From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 28 Oct 2021 23:20:49 +0000 (+1300)
Subject: CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
X-Git-Tag: ldb-2.5.0~192
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=72840a972bcd36b7ab5bbe3713f4b05913215651;p=thirdparty%2Fsamba.git

CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/selftest/knownfail.d/ldap b/selftest/knownfail.d/ldap
index 0331d3687d4..545dc93db8e 100644
--- a/selftest/knownfail.d/ldap
+++ b/selftest/knownfail.d/ldap
@@ -1,3 +1,4 @@
 # the attributes too long test returns the wrong error
 ^samba4.ldap.python.+test_attribute_ranges_too_long
 samba4.ldap.python\(ad_dc_default\).*__main__.BasicTests.test_ldapSearchNoAttributes
+^samba4.ldap.python.+test_objectclasses
diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py
index ce02d887792..a50a5f7b8d6 100755
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -435,33 +435,41 @@ class BasicTests(samba.tests.TestCase):
             (num, _) = e.args
             self.assertEqual(num, ERR_OBJECT_CLASS_VIOLATION)
 
-        # Add a new top-most structural class "inetOrgPerson" and remove it
-        # afterwards
+        # Try to add a new top-most structural class "inetOrgPerson"
         m = Message()
         m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
         m["objectClass"] = MessageElement("inetOrgPerson", FLAG_MOD_ADD,
                                           "objectClass")
-        ldb.modify(m)
+        try:
+            ldb.modify(m)
+            self.fail()
+        except LdbError as e:
+            (num, _) = e.args
+            self.assertEqual(num, ERR_OBJECT_CLASS_VIOLATION)
 
+        # Try to remove the structural class "user"
         m = Message()
         m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-        m["objectClass"] = MessageElement("inetOrgPerson", FLAG_MOD_DELETE,
+        m["objectClass"] = MessageElement("user", FLAG_MOD_DELETE,
                                           "objectClass")
-        ldb.modify(m)
+        try:
+            ldb.modify(m)
+            self.fail()
+        except LdbError as e:
+            (num, _) = e.args
+            self.assertEqual(num, ERR_OBJECT_CLASS_VIOLATION)
 
-        # Replace top-most structural class to "inetOrgPerson" and reset it
-        # back to "user"
+        # Try to replace top-most structural class to "inetOrgPerson"
         m = Message()
         m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
         m["objectClass"] = MessageElement("inetOrgPerson", FLAG_MOD_REPLACE,
                                           "objectClass")
-        ldb.modify(m)
-
-        m = Message()
-        m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
-        m["objectClass"] = MessageElement("user", FLAG_MOD_REPLACE,
-                                          "objectClass")
-        ldb.modify(m)
+        try:
+            ldb.modify(m)
+            self.fail()
+        except LdbError as e:
+            (num, _) = e.args
+            self.assertEqual(num, ERR_OBJECT_CLASS_VIOLATION)
 
         # Add a new auxiliary object class "posixAccount" to "ldaptestuser"
         m = Message()