roles: adding gpo management to samba role

requirements.txt

@@ -1,4 +1,6 @@
-jc
-pytest
+jc~=1.25.1
+pytest~=8.0.1
 python-ldap
 pytest-mh >= 1.0.18
+PyYAML~=6.0.1
+Sphinx~=7.2.6

sssd_test_framework/hosts/samba.py

@@ -30,6 +30,9 @@ def __init__(self, *args, **kwargs) -> None:
 
         self._features: dict[str, bool] | None = None
 
+        self.admin: str = self.config.get("username", "Administrator")
+        """Username of the admin user, defaults to value of ``Administrator``."""
+
         self.adminpw: str = self.config.get("adminpw", self.bindpw)
         """Password of the admin user, defaults to value of ``bindpw``."""
 

sssd_test_framework/roles/ad.py

@@ -1655,13 +1655,13 @@ def __init__(self, role: AD, name: str) -> None:
         self._search_base: str = f"cn=policies,cn=system,{self.role.host.naming_context}"
         """Group policy search base."""
 
-        self._dn = self.get("DistinguishedName")
+        self._dn = self._get("DistinguishedName")
         """Group policy dn."""
 
-        self._cn = self.get("CN")
+        self._cn = self._get("CN")
         """Group policy cn."""
 
-    def get(self, key: str) -> str | None:
+    def _get(self, key: str) -> str | None:
         """
         Get group policy attributes.
 
@@ -1713,8 +1713,8 @@ def add(self) -> GPO:
         """
         self.role.host.conn.run(f'New-GPO -name "{self.name}"')
 
-        self._cn = self.get("CN")
-        self._dn = self.get("DistinguishedName")
+        self._cn = self._get("CN")
+        self._dn = self._get("DistinguishedName")
 
         self.role.host.conn.run(
             rf"""
@@ -1733,30 +1733,33 @@ def add(self) -> GPO:
 
     def link(
         self,
-        op: str | None = "New",
         target: str | None = None,
-        args: list[str] | str | None = None,
+        enforced: bool | None = False,
+        disabled: bool | None = False,
+        order: int | None = 0,
     ) -> GPO:
         """
-        Link the group policy to the a target object inside the directory, a site, domain or an ou.
+        Link the group policy to the target object inside the directory, a site, domain or an ou.
 
-        ..Note::
-            The New and Set cmdlets are identical. To modify an an existing link,
-            change the $op parameter to "Set", i.e. to disable 'Enforced'
-
-            ou_policy.link("Set", args=["-Enforced No"])
-
-        :param op: Cmdlet operation, defaults to "New"
-        :type op: str, optional
         :param target: Group policy target
         :type target: str, optional
-        :param args: Additional arguments
-        :type args: list[str] | None, optional
+        :param enforced: Enforced the policy
+        :type enforced: bool, optional
+        :param disabled: Disable the policy
+        :type disabled: bool, optional
+        :param order: Order number
+        :type order: int, optional
         :return: Group policy object
         :rtype: GPO
         """
-        if args is None:
-            args = []
+        args = []
+
+        if enforced is True:
+            args.extend("-Enforce Yes")
+        if disabled is True:
+            args.extend("-LinkEnabled No")
+        if order != 0:
+            args.extend(f"-Order {str(order)}")
 
         if isinstance(args, list):
             args = " ".join(args)
@@ -1769,7 +1772,7 @@ def link(
         if target is not None and self.target is None:
             self.target = target
 
-        self.role.host.conn.run(f'{op}-GPLink -Guid "{self._cn}" -Target "{self.target}" -LinkEnabled Yes {args}')
+        self.role.host.conn.run(f'New-GPLink -Guid "{self._cn}" -Target "{self.target}" -LinkEnabled Yes {args}')
 
         return self
 
@@ -1836,7 +1839,7 @@ def policy(self, logon_rights: dict[str, list[ADObject]], cfg: dict[str, Any] |
 
         This method does the remaining configuration of the group policy. It updates
         'GptTmpl.inf' with security logon right keys with the SIDs of users and groups
-        objects. The *Remote* keys can be omitted, in which the corresponding keys values
+        objects. The *Remote* keys can be omitted, in which the corresponding keys value
         will then be used.
 
         To add users and groups to the policy, the SID must be used for the values. The

sssd_test_framework/roles/generic.py

@@ -24,6 +24,7 @@
     "GenericAutomount",
     "GenericAutomountMap",
     "GenericAutomountKey",
+    "GenericGPO",
 ]
 
 
@@ -255,6 +256,39 @@ def test_example(client: Client, provider: GenericProvider, nfs: NFS):
         """
         pass
 
+    @abstractmethod
+    def gpo(self, name: str) -> GenericGPO:
+        """
+        Get group policy object.
+
+        .. code-block:: python
+            :caption: Example usage
+
+            @pytest.mark.topology(KnownTopologies.GenericAD)
+            def test_gpo_is_set_to_enforcing(client: Client, provider: GenericProvider):
+                user = provider.user("user").add()
+                allow_user = provider.user("allow_user").add()
+                deny_user = provider.user("deny_user").add()
+
+                provider.gpo("test policy").add().policy(
+                    {
+                    "SeInteractiveLogonRight": [allow_user, ad.group("Domain Admins")],
+                    "SeRemoteInteractiveLogonRight": [allow_user, ad.group("Domain Admins")],
+                    "SeDenyInteractiveLogonRight": [deny_user],
+                    "SeDenyRemoteInteractiveLogonRight": [deny_user],
+                    }
+                ).link()
+
+                client.sssd.domain["ad_gpo_access_control"] = "enforcing"
+                client.sssd.start()
+
+                assert client.auth.ssh.password(username="allow_user", password="Secret123")
+                assert not client.auth.ssh.password(username="user", password="Secret123")
+                assert not client.auth.ssh.password(username="deny_user", password="Secret123")
+
+        """
+        pass
+
 
 class GenericADProvider(GenericProvider):
     """
@@ -961,3 +995,72 @@ def dump(self) -> str:
     @abstractmethod
     def __str__(self) -> str:
         pass
+
+
+class GenericGPO(ABC, BaseObject,):
+    """
+    Generic GPO management.
+    """
+
+    @property
+    @abstractmethod
+    def name(self):
+        """
+        GPO name.
+        """
+        pass
+
+    @abstractmethod
+    def get(self, key: str) -> str | None:
+        """
+        Get GPO attribute.
+        """
+        pass
+
+    @abstractmethod
+    def delete(self) -> None:
+        """
+        Delete GPO.
+        """
+        pass
+
+    @abstractmethod
+    def add(self) -> GenericGPO:
+        """
+        Add GPO.
+        """
+        pass
+
+    @abstractmethod
+    def link(
+        self,
+        op: str | None = None,
+        target: str | None = None,
+        enforced: bool | None = False,
+        disabled: bool | None = False,
+    ) -> GenericGPO:
+        """
+        Link GPO.
+        """
+        pass
+
+    @abstractmethod
+    def unlink(self) -> None:
+        """
+        Unlink GPO.
+        """
+        pass
+
+    @abstractmethod
+    def permissions(self, target: str, permission_level: str, target_type: str | None = "Group") -> GenericGPO:
+        """
+        Configure GPO permissions.
+        """
+        pass
+
+    @abstractmethod
+    def policy(self, logon_rights: dict[str, list[GenericUser]], cfg: dict[str, Any] | None = None) -> GenericGPO:
+        """
+        GPO configuration.
+        """
+        pass

sssd_test_framework/roles/ipa.py

@@ -1,4 +1,4 @@
-"""IPA multihost role."""
+"" """IPA multihost role."""
 
 from __future__ import annotations