CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control...
authorAndrew Bartlett <abartlet@samba.org>
Fri, 17 Sep 2021 01:41:40 +0000 (13:41 +1200)
committerJule Anger <janger@samba.org>
Tue, 9 Nov 2021 19:45:32 +0000 (19:45 +0000)
This will allow these to be listed in a knownfail shortly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
source4/dsdb/tests/python/user_account_control.py

index 246a869e6c1af3fcc4e4d83cf8793001e259b4c2..ae457fd26f7761601478ce59240efb06d2250973 100755 (executable)
@@ -305,7 +305,11 @@ class UserAccountControlTests(samba.tests.TestCase):
         m.dn = res[0].dn
         m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_NORMAL_ACCOUNT|UF_PASSWD_NOTREQD),
                                                      ldb.FLAG_MOD_REPLACE, "userAccountControl")
-        self.samdb.modify(m)
+        try:
+            self.samdb.modify(m)
+        except LdbError as e:
+            (enum, estr) = e.args
+            self.fail(f"got {estr} setting userAccountControl to UF_NORMAL_ACCOUNT|UF_PASSWD_NOTREQD")
 
         m = ldb.Message()
         m.dn = res[0].dn
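Review bot: The added `except LdbError` block unpacks the LDB error number into `enum` and then drops it, so the failure text carries only `estr`. For a test that guards the userAccountControl permission checks, the number is what tells an access-rights rejection apart from a schema or constraint error when the knownfail entries are triaged; consider `self.fail(f"got {enum}: {estr} setting userAccountControl to UF_NORMAL_ACCOUNT|UF_PASSWD_NOTREQD")`. The same unused `enum` appears in the hunks at new lines 364, 465 and 590, while the last hunk names the pair `(num, msg)` and catches `ldb.LdbError` rather than `LdbError`, so one spelling throughout would read better. The enclosing test method starts and ends outside this hunk.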
@@ -360,7 +364,11 @@ class UserAccountControlTests(samba.tests.TestCase):
         m.dn = res[0].dn
         m["userAccountControl"] = ldb.MessageElement(str(samba.dsdb.UF_NORMAL_ACCOUNT|UF_PASSWD_NOTREQD),
                                                      ldb.FLAG_MOD_REPLACE, "userAccountControl")
-        self.samdb.modify(m)
+        try:
+            self.samdb.modify(m)
+        except LdbError as e:
+            (enum, estr) = e.args
+            self.fail(f"got {estr} setting userAccountControl to UF_NORMAL_ACCOUNT|UF_PASSWD_NOTREQD")
 
         m = ldb.Message()
         m.dn = res[0].dn
@@ -457,7 +465,11 @@ class UserAccountControlTests(samba.tests.TestCase):
         m.dn = res[0].dn
         m["userAccountControl"] = ldb.MessageElement(str(UF_ACCOUNTDISABLE),
                                                      ldb.FLAG_MOD_REPLACE, "userAccountControl")
-        self.admin_samdb.modify(m)
+        try:
+            self.admin_samdb.modify(m)
+        except LdbError as e:
+            (enum, estr) = e.args
+            self.fail(f"got {estr} setting userAccountControl to UF_ACCOUNTDISABLE (as admin)")
 
         res = self.admin_samdb.search("%s" % self.base_dn,
                                       expression="(&(objectClass=computer)(samAccountName=%s$))" % computername,
@@ -578,7 +590,11 @@ class UserAccountControlTests(samba.tests.TestCase):
             m.dn = res[0].dn
             m["userAccountControl"] = ldb.MessageElement(str(orig_uac),
                                                          ldb.FLAG_MOD_REPLACE, "userAccountControl")
-            self.admin_samdb.modify(m)
+            try:
+                self.admin_samdb.modify(m)
+            except LdbError as e:
+                (enum, estr) = e.args
+                self.fail(f"got {estr} resetting userAccountControl to initial value {orig_uac:#08x}")
 
             res = self.admin_samdb.search("%s" % self.base_dn,
                                           expression="(&(objectClass=computer)(samAccountName=%s$))" % computername,
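Review bot: The format spec in `{orig_uac:#08x}` counts the `0x` prefix toward the width of 8, so values are zero-padded to only six hex digits; userAccountControl is a 32-bit flag field, and `{orig_uac:#010x}` would print all eight digits at a fixed width. The spec also requires `orig_uac` to be an int. Its assignment is outside the hunk (only `str(orig_uac)` is visible), so that is worth confirming, since a str there would raise ValueError inside the handler and mask the LDB error.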
@@ -897,7 +913,12 @@ class UserAccountControlTests(samba.tests.TestCase):
             and account_type == UF_NORMAL_ACCOUNT):
             self.admin_samdb.add(msg_dict)
         elif objectclass == "computer":
-            self.admin_samdb.add(msg_dict)
+            try:
+                self.admin_samdb.add(msg_dict)
+            except ldb.LdbError as e:
+                (num, msg) = e.args
+                self.fail("Failed to create {objectclass} account "
+                          "with {account_type_string}")
         else:
             self.assertRaisesLdbError(ldb.ERR_OBJECT_CLASS_VIOLATION,
                                       "Should have been unable to {account_type_str} on {objectclass}",
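Review bot: The new `self.fail("Failed to create {objectclass} account " "with {account_type_string}")` is a plain string, not an f-string, so the braces are printed literally and the unpacked `num` and `msg` never reach the output. The placeholder name also differs from the `{account_type_str}` used in the context line just below, so adding the `f` prefix alone could raise NameError, depending on which name the method defines (not visible here). Something like `self.fail(f"Failed to create {objectclass} account with {account_type_str}: {msg} ({num})")` would report what was attempted and why the server refused it. The assertRaisesLdbError message in the context line appears to lack the same prefix, and that call continues past the end of the hunk.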