From 97c2ff19daa7ee1717d0cdc1128ca03b5e8d3144 Mon Sep 17 00:00:00 2001
From: Rob van der Linde
Date: Thu, 21 Mar 2024 09:48:25 +1300
Subject: [PATCH] netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group
Signed-off-by: Rob van der Linde
Reviewed-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
 .../samba/netcmd/domain/auth/policy/policy.py | 42 ---------
 python/samba/tests/blackbox/claims.py | 12 +--
 .../tests/samba_tool/domain_auth_policy.py | 91 +++++--------------
 3 files changed, 31 insertions(+), 114 deletions(-)
diff --git a/python/samba/netcmd/domain/auth/policy/policy.py b/python/samba/netcmd/domain/auth/policy/policy.py
index 6f7983cfa25..701d6e40aa2 100644
--- a/python/samba/netcmd/domain/auth/policy/policy.py
+++ b/python/samba/netcmd/domain/auth/policy/policy.py
@@ -61,16 +61,6 @@ class UserOptions(options.OptionGroup):
 type=str, dest="allowed_to_authenticate_from",
 action="callback", callback=self.set_option,
 metavar="SDDL")
- self.add_option("--user-allowed-to-authenticate-from-device-silo",
- help="To authenticate, the user must log in from a device in SILO.",
- type=str, dest="allowed_to_authenticate_from_device_silo",
- action="callback", callback=self.set_option,
- metavar="SILO")
- self.add_option("--user-allowed-to-authenticate-from-device-group",
- help="To authenticate, the user must log in from a device in GROUP.",
- type=str, dest="allowed_to_authenticate_from_device_group",
- action="callback", callback=self.set_option,
- metavar="GROUP")
 self.add_option("--user-allowed-to-authenticate-to",
 help="A target service, on a user account, requires the connecting user to match SDDL",
 type=str, dest="allowed_to_authenticate_to",
@@ -254,10 +244,6 @@ class cmd_domain_auth_policy_create(Command):
 raise CommandError("--audit and --enforce cannot be used together.")
 # Check for repeated, similar arguments.
- check_similar_args("--user-allowed-to-authenticate-from",
- [useropts.allowed_to_authenticate_from,
- useropts.allowed_to_authenticate_from_device_group,
- useropts.allowed_to_authenticate_from_device_silo])
 check_similar_args("--service-allowed-to-authenticate-from",
 [serviceopts.allowed_to_authenticate_from,
 serviceopts.allowed_to_authenticate_from_device_group,
@@ -265,18 +251,6 @@ class cmd_domain_auth_policy_create(Command):
 ldb = self.ldb_connect(hostopts, sambaopts, credopts)
- # Generate SDDL for authenticating users from a device in a group
- if useropts.allowed_to_authenticate_from_device_group:
- group = Group.get(
- ldb, cn=useropts.allowed_to_authenticate_from_device_group)
- useropts.allowed_to_authenticate_from = group.get_authentication_sddl()
-
- # Generate SDDL for authenticating users from a device in a silo
- if useropts.allowed_to_authenticate_from_device_silo:
- silo = AuthenticationSilo.get(
- ldb, cn=useropts.allowed_to_authenticate_from_device_silo)
- useropts.allowed_to_authenticate_from = silo.get_authentication_sddl()
-
 # Generate SDDL for authenticating service accounts from a device in a group
 if serviceopts.allowed_to_authenticate_from_device_group:
 group = Group.get(
@@ -384,10 +358,6 @@ class cmd_domain_auth_policy_modify(Command):
 raise CommandError("--audit and --enforce cannot be used together.")
 # Check for repeated, similar arguments.
- check_similar_args("--user-allowed-to-authenticate-from",
- [useropts.allowed_to_authenticate_from,
- useropts.allowed_to_authenticate_from_device_group,
- useropts.allowed_to_authenticate_from_device_silo])
 check_similar_args("--service-allowed-to-authenticate-from",
 [serviceopts.allowed_to_authenticate_from,
 serviceopts.allowed_to_authenticate_from_device_group,
@@ -395,18 +365,6 @@ class cmd_domain_auth_policy_modify(Command):
 ldb = self.ldb_connect(hostopts, sambaopts, credopts)
- # Generate SDDL for authenticating users from a device in a group
- if useropts.allowed_to_authenticate_from_device_group:
- group = Group.get(
- ldb, cn=useropts.allowed_to_authenticate_from_device_group)
- useropts.allowed_to_authenticate_from = group.get_authentication_sddl()
-
- # Generate SDDL for authenticating users from a device in a silo
- if useropts.allowed_to_authenticate_from_device_silo:
- silo = AuthenticationSilo.get(
- ldb, cn=useropts.allowed_to_authenticate_from_device_silo)
- useropts.allowed_to_authenticate_from = silo.get_authentication_sddl()
-
 # Generate SDDL for authenticating users from a device a device in a group
 if serviceopts.allowed_to_authenticate_from_device_group:
 group = Group.get(
diff --git a/python/samba/tests/blackbox/claims.py b/python/samba/tests/blackbox/claims.py
index 05110c95d55..3bedeed9512 100755
--- a/python/samba/tests/blackbox/claims.py
+++ b/python/samba/tests/blackbox/claims.py
@@ -75,8 +75,8 @@ class ClaimsSupportTests(BlackboxTestCase):
 self.addCleanup(self.run_command, "group delete allowed-devices")
 # Set allowed to authenticate from.
- self.check_run("domain auth policy modify --name=device-restricted-users-pol "
- "--user-allowed-to-authenticate-from-device-group=allowed-devices")
+ self.check_run("domain auth policy user-allowed-to-authenticate-from set "
+ "--name=device-restricted-users-pol --device-group=allowed-devices")
 self.check_run("user auth policy assign claimstestuser --policy=device-restricted-users-pol")
@@ -144,8 +144,8 @@ class ClaimsSupportTests(BlackboxTestCase):
 # Set allowed to authenticate from (where the login can happen) and to
 # (server requires silo that in term has this rule, so knows the user
 # was required to authenticate from).
- self.check_run("domain auth policy modify --name=allowed-devices-only-pol "
- "--user-allowed-to-authenticate-from-device-silo=allowed-devices-only-silo")
+ self.check_run("domain auth policy user-allowed-to-authenticate-from set "
+ "--name=allowed-devices-only-pol --device-silo=allowed-devices-only-silo")
 # Grant access to silo.
 self.check_run(r"domain auth silo member grant --name=allowed-devices-only-silo --member=claims-device\$")
@@ -244,8 +244,8 @@ class ClaimsSupportTests(BlackboxTestCase):
 # --service-allowed-to-authenticate-to/from options as well.
 # Likewise, if there are services running in user accounts, we need
 # --user-allowed-to-authenticate-to
- self.check_run("domain auth policy modify --name=allowed-devices-only-pol "
- "--user-allowed-to-authenticate-from-device-silo=allowed-devices-only-silo")
+ self.check_run("domain auth policy user-allowed-to-authenticate-from set "
+ "--name=allowed-devices-only-pol --device-silo=allowed-devices-only-silo")
 self.check_run("domain auth policy computer-allowed-to-authenticate-to set "
 "--name=allowed-devices-only-pol --by-silo=allowed-devices-only-silo")
diff --git a/python/samba/tests/samba_tool/domain_auth_policy.py b/python/samba/tests/samba_tool/domain_auth_policy.py
index 4336cc4cc15..7c07ab84613 100644
--- a/python/samba/tests/samba_tool/domain_auth_policy.py
+++ b/python/samba/tests/samba_tool/domain_auth_policy.py
@@ -153,50 +153,6 @@ class AuthPolicyCmdTestCase(SiloTest):
 self.assertIn("--user-tgt-lifetime-mins must be between 45 and 2147483647", err)
- def test_create__user_allowed_to_authenticate_from_device_group(self):
- """Tests the --user-allowed-to-authenticate-from-device-group shortcut."""
- name = self.unique_name()
- expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
- self.device_group.object_sid)
-
- self.addCleanup(self.delete_authentication_policy, name=name, force=True)
- result, out, err = self.runcmd("domain", "auth", "policy", "create",
- "--name", name,
- "--user-allowed-to-authenticate-from-device-group",
- self.device_group.name)
- self.assertIsNone(result, msg=err)
-
- # Check policy fields.
- policy = self.get_authentication_policy(name)
- self.assertEqual(str(policy["cn"]), name)
-
- # Check generated SDDL.
- desc = policy["msDS-UserAllowedToAuthenticateFrom"][0]
- sddl = ndr_unpack(security.descriptor, desc).as_sddl()
- self.assertEqual(sddl, expected)
-
- def test_create__user_allowed_to_authenticate_from_device_silo(self):
- """Tests the --user-allowed-to-authenticate-from-device-silo shortcut."""
- name = self.unique_name()
-
- self.addCleanup(self.delete_authentication_policy, name=name, force=True)
- result, out, err = self.runcmd("domain", "auth", "policy", "create",
- "--name", name,
- "--user-allowed-to-authenticate-from-device-silo",
- "Developers")
- self.assertIsNone(result, msg=err)
-
- # Check policy fields.
- policy = self.get_authentication_policy(name)
- self.assertEqual(str(policy["cn"]), name)
-
- # Check generated SDDL.
- desc = policy["msDS-UserAllowedToAuthenticateFrom"][0]
- sddl = ndr_unpack(security.descriptor, desc).as_sddl()
- self.assertEqual(
- sddl,
- 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Developers"))')
-
 def test_create__service_tgt_lifetime_mins(self):
 """Test create a new authentication policy with --service-tgt-lifetime-mins.
@@ -547,24 +503,27 @@ class AuthPolicyCmdTestCase(SiloTest):
 self.assertEqual(result, -1)
 self.assertIn("--protect and --unprotect cannot be used together.", err)
- def test_create__user_allowed_to_authenticate_from_repeated(self):
+ def test_user_allowed_to_authenticate_from__set_repeated(self):
 """Test repeating similar arguments doesn't make sense to use together.
- --user-allowed-to-authenticate-from
- --user-allowed-to-authenticate-from-device-silo
+ user-allowed-to-authenticate-from set --device-group
+ user-allowed-to-authenticate-from set --device-silo
 """
- sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Developers"))'
 name = self.unique_name()
- result, out, err = self.runcmd("domain", "auth", "policy", "create",
- "--name", name,
- "--user-allowed-to-authenticate-from",
- sddl,
- "--user-allowed-to-authenticate-from-device-silo",
+ self.runcmd("domain", "auth", "policy", "create", "--name", name)
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+
+ result, out, err = self.runcmd("domain", "auth", "policy",
+ "user-allowed-to-authenticate-from",
+ "set", "--name", name,
+ "--device-group",
+ self.device_group.name,
+ "--device-silo",
 "Managers")
 self.assertEqual(result, -1)
- self.assertIn("--user-allowed-to-authenticate-from argument repeated 2 times.", err)
+ self.assertIn("Cannot have both --device-group and --device-silo options.", err)
 def test_user_allowed_to_authenticate_to__set_repeated(self):
 """Test repeating similar arguments doesn't make sense to use together.
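Review bot: The rewritten test_user_allowed_to_authenticate_from__set_repeated only checks the exit status and the error text; it never confirms that the rejected `set` left the policy untouched, so a regression that wrote msDS-UserAllowedToAuthenticateFrom before raising the "Cannot have both" error would still pass. After the final `self.assertIn(...)` read the policy back and assert the attribute is absent, e.g. `policy = self.get_authentication_policy(name)` followed by `self.assertNotIn("msDS-UserAllowedToAuthenticateFrom", policy)` — the helper is the same one the removed create tests earlier in this file used, though its return type should be confirmed to support `in`. The preceding `self.runcmd("domain", "auth", "policy", "create", "--name", name)` also discards its result; capturing it and adding `self.assertIsNone(result, msg=err)` makes a failed create fail at the create rather than as a confusing error from the later `set`.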
@@ -839,8 +798,8 @@ class AuthPolicyCmdTestCase(SiloTest):
 sddl = ndr_unpack(security.descriptor, desc).as_sddl()
 self.assertEqual(sddl, expected)
- def test_modify__user_allowed_to_authenticate_from_device_group(self):
- """Test the --user-allowed-to-authenticate-from-device-group shortcut."""
+ def test_user_allowed_to_authenticate_from__set_device_group(self):
+ """Tests the user-allowed-to-authenticate-from set --device-group shortcut."""
 name = self.unique_name()
 expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
 self.device_group.object_sid)
@@ -850,10 +809,10 @@ class AuthPolicyCmdTestCase(SiloTest):
 self.runcmd("domain", "auth", "policy", "create", "--name", name)
 # Modify user allowed to authenticate from silo field
- result, out, err = self.runcmd("domain", "auth", "policy", "modify",
- "--name", name,
- "--user-allowed-to-authenticate-from-device-group",
- self.device_group.name)
+ result, out, err = self.runcmd("domain", "auth", "policy",
+ "user-allowed-to-authenticate-from",
+ "set", "--name", name,
+ "--device-group", self.device_group.name)
 self.assertIsNone(result, msg=err)
 # Check generated SDDL.
@@ -862,8 +821,8 @@ class AuthPolicyCmdTestCase(SiloTest):
 sddl = ndr_unpack(security.descriptor, desc).as_sddl()
 self.assertEqual(sddl, expected)
- def test_modify__user_allowed_to_authenticate_from_device_silo(self):
- """Test the --user-allowed-to-authenticate-from-device-silo shortcut."""
+ def test_user_allowed_to_authenticate_from__set_device_silo(self):
+ """Tests the user-allowed-to-authenticate-from set --device-silo shortcut."""
 name = self.unique_name()
 # Create a policy to modify for this test.
@@ -871,10 +830,10 @@ class AuthPolicyCmdTestCase(SiloTest):
 self.runcmd("domain", "auth", "policy", "create", "--name", name)
 # Modify user allowed to authenticate from silo field
- result, out, err = self.runcmd("domain", "auth", "policy", "modify",
- "--name", name,
- "--user-allowed-to-authenticate-from-device-silo",
- "QA")
+ result, out, err = self.runcmd("domain", "auth", "policy",
+ "user-allowed-to-authenticate-from",
+ "set", "--name", name,
+ "--device-silo", "QA")
 self.assertIsNone(result, msg=err)
 # Check generated SDDL.