mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

netcmd: silo command uses more consistent naming for policy args

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde 2023-10-17 16:31:53 +13:00 committed by Andrew Bartlett
parent c22400fd8e
commit 15fb8a5f2e
5 changed files with 119 additions and 97 deletions


@ -1101,21 +1101,21 @@
</para></listitem>
</varlistentry>
<varlistentry>
<term>--user-policy</term>
<term>--user-authentication-policy</term>
<listitem><para>
User account policy.
User account authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--service-policy</term>
<term>--service-authentication-policy</term>
<listitem><para>
Managed Service Account policy.
Managed service account authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--computer-policy</term>
<term>--computer-authentication-policy</term>
<listitem><para>
Computer Account policy.
Computer authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
@ -1188,21 +1188,21 @@
</para></listitem>
</varlistentry>
<varlistentry>
<term>--user-policy</term>
<term>--user-authentication-policy</term>
<listitem><para>
User account policy.
User account authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--service-policy</term>
<term>--service-authentication-policy</term>
<listitem><para>
Managed Service Account policy.
Managed service account authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--computer-policy</term>
<term>--computer-authentication-policy</term>
<listitem><para>
Computer Account policy.
Computer authentication policy.
</para></listitem>
</varlistentry>
<varlistentry>


@ -115,15 +115,15 @@ class cmd_domain_auth_silo_create(Command):
Option("--description",
help="Optional description for authentication silo.",
dest="description", action="store", type=str),
Option("--user-policy",
help="User account policy.",
dest="user_policy", action="store", type=str),
Option("--service-policy",
help="Managed Service Account policy.",
dest="service_policy", action="store", type=str),
Option("--computer-policy",
help="Computer account policy.",
dest="computer_policy", action="store", type=str),
Option("--user-authentication-policy",
help="User account authentication policy.",
dest="user_authentication_policy", action="store", type=str),
Option("--service-authentication-policy",
help="Managed service account authentication policy.",
dest="service_authentication_policy", action="store", type=str),
Option("--computer-authentication-policy",
help="Computer authentication policy.",
dest="computer_authentication_policy", action="store", type=str),
Option("--protect",
help="Protect authentication silo from accidental deletion.",
dest="protect", action="store_true"),
@ -150,10 +150,13 @@ class cmd_domain_auth_silo_create(Command):
except (LookupError, ValueError) as e:
raise CommandError(e)
def run(self, hostopts=None, sambaopts=None, credopts=None, name=None,
description=None, user_policy=None, service_policy=None,
computer_policy=None, protect=None, unprotect=None, audit=None,
enforce=None):
def run(self, hostopts=None, sambaopts=None, credopts=None,
name=None, description=None,
user_authentication_policy=None,
service_authentication_policy=None,
computer_authentication_policy=None,
protect=None, unprotect=None,
audit=None, enforce=None):
if protect and unprotect:
raise CommandError("--protect and --unprotect cannot be used together.")
@ -175,16 +178,19 @@ class cmd_domain_auth_silo_create(Command):
silo = AuthenticationSilo(cn=name, description=description)
# Set user policy
if user_policy:
silo.user_policy = self.get_policy(ldb, user_policy).dn
if user_authentication_policy:
silo.user_authentication_policy = \
self.get_policy(ldb, user_authentication_policy).dn
# Set service policy
if service_policy:
silo.service_policy = self.get_policy(ldb, service_policy).dn
if service_authentication_policy:
silo.service_authentication_policy = \
self.get_policy(ldb, service_authentication_policy).dn
# Set computer policy
if computer_policy:
silo.computer_policy = self.get_policy(ldb, computer_policy).dn
if computer_authentication_policy:
silo.computer_authentication_policy = \
self.get_policy(ldb, computer_authentication_policy).dn
# Either --enforce will be set or --audit but never both.
# The default if both are missing is enforce=True.
@ -223,15 +229,15 @@ class cmd_domain_auth_silo_modify(Command):
Option("--description",
help="Optional description for authentication silo.",
dest="description", action="store", type=str),
Option("--user-policy",
help="Set User account policy.",
dest="user_policy", action="store", type=str),
Option("--service-policy",
help="Set Managed Service Account policy.",
dest="service_policy", action="store", type=str),
Option("--computer-policy",
help="Set Computer Account policy.",
dest="computer_policy", action="store", type=str),
Option("--user-authentication-policy",
help="User account authentication policy.",
dest="user_authentication_policy", action="store", type=str),
Option("--service-authentication-policy",
help="Managed service account authentication policy.",
dest="service_authentication_policy", action="store", type=str),
Option("--computer-authentication-policy",
help="Computer authentication policy.",
dest="computer_authentication_policy", action="store", type=str),
Option("--protect",
help="Protect authentication silo from accidental deletion.",
dest="protect", action="store_true"),
@ -258,10 +264,13 @@ class cmd_domain_auth_silo_modify(Command):
except (LookupError, ModelError, ValueError) as e:
raise CommandError(e)
def run(self, hostopts=None, sambaopts=None, credopts=None, name=None,
description=None, user_policy=None, service_policy=None,
computer_policy=None, protect=None, unprotect=None, audit=None,
enforce=None):
def run(self, hostopts=None, sambaopts=None, credopts=None,
name=None, description=None,
user_authentication_policy=None,
service_authentication_policy=None,
computer_authentication_policy=None,
protect=None, unprotect=None,
audit=None, enforce=None):
if audit and enforce:
raise CommandError("--audit and --enforce cannot be used together.")
@ -290,22 +299,25 @@ class cmd_domain_auth_silo_modify(Command):
silo.description = description
# Set or unset user policy.
if user_policy == "":
silo.user_policy = None
elif user_policy:
silo.user_policy = self.get_policy(ldb, user_policy).dn
if user_authentication_policy == "":
silo.user_authentication_policy = None
elif user_authentication_policy:
silo.user_authentication_policy = \
self.get_policy(ldb, user_authentication_policy).dn
# Set or unset service policy.
if service_policy == "":
silo.service_policy = None
elif service_policy:
silo.service_policy = self.get_policy(ldb, service_policy).dn
if service_authentication_policy == "":
silo.service_authentication_policy = None
elif service_authentication_policy:
silo.service_authentication_policy = \
self.get_policy(ldb, service_authentication_policy).dn
# Set or unset computer policy.
if computer_policy == "":
silo.computer_policy = None
elif computer_policy:
silo.computer_policy = self.get_policy(ldb, computer_policy).dn
if computer_authentication_policy == "":
silo.computer_authentication_policy = None
elif computer_authentication_policy:
silo.computer_authentication_policy = \
self.get_policy(ldb, computer_authentication_policy).dn
# Update silo
try:
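Review bot: The reworded help for the three policy options on `cmd_domain_auth_silo_modify` drops the word "Set" and still does not say that an empty value clears the policy, although the `== ""` branches in its `run` do exactly that (`silo.user_authentication_policy = None`, and the same for the service and computer fields). Removing an authentication policy from a silo presumably relaxes what applies to its members, and an empty string is what a script passes when a shell variable is unset, so the behaviour should be visible to the operator. I would change the modify help to something like `help="User account authentication policy (pass an empty string to unset)."` for all three options, and mirror that in whichever manpage entries document modify. The `run` body continues past the end of the last hunk, so whether the update path reports the removal is not visible here.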


@ -30,9 +30,9 @@ from .model import Model
class AuthenticationSilo(Model):
description = StringField("description")
enforced = BooleanField("msDS-AuthNPolicySiloEnforced")
user_policy = DnField("msDS-UserAuthNPolicy")
service_policy = DnField("msDS-ServiceAuthNPolicy")
computer_policy = DnField("msDS-ComputerAuthNPolicy")
user_authentication_policy = DnField("msDS-UserAuthNPolicy")
service_authentication_policy = DnField("msDS-ServiceAuthNPolicy")
computer_authentication_policy = DnField("msDS-ComputerAuthNPolicy")
members = DnField("msDS-AuthNPolicySiloMembers", many=True)
@staticmethod


@ -44,17 +44,20 @@ class BaseAuthCmdTest(SambaToolCmdTest):
cls.create_authentication_policy(name="Service Policy")
cls.create_authentication_policy(name="Computer Policy")
cls.create_authentication_silo(name="Developers",
description="Developers, Developers",
user_policy="User Policy")
cls.create_authentication_silo(name="Managers",
description="Managers",
user_policy="User Policy")
cls.create_authentication_silo(name="QA",
description="Quality Assurance",
user_policy="User Policy",
service_policy="Service Policy",
computer_policy="Computer Policy")
cls.create_authentication_silo(
name="Developers",
description="Developers, Developers",
user_authentication_policy="User Policy")
cls.create_authentication_silo(
name="Managers",
description="Managers",
user_authentication_policy="User Policy")
cls.create_authentication_silo(
name="QA",
description="Quality Assurance",
user_authentication_policy="User Policy",
service_authentication_policy="Service Policy",
computer_authentication_policy="Computer Policy")
def get_services_dn(self):
"""Returns Services DN."""
@ -147,21 +150,25 @@ class BaseAuthCmdTest(SambaToolCmdTest):
@classmethod
def create_authentication_silo(cls, name, description=None,
user_policy=None, service_policy=None,
computer_policy=None, audit=False,
protect=False):
user_authentication_policy=None,
service_authentication_policy=None,
computer_authentication_policy=None,
audit=False, protect=False):
"""Create an authentication silo using the samba-tool command."""
# Base command for create authentication policy.
cmd = ["domain", "auth", "silo", "create", "--name", name]
# Authentication policies.
if user_policy:
cmd += ["--user-policy", user_policy]
if service_policy:
cmd += ["--service-policy", service_policy]
if computer_policy:
cmd += ["--computer-policy", computer_policy]
if user_authentication_policy:
cmd += ["--user-authentication-policy",
user_authentication_policy]
if service_authentication_policy:
cmd += ["--service-authentication-policy",
service_authentication_policy]
if computer_authentication_policy:
cmd += ["--computer-authentication-policy",
computer_authentication_policy]
# Other optional attributes.
if description is not None:


@ -94,7 +94,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "singlePolicy",
"--user-policy", "User Policy")
"--user-authentication-policy", "User Policy")
self.assertIsNone(result, msg=err)
# Check silo that was created
@ -110,9 +110,12 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "multiplePolicies",
"--user-policy", "User Policy",
"--service-policy", "Service Policy",
"--computer-policy", "Computer Policy")
"--user-authentication-policy",
"User Policy",
"--service-authentication-policy",
"Service Policy",
"--computer-authentication-policy",
"Computer Policy")
self.assertIsNone(result, msg=err)
# Check silo that was created.
@ -132,7 +135,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "singlePolicyDN",
"--user-policy", policy["dn"])
"--user-authentication-policy", policy["dn"])
self.assertIsNone(result, msg=err)
# Check silo that was created
@ -145,14 +148,14 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
"""Test creating a new authentication silo that already exists."""
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "Developers",
"--user-policy", "User Policy")
"--user-authentication-policy", "User Policy")
self.assertEqual(result, -1)
self.assertIn("Authentication silo Developers already exists.", err)
def test_authentication_silo_create_name_missing(self):
"""Test create authentication silo without --name argument."""
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--user-policy", "User Policy")
"--user-authentication-policy", "User Policy")
self.assertEqual(result, -1)
self.assertIn("Argument --name is required.", err)
@ -163,7 +166,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "auditPolicies",
"--user-policy", "User Policy",
"--user-authentication-policy", "User Policy",
"--audit")
self.assertIsNone(result, msg=err)
@ -178,7 +181,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "enforcePolicies",
"--user-policy", "User Policy",
"--user-authentication-policy", "User Policy",
"--enforce")
self.assertIsNone(result, msg=err)
@ -190,7 +193,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
"""Test create authentication silo using both --audit and --enforce."""
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "enforceTogether",
"--user-policy", "User Policy",
"--user-authentication-policy", "User Policy",
"--audit", "--enforce")
self.assertEqual(result, -1)
self.assertIn("--audit and --enforce cannot be used together.", err)
@ -199,7 +202,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
"""Test create authentication silo using --protect and --unprotect."""
result, out, err = self.runcmd("domain", "auth", "silo",
"create", "--name", "protectTogether",
"--user-policy", "User Policy",
"--user-authentication-policy", "User Policy",
"--protect", "--unprotect")
self.assertEqual(result, -1)
self.assertIn("--protect and --unprotect cannot be used together.", err)
@ -208,7 +211,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
"""Test create authentication silo with a policy that doesn't exist."""
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "policyNotFound",
"--user-policy", "Invalid Policy")
"--user-authentication-policy", "Invalid Policy")
self.assertEqual(result, -1)
self.assertIn("Authentication policy Invalid Policy not found.", err)
@ -219,7 +222,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
add_mock.side_effect = ModelError("Custom error message")
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "createFails",
"--user-policy", "User Policy")
"--user-authentication-policy", "User Policy")
self.assertEqual(result, -1)
self.assertIn("Custom error message", err)
@ -341,7 +344,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
# Create non-protected authentication silo.
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name=deleteTest",
"--user-policy", "User Policy")
"--user-authentication-policy", "User Policy")
self.assertIsNone(result, msg=err)
silo = self.get_authentication_silo("deleteTest")
self.assertIsNotNone(silo)
@ -360,7 +363,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
# Create protected authentication silo.
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name=deleteProtected",
"--user-policy", "User Policy",
"--user-authentication-policy", "User Policy",
"--protect")
self.assertIsNone(result, msg=err)
silo = self.get_authentication_silo("deleteProtected")
@ -402,7 +405,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
# Create protected authentication silo.
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name=deleteForceFail",
"--user-policy", "User Policy",
"--user-authentication-policy", "User Policy",
"--protect")
self.assertIsNone(result, msg=err)
silo = self.get_authentication_silo("deleteForceFail")
@ -423,7 +426,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
# Create regular authentication silo.
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name=regularSilo",
"--user-policy", "User Policy")
"--user-authentication-policy", "User Policy")
self.assertIsNone(result, msg=err)
silo = self.get_authentication_silo("regularSilo")
self.assertIsNotNone(silo)
@ -444,7 +447,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
# Create protected authentication silo.
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name=protectedSilo",
"--user-policy", "User Policy",
"--user-authentication-policy", "User Policy",
"--protect")
self.assertIsNone(result, msg=err)
silo = self.get_authentication_silo("protectedSilo")