netcmd:tests: Test authentication policies containing device‐specific attributes and operators
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
db36a930e6
commit
a08a724a28
@ -25,7 +25,7 @@ from optparse import OptionValueError
|
|||||||
from unittest.mock import patch
|
from unittest.mock import patch
|
||||||
|
|
||||||
from samba.dcerpc import security
|
from samba.dcerpc import security
|
||||||
from samba.ndr import ndr_unpack
|
from samba.ndr import ndr_pack, ndr_unpack
|
||||||
from samba.netcmd.domain.models.exceptions import ModelError
|
from samba.netcmd.domain.models.exceptions import ModelError
|
||||||
from samba.samdb import SamDB
|
from samba.samdb import SamDB
|
||||||
from samba.sd_utils import SDUtils
|
from samba.sd_utils import SDUtils
|
||||||
@ -339,6 +339,107 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
|
|||||||
self.assertIn("unknown error", err)
|
self.assertIn("unknown error", err)
|
||||||
self.assertNotIn(" File ", err) # traceback marker
|
self.assertNotIn(" File ", err) # traceback marker
|
||||||
|
|
||||||
|
def test_create__device_attribute_in_sddl_allowed_to(self):
|
||||||
|
"""Test creating a new authentication policy that uses
|
||||||
|
user-allowed-to-authenticate-to with a device attribute."""
|
||||||
|
|
||||||
|
sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@Device.claim == "foo"))'
|
||||||
|
|
||||||
|
name = self.unique_name()
|
||||||
|
self.addCleanup(self.delete_authentication_policy, name=name)
|
||||||
|
result, _, err = self.runcmd("domain", "auth", "policy", "create",
|
||||||
|
"--name", name,
|
||||||
|
"--user-allowed-to-authenticate-to",
|
||||||
|
sddl)
|
||||||
|
self.assertIsNone(result, msg=err)
|
||||||
|
|
||||||
|
def test_create__device_operator_in_sddl_allowed_to(self):
|
||||||
|
"""Test creating a new authentication policy that uses
|
||||||
|
user-allowed-to-authenticate-to with a device operator."""
|
||||||
|
|
||||||
|
sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Device_Member_of {SID(WD)}))'
|
||||||
|
|
||||||
|
name = self.unique_name()
|
||||||
|
self.addCleanup(self.delete_authentication_policy, name=name)
|
||||||
|
result, _, err = self.runcmd("domain", "auth", "policy", "create",
|
||||||
|
"--name", name,
|
||||||
|
"--user-allowed-to-authenticate-to",
|
||||||
|
sddl)
|
||||||
|
self.assertIsNone(result, msg=err)
|
||||||
|
|
||||||
|
def test_create__device_attribute_in_sddl_allowed_from(self):
|
||||||
|
"""Test creating a new authentication policy that uses
|
||||||
|
user-allowed-to-authenticate-from with a device attribute."""
|
||||||
|
|
||||||
|
sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@Device.claim == "foo"))'
|
||||||
|
|
||||||
|
name = self.unique_name()
|
||||||
|
result, _, err = self.runcmd("domain", "auth", "policy", "create",
|
||||||
|
"--name", name,
|
||||||
|
"--user-allowed-to-authenticate-from",
|
||||||
|
sddl)
|
||||||
|
self.assertEqual(result, -1)
|
||||||
|
self.assertIn("Unable to parse SDDL", err)
|
||||||
|
self.assertIn(sddl, err)
|
||||||
|
self.assertIn(f"\n{'^':>31}\n", err)
|
||||||
|
self.assertIn(" a device attribute is not applicable in this context "
|
||||||
|
"(did you intend a user attribute?)",
|
||||||
|
err)
|
||||||
|
self.assertNotIn(" File ", err)
|
||||||
|
|
||||||
|
def test_create__device_operator_in_sddl_allowed_from(self):
|
||||||
|
"""Test creating a new authentication policy that uses
|
||||||
|
user-allowed-to-authenticate-from with a device operator."""
|
||||||
|
|
||||||
|
sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Device_Member_of {SID(WD)}))'
|
||||||
|
|
||||||
|
name = self.unique_name()
|
||||||
|
result, _, err = self.runcmd("domain", "auth", "policy", "create",
|
||||||
|
"--name", name,
|
||||||
|
"--user-allowed-to-authenticate-from",
|
||||||
|
sddl)
|
||||||
|
self.assertEqual(result, -1)
|
||||||
|
self.assertIn("Unable to parse SDDL", err)
|
||||||
|
self.assertIn(sddl, err)
|
||||||
|
self.assertIn(f"\n{'^':>30}\n", err)
|
||||||
|
self.assertIn(" a device‐relative expression will never evaluate to "
|
||||||
|
"true in this context (did you intend a user‐relative "
|
||||||
|
"expression?)",
|
||||||
|
err)
|
||||||
|
self.assertNotIn(" File ", err)
|
||||||
|
|
||||||
|
def test_create__device_attribute_in_sddl_already_exists(self):
|
||||||
|
"""Test modifying an existing authentication policy that uses
|
||||||
|
user-allowed-to-authenticate-from with a device attribute."""
|
||||||
|
|
||||||
|
# The SDDL refers to ‘Device.claim’.
|
||||||
|
sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@Device.claim == "foo"))'
|
||||||
|
domain_sid = security.dom_sid(self.samdb.get_domain_sid())
|
||||||
|
descriptor = security.descriptor.from_sddl(sddl, domain_sid)
|
||||||
|
|
||||||
|
# Manually create an authentication policy that refers to a device
|
||||||
|
# attribute.
|
||||||
|
|
||||||
|
name = self.unique_name()
|
||||||
|
dn = self.get_authn_policies_dn()
|
||||||
|
dn.add_child(f"CN={name}")
|
||||||
|
message = {
|
||||||
|
'dn': dn,
|
||||||
|
'msDS-AuthNPolicyEnforced': b'TRUE',
|
||||||
|
'objectClass': b'msDS-AuthNPolicy',
|
||||||
|
'msDS-UserAllowedToAuthenticateFrom': ndr_pack(descriptor),
|
||||||
|
}
|
||||||
|
|
||||||
|
self.addCleanup(self.delete_authentication_policy, name=name)
|
||||||
|
self.samdb.add(message)
|
||||||
|
|
||||||
|
# Change the policy description. This should succeed, in spite of the
|
||||||
|
# policy’s referring to a device attribute when it shouldn’t.
|
||||||
|
result, _, err = self.runcmd("domain", "auth", "policy", "modify",
|
||||||
|
"--name", name,
|
||||||
|
"--description", "NewDescription")
|
||||||
|
self.assertIsNone(result, msg=err)
|
||||||
|
|
||||||
def test_create__already_exists(self):
|
def test_create__already_exists(self):
|
||||||
"""Test creating a new authentication policy that already exists."""
|
"""Test creating a new authentication policy that already exists."""
|
||||||
result, out, err = self.runcmd("domain", "auth", "policy", "create",
|
result, out, err = self.runcmd("domain", "auth", "policy", "create",
|
||||||
|
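Review bot: The two allowed-from tests (`test_create__device_attribute_in_sddl_allowed_from` and `test_create__device_operator_in_sddl_allowed_from`) register no cleanup for `name`, unlike their allowed-to counterparts, and since both are listed in the new `selftest/knownfail.d/device-in-sddl` the `create` currently succeeds, so each run leaves an authentication policy behind in the domain. Adding `self.addCleanup(self.delete_authentication_policy, name=name)` directly after `name = self.unique_name()` in both tests would cover that, provided `delete_authentication_policy` tolerates a policy that was never created once the expected parse error is in place (its definition is not visible here). Separately, `test_create__device_attribute_in_sddl_already_exists` exercises `modify` and its docstring says so, so a name such as `test_modify__device_attribute_in_sddl` would describe it better. The enclosing class `AuthPolicyCmdTestCase` starts outside the hunk.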
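--- /dev/null
+++ b/selftest/knownfail.d/device-in-sddl
@@ -0,0 +1,2 @@
+^samba\.tests\.samba_tool\.domain_auth_policy\.samba\.tests\.samba_tool\.domain_auth_policy\.AuthPolicyCmdTestCase\.test_create__device_attribute_in_sddl_allowed_from\(ad_dc_default\)$
+^samba\.tests\.samba_tool\.domain_auth_policy\.samba\.tests\.samba_tool\.domain_auth_policy\.AuthPolicyCmdTestCase\.test_create__device_operator_in_sddl_allowed_from\(ad_dc_default\)$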