From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 22 Oct 2021 09:54:52 +0000 (+1300)
Subject: CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors
X-Git-Tag: samba-4.13.14~189
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=17c4928b2d3242aa621d13412e6c55ab534c674c;p=thirdparty%2Fsamba.git

CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors

This favors a test that confirms we got an error over getting exactly
the right error, at least for now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
---

diff --git a/selftest/knownfail.d/uac_objectclass_restrict b/selftest/knownfail.d/uac_objectclass_restrict
index ac6f4857bf4..1d72442f8a8 100644
--- a/selftest/knownfail.d/uac_objectclass_restrict
+++ b/selftest/knownfail.d/uac_objectclass_restrict
@@ -22,10 +22,6 @@
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_mod_lock_UF_WORKSTATION_TRUST_ACCOUNT_computer_replace\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_unrelated_modify_UF_NORMAL_ACCOUNT\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_unrelated_modify_UF_WORKSTATION_TRUST_ACCOUNT\(ad_dc_default\)
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_uac_mod_lock_UF_NORMAL_ACCOUNT_UF_SERVER_TRUST_ACCOUNT_deladd_priv\(ad_dc_default\)
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_uac_mod_lock_UF_NORMAL_ACCOUNT_UF_SERVER_TRUST_ACCOUNT_deladd_wp\(ad_dc_default\)
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_uac_mod_lock_UF_NORMAL_ACCOUNT_UF_SERVER_TRUST_ACCOUNT_replace_priv\(ad_dc_default\)
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_uac_mod_lock_UF_NORMAL_ACCOUNT_UF_SERVER_TRUST_ACCOUNT_replace_wp\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_add_UF_INTERDOMAIN_TRUST_ACCOUNT\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_add_UF_NORMAL_ACCOUNT\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_add_UF_NORMAL_ACCOUNT_UF_PASSWD_NOTREQD\(ad_dc_default\)
diff --git a/selftest/knownfail.d/user_account_control b/selftest/knownfail.d/user_account_control
deleted file mode 100644
index ad3af678708..00000000000
--- a/selftest/knownfail.d/user_account_control
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_add_computer_cc_normal_bare.ad_dc_default
diff --git a/source4/dsdb/tests/python/user_account_control.py b/source4/dsdb/tests/python/user_account_control.py
index ed68a683e69..f99f370679b 100755
--- a/source4/dsdb/tests/python/user_account_control.py
+++ b/source4/dsdb/tests/python/user_account_control.py
@@ -484,7 +484,8 @@ class UserAccountControlTests(samba.tests.TestCase):
         m.dn = res[0].dn
         m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_NORMAL_ACCOUNT),
                                                      ldb.FLAG_MOD_REPLACE, "userAccountControl")
-        self.assertRaisesLdbError(ldb.ERR_UNWILLING_TO_PERFORM,
+        self.assertRaisesLdbError([ldb.ERR_OBJECT_CLASS_VIOLATION,
+                                   ldb.ERR_UNWILLING_TO_PERFORM],
                                   f"Unexpectedly able to set userAccountControl to be an Normal "
                                   "account without |UF_PASSWD_NOTREQD Unexpectedly able to "
                                   "set userAccountControl to be a workstation on {m.dn}",
@@ -1204,12 +1205,14 @@ class UserAccountControlTests(samba.tests.TestCase):
             samdb.modify(m)
         elif (account_type == UF_NORMAL_ACCOUNT) and \
                (account_type2 == UF_SERVER_TRUST_ACCOUNT) and not priv:
-                self.assertRaisesLdbError(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
+                self.assertRaisesLdbError([ldb.ERR_OBJECT_CLASS_VIOLATION,
+                                           ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS],
                                           f"Should have been unable to change {account_type_str} to {account_type2_str}",
                                           samdb.modify, m)
         elif (account_type == UF_NORMAL_ACCOUNT) and \
                (account_type2 == UF_SERVER_TRUST_ACCOUNT) and priv:
-                self.assertRaisesLdbError(ldb.ERR_UNWILLING_TO_PERFORM,
+                self.assertRaisesLdbError([ldb.ERR_OBJECT_CLASS_VIOLATION,
+                                           ldb.ERR_UNWILLING_TO_PERFORM],
                                           f"Should have been unable to change {account_type_str} to {account_type2_str}",
                                           samdb.modify, m)
         elif (account_type == UF_WORKSTATION_TRUST_ACCOUNT) and \
@@ -1282,7 +1285,8 @@ class UserAccountControlTests(samba.tests.TestCase):
             m["1objectclass"] = ldb.MessageElement(new_objectclass,
                                                    ldb.FLAG_MOD_ADD, "objectclass")
 
-        self.assertRaisesLdbError(ldb.ERR_UNWILLING_TO_PERFORM,
+        self.assertRaisesLdbError([ldb.ERR_OBJECT_CLASS_VIOLATION,
+                                   ldb.ERR_UNWILLING_TO_PERFORM],
                                   "Should have been unable Able to change objectclass of a {objectclass}",
                                   self.admin_samdb.modify, m)