mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-03-26 21:33:05 +00:00
58725364c1
On recent versions of FreeIPA option to verify passwords and for
controlling a password grace period have been added to IPA API.
This patch adds support for the parameters maxrepeat, maxsequence,
dictcheck and usercheck, available since FreeIPA, 4.9 and gracelimit,
available since FreeIPA 4.9.10.
Test playbooks for the module have been updated with the new supported
parameters.
New example playbooks can be found at:
playbooks/pwpolicy/pwpolicy_grace_limit.yml
playbooks/pwpolicy/pwpolicy_password_check.yml
388 lines
12 KiB
Python
388 lines
12 KiB
Python
# -*- coding: utf-8 -*-
|
|
|
|
# Authors:
|
|
# Thomas Woerner <twoerner@redhat.com>
|
|
# Rafael Guterres Jeffman <rjeffman@redhat.com>
|
|
#
|
|
# Copyright (C) 2019-2022 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
from __future__ import (absolute_import, division, print_function)
|
|
|
|
__metaclass__ = type
|
|
|
|
ANSIBLE_METADATA = {
|
|
"metadata_version": "1.0",
|
|
"supported_by": "community",
|
|
"status": ["preview"],
|
|
}
|
|
|
|
DOCUMENTATION = """
|
|
---
|
|
module: ipapwpolicy
|
|
short_description: Manage FreeIPA pwpolicies
|
|
description: Manage FreeIPA pwpolicies
|
|
extends_documentation_fragment:
|
|
- ipamodule_base_docs
|
|
options:
|
|
name:
|
|
description: The group name
|
|
type: list
|
|
elements: str
|
|
required: false
|
|
aliases: ["cn"]
|
|
maxlife:
|
|
description: Maximum password lifetime (in days)
|
|
type: int
|
|
required: false
|
|
aliases: ["krbmaxpwdlife"]
|
|
minlife:
|
|
description: Minimum password lifetime (in hours)
|
|
type: int
|
|
required: false
|
|
aliases: ["krbminpwdlife"]
|
|
history:
|
|
description: Password history size
|
|
type: int
|
|
required: false
|
|
aliases: ["krbpwdhistorylength"]
|
|
minclasses:
|
|
description: Minimum number of character classes
|
|
type: int
|
|
required: false
|
|
aliases: ["krbpwdmindiffchars"]
|
|
minlength:
|
|
description: Minimum length of password
|
|
type: int
|
|
required: false
|
|
aliases: ["krbpwdminlength"]
|
|
priority:
|
|
description: Priority of the policy (higher number means lower priority)
|
|
type: int
|
|
required: false
|
|
aliases: ["cospriority"]
|
|
maxfail:
|
|
description: Consecutive failures before lockout
|
|
type: int
|
|
required: false
|
|
aliases: ["krbpwdmaxfailure"]
|
|
failinterval:
|
|
description: Period after which failure count will be reset (seconds)
|
|
type: int
|
|
required: false
|
|
aliases: ["krbpwdfailurecountinterval"]
|
|
lockouttime:
|
|
description: Period for which lockout is enforced (seconds)
|
|
type: int
|
|
required: false
|
|
aliases: ["krbpwdlockoutduration"]
|
|
maxrepeat:
|
|
description: >
|
|
Maximum number of same consecutive characters.
|
|
Requires IPA 4.9+
|
|
type: int
|
|
required: false
|
|
aliases: ["ipapwdmaxrepeat"]
|
|
maxsequence:
|
|
description: >
|
|
The maximum length of monotonic character sequences (abcd).
|
|
Requires IPA 4.9+
|
|
type: int
|
|
required: false
|
|
aliases: ["ipapwdmaxsequence"]
|
|
dictcheck:
|
|
description: >
|
|
Check if the password is a dictionary word.
|
|
Requires IPA 4.9+
|
|
type: bool
|
|
required: false
|
|
aliases: ["ipapwdictcheck"]
|
|
usercheck:
|
|
description: >
|
|
Check if the password contains the username.
|
|
Requires IPA 4.9+
|
|
type: bool
|
|
required: false
|
|
aliases: ["ipapwdusercheck"]
|
|
gracelimit:
|
|
description: >
|
|
Number of LDAP authentications allowed after expiration.
|
|
Requires IPA 4.10.1+
|
|
type: int
|
|
required: false
|
|
aliases: ["passwordgracelimit"]
|
|
state:
|
|
description: State to ensure
|
|
type: str
|
|
default: present
|
|
choices: ["present", "absent"]
|
|
author:
|
|
- Thomas Woerner (@t-woerner)
|
|
- Rafael Guterres Jeffman (@rjeffman)
|
|
"""
|
|
|
|
EXAMPLES = """
|
|
# Ensure pwpolicy is set for ops
|
|
- ipapwpolicy:
|
|
ipaadmin_password: SomeADMINpassword
|
|
name: ops
|
|
minlife: 7
|
|
maxlife: 49
|
|
history: 5
|
|
priority: 1
|
|
lockouttime: 300
|
|
minlength: 8
|
|
"""
|
|
|
|
RETURN = """
|
|
"""
|
|
|
|
from ansible.module_utils.ansible_freeipa_module import \
|
|
IPAAnsibleModule, compare_args_ipa
|
|
|
|
|
|
def find_pwpolicy(module, name):
|
|
_args = {
|
|
"all": True,
|
|
"cn": name,
|
|
}
|
|
|
|
_result = module.ipa_command("pwpolicy_find", name, _args)
|
|
|
|
if len(_result["result"]) > 1:
|
|
module.fail_json(
|
|
msg="There is more than one pwpolicy '%s'" % (name))
|
|
elif len(_result["result"]) == 1:
|
|
return _result["result"][0]
|
|
|
|
return None
|
|
|
|
|
|
def gen_args(maxlife, minlife, history, minclasses, minlength, priority,
|
|
maxfail, failinterval, lockouttime, maxrepeat, maxsequence,
|
|
dictcheck, usercheck, gracelimit):
|
|
_args = {}
|
|
if maxlife is not None:
|
|
_args["krbmaxpwdlife"] = maxlife
|
|
if minlife is not None:
|
|
_args["krbminpwdlife"] = minlife
|
|
if history is not None:
|
|
_args["krbpwdhistorylength"] = history
|
|
if minclasses is not None:
|
|
_args["krbpwdmindiffchars"] = minclasses
|
|
if minlength is not None:
|
|
_args["krbpwdminlength"] = minlength
|
|
if priority is not None:
|
|
_args["cospriority"] = priority
|
|
if maxfail is not None:
|
|
_args["krbpwdmaxfailure"] = maxfail
|
|
if failinterval is not None:
|
|
_args["krbpwdfailurecountinterval"] = failinterval
|
|
if lockouttime is not None:
|
|
_args["krbpwdlockoutduration"] = lockouttime
|
|
if maxrepeat is not None:
|
|
_args["ipapwdmaxrepeat"] = maxrepeat
|
|
if maxsequence is not None:
|
|
_args["ipapwdmaxrsequence"] = maxsequence
|
|
if dictcheck is not None:
|
|
_args["ipapwddictcheck"] = dictcheck
|
|
if usercheck is not None:
|
|
_args["ipapwdusercheck"] = usercheck
|
|
if gracelimit is not None:
|
|
_args["passwordgracelimit"] = gracelimit
|
|
|
|
return _args
|
|
|
|
|
|
def check_supported_params(
|
|
module, maxrepeat, maxsequence, dictcheck, usercheck, gracelimit
|
|
):
|
|
# All password checking parameters were added by the same commit,
|
|
# so we only need to test one of them.
|
|
has_password_check = module.ipa_command_param_exists(
|
|
"pwpolicy_add", "ipapwdmaxrepeat")
|
|
# check if gracelimit is supported
|
|
has_gracelimit = module.ipa_command_param_exists(
|
|
"pwpolicy_add", "passwordgracelimit")
|
|
|
|
# If needed, report unsupported password checking paramteres
|
|
if not has_password_check:
|
|
check_password_params = [maxrepeat, maxsequence, dictcheck, usercheck]
|
|
unsupported = [
|
|
x for x in check_password_params if x is not None
|
|
]
|
|
if unsupported:
|
|
module.fail_json(
|
|
msg="Your IPA version does not support arguments: "
|
|
"maxrepeat, maxsequence, dictcheck, usercheck.")
|
|
|
|
if gracelimit is not None and not has_gracelimit:
|
|
module.fail_json(
|
|
msg="Your IPA version does not support 'gracelimit'.")
|
|
|
|
|
|
def main():
|
|
ansible_module = IPAAnsibleModule(
|
|
argument_spec=dict(
|
|
# general
|
|
name=dict(type="list", elements="str", aliases=["cn"],
|
|
default=None, required=False),
|
|
# present
|
|
|
|
maxlife=dict(type="int", aliases=["krbmaxpwdlife"], default=None),
|
|
minlife=dict(type="int", aliases=["krbminpwdlife"], default=None),
|
|
history=dict(type="int", aliases=["krbpwdhistorylength"],
|
|
default=None),
|
|
minclasses=dict(type="int", aliases=["krbpwdmindiffchars"],
|
|
default=None),
|
|
minlength=dict(type="int", aliases=["krbpwdminlength"],
|
|
default=None),
|
|
priority=dict(type="int", aliases=["cospriority"], default=None),
|
|
maxfail=dict(type="int", aliases=["krbpwdmaxfailure"],
|
|
default=None),
|
|
failinterval=dict(type="int",
|
|
aliases=["krbpwdfailurecountinterval"],
|
|
default=None),
|
|
lockouttime=dict(type="int", aliases=["krbpwdlockoutduration"],
|
|
default=None),
|
|
maxrepeat=dict(type="int", aliases=["ipapwdmaxrepeat"],
|
|
default=None),
|
|
maxsequence=dict(type="int", aliases=["ipapwdmaxsequence"],
|
|
default=None),
|
|
dictcheck=dict(type="bool", aliases=["ipapwdictcheck"],
|
|
default=None),
|
|
usercheck=dict(type="bool", aliases=["ipapwusercheck"],
|
|
default=None),
|
|
gracelimit=dict(type="int", aliases=["passwordgracelimit"],
|
|
default=None),
|
|
# state
|
|
state=dict(type="str", default="present",
|
|
choices=["present", "absent"]),
|
|
),
|
|
supports_check_mode=True,
|
|
)
|
|
|
|
ansible_module._ansible_debug = True
|
|
|
|
# Get parameters
|
|
|
|
# general
|
|
names = ansible_module.params_get("name")
|
|
|
|
# present
|
|
maxlife = ansible_module.params_get("maxlife")
|
|
minlife = ansible_module.params_get("minlife")
|
|
history = ansible_module.params_get("history")
|
|
minclasses = ansible_module.params_get("minclasses")
|
|
minlength = ansible_module.params_get("minlength")
|
|
priority = ansible_module.params_get("priority")
|
|
maxfail = ansible_module.params_get("maxfail")
|
|
failinterval = ansible_module.params_get("failinterval")
|
|
lockouttime = ansible_module.params_get("lockouttime")
|
|
maxrepeat = ansible_module.params_get("maxrepeat")
|
|
maxsequence = ansible_module.params_get("maxsequence")
|
|
dictcheck = ansible_module.params_get("dictcheck")
|
|
usercheck = ansible_module.params_get("usercheck")
|
|
gracelimit = ansible_module.params_get("gracelimit")
|
|
|
|
# state
|
|
state = ansible_module.params_get("state")
|
|
|
|
# Check parameters
|
|
invalid = []
|
|
|
|
if names is None:
|
|
names = [u"global_policy"]
|
|
|
|
if state == "present":
|
|
if len(names) != 1:
|
|
ansible_module.fail_json(
|
|
msg="Only one pwpolicy can be set at a time.")
|
|
|
|
if state == "absent":
|
|
if len(names) < 1:
|
|
ansible_module.fail_json(msg="No name given.")
|
|
if "global_policy" in names:
|
|
ansible_module.fail_json(
|
|
msg="'global_policy' can not be made absent.")
|
|
invalid = ["maxlife", "minlife", "history", "minclasses",
|
|
"minlength", "priority", "maxfail", "failinterval",
|
|
"lockouttime", "maxrepeat", "maxsequence", "dictcheck",
|
|
"usercheck", "gracelimit"]
|
|
|
|
ansible_module.params_fail_used_invalid(invalid, state)
|
|
|
|
if gracelimit is not None:
|
|
if gracelimit < -1:
|
|
ansible_module.fail_json(
|
|
msg="'gracelimit' must be no less than -1")
|
|
|
|
# Init
|
|
|
|
changed = False
|
|
exit_args = {}
|
|
|
|
with ansible_module.ipa_connect():
|
|
|
|
check_supported_params(
|
|
ansible_module, maxrepeat, maxsequence, dictcheck, usercheck,
|
|
gracelimit
|
|
)
|
|
|
|
commands = []
|
|
|
|
for name in names:
|
|
# Try to find pwpolicy
|
|
res_find = find_pwpolicy(ansible_module, name)
|
|
|
|
# Create command
|
|
if state == "present":
|
|
# Generate args
|
|
args = gen_args(maxlife, minlife, history, minclasses,
|
|
minlength, priority, maxfail, failinterval,
|
|
lockouttime, maxrepeat, maxsequence, dictcheck,
|
|
usercheck, gracelimit)
|
|
|
|
# Found the pwpolicy
|
|
if res_find is not None:
|
|
# For all settings is args, check if there are
|
|
# different settings in the find result.
|
|
# If yes: modify
|
|
if not compare_args_ipa(ansible_module, args,
|
|
res_find):
|
|
commands.append([name, "pwpolicy_mod", args])
|
|
else:
|
|
commands.append([name, "pwpolicy_add", args])
|
|
|
|
elif state == "absent":
|
|
if res_find is not None:
|
|
commands.append([name, "pwpolicy_del", {}])
|
|
|
|
else:
|
|
ansible_module.fail_json(msg="Unkown state '%s'" % state)
|
|
|
|
# Execute commands
|
|
|
|
changed = ansible_module.execute_ipa_commands(commands)
|
|
|
|
# Done
|
|
|
|
ansible_module.exit_json(changed=changed, **exit_args)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|