CVE-2022-32746 s4:dsdb:tests: Add test for deleting a disallowed SPN

If an account has an SPN that requires Write Property to set, we should
still be able to delete it with just Validated Write.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>

diff --git a/selftest/knownfail.d/acl-spn-delete b/selftest/knownfail.d/acl-spn-delete
new file mode 100644 (file)
index 0000000..3201841
--- /dev/null
+++ b/selftest/knownfail.d/acl-spn-delete
@@ -0,0 +1 @@
+^samba4.ldap.acl.python.*__main__.AclSPNTests.test_delete_disallowed_spn\(

diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index df0fe12bf29d2cd79bbb08f806037cce96c3803f..d90d3b3923f522063ee50e74eb076825430cb73f 100755 (executable)
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -2286,6 +2286,32 @@ class AclSPNTests(AclTests):
         else:
             self.fail(f'able to add disallowed SPN {not_allowed_spn}')
 
+    def test_delete_disallowed_spn(self):
+        # Grant Validated-SPN property.
+        mod = f'(OA;;SW;{security.GUID_DRS_VALIDATE_SPN};;{self.user_sid1})'
+        self.sd_utils.dacl_add_ace(self.computerdn, mod)
+
+        spn_base = f'HOST/{self.computername}'
+
+        not_allowed_spn = f'{spn_base}/{self.dcctx.get_domain_name()}'
+
+        # Add a disallowed SPN as admin.
+        msg = Message(Dn(self.ldb_admin, self.computerdn))
+        msg['servicePrincipalName'] = MessageElement(not_allowed_spn,
+                                                     FLAG_MOD_ADD,
+                                                     'servicePrincipalName')
+        self.ldb_admin.modify(msg)
+
+        # Ensure we are able to delete a disallowed SPN.
+        msg = Message(Dn(self.ldb_user1, self.computerdn))
+        msg['servicePrincipalName'] = MessageElement(not_allowed_spn,
+                                                     FLAG_MOD_DELETE,
+                                                     'servicePrincipalName')
+        try:
+            self.ldb_user1.modify(msg)
+        except LdbError:
+            self.fail(f'unable to delete disallowed SPN {not_allowed_spn}')
+
 
 # tests SEC_ADS_LIST vs. SEC_ADS_LIST_OBJECT
 @DynamicTestCase