Account lockout

Merge Luke's users/lhoward/lockout2 branch to trunk.  Implements
account lockout policies for preauth-using principals using existing
principal metadata fields and new policy fields.  The kadmin API
version is bumped from 2 to 3 to compatibly extend the policy_ent_rec
structure.

ticket: 6577

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23038 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 44 insertions, 3 deletions

diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c
index 6679ce0a7..08f3a52a4 100644
--- a/src/kadmin/testing/util/tcl_kadm5.c
+++ b/src/kadmin/testing/util/tcl_kadm5.c
@@ -71,7 +71,10 @@ static struct flagval policy_mask_flags[] = {
      {"KADM5_PW_MIN_LENGTH", KADM5_PW_MIN_LENGTH},
      {"KADM5_PW_MIN_CLASSES", KADM5_PW_MIN_CLASSES},
      {"KADM5_PW_HISTORY_NUM", KADM5_PW_HISTORY_NUM},
-     {"KADM5_REF_COUNT", KADM5_REF_COUNT}
+     {"KADM5_REF_COUNT", KADM5_REF_COUNT},
+     {"KADM5_PW_MAX_FAILURE", KADM5_PW_MAX_FAILURE},
+     {"KADM5_PW_FAILURE_COUNT_INTERVAL", KADM5_PW_FAILURE_COUNT_INTERVAL},
+     {"KADM5_PW_LOCKOUT_DURATION", KADM5_PW_LOCKOUT_DURATION},
 };
 
 static struct flagval config_mask_flags[] = {
@@ -1309,6 +1312,7 @@ static int parse_principal_ent(Tcl_Interp *interp, char *list,
 	  retcode = TCL_ERROR;
 	  goto finished;
      }
+     princ->n_tl_data = tmp;
 
 finished:
      Tcl_Free((char *) argv);
@@ -1360,6 +1364,15 @@ static Tcl_DString *unparse_policy_ent(kadm5_policy_ent_t policy)
      sprintf(buf, "%ld", policy->policy_refcnt);
      Tcl_DStringAppendElement(str, buf);
 
+     sprintf(buf, "%d", policy->pw_max_fail);
+     Tcl_DStringAppendElement(str, buf);
+
+     sprintf(buf, "%d", policy->pw_failcnt_interval);
+     Tcl_DStringAppendElement(str, buf);
+
+     sprintf(buf, "%d", policy->pw_lockout_duration);
+     Tcl_DStringAppendElement(str, buf);
+
      return str;
 }
 
@@ -1379,8 +1392,8 @@ static int parse_policy_ent(Tcl_Interp *interp, char *list,
 	  return tcl_ret;
      }
 
-     if (argc != 7) {
-	  sprintf(interp->result, "wrong # args in policy structure (%d should be 7)",
+     if (argc != 7 && argc != 10) {
+	  sprintf(interp->result, "wrong # args in policy structure (%d should be 7 or 10)",
 		  argc);
 	  retcode = TCL_ERROR;
 	  goto finished;
@@ -1459,6 +1472,32 @@ static int parse_policy_ent(Tcl_Interp *interp, char *list,
      }
      policy->policy_refcnt = tmp;
 
+     if (argc == 7) goto finished;
+
+     if ((tcl_ret = Tcl_GetInt(interp, argv[7], &tmp))
+	 != TCL_OK) {
+	  Tcl_AppendElement(interp, "while parsing pw_max_fail");
+	  retcode = TCL_ERROR;
+	  goto finished;
+     }
+     policy->pw_max_fail = tmp;
+
+     if ((tcl_ret = Tcl_GetInt(interp, argv[8], &tmp))
+	 != TCL_OK) {
+	  Tcl_AppendElement(interp, "while parsing pw_failcnt_interval");
+	  retcode = TCL_ERROR;
+	  goto finished;
+     }
+     policy->pw_failcnt_interval = tmp;
+
+     if ((tcl_ret = Tcl_GetInt(interp, argv[9], &tmp))
+	 != TCL_OK) {
+	  Tcl_AppendElement(interp, "while parsing pw_lockout_duration");
+	  retcode = TCL_ERROR;
+	  goto finished;
+     }
+     policy->pw_lockout_duration = tmp;
+
 finished:
      Tcl_Free((char *) argv);
      *out_policy = policy;
@@ -2488,6 +2527,8 @@ void Tcl_kadm5_init(Tcl_Interp *interp)
      Tcl_SetVar(interp, "KADM5_STRUCT_VERSION", buf, TCL_GLOBAL_ONLY);
     (void) sprintf(buf, "%d", KADM5_API_VERSION_2);
      Tcl_SetVar(interp, "KADM5_API_VERSION_2", buf, TCL_GLOBAL_ONLY);
+    (void) sprintf(buf, "%d", KADM5_API_VERSION_3);
+     Tcl_SetVar(interp, "KADM5_API_VERSION_3", buf, TCL_GLOBAL_ONLY);
     (void) sprintf(buf, "%d", KADM5_API_VERSION_MASK);
      Tcl_SetVar(interp, "KADM5_API_VERSION_MASK", buf, TCL_GLOBAL_ONLY);
     (void) sprintf(buf, "%d", KADM5_STRUCT_VERSION_MASK);