From 15fb8a5f2efec250acbd60b2855459c888859e20 Mon Sep 17 00:00:00 2001 From: Rob van der Linde Date: Tue, 17 Oct 2023 16:31:53 +1300 Subject: [PATCH] netcmd: silo command uses more consistent naming for policy args Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- docs-xml/manpages/samba-tool.8.xml | 24 ++--- python/samba/netcmd/domain/auth/silo.py | 100 ++++++++++-------- .../samba/netcmd/domain/models/auth_silo.py | 6 +- .../tests/samba_tool/domain_auth_base.py | 47 ++++---- .../tests/samba_tool/domain_auth_silo.py | 39 +++---- 5 files changed, 119 insertions(+), 97 deletions(-) diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index 9e90c2335c0..852152c00f2 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml @@ -1101,21 +1101,21 @@ - --user-policy + --user-authentication-policy - User account policy. + User account authentication policy. - --service-policy + --service-authentication-policy - Managed Service Account policy. + Managed service account authentication policy. - --computer-policy + --computer-authentication-policy - Computer Account policy. + Computer authentication policy. @@ -1188,21 +1188,21 @@ - --user-policy + --user-authentication-policy - User account policy. + User account authentication policy. - --service-policy + --service-authentication-policy - Managed Service Account policy. + Managed service account authentication policy. - --computer-policy + --computer-authentication-policy - Computer Account policy. + Computer authentication policy. diff --git a/python/samba/netcmd/domain/auth/silo.py b/python/samba/netcmd/domain/auth/silo.py index 945fef7785f..b1e2ef0a0ae 100644 --- a/python/samba/netcmd/domain/auth/silo.py +++ b/python/samba/netcmd/domain/auth/silo.py 
@@ -115,15 +115,15 @@ class cmd_domain_auth_silo_create(Command): Option("--description", help="Optional description for authentication silo.", dest="description", action="store", type=str), - Option("--user-policy", - help="User account policy.", - dest="user_policy", action="store", type=str), - Option("--service-policy", - help="Managed Service Account policy.", - dest="service_policy", action="store", type=str), - Option("--computer-policy", - help="Computer account policy.", - dest="computer_policy", action="store", type=str), + Option("--user-authentication-policy", + help="User account authentication policy.", + dest="user_authentication_policy", action="store", type=str), + Option("--service-authentication-policy", + help="Managed service account authentication policy.", + dest="service_authentication_policy", action="store", type=str), + Option("--computer-authentication-policy", + help="Computer authentication policy.", + dest="computer_authentication_policy", action="store", type=str), Option("--protect", help="Protect authentication silo from accidental deletion.", dest="protect", action="store_true"), @@ -150,10 +150,13 @@ class cmd_domain_auth_silo_create(Command): except (LookupError, ValueError) as e: raise CommandError(e) - def run(self, hostopts=None, sambaopts=None, credopts=None, name=None, - description=None, user_policy=None, service_policy=None, - computer_policy=None, protect=None, unprotect=None, audit=None, - enforce=None): + def run(self, hostopts=None, sambaopts=None, credopts=None, + name=None, description=None, + user_authentication_policy=None, + service_authentication_policy=None, + computer_authentication_policy=None, + protect=None, unprotect=None, + audit=None, enforce=None): if protect and unprotect: raise CommandError("--protect and --unprotect cannot be used together.") 
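Review bot: The three renamed options in this hunk drop the old spellings outright, so any provisioning script that still passes `--user-policy`, `--service-policy` or `--computer-policy` to `silo create` will stop at option parsing. If those names have already shipped in a release, consider keeping them as extra option strings for a deprecation period, e.g. `Option("--user-authentication-policy", "--user-policy", ...)`, assuming `Option` follows optparse in accepting several spellings for one `dest`. The same applies to the option list of `cmd_domain_auth_silo_modify` in the `@@ -223,15 +229,15 @@` hunk. The option list starts and ends outside this hunk.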
@@ -175,16 +178,19 @@ class cmd_domain_auth_silo_create(Command): silo = AuthenticationSilo(cn=name, description=description) # Set user policy - if user_policy: - silo.user_policy = self.get_policy(ldb, user_policy).dn + if user_authentication_policy: + silo.user_authentication_policy = \ + self.get_policy(ldb, user_authentication_policy).dn # Set service policy - if service_policy: - silo.service_policy = self.get_policy(ldb, service_policy).dn + if service_authentication_policy: + silo.service_authentication_policy = \ + self.get_policy(ldb, service_authentication_policy).dn # Set computer policy - if computer_policy: - silo.computer_policy = self.get_policy(ldb, computer_policy).dn + if computer_authentication_policy: + silo.computer_authentication_policy = \ + self.get_policy(ldb, computer_authentication_policy).dn # Either --enforce will be set or --audit but never both. # The default if both are missing is enforce=True. 
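Review bot: The truthiness checks `if user_authentication_policy:` (and the service and computer equivalents) treat an empty string the same as an omitted option, so `silo create --user-authentication-policy ""`, for example from a script whose variable expanded to nothing, appears to succeed and leave the silo without that policy. For a command that configures authentication restrictions it is safer to fail closed, e.g. `if user_authentication_policy == "": raise CommandError("--user-authentication-policy cannot be empty.")`. `silo modify` gives the empty string a meaning (unset), which makes the silent skip here easy to overlook. The body of `run` starts before and continues after this hunk, so an earlier check may exist that is not visible here.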
@@ -223,15 +229,15 @@ class cmd_domain_auth_silo_modify(Command): Option("--description", help="Optional description for authentication silo.", dest="description", action="store", type=str), - Option("--user-policy", - help="Set User account policy.", - dest="user_policy", action="store", type=str), - Option("--service-policy", - help="Set Managed Service Account policy.", - dest="service_policy", action="store", type=str), - Option("--computer-policy", - help="Set Computer Account policy.", - dest="computer_policy", action="store", type=str), + Option("--user-authentication-policy", + help="User account authentication policy.", + dest="user_authentication_policy", action="store", type=str), + Option("--service-authentication-policy", + help="Managed service account authentication policy.", + dest="service_authentication_policy", action="store", type=str), + Option("--computer-authentication-policy", + help="Computer authentication policy.", + dest="computer_authentication_policy", action="store", type=str), Option("--protect", help="Protect authentication silo from accidental deletion.", dest="protect", action="store_true"), @@ -258,10 +264,13 @@ class cmd_domain_auth_silo_modify(Command): except (LookupError, ModelError, ValueError) as e: raise CommandError(e) - def run(self, hostopts=None, sambaopts=None, credopts=None, name=None, - description=None, user_policy=None, service_policy=None, - computer_policy=None, protect=None, unprotect=None, audit=None, - enforce=None): + def run(self, hostopts=None, sambaopts=None, credopts=None, + name=None, description=None, + user_authentication_policy=None, + service_authentication_policy=None, + computer_authentication_policy=None, + protect=None, unprotect=None, + audit=None, enforce=None): if audit and enforce: raise CommandError("--audit and --enforce cannot be used together.") 
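Review bot: The new help strings for `silo modify` are now identical to those of `silo create`, and nothing tells the operator that an empty string clears the policy, which the body of `run` implements in the next hunk (`if user_authentication_policy == "": silo.user_authentication_policy = None`). Since clearing a policy removes a restriction from the silo, spell it out in the help, e.g. `help="User account authentication policy (an empty string unsets it)."`, and likewise for the service and computer options. The manpage text changed in this patch uses the same wording and would need the same sentence.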
@@ -290,22 +299,25 @@ class cmd_domain_auth_silo_modify(Command): silo.description = description # Set or unset user policy. - if user_policy == "": - silo.user_policy = None - elif user_policy: - silo.user_policy = self.get_policy(ldb, user_policy).dn + if user_authentication_policy == "": + silo.user_authentication_policy = None + elif user_authentication_policy: + silo.user_authentication_policy = \ + self.get_policy(ldb, user_authentication_policy).dn # Set or unset service policy. - if service_policy == "": - silo.service_policy = None - elif service_policy: - silo.service_policy = self.get_policy(ldb, service_policy).dn + if service_authentication_policy == "": + silo.service_authentication_policy = None + elif service_authentication_policy: + silo.service_authentication_policy = \ + self.get_policy(ldb, service_authentication_policy).dn # Set or unset computer policy. - if computer_policy == "": - silo.computer_policy = None - elif computer_policy: - silo.computer_policy = self.get_policy(ldb, computer_policy).dn + if computer_authentication_policy == "": + silo.computer_authentication_policy = None + elif computer_authentication_policy: + silo.computer_authentication_policy = \ + self.get_policy(ldb, computer_authentication_policy).dn # Update silo try: diff --git a/python/samba/netcmd/domain/models/auth_silo.py b/python/samba/netcmd/domain/models/auth_silo.py index e3228d5607b..6e624449d31 100644 --- a/python/samba/netcmd/domain/models/auth_silo.py +++ b/python/samba/netcmd/domain/models/auth_silo.py 
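Review bot: Nothing in this patch exercises the renamed set/unset branches of `silo modify`: every hunk in `python/samba/tests/samba_tool/domain_auth_silo.py` touches a `silo create` call, and no `silo modify` invocation needed updating, which suggests these branches had no test passing a policy option before the rename either. A typo in one of the three new keyword or attribute names here would then go unnoticed, and the unset path is the one that removes a restriction. I would add a test that runs `silo modify` with `--user-authentication-policy` set to another policy and then to `""`, asserting the value of `msDS-UserAuthNPolicy` on the silo after each step. The `run` method begins and ends outside this hunk.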
@@ -30,9 +30,9 @@ from .model import Model class AuthenticationSilo(Model): description = StringField("description") enforced = BooleanField("msDS-AuthNPolicySiloEnforced") - user_policy = DnField("msDS-UserAuthNPolicy") - service_policy = DnField("msDS-ServiceAuthNPolicy") - computer_policy = DnField("msDS-ComputerAuthNPolicy") + user_authentication_policy = DnField("msDS-UserAuthNPolicy") + service_authentication_policy = DnField("msDS-ServiceAuthNPolicy") + computer_authentication_policy = DnField("msDS-ComputerAuthNPolicy") members = DnField("msDS-AuthNPolicySiloMembers", many=True) @staticmethod diff --git a/python/samba/tests/samba_tool/domain_auth_base.py b/python/samba/tests/samba_tool/domain_auth_base.py index 505674d7d91..2bf619c7bd9 100644 --- a/python/samba/tests/samba_tool/domain_auth_base.py +++ b/python/samba/tests/samba_tool/domain_auth_base.py @@ -44,17 +44,20 @@ class BaseAuthCmdTest(SambaToolCmdTest): cls.create_authentication_policy(name="Service Policy") cls.create_authentication_policy(name="Computer Policy") - cls.create_authentication_silo(name="Developers", - description="Developers, Developers", - user_policy="User Policy") - cls.create_authentication_silo(name="Managers", - description="Managers", - user_policy="User Policy") - cls.create_authentication_silo(name="QA", - description="Quality Assurance", - user_policy="User Policy", - service_policy="Service Policy", - computer_policy="Computer Policy") + cls.create_authentication_silo( + name="Developers", + description="Developers, Developers", + user_authentication_policy="User Policy") + cls.create_authentication_silo( + name="Managers", + description="Managers", + user_authentication_policy="User Policy") + cls.create_authentication_silo( + name="QA", + description="Quality Assurance", + user_authentication_policy="User Policy", + service_authentication_policy="Service Policy", + computer_authentication_policy="Computer Policy") def get_services_dn(self): """Returns Services DN.""" 
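Review bot: Renaming the model attributes `user_policy`, `service_policy` and `computer_policy` changes the Python API of `AuthenticationSilo`, and a leftover write such as `silo.user_policy = dn` elsewhere would not necessarily fail. Unless `Model` rejects unknown attributes (not visible here), Python would create a plain instance attribute and the silo would be saved without `msDS-UserAuthNPolicy`. This patch updates `silo.py` and the tests; it is worth confirming with a tree-wide search that no other caller reads or assigns the old names. A short comment above the three fields, e.g. `# Names match the --*-authentication-policy command line options.`, would record why the longer names were chosen.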
@@ -147,21 +150,25 @@ class BaseAuthCmdTest(SambaToolCmdTest): @classmethod def create_authentication_silo(cls, name, description=None, - user_policy=None, service_policy=None, - computer_policy=None, audit=False, - protect=False): + user_authentication_policy=None, + service_authentication_policy=None, + computer_authentication_policy=None, + audit=False, protect=False): """Create an authentication silo using the samba-tool command.""" # Base command for create authentication policy. cmd = ["domain", "auth", "silo", "create", "--name", name] # Authentication policies. - if user_policy: - cmd += ["--user-policy", user_policy] - if service_policy: - cmd += ["--service-policy", service_policy] - if computer_policy: - cmd += ["--computer-policy", computer_policy] + if user_authentication_policy: + cmd += ["--user-authentication-policy", + user_authentication_policy] + if service_authentication_policy: + cmd += ["--service-authentication-policy", + service_authentication_policy] + if computer_authentication_policy: + cmd += ["--computer-authentication-policy", + computer_authentication_policy] # Other optional attributes. if description is not None: diff --git a/python/samba/tests/samba_tool/domain_auth_silo.py b/python/samba/tests/samba_tool/domain_auth_silo.py index 632609fcd3f..88bc4a9bb90 100644 --- a/python/samba/tests/samba_tool/domain_auth_silo.py +++ b/python/samba/tests/samba_tool/domain_auth_silo.py @@ -94,7 +94,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest): result, out, err = self.runcmd("domain", "auth", "silo", "create", "--name", "singlePolicy", - "--user-policy", "User Policy") + "--user-authentication-policy", "User Policy") self.assertIsNone(result, msg=err) # Check silo that was created 
@@ -110,9 +110,12 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest): result, out, err = self.runcmd("domain", "auth", "silo", "create", "--name", "multiplePolicies", - "--user-policy", "User Policy", - "--service-policy", "Service Policy", - "--computer-policy", "Computer Policy") + "--user-authentication-policy", + "User Policy", + "--service-authentication-policy", + "Service Policy", + "--computer-authentication-policy", + "Computer Policy") self.assertIsNone(result, msg=err) # Check silo that was created. @@ -132,7 +135,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest): result, out, err = self.runcmd("domain", "auth", "silo", "create", "--name", "singlePolicyDN", - "--user-policy", policy["dn"]) + "--user-authentication-policy", policy["dn"]) self.assertIsNone(result, msg=err) # Check silo that was created @@ -145,14 +148,14 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest): """Test creating a new authentication silo that already exists.""" result, out, err = self.runcmd("domain", "auth", "silo", "create", "--name", "Developers", - "--user-policy", "User Policy") + "--user-authentication-policy", "User Policy") self.assertEqual(result, -1) self.assertIn("Authentication silo Developers already exists.", err) def test_authentication_silo_create_name_missing(self): """Test create authentication silo without --name argument.""" result, out, err = self.runcmd("domain", "auth", "silo", "create", - "--user-policy", "User Policy") + "--user-authentication-policy", "User Policy") self.assertEqual(result, -1) self.assertIn("Argument --name is required.", err) @@ -163,7 +166,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest): result, out, err = self.runcmd("domain", "auth", "silo", "create", "--name", "auditPolicies", - "--user-policy", "User Policy", + "--user-authentication-policy", "User Policy", "--audit") self.assertIsNone(result, msg=err) 
@@ -178,7 +181,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest): result, out, err = self.runcmd("domain", "auth", "silo", "create", "--name", "enforcePolicies", - "--user-policy", "User Policy", + "--user-authentication-policy", "User Policy", "--enforce") self.assertIsNone(result, msg=err) @@ -190,7 +193,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest): """Test create authentication silo using both --audit and --enforce.""" result, out, err = self.runcmd("domain", "auth", "silo", "create", "--name", "enforceTogether", - "--user-policy", "User Policy", + "--user-authentication-policy", "User Policy", "--audit", "--enforce") self.assertEqual(result, -1) self.assertIn("--audit and --enforce cannot be used together.", err) @@ -199,7 +202,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest): """Test create authentication silo using --protect and --unprotect.""" result, out, err = self.runcmd("domain", "auth", "silo", "create", "--name", "protectTogether", - "--user-policy", "User Policy", + "--user-authentication-policy", "User Policy", "--protect", "--unprotect") self.assertEqual(result, -1) self.assertIn("--protect and --unprotect cannot be used together.", err) @@ -208,7 +211,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest): """Test create authentication silo with a policy that doesn't exist.""" result, out, err = self.runcmd("domain", "auth", "silo", "create", "--name", "policyNotFound", - "--user-policy", "Invalid Policy") + "--user-authentication-policy", "Invalid Policy") self.assertEqual(result, -1) self.assertIn("Authentication policy Invalid Policy not found.", err) @@ -219,7 +222,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest): add_mock.side_effect = ModelError("Custom error message") result, out, err = self.runcmd("domain", "auth", "silo", "create", "--name", "createFails", - "--user-policy", "User Policy") + "--user-authentication-policy", "User Policy") self.assertEqual(result, -1) self.assertIn("Custom error message", err) 
@@ -341,7 +344,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest): # Create non-protected authentication silo. result, out, err = self.runcmd("domain", "auth", "silo", "create", "--name=deleteTest", - "--user-policy", "User Policy") + "--user-authentication-policy", "User Policy") self.assertIsNone(result, msg=err) silo = self.get_authentication_silo("deleteTest") self.assertIsNotNone(silo) @@ -360,7 +363,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest): # Create protected authentication silo. result, out, err = self.runcmd("domain", "auth", "silo", "create", "--name=deleteProtected", - "--user-policy", "User Policy", + "--user-authentication-policy", "User Policy", "--protect") self.assertIsNone(result, msg=err) silo = self.get_authentication_silo("deleteProtected") @@ -402,7 +405,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest): # Create protected authentication silo. result, out, err = self.runcmd("domain", "auth", "silo", "create", "--name=deleteForceFail", - "--user-policy", "User Policy", + "--user-authentication-policy", "User Policy", "--protect") self.assertIsNone(result, msg=err) silo = self.get_authentication_silo("deleteForceFail") @@ -423,7 +426,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest): # Create regular authentication silo. result, out, err = self.runcmd("domain", "auth", "silo", "create", "--name=regularSilo", - "--user-policy", "User Policy") + "--user-authentication-policy", "User Policy") self.assertIsNone(result, msg=err) silo = self.get_authentication_silo("regularSilo") self.assertIsNotNone(silo) @@ -444,7 +447,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest): # Create protected authentication silo. result, out, err = self.runcmd("domain", "auth", "silo", "create", "--name=protectedSilo", - "--user-policy", "User Policy", + "--user-authentication-policy", "User Policy", "--protect") self.assertIsNone(result, msg=err) silo = self.get_authentication_silo("protectedSilo")