netcmd: models: move add trustee code to the GMSA model
authorRob van der Linde <rob@catalyst.net.nz>
Mon, 26 Feb 2024 03:07:55 +0000 (16:07 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 1 Mar 2024 04:45:36 +0000 (04:45 +0000)
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
python/samba/netcmd/domain/models/gmsa.py
python/samba/netcmd/service_account/group_msa_membership.py

index 570e40e44a8ed04a00ca7f5eeb61715376d12014..ee412ce79efc1b8b1b3fd37eaddfefd4aef127e3 100644 (file)
@@ -28,6 +28,7 @@ from .constants import GROUP_MSA_MEMBERSHIP_DEFAULT
 from .exceptions import FieldError
 from .fields import BinaryField, EnumField, IntegerField, SDDLField, StringField
 from .types import SupportedEncryptionTypes
+from .user import User
 
 
 class GroupManagedServiceAccount(Computer):
@@ -77,3 +78,21 @@ class GroupManagedServiceAccount(Computer):
                     field=GroupManagedServiceAccount.group_msa_membership)
 
         return allowed
+
+    def add_trustee(self, trustee: User):
+        """Adds the User `trustee` to group_msa_membership.
+
+        Checking if the trustee already has access is the responsibility
+        of the caller.
+        """
+        aces = self.group_msa_membership.dacl.aces
+
+        ace = security.ace()
+        ace.type = security.SEC_ACE_TYPE_ACCESS_ALLOWED
+        ace.trustee = security.dom_sid(trustee.object_sid)
+        ace.access_mask = security.SEC_ADS_GENERIC_ALL
+        aces.append(ace)
+
+        # Because aces is a copy this is necessary, also setting num_aces.
+        self.group_msa_membership.dacl.aces = aces
+        self.group_msa_membership.dacl.num_aces = len(aces)
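Review bot: `add_trustee` dereferences `self.group_msa_membership.dacl.aces` with no guard, so a GMSA whose membership descriptor is unset or carries no DACL fails with a bare `AttributeError` instead of a model-level error; unless the `SDDLField` default (`GROUP_MSA_MEMBERSHIP_DEFAULT`, not visible here) makes that unreachable, a check like `if self.group_msa_membership is None or self.group_msa_membership.dacl is None: raise FieldError(...)` would keep the failure in the same vocabulary as the `allowed` check just above. The annotation `trustee: User` is also narrower than what the body needs — it reads only `trustee.object_sid` — and the calling file imports `Group` as well, so if groups are accepted as trustees the hint should say so (e.g. `trustee: User | Group`). Since this is an access grant, the docstring should state what is granted: `Appends an ACCESS_ALLOWED ACE granting SEC_ADS_GENERIC_ALL (full control) on the msDS-GroupMSAMembership descriptor, which is what lets the trustee retrieve the managed password; no deduplication or canonical-order handling is done here.` The hunk also relies on `security` (`samba.dcerpc`) being imported above the visible range of this file, and the enclosing class `GroupManagedServiceAccount` starts outside this hunk.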
index 86ae22d9c29fcd91116a9551ed4de647e2c2ddaf..9b737d347a8299e4318e28eb01647a4bfa811c12 100644 (file)
@@ -19,7 +19,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-from samba.dcerpc import security
 from samba.getopt import CredentialsOptions, HostOptions, Option, SambaOptions
 from samba.netcmd import Command, CommandError, SuperCommand
 from samba.netcmd.domain.models import (Group, GroupManagedServiceAccount,
@@ -131,17 +130,7 @@ class cmd_service_account_group_msa_membership_add(Command):
             print(f"Trustee '{trustee}' is already allowed to show managed passwords for: {gmsa}",
                   file=self.outf)
         else:
-            aces = gmsa.group_msa_membership.dacl.aces
-
-            ace = security.ace()
-            ace.type = security.SEC_ACE_TYPE_ACCESS_ALLOWED
-            ace.trustee = security.dom_sid(trustee.object_sid)
-            ace.access_mask = security.SEC_ADS_GENERIC_ALL
-            aces.append(ace)
-
-            # aces is a copy so this is necessary including the len
-            gmsa.group_msa_membership.dacl.aces = aces
-            gmsa.group_msa_membership.dacl.num_aces = len(aces)
+            gmsa.add_trustee(trustee)
 
             try:
                 gmsa.save(ldb)