN_RID_USERS)], ldb.FLAG_MOD_REPLACE,
             "primaryGroupID")
-        try:
-            self.admin_samdb.modify(m)
 
-            # When creating a new object, you can not ever set the primaryGroupID
-            self.fail("Unexpectedly able to set primaryGroupID to be other than DCS on %s" % computername)
-        except LdbError as e15:
-            (enum, estr) = e15.args
-            self.assertEqual(enum, ldb.ERR_UNWILLING_TO_PERFORM)
+        self.assertRaisesLdbError(ldb.ERR_UNWILLING_TO_PERFORM,
+                                  f"Unexpectedly able to set primaryGroupID to be other than DCS on {m.dn}",
+                                  self.admin_samdb.modify, m)
 
     def test_primarygroupID_priv_user_modify(self):
         computername = self.computernames[0]
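Review bot: The rationale comment `# When creating a new object, you can not ever set the primaryGroupID` is dropped together with the try block, leaving the `ERR_UNWILLING_TO_PERFORM` expectation unexplained at the call site. Consider keeping it as a one-line comment directly above `self.assertRaisesLdbError(...)`; whether "creating" is the right word for this modify call depends on test code outside the hunk, so the wording may need adjusting. The message now reports `m.dn` instead of `computername`, which is fine provided `m.dn` was set to that computer's DN earlier in the test, which is not visible here.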