CVE-2022-0336: pytest: Add a test for an SPN conflict with a re-added…
… SPN

This test currently fails, as re-adding an SPN means that later checks
do not run.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
josephsutton1 authored and metze-samba committed Jan 31, 2022
1 parent 6063e80 commit c58ede4
Showing 2 changed files with 8 additions and 0 deletions.
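--- a/python/samba/tests/ldap_spn.py
+++ b/python/samba/tests/ldap_spn.py
@@ -268,6 +268,8 @@ def _test_spn_with_args(self, rows, doc):
 for k in ('dNSHostName', 'servicePrincipalName'):
 if isinstance(m.get(k), str):
 m[k] = m[k].format(dnsname=f"x.{REALM}")
+elif isinstance(m.get(k), list):
+m[k] = [x.format(dnsname=f"x.{REALM}") for x in m[k]]
 
 msg = ldb.Message.from_dict(samdb, m, op)
 
@@ -727,6 +729,11 @@ class LdapSpnSambaOnlyTest(LdapSpnTestBase):
 ('user:C', 'host/{dnsname}', '*', ok),
 ('user:D', 'www/{dnsname}', 'D', denied),
 ),
+("add a conflict, along with a re-added SPN",
+('A', 'cifs/{dnsname}', '*', ok),
+('B', 'cifs/heeble.example.net', 'B', ok),
+('B', ['cifs/heeble.example.net', 'host/{dnsname}'], 'B', constraint),
+),
 
 ("changing dNSHostName after host",
 ('A', {'dNSHostName': '{dnsname}'}, '*', ok),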
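Review bot: The new case "add a conflict, along with a re-added SPN" covers only one value order, with the already-present `cifs/heeble.example.net` ahead of the conflicting `host/{dnsname}`. The commit message says a re-added SPN stops later checks from running, so a fix that only handles this order would still pass; a companion row with the values reversed, `('B', ['host/{dnsname}', 'cifs/heeble.example.net'], 'B', constraint),`, would pin that down (assuming the rejected modify leaves B unchanged, which this hunk does not show). A comment above the case such as `# CVE-2022-0336: re-adding an existing SPN must not skip conflict checks on the other values (bug 14950)` would also help whoever later removes the knownfail entry. Both `_test_spn_with_args` and the case table start and end outside the visible hunks.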
1 change: 1 addition & 0 deletions selftest/knownfail.d/ldap_spn
@@ -1 +1,2 @@
samba.tests.ldap_spn.+LdapSpnTest.test_spn_dodgy_spns
samba.tests.ldap_spn.+LdapSpnSambaOnlyTest.test_spn_add_a_conflict_along_with_a_re_added_SPN
