From: Andrew Bartlett
Date: Thu, 21 Oct 2021 01:03:05 +0000 (+1300)
Subject: CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
X-Git-Tag: samba-4.13.14~195
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c212f3fe50ca985a26ed2a02398028f5235cca27;p=thirdparty%2Fsamba.git
CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
The parts that create and delete a single object can be safely split out into an individual test.
At this point the parts that fail against Windows 2019 are:
error: __main__.SamTests.test_userAccountControl_computer_add_normal [ _ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_computer_modify [ _ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_user_add_0_uac [ _ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_user_add_normal [ _ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
error: __main__.SamTests.test_userAccountControl_user_modify [ _ldb.LdbError: (53, 'LDAP error 53 LDAP_UNWILLING_TO_PERFORM - <0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0\n> <>')
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall
---
diff --git a/selftest/knownfail.d/uac_objectclass_restrict b/selftest/knownfail.d/uac_objectclass_restrict
index d093c631bd3..ac7befffb1b 100644
--- a/selftest/knownfail.d/uac_objectclass_restrict
+++ b/selftest/knownfail.d/uac_objectclass_restrict
@@ -3,10 +3,12 @@
 #
 #
 # All these tests need to be fixed and the entries here removed
-^samba4.sam.python\(fl2008r2dc\).__main__.SamTests.test_userAccountControl\(fl2008r2dc\)
+^samba4.sam.python\(.*\).__main__.SamTests.test_userAccountControl_computer_add_0_uac
+^samba4.sam.python\(.*\).__main__.SamTests.test_userAccountControl_computer_add_trust
+^samba4.sam.python\(.*\).__main__.SamTests.test_userAccountControl_computer_modify
+^samba4.sam.python\(.*\).__main__.SamTests.test_userAccountControl_user_modify
 ^samba4.sam.python\(fl2008r2dc\).__main__.SamTests.test_users_groups\(fl2008r2dc\)
 ^samba4.ldap.python\(ad_dc_default\).__main__.BasicTests.test_all\(ad_dc_default\)
-^samba4.sam.python\(ad_dc_default\).__main__.SamTests.test_userAccountControl\(ad_dc_default\)
 ^samba4.sam.python\(ad_dc_default\).__main__.SamTests.test_users_groups\(ad_dc_default\)
 ^samba4.priv_attrs.strict.python\(ad_dc_default\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-DC_add_CC_WP_user\(ad_dc_default\)
 ^samba4.priv_attrs.strict.python\(ad_dc_default\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-DC_add_CC_default_user\(ad_dc_default\)
diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py
index 67e2f7b23c3..077a1a86e90 100755
--- a/source4/dsdb/tests/python/sam.py
+++ b/source4/dsdb/tests/python/sam.py
@@ -1885,7 +1885,7 @@ class SamTests(samba.tests.TestCase):
 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
- def test_userAccountControl(self):
+ def test_userAccountControl_user_add_0_uac(self):
 """Test the userAccountControl behaviour"""
 print("Testing userAccountControl behaviour\n")
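Review bot: The four added entries drop the trailing `\(env\)` anchor that the two replaced `fl2008r2dc` / `ad_dc_default` lines carried, so `^samba4.sam.python\(.*\).__main__.SamTests.test_userAccountControl_user_modify` also matches any later test whose name merely starts with that string (a hypothetical `..._user_modify_disabled`, say), and the `\(.*\)` environment group now covers every environment rather than the two previously listed. Because these tests exercise the userAccountControl restrictions being tightened for CVE-2020-25722, an over-broad knownfail pattern can silently absorb a real regression in that check. Suggest closing each pattern with the environment group, e.g. `^samba4.sam.python\(.*\).__main__.SamTests.test_userAccountControl_user_modify\(.*\)$`, and narrowing `\(.*\)` to the environments where the failure is actually observed if it is not seen everywhere.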
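Review bot: The renamed `test_userAccountControl_user_add_0_uac` keeps the docstring `"""Test the userAccountControl behaviour"""` and the `print("Testing userAccountControl behaviour\n")` banner from the monolithic test, neither of which says what this one method now checks. A docstring naming the case, e.g. `"""Add a user with userAccountControl=0 and check the flags the server stores"""`, is what shows up in failure listings, and the print adds nothing now that the method name carries that information. The method body continues past this hunk, so the exact flags it asserts are not visible here.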
@@ -1913,12 +1913,15 @@ class SamTests(samba.tests.TestCase):
 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_PASSWD_NOTREQD == 0)
 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ def test_userAccountControl_user_add_normal(self):
+ """Test the userAccountControl behaviour"""
 ldb.add({
 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
 "objectclass": "user",
 "userAccountControl": str(UF_NORMAL_ACCOUNT)})
 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ def test_userAccountControl_user_add_normal_pwnotreq(self):
 ldb.add({
 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
 "objectclass": "user",
@@ -1933,6 +1936,7 @@ class SamTests(samba.tests.TestCase):
 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ def test_userAccountControl_user_add_normal_pwnotreq_lockout_expired(self):
 ldb.add({
 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
 "objectclass": "user",
@@ -1952,6 +1956,7 @@ class SamTests(samba.tests.TestCase):
 self.assertTrue(int(res1[0]["pwdLastSet"][0]) == 0)
 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ def test_userAccountControl_user_add_temp_dup(self):
 try:
 ldb.add({
 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
@@ -1963,6 +1968,7 @@ class SamTests(samba.tests.TestCase):
 self.assertEqual(num, ERR_OTHER)
 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ def test_userAccountControl_user_add_server(self):
 try:
 ldb.add({
 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
@@ -1974,6 +1980,7 @@ class SamTests(samba.tests.TestCase):
 self.assertEqual(num, ERR_OBJECT_CLASS_VIOLATION)
 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ def test_userAccountControl_user_add_workstation(self):
 try:
 ldb.add({
 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
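Review bot: Each new method, starting with `test_userAccountControl_user_add_normal` in the first hunk here, creates `cn=ldaptestuser,cn=users,...` and removes it only through the `delete_force(...)` at the end of its body, so an `LdbError` raised by `ldb.add` or a failed assertion (which the commit message says happens for several of these tests) leaves the entry behind, and the next method's `ldb.add` then fails on the pre-existing entry instead of exercising its own case; before the split one early failure simply ended the test, now it can cascade into misleading failures in unrelated methods. Unless `setUp` already force-deletes these DNs (not visible in this diff), register the cleanup as soon as the entry is created, `self.addCleanup(delete_force, self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)`, which also makes the trailing `delete_force` call redundant. The same applies to every other hunk in this file, including the `cn=ldaptestcomputer` tests from the 2201 hunk onwards. The copied docstring `"""Test the userAccountControl behaviour"""` on `test_userAccountControl_user_add_normal` is also generic; `"""Add a user with userAccountControl=UF_NORMAL_ACCOUNT"""` would describe this method.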
@@ -1984,6 +1991,7 @@ class SamTests(samba.tests.TestCase):
 self.assertEqual(num, ERR_OBJECT_CLASS_VIOLATION)
 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ def test_userAccountControl_user_add_rodc(self):
 try:
 ldb.add({
 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
@@ -1994,6 +2002,7 @@ class SamTests(samba.tests.TestCase):
 self.assertEqual(num, ERR_OBJECT_CLASS_VIOLATION)
 delete_force(self.ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
+ def test_userAccountControl_user_add_trust(self):
 try:
 ldb.add({
 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
@@ -2007,6 +2016,7 @@ class SamTests(samba.tests.TestCase):
 # Modify operation
+ def test_userAccountControl_user_modify(self):
 ldb.add({
 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
 "objectclass": "user"})
@@ -2177,6 +2187,7 @@ class SamTests(samba.tests.TestCase):
 (num, _) = e69.args
 self.assertEqual(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
+ def test_userAccountControl_computer_add_0_uac(self):
 # With a computer object
 # Add operation
@@ -2201,12 +2212,14 @@ class SamTests(samba.tests.TestCase):
 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_PASSWD_NOTREQD == 0)
 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+ def test_userAccountControl_computer_add_normal(self):
 ldb.add({
 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
 "objectclass": "computer",
 "userAccountControl": str(UF_NORMAL_ACCOUNT)})
 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+ def test_userAccountControl_computer_add_normal_pwnotreqd(self):
 ldb.add({
 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
 "objectclass": "computer",
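Review bot: In the hunk at 2007 the `# Modify operation` context line now sits above the new `def test_userAccountControl_user_modify(self):`, i.e. presumably still indented as the last line of the preceding method (`test_userAccountControl_user_add_trust`, whose body starts in the hunk above) rather than inside the method it describes. Move it into the new method as its docstring, `"""Modify userAccountControl on an existing user object"""`, so it travels with the code it annotates and appears in test listings. The corresponding comment in the `computer_modify` hunk at 2284 already follows its `def` and needs no change beyond the same docstring treatment.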
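Review bot: `test_userAccountControl_computer_add_normal_pwnotreqd` in the hunk at 2201 (and `..._pwnotreqd_lockout_expired` in the 2221 hunk) spells the suffix differently from the user-object counterparts `test_userAccountControl_user_add_normal_pwnotreq` and `..._pwnotreq_lockout_expired` in the 1913 and 1933 hunks. These names are what the knownfail patterns and failure listings key on, so one spelling should be used for both object classes; `pwnotreqd` matches the `UF_PASSWD_NOTREQD` constant the tests assert on, which argues for renaming the user variants to `test_userAccountControl_user_add_normal_pwnotreqd` and `test_userAccountControl_user_add_normal_pwnotreqd_lockout_expired`.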
@@ -2221,6 +2234,7 @@ class SamTests(samba.tests.TestCase):
 self.assertTrue(int(res1[0]["userAccountControl"][0]) & UF_ACCOUNTDISABLE == 0)
 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+ def test_userAccountControl_computer_add_normal_pwnotreqd_lockout_expired(self):
 ldb.add({
 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
 "objectclass": "computer",
@@ -2240,6 +2254,7 @@ class SamTests(samba.tests.TestCase):
 self.assertTrue(int(res1[0]["pwdLastSet"][0]) == 0)
 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+ def test_userAccountControl_computer_add_temp_dup(self):
 try:
 ldb.add({
 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
@@ -2251,6 +2266,7 @@ class SamTests(samba.tests.TestCase):
 self.assertEqual(num, ERR_OTHER)
 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+ def test_userAccountControl_computer_add_server(self):
 ldb.add({
 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
 "objectclass": "computer",
@@ -2263,6 +2279,7 @@ class SamTests(samba.tests.TestCase):
 ATYPE_WORKSTATION_TRUST)
 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+ def test_userAccountControl_computer_add_workstation(self):
 try:
 ldb.add({
 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
@@ -2273,6 +2290,7 @@ class SamTests(samba.tests.TestCase):
 self.assertEqual(num, ERR_OBJECT_CLASS_VIOLATION)
 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+ def test_userAccountControl_computer_add_trust(self):
 try:
 ldb.add({
 "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
@@ -2284,6 +2302,7 @@ class SamTests(samba.tests.TestCase):
 self.assertEqual(num, ERR_INSUFFICIENT_ACCESS_RIGHTS)
 delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+ def test_userAccountControl_computer_modify(self):
 # Modify operation
 ldb.add({