summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorroot <root@webui.pzuna>2010-05-04 16:56:17 -0400
committerRob Crittenden <rcritten@redhat.com>2010-05-05 15:00:04 -0400
commitf6cde533fdc480a2bccfdf757f350bbc3aa49799 (patch)
tree5057f5e4915a53d73fa53e0ff1a995f7c3940fd9
parentfa59c8b9d33853f1676ea5c872451e088e83a8d3 (diff)
downloadfreeipa-f6cde533fdc480a2bccfdf757f350bbc3aa49799.tar.gz
freeipa-f6cde533fdc480a2bccfdf757f350bbc3aa49799.tar.xz
freeipa-f6cde533fdc480a2bccfdf757f350bbc3aa49799.zip
Add new password policy plugin based on baseldap.py classes.
-rw-r--r--ipalib/plugins/pwpolicy2.py351
-rw-r--r--tests/test_xmlrpc/test_pwpolicy2.py171
2 files changed, 522 insertions, 0 deletions
diff --git a/ipalib/plugins/pwpolicy2.py b/ipalib/plugins/pwpolicy2.py
new file mode 100644
index 000000000..797c08105
--- /dev/null
+++ b/ipalib/plugins/pwpolicy2.py
@@ -0,0 +1,351 @@
+# Authors:
+# Pavel Zuna <pzuna@redhat.com>
+#
+# Copyright (C) 2010 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+"""
+Password policy
+"""
+
+from ipalib import api
+from ipalib import Int, Str
+from ipalib.plugins.baseldap import *
+from ipalib import _
+
+
+class cosentry(LDAPObject):
+ """
+ Class of Service object used for linking policies with groups
+ """
+ INTERNAL = True
+
+ container_dn = 'cn=costemplates,%s' % api.env.container_accounts
+ object_class = ['top', 'costemplate', 'extensibleobject', 'krbcontainer']
+ default_attributes = ['cn', 'cospriority', 'krbpwdpolicyreference']
+
+ takes_params = (
+ Str('cn', primary_key=True),
+ Str('krbpwdpolicyreference'),
+ Int('cospriority', minvalue=0),
+ )
+
+ priority_not_unique_msg = _(
+ 'priority must be a unique value (%(prio)d already used by %(gname)s)'
+ )
+
+ def get_dn(self, *keys, **options):
+ group_dn = self.api.Object.group.get_dn(keys[-1])
+ return self.backend.make_dn_from_attr(
+ 'cn', group_dn, self.container_dn
+ )
+
+ def check_priority_uniqueness(self, *keys, **options):
+ if options.get('cospriority') is not None:
+ entries = self.methods.find(
+ cospriority=options['cospriority']
+ )['result']
+ if len(entries) > 0:
+ group_name = self.api.Object.group.get_primary_key_from_dn(
+ entries[0]['cn'][0]
+ )
+ raise errors.ValidationError(
+ name='priority',
+ error=self.priority_not_unique_msg % {
+ 'prio': options['cospriority'],
+ 'gname': group_name,
+ }
+ )
+
+api.register(cosentry)
+
+
+class cosentry_add(LDAPCreate):
+ INTERNAL = True
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ # check for existence of the group
+ self.api.Command.group_show(keys[-1])
+ self.obj.check_priority_uniqueness(*keys, **options)
+ del entry_attrs['cn']
+ return dn
+
+api.register(cosentry_add)
+
+
+class cosentry_del(LDAPDelete):
+ INTERNAL = True
+
+api.register(cosentry_del)
+
+
+class cosentry_mod(LDAPUpdate):
+ INTERNAL = True
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ self.obj.check_priority_uniqueness(*keys, **options)
+ return dn
+
+api.register(cosentry_mod)
+
+
+class cosentry_show(LDAPRetrieve):
+ INTERNAL = True
+
+api.register(cosentry_show)
+
+
+class cosentry_find(LDAPSearch):
+ INTERNAL = True
+
+api.register(cosentry_find)
+
+
+GLOBAL_POLICY_NAME = u'GLOBAL'
+
+
+class pwpolicy2(LDAPObject):
+ """
+ Password Policy object
+ """
+ container_dn = 'cn=%s,cn=kerberos' % api.env.realm
+ object_name = 'password policy'
+ object_name_plural = 'password policies'
+ object_class = ['top', 'nscontainer', 'krbpwdpolicy']
+ default_attributes = [
+ 'cn', 'cospriority', 'krbmaxpwdlife', 'krbminpwdlife',
+ 'krbpwdhistorylength', 'krbpwdmindiffchars', 'krbpwdminlength',
+ ]
+
+ takes_params = (
+ Str('cn?',
+ cli_name='group',
+ label=_('Group'),
+ doc=_('Manage password policy for specific group'),
+ primary_key=True,
+ ),
+ Int('krbmaxpwdlife?',
+ cli_name='maxlife',
+ label=_('Max lifetime (days)'),
+ doc=_('Maximum password lifetime (in days)'),
+ minvalue=0,
+ ),
+ Int('krbminpwdlife?',
+ cli_name='minlife',
+ label=_('Min lifetime (hours)'),
+ doc=_('Minimum password lifetime (in hours)'),
+ minvalue=0,
+ ),
+ Int('krbpwdhistorylength?',
+ cli_name='history',
+ label=_('History size'),
+ doc=_('Password history size'),
+ minvalue=0,
+ ),
+ Int('krbpwdmindiffchars?',
+ cli_name='minclasses',
+ label=_('Character classes'),
+ doc=_('Minimum number of character classes'),
+ minvalue=0,
+ maxvalue=5,
+ ),
+ Int('krbpwdminlength?',
+ cli_name='minlength',
+ label=_('Min length'),
+ doc=_('Minimum length of password'),
+ minvalue=0,
+ ),
+ Int('cospriority',
+ cli_name='priority',
+ label=_('Priority'),
+ doc=_('Priority of the policy (higher number means lower priority'),
+ minvalue=0,
+ ),
+ )
+
+ def get_dn(self, *keys, **options):
+ if keys[-1] is not None:
+ return self.backend.make_dn_from_attr(
+ self.primary_key.name, keys[-1], self.container_dn
+ )
+ return self.api.env.container_accounts
+
+ def convert_time_for_output(self, entry_attrs, **options):
+ # Convert seconds to hours and days for displaying to user
+ if not options.get('raw', False):
+ if 'krbmaxpwdlife' in entry_attrs:
+ entry_attrs['krbmaxpwdlife'][0] = unicode(
+ int(entry_attrs['krbmaxpwdlife'][0]) / 86400
+ )
+ if 'krbminpwdlife' in entry_attrs:
+ entry_attrs['krbminpwdlife'][0] = unicode(
+ int(entry_attrs['krbminpwdlife'][0]) / 3600
+ )
+
+ def convert_time_on_input(self, entry_attrs):
+ # Convert hours and days to seconds for writing to LDAP
+ if 'krbmaxpwdlife' in entry_attrs and entry_attrs['krbmaxpwdlife']:
+ entry_attrs['krbmaxpwdlife'] = entry_attrs['krbmaxpwdlife'] * 86400
+ if 'krbminpwdlife' in entry_attrs and entry_attrs['krbminpwdlife']:
+ entry_attrs['krbminpwdlife'] = entry_attrs['krbminpwdlife'] * 3600
+
+api.register(pwpolicy2)
+
+
+class pwpolicy2_add(LDAPCreate):
+ """
+ Create new group password policy.
+ """
+ def get_args(self):
+ yield self.obj.primary_key.clone(attribute=True, required=True)
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ self.api.Command.cosentry_add(
+ keys[-1], krbpwdpolicyreference=dn,
+ cospriority=options.get('cospriority')
+ )
+ if 'cospriority' in entry_attrs:
+ del entry_attrs['cospriority']
+ self.obj.convert_time_on_input(entry_attrs)
+ return dn
+
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ self.log.info('%r' % entry_attrs)
+ if not options.get('raw', False):
+ if options.get('cospriority') is not None:
+ entry_attrs['cospriority'] = [unicode(options['cospriority'])]
+ self.obj.convert_time_for_output(entry_attrs, **options)
+ return dn
+
+api.register(pwpolicy2_add)
+
+
+class pwpolicy2_del(LDAPDelete):
+ """
+ Delete group password policy.
+ """
+ def get_args(self):
+ yield self.obj.primary_key.clone(attribute=True, required=True)
+
+ def post_callback(self, ldap, dn, *keys, **options):
+ try:
+ self.api.Command.cosentry_del(keys[-1])
+ except errors.NotFound:
+ pass
+ return True
+
+api.register(pwpolicy2_del)
+
+
+class pwpolicy2_mod(LDAPUpdate):
+ """
+ Modify group password policy.
+ """
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ if options.get('cospriority') is not None:
+ if keys[-1] is None:
+ raise errors.ValidationError(
+ name='priority',
+ error=_('priority cannot be set on global policy')
+ )
+ try:
+ self.api.Command.cosentry_mod(
+ keys[-1], cospriority=options['cospriority']
+ )
+ except errors.NotFound:
+ self.api.Command.cosentry_add(
+ keys[-1], krbpwdpolicyreference=dn,
+ cospriority=options['cospriority']
+ )
+ del entry_attrs['cospriority']
+ self.obj.convert_time_on_input(entry_attrs)
+ return dn
+
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ if not options.get('raw', False):
+ if options.get('cospriority') is not None:
+ entry_attrs['cospriority'] = [unicode(options['copriority'])]
+ if keys[-1] is None:
+ entry_attrs['cn'] = GLOBAL_POLICY_NAME
+ self.obj.convert_time_for_output(entry_attrs, **options)
+ return dn
+
+api.register(pwpolicy2_mod)
+
+
+class pwpolicy2_show(LDAPRetrieve):
+ """
+ Display group password policy.
+ """
+ takes_options = (
+ Str('user?',
+ label=_('User'),
+ doc=_('Display effective policy for a specific user'),
+ ),
+ )
+
+ def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
+ if options.get('user') is not None:
+ user_entry = self.api.Command.user_show(
+ options['user'], all=True
+ )['result']
+ if 'krbpwdpolicyreference' in user_entry:
+ return user_entry.get('krbpwdpolicyreference', [dn])[0]
+ return dn
+
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ if not options.get('raw', False):
+ if keys[-1] is not None:
+ try:
+ cos_entry = self.api.Command.cosentry_show(
+ keys[-1]
+ )['result']
+ if cos_entry.get('cospriority') is not None:
+ entry_attrs['cospriority'] = cos_entry['cospriority']
+ except errors.NotFound:
+ pass
+ else:
+ entry_attrs['cn'] = GLOBAL_POLICY_NAME
+ self.obj.convert_time_for_output(entry_attrs, **options)
+ return dn
+
+api.register(pwpolicy2_show)
+
+
+class pwpolicy2_find(LDAPSearch):
+ """
+ Search for group password policies.
+ """
+ def post_callback(self, ldap, entries, truncated, *args, **options):
+ if not options.get('raw', False):
+ for e in entries:
+ try:
+ cos_entry = self.api.Command.cosentry_show(
+ e[1]['cn'][0]
+ )['result']
+ if cos_entry.get('cospriority') is not None:
+ e[1]['cospriority'] = cos_entry['cospriority']
+ except errors.NotFound:
+ pass
+ self.obj.convert_time_for_output(e[1], **options)
+ global_entry = self.api.Command.pwpolicy2_show(
+ all=options.get('all', False), raw=options.get('raw', False)
+ )['result']
+ dn = global_entry['dn']
+ del global_entry['dn']
+ entries.insert(0, (dn, global_entry))
+
+api.register(pwpolicy2_find)
+
diff --git a/tests/test_xmlrpc/test_pwpolicy2.py b/tests/test_xmlrpc/test_pwpolicy2.py
new file mode 100644
index 000000000..72c65beda
--- /dev/null
+++ b/tests/test_xmlrpc/test_pwpolicy2.py
@@ -0,0 +1,171 @@
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+# Pavel Zuna <pzuna@redhat.com>
+#
+# Copyright (C) 2010 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+"""
+Test the `ipalib/plugins/pwpolicy2.py` module.
+"""
+
+import sys
+from xmlrpc_test import XMLRPC_test, assert_attr_equal
+from ipalib import api
+from ipalib import errors
+
+
+class test_pwpolicy2(XMLRPC_test):
+ """
+ Test the `pwpolicy2` plugin.
+ """
+ group = u'testgroup12'
+ group2 = u'testgroup22'
+ user = u'testuser12'
+ kw = {'cospriority': 1, 'krbminpwdlife': 30, 'krbmaxpwdlife': 40, 'krbpwdhistorylength': 5, 'krbpwdminlength': 6 }
+ kw2 = {'cospriority': 2, 'krbminpwdlife': 40, 'krbmaxpwdlife': 60, 'krbpwdhistorylength': 8, 'krbpwdminlength': 9 }
+
+ def test_1_pwpolicy2_add(self):
+ """
+ Test adding a per-group policy using the `xmlrpc.pwpolicy2_add` method.
+ """
+ # First set up a group and user that will use this policy
+ self.failsafe_add(
+ api.Object.group, self.group, description=u'pwpolicy test group',
+ )
+ self.failsafe_add(
+ api.Object.user, self.user, givenname=u'Test', sn=u'User'
+ )
+ api.Command.group_add_member(self.group, users=self.user)
+
+ entry = api.Command['pwpolicy2_add'](self.group, **self.kw)['result']
+ assert_attr_equal(entry, 'krbminpwdlife', '30')
+ assert_attr_equal(entry, 'krbmaxpwdlife', '40')
+ assert_attr_equal(entry, 'krbpwdhistorylength', '5')
+ assert_attr_equal(entry, 'krbpwdminlength', '6')
+ assert_attr_equal(entry, 'cospriority', '1')
+
+ def test_2_pwpolicy2_add(self):
+ """
+ Add a policy with a already used priority.
+
+ The priority validation is done first, so it's OK that the group
+ is the same here.
+ """
+ try:
+ api.Command['pwpolicy2_add'](self.group, **self.kw)
+ except errors.ValidationError:
+ pass
+ else:
+ assert False
+
+ def test_3_pwpolicy2_add(self):
+ """
+ Add a policy that already exists.
+ """
+ try:
+ # cospriority needs to be unique
+ self.kw['cospriority'] = 3
+ api.Command['pwpolicy2_add'](self.group, **self.kw)
+ except errors.DuplicateEntry:
+ pass
+ else:
+ assert False
+
+ def test_4_pwpolicy2_add(self):
+ """
+ Test adding another per-group policy using the `xmlrpc.pwpolicy2_add` method.
+ """
+ self.failsafe_add(
+ api.Object.group, self.group2, description=u'pwpolicy test group 2'
+ )
+ entry = api.Command['pwpolicy2_add'](self.group2, **self.kw2)['result']
+ assert_attr_equal(entry, 'krbminpwdlife', '40')
+ assert_attr_equal(entry, 'krbmaxpwdlife', '60')
+ assert_attr_equal(entry, 'krbpwdhistorylength', '8')
+ assert_attr_equal(entry, 'krbpwdminlength', '9')
+ assert_attr_equal(entry, 'cospriority', '2')
+
+ def test_5_pwpolicy2_add(self):
+ """
+ Add a pwpolicy for a non-existent group
+ """
+ try:
+ api.Command['pwpolicy2_add'](u'nopwpolicy', cospriority=1, krbminpwdlife=1)
+ except errors.NotFound:
+ pass
+ else:
+ assert False
+
+ def test_6_pwpolicy2_show(self):
+ """
+ Test the `xmlrpc.pwpolicy2_show` method with global policy.
+ """
+ entry = api.Command['pwpolicy2_show']()['result']
+ # Note that this assumes an unchanged global policy
+ assert_attr_equal(entry, 'krbminpwdlife', '1')
+ assert_attr_equal(entry, 'krbmaxpwdlife', '90')
+ assert_attr_equal(entry, 'krbpwdhistorylength', '0')
+ assert_attr_equal(entry, 'krbpwdminlength', '8')
+
+ def test_7_pwpolicy2_show(self):
+ """
+ Test the `xmlrpc.pwpolicy2_show` method.
+ """
+ entry = api.Command['pwpolicy2_show'](self.group)['result']
+ assert_attr_equal(entry, 'krbminpwdlife', '30')
+ assert_attr_equal(entry, 'krbmaxpwdlife', '40')
+ assert_attr_equal(entry, 'krbpwdhistorylength', '5')
+ assert_attr_equal(entry, 'krbpwdminlength', '6')
+ assert_attr_equal(entry, 'cospriority', '1')
+
+ def test_8_pwpolicy2_mod(self):
+ """
+ Test the `xmlrpc.pwpolicy2_mod` method for global policy.
+ """
+ entry = api.Command['pwpolicy2_mod'](krbminpwdlife=50)['result']
+ assert_attr_equal(entry, 'krbminpwdlife', '50')
+
+ # Great, now change it back
+ entry = api.Command['pwpolicy2_mod'](krbminpwdlife=1)['result']
+ assert_attr_equal(entry, 'krbminpwdlife', '1')
+
+ def test_9_pwpolicy2_mod(self):
+ """
+ Test the `xmlrpc.pwpolicy2_mod` method.
+ """
+ entry = api.Command['pwpolicy2_mod'](self.group, krbminpwdlife=50)['result']
+ assert_attr_equal(entry, 'krbminpwdlife', '50')
+
+ def test_a_pwpolicy_del(self):
+ """
+ Test the `xmlrpc.pwpolicy2_del` method.
+ """
+ assert api.Command['pwpolicy2_del'](self.group)['result'] is True
+ # Verify that it is gone
+ try:
+ api.Command['pwpolicy2_show'](self.group)
+ except errors.NotFound:
+ pass
+ else:
+ assert False
+
+ # Remove the groups we created
+ api.Command['group_del'](self.group)
+ api.Command['group_del'](self.group2)
+
+ # Remove the user we created
+ api.Command['user_del'](self.user)
+