CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 28 Oct 2021 23:20:49 +0000 (12:20 +1300)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:11 +0000 (10:52 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail.d/ldap
source4/dsdb/tests/python/ldap.py

index 0331d3687d41a6e27f52505aca16d3edf1da7305..545dc93db8e77aa34559311e240845ea2e727560 100644 (file)
@@ -1,3 +1,4 @@
 # the attributes too long test returns the wrong error
 ^samba4.ldap.python.+test_attribute_ranges_too_long
 samba4.ldap.python\(ad_dc_default\).*__main__.BasicTests.test_ldapSearchNoAttributes
+^samba4.ldap.python.+test_objectclasses
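Review bot: The added `^samba4.ldap.python.+test_objectclasses` entry has no comment saying why the test is expected to fail, and the pattern applies to every test environment. Because the same commit rewrites that test to require ERR_OBJECT_CLASS_VIOLATION, the entry presumably exists only until the server-side restriction lands later in the series. A line such as `# fails until structural objectClass changes are rejected (CVE-2020-25722)` above it would make that explicit. It would also remind whoever lands the fix to drop the entry, since a stale knownfail would hide a regression in this check.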
index bd30faeb1d9c4a96bad96ea9ba3631124f5da40e..9d79f90a306ab0494d8a932090a6b1cd756b255e 100755 (executable)
@@ -436,33 +436,41 @@ class BasicTests(samba.tests.TestCase):
             (num, _) = e.args
             self.assertEqual(num, ERR_OBJECT_CLASS_VIOLATION)
 
-        # Add a new top-most structural class "inetOrgPerson" and remove it
-        # afterwards
+        # Try to add a new top-most structural class "inetOrgPerson"
         m = Message()
         m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
         m["objectClass"] = MessageElement("inetOrgPerson", FLAG_MOD_ADD,
                                           "objectClass")
-        ldb.modify(m)
+        try:
+            ldb.modify(m)
+            self.fail()
+        except LdbError as e:
+            (num, _) = e.args
+            self.assertEqual(num, ERR_OBJECT_CLASS_VIOLATION)
 
+        # Try to remove the structural class "user"
         m = Message()
         m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-        m["objectClass"] = MessageElement("inetOrgPerson", FLAG_MOD_DELETE,
+        m["objectClass"] = MessageElement("user", FLAG_MOD_DELETE,
                                           "objectClass")
-        ldb.modify(m)
+        try:
+            ldb.modify(m)
+            self.fail()
+        except LdbError as e:
+            (num, _) = e.args
+            self.assertEqual(num, ERR_OBJECT_CLASS_VIOLATION)
 
-        # Replace top-most structural class to "inetOrgPerson" and reset it
-        # back to "user"
+        # Try to replace top-most structural class to "inetOrgPerson"
         m = Message()
         m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
         m["objectClass"] = MessageElement("inetOrgPerson", FLAG_MOD_REPLACE,
                                           "objectClass")
-        ldb.modify(m)
-
-        m = Message()
-        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-        m["objectClass"] = MessageElement("user", FLAG_MOD_REPLACE,
-                                          "objectClass")
-        ldb.modify(m)
+        try:
+            ldb.modify(m)
+            self.fail()
+        except LdbError as e:
+            (num, _) = e.args
+            self.assertEqual(num, ERR_OBJECT_CLASS_VIOLATION)
 
         # Add a new auxiliary object class "posixAccount" to "ldaptestuser"
         m = Message()
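Review bot: The three new `self.fail()` calls, one after each `ldb.modify(m)` in the add, delete and replace cases, carry no message. If the server wrongly accepts a structural objectClass change, the report is a bare AssertionError and the three cases can be told apart only by line number. Consider `self.fail("adding structural class inetOrgPerson was not rejected")`, with matching text for the delete of `user` and the replace. The checks also pin only the error code; since they guard the CVE-2020-25722 restriction, a follow-up search asserting that the entry's objectClass is unchanged after each rejected modify would make them stronger. The enclosing test method starts and ends outside this hunk.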