netcmd: auth policy: remove old computer-allowed-to-authenticate-to-silo and group
authorRob van der Linde <rob@catalyst.net.nz>
Wed, 20 Mar 2024 09:31:48 +0000 (22:31 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 28 Mar 2024 01:50:41 +0000 (01:50 +0000)
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/netcmd/domain/auth/policy/policy.py
python/samba/tests/blackbox/claims.py
python/samba/tests/samba_tool/domain_auth_policy.py

index a4e148cb55ee1a8fbd913208a1222ed5aa10c364..42d197cd73e78ca1110829f48a515fa4a4a39ede 100644 (file)
@@ -154,16 +154,6 @@ class ComputerOptions(options.OptionGroup):
                         type=str, dest="allowed_to_authenticate_to",
                         action="callback", callback=self.set_option,
                         metavar="SDDL")
-        self.add_option("--computer-allowed-to-authenticate-to-by-group",
-                        help="The computer account (server, workstation) service requires the connecting user to be in GROUP",
-                        type=str, dest="allowed_to_authenticate_to_by_group",
-                        action="callback", callback=self.set_option,
-                        metavar="GROUP")
-        self.add_option("--computer-allowed-to-authenticate-to-by-silo",
-                        help="The computer account (server, workstation) service requires the connecting user to be in SILO",
-                        type=str, dest="allowed_to_authenticate_to_by_silo",
-                        action="callback", callback=self.set_option,
-                        metavar="SILO")
 
 
 class cmd_domain_auth_policy_list(Command):
@@ -300,10 +290,6 @@ class cmd_domain_auth_policy_create(Command):
                            [serviceopts.allowed_to_authenticate_to,
                             serviceopts.allowed_to_authenticate_to_by_group,
                             serviceopts.allowed_to_authenticate_to_by_silo])
-        check_similar_args("--computer-allowed-to-authenticate-to",
-                           [computeropts.allowed_to_authenticate_to,
-                            computeropts.allowed_to_authenticate_to_by_group,
-                            computeropts.allowed_to_authenticate_to_by_silo])
 
         ldb = self.ldb_connect(hostopts, sambaopts, credopts)
 
@@ -355,18 +341,6 @@ class cmd_domain_auth_policy_create(Command):
                 ldb, cn=serviceopts.allowed_to_authenticate_to_by_silo)
             serviceopts.allowed_to_authenticate_to = silo.get_authentication_sddl()
 
-        # Generate SDDL for authenticating computer accounts to a group
-        if computeropts.allowed_to_authenticate_to_by_group:
-            group = Group.get(
-                ldb, cn=computeropts.allowed_to_authenticate_to_by_group)
-            computeropts.allowed_to_authenticate_to = group.get_authentication_sddl()
-
-        # Generate SDDL for authenticating computer accounts to a silo
-        if computeropts.allowed_to_authenticate_to_by_silo:
-            silo = AuthenticationSilo.get(
-                ldb, cn=computeropts.allowed_to_authenticate_to_by_silo)
-            computeropts.allowed_to_authenticate_to = silo.get_authentication_sddl()
-
         try:
             policy = AuthenticationPolicy.get(ldb, cn=name)
         except ModelError as e:
@@ -478,10 +452,6 @@ class cmd_domain_auth_policy_modify(Command):
                            [serviceopts.allowed_to_authenticate_to,
                             serviceopts.allowed_to_authenticate_to_by_group,
                             serviceopts.allowed_to_authenticate_to_by_silo])
-        check_similar_args("--computer-allowed-to-authenticate-to",
-                           [computeropts.allowed_to_authenticate_to,
-                            computeropts.allowed_to_authenticate_to_by_group,
-                            computeropts.allowed_to_authenticate_to_by_silo])
 
         ldb = self.ldb_connect(hostopts, sambaopts, credopts)
 
@@ -533,18 +503,6 @@ class cmd_domain_auth_policy_modify(Command):
                 ldb, cn=serviceopts.allowed_to_authenticate_to_by_silo)
             serviceopts.allowed_to_authenticate_to = silo.get_authentication_sddl()
 
-        # Generate SDDL for authenticating computer accounts to a group
-        if computeropts.allowed_to_authenticate_to_by_group:
-            group = Group.get(
-                ldb, cn=computeropts.allowed_to_authenticate_to_by_group)
-            computeropts.allowed_to_authenticate_to = group.get_authentication_sddl()
-
-        # Generate SDDL for authenticating computer accounts to a silo
-        if computeropts.allowed_to_authenticate_to_by_silo:
-            silo = AuthenticationSilo.get(
-                ldb, cn=computeropts.allowed_to_authenticate_to_by_silo)
-            computeropts.allowed_to_authenticate_to = silo.get_authentication_sddl()
-
         try:
             policy = AuthenticationPolicy.get(ldb, cn=name)
         except ModelError as e:
index cad8095ef27b1808f1a8daa41636fd785f287f02..05110c95d55ea55fff9c9f51965457041779d1d6 100755 (executable)
@@ -245,8 +245,9 @@ class ClaimsSupportTests(BlackboxTestCase):
         # Likewise, if there are services running in user accounts, we need
         # --user-allowed-to-authenticate-to
         self.check_run("domain auth policy modify --name=allowed-devices-only-pol "
-                       "--user-allowed-to-authenticate-from-device-silo=allowed-devices-only-silo "
-                       "--computer-allowed-to-authenticate-to-by-silo=allowed-devices-only-silo")
+                       "--user-allowed-to-authenticate-from-device-silo=allowed-devices-only-silo")
+        self.check_run("domain auth policy computer-allowed-to-authenticate-to set "
+                       "--name=allowed-devices-only-pol --by-silo=allowed-devices-only-silo")
 
         # Grant access to silo.
         self.check_run(r"domain auth silo member grant --name=allowed-devices-only-silo --member=claims-device\$")
@@ -350,8 +351,8 @@ class ClaimsSupportTests(BlackboxTestCase):
         self.addCleanup(self.run_command, "group delete server-access-group")
 
         # Set allowed to authenticate to.
-        self.check_run("domain auth policy modify --name=restricted-servers-pol "
-                       "--computer-allowed-to-authenticate-to-by-group=server-access-group")
+        self.check_run("domain auth policy computer-allowed-to-authenticate-to set "
+                       "--name=restricted-servers-pol --by-group=server-access-group")
 
         self.check_run(r"user auth policy assign claims-server\$ --policy=restricted-servers-pol")
 
@@ -409,8 +410,8 @@ class ClaimsSupportTests(BlackboxTestCase):
                         "domain auth silo delete --name=restricted-servers-silo")
 
         # Set allowed to authenticate to.
-        self.check_run("domain auth policy modify --name=restricted-servers-pol "
-                       "--computer-allowed-to-authenticate-to-by-silo=restricted-servers-silo")
+        self.check_run("domain auth policy computer-allowed-to-authenticate-to set "
+                       "--name=restricted-servers-pol --by-silo=restricted-servers-silo")
 
         # Grant access to silo.
         self.check_run(r"domain auth silo member grant --name=restricted-servers-silo --member=claims-server\$")
index eed8d3bb1adced14d8608d4c5b1da8ed2ec4e0ad..7a05796b38835f65ae2e89e33b4fb31abc0a89e7 100644 (file)
@@ -391,47 +391,6 @@ class AuthPolicyCmdTestCase(SiloTest):
         self.assertIn("--computer-tgt-lifetime-mins must be between 45 and 2147483647",
                       err)
 
-    def test_create__computer_allowed_to_authenticate_to_by_group(self):
-        """Tests the --computer-allowed-to-authenticate-to-by-group shortcut."""
-        name = self.unique_name()
-        expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
-            self.device_group.object_sid)
-
-        # Create a user with authenticate to by group attribute.
-        self.addCleanup(self.delete_authentication_policy, name=name, force=True)
-        result, out, err = self.runcmd(
-            "domain", "auth", "policy", "create", "--name", name,
-            "--computer-allowed-to-authenticate-to-by-group",
-            self.device_group.name)
-        self.assertIsNone(result, msg=err)
-
-        # Check user allowed to authenticate to field was modified.
-        policy = self.get_authentication_policy(name)
-        self.assertEqual(str(policy["cn"]), name)
-        desc = policy["msDS-ComputerAllowedToAuthenticateTo"][0]
-        sddl = ndr_unpack(security.descriptor, desc).as_sddl()
-        self.assertEqual(sddl, expected)
-
-    def test_create__computer_allowed_to_authenticate_to_by_silo(self):
-        """Tests the --computer-allowed-to-authenticate-to-by-silo shortcut."""
-        name = self.unique_name()
-        expected = ('O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/'
-                    'AuthenticationSilo == "QA"))')
-
-        # Create a user with authenticate to by silo attribute.
-        self.addCleanup(self.delete_authentication_policy, name=name, force=True)
-        result, out, err = self.runcmd(
-            "domain", "auth", "policy", "create", "--name", name,
-            "--computer-allowed-to-authenticate-to-by-silo", "QA")
-        self.assertIsNone(result, msg=err)
-
-        # Check user allowed to authenticate to field was modified.
-        policy = self.get_authentication_policy(name)
-        self.assertEqual(str(policy["cn"]), name)
-        desc = policy["msDS-ComputerAllowedToAuthenticateTo"][0]
-        sddl = ndr_unpack(security.descriptor, desc).as_sddl()
-        self.assertEqual(sddl, expected)
-
     def test_create__valid_sddl(self):
         """Test creating a new authentication policy with valid SDDL in a field."""
         name = self.unique_name()
@@ -746,24 +705,27 @@ class AuthPolicyCmdTestCase(SiloTest):
         self.assertEqual(result, -1)
         self.assertIn("--service-allowed-to-authenticate-to argument repeated 2 times.", err)
 
-    def test_create__computer_allowed_to_authenticate_to_repeated(self):
+    def test_computer_allowed_to_authenticate_to__set_repeated(self):
         """Test repeating similar arguments doesn't make sense to use together.
 
-        --computer-allowed-to-authenticate-to
-        --computer-allowed-to-authenticate-to-by-silo
+        computer-allowed-to-authenticate-to set --by-group
+        computer-allowed-to-authenticate-to set --by-silo
         """
-        sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Managers"))'
         name = self.unique_name()
 
-        result, out, err = self.runcmd("domain", "auth", "policy", "create",
-                                       "--name", name,
-                                       "--computer-allowed-to-authenticate-to",
-                                       sddl,
-                                       "--computer-allowed-to-authenticate-to-by-silo",
+        self.runcmd("domain", "auth", "policy", "create", "--name", name)
+        self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+
+        result, out, err = self.runcmd("domain", "auth", "policy",
+                                       "computer-allowed-to-authenticate-to",
+                                       "set", "--name", name,
+                                       "--by-group",
+                                       self.device_group.name,
+                                       "--by-silo",
                                        "QA")
 
         self.assertEqual(result, -1)
-        self.assertIn("--computer-allowed-to-authenticate-to argument repeated 2 times.", err)
+        self.assertIn("Cannot have both --by-group and --by-silo options.", err)
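Review bot: The policy creation on the line `self.runcmd("domain", "auth", "policy", "create", "--name", name)` discards its result, so if creation fails the subsequent `set` call also returns -1 for an unrelated reason and only the message check keeps the test honest; capture and assert it with `result, out, err = self.runcmd("domain", "auth", "policy", "create", "--name", name)` followed by `self.assertIsNone(result, msg=err)`, and register the `addCleanup(..., force=True)` before running create so a partially failed create is still cleaned up. The removed `test_create__computer_allowed_to_authenticate_to_repeated` covered a raw SDDL `--computer-allowed-to-authenticate-to` combined with the `--by-silo` shortcut, whereas the replacement only exercises `--by-group` against `--by-silo`. If the `set` subcommand (its implementation is not in this diff) also accepts a raw SDDL value, the SDDL-plus-shortcut conflict is now untested and deserves a sibling test so that an operator cannot silently have a hand-written descriptor overridden by a shortcut.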
 
     def test_create__fails(self):
         """Test creating an authentication policy, but it fails."""
@@ -1233,8 +1195,8 @@ class AuthPolicyCmdTestCase(SiloTest):
         sddl = ndr_unpack(security.descriptor, desc).as_sddl()
         self.assertEqual(sddl, expected)
 
-    def test_modify__computer_allowed_to_authenticate_to_by_group(self):
-        """Tests the --computer-allowed-to-authenticate-to-by-group shortcut."""
+    def test_computer_allowed_to_authenticate_to__set_by_group(self):
+        """Tests the computer-allowed-to-authenticate-to set --by-group shortcut."""
         name = self.unique_name()
         expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
             self.device_group.object_sid)
@@ -1244,9 +1206,9 @@ class AuthPolicyCmdTestCase(SiloTest):
         self.runcmd("domain", "auth", "policy", "create", "--name", name)
 
         # Modify user allowed to authenticate to field
-        result, out, err = self.runcmd("domain", "auth", "policy", "modify",
-                                       "--name", name,
-                                       "--computer-allowed-to-authenticate-to-by-group",
+        result, out, err = self.runcmd("domain", "auth", "policy",
+                                       "computer-allowed-to-authenticate-to",
+                                       "set", "--name", name, "--by-group",
                                        self.device_group.name)
         self.assertIsNone(result, msg=err)
 
@@ -1257,8 +1219,8 @@ class AuthPolicyCmdTestCase(SiloTest):
         sddl = ndr_unpack(security.descriptor, desc).as_sddl()
         self.assertEqual(sddl, expected)
 
-    def test_modify__computer_allowed_to_authenticate_to_by_silo(self):
-        """Tests the --computer-allowed-to-authenticate-to-by-silo shortcut."""
+    def test_computer_allowed_to_authenticate_to__set_by_silo(self):
+        """Tests the computer-allowed-to-authenticate-to set --by-silo shortcut."""
         name = self.unique_name()
         expected = ('O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/'
                     'AuthenticationSilo == "QA"))')
@@ -1268,9 +1230,9 @@ class AuthPolicyCmdTestCase(SiloTest):
         self.runcmd("domain", "auth", "policy", "create", "--name", name)
 
         # Modify user allowed to authenticate to field
-        result, out, err = self.runcmd("domain", "auth", "policy", "modify",
-                                       "--name", name,
-                                       "--computer-allowed-to-authenticate-to-by-silo",
+        result, out, err = self.runcmd("domain", "auth", "policy",
+                                       "computer-allowed-to-authenticate-to",
+                                       "set", "--name", name, "--by-silo",
                                        "QA")
         self.assertIsNone(result, msg=err)