CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

python/samba/tests/__init__.py

@@ -21,6 +21,7 @@ from __future__ import print_function
 import os
 import tempfile
 import warnings
+import collections
 import ldb
 import samba
 from samba import param
@@ -196,23 +197,32 @@ class TestCase(unittest.TestCase):
             f(*args, **kwargs)
         except ldb.LdbError as e:
             (num, msg) = e.args
-            if num != errcode:
+            if isinstance(errcode, collections.abc.Container):
+                found = num in errcode
+            else:
+                found = num == errcode
+            if not found:
                 lut = {v: k for k, v in vars(ldb).items()
                        if k.startswith('ERR_') and isinstance(v, int)}
-                self.fail("%s, expected "
-                          "LdbError %s, (%d) "
-                          "got %s (%d) "
-                          "%s" % (message,
-                                  lut.get(errcode), errcode,
-                                  lut.get(num), num,
-                                  msg))
+                if isinstance(errcode, collections.abc.Container):
+                    errcode_name = ' '.join(lut.get(x) for x in errcode)
+                else:
+                    errcode_name = lut.get(errcode)
+                self.fail(f"{message}, expected "
+                          f"LdbError {errcode_name}, {errcode} "
+                          f"got {lut.get(num)} ({num}) "
+                          f"{msg}")
         else:
             lut = {v: k for k, v in vars(ldb).items()
                    if k.startswith('ERR_') and isinstance(v, int)}
+            if isinstance(errcode, collections.abc.Container):
+                errcode_name = ' '.join(lut.get(x) for x in errcode)
+            else:
+                errcode_name = lut.get(errcode)
             self.fail("%s, expected "
-                      "LdbError %s, (%d) "
+                      "LdbError %s, (%s) "
                       "but we got success" % (message,
-                                              lut.get(errcode),
+                                              errcode_name,
                                               errcode))
 
 

selftest/knownfail.d/uac_objectclass_restrict

@@ -20,8 +20,6 @@
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_mod_lock_UF_NORMAL_ACCOUNT_user_replace\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_mod_lock_UF_SERVER_TRUST_ACCOUNT_computer_replace\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_mod_lock_UF_WORKSTATION_TRUST_ACCOUNT_computer_replace\(ad_dc_default\)
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_SERVER_TRUST_ACCOUNT\(ad_dc_default\)
-^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_set_UF_WORKSTATION_TRUST_ACCOUNT\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_unrelated_modify_UF_NORMAL_ACCOUNT\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_uac_bits_unrelated_modify_UF_WORKSTATION_TRUST_ACCOUNT\(ad_dc_default\)
 ^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_objectclass_uac_mod_lock_UF_NORMAL_ACCOUNT_UF_SERVER_TRUST_ACCOUNT_deladd_priv\(ad_dc_default\)

source4/dsdb/tests/python/user_account_control.py

@@ -594,6 +594,9 @@ class UserAccountControlTests(samba.tests.TestCase):
             if (bit in priv_bits):
                 self.fail("Unexpectedly able to set userAccountControl bit 0x%08X (%s), on %s"
                           % (bit, bit_str, m.dn))
+            if (bit in account_types and bit != UF_NORMAL_ACCOUNT):
+                self.fail("Unexpectedly able to set userAccountControl bit 0x%08X (%s), on %s"
+                          % (bit, bit_str, m.dn))
         except LdbError as e:
             (enum, estr) = e.args
             if bit in invalid_bits:
@@ -601,6 +604,8 @@ class UserAccountControlTests(samba.tests.TestCase):
                                  ldb.ERR_OTHER,
                                  "was not able to set 0x%08X (%s) on %s"
                                  % (bit, bit_str, m.dn))
+            elif (bit in account_types):
+                self.assertIn(enum, [ldb.ERR_OBJECT_CLASS_VIOLATION, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS])
             elif (bit in priv_bits):
                 self.assertEqual(ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS, enum)
             else: