CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>

diff --git a/selftest/knownfail.d/spn_uniqueness b/selftest/knownfail.d/spn_uniqueness
new file mode 100644 (file)
index 0000000..3f6c2f0
--- /dev/null
+++ b/selftest/knownfail.d/spn_uniqueness
@@ -0,0 +1,2 @@
+^samba4.sam.python\(ad_dc_default\).__main__.SamTests.test_service_principal_name_uniqueness\(ad_dc_default\)
+^samba4.sam.python\(fl2008r2dc\).__main__.SamTests.test_service_principal_name_uniqueness\(fl2008r2dc\)

diff --git a/source4/dsdb/tests/python/sam.py b/source4/dsdb/tests/python/sam.py
index c794a3cfce18240952dec7bff164200d6d96902f..d99247d18b1784b12299724b34111e902bb3fd0d 100755 (executable)
--- a/source4/dsdb/tests/python/sam.py
+++ b/source4/dsdb/tests/python/sam.py
@@ -89,6 +89,7 @@ class SamTests(samba.tests.TestCase):
         delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
         delete_force(self.ldb, "cn=ldaptest\,specialuser,cn=users," + self.base_dn)
         delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
+        delete_force(self.ldb, "cn=ldaptestcomputer2,cn=computers," + self.base_dn)
         delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
         delete_force(self.ldb, "cn=ldaptestgroup2,cn=users," + self.base_dn)
 
@@ -3500,6 +3501,26 @@ class SamTests(samba.tests.TestCase):
 
         delete_force(self.ldb, "cn=ldaptestcomputer,cn=computers," + self.base_dn)
 
+    def test_service_principal_name_uniqueness(self):
+        """Test the servicePrincipalName uniqueness behaviour"""
+        print("Testing servicePrincipalName uniqueness behaviour")
+
+        ldb.add({
+            "dn": "cn=ldaptestcomputer,cn=computers," + self.base_dn,
+            "objectclass": "computer",
+            "servicePrincipalName": "HOST/testname.testdom"})
+
+        try:
+            ldb.add({
+                "dn": "cn=ldaptestcomputer2,cn=computers," + self.base_dn,
+                "objectclass": "computer",
+                "servicePrincipalName": "HOST/testname.testdom"})
+        except LdbError as e:
+            num, _ = e.args
+            self.assertEqual(num, ERR_CONSTRAINT_VIOLATION)
+        else:
+            self.fail()
+
     def test_sam_description_attribute(self):
         """Test SAM description attribute"""
         print("Test SAM description attribute")