netcmd: auth policy: add computer-allowed-to-authenticate-to subcommands

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python/samba/netcmd/domain/auth/policy/__init__.py

@@ -22,6 +22,9 @@
 
 from samba.netcmd import SuperCommand
 
+from .computer_allowed_to_authenticate_to import (
+    cmd_domain_auth_policy_computer_allowed_to_authenticate_to,
+)
 from .policy import (
     cmd_domain_auth_policy_create,
     cmd_domain_auth_policy_delete,
@@ -40,4 +43,6 @@ class cmd_domain_auth_policy(SuperCommand):
         "create": cmd_domain_auth_policy_create(),
         "modify": cmd_domain_auth_policy_modify(),
         "delete": cmd_domain_auth_policy_delete(),
+        "computer-allowed-to-authenticate-to":
+            cmd_domain_auth_policy_computer_allowed_to_authenticate_to(),
     }

python/samba/netcmd/domain/auth/policy/computer_allowed_to_authenticate_to.py

@@ -0,0 +1,125 @@
+# Unix SMB/CIFS implementation.
+#
+# authentication policy - manage computer-allowed-to-authenticate-to property
+#
+# Copyright (C) Catalyst.Net Ltd. 2024
+#
+# Written by Rob van der Linde <rob@catalyst.net.nz>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from samba.domain.models import AuthenticationPolicy, AuthenticationSilo, Group
+from samba.domain.models.exceptions import ModelError
+from samba.getopt import CredentialsOptions, HostOptions, Option, SambaOptions
+from samba.netcmd import Command, CommandError, SuperCommand
+
+
+class cmd_domain_auth_policy_computer_allowed_to_authenticate_to_set(Command):
+    """Set the computer-allowed-to-authenticate-to property based on scenario.
+
+    --by-group:
+
+        The computer account (server, workstation) service requires the
+        connecting user to be in GROUP.
+
+    --by-silo:
+
+        The computer account (server, workstation) service requires the
+        connecting user to be in SILO.
+
+    The options above are mutually exclusive, only one can be set at a time.
+    """
+
+    synopsis = "%prog -H <URL> [options]"
+
+    takes_optiongroups = {
+        "sambaopts": SambaOptions,
+        "credopts": CredentialsOptions,
+        "hostopts": HostOptions,
+    }
+
+    takes_options = [
+        Option("--name",
+               help="Name of authentication policy to view (required).",
+               dest="name", action="store", type=str, required=True),
+        Option("--by-group",
+               help="The computer account (server, workstation) service "
+                    "requires the connecting user to be in GROUP.",
+               dest="groupname", action="store", type=str),
+        Option("--by-silo",
+               help="The computer account (server, workstation) service "
+                    "requires the connecting user to be in SILO.",
+               dest="siloname", action="store", type=str),
+    ]
+
+    def run(self, hostopts=None, sambaopts=None, credopts=None, name=None,
+            groupname=None, siloname=None):
+
+        if groupname and siloname:
+            raise CommandError("Cannot have both --by-group and --by-silo options.")
+
+        ldb = self.ldb_connect(hostopts, sambaopts, credopts)
+
+        try:
+            policy = AuthenticationPolicy.get(ldb, cn=name)
+        except ModelError as e:
+            raise CommandError(e)
+
+        if policy is None:
+            raise CommandError(f"Authentication policy {name} not found.")
+
+        if groupname:
+            try:
+                group = Group.get(ldb, cn=groupname)
+            except ModelError as e:
+                raise CommandError(e)
+
+            if group is None:
+                raise CommandError(f"Group {groupname} not found.")
+
+            sddl = group.get_authentication_sddl()
+
+        elif siloname:
+            try:
+                silo = AuthenticationSilo.get(ldb, cn=siloname)
+            except ModelError as e:
+                raise CommandError(e)
+
+            if silo is None:
+                raise CommandError(f"Authentication silo {siloname} not found.")
+
+            sddl = silo.get_authentication_sddl()
+
+        else:
+            raise CommandError("Either --by-group or --by-silo expected.")
+
+        policy.computer_allowed_to_authenticate_to = sddl
+
+        try:
+            policy.save(ldb)
+        except ModelError as e:
+            raise CommandError(e)
+
+        # Authentication policy updated successfully.
+        print(f"Updated authentication policy: {name}", file=self.outf)
+        print(f"Updated SDDL: {sddl}", file=self.outf)
+
+
+class cmd_domain_auth_policy_computer_allowed_to_authenticate_to(SuperCommand):
+    """Manage the computer-allowed-to-authenticate-to property."""
+
+    subcommands = {
+        "set": cmd_domain_auth_policy_computer_allowed_to_authenticate_to_set(),
+    }