From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 20 Sep 2021 02:54:03 +0000 (+1200)
Subject: CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_n... 
X-Git-Tag: samba-4.13.14~207
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ff11f2a955554b0b89c0e40b6e472d2720123cf;p=thirdparty%2Fsamba.git

CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()

This allows future patches to restrict changing the account type
without triggering an error.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
---

diff --git a/source4/dsdb/tests/python/password_settings.py b/source4/dsdb/tests/python/password_settings.py
index fcb671690c3..e1c49d7bffb 100644
--- a/source4/dsdb/tests/python/password_settings.py
+++ b/source4/dsdb/tests/python/password_settings.py
@@ -594,19 +594,27 @@ class PasswordSettingsTestCase(PasswordTestCase):
         dummy_pso.apply_to(user.dn)
         self.assertTrue(user.get_resultant_PSO() == dummy_pso.dn)
 
-        # now clear the ADS_UF_NORMAL_ACCOUNT flag for the user, which should
-        # mean a resultant PSO is no longer returned (we're essentially turning
-        # the user into a DC here, which is a little overkill but tests
-        # behaviour as per the Windows specification)
-        self.set_attribute(user.dn, "userAccountControl",
-                           str(dsdb.UF_WORKSTATION_TRUST_ACCOUNT),
-                           operation=FLAG_MOD_REPLACE)
+        try:
+            # now clear the ADS_UF_NORMAL_ACCOUNT flag for the user, which should
+            # mean a resultant PSO is no longer returned (we're essentially turning
+            # the user into a DC here, which is a little overkill but tests
+            # behaviour as per the Windows specification)
+            self.set_attribute(user.dn, "userAccountControl",
+                               str(dsdb.UF_WORKSTATION_TRUST_ACCOUNT),
+                               operation=FLAG_MOD_REPLACE)
+        except ldb.LdbError as e:
+            (num, msg) = e.args
+            self.fail("Failed to change user into a workstation: {msg}")
         self.assertIsNone(user.get_resultant_PSO())
 
-        # reset it back to a normal user account
-        self.set_attribute(user.dn, "userAccountControl",
-                           str(dsdb.UF_NORMAL_ACCOUNT),
-                           operation=FLAG_MOD_REPLACE)
+        try:
+            # reset it back to a normal user account
+            self.set_attribute(user.dn, "userAccountControl",
+                               str(dsdb.UF_NORMAL_ACCOUNT),
+                               operation=FLAG_MOD_REPLACE)
+        except ldb.LdbError as e:
+            (num, msg) = e.args
+            self.fail("Failed to change user back into a user: {msg}")
         self.assertTrue(user.get_resultant_PSO() == dummy_pso.dn)
 
         # no PSO should be returned if RID is equal to DOMAIN_USER_RID_KRBTGT