sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00
Code

netcmd: auth policy: remove old computer-allowed-to-authenticate-to-silo and group

Browse Source 
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Rob van der Linde 2024-03-20 22:31:48 +13:00 committed by Andrew Bartlett
parent 86d3706bd2
commit 49c3bca803
3 changed files with 30 additions and 109 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
python/samba/netcmd/domain/auth/policy/policy.py
View File

@ -154,16 +154,6 @@ class ComputerOptions(options.OptionGroup):
type=str, dest="allowed_to_authenticate_to",
action="callback", callback=self.set_option,
metavar="SDDL")
self.add_option("--computer-allowed-to-authenticate-to-by-group",
help="The computer account (server, workstation) service requires the connecting user to be in GROUP",
type=str, dest="allowed_to_authenticate_to_by_group",
action="callback", callback=self.set_option,
metavar="GROUP")
self.add_option("--computer-allowed-to-authenticate-to-by-silo",
help="The computer account (server, workstation) service requires the connecting user to be in SILO",
type=str, dest="allowed_to_authenticate_to_by_silo",
action="callback", callback=self.set_option,
metavar="SILO")
class cmd_domain_auth_policy_list(Command):
@ -300,10 +290,6 @@ class cmd_domain_auth_policy_create(Command):
[serviceopts.allowed_to_authenticate_to,
serviceopts.allowed_to_authenticate_to_by_group,
serviceopts.allowed_to_authenticate_to_by_silo])
check_similar_args("--computer-allowed-to-authenticate-to",
[computeropts.allowed_to_authenticate_to,
computeropts.allowed_to_authenticate_to_by_group,
computeropts.allowed_to_authenticate_to_by_silo])
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
@ -355,18 +341,6 @@ class cmd_domain_auth_policy_create(Command):
ldb, cn=serviceopts.allowed_to_authenticate_to_by_silo)
serviceopts.allowed_to_authenticate_to = silo.get_authentication_sddl()
# Generate SDDL for authenticating computer accounts to a group
if computeropts.allowed_to_authenticate_to_by_group:
group = Group.get(
ldb, cn=computeropts.allowed_to_authenticate_to_by_group)
computeropts.allowed_to_authenticate_to = group.get_authentication_sddl()
# Generate SDDL for authenticating computer accounts to a silo
if computeropts.allowed_to_authenticate_to_by_silo:
silo = AuthenticationSilo.get(
ldb, cn=computeropts.allowed_to_authenticate_to_by_silo)
computeropts.allowed_to_authenticate_to = silo.get_authentication_sddl()
try:
policy = AuthenticationPolicy.get(ldb, cn=name)
except ModelError as e:
@ -478,10 +452,6 @@ class cmd_domain_auth_policy_modify(Command):
[serviceopts.allowed_to_authenticate_to,
serviceopts.allowed_to_authenticate_to_by_group,
serviceopts.allowed_to_authenticate_to_by_silo])
check_similar_args("--computer-allowed-to-authenticate-to",
[computeropts.allowed_to_authenticate_to,
computeropts.allowed_to_authenticate_to_by_group,
computeropts.allowed_to_authenticate_to_by_silo])
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
@ -533,18 +503,6 @@ class cmd_domain_auth_policy_modify(Command):
ldb, cn=serviceopts.allowed_to_authenticate_to_by_silo)
serviceopts.allowed_to_authenticate_to = silo.get_authentication_sddl()
# Generate SDDL for authenticating computer accounts to a group
if computeropts.allowed_to_authenticate_to_by_group:
group = Group.get(
ldb, cn=computeropts.allowed_to_authenticate_to_by_group)
computeropts.allowed_to_authenticate_to = group.get_authentication_sddl()
# Generate SDDL for authenticating computer accounts to a silo
if computeropts.allowed_to_authenticate_to_by_silo:
silo = AuthenticationSilo.get(
ldb, cn=computeropts.allowed_to_authenticate_to_by_silo)
computeropts.allowed_to_authenticate_to = silo.get_authentication_sddl()
try:
policy = AuthenticationPolicy.get(ldb, cn=name)
except ModelError as e:

13
python/samba/tests/blackbox/claims.py
View File

@ -245,8 +245,9 @@ class ClaimsSupportTests(BlackboxTestCase):
# Likewise, if there are services running in user accounts, we need
# --user-allowed-to-authenticate-to
self.check_run("domain auth policy modify --name=allowed-devices-only-pol "
"--user-allowed-to-authenticate-from-device-silo=allowed-devices-only-silo "
"--computer-allowed-to-authenticate-to-by-silo=allowed-devices-only-silo")
"--user-allowed-to-authenticate-from-device-silo=allowed-devices-only-silo")
self.check_run("domain auth policy computer-allowed-to-authenticate-to set "
"--name=allowed-devices-only-pol --by-silo=allowed-devices-only-silo")
# Grant access to silo.
self.check_run(r"domain auth silo member grant --name=allowed-devices-only-silo --member=claims-device\$")
@ -350,8 +351,8 @@ class ClaimsSupportTests(BlackboxTestCase):
self.addCleanup(self.run_command, "group delete server-access-group")
# Set allowed to authenticate to.
self.check_run("domain auth policy modify --name=restricted-servers-pol "
"--computer-allowed-to-authenticate-to-by-group=server-access-group")
self.check_run("domain auth policy computer-allowed-to-authenticate-to set "
"--name=restricted-servers-pol --by-group=server-access-group")
self.check_run(r"user auth policy assign claims-server\$ --policy=restricted-servers-pol")
@ -409,8 +410,8 @@ class ClaimsSupportTests(BlackboxTestCase):
"domain auth silo delete --name=restricted-servers-silo")
# Set allowed to authenticate to.
self.check_run("domain auth policy modify --name=restricted-servers-pol "
"--computer-allowed-to-authenticate-to-by-silo=restricted-servers-silo")
self.check_run("domain auth policy computer-allowed-to-authenticate-to set "
"--name=restricted-servers-pol --by-silo=restricted-servers-silo")
# Grant access to silo.
self.check_run(r"domain auth silo member grant --name=restricted-servers-silo --member=claims-server\$")

84
python/samba/tests/samba_tool/domain_auth_policy.py
View File

@ -391,47 +391,6 @@ class AuthPolicyCmdTestCase(SiloTest):
self.assertIn("--computer-tgt-lifetime-mins must be between 45 and 2147483647",
err)
def test_create__computer_allowed_to_authenticate_to_by_group(self):
"""Tests the --computer-allowed-to-authenticate-to-by-group shortcut."""
name = self.unique_name()
expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
self.device_group.object_sid)
# Create a user with authenticate to by group attribute.
self.addCleanup(self.delete_authentication_policy, name=name, force=True)
result, out, err = self.runcmd(
"domain", "auth", "policy", "create", "--name", name,
"--computer-allowed-to-authenticate-to-by-group",
self.device_group.name)
self.assertIsNone(result, msg=err)
# Check user allowed to authenticate to field was modified.
policy = self.get_authentication_policy(name)
self.assertEqual(str(policy["cn"]), name)
desc = policy["msDS-ComputerAllowedToAuthenticateTo"][0]
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
self.assertEqual(sddl, expected)
def test_create__computer_allowed_to_authenticate_to_by_silo(self):
"""Tests the --computer-allowed-to-authenticate-to-by-silo shortcut."""
name = self.unique_name()
expected = ('O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/'
'AuthenticationSilo == "QA"))')
# Create a user with authenticate to by silo attribute.
self.addCleanup(self.delete_authentication_policy, name=name, force=True)
result, out, err = self.runcmd(
"domain", "auth", "policy", "create", "--name", name,
"--computer-allowed-to-authenticate-to-by-silo", "QA")
self.assertIsNone(result, msg=err)
# Check user allowed to authenticate to field was modified.
policy = self.get_authentication_policy(name)
self.assertEqual(str(policy["cn"]), name)
desc = policy["msDS-ComputerAllowedToAuthenticateTo"][0]
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
self.assertEqual(sddl, expected)
def test_create__valid_sddl(self):
"""Test creating a new authentication policy with valid SDDL in a field."""
name = self.unique_name()
@ -746,24 +705,27 @@ class AuthPolicyCmdTestCase(SiloTest):
self.assertEqual(result, -1)
self.assertIn("--service-allowed-to-authenticate-to argument repeated 2 times.", err)
def test_create__computer_allowed_to_authenticate_to_repeated(self):
def test_computer_allowed_to_authenticate_to__set_repeated(self):
"""Test repeating similar arguments doesn't make sense to use together.
--computer-allowed-to-authenticate-to
--computer-allowed-to-authenticate-to-by-silo
computer-allowed-to-authenticate-to set --by-group
computer-allowed-to-authenticate-to set --by-silo
"""
sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Managers"))'
name = self.unique_name()
result, out, err = self.runcmd("domain", "auth", "policy", "create",
"--name", name,
"--computer-allowed-to-authenticate-to",
sddl,
"--computer-allowed-to-authenticate-to-by-silo",
self.runcmd("domain", "auth", "policy", "create", "--name", name)
self.addCleanup(self.delete_authentication_policy, name=name, force=True)
result, out, err = self.runcmd("domain", "auth", "policy",
"computer-allowed-to-authenticate-to",
"set", "--name", name,
"--by-group",
self.device_group.name,
"--by-silo",
"QA")
self.assertEqual(result, -1)
self.assertIn("--computer-allowed-to-authenticate-to argument repeated 2 times.", err)
self.assertIn("Cannot have both --by-group and --by-silo options.", err)
def test_create__fails(self):
"""Test creating an authentication policy, but it fails."""
@ -1233,8 +1195,8 @@ class AuthPolicyCmdTestCase(SiloTest):
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
self.assertEqual(sddl, expected)
def test_modify__computer_allowed_to_authenticate_to_by_group(self):
"""Tests the --computer-allowed-to-authenticate-to-by-group shortcut."""
def test_computer_allowed_to_authenticate_to__set_by_group(self):
"""Tests the computer-allowed-to-authenticate-to set --by-group shortcut."""
name = self.unique_name()
expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
self.device_group.object_sid)
@ -1244,9 +1206,9 @@ class AuthPolicyCmdTestCase(SiloTest):
self.runcmd("domain", "auth", "policy", "create", "--name", name)
# Modify user allowed to authenticate to field
result, out, err = self.runcmd("domain", "auth", "policy", "modify",
"--name", name,
"--computer-allowed-to-authenticate-to-by-group",
result, out, err = self.runcmd("domain", "auth", "policy",
"computer-allowed-to-authenticate-to",
"set", "--name", name, "--by-group",
self.device_group.name)
self.assertIsNone(result, msg=err)
@ -1257,8 +1219,8 @@ class AuthPolicyCmdTestCase(SiloTest):
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
self.assertEqual(sddl, expected)
def test_modify__computer_allowed_to_authenticate_to_by_silo(self):
"""Tests the --computer-allowed-to-authenticate-to-by-silo shortcut."""
def test_computer_allowed_to_authenticate_to__set_by_silo(self):
"""Tests the computer-allowed-to-authenticate-to set --by-silo shortcut."""
name = self.unique_name()
expected = ('O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/'
'AuthenticationSilo == "QA"))')
@ -1268,9 +1230,9 @@ class AuthPolicyCmdTestCase(SiloTest):
self.runcmd("domain", "auth", "policy", "create", "--name", name)
# Modify user allowed to authenticate to field
result, out, err = self.runcmd("domain", "auth", "policy", "modify",
"--name", name,
"--computer-allowed-to-authenticate-to-by-silo",
result, out, err = self.runcmd("domain", "auth", "policy",
"computer-allowed-to-authenticate-to",
"set", "--name", name, "--by-silo",
"QA")
self.assertIsNone(result, msg=err)