Merge branch 'master' of git://git.engineering.redhat.com/users/rcritten/freeipa2

2025-02-25 18:55:28 -06:00 · 2008-10-13 15:39:14 -06:00
parent 225e2b0c93 6d2705b363
commit 367143adf3
7 changed files with 350 additions and 26 deletions
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -286,57 +286,73 @@ class SameGroupError(InputError):
    """You can't add a group to itself"""
    faultCode = 1008

+class NotGroupMember(InputError):
+    """This entry is not a member of the group"""
+    faultCode = 1009
+
 class AdminsImmutable(InputError):
    """The admins group cannot be renamed"""
-    faultCode = 1009
+    faultCode = 1010

 class UsernameTooLong(InputError):
    """The requested username is too long"""
-    faultCode = 1010
+    faultCode = 1011

 class PrincipalError(GenericError):
    """There is a problem with the kerberos principal"""
-    faultCode = 1011
+    faultCode = 1012

 class MalformedServicePrincipal(PrincipalError):
    """The requested service principal is not of the form: service/fully-qualified host name"""
-    faultCode = 1012
+    faultCode = 1013

 class RealmMismatch(PrincipalError):
    """The realm for the principal does not match the realm for this IPA server"""
-    faultCode = 1013
+    faultCode = 1014

 class PrincipalRequired(PrincipalError):
    """You cannot remove IPA server service principals"""
-    faultCode = 1014
+    faultCode = 1015

 class InactivationError(GenericError):
    """This entry cannot be inactivated"""
-    faultCode = 1015
+    faultCode = 1016
+
+class AlreadyActiveError(InactivationError):
+    """This entry is already locked"""
+    faultCode = 1017
+
+class AlreadyInactiveError(InactivationError):
+    """This entry is already unlocked"""
+    faultCode = 1018
+
+class HasNSAccountLock(InactivationError):
+    """This entry appears to have the nsAccountLock attribute in it so the Class of Service activation/inactivation will not work. You will need to remove the attribute nsAccountLock for this to work."""
+    faultCode = 1019

 class ConnectionError(GenericError):
    """Connection to database failed"""
-    faultCode = 1016
+    faultCode = 1020

 class NoCCacheError(GenericError):
    """No Kerberos credentials cache is available. Connection cannot be made"""
-    faultCode = 1017
+    faultCode = 1021

 class GSSAPIError(GenericError):
    """GSSAPI Authorization error"""
-    faultCode = 1018
+    faultCode = 1022

 class ServerUnwilling(GenericError):
    """Account inactivated. Server is unwilling to perform"""
-    faultCode = 1018
+    faultCode = 1023

 class ConfigurationError(GenericError):
    """A configuration error occurred"""
-    faultCode = 1019
+    faultCode = 1024

 class DefaultGroup(ConfigurationError):
    """You cannot remove the default users group"""
-    faultCode = 1020
+    faultCode = 1025

 class FunctionDeprecated(GenericError):
    """Raised by a deprecated function"""
--- a/ipalib/plugins/f_delegation.py
+++ b/ipalib/plugins/f_delegation.py
@@ -40,7 +40,7 @@ class delegation(frontend.Object):
        'target',
        Param('name', primary_key=True)
    )
-api.register(user)
+api.register(delegation)


 class delegation_add(crud.Add):
--- a/ipalib/plugins/f_pwpolicy.py
+++ b/ipalib/plugins/f_pwpolicy.py
@@ -0,0 +1,100 @@
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2008  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+"""
+Frontend plugins for password policy.
+"""
+
+from ipalib import frontend
+from ipalib import crud
+from ipalib.frontend import Param
+from ipalib import api
+from ipalib import errors
+from ipalib import ipa_types
+from ipa_server import servercore
+from ipa_server import ipaldap
+import ldap
+
+
+class pwpolicy_mod(frontend.Command):
+    'Edit existing password policy.'
+    # FIXME, switch to more human-readable names at some point
+    takes_options = (
+        Param('krbmaxpwdlife?', type=ipa_types.Int(), doc='Max. Password Lifetime (days)'),
+        Param('krbminpwdlife?', type=ipa_types.Int(), doc='Min. Password Lifetime (hours)'),
+        Param('krbpwdhistorylength?', type=ipa_types.Int(), doc='Password History Size'),
+        Param('krbpwdmindiffchars?', type=ipa_types.Int(), doc='Min. Number of Character Classes'),
+        Param('krbpwdminlength?', type=ipa_types.Int(), doc='Min. Length of Password'),
+    )
+    def execute(self, *args, **kw):
+        # Get the existing policy entry
+        oldpolicy = servercore.get_entry_by_cn("accounts", None)
+
+        # Convert the existing policy into an entry object
+        dn = oldpolicy.get('dn')
+        del oldpolicy['dn']
+        entry = ipaldap.Entry((dn, servercore.convert_scalar_values(oldpolicy)))
+
+        # FIXME: if the user passed no options should we return something
+        # more than No modifications to be performed?
+
+        policy = kw
+
+        # The LDAP routines want strings, not ints, so convert a few
+        # things. Otherwise it sees a string -> int conversion as a change.
+        for k in policy.iterkeys():
+            if k.startswith("krb", 0, 3):
+                policy[k] = str(policy[k])
+
+        # Convert hours and days to seconds       
+        if policy.get('krbmaxpwdlife'):
+            policy['krbmaxpwdlife'] = str(int(policy.get('krbmaxpwdlife')) * 86400)
+        if policy.get('krbminpwdlife'):
+            policy['krbminpwdlife'] = str(int(policy.get('krbminpwdlife')) * 3600)
+        # Update the values passed-in
+        for p in policy:
+            # Values need to be strings, not integers
+            entry.setValues(p, str(policy[p]))
+
+        result = servercore.update_entry(entry.toDict())
+
+        return result
+    def forward(self, *args, **kw):
+        result = super(pwpolicy_mod, self).forward(*args, **kw)
+        if result:
+            print "Policy modified"
+api.register(pwpolicy_mod)
+
+
+class pwpolicy_show(frontend.Command):
+    'Retrieve current password policy'
+    def execute(self, *args, **kw):
+        policy = servercore.get_entry_by_cn("accounts", None)
+
+        # convert some values for display purposes
+        policy['krbmaxpwdlife'] = str(int(policy.get('krbmaxpwdlife')) / 86400)
+        policy['krbminpwdlife'] = str(int(policy.get('krbminpwdlife')) / 3600)
+
+        return policy
+
+    def forward(self, *args, **kw):
+        result = super(pwpolicy_show, self).forward(*args, **kw)
+        if not result: return
+        print result
+api.register(pwpolicy_show)
--- a/ipalib/plugins/f_user.py
+++ b/ipalib/plugins/f_user.py
@@ -26,6 +26,7 @@ from ipalib import crud
 from ipalib.frontend import Param
 from ipalib import api
 from ipalib import errors
+from ipalib import ipa_types
 from ipa_server import servercore
 from ipa_server import ipaldap
 import ldap
@@ -136,7 +137,7 @@ class user_add(crud.Add):
                user['gidnumber'] = default_group.get('gidnumber')
        except errors.NotFound:
            # Fake an LDAP error so we can return something useful to the user
-            raise ipalib.NotFound, "The default group for new users, '%s', cannot be found." % config.get('ipadefaultprimarygroup')
+            raise errors.NotFound, "The default group for new users, '%s', cannot be found." % config.get('ipadefaultprimarygroup')
        except Exception, e:
            # catch everything else
            raise e
@@ -203,7 +204,9 @@ class user_mod(crud.Mod):
    'Edit an existing user.'
    def execute(self, *args, **kw):
        uid=args[0]
-        result = servercore.get_sub_entry(servercore.basedn, "uid=%s" % uid, ["*"])
+
+        # Get the existing user entry
+        result = servercore.get_sub_entry("cn=accounts," + servercore.basedn, "uid=%s" % uid, ["*"])

        user = kw
        dn = result.get('dn')
@@ -263,3 +266,34 @@ class user_show(crud.Get):
        except errors.NotFound:
            print "User %s not found" % args[0]
 api.register(user_show)
+
+class user_lock(frontend.Command):
+    'Lock a user account.'
+    takes_args = (
+        Param('uid', primary_key=True),
+    )
+    def execute(self, *args, **kw):
+        uid = args[0]
+        user = servercore.get_user_by_uid(uid, ['dn', 'uid'])
+        return servercore.mark_entry_inactive(user['dn'])
+    def forward(self, *args, **kw):
+        result = super(user_lock, self).forward(*args, **kw)
+        if result:
+            print "User locked"
+api.register(user_lock)
+
+class user_unlock(frontend.Command):
+    'Unlock a user account.'
+    takes_args = (
+        Param('uid', primary_key=True),
+    )
+    def execute(self, *args, **kw):
+        uid = args[0]
+        user = servercore.get_user_by_uid(uid, ['dn', 'uid'])
+        return servercore.mark_entry_active(user['dn'])
+    def forward(self, *args, **kw):
+        result = super(user_unlock, self).forward(*args, **kw)
+        if result:
+            print "User unlocked"
+api.register(user_unlock)
+