
ipa: ipa_pwpolicy update pwpolicy module (#7723)

* ipa: ipa_pwpolicy support maxrepeat, maxsequence, dictcheck, usercheck, gracelimit

* ipa: ipa_pwdpolicy replace if statements with for loop

* ipa: ipa_pwdpolicy add changelog
Parsa Yousefi 2023-12-31 17:51:59 +03:30 committed by GitHub
parent 4f92f39720
commit 6afe35d263
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 180 additions and 35 deletions


@ -0,0 +1,3 @@
minor_changes:
- ipa_pwpolicy - update module to support ``maxrepeat``, ``maxsequence``, ``dictcheck``, ``usercheck``, ``gracelimit`` parameters in FreeIPA password policies (https://github.com/ansible-collections/community.general/pull/7723).
- ipa_pwpolicy - refactor module and exchange a sequence ``if`` statements with a ``for`` loop (https://github.com/ansible-collections/community.general/pull/7723).


@ -64,6 +64,26 @@ options:
lockouttime: lockouttime:
description: Period (in seconds) for which users are locked out. description: Period (in seconds) for which users are locked out.
type: str type: str
gracelimit:
description: Maximum number of LDAP logins after password expiration.
type: int
version_added: 8.2.0
maxrepeat:
description: Maximum number of allowed same consecutive characters in the new password.
type: int
version_added: 8.2.0
maxsequence:
description: Maximum length of monotonic character sequences in the new password. An example of a monotonic sequence of length 5 is V(12345).
type: int
version_added: 8.2.0
dictcheck:
description: Check whether the password (with possible modifications) matches a word in a dictionary (using cracklib).
type: bool
version_added: 8.2.0
usercheck:
description: Check whether the password (with possible modifications) contains the user name in some form (if the name has > 3 characters).
type: bool
version_added: 8.2.0
extends_documentation_fragment: extends_documentation_fragment:
- community.general.ipa.documentation - community.general.ipa.documentation
- community.general.attributes - community.general.attributes
@ -93,9 +113,15 @@ EXAMPLES = r'''
historylength: '16' historylength: '16'
minclasses: '4' minclasses: '4'
priority: '10' priority: '10'
minlength: '6'
maxfailcount: '4' maxfailcount: '4'
failinterval: '600' failinterval: '600'
lockouttime: '1200' lockouttime: '1200'
gracelimit: 3
maxrepeat: 3
maxsequence: 3
dictcheck: true
usercheck: true
ipa_host: ipa.example.com ipa_host: ipa.example.com
ipa_user: admin ipa_user: admin
ipa_pass: topsecret ipa_pass: topsecret
@ -159,26 +185,35 @@ class PwPolicyIPAClient(IPAClient):
def get_pwpolicy_dict(maxpwdlife=None, minpwdlife=None, historylength=None, minclasses=None, def get_pwpolicy_dict(maxpwdlife=None, minpwdlife=None, historylength=None, minclasses=None,
minlength=None, priority=None, maxfailcount=None, failinterval=None, minlength=None, priority=None, maxfailcount=None, failinterval=None,
lockouttime=None): lockouttime=None, gracelimit=None, maxrepeat=None, maxsequence=None, dictcheck=None, usercheck=None):
pwpolicy = {} pwpolicy = {}
if maxpwdlife is not None: pwpolicy_options = {
pwpolicy['krbmaxpwdlife'] = maxpwdlife 'krbmaxpwdlife': maxpwdlife,
if minpwdlife is not None: 'krbminpwdlife': minpwdlife,
pwpolicy['krbminpwdlife'] = minpwdlife 'krbpwdhistorylength': historylength,
if historylength is not None: 'krbpwdmindiffchars': minclasses,
pwpolicy['krbpwdhistorylength'] = historylength 'krbpwdminlength': minlength,
if minclasses is not None: 'cospriority': priority,
pwpolicy['krbpwdmindiffchars'] = minclasses 'krbpwdmaxfailure': maxfailcount,
if minlength is not None: 'krbpwdfailurecountinterval': failinterval,
pwpolicy['krbpwdminlength'] = minlength 'krbpwdlockoutduration': lockouttime,
if priority is not None: 'passwordgracelimit': gracelimit,
pwpolicy['cospriority'] = priority 'ipapwdmaxrepeat': maxrepeat,
if maxfailcount is not None: 'ipapwdmaxsequence': maxsequence,
pwpolicy['krbpwdmaxfailure'] = maxfailcount }
if failinterval is not None:
pwpolicy['krbpwdfailurecountinterval'] = failinterval pwpolicy_boolean_options = {
if lockouttime is not None: 'ipapwddictcheck': dictcheck,
pwpolicy['krbpwdlockoutduration'] = lockouttime 'ipapwdusercheck': usercheck,
}
for option, value in pwpolicy_options.items():
if value is not None:
pwpolicy[option] = to_native(value)
for option, value in pwpolicy_boolean_options.items():
if value is not None:
pwpolicy[option] = bool(value)
return pwpolicy return pwpolicy
@ -199,7 +234,13 @@ def ensure(module, client):
priority=module.params.get('priority'), priority=module.params.get('priority'),
maxfailcount=module.params.get('maxfailcount'), maxfailcount=module.params.get('maxfailcount'),
failinterval=module.params.get('failinterval'), failinterval=module.params.get('failinterval'),
lockouttime=module.params.get('lockouttime')) lockouttime=module.params.get('lockouttime'),
gracelimit=module.params.get('gracelimit'),
maxrepeat=module.params.get('maxrepeat'),
maxsequence=module.params.get('maxsequence'),
dictcheck=module.params.get('dictcheck'),
usercheck=module.params.get('usercheck'),
)
ipa_pwpolicy = client.pwpolicy_find(name=name) ipa_pwpolicy = client.pwpolicy_find(name=name)
@ -236,7 +277,13 @@ def main():
priority=dict(type='str'), priority=dict(type='str'),
maxfailcount=dict(type='str'), maxfailcount=dict(type='str'),
failinterval=dict(type='str'), failinterval=dict(type='str'),
lockouttime=dict(type='str')) lockouttime=dict(type='str'),
gracelimit=dict(type='int'),
maxrepeat=dict(type='int'),
maxsequence=dict(type='int'),
dictcheck=dict(type='bool'),
usercheck=dict(type='bool'),
)
module = AnsibleModule(argument_spec=argument_spec, module = AnsibleModule(argument_spec=argument_spec,
supports_check_mode=True) supports_check_mode=True)
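Review bot: In the `get_pwpolicy_dict` hunk the three new integer options are stringified through `to_native(value)` while `dictcheck`/`usercheck` are kept as `bool(value)`, and nothing in the code records why the two families are normalised differently; since `ensure` (its body continues outside the hunk) compares this dict against what `client.pwpolicy_find` returns, the module stays idempotent only if the server reports `passwordgracelimit`, `ipapwdmaxrepeat` and `ipapwdmaxsequence` as strings and the two check flags as booleans, which is what the test fixtures assume but is worth confirming against a live server. A comment above the two loops such as `# Server reports numeric policy attributes as strings and the *check flags as booleans; normalise to that shape so the diff in ensure() does not report a change on every run` would make the contract explicit. The function also lacks a docstring; a short one saying that parameters left as `None` are omitted from the returned dict and that the keys are the raw IPA attribute names would help the next maintainer. Separately, `gracelimit` is passed through with no range check, so if the server gives special meaning to zero or negative values (such as disabling or removing the limit) the option description should say so rather than leave it to the operator to discover.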


@ -100,7 +100,12 @@ class TestIPAPwPolicy(ModuleTestCase):
'minlength': '16', 'minlength': '16',
'maxfailcount': '6', 'maxfailcount': '6',
'failinterval': '60', 'failinterval': '60',
'lockouttime': '600' 'lockouttime': '600',
'gracelimit': 3,
'maxrepeat': 3,
'maxsequence': 3,
'dictcheck': True,
'usercheck': True,
} }
return_value = {} return_value = {}
mock_calls = ( mock_calls = (
@ -124,7 +129,12 @@ class TestIPAPwPolicy(ModuleTestCase):
'krbpwdminlength': '16', 'krbpwdminlength': '16',
'krbpwdmaxfailure': '6', 'krbpwdmaxfailure': '6',
'krbpwdfailurecountinterval': '60', 'krbpwdfailurecountinterval': '60',
'krbpwdlockoutduration': '600' 'krbpwdlockoutduration': '600',
'passwordgracelimit': '3',
'ipapwdmaxrepeat': '3',
'ipapwdmaxsequence': '3',
'ipapwddictcheck': True,
'ipapwdusercheck': True,
} }
} }
) )
@ -145,7 +155,12 @@ class TestIPAPwPolicy(ModuleTestCase):
'minlength': '16', 'minlength': '16',
'maxfailcount': '6', 'maxfailcount': '6',
'failinterval': '60', 'failinterval': '60',
'lockouttime': '600' 'lockouttime': '600',
'gracelimit': 3,
'maxrepeat': 3,
'maxsequence': 3,
'dictcheck': True,
'usercheck': True,
} }
return_value = {} return_value = {}
mock_calls = ( mock_calls = (
@ -169,7 +184,12 @@ class TestIPAPwPolicy(ModuleTestCase):
'krbpwdminlength': '16', 'krbpwdminlength': '16',
'krbpwdmaxfailure': '6', 'krbpwdmaxfailure': '6',
'krbpwdfailurecountinterval': '60', 'krbpwdfailurecountinterval': '60',
'krbpwdlockoutduration': '600' 'krbpwdlockoutduration': '600',
'passwordgracelimit': '3',
'ipapwdmaxrepeat': '3',
'ipapwdmaxsequence': '3',
'ipapwddictcheck': True,
'ipapwdusercheck': True,
} }
} }
) )
@ -190,7 +210,12 @@ class TestIPAPwPolicy(ModuleTestCase):
'minlength': '12', 'minlength': '12',
'maxfailcount': '8', 'maxfailcount': '8',
'failinterval': '60', 'failinterval': '60',
'lockouttime': '600' 'lockouttime': '600',
'gracelimit': 3,
'maxrepeat': 3,
'maxsequence': 3,
'dictcheck': True,
'usercheck': True,
} }
return_value = { return_value = {
'cn': ['sysops'], 'cn': ['sysops'],
@ -203,6 +228,11 @@ class TestIPAPwPolicy(ModuleTestCase):
'krbpwdmaxfailure': ['6'], 'krbpwdmaxfailure': ['6'],
'krbpwdfailurecountinterval': ['60'], 'krbpwdfailurecountinterval': ['60'],
'krbpwdlockoutduration': ['600'], 'krbpwdlockoutduration': ['600'],
'passwordgracelimit': ['3'],
'ipapwdmaxrepeat': ['3'],
'ipapwdmaxsequence': ['3'],
'ipapwddictcheck': [True],
'ipapwdusercheck': [True],
'dn': 'cn=sysops,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com', 'dn': 'cn=sysops,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
'objectclass': ['top', 'nscontainer', 'krbpwdpolicy'] 'objectclass': ['top', 'nscontainer', 'krbpwdpolicy']
} }
@ -227,7 +257,12 @@ class TestIPAPwPolicy(ModuleTestCase):
'krbpwdminlength': '12', 'krbpwdminlength': '12',
'krbpwdmaxfailure': '8', 'krbpwdmaxfailure': '8',
'krbpwdfailurecountinterval': '60', 'krbpwdfailurecountinterval': '60',
'krbpwdlockoutduration': '600' 'krbpwdlockoutduration': '600',
'passwordgracelimit': '3',
'ipapwdmaxrepeat': '3',
'ipapwdmaxsequence': '3',
'ipapwddictcheck': True,
'ipapwdusercheck': True,
} }
} }
) )
@ -248,7 +283,12 @@ class TestIPAPwPolicy(ModuleTestCase):
'minlength': '16', 'minlength': '16',
'maxfailcount': '6', 'maxfailcount': '6',
'failinterval': '60', 'failinterval': '60',
'lockouttime': '600' 'lockouttime': '600',
'gracelimit': 3,
'maxrepeat': 3,
'maxsequence': 3,
'dictcheck': True,
'usercheck': True,
} }
return_value = { return_value = {
'cn': ['sysops'], 'cn': ['sysops'],
@ -281,7 +321,12 @@ class TestIPAPwPolicy(ModuleTestCase):
'krbpwdminlength': '16', 'krbpwdminlength': '16',
'krbpwdmaxfailure': '6', 'krbpwdmaxfailure': '6',
'krbpwdfailurecountinterval': '60', 'krbpwdfailurecountinterval': '60',
'krbpwdlockoutduration': '600' 'krbpwdlockoutduration': '600',
'passwordgracelimit': '3',
'ipapwdmaxrepeat': '3',
'ipapwdmaxsequence': '3',
'ipapwddictcheck': True,
'ipapwdusercheck': True,
} }
} }
) )
@ -342,7 +387,12 @@ class TestIPAPwPolicy(ModuleTestCase):
'minlength': '16', 'minlength': '16',
'maxfailcount': '6', 'maxfailcount': '6',
'failinterval': '60', 'failinterval': '60',
'lockouttime': '600' 'lockouttime': '600',
'gracelimit': 3,
'maxrepeat': 3,
'maxsequence': 3,
'dictcheck': True,
'usercheck': True,
} }
return_value = { return_value = {
'cn': ['admins'], 'cn': ['admins'],
@ -355,6 +405,11 @@ class TestIPAPwPolicy(ModuleTestCase):
'krbpwdmaxfailure': ['6'], 'krbpwdmaxfailure': ['6'],
'krbpwdfailurecountinterval': ['60'], 'krbpwdfailurecountinterval': ['60'],
'krbpwdlockoutduration': ['600'], 'krbpwdlockoutduration': ['600'],
'passwordgracelimit': ['3'],
'ipapwdmaxrepeat': ['3'],
'ipapwdmaxsequence': ['3'],
'ipapwddictcheck': [True],
'ipapwdusercheck': [True],
'dn': 'cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com', 'dn': 'cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
'objectclass': ['top', 'nscontainer', 'krbpwdpolicy'] 'objectclass': ['top', 'nscontainer', 'krbpwdpolicy']
} }
@ -409,7 +464,12 @@ class TestIPAPwPolicy(ModuleTestCase):
'minlength': '12', 'minlength': '12',
'maxfailcount': '8', 'maxfailcount': '8',
'failinterval': '60', 'failinterval': '60',
'lockouttime': '600' 'lockouttime': '600',
'gracelimit': 3,
'maxrepeat': 3,
'maxsequence': 3,
'dictcheck': True,
'usercheck': True,
} }
return_value = { return_value = {
'cn': ['global_policy'], 'cn': ['global_policy'],
@ -420,6 +480,11 @@ class TestIPAPwPolicy(ModuleTestCase):
'krbpwdmaxfailure': ['6'], 'krbpwdmaxfailure': ['6'],
'krbpwdfailurecountinterval': ['60'], 'krbpwdfailurecountinterval': ['60'],
'krbpwdlockoutduration': ['600'], 'krbpwdlockoutduration': ['600'],
'passwordgracelimit': ['3'],
'ipapwdmaxrepeat': ['3'],
'ipapwdmaxsequence': ['3'],
'ipapwddictcheck': [True],
'ipapwdusercheck': [True],
'dn': 'cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com', 'dn': 'cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
'objectclass': ['top', 'nscontainer', 'krbpwdpolicy'] 'objectclass': ['top', 'nscontainer', 'krbpwdpolicy']
} }
@ -443,7 +508,12 @@ class TestIPAPwPolicy(ModuleTestCase):
'krbpwdminlength': '12', 'krbpwdminlength': '12',
'krbpwdmaxfailure': '8', 'krbpwdmaxfailure': '8',
'krbpwdfailurecountinterval': '60', 'krbpwdfailurecountinterval': '60',
'krbpwdlockoutduration': '600' 'krbpwdlockoutduration': '600',
'passwordgracelimit': '3',
'ipapwdmaxrepeat': '3',
'ipapwdmaxsequence': '3',
'ipapwddictcheck': True,
'ipapwdusercheck': True,
} }
} }
) )
@ -461,7 +531,12 @@ class TestIPAPwPolicy(ModuleTestCase):
'minlength': '16', 'minlength': '16',
'maxfailcount': '6', 'maxfailcount': '6',
'failinterval': '60', 'failinterval': '60',
'lockouttime': '600' 'lockouttime': '600',
'gracelimit': 3,
'maxrepeat': 3,
'maxsequence': 3,
'dictcheck': True,
'usercheck': True,
} }
return_value = { return_value = {
'cn': ['global_policy'], 'cn': ['global_policy'],
@ -473,6 +548,11 @@ class TestIPAPwPolicy(ModuleTestCase):
'krbpwdmaxfailure': ['6'], 'krbpwdmaxfailure': ['6'],
'krbpwdfailurecountinterval': ['60'], 'krbpwdfailurecountinterval': ['60'],
'krbpwdlockoutduration': ['600'], 'krbpwdlockoutduration': ['600'],
'passwordgracelimit': ['3'],
'ipapwdmaxrepeat': ['3'],
'ipapwdmaxsequence': ['3'],
'ipapwddictcheck': [True],
'ipapwdusercheck': [True],
'dn': 'cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com', 'dn': 'cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
'objectclass': ['top', 'nscontainer', 'krbpwdpolicy'] 'objectclass': ['top', 'nscontainer', 'krbpwdpolicy']
} }
@ -504,7 +584,12 @@ class TestIPAPwPolicy(ModuleTestCase):
'minlength': '16', 'minlength': '16',
'maxfailcount': '6', 'maxfailcount': '6',
'failinterval': '60', 'failinterval': '60',
'lockouttime': '600' 'lockouttime': '600',
'gracelimit': 3,
'maxrepeat': 3,
'maxsequence': 3,
'dictcheck': True,
'usercheck': True,
} }
return_value = {} return_value = {}
mock_calls = [ mock_calls = [
@ -535,7 +620,12 @@ class TestIPAPwPolicy(ModuleTestCase):
'minlength': '12', 'minlength': '12',
'maxfailcount': '8', 'maxfailcount': '8',
'failinterval': '60', 'failinterval': '60',
'lockouttime': '600' 'lockouttime': '600',
'gracelimit': 3,
'maxrepeat': 3,
'maxsequence': 3,
'dictcheck': True,
'usercheck': True,
} }
return_value = { return_value = {
'cn': ['sysops'], 'cn': ['sysops'],
@ -548,6 +638,11 @@ class TestIPAPwPolicy(ModuleTestCase):
'krbpwdmaxfailure': ['6'], 'krbpwdmaxfailure': ['6'],
'krbpwdfailurecountinterval': ['60'], 'krbpwdfailurecountinterval': ['60'],
'krbpwdlockoutduration': ['600'], 'krbpwdlockoutduration': ['600'],
'passwordgracelimit': ['3'],
'ipapwdmaxrepeat': ['3'],
'ipapwdmaxsequence': ['3'],
'ipapwddictcheck': [True],
'ipapwdusercheck': [True],
'dn': 'cn=sysops,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com', 'dn': 'cn=sysops,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
'objectclass': ['top', 'nscontainer', 'krbpwdpolicy'] 'objectclass': ['top', 'nscontainer', 'krbpwdpolicy']
} }
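Review bot: Every fixture in this file sets the five new parameters to the same values (`3` and `True`), and the `pwpolicy_find` return values added in the hunks starting at `@ -203,6 +228,11 @@`, `@ -355,6 +405,11 @@`, `@ -420,6 +480,11 @@`, `@ -473,6 +548,11 @@` and `@ -548,6 +638,11 @@` mirror those values exactly, so no test exercises a new attribute being changed, omitted, or set to `False`; in particular the `bool(value)` path for a `False` flag and the string-versus-int handling of `gracelimit` are never asserted. One additional case where, for example, `dictcheck` is `False` while the find result still returns `[True]`, asserting that `pwpolicy_mod` is called with `'ipapwddictcheck': False`, would cover the branches the module change actually introduces.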