CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the...

Rather than fail, if the last run failed to reset things, just force
the DC into the required state.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/dsdb/tests/python/confidential_attr.py b/source4/dsdb/tests/python/confidential_attr.py
index 3997848f8f91348e98df8200f8180d032305c3e5..ee7f554a0080760089e370bc4292b623da3f7bd8 100755 (executable)
--- a/source4/dsdb/tests/python/confidential_attr.py
+++ b/source4/dsdb/tests/python/confidential_attr.py
@@ -136,10 +136,12 @@ class ConfidentialAttrCommon(samba.tests.TestCase):
 
         # sanity-check the flag is not already set (this'll cause problems if
         # previous test run didn't clean up properly)
-        search_flags = self.get_attr_search_flags(self.attr_dn)
-        self.assertEqual(0, int(search_flags) & SEARCH_FLAG_CONFIDENTIAL,
-                         "{0} searchFlags already {1}".format(self.conf_attr,
-                                                              search_flags))
+        search_flags = int(self.get_attr_search_flags(self.attr_dn))
+        if search_flags & SEARCH_FLAG_CONFIDENTIAL:
+            self.set_attr_search_flags(self.attr_dn, str(search_flags &~ SEARCH_FLAG_CONFIDENTIAL))
+        search_flags = int(self.get_attr_search_flags(self.attr_dn))
+        self.assertEqual(0, search_flags & SEARCH_FLAG_CONFIDENTIAL,
+                         f"{self.conf_attr} searchFlags did not reset to omit SEARCH_FLAG_CONFIDENTIAL ({search_flags})")
 
     def add_attr(self, dn, attr, value):
         m = Message()