netcmd: silo command remove combined --policy which set all 3
authorRob van der Linde <rob@catalyst.net.nz>
Tue, 17 Oct 2023 01:30:40 +0000 (14:30 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 26 Oct 2023 23:32:34 +0000 (23:32 +0000)
It doesn't make much sense to set all three policies (user authentication policy, service authentication policy and computer authentication policy) to the same policy.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
docs-xml/manpages/samba-tool.8.xml
python/samba/netcmd/domain/auth/silo.py
python/samba/tests/samba_tool/domain_auth_base.py
python/samba/tests/samba_tool/domain_auth_policy.py
python/samba/tests/samba_tool/domain_auth_silo.py

index 83d91bd0af166a14d1718a4a5e52f756dfb1b570..9e90c2335c0ac5166361a8cc6a19cf3b76e702e5 100644 (file)
                                Optional description for the authentication silo.
                        </para></listitem>
                </varlistentry>
-               <varlistentry>
-                       <term>--policy</term>
-                       <listitem><para>
-                               Use single policy for all principals in this silo.
-                       </para></listitem>
-               </varlistentry>
                <varlistentry>
                        <term>--user-policy</term>
                        <listitem><para>
                                Optional description for the authentication silo.
                        </para></listitem>
                </varlistentry>
-               <varlistentry>
-                       <term>--policy</term>
-                       <listitem><para>
-                               Use single policy for all principals in this silo.
-                       </para></listitem>
-               </varlistentry>
                <varlistentry>
                        <term>--user-policy</term>
                        <listitem><para>
index 0c486aeeaffa609c1b9537c834df2255d57b0a47..945fef7785f661ce0a42e5e703792d1a0faeefcd 100644 (file)
@@ -115,9 +115,6 @@ class cmd_domain_auth_silo_create(Command):
         Option("--description",
                help="Optional description for authentication silo.",
                dest="description", action="store", type=str),
-        Option("--policy",
-               help="Use single policy for all principals in this silo.",
-               dest="policy", action="store", type=str),
         Option("--user-policy",
                help="User account policy.",
                dest="user_policy", action="store", type=str),
@@ -154,22 +151,15 @@ class cmd_domain_auth_silo_create(Command):
             raise CommandError(e)
 
     def run(self, hostopts=None, sambaopts=None, credopts=None, name=None,
-            description=None, policy=None, user_policy=None,
-            service_policy=None, computer_policy=None, protect=None,
-            unprotect=None, audit=None, enforce=None):
+            description=None, user_policy=None, service_policy=None,
+            computer_policy=None, protect=None, unprotect=None, audit=None,
+            enforce=None):
 
         if protect and unprotect:
             raise CommandError("--protect and --unprotect cannot be used together.")
         if audit and enforce:
             raise CommandError("--audit and --enforce cannot be used together.")
 
-        # If --policy is present start with that as the base. Then optionally
-        # --user-policy, --service-policy, --computer-policy can override this.
-        if policy is not None:
-            user_policy = user_policy or policy
-            service_policy = service_policy or policy
-            computer_policy = computer_policy or policy
-
         ldb = self.ldb_connect(hostopts, sambaopts, credopts)
 
         try:
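Review bot: With the `--policy` fallback removed from `run()`, any of `user_policy`, `service_policy` and `computer_policy` that the caller omits stays `None`, and nothing visible in this hunk requires at least one of them or says what an omitted one means. An administrator who rewrites an existing `--policy X` call as `--user-policy X`, as the tests in this commit do, would presumably get a silo with no policy on service and computer accounts, which is narrower coverage than before. I would say so in the option help, for example extending `help="User account policy."` to state that omitting it leaves that account class without a policy in the silo, once that behaviour is confirmed against the rest of `run()`. The help strings in the `cmd_domain_auth_silo_modify` hunks have the same gap, and both `run()` bodies continue outside their hunks.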
@@ -233,9 +223,6 @@ class cmd_domain_auth_silo_modify(Command):
         Option("--description",
                help="Optional description for authentication silo.",
                dest="description", action="store", type=str),
-        Option("--policy",
-               help="Set single policy for all principals in this silo.",
-               dest="policy", action="store", type=str),
         Option("--user-policy",
                help="Set User account policy.",
                dest="user_policy", action="store", type=str),
@@ -272,22 +259,15 @@ class cmd_domain_auth_silo_modify(Command):
             raise CommandError(e)
 
     def run(self, hostopts=None, sambaopts=None, credopts=None, name=None,
-            description=None, policy=None, user_policy=None,
-            service_policy=None, computer_policy=None, protect=None,
-            unprotect=None, audit=None, enforce=None):
+            description=None, user_policy=None, service_policy=None,
+            computer_policy=None, protect=None, unprotect=None, audit=None,
+            enforce=None):
 
         if audit and enforce:
             raise CommandError("--audit and --enforce cannot be used together.")
         if protect and unprotect:
             raise CommandError("--protect and --unprotect cannot be used together.")
 
-        # If --policy is set then start with that for all policies.
-        # They can be individually overridden as well after that.
-        if policy is not None:
-            user_policy = user_policy or policy
-            service_policy = service_policy or policy
-            computer_policy = computer_policy or policy
-
         ldb = self.ldb_connect(hostopts, sambaopts, credopts)
 
         try:
index a0f423767c6654adf33c4f297840051d64ad040e..505674d7d91e62a1c2383632f5ddea359a1c70d5 100644 (file)
@@ -40,17 +40,16 @@ class BaseAuthCmdTest(SambaToolCmdTest):
 
     @classmethod
     def setUpTestData(cls):
-        cls.create_authentication_policy(name="Single Policy")
         cls.create_authentication_policy(name="User Policy")
         cls.create_authentication_policy(name="Service Policy")
         cls.create_authentication_policy(name="Computer Policy")
 
         cls.create_authentication_silo(name="Developers",
                                        description="Developers, Developers",
-                                       policy="Single Policy")
+                                       user_policy="User Policy")
         cls.create_authentication_silo(name="Managers",
                                        description="Managers",
-                                       policy="Single Policy")
+                                       user_policy="User Policy")
         cls.create_authentication_silo(name="QA",
                                        description="Quality Assurance",
                                        user_policy="User Policy",
@@ -147,7 +146,7 @@ class BaseAuthCmdTest(SambaToolCmdTest):
         assert "Deleted authentication policy" in out
 
     @classmethod
-    def create_authentication_silo(cls, name, description=None, policy=None,
+    def create_authentication_silo(cls, name, description=None,
                                    user_policy=None, service_policy=None,
                                    computer_policy=None, audit=False,
                                    protect=False):
@@ -156,14 +155,13 @@ class BaseAuthCmdTest(SambaToolCmdTest):
         # Base command for create authentication policy.
         cmd = ["domain", "auth", "silo", "create", "--name", name]
 
-        # If --policy is present, use a singular authentication policy.
-        # otherwise use --user-policy, --service-policy, --computer-policy
-        if policy is not None:
-            cmd += ["--policy", policy]
-        else:
-            cmd += ["--user-policy", user_policy,
-                    "--service-policy", service_policy,
-                    "--computer-policy", computer_policy]
+        # Authentication policies.
+        if user_policy:
+            cmd += ["--user-policy", user_policy]
+        if service_policy:
+            cmd += ["--service-policy", service_policy]
+        if computer_policy:
+            cmd += ["--computer-policy", computer_policy]
 
         # Other optional attributes.
         if description is not None:
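Review bot: The new guards test truthiness (`if user_policy:`) while the description check just below uses `is not None`, so an empty string is silently dropped for the three policies but passed through for the description. For a helper that is meant to mirror the command line, I would keep them consistent with `if user_policy is not None:`, and the same for `service_policy` and `computer_policy`, so a test can still hand an empty value to the command and exercise its own validation. The context comment `# Base command for create authentication policy.` also names the wrong object, since this helper builds a silo command. The body of `create_authentication_silo` starts and ends outside the hunk.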
index 0cf5d15ca8b5b49674b4dda40e7cfac754529830..9aa94becfd3bb0d80290c5736a98964eeb8f322e 100644 (file)
@@ -40,8 +40,7 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
         result, out, err = self.runcmd("domain", "auth", "policy", "list")
         self.assertIsNone(result, msg=err)
 
-        expected_policies = [
-            "Single Policy", "User Policy", "Service Policy", "Computer Policy"]
+        expected_policies = ["User Policy", "Service Policy", "Computer Policy"]
 
         for policy in expected_policies:
             self.assertIn(policy, out)
@@ -55,8 +54,7 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
         # we should get valid json
         policies = json.loads(out)
 
-        expected_policies = [
-            "Single Policy", "User Policy", "Service Policy", "Computer Policy"]
+        expected_policies = ["User Policy", "Service Policy", "Computer Policy"]
 
         for name in expected_policies:
             policy = policies[name]
@@ -69,14 +67,14 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
     def test_authentication_policy_view(self):
         """Test viewing a single authentication policy."""
         result, out, err = self.runcmd("domain", "auth", "policy", "view",
-                                       "--name", "Single Policy")
+                                       "--name", "User Policy")
         self.assertIsNone(result, msg=err)
 
         # we should get valid json
         policy = json.loads(out)
 
         # check a few fields only
-        self.assertEqual(policy["cn"], "Single Policy")
+        self.assertEqual(policy["cn"], "User Policy")
         self.assertEqual(policy["msDS-AuthNPolicyEnforced"], True)
 
     def test_authentication_policy_view_notfound(self):
@@ -256,9 +254,9 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
     def test_authentication_policy_create_already_exists(self):
         """Test creating a new authentication policy that already exists."""
         result, out, err = self.runcmd("domain", "auth", "policy", "create",
-                                       "--name", "Single Policy")
+                                       "--name", "User Policy")
         self.assertEqual(result, -1)
-        self.assertIn("Authentication policy Single Policy already exists", err)
+        self.assertIn("Authentication policy User Policy already exists", err)
 
     def test_authentication_policy_create_name_missing(self):
         """Test create authentication policy without --name argument."""
@@ -541,7 +539,7 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
     def test_authentication_policy_modify_audit_enforce_together(self):
         """Test modify auth policy using both --audit and --enforce."""
         result, out, err = self.runcmd("domain", "auth", "policy", "modify",
-                                       "--name", "Single Policy",
+                                       "--name", "User Policy",
                                        "--audit", "--enforce")
         self.assertEqual(result, -1)
         self.assertIn("--audit and --enforce cannot be used together.", err)
@@ -549,7 +547,7 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
     def test_authentication_policy_modify_protect_unprotect_together(self):
         """Test modify authentication policy using --protect and --unprotect."""
         result, out, err = self.runcmd("domain", "auth", "policy", "modify",
-                                       "--name", "Single Policy",
+                                       "--name", "User Policy",
                                        "--protect", "--unprotect")
         self.assertEqual(result, -1)
         self.assertIn("--protect and --unprotect cannot be used together.", err)
@@ -560,7 +558,7 @@ class AuthPolicyCmdTestCase(BaseAuthCmdTest):
         with patch.object(SamDB, "modify") as modify_mock:
             modify_mock.side_effect = ModelError("Custom error message")
             result, out, err = self.runcmd("domain", "auth", "policy", "modify",
-                                           "--name", "Single Policy",
+                                           "--name", "User Policy",
                                            "--description", "New description")
             self.assertEqual(result, -1)
             self.assertIn("Custom error message", err)
index c1d73058b437af02ef735e4a3f7289d324e6bab3..632609fcd3f5ea195e291a1b9c36d76a9727ef6d 100644 (file)
@@ -58,8 +58,6 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
             silo = silos[name]
             self.assertIn("msDS-AuthNPolicySilo", list(silo["objectClass"]))
             self.assertIn("description", silo)
-            self.assertIn("msDS-ComputerAuthNPolicy", silo)
-            self.assertIn("msDS-ServiceAuthNPolicy", silo)
             self.assertIn("msDS-UserAuthNPolicy", silo)
             self.assertIn("objectGUID", silo)
 
@@ -96,15 +94,13 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
 
         result, out, err = self.runcmd("domain", "auth", "silo", "create",
                                        "--name", "singlePolicy",
-                                       "--policy", "Single Policy")
+                                       "--user-policy", "User Policy")
         self.assertIsNone(result, msg=err)
 
         # Check silo that was created
         silo = self.get_authentication_silo("singlePolicy")
         self.assertEqual(str(silo["cn"]), "singlePolicy")
-        self.assertIn("Single Policy", str(silo["msDS-UserAuthNPolicy"]))
-        self.assertIn("Single Policy", str(silo["msDS-ServiceAuthNPolicy"]))
-        self.assertIn("Single Policy", str(silo["msDS-ComputerAuthNPolicy"]))
+        self.assertIn("User Policy", str(silo["msDS-UserAuthNPolicy"]))
         self.assertEqual(str(silo["msDS-AuthNPolicySiloEnforced"]), "TRUE")
 
     def test_authentication_silo_create_multiple_policies(self):
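Review bot: After this change the test only checks that `msDS-UserAuthNPolicy` was set; nothing pins the behaviour the commit introduces, namely that `--user-policy` alone no longer populates the service and computer policy attributes. Adding `self.assertNotIn("msDS-ServiceAuthNPolicy", silo)` and `self.assertNotIn("msDS-ComputerAuthNPolicy", silo)` after the user-policy assertion would catch a regression that brings back an implicit fallback, assuming the object returned by `get_authentication_silo` supports membership tests. The silo name `singlePolicy` still echoes the removed option; the test method starts outside the hunk, so its own name may need the same update. The `singlePolicyDN` test in the @@ -129 hunk has the same gap.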
@@ -129,36 +125,34 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
 
     def test_authentication_silo_create_policy_dn(self):
         """Test creating a new authentication silo when policy is a dn."""
-        policy = self.get_authentication_policy("Single Policy")
+        policy = self.get_authentication_policy("User Policy")
 
         self.addCleanup(self.delete_authentication_silo,
                         name="singlePolicyDN", force=True)
 
         result, out, err = self.runcmd("domain", "auth", "silo", "create",
                                        "--name", "singlePolicyDN",
-                                       "--policy", policy["dn"])
+                                       "--user-policy", policy["dn"])
         self.assertIsNone(result, msg=err)
 
         # Check silo that was created
         silo = self.get_authentication_silo("singlePolicyDN")
         self.assertEqual(str(silo["cn"]), "singlePolicyDN")
         self.assertIn(str(policy["name"]), str(silo["msDS-UserAuthNPolicy"]))
-        self.assertIn(str(policy["name"]), str(silo["msDS-ServiceAuthNPolicy"]))
-        self.assertIn(str(policy["name"]), str(silo["msDS-ComputerAuthNPolicy"]))
         self.assertEqual(str(silo["msDS-AuthNPolicySiloEnforced"]), "TRUE")
 
     def test_authentication_silo_create_already_exists(self):
         """Test creating a new authentication silo that already exists."""
         result, out, err = self.runcmd("domain", "auth", "silo", "create",
                                        "--name", "Developers",
-                                       "--policy", "Single Policy")
+                                       "--user-policy", "User Policy")
         self.assertEqual(result, -1)
         self.assertIn("Authentication silo Developers already exists.", err)
 
     def test_authentication_silo_create_name_missing(self):
         """Test create authentication silo without --name argument."""
         result, out, err = self.runcmd("domain", "auth", "silo", "create",
-                                       "--policy", "Single Policy")
+                                       "--user-policy", "User Policy")
         self.assertEqual(result, -1)
         self.assertIn("Argument --name is required.", err)
 
@@ -169,7 +163,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
 
         result, out, err = self.runcmd("domain", "auth", "silo", "create",
                                        "--name", "auditPolicies",
-                                       "--policy", "Single Policy",
+                                       "--user-policy", "User Policy",
                                        "--audit")
         self.assertIsNone(result, msg=err)
 
@@ -184,7 +178,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
 
         result, out, err = self.runcmd("domain", "auth", "silo", "create",
                                        "--name", "enforcePolicies",
-                                       "--policy", "Single Policy",
+                                       "--user-policy", "User Policy",
                                        "--enforce")
         self.assertIsNone(result, msg=err)
 
@@ -196,7 +190,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
         """Test create authentication silo using both --audit and --enforce."""
         result, out, err = self.runcmd("domain", "auth", "silo", "create",
                                        "--name", "enforceTogether",
-                                       "--policy", "Single Policy",
+                                       "--user-policy", "User Policy",
                                        "--audit", "--enforce")
         self.assertEqual(result, -1)
         self.assertIn("--audit and --enforce cannot be used together.", err)
@@ -205,7 +199,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
         """Test create authentication silo using --protect and --unprotect."""
         result, out, err = self.runcmd("domain", "auth", "silo",
                                        "create", "--name", "protectTogether",
-                                       "--policy", "Single Policy",
+                                       "--user-policy", "User Policy",
                                        "--protect", "--unprotect")
         self.assertEqual(result, -1)
         self.assertIn("--protect and --unprotect cannot be used together.", err)
@@ -214,7 +208,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
         """Test create authentication silo with a policy that doesn't exist."""
         result, out, err = self.runcmd("domain", "auth", "silo", "create",
                                        "--name", "policyNotFound",
-                                       "--policy", "Invalid Policy")
+                                       "--user-policy", "Invalid Policy")
         self.assertEqual(result, -1)
         self.assertIn("Authentication policy Invalid Policy not found.", err)
 
@@ -225,7 +219,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
             add_mock.side_effect = ModelError("Custom error message")
             result, out, err = self.runcmd("domain", "auth", "silo", "create",
                                            "--name", "createFails",
-                                           "--policy", "Single Policy")
+                                           "--user-policy", "User Policy")
             self.assertEqual(result, -1)
             self.assertIn("Custom error message", err)
 
@@ -347,7 +341,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
         # Create non-protected authentication silo.
         result, out, err = self.runcmd("domain", "auth", "silo", "create",
                                        "--name=deleteTest",
-                                       "--policy", "User Policy")
+                                       "--user-policy", "User Policy")
         self.assertIsNone(result, msg=err)
         silo = self.get_authentication_silo("deleteTest")
         self.assertIsNotNone(silo)
@@ -366,7 +360,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
         # Create protected authentication silo.
         result, out, err = self.runcmd("domain", "auth", "silo", "create",
                                        "--name=deleteProtected",
-                                       "--policy", "User Policy",
+                                       "--user-policy", "User Policy",
                                        "--protect")
         self.assertIsNone(result, msg=err)
         silo = self.get_authentication_silo("deleteProtected")
@@ -408,7 +402,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
         # Create protected authentication silo.
         result, out, err = self.runcmd("domain", "auth", "silo", "create",
                                        "--name=deleteForceFail",
-                                       "--policy", "User Policy",
+                                       "--user-policy", "User Policy",
                                        "--protect")
         self.assertIsNone(result, msg=err)
         silo = self.get_authentication_silo("deleteForceFail")
@@ -429,7 +423,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
         # Create regular authentication silo.
         result, out, err = self.runcmd("domain", "auth", "silo", "create",
                                        "--name=regularSilo",
-                                       "--policy", "User Policy")
+                                       "--user-policy", "User Policy")
         self.assertIsNone(result, msg=err)
         silo = self.get_authentication_silo("regularSilo")
         self.assertIsNotNone(silo)
@@ -450,7 +444,7 @@ class AuthSiloCmdTestCase(BaseAuthCmdTest):
         # Create protected authentication silo.
         result, out, err = self.runcmd("domain", "auth", "silo", "create",
                                        "--name=protectedSilo",
-                                       "--policy", "User Policy",
+                                       "--user-policy", "User Policy",
                                        "--protect")
         self.assertIsNone(result, msg=err)
         silo = self.get_authentication_silo("protectedSilo")