mirror of
https://github.com/samba-team/samba.git
synced 2025-01-24 02:04:21 +03:00
CVE-2023-4154 s4:dsdb:tests: Fix code spelling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> (cherry picked from commit b29793ffdee5d9b9c1c05830622e80f7faec7670)
This commit is contained in:
parent
d1e0ee0ba7
commit
13eac83bc6
@ -228,7 +228,7 @@ class AclAddTests(AclTests):
|
||||
self.assertEqual(len(res), 0)
|
||||
|
||||
def test_add_u1(self):
|
||||
"""Testing OU with the rights of Doman Admin not creator of the OU """
|
||||
"""Testing OU with the rights of Domain Admin not creator of the OU """
|
||||
self.assert_top_ou_deleted()
|
||||
# Change descriptor for top level OU
|
||||
self.ldb_owner.create_ou("OU=test_add_ou1," + self.base_dn)
|
||||
@ -241,7 +241,7 @@ class AclAddTests(AclTests):
|
||||
self.ldb_notowner.newgroup("test_add_group1", groupou="OU=test_add_ou2,OU=test_add_ou1",
|
||||
grouptype=samba.dsdb.GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP)
|
||||
# Make sure we HAVE created the two objects -- user and group
|
||||
# !!! We should not be able to do that, but however beacuse of ACE ordering our inherited Deny ACE
|
||||
# !!! We should not be able to do that, but however because of ACE ordering our inherited Deny ACE
|
||||
# !!! comes after explicit (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA) that comes from somewhere
|
||||
res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s,%s)" % ("CN=test_add_user1,OU=test_add_ou2,OU=test_add_ou1", self.base_dn))
|
||||
self.assertTrue(len(res) > 0)
|
||||
@ -302,7 +302,7 @@ class AclAddTests(AclTests):
|
||||
self.assertEqual(len(res), 0)
|
||||
|
||||
def test_add_u4(self):
|
||||
""" 4 Testing OU with the rights of Doman Admin creator of the OU"""
|
||||
""" 4 Testing OU with the rights of Domain Admin creator of the OU"""
|
||||
self.assert_top_ou_deleted()
|
||||
self.ldb_owner.create_ou("OU=test_add_ou1," + self.base_dn)
|
||||
self.ldb_owner.create_ou("OU=test_add_ou2,OU=test_add_ou1," + self.base_dn)
|
||||
@ -4298,7 +4298,7 @@ class AclDeleteTests(AclTests):
|
||||
self.assertEqual(len(res), 0)
|
||||
|
||||
def test_delete_u3(self):
|
||||
"""User indentified by SID has RIGHT_DELETE to another User object"""
|
||||
"""User identified by SID has RIGHT_DELETE to another User object"""
|
||||
user_dn = self.get_user_dn("test_delete_user1")
|
||||
# Create user that we try to delete
|
||||
self.ldb_admin.newuser("test_delete_user1", self.user_pass)
|
||||
@ -4589,7 +4589,7 @@ class AclCARTests(AclTests):
|
||||
minPwdAge = self.ldb_admin.get_minPwdAge()
|
||||
# Reset the "minPwdAge" as it was before
|
||||
self.addCleanup(self.ldb_admin.set_minPwdAge, minPwdAge)
|
||||
# Set it temporarely to "0"
|
||||
# Set it temporarily to "0"
|
||||
self.ldb_admin.set_minPwdAge("0")
|
||||
|
||||
self.user_with_wp = "acl_car_user1"
|
||||
@ -5045,7 +5045,7 @@ class AclUndeleteTests(AclTests):
|
||||
self.sd_utils.dacl_add_ace(self.deleted_dn2, mod)
|
||||
self.undelete_deleted(self.deleted_dn2, self.testuser2_dn)
|
||||
|
||||
# attempt undelete with simultanious addition of url, WP to which is denied
|
||||
# attempt undelete with simultaneous addition of url, WP to which is denied
|
||||
mod = "(OD;;WP;9a9a0221-4a5b-11d1-a9c3-0000f80367c1;;%s)" % str(self.sid)
|
||||
self.sd_utils.dacl_add_ace(self.deleted_dn3, mod)
|
||||
try:
|
||||
|
@ -180,7 +180,7 @@ class UserTests(samba.tests.TestCase):
|
||||
maybe_not = ['!(', '']
|
||||
joiners = ['&', '|']
|
||||
|
||||
# The number of permuations is 18432, which is not huge but
|
||||
# The number of permutations is 18432, which is not huge but
|
||||
# would take hours to search. So we take a sample.
|
||||
all_permutations = list(itertools.product(joiners,
|
||||
classes, classes,
|
||||
|
@ -722,7 +722,7 @@ class ConfidentialAttrTestDirsync(ConfidentialAttrCommon):
|
||||
|
||||
self.attr_filters = [None, ["*"], ["name"]]
|
||||
|
||||
# Note dirsync behaviour is slighty different for the attribute under
|
||||
# Note dirsync behaviour is slightly different for the attribute under
|
||||
# test - when you have full access rights, it only returns the objects
|
||||
# that actually have this attribute (i.e. it doesn't return an empty
|
||||
# message with just the DN). So we add the 'name' attribute into the
|
||||
|
@ -338,7 +338,7 @@ class SimpleDirsyncTests(DirsyncBaseTests):
|
||||
self.assertEqual(len(res.msgs[0]), 3)
|
||||
|
||||
def test_dirsync_othernc(self):
|
||||
"""Check that dirsync return information for entries that are normaly referrals (ie. other NCs)"""
|
||||
"""Check that dirsync return information for entries that are normally referrals (ie. other NCs)"""
|
||||
res = self.ldb_admin.search(self.base_dn,
|
||||
expression="(objectclass=configuration)",
|
||||
attrs=["name"],
|
||||
@ -459,7 +459,7 @@ class SimpleDirsyncTests(DirsyncBaseTests):
|
||||
delete_force(self.ldb_admin, ouname)
|
||||
|
||||
def test_dirsync_linkedattributes(self):
|
||||
"""Check that dirsync returnd deleted objects too"""
|
||||
"""Check that dirsync returned deleted objects too"""
|
||||
# Let's search for members
|
||||
self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
|
||||
res = self.ldb_simple.search(self.base_dn,
|
||||
@ -541,7 +541,7 @@ class SimpleDirsyncTests(DirsyncBaseTests):
|
||||
self.assertEqual(len(res[0].get("member")), 0)
|
||||
|
||||
def test_dirsync_deleted_items(self):
|
||||
"""Check that dirsync returnd deleted objects too"""
|
||||
"""Check that dirsync returned deleted objects too"""
|
||||
# Let's create an OU
|
||||
ouname = "OU=testou3,%s" % self.base_dn
|
||||
self.ouname = ouname
|
||||
@ -712,7 +712,7 @@ class ExtendedDirsyncTests(SimpleDirsyncTests):
|
||||
self.assertIn(b">;<SID=010500000000000515", resEX0[0]["member"][0])
|
||||
|
||||
def test_dirsync_deleted_items(self):
|
||||
"""Check that dirsync returnd deleted objects too"""
|
||||
"""Check that dirsync returned deleted objects too"""
|
||||
# Let's create an OU
|
||||
self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
|
||||
ouname = "OU=testou3,%s" % self.base_dn
|
||||
|
@ -155,7 +155,7 @@ class BasicTests(samba.tests.TestCase):
|
||||
(num, _) = e.args
|
||||
self.assertEqual(num, ERR_CONSTRAINT_VIOLATION)
|
||||
|
||||
# We cannot instanciate from an abstract object class ("connectionPoint"
|
||||
# We cannot instantiate from an abstract object class ("connectionPoint"
|
||||
# or "leaf"). In the first case we use "connectionPoint" (subclass of
|
||||
# "leaf") to prevent a naming violation - this returns us a
|
||||
# "ERR_UNWILLING_TO_PERFORM" since it is not structural. In the second
|
||||
@ -178,7 +178,7 @@ class BasicTests(samba.tests.TestCase):
|
||||
(num, _) = e.args
|
||||
self.assertEqual(num, ERR_OBJECT_CLASS_VIOLATION)
|
||||
|
||||
# Objects instanciated using "satisfied" abstract classes (concrete
|
||||
# Objects instantiated using "satisfied" abstract classes (concrete
|
||||
# subclasses) are allowed
|
||||
self.ldb.add({
|
||||
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
|
||||
@ -214,7 +214,7 @@ class BasicTests(samba.tests.TestCase):
|
||||
"objectClass": "person"})
|
||||
|
||||
# We can remove derivation classes of the structural objectclass
|
||||
# but they're going to be readded afterwards
|
||||
# but they're going to be re-added afterwards
|
||||
m = Message()
|
||||
m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn)
|
||||
m["objectClass"] = MessageElement("top", FLAG_MOD_DELETE,
|
||||
@ -1824,7 +1824,7 @@ delete: description
|
||||
delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
|
||||
|
||||
def test_groupType_int32(self):
|
||||
"""Test groupType (int32) behaviour (should appear to be casted to a 32 bit signed integer before comparsion)"""
|
||||
"""Test groupType (int32) behaviour (should appear to be casted to a 32 bit signed integer before comparison)"""
|
||||
|
||||
res1 = ldb.search(base=self.base_dn, scope=SCOPE_SUBTREE,
|
||||
attrs=["groupType"], expression="groupType=2147483653")
|
||||
@ -2158,7 +2158,7 @@ servicePrincipalName: host/ldaptest2computer29
|
||||
"givenname": "testy",
|
||||
"sn": "ldap user2"})
|
||||
|
||||
# Testing Ambigious Name Resolution
|
||||
# Testing Ambiguous Name Resolution
|
||||
# Testing ldb.search for (&(anr=ldap testy)(objectClass=user))
|
||||
res = ldb.search(expression="(&(anr=ldap testy)(objectClass=user))")
|
||||
self.assertEqual(len(res), 3, "Found only %d of 3 for (&(anr=ldap testy)(objectClass=user))" % len(res))
|
||||
@ -2402,7 +2402,7 @@ member: cn=ldaptestuser2,cn=users,""" + self.base_dn + """
|
||||
|
||||
# Testing ldb.search for (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)) to check subtree renames and linked attributes"
|
||||
res = ldb.search(self.base_dn, expression="(&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group))", scope=SCOPE_SUBTREE)
|
||||
self.assertEqual(len(res), 1, "Could not find (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)), perhaps linked attributes are not consistant with subtree renames?")
|
||||
self.assertEqual(len(res), 1, "Could not find (&(member=CN=ldaptestuser4,CN=ldaptestcontainer2," + self.base_dn + ")(objectclass=group)), perhaps linked attributes are not consistent with subtree renames?")
|
||||
|
||||
# Testing ldb.rename (into itself) of cn=ldaptestcontainer2," + self.base_dn + " to cn=ldaptestcontainer,cn=ldaptestcontainer2," + self.base_dn
|
||||
try:
|
||||
@ -3002,7 +3002,7 @@ nTSecurityDescriptor: """ + sddl
|
||||
delete_force(self.ldb, user_dn)
|
||||
#
|
||||
# Test modify_ldif() with SDDL security descriptor input
|
||||
# New desctiptor test
|
||||
# New descriptor test
|
||||
#
|
||||
try:
|
||||
self.ldb.add_ldif("""
|
||||
|
@ -101,7 +101,7 @@ class ModifyOrderTests(samba.tests.TestCase):
|
||||
|
||||
clusters = {}
|
||||
for i, attrs in enumerate(permutations(mod_attrs)):
|
||||
# for each permuation we construct a string describing the
|
||||
# for each permutation we construct a string describing the
|
||||
# requested operations, and a string describing the result
|
||||
# (which may be an exception). The we cluster the
|
||||
# attribute strings by their results.
|
||||
@ -249,7 +249,7 @@ class ModifyOrderTests(samba.tests.TestCase):
|
||||
self._test_modify_order(start_attrs, mod_attrs)
|
||||
|
||||
def test_modify_order_inapplicable(self):
|
||||
#attrbutes that don't go on a user
|
||||
#attributes that don't go on a user
|
||||
start_attrs = [("objectclass", "user"),
|
||||
("givenName", "a")]
|
||||
|
||||
|
@ -210,7 +210,7 @@ name: """ + object_name + """
|
||||
expression="(%s=S:5:ABCDE)" % self.dn_string_attribute)
|
||||
self.assertEqual(len(res), 0)
|
||||
|
||||
# search by DN+Stirng
|
||||
# search by DN+String
|
||||
res = self.ldb.search(base=self.base_dn,
|
||||
scope=SCOPE_SUBTREE,
|
||||
expression="(%s=S:5:ABCDE:%s)" % (self.dn_string_attribute, self.base_dn))
|
||||
@ -293,7 +293,7 @@ name: """ + object_name + """
|
||||
self.assertEqual(num, ERR_CONSTRAINT_VIOLATION)
|
||||
|
||||
def test_dn_binary(self):
|
||||
# add obeject with correct value
|
||||
# add object with correct value
|
||||
object_name1 = "obj-DN-Binary1" + time.strftime("%s", time.gmtime())
|
||||
ldif = self._get_object_ldif(object_name1, self.dn_binary_class_name, self.dn_binary_class_ldap_display_name,
|
||||
self.dn_binary_attribute, ": B:4:1234:" + self.base_dn)
|
||||
|
@ -75,7 +75,7 @@ class BasicUserAuthTests(BasePasswordTestCase):
|
||||
ldap_url = self.host_url
|
||||
print("Performs a lockout attempt against LDAP using NTLM")
|
||||
|
||||
# get the intial logon values for this user
|
||||
# get the initial logon values for this user
|
||||
res = self._check_account(userdn,
|
||||
badPwdCount=0,
|
||||
badPasswordTime=("greater", 0),
|
||||
|
@ -300,7 +300,7 @@ class PasswordSettingsTestCase(PasswordTestCase):
|
||||
self.set_attribute(group2, "member", group1)
|
||||
self.assert_PSO_applied(user, group2_pso)
|
||||
|
||||
# add another level to the group heirachy & check this PSO takes effect
|
||||
# add another level to the group hierarchy & check this PSO takes effect
|
||||
self.set_attribute(group3, "member", group2)
|
||||
self.assert_PSO_applied(user, group3_pso)
|
||||
|
||||
@ -727,7 +727,7 @@ class PasswordSettingsTestCase(PasswordTestCase):
|
||||
# the msDS-ResultantPSO attribute on a user that doesn't exist yet (it
|
||||
# won't have any group membership or PSOs applied directly against it yet).
|
||||
# In theory it's possible to still get an applicable PSO via the user's
|
||||
# primaryGroupID (i.e. 'Domain Users' by default). However, testing aginst
|
||||
# primaryGroupID (i.e. 'Domain Users' by default). However, testing against
|
||||
# Windows shows that the PSO doesn't take effect during the user add
|
||||
# operation. (However, the Windows GUI tools presumably adds the user in 2
|
||||
# steps, because it does enforce the PSO for users added via the GUI).
|
||||
|
@ -1365,12 +1365,12 @@ userPassword: thatsAcomplPASS4
|
||||
def test_zero_length(self):
|
||||
# Get the old "minPwdLength"
|
||||
minPwdLength = self.ldb.get_minPwdLength()
|
||||
# Set it temporarely to "0"
|
||||
# Set it temporarily to "0"
|
||||
self.ldb.set_minPwdLength("0")
|
||||
|
||||
# Get the old "pwdProperties"
|
||||
pwdProperties = self.ldb.get_pwdProperties()
|
||||
# Set them temporarely to "0" (to deactivate eventually the complexity)
|
||||
# Set them temporarily to "0" (to deactivate eventually the complexity)
|
||||
self.ldb.set_pwdProperties("0")
|
||||
|
||||
self.ldb.setpassword("(sAMAccountName=testuser)", "")
|
||||
|
@ -3775,7 +3775,7 @@ class SamTests(samba.tests.TestCase):
|
||||
def test_protected_sid_objects(self):
|
||||
"""Test deletion of objects with RID < 1000"""
|
||||
# a list of some well-known sids
|
||||
# objects in Builtin are aready covered by objectclass
|
||||
# objects in Builtin are already covered by objectclass
|
||||
protected_list = [
|
||||
["CN=Domain Admins", "CN=Users,"],
|
||||
["CN=Schema Admins", "CN=Users,"],
|
||||
|
@ -684,7 +684,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
|
||||
|
||||
# Tests for SCHEMA
|
||||
|
||||
# Defalt descriptor tests ##################################################################
|
||||
# Default descriptor tests ##################################################################
|
||||
|
||||
def test_130(self):
|
||||
user_name = "testuser1"
|
||||
@ -941,7 +941,7 @@ class OwnerGroupDescriptorTests(DescriptorTests):
|
||||
|
||||
# Tests for CONFIGURATION
|
||||
|
||||
# Defalt descriptor tests ##################################################################
|
||||
# Default descriptor tests ##################################################################
|
||||
|
||||
def test_160(self):
|
||||
user_name = "testuser1"
|
||||
@ -2022,7 +2022,7 @@ class RightsAttributesTests(DescriptorTests):
|
||||
_ldb = self.get_ldb_connection("testuser_attr", "samba123@")
|
||||
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
|
||||
attrs=["sDRightsEffective"])
|
||||
# user whould have no rights at all
|
||||
# user should have no rights at all
|
||||
self.assertEqual(len(res), 1)
|
||||
self.assertEqual(str(res[0]["sDRightsEffective"][0]), "0")
|
||||
# give the user Write DACL and see what happens
|
||||
@ -2030,7 +2030,7 @@ class RightsAttributesTests(DescriptorTests):
|
||||
self.sd_utils.dacl_add_ace(object_dn, mod)
|
||||
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
|
||||
attrs=["sDRightsEffective"])
|
||||
# user whould have DACL_SECURITY_INFORMATION
|
||||
# user should have DACL_SECURITY_INFORMATION
|
||||
self.assertEqual(len(res), 1)
|
||||
self.assertEqual(str(res[0]["sDRightsEffective"][0]), ("%d") % SECINFO_DACL)
|
||||
# give the user Write Owners and see what happens
|
||||
@ -2038,14 +2038,14 @@ class RightsAttributesTests(DescriptorTests):
|
||||
self.sd_utils.dacl_add_ace(object_dn, mod)
|
||||
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
|
||||
attrs=["sDRightsEffective"])
|
||||
# user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
|
||||
# user should have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
|
||||
self.assertEqual(len(res), 1)
|
||||
self.assertEqual(str(res[0]["sDRightsEffective"][0]), ("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER))
|
||||
# no way to grant security privilege bu adding ACE's so we use a memeber of Domain Admins
|
||||
# no way to grant security privilege bu adding ACE's so we use a member of Domain Admins
|
||||
_ldb = self.get_ldb_connection("testuser_attr2", "samba123@")
|
||||
res = _ldb.search(base=object_dn, expression="", scope=SCOPE_BASE,
|
||||
attrs=["sDRightsEffective"])
|
||||
# user whould have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
|
||||
# user should have DACL_SECURITY_INFORMATION, OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION
|
||||
self.assertEqual(len(res), 1)
|
||||
self.assertEqual(str(res[0]["sDRightsEffective"][0]),
|
||||
("%d") % (SECINFO_DACL | SECINFO_GROUP | SECINFO_OWNER | SECINFO_SACL))
|
||||
|
@ -151,7 +151,7 @@ class StaticTokenTest(samba.tests.TestCase):
|
||||
extra_sidset = set(extra_sids)
|
||||
|
||||
if len(missing_sidset.symmetric_difference(extra_sidset)):
|
||||
print("dn token sids unexpeted")
|
||||
print("dn token sids unexpected")
|
||||
print("tokengroups: %s" % dn_tokengroups)
|
||||
print("user sids: %s" % self.user_sids)
|
||||
print("actual difference: %s" % missing_sidset)
|
||||
@ -423,7 +423,7 @@ class DynamicTokenTest(samba.tests.TestCase):
|
||||
extra_sidset = set(extra_sids)
|
||||
|
||||
if len(missing_sidset.symmetric_difference(extra_sidset)):
|
||||
print("dn token sids unexpeted")
|
||||
print("dn token sids unexpected")
|
||||
print("tokengroups: %s" % dn_tokengroups)
|
||||
print("user sids: %s" % self.user_sids)
|
||||
print("actual difference: %s" % missing_sidset)
|
||||
|
@ -852,7 +852,7 @@ class UserAccountControlTests(samba.tests.TestCase):
|
||||
self.add_computer_ldap(computername, others={"userAccountControl": [str(bit_add)]})
|
||||
delete_force(self.admin_samdb, "CN=%s,%s" % (computername, self.OU))
|
||||
if bit in priv_bits:
|
||||
self.fail("Unexpectdly able to set userAccountControl bit 0x%08X (%s) on %s"
|
||||
self.fail("Unexpectedly able to set userAccountControl bit 0x%08X (%s) on %s"
|
||||
% (bit, bit_str, computername))
|
||||
|
||||
except LdbError as e4:
|
||||
|
Loading…
x
Reference in New Issue
Block a user