ipa: ipa_pwpolicy support maxrepeat, maxsequence, dictcheck, userchec…
…k, gracelimit
parsa97 committed Dec 14, 2023
1 parent 838e4e3 commit 3591dba
Showing 2 changed files with 160 additions and 17 deletions.
54 changes: 51 additions & 3 deletions plugins/modules/ipa_pwpolicy.py
Expand Up @@ -64,6 +64,28 @@
lockouttime:
description: Period (in seconds) for which users are locked out.
type: str
gracelimit:
description: Maximum number of ldap logins after password expiration.
type: str
version_added: 8.2.0
maxrepeat:
description: Maximum number of same consecutive characters.
type: str
version_added: 8.2.0
maxsequence:
description: The max. length of monotonic character sequences (abcd).
type: str
version_added: 8.2.0
dictcheck:
description: Check if the password is a dictionary word.
default: false
type: bool
version_added: 8.2.0
usercheck:
description: Check if the password contains the username.
default: false
type: bool
version_added: 8.2.0
extends_documentation_fragment:
- community.general.ipa.documentation
- community.general.attributes
Expand Down Expand Up @@ -93,9 +115,15 @@
historylength: '16'
minclasses: '4'
priority: '10'
minlength: '6'
maxfailcount: '4'
failinterval: '600'
lockouttime: '1200'
gracelimit: '3'
maxrepeat: '3'
maxsequence: '3'
dictcheck: True
usercheck: True
ipa_host: ipa.example.com
ipa_user: admin
ipa_pass: topsecret
Expand Down Expand Up @@ -159,7 +187,7 @@ def pwpolicy_del(self, name):

def get_pwpolicy_dict(maxpwdlife=None, minpwdlife=None, historylength=None, minclasses=None,
minlength=None, priority=None, maxfailcount=None, failinterval=None,
lockouttime=None):
lockouttime=None, gracelimit=None, maxrepeat=None, maxsequence=None, dictcheck=False, usercheck=False):
pwpolicy = {}
if maxpwdlife is not None:
pwpolicy['krbmaxpwdlife'] = maxpwdlife
Expand All @@ -179,6 +207,16 @@ def get_pwpolicy_dict(maxpwdlife=None, minpwdlife=None, historylength=None, minc
pwpolicy['krbpwdfailurecountinterval'] = failinterval
if lockouttime is not None:
pwpolicy['krbpwdlockoutduration'] = lockouttime
if gracelimit is not None:
pwpolicy['passwordgracelimit'] = gracelimit
if maxrepeat is not None:
pwpolicy['ipapwdmaxrepeat'] = maxrepeat
if maxsequence is not None:
pwpolicy['ipapwdmaxsequence'] = maxsequence
if dictcheck is True:
pwpolicy['ipapwddictcheck'] = 'True'
if usercheck is True:
pwpolicy['ipapwdusercheck'] = 'True'

return pwpolicy

Expand All @@ -199,7 +237,12 @@ def ensure(module, client):
priority=module.params.get('priority'),
maxfailcount=module.params.get('maxfailcount'),
failinterval=module.params.get('failinterval'),
lockouttime=module.params.get('lockouttime'))
lockouttime=module.params.get('lockouttime'),
gracelimit=module.params.get('gracelimit'),
maxrepeat=module.params.get('maxrepeat'),
maxsequence=module.params.get('maxsequence'),
dictcheck=module.params.get('dictcheck'),
usercheck=module.params.get('usercheck'))

ipa_pwpolicy = client.pwpolicy_find(name=name)

Expand Down Expand Up @@ -236,7 +279,12 @@ def main():
priority=dict(type='str'),
maxfailcount=dict(type='str'),
failinterval=dict(type='str'),
lockouttime=dict(type='str'))
lockouttime=dict(type='str'),
gracelimit=dict(type='str'),
maxrepeat=dict(type='str'),
maxsequence=dict(type='str'),
dictcheck=dict(type='bool'),
usercheck=dict(type='bool'))

module = AnsibleModule(argument_spec=argument_spec,
supports_check_mode=True)
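Review bot: In `get_pwpolicy_dict`, `dictcheck` and `usercheck` are written only when they are `True` (`if dictcheck is True:`), so a task that sets `dictcheck: false` sends nothing and, as far as these hunks show, can neither switch off nor report drift on a check that is already enabled on the server. Treating the flags as tri-state would close that gap: default both to `None` and emit `if dictcheck is not None: pwpolicy['ipapwddictcheck'] = 'True' if dictcheck else 'False'` (same for `usercheck`), after confirming which string form the IPA API returns so the comparison in `ensure` stays idempotent. The DOCUMENTATION block also declares `default: false` for both options while the `argument_spec` entries `dictcheck=dict(type='bool')` and `usercheck=dict(type='bool')` carry no default, so the documented and effective defaults differ. The bodies of `ensure` and `main` continue outside the visible hunks.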
123 changes: 109 additions & 14 deletions tests/unit/plugins/modules/test_ipa_pwpolicy.py
Expand Up @@ -100,7 +100,12 @@ def test_add(self):
'minlength': '16',
'maxfailcount': '6',
'failinterval': '60',
'lockouttime': '600'
'lockouttime': '600',
'gracelimit': '3',
'maxrepeat': '3',
'maxsequence': '3',
'dictcheck': True,
'usercheck': True
}
return_value = {}
mock_calls = (
Expand All @@ -124,7 +129,12 @@ def test_add(self):
'krbpwdminlength': '16',
'krbpwdmaxfailure': '6',
'krbpwdfailurecountinterval': '60',
'krbpwdlockoutduration': '600'
'krbpwdlockoutduration': '600',
'passwordgracelimit': '3',
'ipapwdmaxrepeat': '3',
'ipapwdmaxsequence': '3',
'ipapwddictcheck': 'True',
'ipapwdusercheck': 'True'
}
}
)
Expand All @@ -145,7 +155,12 @@ def test_aliases(self):
'minlength': '16',
'maxfailcount': '6',
'failinterval': '60',
'lockouttime': '600'
'lockouttime': '600',
'gracelimit': '3',
'maxrepeat': '3',
'maxsequence': '3',
'dictcheck': True,
'usercheck': True
}
return_value = {}
mock_calls = (
Expand All @@ -169,7 +184,12 @@ def test_aliases(self):
'krbpwdminlength': '16',
'krbpwdmaxfailure': '6',
'krbpwdfailurecountinterval': '60',
'krbpwdlockoutduration': '600'
'krbpwdlockoutduration': '600',
'passwordgracelimit': '3',
'ipapwdmaxrepeat': '3',
'ipapwdmaxsequence': '3',
'ipapwddictcheck': 'True',
'ipapwdusercheck': 'True'
}
}
)
Expand All @@ -190,7 +210,12 @@ def test_mod_different_args(self):
'minlength': '12',
'maxfailcount': '8',
'failinterval': '60',
'lockouttime': '600'
'lockouttime': '600',
'gracelimit': '3',
'maxrepeat': '3',
'maxsequence': '3',
'dictcheck': True,
'usercheck': True
}
return_value = {
'cn': ['sysops'],
Expand All @@ -203,6 +228,11 @@ def test_mod_different_args(self):
'krbpwdmaxfailure': ['6'],
'krbpwdfailurecountinterval': ['60'],
'krbpwdlockoutduration': ['600'],
'passwordgracelimit': ['3'],
'ipapwdmaxrepeat': ['3'],
'ipapwdmaxsequence': ['3'],
'ipapwddictcheck': ['True'],
'ipapwdusercheck': ['True'],
'dn': 'cn=sysops,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
'objectclass': ['top', 'nscontainer', 'krbpwdpolicy']
}
Expand All @@ -227,7 +257,12 @@ def test_mod_different_args(self):
'krbpwdminlength': '12',
'krbpwdmaxfailure': '8',
'krbpwdfailurecountinterval': '60',
'krbpwdlockoutduration': '600'
'krbpwdlockoutduration': '600',
'passwordgracelimit': '3',
'ipapwdmaxrepeat': '3',
'ipapwdmaxsequence': '3',
'ipapwddictcheck': 'True',
'ipapwdusercheck': 'True'
}
}
)
Expand All @@ -248,7 +283,12 @@ def test_mod_missing_args(self):
'minlength': '16',
'maxfailcount': '6',
'failinterval': '60',
'lockouttime': '600'
'lockouttime': '600',
'gracelimit': '3',
'maxrepeat': '3',
'maxsequence': '3',
'dictcheck': True,
'usercheck': True
}
return_value = {
'cn': ['sysops'],
Expand Down Expand Up @@ -281,7 +321,12 @@ def test_mod_missing_args(self):
'krbpwdminlength': '16',
'krbpwdmaxfailure': '6',
'krbpwdfailurecountinterval': '60',
'krbpwdlockoutduration': '600'
'krbpwdlockoutduration': '600',
'passwordgracelimit': '3',
'ipapwdmaxrepeat': '3',
'ipapwdmaxsequence': '3',
'ipapwddictcheck': 'True',
'ipapwdusercheck': 'True'
}
}
)
Expand Down Expand Up @@ -342,7 +387,12 @@ def test_no_change(self):
'minlength': '16',
'maxfailcount': '6',
'failinterval': '60',
'lockouttime': '600'
'lockouttime': '600',
'gracelimit': '3',
'maxrepeat': '3',
'maxsequence': '3',
'dictcheck': True,
'usercheck': True
}
return_value = {
'cn': ['admins'],
Expand All @@ -355,6 +405,11 @@ def test_no_change(self):
'krbpwdmaxfailure': ['6'],
'krbpwdfailurecountinterval': ['60'],
'krbpwdlockoutduration': ['600'],
'passwordgracelimit': ['3'],
'ipapwdmaxrepeat': ['3'],
'ipapwdmaxsequence': ['3'],
'ipapwddictcheck': ['True'],
'ipapwdusercheck': ['True'],
'dn': 'cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
'objectclass': ['top', 'nscontainer', 'krbpwdpolicy']
}
Expand Down Expand Up @@ -409,7 +464,12 @@ def test_global(self):
'minlength': '12',
'maxfailcount': '8',
'failinterval': '60',
'lockouttime': '600'
'lockouttime': '600',
'gracelimit': '3',
'maxrepeat': '3',
'maxsequence': '3',
'dictcheck': True,
'usercheck': True
}
return_value = {
'cn': ['global_policy'],
Expand All @@ -420,6 +480,11 @@ def test_global(self):
'krbpwdmaxfailure': ['6'],
'krbpwdfailurecountinterval': ['60'],
'krbpwdlockoutduration': ['600'],
'passwordgracelimit': ['3'],
'ipapwdmaxrepeat': ['3'],
'ipapwdmaxsequence': ['3'],
'ipapwddictcheck': ['True'],
'ipapwdusercheck': ['True'],
'dn': 'cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
'objectclass': ['top', 'nscontainer', 'krbpwdpolicy']
}
Expand All @@ -443,7 +508,12 @@ def test_global(self):
'krbpwdminlength': '12',
'krbpwdmaxfailure': '8',
'krbpwdfailurecountinterval': '60',
'krbpwdlockoutduration': '600'
'krbpwdlockoutduration': '600',
'passwordgracelimit': '3',
'ipapwdmaxrepeat': '3',
'ipapwdmaxsequence': '3',
'ipapwddictcheck': 'True',
'ipapwdusercheck': 'True'
}
}
)
Expand All @@ -461,7 +531,12 @@ def test_global_no_change(self):
'minlength': '16',
'maxfailcount': '6',
'failinterval': '60',
'lockouttime': '600'
'lockouttime': '600',
'gracelimit': '3',
'maxrepeat': '3',
'maxsequence': '3',
'dictcheck': True,
'usercheck': True
}
return_value = {
'cn': ['global_policy'],
Expand All @@ -473,6 +548,11 @@ def test_global_no_change(self):
'krbpwdmaxfailure': ['6'],
'krbpwdfailurecountinterval': ['60'],
'krbpwdlockoutduration': ['600'],
'passwordgracelimit': ['3'],
'ipapwdmaxrepeat': ['3'],
'ipapwdmaxsequence': ['3'],
'ipapwddictcheck': ['True'],
'ipapwdusercheck': ['True'],
'dn': 'cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
'objectclass': ['top', 'nscontainer', 'krbpwdpolicy']
}
Expand Down Expand Up @@ -504,7 +584,12 @@ def test_check_add(self):
'minlength': '16',
'maxfailcount': '6',
'failinterval': '60',
'lockouttime': '600'
'lockouttime': '600',
'gracelimit': '3',
'maxrepeat': '3',
'maxsequence': '3',
'dictcheck': True,
'usercheck': True
}
return_value = {}
mock_calls = [
Expand Down Expand Up @@ -535,7 +620,12 @@ def test_check_mod(self):
'minlength': '12',
'maxfailcount': '8',
'failinterval': '60',
'lockouttime': '600'
'lockouttime': '600',
'gracelimit': '3',
'maxrepeat': '3',
'maxsequence': '3',
'dictcheck': True,
'usercheck': True
}
return_value = {
'cn': ['sysops'],
Expand All @@ -548,6 +638,11 @@ def test_check_mod(self):
'krbpwdmaxfailure': ['6'],
'krbpwdfailurecountinterval': ['60'],
'krbpwdlockoutduration': ['600'],
'passwordgracelimit': ['3'],
'ipapwdmaxrepeat': ['3'],
'ipapwdmaxsequence': ['3'],
'ipapwddictcheck': ['True'],
'ipapwdusercheck': ['True'],
'dn': 'cn=sysops,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
'objectclass': ['top', 'nscontainer', 'krbpwdpolicy']
}
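Review bot: Every fixture added in this file passes `'dictcheck': True` and `'usercheck': True`, so the tests never exercise a `False` or omitted flag; the case where the server reports `'ipapwddictcheck': ['True']` and the task asks for `false` is not covered. A case modelled on `test_mod_different_args` with `'dictcheck': False`, asserting on the resulting `pwpolicy_mod` call (or on its absence), would pin down what the module is meant to do when a check has to be turned off. The `return_value` fixture of `test_mod_missing_args` is cut off by the hunk boundary, so whether it omits the new attributes cannot be checked from here; a short comment there naming the attributes deliberately left out would make that intent explicit.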
