IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add new password policy plugin based on baseldap.py classes.

Browse Source
This commit is contained in:
root 2010-05-04 16:56:17 -04:00 committed by Rob Crittenden
parent fa59c8b9d3
commit f6cde533fd
2 changed files with 522 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

351
ipalib/plugins/pwpolicy2.py Normal file
View File

@ -0,0 +1,351 @@
# Authors:
# Pavel Zuna <pzuna@redhat.com>
#
# Copyright (C) 2010 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
Password policy
"""
from ipalib import api
from ipalib import Int, Str
from ipalib.plugins.baseldap import *
from ipalib import _
class cosentry(LDAPObject):
"""
Class of Service object used for linking policies with groups
"""
INTERNAL = True
container_dn = 'cn=costemplates,%s' % api.env.container_accounts
object_class = ['top', 'costemplate', 'extensibleobject', 'krbcontainer']
default_attributes = ['cn', 'cospriority', 'krbpwdpolicyreference']
takes_params = (
Str('cn', primary_key=True),
Str('krbpwdpolicyreference'),
Int('cospriority', minvalue=0),
)
priority_not_unique_msg = _(
'priority must be a unique value (%(prio)d already used by %(gname)s)'
)
def get_dn(self, *keys, **options):
group_dn = self.api.Object.group.get_dn(keys[-1])
return self.backend.make_dn_from_attr(
'cn', group_dn, self.container_dn
)
def check_priority_uniqueness(self, *keys, **options):
if options.get('cospriority') is not None:
entries = self.methods.find(
cospriority=options['cospriority']
)['result']
if len(entries) > 0:
group_name = self.api.Object.group.get_primary_key_from_dn(
entries[0]['cn'][0]
)
raise errors.ValidationError(
name='priority',
error=self.priority_not_unique_msg % {
'prio': options['cospriority'],
'gname': group_name,
}
)
api.register(cosentry)
class cosentry_add(LDAPCreate):
INTERNAL = True
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
# check for existence of the group
self.api.Command.group_show(keys[-1])
self.obj.check_priority_uniqueness(*keys, **options)
del entry_attrs['cn']
return dn
api.register(cosentry_add)
class cosentry_del(LDAPDelete):
INTERNAL = True
api.register(cosentry_del)
class cosentry_mod(LDAPUpdate):
INTERNAL = True
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
self.obj.check_priority_uniqueness(*keys, **options)
return dn
api.register(cosentry_mod)
class cosentry_show(LDAPRetrieve):
INTERNAL = True
api.register(cosentry_show)
class cosentry_find(LDAPSearch):
INTERNAL = True
api.register(cosentry_find)
GLOBAL_POLICY_NAME = u'GLOBAL'
class pwpolicy2(LDAPObject):
"""
Password Policy object
"""
container_dn = 'cn=%s,cn=kerberos' % api.env.realm
object_name = 'password policy'
object_name_plural = 'password policies'
object_class = ['top', 'nscontainer', 'krbpwdpolicy']
default_attributes = [
'cn', 'cospriority', 'krbmaxpwdlife', 'krbminpwdlife',
'krbpwdhistorylength', 'krbpwdmindiffchars', 'krbpwdminlength',
]
takes_params = (
Str('cn?',
cli_name='group',
label=_('Group'),
doc=_('Manage password policy for specific group'),
primary_key=True,
),
Int('krbmaxpwdlife?',
cli_name='maxlife',
label=_('Max lifetime (days)'),
doc=_('Maximum password lifetime (in days)'),
minvalue=0,
),
Int('krbminpwdlife?',
cli_name='minlife',
label=_('Min lifetime (hours)'),
doc=_('Minimum password lifetime (in hours)'),
minvalue=0,
),
Int('krbpwdhistorylength?',
cli_name='history',
label=_('History size'),
doc=_('Password history size'),
minvalue=0,
),
Int('krbpwdmindiffchars?',
cli_name='minclasses',
label=_('Character classes'),
doc=_('Minimum number of character classes'),
minvalue=0,
maxvalue=5,
),
Int('krbpwdminlength?',
cli_name='minlength',
label=_('Min length'),
doc=_('Minimum length of password'),
minvalue=0,
),
Int('cospriority',
cli_name='priority',
label=_('Priority'),
doc=_('Priority of the policy (higher number means lower priority'),
minvalue=0,
),
)
def get_dn(self, *keys, **options):
if keys[-1] is not None:
return self.backend.make_dn_from_attr(
self.primary_key.name, keys[-1], self.container_dn
)
return self.api.env.container_accounts
def convert_time_for_output(self, entry_attrs, **options):
# Convert seconds to hours and days for displaying to user
if not options.get('raw', False):
if 'krbmaxpwdlife' in entry_attrs:
entry_attrs['krbmaxpwdlife'][0] = unicode(
int(entry_attrs['krbmaxpwdlife'][0]) / 86400
)
if 'krbminpwdlife' in entry_attrs:
entry_attrs['krbminpwdlife'][0] = unicode(
int(entry_attrs['krbminpwdlife'][0]) / 3600
)
def convert_time_on_input(self, entry_attrs):
# Convert hours and days to seconds for writing to LDAP
if 'krbmaxpwdlife' in entry_attrs and entry_attrs['krbmaxpwdlife']:
entry_attrs['krbmaxpwdlife'] = entry_attrs['krbmaxpwdlife'] * 86400
if 'krbminpwdlife' in entry_attrs and entry_attrs['krbminpwdlife']:
entry_attrs['krbminpwdlife'] = entry_attrs['krbminpwdlife'] * 3600
api.register(pwpolicy2)
class pwpolicy2_add(LDAPCreate):
"""
Create new group password policy.
"""
def get_args(self):
yield self.obj.primary_key.clone(attribute=True, required=True)
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
self.api.Command.cosentry_add(
keys[-1], krbpwdpolicyreference=dn,
cospriority=options.get('cospriority')
)
if 'cospriority' in entry_attrs:
del entry_attrs['cospriority']
self.obj.convert_time_on_input(entry_attrs)
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
self.log.info('%r' % entry_attrs)
if not options.get('raw', False):
if options.get('cospriority') is not None:
entry_attrs['cospriority'] = [unicode(options['cospriority'])]
self.obj.convert_time_for_output(entry_attrs, **options)
return dn
api.register(pwpolicy2_add)
class pwpolicy2_del(LDAPDelete):
"""
Delete group password policy.
"""
def get_args(self):
yield self.obj.primary_key.clone(attribute=True, required=True)
def post_callback(self, ldap, dn, *keys, **options):
try:
self.api.Command.cosentry_del(keys[-1])
except errors.NotFound:
pass
return True
api.register(pwpolicy2_del)
class pwpolicy2_mod(LDAPUpdate):
"""
Modify group password policy.
"""
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
if options.get('cospriority') is not None:
if keys[-1] is None:
raise errors.ValidationError(
name='priority',
error=_('priority cannot be set on global policy')
)
try:
self.api.Command.cosentry_mod(
keys[-1], cospriority=options['cospriority']
)
except errors.NotFound:
self.api.Command.cosentry_add(
keys[-1], krbpwdpolicyreference=dn,
cospriority=options['cospriority']
)
del entry_attrs['cospriority']
self.obj.convert_time_on_input(entry_attrs)
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
if not options.get('raw', False):
if options.get('cospriority') is not None:
entry_attrs['cospriority'] = [unicode(options['copriority'])]
if keys[-1] is None:
entry_attrs['cn'] = GLOBAL_POLICY_NAME
self.obj.convert_time_for_output(entry_attrs, **options)
return dn
api.register(pwpolicy2_mod)
class pwpolicy2_show(LDAPRetrieve):
"""
Display group password policy.
"""
takes_options = (
Str('user?',
label=_('User'),
doc=_('Display effective policy for a specific user'),
),
)
def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
if options.get('user') is not None:
user_entry = self.api.Command.user_show(
options['user'], all=True
)['result']
if 'krbpwdpolicyreference' in user_entry:
return user_entry.get('krbpwdpolicyreference', [dn])[0]
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
if not options.get('raw', False):
if keys[-1] is not None:
try:
cos_entry = self.api.Command.cosentry_show(
keys[-1]
)['result']
if cos_entry.get('cospriority') is not None:
entry_attrs['cospriority'] = cos_entry['cospriority']
except errors.NotFound:
pass
else:
entry_attrs['cn'] = GLOBAL_POLICY_NAME
self.obj.convert_time_for_output(entry_attrs, **options)
return dn
api.register(pwpolicy2_show)
class pwpolicy2_find(LDAPSearch):
"""
Search for group password policies.
"""
def post_callback(self, ldap, entries, truncated, *args, **options):
if not options.get('raw', False):
for e in entries:
try:
cos_entry = self.api.Command.cosentry_show(
e[1]['cn'][0]
)['result']
if cos_entry.get('cospriority') is not None:
e[1]['cospriority'] = cos_entry['cospriority']
except errors.NotFound:
pass
self.obj.convert_time_for_output(e[1], **options)
global_entry = self.api.Command.pwpolicy2_show(
all=options.get('all', False), raw=options.get('raw', False)
)['result']
dn = global_entry['dn']
del global_entry['dn']
entries.insert(0, (dn, global_entry))
api.register(pwpolicy2_find)

171
tests/test_xmlrpc/test_pwpolicy2.py Normal file
View File

@ -0,0 +1,171 @@
# Authors:
# Rob Crittenden <rcritten@redhat.com>
# Pavel Zuna <pzuna@redhat.com>
#
# Copyright (C) 2010 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
Test the `ipalib/plugins/pwpolicy2.py` module.
"""
import sys
from xmlrpc_test import XMLRPC_test, assert_attr_equal
from ipalib import api
from ipalib import errors
class test_pwpolicy2(XMLRPC_test):
"""
Test the `pwpolicy2` plugin.
"""
group = u'testgroup12'
group2 = u'testgroup22'
user = u'testuser12'
kw = {'cospriority': 1, 'krbminpwdlife': 30, 'krbmaxpwdlife': 40, 'krbpwdhistorylength': 5, 'krbpwdminlength': 6 }
kw2 = {'cospriority': 2, 'krbminpwdlife': 40, 'krbmaxpwdlife': 60, 'krbpwdhistorylength': 8, 'krbpwdminlength': 9 }
def test_1_pwpolicy2_add(self):
"""
Test adding a per-group policy using the `xmlrpc.pwpolicy2_add` method.
"""
# First set up a group and user that will use this policy
self.failsafe_add(
api.Object.group, self.group, description=u'pwpolicy test group',
)
self.failsafe_add(
api.Object.user, self.user, givenname=u'Test', sn=u'User'
)
api.Command.group_add_member(self.group, users=self.user)
entry = api.Command['pwpolicy2_add'](self.group, **self.kw)['result']
assert_attr_equal(entry, 'krbminpwdlife', '30')
assert_attr_equal(entry, 'krbmaxpwdlife', '40')
assert_attr_equal(entry, 'krbpwdhistorylength', '5')
assert_attr_equal(entry, 'krbpwdminlength', '6')
assert_attr_equal(entry, 'cospriority', '1')
def test_2_pwpolicy2_add(self):
"""
Add a policy with a already used priority.
The priority validation is done first, so it's OK that the group
is the same here.
"""
try:
api.Command['pwpolicy2_add'](self.group, **self.kw)
except errors.ValidationError:
pass
else:
assert False
def test_3_pwpolicy2_add(self):
"""
Add a policy that already exists.
"""
try:
# cospriority needs to be unique
self.kw['cospriority'] = 3
api.Command['pwpolicy2_add'](self.group, **self.kw)
except errors.DuplicateEntry:
pass
else:
assert False
def test_4_pwpolicy2_add(self):
"""
Test adding another per-group policy using the `xmlrpc.pwpolicy2_add` method.
"""
self.failsafe_add(
api.Object.group, self.group2, description=u'pwpolicy test group 2'
)
entry = api.Command['pwpolicy2_add'](self.group2, **self.kw2)['result']
assert_attr_equal(entry, 'krbminpwdlife', '40')
assert_attr_equal(entry, 'krbmaxpwdlife', '60')
assert_attr_equal(entry, 'krbpwdhistorylength', '8')
assert_attr_equal(entry, 'krbpwdminlength', '9')
assert_attr_equal(entry, 'cospriority', '2')
def test_5_pwpolicy2_add(self):
"""
Add a pwpolicy for a non-existent group
"""
try:
api.Command['pwpolicy2_add'](u'nopwpolicy', cospriority=1, krbminpwdlife=1)
except errors.NotFound:
pass
else:
assert False
def test_6_pwpolicy2_show(self):
"""
Test the `xmlrpc.pwpolicy2_show` method with global policy.
"""
entry = api.Command['pwpolicy2_show']()['result']
# Note that this assumes an unchanged global policy
assert_attr_equal(entry, 'krbminpwdlife', '1')
assert_attr_equal(entry, 'krbmaxpwdlife', '90')
assert_attr_equal(entry, 'krbpwdhistorylength', '0')
assert_attr_equal(entry, 'krbpwdminlength', '8')
def test_7_pwpolicy2_show(self):
"""
Test the `xmlrpc.pwpolicy2_show` method.
"""
entry = api.Command['pwpolicy2_show'](self.group)['result']
assert_attr_equal(entry, 'krbminpwdlife', '30')
assert_attr_equal(entry, 'krbmaxpwdlife', '40')
assert_attr_equal(entry, 'krbpwdhistorylength', '5')
assert_attr_equal(entry, 'krbpwdminlength', '6')
assert_attr_equal(entry, 'cospriority', '1')
def test_8_pwpolicy2_mod(self):
"""
Test the `xmlrpc.pwpolicy2_mod` method for global policy.
"""
entry = api.Command['pwpolicy2_mod'](krbminpwdlife=50)['result']
assert_attr_equal(entry, 'krbminpwdlife', '50')
# Great, now change it back
entry = api.Command['pwpolicy2_mod'](krbminpwdlife=1)['result']
assert_attr_equal(entry, 'krbminpwdlife', '1')
def test_9_pwpolicy2_mod(self):
"""
Test the `xmlrpc.pwpolicy2_mod` method.
"""
entry = api.Command['pwpolicy2_mod'](self.group, krbminpwdlife=50)['result']
assert_attr_equal(entry, 'krbminpwdlife', '50')
def test_a_pwpolicy_del(self):
"""
Test the `xmlrpc.pwpolicy2_del` method.
"""
assert api.Command['pwpolicy2_del'](self.group)['result'] is True
# Verify that it is gone
try:
api.Command['pwpolicy2_show'](self.group)
except errors.NotFound:
pass
else:
assert False
# Remove the groups we created
api.Command['group_del'](self.group)
api.Command['group_del'](self.group2)
# Remove the user we created
api.Command['user_del'](self.user)