Diffstat (limited to 'python/samba')
-rw-r--r-- | python/samba/netcmd/gpo.py | 33 | ||||
-rw-r--r-- | python/samba/tests/samba_tool/gpo_exts.py | 115 |
2 files changed, 148 insertions, 0 deletions
diff --git a/python/samba/netcmd/gpo.py b/python/samba/netcmd/gpo.py index 1b4159c4c0c..6fcc01d6080 100644 --- a/python/samba/netcmd/gpo.py +++ b/python/samba/netcmd/gpo.py @@ -3659,6 +3659,38 @@ class cmd_issue(SuperCommand): subcommands["list"] = cmd_list_issue() subcommands["set"] = cmd_set_issue() +class cmd_list_access(Command): + """List VGP Host Access Group Policy from the sysvol + +This command lists host access rules from the sysvol that will be applied to winbind clients. + +Example: +samba-tool gpo manage access list {31B2F340-016D-11D2-945F-00C04FB984F9} + """ + + synopsis = "%prog <gpo> [options]" + + takes_optiongroups = { + "sambaopts": options.SambaOptions, + "versionopts": options.VersionOptions, + "credopts": options.CredentialsOptions, + } + + takes_options = [ + Option("-H", "--URL", help="LDB URL for database or target server", type=str, + metavar="URL", dest="H"), + ] + + takes_args = ["gpo"] + + def run(self, gpo, H=None, sambaopts=None, credopts=None, versionopts=None): + pass + +class cmd_access(SuperCommand): + """Manage Host Access Group Policy Objects""" + subcommands = {} + subcommands["list"] = cmd_list_access() + class cmd_manage(SuperCommand): """Manage Group Policy Objects""" subcommands = {} @@ -3671,6 +3703,7 @@ class cmd_manage(SuperCommand): subcommands["scripts"] = cmd_scripts() subcommands["motd"] = cmd_motd() subcommands["issue"] = cmd_issue() + subcommands["access"] = cmd_access() class cmd_gpo(SuperCommand): """Group Policy Object (GPO) management.""" diff --git a/python/samba/tests/samba_tool/gpo_exts.py b/python/samba/tests/samba_tool/gpo_exts.py new file mode 100644 index 00000000000..222973fbb72 --- /dev/null +++ b/python/samba/tests/samba_tool/gpo_exts.py 
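Review bot: `cmd_list_access.run` is a bare `pass`, so `samba-tool gpo manage access list <gpo>` exits successfully with no output, which an administrator cannot tell apart from a GPO that carries no host access rules. Until the listing is implemented it should fail loudly, for example `raise CommandError("gpo manage access list is not implemented yet")`, assuming `CommandError` is already imported in this file as it is elsewhere in samba.netcmd. The test added in gpo_exts.py asserts on entries in the command output, so it cannot pass against this stub. `run` also lacks a docstring saying what `gpo` and `H` are expected to hold.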
@@ -0,0 +1,115 @@
+# Unix SMB/CIFS implementation.
+# Copyright (C) David Mulder 2021
+#
+# based on gpo.py:
+# Copyright (C) Andrew Bartlett 2012
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+from samba.tests.samba_tool.base import SambaToolCmdTest
+import shutil
+from samba.param import LoadParm
+from samba.tests.gpo import stage_file, unstage_file
+import xml.etree.ElementTree as etree
+
+class GpoCmdTestCase(SambaToolCmdTest):
+ """Tests for samba-tool time subcommands"""
+
+ gpo_name = "testgpo"
+
+ def test_vgp_access_list(self):
+ lp = LoadParm()
+ lp.load(os.environ['SERVERCONFFILE'])
+ local_path = lp.get('path', 'sysvol')
+ vgp_xml = os.path.join(local_path, lp.get('realm').lower(), 'Policies',
+ self.gpo_guid, 'Machine/VGP/VTLA/VAS'
+ 'HostAccessControl/Allow/manifest.xml')
+
+ stage = etree.Element('vgppolicy')
+ policysetting = etree.SubElement(stage, 'policysetting')
+ pv = etree.SubElement(policysetting, 'version')
+ pv.text = '1'
+ name = etree.SubElement(policysetting, 'name')
+ name.text = 'Host Access Control'
+ description = etree.SubElement(policysetting, 'description')
+ description.text = 'Represents host access control data (pam_access)'
+ apply_mode = etree.SubElement(policysetting, 'apply_mode')
+ apply_mode.text = 'merge'
+ data = etree.SubElement(policysetting, 'data')
+ listelement = etree.SubElement(data, 'listelement')
+ etype = etree.SubElement(listelement, 'type')
+ etype.text = 'USER'
+ entry = etree.SubElement(listelement, 'entry')
+ entry.text = 'goodguy@%s' % lp.get('realm').lower()
+ adobject = etree.SubElement(listelement, 'adobject')
+ name = etree.SubElement(adobject, 'name')
+ name.text = 'goodguy'
+ domain = etree.SubElement(adobject, 'domain')
+ domain.text = lp.get('realm').lower()
+ etype = etree.SubElement(adobject, 'type')
+ etype.text = 'user'
+ groupattr = etree.SubElement(data, 'groupattr')
+ groupattr.text = 'samAccountName'
+ listelement = etree.SubElement(data, 'listelement')
+ etype = etree.SubElement(listelement, 'type')
+ etype.text = 'GROUP'
+ entry = etree.SubElement(listelement, 'entry')
+ entry.text = '%s\\goodguys' % lp.get('realm').lower()
+ adobject = etree.SubElement(listelement, 'adobject')
+ name = etree.SubElement(adobject, 'name')
+ name.text = 'goodguys'
+ domain = etree.SubElement(adobject, 'domain')
+ domain.text = lp.get('realm').lower()
+ etype = etree.SubElement(adobject, 'type')
+ etype.text = 'group'
+ ret = stage_file(vgp_xml, etree.tostring(stage, 'utf-8'))
+ self.assertTrue(ret, 'Could not create the target %s' % vgp_xml)
+
+ uentry = '+:%s\\goodguy:ALL' % domain.text
+ gentry = '+:%s\\goodguys:ALL' % domain.text
+ (result, out, err) = self.runsublevelcmd("gpo", ("manage",
+ "access", "list"),
+ self.gpo_guid, "-H",
+ "ldap://%s" %
+ os.environ["SERVER"],
+ "-U%s%%%s" %
+ (os.environ["USERNAME"],
+ os.environ["PASSWORD"]))
+ self.assertIn(uentry, out, 'The test entry was not found!')
+ self.assertIn(gentry, out, 'The test entry was not found!')
+
+ # Unstage the manifest.xml file
+ unstage_file(vgp_xml)
+
+ def setUp(self):
+ """set up a temporary GPO to work with"""
+ super(GpoCmdTestCase, self).setUp()
+ (result, out, err) = self.runsubcmd("gpo", "create", self.gpo_name,
+ "-H", "ldap://%s" % os.environ["SERVER"],
+ "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]),
+ "--tmpdir", self.tempdir)
+ self.assertCmdSuccess(result, out, err, "Ensuring gpo created successfully")
+ shutil.rmtree(os.path.join(self.tempdir, "policy"))
+ try:
+ self.gpo_guid = "{%s}" % out.split("{")[1].split("}")[0]
+ except IndexError:
+ self.fail("Failed to find GUID in output: %s" % out)
+
+ def tearDown(self):
+ """remove the temporary GPO to work with"""
+ (result, out, err) = self.runsubcmd("gpo", "del", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"], "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]))
+ self.assertCmdSuccess(result, out, err, "Ensuring gpo deleted successfully")
+ super(GpoCmdTestCase, self).tearDown() |
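Review bot: In `test_vgp_access_list` the staged `manifest.xml` is removed only by the trailing `unstage_file(vgp_xml)`, so a failed `assertIn` leaves a host-access allow rule in the test sysvol where later tests can pick it up; put the command and assertions in `try:` and move the call to `finally: unstage_file(vgp_xml)`. `result` and `err` from `runsublevelcmd` are never checked, so add `self.assertCmdSuccess(result, out, err, 'Ensuring gpo access list ran successfully')` before the two `assertIn` calls. The class docstring says "time subcommands", which looks copied from another test, and should read `"""Tests for samba-tool gpo manage access subcommands"""`.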