authorJoseph Sutton <josephsutton@catalyst.net.nz>2023-04-03 11:23:10 +1200
committerAndrew Bartlett <abartlet@samba.org>2023-05-05 02:54:30 +0000
commite7b2cd7d8315a5f182acba99b5c986f8b5a6186d (patch)
tree7a25b1df4425c39e5632c64c2a06250c529b6493 /python
parentc4972272227696dfd5848db3897f1128f2817995 (diff)
downloadsamba-e7b2cd7d8315a5f182acba99b5c986f8b5a6186d.tar.gz
tests/krb5: Add method to create an authentication policy
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python')
-rw-r--r--python/samba/tests/krb5/kdc_base_test.py103
1 files changed, 103 insertions, 0 deletions
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index fbc3447bd97..09abb1619a8 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -27,6 +27,7 @@ from functools import partial
import tempfile
import binascii
import collections
+import numbers
import secrets
from enum import Enum
@@ -563,6 +564,108 @@ class KDCBaseTest(RawKerberosTest):
return claim_id
+ def create_authn_policy(self,
+ policy_id,
+ enforced=None,
+ strong_ntlm_policy=None,
+ user_allowed_from=None,
+ user_allowed_ntlm=None,
+ user_allowed_to=None,
+ user_tgt_lifetime=None,
+ computer_allowed_to=None,
+ computer_tgt_lifetime=None,
+ service_allowed_from=None,
+ service_allowed_ntlm=None,
+ service_allowed_to=None,
+ service_tgt_lifetime=None):
+ samdb = self.get_samdb()
+
+ policy_dn = self.get_authn_policies_dn()
+ self.assertTrue(policy_dn.add_child(f'CN={policy_id}'))
+
+ details = {
+ 'dn': policy_dn,
+ 'objectClass': 'msDS-AuthNPolicy',
+ }
+
+ _domain_sid = None
+
+ def sd_from_sddl(sddl):
+ nonlocal _domain_sid
+ if _domain_sid is None:
+ _domain_sid = security.dom_sid(samdb.get_domain_sid())
+
+ return ndr_pack(security.descriptor.from_sddl(sddl, _domain_sid))
+
+ if enforced is True:
+ enforced = 'TRUE'
+ elif enforced is False:
+ enforced = 'FALSE'
+
+ if user_allowed_ntlm is True:
+ user_allowed_ntlm = 'TRUE'
+ elif user_allowed_ntlm is False:
+ user_allowed_ntlm = 'FALSE'
+
+ if service_allowed_ntlm is True:
+ service_allowed_ntlm = 'TRUE'
+ elif service_allowed_ntlm is False:
+ service_allowed_ntlm = 'FALSE'
+
+ if enforced is not None:
+ details['msDS-AuthNPolicyEnforced'] = enforced
+ if strong_ntlm_policy is not None:
+ details['msDS-StrongNTLMPolicy'] = strong_ntlm_policy
+
+ if user_allowed_from is not None:
+ details['msDS-UserAllowedToAuthenticateFrom'] = sd_from_sddl(
+ user_allowed_from)
+ if user_allowed_ntlm is not None:
+ details['msDS-UserAllowedNTLMNetworkAuthentication'] = (
+ user_allowed_ntlm)
+ if user_allowed_to is not None:
+ details['msDS-UserAllowedToAuthenticateTo'] = sd_from_sddl(
+ user_allowed_to)
+ if user_tgt_lifetime is not None:
+ if isinstance(user_tgt_lifetime, numbers.Number):
+ user_tgt_lifetime = str(int(user_tgt_lifetime * 10_000_000))
+ details['msDS-UserTGTLifetime'] = user_tgt_lifetime
+
+ if computer_allowed_to is not None:
+ details['msDS-ComputerAllowedToAuthenticateTo'] = sd_from_sddl(
+ computer_allowed_to)
+ if computer_tgt_lifetime is not None:
+ if isinstance(computer_tgt_lifetime, numbers.Number):
+ computer_tgt_lifetime = str(
+ int(computer_tgt_lifetime * 10_000_000))
+ details['msDS-ComputerTGTLifetime'] = computer_tgt_lifetime
+
+ if service_allowed_from is not None:
+ details['msDS-ServiceAllowedToAuthenticateFrom'] = sd_from_sddl(
+ service_allowed_from)
+ if service_allowed_ntlm is not None:
+ details['msDS-ServiceAllowedNTLMNetworkAuthentication'] = (
+ service_allowed_ntlm)
+ if service_allowed_to is not None:
+ details['msDS-ServiceAllowedToAuthenticateTo'] = sd_from_sddl(
+ service_allowed_to)
+ if service_tgt_lifetime is not None:
+ if isinstance(service_tgt_lifetime, numbers.Number):
+ service_tgt_lifetime = str(
+ int(service_tgt_lifetime * 10_000_000))
+ details['msDS-ServiceTGTLifetime'] = service_tgt_lifetime
+
+ # Save the policy DN so it can be deleted in tearDownClass().
+ self.accounts.append(str(policy_dn))
+
+ # Remove the policy if it exists; this will happen if a previous test
+ # run failed.
+ delete_force(samdb, policy_dn)
+
+ samdb.add(details)
+
+ return policy_dn
+
def create_claim(self,
claim_id,
enabled=None,