freeipa/ipaclient/remote_plugins/2_164/pwpolicy.py
Jan Cholasta 2cf7c7b4ac client: add support for pre-schema servers
Bundle remote plugin interface definitions for servers which lack API
schema support. These server API versions are included:
* 2.49: IPA 3.1.0 on RHEL/CentOS 6.5+,
* 2.114: IPA 4.1.4 on Fedora 22,
* 2.156: IPA 4.2.0 on RHEL/CentOS 7.2 and IPA 4.2.4 on Fedora 23,
* 2.164: IPA 4.3.1 on Fedora 23.

For servers with other API versions, the closest lower API version is used.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-07-01 09:40:04 +02:00


#
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
# pylint: disable=unused-import
import six
from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName
# Python 2/3 shim: the `has_output` declarations below name `unicode` as the
# type of the 'summary' output; that builtin does not exist on Python 3, so
# alias it to `str` there.  Left as-is on Python 2 where `unicode` is builtin.
if six.PY3:
    unicode = str
# Module help text, wrapped in _() for translation.  It is part of the bundled
# 2.164 API snapshot and is reproduced verbatim.
# NOTE(review): the summary lists lifetime, history, character classes and
# length, but the pwpolicy-add/-mod commands below also accept the lockout
# settings (--maxfail, --failinterval, --lockouttime); those are the
# brute-force controls and deserve a mention in operator-facing help.
__doc__ = _("""
Password policy
A password policy sets limitations on IPA passwords, including maximum
lifetime, minimum lifetime, the number of passwords to save in
history, the number of character classes required (for stronger passwords)
and the minimum password length.
By default there is a single, global policy for all users. You can also
create a password policy to apply to a group. Each user is only subject
to one password policy, either the group policy or the global policy. A
group policy stands alone; it is not a super-set of the global policy plus
custom settings.
Each group password policy requires a unique priority setting. If a user
is in multiple groups that have password policies, this priority determines
which password policy is applied. A lower value indicates a higher priority
policy.
Group password policies are automatically removed when the groups they
are associated with are removed.
EXAMPLES:
Modify the global policy:
ipa pwpolicy-mod --minlength=10
Add a new group password policy:
ipa pwpolicy-add --maxlife=90 --minlife=1 --history=10 --minclasses=3 --minlength=8 --priority=10 localadmins
Display the global password policy:
ipa pwpolicy-show
Display a group password policy:
ipa pwpolicy-show localadmins
Display the policy that would be applied to a given user:
ipa pwpolicy-show --user=tuser1
Modify a group password policy:
ipa pwpolicy-mod --minclasses=2 localadmins
""")
# Plugin registry for this API-version module; every Object/Method class below
# is decorated with @register() so it is picked up as the client-side
# definition of the corresponding server command.
register = Registry()
@register()
class cosentry(Object):
    # Class-of-service entry (going by the `cos` prefix) that links a group
    # to a password policy: `cn` is the primary key, `krbpwdpolicyreference`
    # is the DN of the policy entry it points at, and `cospriority` orders
    # competing entries (per the module help text, a lower value wins).
    # All cosentry_* commands in this file are NO_CLI, so this object is an
    # internal part of the API surface rather than an operator-facing one.
    # (`#` comments rather than a docstring on purpose: the Method classes in
    # this file assign cls.__doc__ explicitly, which suggests ipalib reads it
    # as help text -- adding a docstring here would change that output.)
    takes_params = (
        parameters.Str(
            'cn',
            primary_key=True,
        ),
        # DN-typed, so at least DN syntax is checked client-side; whether the
        # referenced entry must exist / be a policy is a server-side concern.
        parameters.DNParam(
            'krbpwdpolicyreference',
        ),
        # No minvalue/maxvalue declared: range checking, if any, is server-side.
        parameters.Int(
            'cospriority',
        ),
    )
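@register()
class pwpolicy(Object):
    # Password policy object as exposed by API version 2.164.  `cn` is the
    # group the policy applies to and is optional because the global policy
    # has no group (see the module help text).  The remaining parameter names
    # are the krb*/cos* LDAP attribute names of the policy entry.
    #
    # Reviewer notes:
    #  * Units differ per attribute -- max lifetime in days, min lifetime in
    #    hours, lockout settings in seconds (see the labels).  Mixing them up
    #    silently weakens a policy.
    #  * No minvalue/maxvalue is declared on any Int here, so rejecting e.g.
    #    negative lifetimes is left to the server -- verify before relying
    #    on it.
    #  * krbpwdmaxfailure / krbpwdfailurecountinterval / krbpwdlockoutduration
    #    are the brute-force controls.  A very low failure count combined
    #    with a long lockout also makes deliberate account lockout (DoS) easy.
    #  * Only change vs. the bundled text: the closing ')' was missing from
    #    the cospriority help string; this string is help text only.
    takes_params = (
        parameters.Str(
            'cn',
            required=False,
            primary_key=True,
            label=_(u'Group'),
            doc=_(u'Manage password policy for specific group'),
        ),
        parameters.Int(
            'krbmaxpwdlife',
            required=False,
            label=_(u'Max lifetime (days)'),
            doc=_(u'Maximum password lifetime (in days)'),
        ),
        # In practice a non-zero minimum lifetime is what makes the history
        # check effective: it stops a user from cycling through N changes in
        # one sitting to get an old password back.
        parameters.Int(
            'krbminpwdlife',
            required=False,
            label=_(u'Min lifetime (hours)'),
            doc=_(u'Minimum password lifetime (in hours)'),
        ),
        parameters.Int(
            'krbpwdhistorylength',
            required=False,
            label=_(u'History size'),
            doc=_(u'Password history size'),
        ),
        parameters.Int(
            'krbpwdmindiffchars',
            required=False,
            label=_(u'Character classes'),
            doc=_(u'Minimum number of character classes'),
        ),
        parameters.Int(
            'krbpwdminlength',
            required=False,
            label=_(u'Min length'),
            doc=_(u'Minimum length of password'),
        ),
        # Required on the object (no required=False): every group policy must
        # carry a priority; lower number = higher priority.
        parameters.Int(
            'cospriority',
            label=_(u'Priority'),
            doc=_(u'Priority of the policy (higher number means lower priority)'),
        ),
        parameters.Int(
            'krbpwdmaxfailure',
            required=False,
            label=_(u'Max failures'),
            doc=_(u'Consecutive failures before lockout'),
        ),
        parameters.Int(
            'krbpwdfailurecountinterval',
            required=False,
            label=_(u'Failure reset interval'),
            doc=_(u'Period after which failure count will be reset (seconds)'),
        ),
        parameters.Int(
            'krbpwdlockoutduration',
            required=False,
            label=_(u'Lockout duration'),
            doc=_(u'Period for which lockout is enforced (seconds)'),
        ),
    )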
@register()
class cosentry_add(Method):
    # Create a CoS entry that points a group at a password policy.  NO_CLI
    # keeps it out of the `ipa` command line, but it remains callable over
    # the API.  Unlike cosentry_mod, both the policy DN and the priority are
    # mandatory here (no required=False).
    NO_CLI = True
    takes_args = (
        parameters.Str(
            'cn',
        ),
    )
    takes_options = (
        parameters.DNParam(
            'krbpwdpolicyreference',
        ),
        parameters.Int(
            'cospriority',
        ),
        # setattr/addattr are raw attribute writes that bypass the typed
        # options above.  Whatever validation applies is server-side (schema
        # check per the help text, plus LDAP ACIs presumably) -- verify before
        # treating the typed options as the only way to change the entry.
        parameters.Str(
            'setattr',
            required=False,
            multivalue=True,
            doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'addattr',
            required=False,
            multivalue=True,
            doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
            exclude=('webui',),
        ),
        # Output-only flags; hidden from the web UI, default off.
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry(
            'result',
        ),
        output.PrimaryKey(
            'value',
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )
@register()
class cosentry_del(Method):
    # Delete one or more CoS entries by cn.  NO_CLI: API-only, not an `ipa`
    # subcommand.  With --continue, failures are collected in the 'result'
    # dict instead of aborting the batch (see the output doc below).
    NO_CLI = True
    takes_args = (
        parameters.Str(
            'cn',
            multivalue=True,
        ),
    )
    takes_options = (
        parameters.Flag(
            'continue',
            doc=_(u"Continuous mode: Don't stop on errors."),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Output(
            'result',
            dict,
            doc=_(u'List of deletions that failed'),
        ),
        output.ListOfPrimaryKeys(
            'value',
        ),
    )
@register()
class cosentry_find(Method):
    # Search CoS entries.  NO_CLI: API-only.  `criteria` is a free-text
    # search term; the named options narrow by attribute.  Callers should
    # honour the 'truncated' output -- a size/time limit can silently cut the
    # result set, which matters when the search is used for an audit.
    NO_CLI = True
    takes_args = (
        parameters.Str(
            'criteria',
            required=False,
            doc=_(u'A string searched in all relevant object attributes'),
        ),
    )
    takes_options = (
        parameters.Str(
            'cn',
            required=False,
        ),
        parameters.DNParam(
            'krbpwdpolicyreference',
            required=False,
        ),
        parameters.Int(
            'cospriority',
            required=False,
        ),
        # 0 means unlimited for both limits (per the help text); the
        # effective cap when omitted is decided server-side.
        parameters.Int(
            'timelimit',
            required=False,
            label=_(u'Time Limit'),
            doc=_(u'Time limit of search in seconds (0 is unlimited)'),
        ),
        parameters.Int(
            'sizelimit',
            required=False,
            label=_(u'Size Limit'),
            doc=_(u'Maximum number of entries returned (0 is unlimited)'),
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'pkey_only',
            required=False,
            label=_(u'Primary key only'),
            doc=_(u'Results should contain primary key attribute only ("cn")'),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.ListOfEntries(
            'result',
        ),
        output.Output(
            'count',
            int,
            doc=_(u'Number of entries returned'),
        ),
        output.Output(
            'truncated',
            bool,
            doc=_(u'True if not all results were returned'),
        ),
    )
@register()
class cosentry_mod(Method):
    # Modify an existing CoS entry.  NO_CLI: API-only.  Both typed options
    # are optional here (contrast cosentry_add, where they are required).
    # Re-pointing `krbpwdpolicyreference` or changing `cospriority` changes
    # which policy a group's members are subject to, so this is a
    # privileged operation; the access control is server-side.
    NO_CLI = True
    takes_args = (
        parameters.Str(
            'cn',
        ),
    )
    takes_options = (
        parameters.DNParam(
            'krbpwdpolicyreference',
            required=False,
        ),
        parameters.Int(
            'cospriority',
            required=False,
        ),
        # Raw attribute writes that bypass the typed options; order of
        # evaluation is set/add first, delattr last (per its help text).
        parameters.Str(
            'setattr',
            required=False,
            multivalue=True,
            doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'addattr',
            required=False,
            multivalue=True,
            doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'delattr',
            required=False,
            multivalue=True,
            doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
            exclude=('webui',),
        ),
        # --rights reports the caller's effective access rights on the entry
        # (needs --all); useful when auditing who may edit policy bindings.
        parameters.Flag(
            'rights',
            label=_(u'Rights'),
            doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry(
            'result',
        ),
        output.PrimaryKey(
            'value',
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )
@register()
class cosentry_show(Method):
    # Display a single CoS entry by cn.  NO_CLI: API-only.  Read-only; the
    # only options are output controls.
    NO_CLI = True
    takes_args = (
        parameters.Str(
            'cn',
        ),
    )
    takes_options = (
        parameters.Flag(
            'rights',
            label=_(u'Rights'),
            doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry(
            'result',
        ),
        output.PrimaryKey(
            'value',
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )
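@register()
class pwpolicy_add(Method):
    __doc__ = _("Add a new group password policy.")
    # `ipa pwpolicy-add [options] GROUP`.  The group and --priority are the
    # only required inputs; every policy attribute is optional.  Attributes
    # not given are left unset here -- per the module help text a group
    # policy "stands alone" and does not inherit from the global policy, so
    # an add that omits e.g. --maxfail yields a policy with no lockout
    # setting of its own (how the server treats an unset attribute is not
    # visible from this file -- verify).  No minvalue/maxvalue is declared
    # on any Int, so range validation is server-side.
    # Only change vs. the bundled text: the closing ')' was missing from the
    # --priority help string; this string is help text only.
    takes_args = (
        parameters.Str(
            'cn',
            cli_name='group',
            label=_(u'Group'),
            doc=_(u'Manage password policy for specific group'),
        ),
    )
    takes_options = (
        # Note the units: days here, hours for --minlife, seconds for the
        # lockout options.
        parameters.Int(
            'krbmaxpwdlife',
            required=False,
            cli_name='maxlife',
            label=_(u'Max lifetime (days)'),
            doc=_(u'Maximum password lifetime (in days)'),
        ),
        parameters.Int(
            'krbminpwdlife',
            required=False,
            cli_name='minlife',
            label=_(u'Min lifetime (hours)'),
            doc=_(u'Minimum password lifetime (in hours)'),
        ),
        parameters.Int(
            'krbpwdhistorylength',
            required=False,
            cli_name='history',
            label=_(u'History size'),
            doc=_(u'Password history size'),
        ),
        parameters.Int(
            'krbpwdmindiffchars',
            required=False,
            cli_name='minclasses',
            label=_(u'Character classes'),
            doc=_(u'Minimum number of character classes'),
        ),
        parameters.Int(
            'krbpwdminlength',
            required=False,
            cli_name='minlength',
            label=_(u'Min length'),
            doc=_(u'Minimum length of password'),
        ),
        # Required: lower number = higher priority when a user is in several
        # groups that carry policies.
        parameters.Int(
            'cospriority',
            cli_name='priority',
            label=_(u'Priority'),
            doc=_(u'Priority of the policy (higher number means lower priority)'),
        ),
        # Brute-force controls.  A low --maxfail with a long --lockouttime is
        # also an easy way for an attacker to lock accounts on purpose.
        parameters.Int(
            'krbpwdmaxfailure',
            required=False,
            cli_name='maxfail',
            label=_(u'Max failures'),
            doc=_(u'Consecutive failures before lockout'),
        ),
        parameters.Int(
            'krbpwdfailurecountinterval',
            required=False,
            cli_name='failinterval',
            label=_(u'Failure reset interval'),
            doc=_(u'Period after which failure count will be reset (seconds)'),
        ),
        parameters.Int(
            'krbpwdlockoutduration',
            required=False,
            cli_name='lockouttime',
            label=_(u'Lockout duration'),
            doc=_(u'Period for which lockout is enforced (seconds)'),
        ),
        # Raw attribute writes that bypass the typed options above; the only
        # guard is server-side (schema check per the help text, LDAP ACIs
        # presumably).
        parameters.Str(
            'setattr',
            required=False,
            multivalue=True,
            doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'addattr',
            required=False,
            multivalue=True,
            doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
            exclude=('webui',),
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry(
            'result',
        ),
        output.PrimaryKey(
            'value',
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )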
@register()
class pwpolicy_del(Method):
    __doc__ = _("Delete a group password policy.")
    # `ipa pwpolicy-del GROUP...`.  The group is required (there is no
    # required=False), so the global policy cannot be deleted through this
    # command.  Members of the group presumably fall back to the global
    # policy afterwards (the module help text says each user is subject to
    # either a group policy or the global one) -- verify server-side.
    # With --continue, per-group failures are reported in 'result' instead
    # of stopping the batch.
    takes_args = (
        parameters.Str(
            'cn',
            multivalue=True,
            cli_name='group',
            label=_(u'Group'),
            doc=_(u'Manage password policy for specific group'),
        ),
    )
    takes_options = (
        parameters.Flag(
            'continue',
            doc=_(u"Continuous mode: Don't stop on errors."),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Output(
            'result',
            dict,
            doc=_(u'List of deletions that failed'),
        ),
        output.ListOfPrimaryKeys(
            'value',
        ),
    )
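@register()
class pwpolicy_find(Method):
    __doc__ = _("Search for group password policies.")
    # `ipa pwpolicy-find [CRITERIA] [options]`.  Every policy attribute can
    # be used as an exact-match filter, which makes this handy for audits
    # such as "which groups have no lockout" -- but check the 'truncated'
    # output, since a size/time limit can silently drop entries.
    # Only change vs. the bundled text: the closing ')' was missing from the
    # --priority help string; this string is help text only.
    takes_args = (
        parameters.Str(
            'criteria',
            required=False,
            doc=_(u'A string searched in all relevant object attributes'),
        ),
    )
    takes_options = (
        parameters.Str(
            'cn',
            required=False,
            cli_name='group',
            label=_(u'Group'),
            doc=_(u'Manage password policy for specific group'),
        ),
        parameters.Int(
            'krbmaxpwdlife',
            required=False,
            cli_name='maxlife',
            label=_(u'Max lifetime (days)'),
            doc=_(u'Maximum password lifetime (in days)'),
        ),
        parameters.Int(
            'krbminpwdlife',
            required=False,
            cli_name='minlife',
            label=_(u'Min lifetime (hours)'),
            doc=_(u'Minimum password lifetime (in hours)'),
        ),
        parameters.Int(
            'krbpwdhistorylength',
            required=False,
            cli_name='history',
            label=_(u'History size'),
            doc=_(u'Password history size'),
        ),
        parameters.Int(
            'krbpwdmindiffchars',
            required=False,
            cli_name='minclasses',
            label=_(u'Character classes'),
            doc=_(u'Minimum number of character classes'),
        ),
        parameters.Int(
            'krbpwdminlength',
            required=False,
            cli_name='minlength',
            label=_(u'Min length'),
            doc=_(u'Minimum length of password'),
        ),
        parameters.Int(
            'cospriority',
            required=False,
            cli_name='priority',
            label=_(u'Priority'),
            doc=_(u'Priority of the policy (higher number means lower priority)'),
        ),
        parameters.Int(
            'krbpwdmaxfailure',
            required=False,
            cli_name='maxfail',
            label=_(u'Max failures'),
            doc=_(u'Consecutive failures before lockout'),
        ),
        parameters.Int(
            'krbpwdfailurecountinterval',
            required=False,
            cli_name='failinterval',
            label=_(u'Failure reset interval'),
            doc=_(u'Period after which failure count will be reset (seconds)'),
        ),
        parameters.Int(
            'krbpwdlockoutduration',
            required=False,
            cli_name='lockouttime',
            label=_(u'Lockout duration'),
            doc=_(u'Period for which lockout is enforced (seconds)'),
        ),
        # 0 means unlimited for both limits (per the help text).
        parameters.Int(
            'timelimit',
            required=False,
            label=_(u'Time Limit'),
            doc=_(u'Time limit of search in seconds (0 is unlimited)'),
        ),
        parameters.Int(
            'sizelimit',
            required=False,
            label=_(u'Size Limit'),
            doc=_(u'Maximum number of entries returned (0 is unlimited)'),
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'pkey_only',
            required=False,
            label=_(u'Primary key only'),
            doc=_(u'Results should contain primary key attribute only ("group")'),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.ListOfEntries(
            'result',
        ),
        output.Output(
            'count',
            int,
            doc=_(u'Number of entries returned'),
        ),
        output.Output(
            'truncated',
            bool,
            doc=_(u'True if not all results were returned'),
        ),
    )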
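@register()
class pwpolicy_mod(Method):
    __doc__ = _("Modify a group password policy.")
    # `ipa pwpolicy-mod [options] [GROUP]`.  GROUP is optional: omitting it
    # edits the global policy (module help: `ipa pwpolicy-mod --minlength=10`),
    # so a typo'd or forgotten group name changes the realm-wide policy rather
    # than failing -- worth a confirmation step in any automation built on
    # this command.  All attributes are optional; no minvalue/maxvalue is
    # declared, so range checks are server-side.
    # Only change vs. the bundled text: the closing ')' was missing from the
    # --priority help string; this string is help text only.
    takes_args = (
        parameters.Str(
            'cn',
            required=False,
            cli_name='group',
            label=_(u'Group'),
            doc=_(u'Manage password policy for specific group'),
        ),
    )
    takes_options = (
        # Units: days / hours / seconds -- see the labels.
        parameters.Int(
            'krbmaxpwdlife',
            required=False,
            cli_name='maxlife',
            label=_(u'Max lifetime (days)'),
            doc=_(u'Maximum password lifetime (in days)'),
        ),
        parameters.Int(
            'krbminpwdlife',
            required=False,
            cli_name='minlife',
            label=_(u'Min lifetime (hours)'),
            doc=_(u'Minimum password lifetime (in hours)'),
        ),
        parameters.Int(
            'krbpwdhistorylength',
            required=False,
            cli_name='history',
            label=_(u'History size'),
            doc=_(u'Password history size'),
        ),
        parameters.Int(
            'krbpwdmindiffchars',
            required=False,
            cli_name='minclasses',
            label=_(u'Character classes'),
            doc=_(u'Minimum number of character classes'),
        ),
        parameters.Int(
            'krbpwdminlength',
            required=False,
            cli_name='minlength',
            label=_(u'Min length'),
            doc=_(u'Minimum length of password'),
        ),
        parameters.Int(
            'cospriority',
            required=False,
            cli_name='priority',
            label=_(u'Priority'),
            doc=_(u'Priority of the policy (higher number means lower priority)'),
        ),
        # Brute-force controls; see the notes on pwpolicy_add.
        parameters.Int(
            'krbpwdmaxfailure',
            required=False,
            cli_name='maxfail',
            label=_(u'Max failures'),
            doc=_(u'Consecutive failures before lockout'),
        ),
        parameters.Int(
            'krbpwdfailurecountinterval',
            required=False,
            cli_name='failinterval',
            label=_(u'Failure reset interval'),
            doc=_(u'Period after which failure count will be reset (seconds)'),
        ),
        parameters.Int(
            'krbpwdlockoutduration',
            required=False,
            cli_name='lockouttime',
            label=_(u'Lockout duration'),
            doc=_(u'Period for which lockout is enforced (seconds)'),
        ),
        # Raw attribute writes bypassing the typed options; delattr runs last
        # (per its help text).  Guarded only server-side.
        parameters.Str(
            'setattr',
            required=False,
            multivalue=True,
            doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'addattr',
            required=False,
            multivalue=True,
            doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
            exclude=('webui',),
        ),
        parameters.Str(
            'delattr',
            required=False,
            multivalue=True,
            doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
            exclude=('webui',),
        ),
        parameters.Flag(
            'rights',
            label=_(u'Rights'),
            doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry(
            'result',
        ),
        output.PrimaryKey(
            'value',
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )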
@register()
class pwpolicy_show(Method):
    __doc__ = _("Display information about password policy.")
    # `ipa pwpolicy-show [GROUP] [--user=LOGIN]`.  Without GROUP this shows
    # the global policy; --user instead resolves the policy that is effective
    # for that user (module help: `ipa pwpolicy-show --user=tuser1`).  Read-
    # only.  Whether a non-admin may look up another user's effective policy
    # (which reveals that user's group-policy membership) is decided by
    # server-side access control, not by anything declared here -- verify.
    takes_args = (
        parameters.Str(
            'cn',
            required=False,
            cli_name='group',
            label=_(u'Group'),
            doc=_(u'Manage password policy for specific group'),
        ),
    )
    takes_options = (
        parameters.Flag(
            'rights',
            label=_(u'Rights'),
            doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
            default=False,
            autofill=True,
        ),
        parameters.Str(
            'user',
            required=False,
            label=_(u'User'),
            doc=_(u'Display effective policy for a specific user'),
        ),
        parameters.Flag(
            'all',
            doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'raw',
            doc=_(u'Print entries as stored on the server. Only affects output format.'),
            exclude=('webui',),
            default=False,
            autofill=True,
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Entry(
            'result',
        ),
        output.PrimaryKey(
            'value',
            doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
        ),
    )