mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
netcmd: auth policy: remove old service-allowed-to-authenticate-to-silo and group
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
316a84a597
commit
2cbacad82d
@ -116,16 +116,6 @@ class ServiceOptions(options.OptionGroup):
|
||||
type=str, dest="allowed_to_authenticate_to",
|
||||
action="callback", callback=self.set_option,
|
||||
metavar="SDDL")
|
||||
self.add_option("--service-allowed-to-authenticate-to-by-group",
|
||||
help="The target service requires the connecting user to be in GROUP",
|
||||
type=str, dest="allowed_to_authenticate_to_by_group",
|
||||
action="callback", callback=self.set_option,
|
||||
metavar="GROUP")
|
||||
self.add_option("--service-allowed-to-authenticate-to-by-silo",
|
||||
help="The target service requires the connecting user to be in SILO",
|
||||
type=str, dest="allowed_to_authenticate_to_by_silo",
|
||||
action="callback", callback=self.set_option,
|
||||
metavar="SILO")
|
||||
|
||||
|
||||
class ComputerOptions(options.OptionGroup):
|
||||
@ -272,10 +262,6 @@ class cmd_domain_auth_policy_create(Command):
|
||||
[serviceopts.allowed_to_authenticate_from,
|
||||
serviceopts.allowed_to_authenticate_from_device_group,
|
||||
serviceopts.allowed_to_authenticate_from_device_silo])
|
||||
check_similar_args("--service-allowed-to-authenticate-to",
|
||||
[serviceopts.allowed_to_authenticate_to,
|
||||
serviceopts.allowed_to_authenticate_to_by_group,
|
||||
serviceopts.allowed_to_authenticate_to_by_silo])
|
||||
|
||||
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
|
||||
|
||||
@ -303,18 +289,6 @@ class cmd_domain_auth_policy_create(Command):
|
||||
ldb, cn=serviceopts.allowed_to_authenticate_from_device_silo)
|
||||
serviceopts.allowed_to_authenticate_from = silo.get_authentication_sddl()
|
||||
|
||||
# Generate SDDL for authenticating service accounts to a group
|
||||
if serviceopts.allowed_to_authenticate_to_by_group:
|
||||
group = Group.get(
|
||||
ldb, cn=serviceopts.allowed_to_authenticate_to_by_group)
|
||||
serviceopts.allowed_to_authenticate_to = group.get_authentication_sddl()
|
||||
|
||||
# Generate SDDL for authenticating service accounts to a silo
|
||||
if serviceopts.allowed_to_authenticate_to_by_silo:
|
||||
silo = AuthenticationSilo.get(
|
||||
ldb, cn=serviceopts.allowed_to_authenticate_to_by_silo)
|
||||
serviceopts.allowed_to_authenticate_to = silo.get_authentication_sddl()
|
||||
|
||||
try:
|
||||
policy = AuthenticationPolicy.get(ldb, cn=name)
|
||||
except ModelError as e:
|
||||
@ -418,10 +392,6 @@ class cmd_domain_auth_policy_modify(Command):
|
||||
[serviceopts.allowed_to_authenticate_from,
|
||||
serviceopts.allowed_to_authenticate_from_device_group,
|
||||
serviceopts.allowed_to_authenticate_from_device_silo])
|
||||
check_similar_args("--service-allowed-to-authenticate-to",
|
||||
[serviceopts.allowed_to_authenticate_to,
|
||||
serviceopts.allowed_to_authenticate_to_by_group,
|
||||
serviceopts.allowed_to_authenticate_to_by_silo])
|
||||
|
||||
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
|
||||
|
||||
@ -449,18 +419,6 @@ class cmd_domain_auth_policy_modify(Command):
|
||||
ldb, cn=serviceopts.allowed_to_authenticate_from_device_silo)
|
||||
serviceopts.allowed_to_authenticate_from = silo.get_authentication_sddl()
|
||||
|
||||
# Generate SDDL for authenticating service accounts to a group
|
||||
if serviceopts.allowed_to_authenticate_to_by_group:
|
||||
group = Group.get(
|
||||
ldb, cn=serviceopts.allowed_to_authenticate_to_by_group)
|
||||
serviceopts.allowed_to_authenticate_to = group.get_authentication_sddl()
|
||||
|
||||
# Generate SDDL for authenticating service accounts to a silo
|
||||
if serviceopts.allowed_to_authenticate_to_by_silo:
|
||||
silo = AuthenticationSilo.get(
|
||||
ldb, cn=serviceopts.allowed_to_authenticate_to_by_silo)
|
||||
serviceopts.allowed_to_authenticate_to = silo.get_authentication_sddl()
|
||||
|
||||
try:
|
||||
policy = AuthenticationPolicy.get(ldb, cn=name)
|
||||
except ModelError as e:
|
||||
|
@ -275,47 +275,6 @@ class AuthPolicyCmdTestCase(SiloTest):
|
||||
sddl,
|
||||
'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Managers"))')
|
||||
|
||||
def test_create__service_allowed_to_authenticate_to_by_group(self):
|
||||
"""Tests the --service-allowed-to-authenticate-to-by-group shortcut."""
|
||||
name = self.unique_name()
|
||||
expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
|
||||
self.device_group.object_sid)
|
||||
|
||||
# Create a user with authenticate to by group attribute.
|
||||
self.addCleanup(self.delete_authentication_policy, name=name, force=True)
|
||||
result, out, err = self.runcmd(
|
||||
"domain", "auth", "policy", "create", "--name", name,
|
||||
"--service-allowed-to-authenticate-to-by-group",
|
||||
self.device_group.name)
|
||||
self.assertIsNone(result, msg=err)
|
||||
|
||||
# Check user allowed to authenticate to field was modified.
|
||||
policy = self.get_authentication_policy(name)
|
||||
self.assertEqual(str(policy["cn"]), name)
|
||||
desc = policy["msDS-ServiceAllowedToAuthenticateTo"][0]
|
||||
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
|
||||
self.assertEqual(sddl, expected)
|
||||
|
||||
def test_create__service_allowed_to_authenticate_to_by_silo(self):
|
||||
"""Tests the --service-allowed-to-authenticate-to-by-silo shortcut."""
|
||||
name = self.unique_name()
|
||||
expected = ('O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/'
|
||||
'AuthenticationSilo == "Managers"))')
|
||||
|
||||
# Create a user with authenticate to by silo attribute.
|
||||
self.addCleanup(self.delete_authentication_policy, name=name, force=True)
|
||||
result, out, err = self.runcmd(
|
||||
"domain", "auth", "policy", "create", "--name", name,
|
||||
"--service-allowed-to-authenticate-to-by-silo", "Managers")
|
||||
self.assertIsNone(result, msg=err)
|
||||
|
||||
# Check user allowed to authenticate to field was modified.
|
||||
policy = self.get_authentication_policy(name)
|
||||
self.assertEqual(str(policy["cn"]), name)
|
||||
desc = policy["msDS-ServiceAllowedToAuthenticateTo"][0]
|
||||
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
|
||||
self.assertEqual(sddl, expected)
|
||||
|
||||
def test_create__computer_tgt_lifetime_mins(self):
|
||||
"""Test create a new authentication policy with --computer-tgt-lifetime-mins.
|
||||
|
||||
@ -648,24 +607,27 @@ class AuthPolicyCmdTestCase(SiloTest):
|
||||
self.assertEqual(result, -1)
|
||||
self.assertIn("--service-allowed-to-authenticate-from argument repeated 2 times.", err)
|
||||
|
||||
def test_create__service_allowed_to_authenticate_to_repeated(self):
|
||||
def test_service_allowed_to_authenticate_to__set_repeated(self):
|
||||
"""Test repeating similar arguments doesn't make sense to use together.
|
||||
|
||||
--service-allowed-to-authenticate-to
|
||||
--service-allowed-to-authenticate-to-by-silo
|
||||
service-allowed-to-authenticate-to set --by-group
|
||||
service-allowed-to-authenticate-to set --by-silo
|
||||
"""
|
||||
sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Managers"))'
|
||||
name = self.unique_name()
|
||||
|
||||
result, out, err = self.runcmd("domain", "auth", "policy", "create",
|
||||
"--name", name,
|
||||
"--service-allowed-to-authenticate-to",
|
||||
sddl,
|
||||
"--service-allowed-to-authenticate-to-by-silo",
|
||||
self.runcmd("domain", "auth", "policy", "create", "--name", name)
|
||||
self.addCleanup(self.delete_authentication_policy, name=name, force=True)
|
||||
|
||||
result, out, err = self.runcmd("domain", "auth", "policy",
|
||||
"service-allowed-to-authenticate-to",
|
||||
"set", "--name", name,
|
||||
"--by-group",
|
||||
self.device_group.name,
|
||||
"--by-silo",
|
||||
"QA")
|
||||
|
||||
self.assertEqual(result, -1)
|
||||
self.assertIn("--service-allowed-to-authenticate-to argument repeated 2 times.", err)
|
||||
self.assertIn("Cannot have both --by-group and --by-silo options.", err)
|
||||
|
||||
def test_computer_allowed_to_authenticate_to__set_repeated(self):
|
||||
"""Test repeating similar arguments doesn't make sense to use together.
|
||||
@ -1086,8 +1048,8 @@ class AuthPolicyCmdTestCase(SiloTest):
|
||||
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
|
||||
self.assertEqual(sddl, expected)
|
||||
|
||||
def test_modify__service_allowed_to_authenticate_to_by_group(self):
|
||||
"""Tests the --service-allowed-to-authenticate-to-by-group shortcut."""
|
||||
def test_service_allowed_to_authenticate_to__set_by_group(self):
|
||||
"""Tests the service-allowed-to-authenticate-to set --by-group shortcut."""
|
||||
name = self.unique_name()
|
||||
expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
|
||||
self.device_group.object_sid)
|
||||
@ -1097,10 +1059,10 @@ class AuthPolicyCmdTestCase(SiloTest):
|
||||
self.runcmd("domain", "auth", "policy", "create", "--name", name)
|
||||
|
||||
# Modify user allowed to authenticate to field
|
||||
result, out, err = self.runcmd("domain", "auth", "policy", "modify",
|
||||
"--name", name,
|
||||
"--service-allowed-to-authenticate-to-by-group",
|
||||
self.device_group.name)
|
||||
result, out, err = self.runcmd("domain", "auth", "policy",
|
||||
"service-allowed-to-authenticate-to",
|
||||
"set", "--name", name,
|
||||
"--by-group", self.device_group.name)
|
||||
self.assertIsNone(result, msg=err)
|
||||
|
||||
# Check user allowed to authenticate to field was modified.
|
||||
@ -1110,8 +1072,8 @@ class AuthPolicyCmdTestCase(SiloTest):
|
||||
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
|
||||
self.assertEqual(sddl, expected)
|
||||
|
||||
def test_modify__service_allowed_to_authenticate_to_by_silo(self):
|
||||
"""Tests the --service-allowed-to-authenticate-to-by-silo shortcut."""
|
||||
def test_service_allowed_to_authenticate_to__set_by_silo(self):
|
||||
"""Tests the service-allowed-to-authenticate-to set --by-silo shortcut."""
|
||||
name = self.unique_name()
|
||||
expected = ('O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/'
|
||||
'AuthenticationSilo == "QA"))')
|
||||
@ -1121,10 +1083,10 @@ class AuthPolicyCmdTestCase(SiloTest):
|
||||
self.runcmd("domain", "auth", "policy", "create", "--name", name)
|
||||
|
||||
# Modify user allowed to authenticate to field
|
||||
result, out, err = self.runcmd("domain", "auth", "policy", "modify",
|
||||
"--name", name,
|
||||
"--service-allowed-to-authenticate-to-by-silo",
|
||||
"QA")
|
||||
result, out, err = self.runcmd("domain", "auth", "policy",
|
||||
"service-allowed-to-authenticate-to",
|
||||
"set", "--name", name,
|
||||
"--by-silo", "QA")
|
||||
self.assertIsNone(result, msg=err)
|
||||
|
||||
# Check user allowed to authenticate to field was modified.
|
||||
|
Loading…
Reference in New Issue
Block a user