From: Rob van der Linde Date: Wed, 20 Mar 2024 20:58:02 +0000 (+1300) Subject: netcmd: auth policy: add service-allowed-to-authenticate-from subcommands X-Git-Tag: tdb-1.4.11~1319 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dcb6a14fa234678141c7dc9fae0c10dfe53e4dbd;p=thirdparty%2Fsamba.git netcmd: auth policy: add service-allowed-to-authenticate-from subcommands Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- diff --git a/python/samba/netcmd/domain/auth/policy/__init__.py b/python/samba/netcmd/domain/auth/policy/__init__.py index ddb560fa32a..c5d82ef0f58 100644 --- a/python/samba/netcmd/domain/auth/policy/__init__.py +++ b/python/samba/netcmd/domain/auth/policy/__init__.py @@ -25,6 +25,9 @@ from samba.netcmd import SuperCommand from .computer_allowed_to_authenticate_to import ( cmd_domain_auth_policy_computer_allowed_to_authenticate_to, ) +from .service_allowed_to_authenticate_from import ( + cmd_domain_auth_policy_service_allowed_to_authenticate_from, +) from .service_allowed_to_authenticate_to import ( cmd_domain_auth_policy_service_allowed_to_authenticate_to, ) @@ -54,6 +57,8 @@ class cmd_domain_auth_policy(SuperCommand): "delete": cmd_domain_auth_policy_delete(), "computer-allowed-to-authenticate-to": cmd_domain_auth_policy_computer_allowed_to_authenticate_to(), + "service-allowed-to-authenticate-from": + cmd_domain_auth_policy_service_allowed_to_authenticate_from(), "service-allowed-to-authenticate-to": cmd_domain_auth_policy_service_allowed_to_authenticate_to(), "user-allowed-to-authenticate-from": diff --git a/python/samba/netcmd/domain/auth/policy/service_allowed_to_authenticate_from.py b/python/samba/netcmd/domain/auth/policy/service_allowed_to_authenticate_from.py new file mode 100644 index 00000000000..a762703f3ad --- /dev/null +++ b/python/samba/netcmd/domain/auth/policy/service_allowed_to_authenticate_from.py 
@@ -0,0 +1,123 @@ +# Unix SMB/CIFS implementation. +# +# authentication policy - manage service-allowed-to-authenticate-from property +# +# Copyright (C) Catalyst.Net Ltd. 2024 +# +# Written by Rob van der Linde +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +from samba.domain.models import AuthenticationPolicy, AuthenticationSilo, Group +from samba.domain.models.exceptions import ModelError +from samba.getopt import CredentialsOptions, HostOptions, Option, SambaOptions +from samba.netcmd import Command, CommandError, SuperCommand + + +class cmd_domain_auth_policy_service_allowed_to_authenticate_from_set(Command): + """Set the service-allowed-to-authenticate-from property based on scenario. + + --device-group: + + To authenticate, the service must authenticate on a device in GROUP. + + --device-silo: + + To authenticate, the service must authenticate on a device in SILO. + + The options above are mutually exclusive, only one can be set at a time. 
+ """ + + synopsis = "%prog -H [options]" + + takes_optiongroups = { + "sambaopts": SambaOptions, + "credopts": CredentialsOptions, + "hostopts": HostOptions, + } + + takes_options = [ + Option("--name", + help="Name of authentication policy to view (required).", + dest="name", action="store", type=str, required=True), + Option("--device-group", + help="To authenticate, the service must authenticate on " + "a device in GROUP.", + dest="groupname", action="store", type=str), + Option("--device-silo", + help="To authenticate, the service must authenticate " + "on a device in SILO.", + dest="siloname", action="store", type=str), + ] + + def run(self, hostopts=None, sambaopts=None, credopts=None, name=None, + groupname=None, siloname=None): + + if groupname and siloname: + raise CommandError("Cannot have both --device-group and --device-silo options.") + + ldb = self.ldb_connect(hostopts, sambaopts, credopts) + + try: + policy = AuthenticationPolicy.get(ldb, cn=name) + except ModelError as e: + raise CommandError(e) + + if policy is None: + raise CommandError(f"Authentication policy {name} not found.") + + if groupname: + try: + group = Group.get(ldb, cn=groupname) + except ModelError as e: + raise CommandError(e) + + if group is None: + raise CommandError(f"Group {groupname} not found.") + + sddl = group.get_authentication_sddl() + + elif siloname: + try: + silo = AuthenticationSilo.get(ldb, cn=siloname) + except ModelError as e: + raise CommandError(e) + + if silo is None: + raise CommandError(f"Authentication silo {siloname} not found.") + + sddl = silo.get_authentication_sddl() + + else: + raise CommandError("Either --device-group or --device-silo expected.") + + policy.service_allowed_to_authenticate_from = sddl + + try: + policy.save(ldb) + except ModelError as e: + raise CommandError(e) + + # Authentication policy updated successfully. 
+ print(f"Updated authentication policy: {name}", file=self.outf) + print(f"Updated SDDL: {sddl}", file=self.outf) + + +class cmd_domain_auth_policy_service_allowed_to_authenticate_from(SuperCommand): + """Manage the service-allowed-to-authenticate-from property.""" + + subcommands = { + "set": cmd_domain_auth_policy_service_allowed_to_authenticate_from_set(), + }
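Review bot: In `run` the device group is resolved with `Group.get(ldb, cn=groupname)`, and a CN is only unique within its container, not across the domain, so if the model's `get` returns the first match rather than raising on several hits, a same-named group in another OU would silently be granted by the policy's SDDL; `Model.get` is defined outside this diff, so how it handles multiple results is worth confirming, and resolving by sAMAccountName or accepting a DN/SID would make the grant unambiguous either way. A smaller fix in the same hunk: the `--name` option's help text reads `help="Name of authentication policy to view (required)."` on a command that writes the policy, so `help="Name of authentication policy to modify (required)."` describes what `set` actually does. The same CN-based lookup is used for `AuthenticationSilo.get(ldb, cn=siloname)`, though silos normally live in a single container so the ambiguity is less likely there.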