1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Rob van der Linde 2024-03-21 09:48:25 +13:00 committed by Andrew Bartlett
parent e88be1aed9
commit 97c2ff19da
3 changed files with 31 additions and 114 deletions

View File

@ -61,16 +61,6 @@ class UserOptions(options.OptionGroup):
type=str, dest="allowed_to_authenticate_from",
action="callback", callback=self.set_option,
metavar="SDDL")
self.add_option("--user-allowed-to-authenticate-from-device-silo",
help="To authenticate, the user must log in from a device in SILO.",
type=str, dest="allowed_to_authenticate_from_device_silo",
action="callback", callback=self.set_option,
metavar="SILO")
self.add_option("--user-allowed-to-authenticate-from-device-group",
help="To authenticate, the user must log in from a device in GROUP.",
type=str, dest="allowed_to_authenticate_from_device_group",
action="callback", callback=self.set_option,
metavar="GROUP")
self.add_option("--user-allowed-to-authenticate-to",
help="A target service, on a user account, requires the connecting user to match SDDL",
type=str, dest="allowed_to_authenticate_to",
@ -254,10 +244,6 @@ class cmd_domain_auth_policy_create(Command):
raise CommandError("--audit and --enforce cannot be used together.")
# Check for repeated, similar arguments.
check_similar_args("--user-allowed-to-authenticate-from",
[useropts.allowed_to_authenticate_from,
useropts.allowed_to_authenticate_from_device_group,
useropts.allowed_to_authenticate_from_device_silo])
check_similar_args("--service-allowed-to-authenticate-from",
[serviceopts.allowed_to_authenticate_from,
serviceopts.allowed_to_authenticate_from_device_group,
@ -265,18 +251,6 @@ class cmd_domain_auth_policy_create(Command):
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
# Generate SDDL for authenticating users from a device in a group
if useropts.allowed_to_authenticate_from_device_group:
group = Group.get(
ldb, cn=useropts.allowed_to_authenticate_from_device_group)
useropts.allowed_to_authenticate_from = group.get_authentication_sddl()
# Generate SDDL for authenticating users from a device in a silo
if useropts.allowed_to_authenticate_from_device_silo:
silo = AuthenticationSilo.get(
ldb, cn=useropts.allowed_to_authenticate_from_device_silo)
useropts.allowed_to_authenticate_from = silo.get_authentication_sddl()
# Generate SDDL for authenticating service accounts from a device in a group
if serviceopts.allowed_to_authenticate_from_device_group:
group = Group.get(
@ -384,10 +358,6 @@ class cmd_domain_auth_policy_modify(Command):
raise CommandError("--audit and --enforce cannot be used together.")
# Check for repeated, similar arguments.
check_similar_args("--user-allowed-to-authenticate-from",
[useropts.allowed_to_authenticate_from,
useropts.allowed_to_authenticate_from_device_group,
useropts.allowed_to_authenticate_from_device_silo])
check_similar_args("--service-allowed-to-authenticate-from",
[serviceopts.allowed_to_authenticate_from,
serviceopts.allowed_to_authenticate_from_device_group,
@ -395,18 +365,6 @@ class cmd_domain_auth_policy_modify(Command):
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
# Generate SDDL for authenticating users from a device in a group
if useropts.allowed_to_authenticate_from_device_group:
group = Group.get(
ldb, cn=useropts.allowed_to_authenticate_from_device_group)
useropts.allowed_to_authenticate_from = group.get_authentication_sddl()
# Generate SDDL for authenticating users from a device in a silo
if useropts.allowed_to_authenticate_from_device_silo:
silo = AuthenticationSilo.get(
ldb, cn=useropts.allowed_to_authenticate_from_device_silo)
useropts.allowed_to_authenticate_from = silo.get_authentication_sddl()
# Generate SDDL for authenticating users from a device a device in a group
if serviceopts.allowed_to_authenticate_from_device_group:
group = Group.get(

View File

@ -75,8 +75,8 @@ class ClaimsSupportTests(BlackboxTestCase):
self.addCleanup(self.run_command, "group delete allowed-devices")
# Set allowed to authenticate from.
self.check_run("domain auth policy modify --name=device-restricted-users-pol "
"--user-allowed-to-authenticate-from-device-group=allowed-devices")
self.check_run("domain auth policy user-allowed-to-authenticate-from set "
"--name=device-restricted-users-pol --device-group=allowed-devices")
self.check_run("user auth policy assign claimstestuser --policy=device-restricted-users-pol")
@ -144,8 +144,8 @@ class ClaimsSupportTests(BlackboxTestCase):
# Set allowed to authenticate from (where the login can happen) and to
# (server requires silo that in term has this rule, so knows the user
# was required to authenticate from).
self.check_run("domain auth policy modify --name=allowed-devices-only-pol "
"--user-allowed-to-authenticate-from-device-silo=allowed-devices-only-silo")
self.check_run("domain auth policy user-allowed-to-authenticate-from set "
"--name=allowed-devices-only-pol --device-silo=allowed-devices-only-silo")
# Grant access to silo.
self.check_run(r"domain auth silo member grant --name=allowed-devices-only-silo --member=claims-device\$")
@ -244,8 +244,8 @@ class ClaimsSupportTests(BlackboxTestCase):
# --service-allowed-to-authenticate-to/from options as well.
# Likewise, if there are services running in user accounts, we need
# --user-allowed-to-authenticate-to
self.check_run("domain auth policy modify --name=allowed-devices-only-pol "
"--user-allowed-to-authenticate-from-device-silo=allowed-devices-only-silo")
self.check_run("domain auth policy user-allowed-to-authenticate-from set "
"--name=allowed-devices-only-pol --device-silo=allowed-devices-only-silo")
self.check_run("domain auth policy computer-allowed-to-authenticate-to set "
"--name=allowed-devices-only-pol --by-silo=allowed-devices-only-silo")

View File

@ -153,50 +153,6 @@ class AuthPolicyCmdTestCase(SiloTest):
self.assertIn("--user-tgt-lifetime-mins must be between 45 and 2147483647",
err)
def test_create__user_allowed_to_authenticate_from_device_group(self):
"""Tests the --user-allowed-to-authenticate-from-device-group shortcut."""
name = self.unique_name()
expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
self.device_group.object_sid)
self.addCleanup(self.delete_authentication_policy, name=name, force=True)
result, out, err = self.runcmd("domain", "auth", "policy", "create",
"--name", name,
"--user-allowed-to-authenticate-from-device-group",
self.device_group.name)
self.assertIsNone(result, msg=err)
# Check policy fields.
policy = self.get_authentication_policy(name)
self.assertEqual(str(policy["cn"]), name)
# Check generated SDDL.
desc = policy["msDS-UserAllowedToAuthenticateFrom"][0]
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
self.assertEqual(sddl, expected)
def test_create__user_allowed_to_authenticate_from_device_silo(self):
"""Tests the --user-allowed-to-authenticate-from-device-silo shortcut."""
name = self.unique_name()
self.addCleanup(self.delete_authentication_policy, name=name, force=True)
result, out, err = self.runcmd("domain", "auth", "policy", "create",
"--name", name,
"--user-allowed-to-authenticate-from-device-silo",
"Developers")
self.assertIsNone(result, msg=err)
# Check policy fields.
policy = self.get_authentication_policy(name)
self.assertEqual(str(policy["cn"]), name)
# Check generated SDDL.
desc = policy["msDS-UserAllowedToAuthenticateFrom"][0]
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
self.assertEqual(
sddl,
'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Developers"))')
def test_create__service_tgt_lifetime_mins(self):
"""Test create a new authentication policy with --service-tgt-lifetime-mins.
@ -547,24 +503,27 @@ class AuthPolicyCmdTestCase(SiloTest):
self.assertEqual(result, -1)
self.assertIn("--protect and --unprotect cannot be used together.", err)
def test_create__user_allowed_to_authenticate_from_repeated(self):
def test_user_allowed_to_authenticate_from__set_repeated(self):
"""Test repeating similar arguments doesn't make sense to use together.
--user-allowed-to-authenticate-from
--user-allowed-to-authenticate-from-device-silo
user-allowed-to-authenticate-from set --device-group
user-allowed-to-authenticate-from set --device-silo
"""
sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Developers"))'
name = self.unique_name()
result, out, err = self.runcmd("domain", "auth", "policy", "create",
"--name", name,
"--user-allowed-to-authenticate-from",
sddl,
"--user-allowed-to-authenticate-from-device-silo",
self.runcmd("domain", "auth", "policy", "create", "--name", name)
self.addCleanup(self.delete_authentication_policy, name=name, force=True)
result, out, err = self.runcmd("domain", "auth", "policy",
"user-allowed-to-authenticate-from",
"set", "--name", name,
"--device-group",
self.device_group.name,
"--device-silo",
"Managers")
self.assertEqual(result, -1)
self.assertIn("--user-allowed-to-authenticate-from argument repeated 2 times.", err)
self.assertIn("Cannot have both --device-group and --device-silo options.", err)
def test_user_allowed_to_authenticate_to__set_repeated(self):
"""Test repeating similar arguments doesn't make sense to use together.
@ -839,8 +798,8 @@ class AuthPolicyCmdTestCase(SiloTest):
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
self.assertEqual(sddl, expected)
def test_modify__user_allowed_to_authenticate_from_device_group(self):
"""Test the --user-allowed-to-authenticate-from-device-group shortcut."""
def test_user_allowed_to_authenticate_from__set_device_group(self):
"""Tests the user-allowed-to-authenticate-from set --device-group shortcut."""
name = self.unique_name()
expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
self.device_group.object_sid)
@ -850,10 +809,10 @@ class AuthPolicyCmdTestCase(SiloTest):
self.runcmd("domain", "auth", "policy", "create", "--name", name)
# Modify user allowed to authenticate from silo field
result, out, err = self.runcmd("domain", "auth", "policy", "modify",
"--name", name,
"--user-allowed-to-authenticate-from-device-group",
self.device_group.name)
result, out, err = self.runcmd("domain", "auth", "policy",
"user-allowed-to-authenticate-from",
"set", "--name", name,
"--device-group", self.device_group.name)
self.assertIsNone(result, msg=err)
# Check generated SDDL.
@ -862,8 +821,8 @@ class AuthPolicyCmdTestCase(SiloTest):
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
self.assertEqual(sddl, expected)
def test_modify__user_allowed_to_authenticate_from_device_silo(self):
"""Test the --user-allowed-to-authenticate-from-device-silo shortcut."""
def test_user_allowed_to_authenticate_from__set_device_silo(self):
"""Tests the user-allowed-to-authenticate-from set --device-silo shortcut."""
name = self.unique_name()
# Create a policy to modify for this test.
@ -871,10 +830,10 @@ class AuthPolicyCmdTestCase(SiloTest):
self.runcmd("domain", "auth", "policy", "create", "--name", name)
# Modify user allowed to authenticate from silo field
result, out, err = self.runcmd("domain", "auth", "policy", "modify",
"--name", name,
"--user-allowed-to-authenticate-from-device-silo",
"QA")
result, out, err = self.runcmd("domain", "auth", "policy",
"user-allowed-to-authenticate-from",
"set", "--name", name,
"--device-silo", "QA")
self.assertIsNone(result, msg=err)
# Check generated SDDL.