| author | Rob van der Linde <rob@catalyst.net.nz> | 2023-11-21 15:23:59 +1300 |
|---|---|---|
| committer | Douglas Bagnall <dbagnall@samba.org> | 2023-11-22 23:35:33 +0000 |
| commit | fad29cd0a67de492a2597129d11c9c3abbe0062f (patch) | |
| tree | 701af85d024986b87123fc83bad67ae2d0b3be2b /python/samba/tests | |
| parent | 1b4514712d2a62899787c33575600749d496e2b3 (diff) | |
netcmd: auth policy: add allowed-to-authenticate-from-device-group attributes
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python/samba/tests')
| -rw-r--r-- | python/samba/tests/samba_tool/domain_auth_policy.py | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/python/samba/tests/samba_tool/domain_auth_policy.py b/python/samba/tests/samba_tool/domain_auth_policy.py
index 5f68b627d88..1854037dd3a 100644
--- a/python/samba/tests/samba_tool/domain_auth_policy.py
+++ b/python/samba/tests/samba_tool/domain_auth_policy.py
@@ -153,6 +153,28 @@ class AuthPolicyCmdTestCase(SiloTest):
 self.assertIn("--user-tgt-lifetime-mins must be between 45 and 2147483647", err)
+ def test_create__user_allowed_to_authenticate_from_device_group(self):
+ """Tests the --user-allowed-to-authenticate-from-device-group shortcut."""
+ name = self.unique_name()
+ expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
+ self.device_group.object_sid)
+
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+ result, out, err = self.runcmd("domain", "auth", "policy", "create",
+ "--name", name,
+ "--user-allowed-to-authenticate-from-device-group",
+ self.device_group.name)
+ self.assertIsNone(result, msg=err)
+
+ # Check policy fields.
+ policy = self.get_authentication_policy(name)
+ self.assertEqual(str(policy["cn"]), name)
+
+ # Check generated SDDL.
+ desc = policy["msDS-UserAllowedToAuthenticateFrom"][0]
+ sddl = ndr_unpack(security.descriptor, desc).as_sddl()
+ self.assertEqual(sddl, expected)
+
 def test_create__user_allowed_to_authenticate_from_device_silo(self):
 """Tests the --user-allowed-to-authenticate-from-device-silo shortcut."""
 name = self.unique_name()
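Review bot: Only the success path of `--user-allowed-to-authenticate-from-device-group` is tested here, and the same holds for the service hunk and the two modify hunks: no added test passes a group name that cannot be resolved. The option generates the access-control condition stored in `msDS-UserAllowedToAuthenticateFrom`, so a failed lookup should make the command fail rather than leave a policy behind without the intended restriction, and a negative test would pin that. Tests outside these hunks may already cover it, which is not visible here. A sketch using only helpers that appear in the hunk follows; the group name is a constructed sample and the exact error text is left open.

```python
def test_create__user_allowed_to_authenticate_from_device_group__unknown(self):
    """An unresolvable device group name must make the command fail."""
    name = self.unique_name()

    self.addCleanup(self.delete_authentication_policy, name=name, force=True)
    result, out, err = self.runcmd("domain", "auth", "policy", "create",
                                   "--name", name,
                                   "--user-allowed-to-authenticate-from-device-group",
                                   "doesNotExistGroup")  # constructed sample name
    # The success path asserts result is None, so a failure must not be None.
    self.assertIsNotNone(result)
    # Also assert on the error text in err once the message is settled.
```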
@@ -250,6 +272,28 @@ class AuthPolicyCmdTestCase(SiloTest):
 self.assertIn("--service-tgt-lifetime-mins must be between 45 and 2147483647", err)
+ def test_create__service_allowed_to_authenticate_from_device_group(self):
+ """Tests the --service-allowed-to-authenticate-from-device-group shortcut."""
+ name = self.unique_name()
+ expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
+ self.device_group.object_sid)
+
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+ result, out, err = self.runcmd("domain", "auth", "policy", "create",
+ "--name", name,
+ "--service-allowed-to-authenticate-from-device-group",
+ self.device_group.name)
+ self.assertIsNone(result, msg=err)
+
+ # Check policy fields.
+ policy = self.get_authentication_policy(name)
+ self.assertEqual(str(policy["cn"]), name)
+
+ # Check generated SDDL.
+ desc = policy["msDS-ServiceAllowedToAuthenticateFrom"][0]
+ sddl = ndr_unpack(security.descriptor, desc).as_sddl()
+ self.assertEqual(sddl, expected)
+
 def test_create__service_allowed_to_authenticate_from_device_silo(self):
 """Tests the --service-allowed-to-authenticate-from-device-silo shortcut."""
 name = self.unique_name()
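Review bot: The `expected` SDDL string is an unexplained literal, repeated verbatim here and in the other three hunks, so a reader cannot tell what access rule the shortcut is meant to produce. I would add a comment above it such as `# Callback allow ACE (XA) for Everyone (WD) granting control access (CR), conditional on membership of the device group; owner and group are SYSTEM`. Building the string in one small helper shared by the four tests would also keep the copies from drifting apart if the generated descriptor changes.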
@@ -909,6 +953,29 @@ class AuthPolicyCmdTestCase(SiloTest):
 sddl = ndr_unpack(security.descriptor, desc).as_sddl()
 self.assertEqual(sddl, expected)
+ def test_modify__user_allowed_to_authenticate_from_device_group(self):
+ """Test the --user-allowed-to-authenticate-from-device-group shortcut."""
+ name = self.unique_name()
+ expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
+ self.device_group.object_sid)
+
+ # Create a policy to modify for this test.
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+ self.runcmd("domain", "auth", "policy", "create", "--name", name)
+
+ # Modify user allowed to authenticate from silo field
+ result, out, err = self.runcmd("domain", "auth", "policy", "modify",
+ "--name", name,
+ "--user-allowed-to-authenticate-from-device-group",
+ self.device_group.name)
+ self.assertIsNone(result, msg=err)
+
+ # Check generated SDDL.
+ policy = self.get_authentication_policy(name)
+ desc = policy["msDS-UserAllowedToAuthenticateFrom"][0]
+ sddl = ndr_unpack(security.descriptor, desc).as_sddl()
+ self.assertEqual(sddl, expected)
+
 def test_modify__user_allowed_to_authenticate_from_device_silo(self):
 """Test the --user-allowed-to-authenticate-from-device-silo shortcut."""
 name = self.unique_name()
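Review bot: The comment `# Modify user allowed to authenticate from silo field` was carried over from the silo test and does not describe this one, which sets the device group; it should read `# Modify user allowed to authenticate from device group field`. In the service modify hunk the same comment is wrong twice, since it says both "user" and "silo". Separately, the setup call `self.runcmd("domain", "auth", "policy", "create", "--name", name)` discards its result in both modify tests, so a failed create would only show up later as a confusing modify error. Capturing it as `result, out, err = self.runcmd(...)` followed by `self.assertIsNone(result, msg=err)` would report the real cause.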
@@ -1026,6 +1093,29 @@ class AuthPolicyCmdTestCase(SiloTest):
 sddl = ndr_unpack(security.descriptor, desc).as_sddl()
 self.assertEqual(sddl, expected)
+ def test_modify__service_allowed_to_authenticate_from_device_group(self):
+ """Test the --service-allowed-to-authenticate-from-device-group shortcut."""
+ name = self.unique_name()
+ expected = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID(%s)}))" % (
+ self.device_group.object_sid)
+
+ # Create a policy to modify for this test.
+ self.addCleanup(self.delete_authentication_policy, name=name, force=True)
+ self.runcmd("domain", "auth", "policy", "create", "--name", name)
+
+ # Modify user allowed to authenticate from silo field
+ result, out, err = self.runcmd("domain", "auth", "policy", "modify",
+ "--name", name,
+ "--service-allowed-to-authenticate-from-device-group",
+ self.device_group.name)
+ self.assertIsNone(result, msg=err)
+
+ # Check generated SDDL.
+ policy = self.get_authentication_policy(name)
+ desc = policy["msDS-ServiceAllowedToAuthenticateFrom"][0]
+ sddl = ndr_unpack(security.descriptor, desc).as_sddl()
+ self.assertEqual(sddl, expected)
+
 def test_modify__service_allowed_to_authenticate_from_device_silo(self):
 """Test the --service-allowed-to-authenticate-from-device-silo shortcut."""
 name = self.unique_name() |
