From: Rob van der Linde Date: Tue, 21 Nov 2023 02:23:59 +0000 (+1300) Subject: netcmd: auth policy: add allowed-to-authenticate-from-device-group attributes X-Git-Tag: talloc-2.4.2~564 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fad29cd0a67de492a2597129d11c9c3abbe0062f;p=thirdparty%2Fsamba.git netcmd: auth policy: add allowed-to-authenticate-from-device-group attributes Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- diff --git a/python/samba/netcmd/domain/auth/policy.py b/python/samba/netcmd/domain/auth/policy.py index 6ba39a70ace..32a24adafee 100644 --- a/python/samba/netcmd/domain/auth/policy.py +++ b/python/samba/netcmd/domain/auth/policy.py @@ -65,6 +65,10 @@ class UserOptions(options.OptionGroup): help="User is allowed to authenticate from a device in a silo.", type=str, dest="allowed_to_authenticate_from_device_silo", action="callback", callback=self.set_option) + self.add_option("--user-allowed-to-authenticate-from-device-group", + help="User is allowed to authenticate from a device in group.", + type=str, dest="allowed_to_authenticate_from_device_group", + action="callback", callback=self.set_option) self.add_option("--user-allowed-to-authenticate-to", help="Conditions user is allowed to authenticate to.", type=str, dest="allowed_to_authenticate_to", @@ -103,6 +107,10 @@ class ServiceOptions(options.OptionGroup): help="Service is allowed to authenticate from a device in a silo.", type=str, dest="allowed_to_authenticate_from_device_silo", action="callback", callback=self.set_option) + self.add_option("--service-allowed-to-authenticate-from-device-group", + help="Service is allowed to authenticate from a device in group.", + type=str, dest="allowed_to_authenticate_from_device_group", + action="callback", callback=self.set_option) self.add_option("--service-allowed-to-authenticate-to", help="Conditions service is allowed to authenticate to.", type=str, dest="allowed_to_authenticate_to", 
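Review bot: The help text for `--user-allowed-to-authenticate-from-device-group` (and its `--service-` twin in the second hunk) reads "from a device in group" — the article is missing — and it does not tell the operator that this is a shortcut which generates the SDDL for the `...-allowed-to-authenticate-from` attribute and so cannot be combined with the raw SDDL option or the `-device-silo` variant, which is what the check_similar_args change later in the patch enforces. Suggest `help="User is allowed to authenticate from a device in a group (shortcut: generates the SDDL for --user-allowed-to-authenticate-from)."` and the matching wording for the service option. The UserOptions and ServiceOptions __init__ bodies continue outside these hunks.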
@@ -264,6 +272,7 @@ class cmd_domain_auth_policy_create(Command): # Check for repeated, similar arguments. check_similar_args("--user-allowed-to-authenticate-from", [useropts.allowed_to_authenticate_from, + useropts.allowed_to_authenticate_from_device_group, useropts.allowed_to_authenticate_from_device_silo]) check_similar_args("--user-allowed-to-authenticate-to", [useropts.allowed_to_authenticate_to, @@ -271,6 +280,7 @@ class cmd_domain_auth_policy_create(Command): useropts.allowed_to_authenticate_to_by_silo]) check_similar_args("--service-allowed-to-authenticate-from", [serviceopts.allowed_to_authenticate_from, + serviceopts.allowed_to_authenticate_from_device_group, serviceopts.allowed_to_authenticate_from_device_silo]) check_similar_args("--service-allowed-to-authenticate-to", [serviceopts.allowed_to_authenticate_to, @@ -283,6 +293,12 @@ class cmd_domain_auth_policy_create(Command): ldb = self.ldb_connect(hostopts, sambaopts, credopts) + # Generate SDDL for authenticating users from a device in a group + if useropts.allowed_to_authenticate_from_device_group: + group = Group.get( + ldb, cn=useropts.allowed_to_authenticate_from_device_group) + useropts.allowed_to_authenticate_from = group.get_authentication_sddl() + # Generate SDDL for authenticating users from a device in a silo if useropts.allowed_to_authenticate_from_device_silo: silo = AuthenticationSilo.get( 
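Review bot: In the `@@ -283` hunk, `Group.get(ldb, cn=...)` is followed directly by `group.get_authentication_sddl()` with no check that a group was found; if the model layer's get() returns None for an unknown cn (the neighbouring silo branch has the same shape, so this looks like an inherited pattern rather than a deliberate one), a mistyped group name aborts the create with an AttributeError traceback instead of a clean command error. Insert `if group is None: raise CommandError(f"Group {useropts.allowed_to_authenticate_from_device_group} not found.")` between the lookup and the SDDL generation, assuming CommandError is the error type this module already raises for bad arguments. Because the policy stores the resolved SID (see the expected SDDL in the tests), the lookup must fail loudly rather than resolve to nothing. The enclosing create method continues past the hunk.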
@@ -301,6 +317,12 @@ class cmd_domain_auth_policy_create(Command): ldb, cn=useropts.allowed_to_authenticate_to_by_silo) useropts.allowed_to_authenticate_to = silo.get_authentication_sddl() + # Generate SDDL for authenticating service accounts from a device in a group + if serviceopts.allowed_to_authenticate_from_device_group: + group = Group.get( + ldb, cn=serviceopts.allowed_to_authenticate_from_device_group) + serviceopts.allowed_to_authenticate_from = group.get_authentication_sddl() + # Generate SDDL for authenticating service accounts from a device in a silo if serviceopts.allowed_to_authenticate_from_device_silo: silo = AuthenticationSilo.get( @@ -428,6 +450,7 @@ class cmd_domain_auth_policy_modify(Command): # Check for repeated, similar arguments. check_similar_args("--user-allowed-to-authenticate-from", [useropts.allowed_to_authenticate_from, + useropts.allowed_to_authenticate_from_device_group, useropts.allowed_to_authenticate_from_device_silo]) check_similar_args("--user-allowed-to-authenticate-to", [useropts.allowed_to_authenticate_to, @@ -435,6 +458,7 @@ class cmd_domain_auth_policy_modify(Command): useropts.allowed_to_authenticate_to_by_silo]) check_similar_args("--service-allowed-to-authenticate-from", [serviceopts.allowed_to_authenticate_from, + serviceopts.allowed_to_authenticate_from_device_group, serviceopts.allowed_to_authenticate_from_device_silo]) check_similar_args("--service-allowed-to-authenticate-to", [serviceopts.allowed_to_authenticate_to, 
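Review bot: The `@@ -301` hunk is the second of four copies (user/service × create/modify) of the same five-line lookup-and-generate sequence, and the copies already diverge in their comments; a module-level helper such as `_device_group_sddl(ldb, name)` that performs `Group.get(ldb, cn=name)`, rejects a missing group, and returns `get_authentication_sddl()` would keep the lookup rule and its error handling in one place. Each call site then reduces to `serviceopts.allowed_to_authenticate_from = _device_group_sddl(ldb, serviceopts.allowed_to_authenticate_from_device_group)` under the existing `if`. The enclosing create method continues past the hunk.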
@@ -447,6 +471,12 @@ class cmd_domain_auth_policy_modify(Command): ldb = self.ldb_connect(hostopts, sambaopts, credopts) + # Generate SDDL for authenticating users from a device in a group + if useropts.allowed_to_authenticate_from_device_group: + group = Group.get( + ldb, cn=useropts.allowed_to_authenticate_from_device_group) + useropts.allowed_to_authenticate_from = group.get_authentication_sddl() + # Generate SDDL for authenticating users from a device in a silo if useropts.allowed_to_authenticate_from_device_silo: silo = AuthenticationSilo.get( @@ -465,6 +495,12 @@ class cmd_domain_auth_policy_modify(Command): ldb, cn=useropts.allowed_to_authenticate_to_by_silo) useropts.allowed_to_authenticate_to = silo.get_authentication_sddl() + # Generate SDDL for authenticating users from a device a device in a group + if serviceopts.allowed_to_authenticate_from_device_group: + group = Group.get( + ldb, cn=serviceopts.allowed_to_authenticate_from_device_group) + serviceopts.allowed_to_authenticate_from = group.get_authentication_sddl() + # Generate SDDL for authenticating service accounts from a device in a silo if serviceopts.allowed_to_authenticate_from_device_silo: silo = AuthenticationSilo.get( diff --git a/python/samba/tests/samba_tool/domain_auth_policy.py b/python/samba/tests/samba_tool/domain_auth_policy.py index 5f68b627d88..1854037dd3a 100644 --- a/python/samba/tests/samba_tool/domain_auth_policy.py +++ b/python/samba/tests/samba_tool/domain_auth_policy.py 
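Review bot: The comment in the `@@ -465` hunk reads `# Generate SDDL for authenticating users from a device a device in a group` — "a device" is duplicated and it says "users" although the code beneath it sets `serviceopts.allowed_to_authenticate_from`; the equivalent hunk in the create command has the correct wording. Change it to `# Generate SDDL for authenticating service accounts from a device in a group`, matching the silo comment immediately after it. The enclosing modify method continues outside the hunk.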
@@ -153,6 +153,28 @@ class AuthPolicyCmdTestCase(SiloTest): self.assertIn("--user-tgt-lifetime-mins must be between 45 and 2147483647", err) + def test_create__user_allowed_to_authenticate_from_device_group(self): + """Tests the --user-allowed-to-authenticate-from-device-group shortcut.""" + name = self.unique_name() + expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % ( + self.device_group.object_sid) + + self.addCleanup(self.delete_authentication_policy, name=name, force=True) + result, out, err = self.runcmd("domain", "auth", "policy", "create", + "--name", name, + "--user-allowed-to-authenticate-from-device-group", + self.device_group.name) + self.assertIsNone(result, msg=err) + + # Check policy fields. + policy = self.get_authentication_policy(name) + self.assertEqual(str(policy["cn"]), name) + + # Check generated SDDL. + desc = policy["msDS-UserAllowedToAuthenticateFrom"][0] + sddl = ndr_unpack(security.descriptor, desc).as_sddl() + self.assertEqual(sddl, expected) + def test_create__user_allowed_to_authenticate_from_device_silo(self): """Tests the --user-allowed-to-authenticate-from-device-silo shortcut.""" name = self.unique_name() 
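Review bot: The new test only exercises the happy path; nothing checks that an unknown group name is rejected with a command error rather than a Python traceback, even though the command code does not guard the `Group.get` result. A not-found test in the same style as the tgt-lifetime error tests above this hunk would pin the failure mode; the exact message depends on what the command ends up raising, so start with the return code. AuthPolicyCmdTestCase continues outside the hunk.
```python
    def test_create__user_allowed_to_authenticate_from_device_group_unknown(self):
        """An unknown group name must fail with a command error, not a traceback."""
        name = self.unique_name()
        result, out, err = self.runcmd("domain", "auth", "policy", "create",
                                       "--name", name,
                                       "--user-allowed-to-authenticate-from-device-group",
                                       "doesNotExist")
        self.assertEqual(result, -1, msg=out)
```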
@@ -250,6 +272,28 @@ class AuthPolicyCmdTestCase(SiloTest): self.assertIn("--service-tgt-lifetime-mins must be between 45 and 2147483647", err) + def test_create__service_allowed_to_authenticate_from_device_group(self): + """Tests the --service-allowed-to-authenticate-from-device-group shortcut.""" + name = self.unique_name() + expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % ( + self.device_group.object_sid) + + self.addCleanup(self.delete_authentication_policy, name=name, force=True) + result, out, err = self.runcmd("domain", "auth", "policy", "create", + "--name", name, + "--service-allowed-to-authenticate-from-device-group", + self.device_group.name) + self.assertIsNone(result, msg=err) + + # Check policy fields. + policy = self.get_authentication_policy(name) + self.assertEqual(str(policy["cn"]), name) + + # Check generated SDDL. + desc = policy["msDS-ServiceAllowedToAuthenticateFrom"][0] + sddl = ndr_unpack(security.descriptor, desc).as_sddl() + self.assertEqual(sddl, expected) + def test_create__service_allowed_to_authenticate_from_device_silo(self): """Tests the --service-allowed-to-authenticate-from-device-silo shortcut.""" name = self.unique_name() 
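Review bot: No test covers the entries this patch adds to check_similar_args: a call that passes both `--service-allowed-to-authenticate-from-device-group` and `--service-allowed-to-authenticate-from-device-silo` must fail, since that check is what stops a caller from silently losing one of two conflicting device restrictions when one shortcut overwrites the other. A test like the one below, using whatever silo fixture the adjacent silo test uses in place of `self.device_silo`, would pin that; assert on the message only if check_similar_args names the option in it. AuthPolicyCmdTestCase continues outside the hunk.
```python
    def test_create__service_allowed_to_authenticate_from_device_group_and_silo(self):
        """The group and silo device shortcuts are mutually exclusive."""
        name = self.unique_name()
        result, out, err = self.runcmd("domain", "auth", "policy", "create",
                                       "--name", name,
                                       "--service-allowed-to-authenticate-from-device-group",
                                       self.device_group.name,
                                       "--service-allowed-to-authenticate-from-device-silo",
                                       self.device_silo.name)
        self.assertEqual(result, -1, msg=out)
```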
@@ -909,6 +953,29 @@ class AuthPolicyCmdTestCase(SiloTest): sddl = ndr_unpack(security.descriptor, desc).as_sddl() self.assertEqual(sddl, expected) + def test_modify__user_allowed_to_authenticate_from_device_group(self): + """Test the --user-allowed-to-authenticate-from-device-group shortcut.""" + name = self.unique_name() + expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % ( + self.device_group.object_sid) + + # Create a policy to modify for this test. + self.addCleanup(self.delete_authentication_policy, name=name, force=True) + self.runcmd("domain", "auth", "policy", "create", "--name", name) + + # Modify user allowed to authenticate from silo field + result, out, err = self.runcmd("domain", "auth", "policy", "modify", + "--name", name, + "--user-allowed-to-authenticate-from-device-group", + self.device_group.name) + self.assertIsNone(result, msg=err) + + # Check generated SDDL. + policy = self.get_authentication_policy(name) + desc = policy["msDS-UserAllowedToAuthenticateFrom"][0] + sddl = ndr_unpack(security.descriptor, desc).as_sddl() + self.assertEqual(sddl, expected) + def test_modify__user_allowed_to_authenticate_from_device_silo(self): """Test the --user-allowed-to-authenticate-from-device-silo shortcut.""" name = self.unique_name() 
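Review bot: The comment `# Modify user allowed to authenticate from silo field` in the new modify test was copied from the silo test and does not describe this test, which passes `--user-allowed-to-authenticate-from-device-group`. Change it to `# Modify user allowed to authenticate from group field`. AuthPolicyCmdTestCase continues outside the hunk.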
@@ -1026,6 +1093,29 @@ class AuthPolicyCmdTestCase(SiloTest): sddl = ndr_unpack(security.descriptor, desc).as_sddl() self.assertEqual(sddl, expected) + def test_modify__service_allowed_to_authenticate_from_device_group(self): + """Test the --service-allowed-to-authenticate-from-device-group shortcut.""" + name = self.unique_name() + expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % ( + self.device_group.object_sid) + + # Create a policy to modify for this test. + self.addCleanup(self.delete_authentication_policy, name=name, force=True) + self.runcmd("domain", "auth", "policy", "create", "--name", name) + + # Modify user allowed to authenticate from silo field + result, out, err = self.runcmd("domain", "auth", "policy", "modify", + "--name", name, + "--service-allowed-to-authenticate-from-device-group", + self.device_group.name) + self.assertIsNone(result, msg=err) + + # Check generated SDDL. + policy = self.get_authentication_policy(name) + desc = policy["msDS-ServiceAllowedToAuthenticateFrom"][0] + sddl = ndr_unpack(security.descriptor, desc).as_sddl() + self.assertEqual(sddl, expected) + def test_modify__service_allowed_to_authenticate_from_device_silo(self): """Test the --service-allowed-to-authenticate-from-device-silo shortcut.""" name = self.unique_name()
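Review bot: The comment `# Modify user allowed to authenticate from silo field` is wrong on both counts here — this test modifies the service attribute via the group shortcut — so it should read `# Modify service allowed to authenticate from group field`. The test also starts from a policy created with no restrictions, so it does not show that the group shortcut replaces an existing msDS-ServiceAllowedToAuthenticateFrom descriptor; creating the policy with the silo shortcut first and then asserting the group SDDL would prove the overwrite, if a silo fixture is available in this test case. AuthPolicyCmdTestCase continues outside the hunk.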