netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
e88be1aed9
commit
97c2ff19da
@ -61,16 +61,6 @@ class UserOptions(options.OptionGroup):
|
||||
type=str, dest="allowed_to_authenticate_from",
|
||||
action="callback", callback=self.set_option,
|
||||
metavar="SDDL")
|
||||
self.add_option("--user-allowed-to-authenticate-from-device-silo",
|
||||
help="To authenticate, the user must log in from a device in SILO.",
|
||||
type=str, dest="allowed_to_authenticate_from_device_silo",
|
||||
action="callback", callback=self.set_option,
|
||||
metavar="SILO")
|
||||
self.add_option("--user-allowed-to-authenticate-from-device-group",
|
||||
help="To authenticate, the user must log in from a device in GROUP.",
|
||||
type=str, dest="allowed_to_authenticate_from_device_group",
|
||||
action="callback", callback=self.set_option,
|
||||
metavar="GROUP")
|
||||
self.add_option("--user-allowed-to-authenticate-to",
|
||||
help="A target service, on a user account, requires the connecting user to match SDDL",
|
||||
type=str, dest="allowed_to_authenticate_to",
|
||||
@ -254,10 +244,6 @@ class cmd_domain_auth_policy_create(Command):
|
||||
raise CommandError("--audit and --enforce cannot be used together.")
|
||||
|
||||
# Check for repeated, similar arguments.
|
||||
check_similar_args("--user-allowed-to-authenticate-from",
|
||||
[useropts.allowed_to_authenticate_from,
|
||||
useropts.allowed_to_authenticate_from_device_group,
|
||||
useropts.allowed_to_authenticate_from_device_silo])
|
||||
check_similar_args("--service-allowed-to-authenticate-from",
|
||||
[serviceopts.allowed_to_authenticate_from,
|
||||
serviceopts.allowed_to_authenticate_from_device_group,
|
||||
@ -265,18 +251,6 @@ class cmd_domain_auth_policy_create(Command):
|
||||
|
||||
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
|
||||
|
||||
# Generate SDDL for authenticating users from a device in a group
|
||||
if useropts.allowed_to_authenticate_from_device_group:
|
||||
group = Group.get(
|
||||
ldb, cn=useropts.allowed_to_authenticate_from_device_group)
|
||||
useropts.allowed_to_authenticate_from = group.get_authentication_sddl()
|
||||
|
||||
# Generate SDDL for authenticating users from a device in a silo
|
||||
if useropts.allowed_to_authenticate_from_device_silo:
|
||||
silo = AuthenticationSilo.get(
|
||||
ldb, cn=useropts.allowed_to_authenticate_from_device_silo)
|
||||
useropts.allowed_to_authenticate_from = silo.get_authentication_sddl()
|
||||
|
||||
# Generate SDDL for authenticating service accounts from a device in a group
|
||||
if serviceopts.allowed_to_authenticate_from_device_group:
|
||||
group = Group.get(
|
||||
@ -384,10 +358,6 @@ class cmd_domain_auth_policy_modify(Command):
|
||||
raise CommandError("--audit and --enforce cannot be used together.")
|
||||
|
||||
# Check for repeated, similar arguments.
|
||||
check_similar_args("--user-allowed-to-authenticate-from",
|
||||
[useropts.allowed_to_authenticate_from,
|
||||
useropts.allowed_to_authenticate_from_device_group,
|
||||
useropts.allowed_to_authenticate_from_device_silo])
|
||||
check_similar_args("--service-allowed-to-authenticate-from",
|
||||
[serviceopts.allowed_to_authenticate_from,
|
||||
serviceopts.allowed_to_authenticate_from_device_group,
|
||||
@ -395,18 +365,6 @@ class cmd_domain_auth_policy_modify(Command):
|
||||
|
||||
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
|
||||
|
||||
# Generate SDDL for authenticating users from a device in a group
|
||||
if useropts.allowed_to_authenticate_from_device_group:
|
||||
group = Group.get(
|
||||
ldb, cn=useropts.allowed_to_authenticate_from_device_group)
|
||||
useropts.allowed_to_authenticate_from = group.get_authentication_sddl()
|
||||
|
||||
# Generate SDDL for authenticating users from a device in a silo
|
||||
if useropts.allowed_to_authenticate_from_device_silo:
|
||||
silo = AuthenticationSilo.get(
|
||||
ldb, cn=useropts.allowed_to_authenticate_from_device_silo)
|
||||
useropts.allowed_to_authenticate_from = silo.get_authentication_sddl()
|
||||
|
||||
# Generate SDDL for authenticating users from a device a device in a group
|
||||
if serviceopts.allowed_to_authenticate_from_device_group:
|
||||
group = Group.get(
|
||||
|
@ -75,8 +75,8 @@ class ClaimsSupportTests(BlackboxTestCase):
|
||||
self.addCleanup(self.run_command, "group delete allowed-devices")
|
||||
|
||||
# Set allowed to authenticate from.
|
||||
self.check_run("domain auth policy modify --name=device-restricted-users-pol "
|
||||
"--user-allowed-to-authenticate-from-device-group=allowed-devices")
|
||||
self.check_run("domain auth policy user-allowed-to-authenticate-from set "
|
||||
"--name=device-restricted-users-pol --device-group=allowed-devices")
|
||||
|
||||
self.check_run("user auth policy assign claimstestuser --policy=device-restricted-users-pol")
|
||||
|
||||
@ -144,8 +144,8 @@ class ClaimsSupportTests(BlackboxTestCase):
|
||||
# Set allowed to authenticate from (where the login can happen) and to
|
||||
# (server requires silo that in term has this rule, so knows the user
|
||||
# was required to authenticate from).
|
||||
self.check_run("domain auth policy modify --name=allowed-devices-only-pol "
|
||||
"--user-allowed-to-authenticate-from-device-silo=allowed-devices-only-silo")
|
||||
self.check_run("domain auth policy user-allowed-to-authenticate-from set "
|
||||
"--name=allowed-devices-only-pol --device-silo=allowed-devices-only-silo")
|
||||
|
||||
# Grant access to silo.
|
||||
self.check_run(r"domain auth silo member grant --name=allowed-devices-only-silo --member=claims-device\$")
|
||||
@ -244,8 +244,8 @@ class ClaimsSupportTests(BlackboxTestCase):
|
||||
# --service-allowed-to-authenticate-to/from options as well.
|
||||
# Likewise, if there are services running in user accounts, we need
|
||||
# --user-allowed-to-authenticate-to
|
||||
self.check_run("domain auth policy modify --name=allowed-devices-only-pol "
|
||||
"--user-allowed-to-authenticate-from-device-silo=allowed-devices-only-silo")
|
||||
self.check_run("domain auth policy user-allowed-to-authenticate-from set "
|
||||
"--name=allowed-devices-only-pol --device-silo=allowed-devices-only-silo")
|
||||
self.check_run("domain auth policy computer-allowed-to-authenticate-to set "
|
||||
"--name=allowed-devices-only-pol --by-silo=allowed-devices-only-silo")
|
||||
|
||||
|
@ -153,50 +153,6 @@ class AuthPolicyCmdTestCase(SiloTest):
|
||||
self.assertIn("--user-tgt-lifetime-mins must be between 45 and 2147483647",
|
||||
err)
|
||||
|
||||
def test_create__user_allowed_to_authenticate_from_device_group(self):
|
||||
"""Tests the --user-allowed-to-authenticate-from-device-group shortcut."""
|
||||
name = self.unique_name()
|
||||
expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
|
||||
self.device_group.object_sid)
|
||||
|
||||
self.addCleanup(self.delete_authentication_policy, name=name, force=True)
|
||||
result, out, err = self.runcmd("domain", "auth", "policy", "create",
|
||||
"--name", name,
|
||||
"--user-allowed-to-authenticate-from-device-group",
|
||||
self.device_group.name)
|
||||
self.assertIsNone(result, msg=err)
|
||||
|
||||
# Check policy fields.
|
||||
policy = self.get_authentication_policy(name)
|
||||
self.assertEqual(str(policy["cn"]), name)
|
||||
|
||||
# Check generated SDDL.
|
||||
desc = policy["msDS-UserAllowedToAuthenticateFrom"][0]
|
||||
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
|
||||
self.assertEqual(sddl, expected)
|
||||
|
||||
def test_create__user_allowed_to_authenticate_from_device_silo(self):
|
||||
"""Tests the --user-allowed-to-authenticate-from-device-silo shortcut."""
|
||||
name = self.unique_name()
|
||||
|
||||
self.addCleanup(self.delete_authentication_policy, name=name, force=True)
|
||||
result, out, err = self.runcmd("domain", "auth", "policy", "create",
|
||||
"--name", name,
|
||||
"--user-allowed-to-authenticate-from-device-silo",
|
||||
"Developers")
|
||||
self.assertIsNone(result, msg=err)
|
||||
|
||||
# Check policy fields.
|
||||
policy = self.get_authentication_policy(name)
|
||||
self.assertEqual(str(policy["cn"]), name)
|
||||
|
||||
# Check generated SDDL.
|
||||
desc = policy["msDS-UserAllowedToAuthenticateFrom"][0]
|
||||
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
|
||||
self.assertEqual(
|
||||
sddl,
|
||||
'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Developers"))')
|
||||
|
||||
def test_create__service_tgt_lifetime_mins(self):
|
||||
"""Test create a new authentication policy with --service-tgt-lifetime-mins.
|
||||
|
||||
@ -547,24 +503,27 @@ class AuthPolicyCmdTestCase(SiloTest):
|
||||
self.assertEqual(result, -1)
|
||||
self.assertIn("--protect and --unprotect cannot be used together.", err)
|
||||
|
||||
def test_create__user_allowed_to_authenticate_from_repeated(self):
|
||||
def test_user_allowed_to_authenticate_from__set_repeated(self):
|
||||
"""Test repeating similar arguments doesn't make sense to use together.
|
||||
|
||||
--user-allowed-to-authenticate-from
|
||||
--user-allowed-to-authenticate-from-device-silo
|
||||
user-allowed-to-authenticate-from set --device-group
|
||||
user-allowed-to-authenticate-from set --device-silo
|
||||
"""
|
||||
sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Developers"))'
|
||||
name = self.unique_name()
|
||||
|
||||
result, out, err = self.runcmd("domain", "auth", "policy", "create",
|
||||
"--name", name,
|
||||
"--user-allowed-to-authenticate-from",
|
||||
sddl,
|
||||
"--user-allowed-to-authenticate-from-device-silo",
|
||||
self.runcmd("domain", "auth", "policy", "create", "--name", name)
|
||||
self.addCleanup(self.delete_authentication_policy, name=name, force=True)
|
||||
|
||||
result, out, err = self.runcmd("domain", "auth", "policy",
|
||||
"user-allowed-to-authenticate-from",
|
||||
"set", "--name", name,
|
||||
"--device-group",
|
||||
self.device_group.name,
|
||||
"--device-silo",
|
||||
"Managers")
|
||||
|
||||
self.assertEqual(result, -1)
|
||||
self.assertIn("--user-allowed-to-authenticate-from argument repeated 2 times.", err)
|
||||
self.assertIn("Cannot have both --device-group and --device-silo options.", err)
|
||||
|
||||
def test_user_allowed_to_authenticate_to__set_repeated(self):
|
||||
"""Test repeating similar arguments doesn't make sense to use together.
|
||||
@ -839,8 +798,8 @@ class AuthPolicyCmdTestCase(SiloTest):
|
||||
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
|
||||
self.assertEqual(sddl, expected)
|
||||
|
||||
def test_modify__user_allowed_to_authenticate_from_device_group(self):
|
||||
"""Test the --user-allowed-to-authenticate-from-device-group shortcut."""
|
||||
def test_user_allowed_to_authenticate_from__set_device_group(self):
|
||||
"""Tests the user-allowed-to-authenticate-from set --device-group shortcut."""
|
||||
name = self.unique_name()
|
||||
expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
|
||||
self.device_group.object_sid)
|
||||
@ -850,10 +809,10 @@ class AuthPolicyCmdTestCase(SiloTest):
|
||||
self.runcmd("domain", "auth", "policy", "create", "--name", name)
|
||||
|
||||
# Modify user allowed to authenticate from silo field
|
||||
result, out, err = self.runcmd("domain", "auth", "policy", "modify",
|
||||
"--name", name,
|
||||
"--user-allowed-to-authenticate-from-device-group",
|
||||
self.device_group.name)
|
||||
result, out, err = self.runcmd("domain", "auth", "policy",
|
||||
"user-allowed-to-authenticate-from",
|
||||
"set", "--name", name,
|
||||
"--device-group", self.device_group.name)
|
||||
self.assertIsNone(result, msg=err)
|
||||
|
||||
# Check generated SDDL.
|
||||
@ -862,8 +821,8 @@ class AuthPolicyCmdTestCase(SiloTest):
|
||||
sddl = ndr_unpack(security.descriptor, desc).as_sddl()
|
||||
self.assertEqual(sddl, expected)
|
||||
|
||||
def test_modify__user_allowed_to_authenticate_from_device_silo(self):
|
||||
"""Test the --user-allowed-to-authenticate-from-device-silo shortcut."""
|
||||
def test_user_allowed_to_authenticate_from__set_device_silo(self):
|
||||
"""Tests the user-allowed-to-authenticate-from set --device-silo shortcut."""
|
||||
name = self.unique_name()
|
||||
|
||||
# Create a policy to modify for this test.
|
||||
@ -871,10 +830,10 @@ class AuthPolicyCmdTestCase(SiloTest):
|
||||
self.runcmd("domain", "auth", "policy", "create", "--name", name)
|
||||
|
||||
# Modify user allowed to authenticate from silo field
|
||||
result, out, err = self.runcmd("domain", "auth", "policy", "modify",
|
||||
"--name", name,
|
||||
"--user-allowed-to-authenticate-from-device-silo",
|
||||
"QA")
|
||||
result, out, err = self.runcmd("domain", "auth", "policy",
|
||||
"user-allowed-to-authenticate-from",
|
||||
"set", "--name", name,
|
||||
"--device-silo", "QA")
|
||||
self.assertIsNone(result, msg=err)
|
||||
|
||||
# Check generated SDDL.
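Review bot: The docstring of test_user_allowed_to_authenticate_from__set_repeated still lists `--user-allowed-to-authenticate-from` as one of the conflicting arguments, but the new body only passes `--device-group` and `--device-silo` to the `set` subcommand, so the raw-SDDL-plus-shortcut conflict that the old create test covered is no longer exercised and the docstring overstates what is tested. Either drop that line from the docstring, or add a second runcmd case combining the subcommand's SDDL option with `--device-group` and assert the same "Cannot have both" error, if the `set` subcommand accepts such an option (its implementation is not visible here). The preceding `self.runcmd("domain", "auth", "policy", "create", "--name", name)` also discards its result, so a failed create would surface only as a misleading assertIn mismatch on the `set` step; capturing it as `result, out, err = self.runcmd(...)` followed by `self.assertIsNone(result, msg=err)` would make the failure mode explicit, although the existing modify tests in this file take the same shortcut. The test class continues past the end of this section.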
|
||||
|