CVE-2022-32746 s4:dsdb:tests: Add test for deleting a disallowed SPN

If an account has an SPN that requires Write Property to set, we should still be able to delete it with just Validated Write. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
author: Joseph Sutton <josephsutton@catalyst.net.nz> 2022-06-21 15:37:15 +1200
committer: Jule Anger <janger@samba.org> 2022-07-24 11:41:53 +0200
commit: 51cbeff886fe01db463448f8655a43d10040dc8b (patch)
tree: d7aba51415d373c470f5433f6f80321ed030223f
parent: 5d958156c7e5d6c1da61d18fe4fd105b22639b56 (diff)
download: samba-51cbeff886fe01db463448f8655a43d10040dc8b.tar.gz
2 files changed, 27 insertions, 0 deletions
diff --git a/selftest/knownfail.d/acl-spn-delete b/selftest/knownfail.d/acl-spn-delete
new file mode 100644
index 00000000000..32018413c49
--- /dev/null
+++ b/selftest/knownfail.d/acl-spn-delete
@@ -0,0 +1 @@
+^samba4.ldap.acl.python.*__main__.AclSPNTests.test_delete_disallowed_spn\(
diff --git a/source4/dsdb/tests/python/acl.py b/source4/dsdb/tests/python/acl.py
index df0fe12bf29..d90d3b3923f 100755
--- a/source4/dsdb/tests/python/acl.py
+++ b/source4/dsdb/tests/python/acl.py
@@ -2286,6 +2286,32 @@ class AclSPNTests(AclTests):
         else:
             self.fail(f'able to add disallowed SPN {not_allowed_spn}')
 
+    def test_delete_disallowed_spn(self):
+        # Grant Validated-SPN property.
+        mod = f'(OA;;SW;{security.GUID_DRS_VALIDATE_SPN};;{self.user_sid1})'
+        self.sd_utils.dacl_add_ace(self.computerdn, mod)
+
+        spn_base = f'HOST/{self.computername}'
+
+        not_allowed_spn = f'{spn_base}/{self.dcctx.get_domain_name()}'
+
+        # Add a disallowed SPN as admin.
+        msg = Message(Dn(self.ldb_admin, self.computerdn))
+        msg['servicePrincipalName'] = MessageElement(not_allowed_spn,
+                                                     FLAG_MOD_ADD,
+                                                     'servicePrincipalName')
+        self.ldb_admin.modify(msg)
+
+        # Ensure we are able to delete a disallowed SPN.
+        msg = Message(Dn(self.ldb_user1, self.computerdn))
+        msg['servicePrincipalName'] = MessageElement(not_allowed_spn,
+                                                     FLAG_MOD_DELETE,
+                                                     'servicePrincipalName')
+        try:
+            self.ldb_user1.modify(msg)
+        except LdbError:
+            self.fail(f'unable to delete disallowed SPN {not_allowed_spn}')
+
 
 # tests SEC_ADS_LIST vs. SEC_ADS_LIST_OBJECT
 @DynamicTestCase
author	Joseph Sutton <josephsutton@catalyst.net.nz>	2022-06-21 15:37:15 +1200
committer	Jule Anger <janger@samba.org>	2022-07-24 11:41:53 +0200
commit	51cbeff886fe01db463448f8655a43d10040dc8b (patch)
tree	d7aba51415d373c470f5433f6f80321ed030223f
parent	5d958156c7e5d6c1da61d18fe4fd105b22639b56 (diff)
download	samba-51cbeff886fe01db463448f8655a43d10040dc8b.tar.gz