Restrict ds_auth to Enterprise license (#12706)

This commit limits API access for directory services users to
enterprise license holders only.

src/middlewared/middlewared/plugins/system_general/update.py

@@ -111,6 +111,12 @@ async def validate_general_settings(self, data, schema):
         if data['ui_port'] == data['ui_httpsport']:
             verrors.add(f'{schema}.ui_port', 'Must be different from "ui_httpsport"')
 
+        if data['ds_auth'] and not await self.middleware.call('system.is_enterprise'):
+            verrors.add(
+                f'{schema}.ds_auth',
+               'Directory services authentication for UI and API access requires an Enterprise license.'
+            )
+
         language = data.get('language')
         system_languages = await self.middleware.call('system.general.language_choices')
         if language not in system_languages.keys():

src/middlewared/middlewared/test/integration/assets/product.py

@@ -0,0 +1,9 @@
+import contextlib
+
+from middlewared.test.integration.utils import call, mock
+
+
+@contextlib.contextmanager
+def product_type(product_type='SCALE_ENTERPRISE'):
+    with mock('system.product_type', return_value=product_type):
+        yield

tests/api2/test_030_activedirectory.py

@@ -13,9 +13,11 @@
 from functions import GET, POST, PUT, DELETE, SSH_TEST, cmd_test, make_ws_request, wait_on_job
 from protocols import smb_connection, smb_share
 
+from middlewared.service_exception import ValidationErrors
 from middlewared.test.integration.assets.pool import dataset
 from middlewared.test.integration.assets.privilege import privilege
 from middlewared.test.integration.utils import call, client
+from middlewared.test.integration.assets.product import product_type
 
 if ha and "hostname_virtual" in os.environ:
     hostname = os.environ["hostname_virtual"]
@@ -111,6 +113,12 @@ def cleanup_reverse_zone():
     remove_dns_entries(payload)
 
 
+@pytest.fixture(scope="function")
+def set_product_type(request):
+    with product_type():
+        yield
+
+
 @pytest.fixture(scope="module")
 def set_ad_nameserver(request):
     with override_nameservers(ADNameServer) as ns:
@@ -186,6 +194,11 @@ def test_06_get_activedirectory_started_before_starting_activedirectory(request)
 @pytest.mark.dependency(name="ad_works")
 def test_07_enable_leave_activedirectory(request):
     global domain_users_id
+
+    with pytest.raises(ValidationErrors):
+        # At this point we are not enterprise licensed
+        call("system.general.update", {"ds_auth": True})
+
     with active_directory(AD_DOMAIN, ADUSERNAME, ADPASSWORD,
         netbiosname=hostname,
         createcomputer=AD_COMPUTER_OU,
@@ -396,7 +409,7 @@ def test_08_activedirectory_smb_ops(request):
             assert acl['trivial'] is False, str(acl)
 
 
-def test_10_account_privilege_authentication(request):
+def test_10_account_privilege_authentication(request, set_product_type):
     depends(request, ["ad_works"], scope="session")
 
     with active_directory(AD_DOMAIN, ADUSERNAME, ADPASSWORD,

tests/api2/test_275_ldap.py

@@ -20,6 +20,7 @@
 from auto_config import pool_name, ip, user, password
 
 from middlewared.test.integration.assets.privilege import privilege
+from middlewared.test.integration.assets.product import product_type
 from middlewared.test.integration.utils import call, client
 
 try:
@@ -41,12 +42,14 @@
 smb_path = f"/mnt/{dataset}"
 VOL_GROUP = "root"
 
+
 @pytest.fixture(scope="module")
 def do_ldap_connection(request):
     with ldap(LDAPBASEDN, LDAPBINDDN, LDAPBINDPASSWORD, LDAPHOSTNAME,
         has_samba_schema=True,
     ) as ldap_conn:
-        yield (request, ldap_conn)
+        with product_type():
+            yield (request, ldap_conn)
 
 def test_01_get_ldap():
     results = GET("/ldap/")