authorGreg Hudson <ghudson@mit.edu>2009-10-25 16:55:12 +0000
committerGreg Hudson <ghudson@mit.edu>2009-10-25 16:55:12 +0000
commit8d31a9d396f5bea88def4db395ad12dca2ac2e9f (patch)
tree244f8f5b525432a2a2a280403f38d7b2fbdc0dfd /src/kadmin/testing
parentb82e46df9b6cbf663512985a99c6d79f2b0cb796 (diff)
Account lockout
Merge Luke's users/lhoward/lockout2 branch to trunk. Implements account lockout policies for preauth-using principals using existing principal metadata fields and new policy fields. The kadmin API version is bumped from 2 to 3 to compatibly extend the policy_ent_rec structure. ticket: 6577 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23038 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin/testing')
-rwxr-xr-xsrc/kadmin/testing/scripts/init_db10
-rwxr-xr-xsrc/kadmin/testing/scripts/start_servers_local2
-rw-r--r--src/kadmin/testing/tcl/util.t2
-rw-r--r--src/kadmin/testing/util/tcl_kadm5.c47
4 files changed, 51 insertions, 10 deletions
diff --git a/src/kadmin/testing/scripts/init_db b/src/kadmin/testing/scripts/init_db
index 1cb96f843..d5930223d 100755
--- a/src/kadmin/testing/scripts/init_db
+++ b/src/kadmin/testing/scripts/init_db
@@ -103,13 +103,13 @@ if {[info exists env(USER)]} {
set cmds {
{kadm5_init $env(SRVTCL) mrroot null \
[config_params {KADM5_CONFIG_REALM} $r] $KADM5_STRUCT_VERSION \
- $KADM5_API_VERSION_2 server_handle}
+ $KADM5_API_VERSION_3 server_handle}
- {kadm5_create_policy $server_handle "test-pol 0 10000 8 2 3 0" \
- {KADM5_POLICY KADM5_PW_MIN_LENGTH KADM5_PW_MIN_CLASSES KADM5_PW_MAX_LIFE KADM5_PW_HISTORY_NUM}}
- {kadm5_create_policy $server_handle "once-a-min 10 0 0 0 0 0" \
+ {kadm5_create_policy $server_handle "test-pol 0 10000 8 2 3 0 2 90 180" \
+ {KADM5_POLICY KADM5_PW_MIN_LENGTH KADM5_PW_MIN_CLASSES KADM5_PW_MAX_LIFE KADM5_PW_HISTORY_NUM KADM5_PW_MAX_FAILURE KADM5_PW_FAILURE_COUNT_INTERVAL KADM5_PW_LOCKOUT_DURATION}}
+ {kadm5_create_policy $server_handle "once-a-min 10 0 0 0 0 0 0 0 0" \
{KADM5_POLICY KADM5_PW_MIN_LIFE}}
- {kadm5_create_policy $server_handle "dict-only 0 0 0 0 0 0" \
+ {kadm5_create_policy $server_handle "dict-only 0 0 0 0 0 0 0 0 0" \
{KADM5_POLICY}}
{kadm5_create_policy $server_handle [simple_policy test-pol-nopw] \
{KADM5_POLICY}}
diff --git a/src/kadmin/testing/scripts/start_servers_local b/src/kadmin/testing/scripts/start_servers_local
index 8cd0f3a61..a8890d731 100755
--- a/src/kadmin/testing/scripts/start_servers_local
+++ b/src/kadmin/testing/scripts/start_servers_local
@@ -83,7 +83,7 @@ if { [catch {
set q $env(QUALNAME)
puts stdout [kadm5_init $env(SRVTCL) mrroot null \
[config_params {KADM5_CONFIG_REALM} $r] \
- $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 server_handle]
+ $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 server_handle]
puts stdout [kadm5_create_principal $server_handle \
[simple_principal host/$q@$r] {KADM5_PRINCIPAL} notathena]
puts stdout [kadm5_destroy $server_handle]
diff --git a/src/kadmin/testing/tcl/util.t b/src/kadmin/testing/tcl/util.t
index 0e39061f7..772160990 100644
--- a/src/kadmin/testing/tcl/util.t
+++ b/src/kadmin/testing/tcl/util.t
@@ -7,7 +7,7 @@ proc princ_w_pol {name policy} {
}
proc simple_policy {name} {
- return "{$name} 0 0 0 0 0 0"
+ return "{$name} 0 0 0 0 0 0 0 0 0"
}
proc config_params {masks values} {
diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c
index 6679ce0a7..08f3a52a4 100644
--- a/src/kadmin/testing/util/tcl_kadm5.c
+++ b/src/kadmin/testing/util/tcl_kadm5.c
@@ -71,7 +71,10 @@ static struct flagval policy_mask_flags[] = {
{"KADM5_PW_MIN_LENGTH", KADM5_PW_MIN_LENGTH},
{"KADM5_PW_MIN_CLASSES", KADM5_PW_MIN_CLASSES},
{"KADM5_PW_HISTORY_NUM", KADM5_PW_HISTORY_NUM},
- {"KADM5_REF_COUNT", KADM5_REF_COUNT}
+ {"KADM5_REF_COUNT", KADM5_REF_COUNT},
+ {"KADM5_PW_MAX_FAILURE", KADM5_PW_MAX_FAILURE},
+ {"KADM5_PW_FAILURE_COUNT_INTERVAL", KADM5_PW_FAILURE_COUNT_INTERVAL},
+ {"KADM5_PW_LOCKOUT_DURATION", KADM5_PW_LOCKOUT_DURATION},
};
static struct flagval config_mask_flags[] = {
@@ -1309,6 +1312,7 @@ static int parse_principal_ent(Tcl_Interp *interp, char *list,
retcode = TCL_ERROR;
goto finished;
}
+ princ->n_tl_data = tmp;
finished:
Tcl_Free((char *) argv);
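Review bot: The added `princ->n_tl_data = tmp;` stores the integer parsed from the Tcl list with no range check visible in this hunk. A negative count, or one that does not match the tl_data entries actually attached to `princ`, leaves the record internally inconsistent for any later code that trusts the count. If `n_tl_data` is narrower than `int` (its declaration is not shown here), the assignment also truncates silently. I would reject bad values before the assignment, for example `if (tmp < 0) { retcode = TCL_ERROR; goto finished; }`, and add a comment saying the count must agree with the tl_data list. parse_principal_ent starts and ends outside the hunk.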
@@ -1360,6 +1364,15 @@ static Tcl_DString *unparse_policy_ent(kadm5_policy_ent_t policy)
sprintf(buf, "%ld", policy->policy_refcnt);
Tcl_DStringAppendElement(str, buf);
+ sprintf(buf, "%d", policy->pw_max_fail);
+ Tcl_DStringAppendElement(str, buf);
+
+ sprintf(buf, "%d", policy->pw_failcnt_interval);
+ Tcl_DStringAppendElement(str, buf);
+
+ sprintf(buf, "%d", policy->pw_lockout_duration);
+ Tcl_DStringAppendElement(str, buf);
+
return str;
}
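Review bot: The three added `sprintf(buf, "%d", ...)` calls in unparse_policy_ent read `pw_max_fail`, `pw_failcnt_interval` and `pw_lockout_duration` unconditionally, although `KADM5_API_VERSION_2` is still exported to scripts. If a record is filled in through a version-2 handle, those fields may never have been written (inferred; the fill path is not in this diff), so the output could carry indeterminate values. Zeroing the record before it is populated would make that case deterministic. Separately, `%d` assumes all three fields are signed `int`; their declarations are not shown, so the specifier should be confirmed against the struct. If `buf` is a local array, `snprintf(buf, sizeof buf, "%d", ...)` keeps each write bounded; the declaration of `buf` is outside the hunk.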
@@ -1379,8 +1392,8 @@ static int parse_policy_ent(Tcl_Interp *interp, char *list,
return tcl_ret;
}
- if (argc != 7) {
- sprintf(interp->result, "wrong # args in policy structure (%d should be 7)",
+ if (argc != 7 && argc != 10) {
+ sprintf(interp->result, "wrong # args in policy structure (%d should be 7 or 10)",
argc);
retcode = TCL_ERROR;
goto finished;
@@ -1459,6 +1472,32 @@ static int parse_policy_ent(Tcl_Interp *interp, char *list,
}
policy->policy_refcnt = tmp;
+ if (argc == 7) goto finished;
+
+ if ((tcl_ret = Tcl_GetInt(interp, argv[7], &tmp))
+ != TCL_OK) {
+ Tcl_AppendElement(interp, "while parsing pw_max_fail");
+ retcode = TCL_ERROR;
+ goto finished;
+ }
+ policy->pw_max_fail = tmp;
+
+ if ((tcl_ret = Tcl_GetInt(interp, argv[8], &tmp))
+ != TCL_OK) {
+ Tcl_AppendElement(interp, "while parsing pw_failcnt_interval");
+ retcode = TCL_ERROR;
+ goto finished;
+ }
+ policy->pw_failcnt_interval = tmp;
+
+ if ((tcl_ret = Tcl_GetInt(interp, argv[9], &tmp))
+ != TCL_OK) {
+ Tcl_AppendElement(interp, "while parsing pw_lockout_duration");
+ retcode = TCL_ERROR;
+ goto finished;
+ }
+ policy->pw_lockout_duration = tmp;
+
finished:
Tcl_Free((char *) argv);
*out_policy = policy;
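Review bot: On the `if (argc == 7) goto finished;` path, `pw_max_fail`, `pw_failcnt_interval` and `pw_lockout_duration` are never assigned, so their values depend on how `policy` was allocated earlier in parse_policy_ent, which is outside this hunk. If that allocation does not zero the struct, a 7-element list combined with a mask naming `KADM5_PW_MAX_FAILURE` or the other new flags would pass indeterminate lockout settings to the kadm5 call. I would set the defaults explicitly before the early exit: `policy->pw_max_fail = 0; policy->pw_failcnt_interval = 0; policy->pw_lockout_duration = 0;`. The new `Tcl_GetInt` branches also accept negative numbers; rejecting `tmp < 0` with a "while parsing ..." message would keep a negative interval or lockout duration out of the policy record.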
@@ -2488,6 +2527,8 @@ void Tcl_kadm5_init(Tcl_Interp *interp)
Tcl_SetVar(interp, "KADM5_STRUCT_VERSION", buf, TCL_GLOBAL_ONLY);
(void) sprintf(buf, "%d", KADM5_API_VERSION_2);
Tcl_SetVar(interp, "KADM5_API_VERSION_2", buf, TCL_GLOBAL_ONLY);
+ (void) sprintf(buf, "%d", KADM5_API_VERSION_3);
+ Tcl_SetVar(interp, "KADM5_API_VERSION_3", buf, TCL_GLOBAL_ONLY);
(void) sprintf(buf, "%d", KADM5_API_VERSION_MASK);
Tcl_SetVar(interp, "KADM5_API_VERSION_MASK", buf, TCL_GLOBAL_ONLY);
(void) sprintf(buf, "%d", KADM5_STRUCT_VERSION_MASK);