netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group
authorRob van der Linde <rob@catalyst.net.nz>
Wed, 20 Mar 2024 20:48:25 +0000 (09:48 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 28 Mar 2024 01:50:41 +0000 (01:50 +0000)
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/netcmd/domain/auth/policy/policy.py
python/samba/tests/blackbox/claims.py
python/samba/tests/samba_tool/domain_auth_policy.py

index 6f7983cfa256e7a626d2b1394fd8ba0af3672e5e..701d6e40aa21c0518804a813eafb012b14473cf0 100644 (file)
@@ -61,16 +61,6 @@ class UserOptions(options.OptionGroup):
                         type=str, dest="allowed_to_authenticate_from",
                         action="callback", callback=self.set_option,
                         metavar="SDDL")
-        self.add_option("--user-allowed-to-authenticate-from-device-silo",
-                        help="To authenticate, the user must log in from a device in SILO.",
-                        type=str, dest="allowed_to_authenticate_from_device_silo",
-                        action="callback", callback=self.set_option,
-                        metavar="SILO")
-        self.add_option("--user-allowed-to-authenticate-from-device-group",
-                        help="To authenticate, the user must log in from a device in GROUP.",
-                        type=str, dest="allowed_to_authenticate_from_device_group",
-                        action="callback", callback=self.set_option,
-                        metavar="GROUP")
         self.add_option("--user-allowed-to-authenticate-to",
                         help="A target service, on a user account, requires the connecting user to match SDDL",
                         type=str, dest="allowed_to_authenticate_to",
@@ -254,10 +244,6 @@ class cmd_domain_auth_policy_create(Command):
             raise CommandError("--audit and --enforce cannot be used together.")
 
         # Check for repeated, similar arguments.
-        check_similar_args("--user-allowed-to-authenticate-from",
-                           [useropts.allowed_to_authenticate_from,
-                            useropts.allowed_to_authenticate_from_device_group,
-                            useropts.allowed_to_authenticate_from_device_silo])
         check_similar_args("--service-allowed-to-authenticate-from",
                            [serviceopts.allowed_to_authenticate_from,
                             serviceopts.allowed_to_authenticate_from_device_group,
@@ -265,18 +251,6 @@ class cmd_domain_auth_policy_create(Command):
 
         ldb = self.ldb_connect(hostopts, sambaopts, credopts)
 
-        # Generate SDDL for authenticating users from a device in a group
-        if useropts.allowed_to_authenticate_from_device_group:
-            group = Group.get(
-                ldb, cn=useropts.allowed_to_authenticate_from_device_group)
-            useropts.allowed_to_authenticate_from = group.get_authentication_sddl()
-
-        # Generate SDDL for authenticating users from a device in a silo
-        if useropts.allowed_to_authenticate_from_device_silo:
-            silo = AuthenticationSilo.get(
-                ldb, cn=useropts.allowed_to_authenticate_from_device_silo)
-            useropts.allowed_to_authenticate_from = silo.get_authentication_sddl()
-
         # Generate SDDL for authenticating service accounts from a device in a group
         if serviceopts.allowed_to_authenticate_from_device_group:
             group = Group.get(
@@ -384,10 +358,6 @@ class cmd_domain_auth_policy_modify(Command):
             raise CommandError("--audit and --enforce cannot be used together.")
 
         # Check for repeated, similar arguments.
-        check_similar_args("--user-allowed-to-authenticate-from",
-                           [useropts.allowed_to_authenticate_from,
-                            useropts.allowed_to_authenticate_from_device_group,
-                            useropts.allowed_to_authenticate_from_device_silo])
         check_similar_args("--service-allowed-to-authenticate-from",
                            [serviceopts.allowed_to_authenticate_from,
                             serviceopts.allowed_to_authenticate_from_device_group,
@@ -395,18 +365,6 @@ class cmd_domain_auth_policy_modify(Command):
 
         ldb = self.ldb_connect(hostopts, sambaopts, credopts)
 
-        # Generate SDDL for authenticating users from a device in a group
-        if useropts.allowed_to_authenticate_from_device_group:
-            group = Group.get(
-                ldb, cn=useropts.allowed_to_authenticate_from_device_group)
-            useropts.allowed_to_authenticate_from = group.get_authentication_sddl()
-
-        # Generate SDDL for authenticating users from a device in a silo
-        if useropts.allowed_to_authenticate_from_device_silo:
-            silo = AuthenticationSilo.get(
-                ldb, cn=useropts.allowed_to_authenticate_from_device_silo)
-            useropts.allowed_to_authenticate_from = silo.get_authentication_sddl()
-
         # Generate SDDL for authenticating users from a device a device in a group
         if serviceopts.allowed_to_authenticate_from_device_group:
             group = Group.get(
index 05110c95d55ea55fff9c9f51965457041779d1d6..3bedeed9512392499a6e73c15fe26a181e972ef0 100755 (executable)
@@ -75,8 +75,8 @@ class ClaimsSupportTests(BlackboxTestCase):
         self.addCleanup(self.run_command, "group delete allowed-devices")
 
         # Set allowed to authenticate from.
-        self.check_run("domain auth policy modify --name=device-restricted-users-pol "
-                       "--user-allowed-to-authenticate-from-device-group=allowed-devices")
+        self.check_run("domain auth policy user-allowed-to-authenticate-from set "
+                       "--name=device-restricted-users-pol --device-group=allowed-devices")
 
         self.check_run("user auth policy assign claimstestuser --policy=device-restricted-users-pol")
 
@@ -144,8 +144,8 @@ class ClaimsSupportTests(BlackboxTestCase):
         # Set allowed to authenticate from (where the login can happen) and to
         # (server requires silo that in term has this rule, so knows the user
         # was required to authenticate from).
-        self.check_run("domain auth policy modify --name=allowed-devices-only-pol "
-                       "--user-allowed-to-authenticate-from-device-silo=allowed-devices-only-silo")
+        self.check_run("domain auth policy user-allowed-to-authenticate-from set "
+                       "--name=allowed-devices-only-pol --device-silo=allowed-devices-only-silo")
 
         # Grant access to silo.
         self.check_run(r"domain auth silo member grant --name=allowed-devices-only-silo --member=claims-device\$")
@@ -244,8 +244,8 @@ class ClaimsSupportTests(BlackboxTestCase):
         # --service-allowed-to-authenticate-to/from options as well.
         # Likewise, if there are services running in user accounts, we need
         # --user-allowed-to-authenticate-to
-        self.check_run("domain auth policy modify --name=allowed-devices-only-pol "
-                       "--user-allowed-to-authenticate-from-device-silo=allowed-devices-only-silo")
+        self.check_run("domain auth policy user-allowed-to-authenticate-from set "
+                       "--name=allowed-devices-only-pol --device-silo=allowed-devices-only-silo")
         self.check_run("domain auth policy computer-allowed-to-authenticate-to set "
                        "--name=allowed-devices-only-pol --by-silo=allowed-devices-only-silo")
 
index 4336cc4cc15cbf31add48c9d9ddc922aa6a4c8f0..7c07ab84613f11f9dad8077a997db30500a735b6 100644 (file)
@@ -153,50 +153,6 @@ class AuthPolicyCmdTestCase(SiloTest):
         self.assertIn("--user-tgt-lifetime-mins must be between 45 and 2147483647",
                       err)
 
-    def test_create__user_allowed_to_authenticate_from_device_group(self):
-        """Tests the --user-allowed-to-authenticate-from-device-group shortcut."""
-        name = self.unique_name()
-        expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
-            self.device_group.object_sid)
-
-        self.addCleanup(self.delete_authentication_policy, name=name, force=True)
-        result, out, err = self.runcmd("domain", "auth", "policy", "create",
-                                       "--name", name,
-                                       "--user-allowed-to-authenticate-from-device-group",
-                                       self.device_group.name)
-        self.assertIsNone(result, msg=err)
-
-        # Check policy fields.
-        policy = self.get_authentication_policy(name)
-        self.assertEqual(str(policy["cn"]), name)
-
-        # Check generated SDDL.
-        desc = policy["msDS-UserAllowedToAuthenticateFrom"][0]
-        sddl = ndr_unpack(security.descriptor, desc).as_sddl()
-        self.assertEqual(sddl, expected)
-
-    def test_create__user_allowed_to_authenticate_from_device_silo(self):
-        """Tests the --user-allowed-to-authenticate-from-device-silo shortcut."""
-        name = self.unique_name()
-
-        self.addCleanup(self.delete_authentication_policy, name=name, force=True)
-        result, out, err = self.runcmd("domain", "auth", "policy", "create",
-                                       "--name", name,
-                                       "--user-allowed-to-authenticate-from-device-silo",
-                                       "Developers")
-        self.assertIsNone(result, msg=err)
-
-        # Check policy fields.
-        policy = self.get_authentication_policy(name)
-        self.assertEqual(str(policy["cn"]), name)
-
-        # Check generated SDDL.
-        desc = policy["msDS-UserAllowedToAuthenticateFrom"][0]
-        sddl = ndr_unpack(security.descriptor, desc).as_sddl()
-        self.assertEqual(
-            sddl,
-            'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Developers"))')
-
     def test_create__service_tgt_lifetime_mins(self):
         """Test create a new authentication policy with --service-tgt-lifetime-mins.
 
@@ -547,24 +503,27 @@ class AuthPolicyCmdTestCase(SiloTest):
         self.assertEqual(result, -1)
         self.assertIn("--protect and --unprotect cannot be used together.", err)
 
-    def test_create__user_allowed_to_authenticate_from_repeated(self):
+    def test_user_allowed_to_authenticate_from__set_repeated(self):
         """Test repeating similar arguments doesn't make sense to use together.
 
-        --user-allowed-to-authenticate-from
-        --user-allowed-to-authenticate-from-device-silo
+        user-allowed-to-authenticate-from set --device-group
+        user-allowed-to-authenticate-from set --device-silo
         """
-        sddl = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Developers"))'
         name = self.unique_name()
 
-        result, out, err = self.runcmd("domain", "auth", "policy", "create",
-                                       "--name", name,
-                                       "--user-allowed-to-authenticate-from",
-                                       sddl,
-                                       "--user-allowed-to-authenticate-from-device-silo",
+        self.runcmd("domain", "auth", "policy", "create", "--name", name)
+        self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+
+        result, out, err = self.runcmd("domain", "auth", "policy",
+                                       "user-allowed-to-authenticate-from",
+                                       "set", "--name", name,
+                                       "--device-group",
+                                       self.device_group.name,
+                                       "--device-silo",
                                        "Managers")
 
         self.assertEqual(result, -1)
-        self.assertIn("--user-allowed-to-authenticate-from argument repeated 2 times.", err)
+        self.assertIn("Cannot have both --device-group and --device-silo options.", err)
 
     def test_user_allowed_to_authenticate_to__set_repeated(self):
         """Test repeating similar arguments doesn't make sense to use together.
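Review bot: The preparatory `self.runcmd("domain", "auth", "policy", "create", "--name", name)` in the new test body discards its result, so if the create fails the test only reports a mismatch on the `set` command's error text instead of the real cause. Capturing and asserting it keeps the failure pointed at the right step: `result, out, err = self.runcmd("domain", "auth", "policy", "create", "--name", name)` followed by `self.assertIsNone(result, msg=err)`. The other set-up creates in this file appear to use the same discard pattern, so this may be the file's accepted convention rather than a defect specific to this commit. The docstring's option list could also name the subcommand fully once, e.g. `domain auth policy user-allowed-to-authenticate-from set --device-group / --device-silo`, so it reads as a command path rather than two bare flags.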
@@ -839,8 +798,8 @@ class AuthPolicyCmdTestCase(SiloTest):
         sddl = ndr_unpack(security.descriptor, desc).as_sddl()
         self.assertEqual(sddl, expected)
 
-    def test_modify__user_allowed_to_authenticate_from_device_group(self):
-        """Test the --user-allowed-to-authenticate-from-device-group shortcut."""
+    def test_user_allowed_to_authenticate_from__set_device_group(self):
+        """Tests the user-allowed-to-authenticate-from set --device-group shortcut."""
         name = self.unique_name()
         expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
             self.device_group.object_sid)
@@ -850,10 +809,10 @@ class AuthPolicyCmdTestCase(SiloTest):
         self.runcmd("domain", "auth", "policy", "create", "--name", name)
 
         # Modify user allowed to authenticate from silo field
-        result, out, err = self.runcmd("domain", "auth", "policy", "modify",
-                                       "--name", name,
-                                       "--user-allowed-to-authenticate-from-device-group",
-                                       self.device_group.name)
+        result, out, err = self.runcmd("domain", "auth", "policy",
+                                       "user-allowed-to-authenticate-from",
+                                       "set", "--name", name,
+                                       "--device-group", self.device_group.name)
         self.assertIsNone(result, msg=err)
 
         # Check generated SDDL.
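Review bot: The comment `# Modify user allowed to authenticate from silo field` directly above the rewritten runcmd call no longer matches the new code, which exercises `--device-group` in `test_user_allowed_to_authenticate_from__set_device_group`; it looks copied from the sibling silo test. Suggest `# Set user allowed to authenticate from using a device group` so the comment describes the SDDL path this test actually checks. The enclosing test method starts outside this hunk.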
@@ -862,8 +821,8 @@ class AuthPolicyCmdTestCase(SiloTest):
         sddl = ndr_unpack(security.descriptor, desc).as_sddl()
         self.assertEqual(sddl, expected)
 
-    def test_modify__user_allowed_to_authenticate_from_device_silo(self):
-        """Test the --user-allowed-to-authenticate-from-device-silo shortcut."""
+    def test_user_allowed_to_authenticate_from__set_device_silo(self):
+        """Tests the user-allowed-to-authenticate-from set --device-silo shortcut."""
         name = self.unique_name()
 
         # Create a policy to modify for this test.
@@ -871,10 +830,10 @@ class AuthPolicyCmdTestCase(SiloTest):
         self.runcmd("domain", "auth", "policy", "create", "--name", name)
 
         # Modify user allowed to authenticate from silo field
-        result, out, err = self.runcmd("domain", "auth", "policy", "modify",
-                                       "--name", name,
-                                       "--user-allowed-to-authenticate-from-device-silo",
-                                       "QA")
+        result, out, err = self.runcmd("domain", "auth", "policy",
+                                       "user-allowed-to-authenticate-from",
+                                       "set", "--name", name,
+                                       "--device-silo", "QA")
         self.assertIsNone(result, msg=err)
 
         # Check generated SDDL.