roles: adding gpo management to samba role

SSSD · Jul 23, 2024 · 66c2c69 · 66c2c69
1 parent e66dd6d
commit 66c2c69
Show file tree

Hide file tree

Showing 4 changed files with 444 additions and 20 deletions.
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,7 @@
-jc
-pytest
+jc~=1.25.1
+pytest~=8.0.1
 python-ldap
 pytest-mh >= 1.0.17
+
+PyYAML~=6.0.1
+Sphinx~=7.2.6
diff --git a/sssd_test_framework/roles/ad.py b/sssd_test_framework/roles/ad.py
@@ -1670,13 +1670,13 @@ def __init__(self, role: AD, name: str) -> None:
         self._search_base: str = f"cn=policies,cn=system,{self.role.host.naming_context}"
         """Group policy search base."""
 
-        self._dn = self.get("DistinguishedName")
+        self._dn = self._get("DistinguishedName")
         """Group policy dn."""
 
-        self._cn = self.get("CN")
+        self._cn = self._get("CN")
         """Group policy cn."""
 
-    def get(self, key: str) -> str | None:
+    def _get(self, key: str) -> str | None:
         """
         Get group policy attributes.
 
@@ -1728,8 +1728,8 @@ def add(self) -> GPO:
         """
         self.role.host.ssh.run(f'New-GPO -name "{self.name}"')
 
-        self._cn = self.get("CN")
-        self._dn = self.get("DistinguishedName")
+        self._cn = self._get("CN")
+        self._dn = self._get("DistinguishedName")
 
         self.role.host.ssh.run(
             rf"""
@@ -1750,13 +1750,15 @@ def link(
         self,
         op: str | None = "New",
         target: str | None = None,
-        args: list[str] | str | None = None,
+        enforced: bool | None = False,
+        disabled: bool | None = False,
+        order: int | None = 0,
     ) -> GPO:
         """
-        Link the group policy to the a target object inside the directory, a site, domain or an ou.
+        Link the group policy to the target object inside the directory, a site, domain or an ou.
 
         ..Note::
-            The New and Set cmdlets are identical. To modify an an existing link,
+            The New and Set cmdlets are identical. To modify an existing link,
             change the $op parameter to "Set", i.e. to disable 'Enforced'
 
             ou_policy.link("Set", args=["-Enforced No"])
@@ -1765,13 +1767,23 @@ def link(
         :type op: str, optional
         :param target: Group policy target
         :type target: str, optional
-        :param args: Additional arguments
-        :type args: list[str] | None, optional
+        :param enforced: Enforced the policy
+        :type enforced: bool, optional
+        :param disabled: Disable the policy
+        :type disabled: bool, optional
+        :param order: Order number
+        :type order: int, optional
         :return: Group policy object
         :rtype: GPO
         """
-        if args is None:
-            args = []
+        args = []
+
+        if enforced is True:
+            args.extend("-Enforce Yes")
+        if disabled is True:
+            args.extend("-LinkEnabled No")
+        if order != 0:
+            args.extend(f"-Order {str(order)}")
 
         if isinstance(args, list):
             args = " ".join(args)
@@ -1851,7 +1863,7 @@ def policy(self, logon_rights: dict[str, list[ADObject]], cfg: dict[str, Any] |
 
         This method does the remaining configuration of the group policy. It updates
         'GptTmpl.inf' with security logon right keys with the SIDs of users and groups
-        objects. The *Remote* keys can be omitted, in which the corresponding keys values
+        objects. The *Remote* keys can be omitted, in which the corresponding keys value
         will then be used.
 
         To add users and groups to the policy, the SID must be used for the values. The

diff --git a/sssd_test_framework/roles/generic.py b/sssd_test_framework/roles/generic.py
@@ -24,6 +24,7 @@
     "GenericAutomount",
     "GenericAutomountMap",
     "GenericAutomountKey",
+    "GenericGPO",
 ]
 
 
@@ -288,6 +289,14 @@ def fqn(self, name: str) -> str:
     def firewall(self) -> Firewall:
         pass
 
+    @property
+    @abstractmethod
+    def gpo(self) -> GenericGPO:
+        """
+        Generic GPO management.
+        """
+        pass
+
 
 class GenericUser(ABC, BaseObject):
     """
@@ -961,3 +970,65 @@ def dump(self) -> str:
     @abstractmethod
     def __str__(self) -> str:
         pass
+
+
+class GenericGPO(ABC, object):
+    """
+    Generic GPO management.
+    """
+
+    @abstractmethod
+    def get(self, key: str) -> str | None:
+        """
+        Get GPO attribute.
+
+        :param key: GPO key value.
+        :type key: str
+        :return: GPO key value.
+        :rtype: str | None
+        """
+        pass
+
+    @abstractmethod
+    def delete(self) -> None:
+        """
+        Delete GPO.
+        """
+        pass
+
+    @abstractmethod
+    def add(self) -> GenericGPO:
+        """
+        Add GPO.
+        """
+        pass
+
+    @abstractmethod
+    def link(
+        self, op: str | None = "New", target: str | None = None, args: list[str] | str | None = None
+    ) -> GenericGPO:
+        """
+        Link GPO.
+        """
+        pass
+
+    @abstractmethod
+    def unlink(self) -> None:
+        """
+        Unlink GPO.
+        """
+        pass
+
+    @abstractmethod
+    def permissions(self, target: str, permission_level: str, target_type: str | None = "Group") -> GenericGPO:
+        """
+        Configure GPO permissions.
+        """
+        pass
+
+    @abstractmethod
+    def policy(self, logon_rights: dict[str, list[GenericUser]], cfg: dict[str, Any] | None = None) -> GenericGPO:
+        """
+        GPO configuration.
+        """
+        pass