1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

netcmd: silo command remove combined --policy which set all 3

doesn't make much sense to set all 3 to the same policy, user authentication policy, service authentication policy, computer authentication policy

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Rob van der Linde 2023-10-17 14:30:40 +13:00 committed by Andrew Bartlett
parent b6ae5d6681
commit c22400fd8e
5 changed files with 42 additions and 84 deletions

View File

@ -1100,12 +1100,6 @@
Optional description for the authentication silo.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--policy</term>
<listitem><para>
Use single policy for all principals in this silo.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--user-policy</term>
<listitem><para>
@ -1193,12 +1187,6 @@
Optional description for the authentication silo.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--policy</term>
<listitem><para>
Use single policy for all principals in this silo.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--user-policy</term>
<listitem><para>

View File

@ -115,9 +115,6 @@ class cmd_domain_auth_silo_create(Command):
Option("--description",
help="Optional description for authentication silo.",
dest="description", action="store", type=str),
Option("--policy",
help="Use single policy for all principals in this silo.",
dest="policy", action="store", type=str),
Option("--user-policy",
help="User account policy.",
dest="user_policy", action="store", type=str),
@ -154,22 +151,15 @@ class cmd_domain_auth_silo_create(Command):
raise CommandError(e)
def run(self, hostopts=None, sambaopts=None, credopts=None, name=None,
description=None, policy=None, user_policy=None,
service_policy=None, computer_policy=None, protect=None,
unprotect=None, audit=None, enforce=None):
description=None, user_policy=None, service_policy=None,
computer_policy=None, protect=None, unprotect=None, audit=None,
enforce=None):
if protect and unprotect:
raise CommandError("--protect and --unprotect cannot be used together.")
if audit and enforce:
raise CommandError("--audit and --enforce cannot be used together.")
# If --policy is present start with that as the base. Then optionally
# --user-policy, --service-policy, --computer-policy can override this.
if policy is not None:
user_policy = user_policy or policy
service_policy = service_policy or policy
computer_policy = computer_policy or policy
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
try:
@ -233,9 +223,6 @@ class cmd_domain_auth_silo_modify(Command):
Option("--description",
help="Optional description for authentication silo.",
dest="description", action="store", type=str),
Option("--policy",
help="Set single policy for all principals in this silo.",
dest="policy", action="store", type=str),
Option("--user-policy",
help="Set User account policy.",
dest="user_policy", action="store", type=str),
@ -272,22 +259,15 @@ class cmd_domain_auth_silo_modify(Command):
raise CommandError(e)
def run(self, hostopts=None, sambaopts=None, credopts=None, name=None,
description=None, policy=None, user_policy=None,
service_policy=None, computer_policy=None, protect=None,
unprotect=None, audit=None, enforce=None):
description=None, user_policy=None, service_policy=None,
computer_policy=None, protect=None, unprotect=None, audit=None,
enforce=None):
if audit and enforce:
raise CommandError("--audit and --enforce cannot be used together.")
if protect and unprotect:
raise CommandError("--protect and --unprotect cannot be used together.")
# If --policy is set then start with that for all policies.
# They can be individually overridden as well after that.
if policy is not None:
user_policy = user_policy or policy
service_policy = service_policy or policy
computer_policy = computer_policy or policy
ldb = self.ldb_connect(hostopts, sambaopts, credopts)
try:

View File

@ -40,17 +40,16 @@ class BaseAuthCmdTest(SambaToolCmdTest):
@classmethod
def setUpTestData(cls):
cls.create_authentication_policy(name="Single Policy")
cls.create_authentication_policy(name="User Policy")
cls.create_authentication_policy(name="Service Policy")
cls.create_authentication_policy(name="Computer Policy")
cls.create_authentication_silo(name="Developers",
description="Developers, Developers",
policy="Single Policy")
user_policy="User Policy")
cls.create_authentication_silo(name="Managers",
description="Managers",
policy="Single Policy")
user_policy="User Policy")
cls.create_authentication_silo(name="QA",
description="Quality Assurance",
user_policy="User Policy",
@ -147,7 +146,7 @@ class BaseAuthCmdTest(SambaToolCmdTest):
assert "Deleted authentication policy" in out
@classmethod
def create_authentication_silo(cls, name, description=None, policy=None,
def create_authentication_silo(cls, name, description=None,
user_policy=None, service_policy=None,
computer_policy=None, audit=False,
protect=False):
@ -156,14 +155,13 @@ class BaseAuthCmdTest(SambaToolCmdTest):
# Base command for create authentication policy.
cmd = ["domain", "auth", "silo", "create", "--name", name]
# If --policy is present, use a singular authentication policy.
# otherwise use --user-policy, --service-policy, --computer-policy
if policy is not None:
cmd += ["--policy", policy]
else:
cmd += ["--user-policy", user_policy,
"--service-policy", service_policy,
"--computer-policy", computer_policy]
# Authentication policies.
if user_policy:
cmd += ["--user-policy", user_policy]
if service_policy:
cmd += ["--service-policy", service_policy]
if computer_policy:
cmd += ["--computer-policy", computer_policy]
# Other optional attributes.
if description is not None:

View File

@ -40,8 +40,7 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
result, out, err = self.runcmd("domain", "auth", "policy", "list")
self.assertIsNone(result, msg=err)
expected_policies = [
"Single Policy", "User Policy", "Service Policy", "Computer Policy"]
expected_policies = ["User Policy", "Service Policy", "Computer Policy"]
for policy in expected_policies:
self.assertIn(policy, out)
@ -55,8 +54,7 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
# we should get valid json
policies = json.loads(out)
expected_policies = [
"Single Policy", "User Policy", "Service Policy", "Computer Policy"]
expected_policies = ["User Policy", "Service Policy", "Computer Policy"]
for name in expected_policies:
policy = policies[name]
@ -69,14 +67,14 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
def test_authentication_policy_view(self):
"""Test viewing a single authentication policy."""
result, out, err = self.runcmd("domain", "auth", "policy", "view",
"--name", "Single Policy")
"--name", "User Policy")
self.assertIsNone(result, msg=err)
# we should get valid json
policy = json.loads(out)
# check a few fields only
self.assertEqual(policy["cn"], "Single Policy")
self.assertEqual(policy["cn"], "User Policy")
self.assertEqual(policy["msDS-AuthNPolicyEnforced"], True)
def test_authentication_policy_view_notfound(self):
@ -256,9 +254,9 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
def test_authentication_policy_create_already_exists(self):
"""Test creating a new authentication policy that already exists."""
result, out, err = self.runcmd("domain", "auth", "policy", "create",
"--name", "Single Policy")
"--name", "User Policy")
self.assertEqual(result, -1)
self.assertIn("Authentication policy Single Policy already exists", err)
self.assertIn("Authentication policy User Policy already exists", err)
def test_authentication_policy_create_name_missing(self):
"""Test create authentication policy without --name argument."""
@ -541,7 +539,7 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
def test_authentication_policy_modify_audit_enforce_together(self):
"""Test modify auth policy using both --audit and --enforce."""
result, out, err = self.runcmd("domain", "auth", "policy", "modify",
"--name", "Single Policy",
"--name", "User Policy",
"--audit", "--enforce")
self.assertEqual(result, -1)
self.assertIn("--audit and --enforce cannot be used together.", err)
@ -549,7 +547,7 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
def test_authentication_policy_modify_protect_unprotect_together(self):
"""Test modify authentication policy using --protect and --unprotect."""
result, out, err = self.runcmd("domain", "auth", "policy", "modify",
"--name", "Single Policy",
"--name", "User Policy",
"--protect", "--unprotect")
self.assertEqual(result, -1)
self.assertIn("--protect and --unprotect cannot be used together.", err)
@ -560,7 +558,7 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
with patch.object(SamDB, "modify") as modify_mock:
modify_mock.side_effect = ModelError("Custom error message")
result, out, err = self.runcmd("domain", "auth", "policy", "modify",
"--name", "Single Policy",
"--name", "User Policy",
"--description", "New description")
self.assertEqual(result, -1)
self.assertIn("Custom error message", err)

View File

@ -58,8 +58,6 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
silo = silos[name]
self.assertIn("msDS-AuthNPolicySilo", list(silo["objectClass"]))
self.assertIn("description", silo)
self.assertIn("msDS-ComputerAuthNPolicy", silo)
self.assertIn("msDS-ServiceAuthNPolicy", silo)
self.assertIn("msDS-UserAuthNPolicy", silo)
self.assertIn("objectGUID", silo)
@ -96,15 +94,13 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "singlePolicy",
"--policy", "Single Policy")
"--user-policy", "User Policy")
self.assertIsNone(result, msg=err)
# Check silo that was created
silo = self.get_authentication_silo("singlePolicy")
self.assertEqual(str(silo["cn"]), "singlePolicy")
self.assertIn("Single Policy", str(silo["msDS-UserAuthNPolicy"]))
self.assertIn("Single Policy", str(silo["msDS-ServiceAuthNPolicy"]))
self.assertIn("Single Policy", str(silo["msDS-ComputerAuthNPolicy"]))
self.assertIn("User Policy", str(silo["msDS-UserAuthNPolicy"]))
self.assertEqual(str(silo["msDS-AuthNPolicySiloEnforced"]), "TRUE")
def test_authentication_silo_create_multiple_policies(self):
@ -129,36 +125,34 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
def test_authentication_silo_create_policy_dn(self):
"""Test creating a new authentication silo when policy is a dn."""
policy = self.get_authentication_policy("Single Policy")
policy = self.get_authentication_policy("User Policy")
self.addCleanup(self.delete_authentication_silo,
name="singlePolicyDN", force=True)
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "singlePolicyDN",
"--policy", policy["dn"])
"--user-policy", policy["dn"])
self.assertIsNone(result, msg=err)
# Check silo that was created
silo = self.get_authentication_silo("singlePolicyDN")
self.assertEqual(str(silo["cn"]), "singlePolicyDN")
self.assertIn(str(policy["name"]), str(silo["msDS-UserAuthNPolicy"]))
self.assertIn(str(policy["name"]), str(silo["msDS-ServiceAuthNPolicy"]))
self.assertIn(str(policy["name"]), str(silo["msDS-ComputerAuthNPolicy"]))
self.assertEqual(str(silo["msDS-AuthNPolicySiloEnforced"]), "TRUE")
def test_authentication_silo_create_already_exists(self):
"""Test creating a new authentication silo that already exists."""
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "Developers",
"--policy", "Single Policy")
"--user-policy", "User Policy")
self.assertEqual(result, -1)
self.assertIn("Authentication silo Developers already exists.", err)
def test_authentication_silo_create_name_missing(self):
"""Test create authentication silo without --name argument."""
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--policy", "Single Policy")
"--user-policy", "User Policy")
self.assertEqual(result, -1)
self.assertIn("Argument --name is required.", err)
@ -169,7 +163,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "auditPolicies",
"--policy", "Single Policy",
"--user-policy", "User Policy",
"--audit")
self.assertIsNone(result, msg=err)
@ -184,7 +178,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "enforcePolicies",
"--policy", "Single Policy",
"--user-policy", "User Policy",
"--enforce")
self.assertIsNone(result, msg=err)
@ -196,7 +190,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
"""Test create authentication silo using both --audit and --enforce."""
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "enforceTogether",
"--policy", "Single Policy",
"--user-policy", "User Policy",
"--audit", "--enforce")
self.assertEqual(result, -1)
self.assertIn("--audit and --enforce cannot be used together.", err)
@ -205,7 +199,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
"""Test create authentication silo using --protect and --unprotect."""
result, out, err = self.runcmd("domain", "auth", "silo",
"create", "--name", "protectTogether",
"--policy", "Single Policy",
"--user-policy", "User Policy",
"--protect", "--unprotect")
self.assertEqual(result, -1)
self.assertIn("--protect and --unprotect cannot be used together.", err)
@ -214,7 +208,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
"""Test create authentication silo with a policy that doesn't exist."""
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "policyNotFound",
"--policy", "Invalid Policy")
"--user-policy", "Invalid Policy")
self.assertEqual(result, -1)
self.assertIn("Authentication policy Invalid Policy not found.", err)
@ -225,7 +219,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
add_mock.side_effect = ModelError("Custom error message")
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name", "createFails",
"--policy", "Single Policy")
"--user-policy", "User Policy")
self.assertEqual(result, -1)
self.assertIn("Custom error message", err)
@ -347,7 +341,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
# Create non-protected authentication silo.
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name=deleteTest",
"--policy", "User Policy")
"--user-policy", "User Policy")
self.assertIsNone(result, msg=err)
silo = self.get_authentication_silo("deleteTest")
self.assertIsNotNone(silo)
@ -366,7 +360,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
# Create protected authentication silo.
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name=deleteProtected",
"--policy", "User Policy",
"--user-policy", "User Policy",
"--protect")
self.assertIsNone(result, msg=err)
silo = self.get_authentication_silo("deleteProtected")
@ -408,7 +402,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
# Create protected authentication silo.
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name=deleteForceFail",
"--policy", "User Policy",
"--user-policy", "User Policy",
"--protect")
self.assertIsNone(result, msg=err)
silo = self.get_authentication_silo("deleteForceFail")
@ -429,7 +423,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
# Create regular authentication silo.
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name=regularSilo",
"--policy", "User Policy")
"--user-policy", "User Policy")
self.assertIsNone(result, msg=err)
silo = self.get_authentication_silo("regularSilo")
self.assertIsNotNone(silo)
@ -450,7 +444,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
# Create protected authentication silo.
result, out, err = self.runcmd("domain", "auth", "silo", "create",
"--name=protectedSilo",
"--policy", "User Policy",
"--user-policy", "User Policy",
"--protect")
self.assertIsNone(result, msg=err)
silo = self.get_authentication_silo("protectedSilo")