Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

roles, adding default domain password policy management #139

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

roles, adding default domain password policy management #139

wants to merge 7 commits into from

Conversation

danlavu
Copy link

@danlavu danlavu commented Nov 27, 2024
edited
Loading

Tests PR, SSSD/sssd#7728

This PR is larger than I expected.

misc.py

  • added seconds to timespan method and test, timespan is the powershell M:D:H:S:F format

authentication.py

  • SUAuthentication, added password_expired_with_output
  • SSHAuthentication, added password_expired_with_output
  • like password_with_out, replaced put with a valid {{exitmsg}}

roles/ad.py, roles/ipa.py, roles/samba.py, roles/ldap.py

  • added PasswordPolicy class
  • password.lockout(duration, attempts)
  • password.complexity(enable)
  • password.age(min, max)
  • password.requirements(length)
  • additionally to LDAP, added password.get() and password.set() and added ACI to the password constructor.

roles/generic.py

  • added GenericPasswordPolicy class

@danlavu danlavu added the enhancement New feature or request label Nov 27, 2024
@danlavu danlavu marked this pull request as draft November 27, 2024 12:55
@danlavu danlavu force-pushed the roles-password-policy branch 2 times, most recently from 6ce3b2f to a0156fe Compare November 29, 2024 06:05
@danlavu danlavu mentioned this pull request Nov 30, 2024
Draft
@danlavu danlavu force-pushed the roles-password-policy branch 6 times, most recently from e63f374 to fe86c02 Compare December 4, 2024 01:51
@danlavu danlavu marked this pull request as ready for review December 4, 2024 01:54
@andreboscatto andreboscatto requested a review from aplopez December 5, 2024 13:53
aplopez
aplopez reviewed Dec 10, 2024
View reviewed changes
sssd_test_framework/roles/ipa.py
"minclasses": (self.cli.option.VALUE, 5),
"priority": (self.cli.option.VALUE, 1),
}
self._add(attrs)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are you calling self._add() here but self._modify() in the else section?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's the way the command is constructed. IPARole._add is ipa pwpolicy add , while IPARole._modify is ipa pwpolicy modify. If enabled, we are adding the values that don't exist, to disable it, we are modifying the existing values.

Copy link
Contributor

@aplopez aplopez Dec 18, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens if the test has code like this?

ipp = IPAPasswordPolicy(...)
...
ipp.complexity(true)
...
ipp.complexity(false)
...
ipp.complexity(true)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch, I'll go ahead and add something to check to see if the attribute exists and decide which function to use.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aplopez , I added another conditional, if the policy is empty. I had to update IPAObject.get() to return None and raise no errors if the results are empty.

@danlavu danlavu force-pushed the roles-password-policy branch 5 times, most recently from 3eab089 to 13eef9b Compare December 11, 2024 03:22
@danlavu
Copy link
Author

danlavu commented Dec 11, 2024

The tests are passing locally.

tests/test_authentication.py::test_authentication__with_default_settings[root-su] (ad) 
tests/test_authentication.py::test_authentication__with_default_settings[root-ssh] (ad) 
tests/test_authentication.py::test_authentication__with_default_settings[sssd-su] (ad) 
tests/test_authentication.py::test_authentication__with_default_settings[sssd-ssh] (ad) 
tests/test_authentication.py::test_authentication__password_change_on_login[root-su] (ad) 
tests/test_authentication.py::test_authentication__password_change_on_login[root-ssh] (ad) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-su] (ad) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-ssh] (ad) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[su] (ad) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[ssh] (ad) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-su] (ad) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-ssh] (ad) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-su] (ad) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-ssh] (ad) 
tests/test_authentication.py::test_authentication__using_the_users_email_address[root-su] (ad) 
tests/test_authentication.py::test_authentication__using_the_users_email_address[root-ssh] (ad) 
tests/test_authentication.py::test_authentication__using_the_users_email_address[sssd-su] (ad) 
tests/test_authentication.py::test_authentication__using_the_users_email_address[sssd-ssh] (ad) 
tests/test_authentication.py::test_authentication__with_default_settings[root-su] (ipa) 
tests/test_authentication.py::test_authentication__with_default_settings[root-ssh] (ipa) 
tests/test_authentication.py::test_authentication__with_default_settings[sssd-su] (ipa) 
tests/test_authentication.py::test_authentication__with_default_settings[sssd-ssh] (ipa) 
tests/test_authentication.py::test_authentication__password_change_on_login[root-su] (ipa) 
tests/test_authentication.py::test_authentication__password_change_on_login[root-ssh] (ipa) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-su] (ipa) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-ssh] (ipa) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[su] (ipa) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[ssh] (ipa) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-su] (ipa) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-ssh] (ipa) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-su] (ipa) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-ssh] (ipa) 
tests/test_authentication.py::test_authentication__with_default_settings[root-su] (ldap) 
tests/test_authentication.py::test_authentication__password_change_on_login[root-ssh] (ldap) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-su] (ldap) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-ssh] (ldap) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[su] (ldap) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[ssh] (ldap) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-su] (ldap) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-ssh] (ldap) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-su] (ldap) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-ssh] (ldap) 
tests/test_authentication.py::test_authentication__with_default_settings[root-su] (samba) 
tests/test_authentication.py::test_authentication__with_default_settings[root-ssh] (samba) 
tests/test_authentication.py::test_authentication__with_default_settings[sssd-su] (samba) 
tests/test_authentication.py::test_authentication__with_default_settings[sssd-ssh] (samba) 
tests/test_authentication.py::test_authentication__password_change_on_login[root-su] (samba) 
tests/test_authentication.py::test_authentication__password_change_on_login[root-ssh] (samba) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-su] (samba) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-ssh] (samba) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[su] (samba) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[ssh] (samba) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-su] (samba) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-ssh] (samba) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-su] (samba) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-ssh] (samba) 

======================== 60 passed in 995.22s (0:16:35) ========================
PASSED [  1%]PASSED [  3%]PASSED [  5%]PASSED [  6%]PASSED [  8%]PASSED [ 10%]PASSED [ 11%]PASSED [ 13%]PASSED [ 15%]PASSED [ 16%]PASSED [ 18%]PASSED [ 20%]PASSED [ 21%]PASSED [ 23%]PASSED [ 25%]PASSED [ 26%]PASSED [ 28%]PASSED [ 30%]PASSED [ 31%]PASSED [ 33%]PASSED [ 35%]PASSED [ 36%]PASSED [ 38%]PASSED [ 40%]PASSED [ 41%]PASSED [ 43%]PASSED [ 45%]PASSED [ 46%]PASSED [ 48%]PASSED [ 50%]PASSED [ 51%]PASSED [ 53%]PASSED [ 55%]
tests/test_authentication.py::test_authentication__with_default_settings[root-ssh] (ldap) PASSED [ 56%]
tests/test_authentication.py::test_authentication__with_default_settings[sssd-su] (ldap) PASSED [ 58%]
tests/test_authentication.py::test_authentication__with_default_settings[sssd-ssh] (ldap) PASSED [ 60%]
tests/test_authentication.py::test_authentication__password_change_on_login[root-su] (ldap) PASSED [ 61%]PASSED [ 63%]PASSED [ 65%]PASSED [ 66%]PASSED [ 68%]PASSED [ 70%]PASSED [ 71%]PASSED [ 73%]PASSED [ 75%]PASSED [ 76%]PASSED [ 78%]PASSED [ 80%]PASSED [ 81%]PASSED [ 83%]PASSED [ 85%]PASSED [ 86%]PASSED [ 88%]PASSED [ 90%]PASSED [ 91%]PASSED [ 93%]PASSED [ 95%]PASSED [ 96%]PASSED [ 98%]PASSED [100%]
Process finished with exit code 0

@danlavu danlavu force-pushed the roles-password-policy branch from 13eef9b to 10992d0 Compare December 11, 2024 22:40
danlavu
danlavu commented Dec 18, 2024
View reviewed changes
Copy link
Author

@danlavu danlavu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Going to put this on hold until after the holidays, but noted the changes I need to make when I get back.

sssd_test_framework/roles/ipa.py
"minclasses": (self.cli.option.VALUE, 5),
"priority": (self.cli.option.VALUE, 1),
}
self._add(attrs)
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch, I'll go ahead and add something to check to see if the attribute exists and decide which function to use.

@danlavu danlavu force-pushed the roles-password-policy branch from 10992d0 to 28fffdf Compare February 3, 2025 20:45
@danlavu danlavu requested review from aplopez and spoore1 and removed request for shridhargadekar and pbrezina February 3, 2025 20:47
@danlavu danlavu assigned spoore1 and unassigned shridhargadekar and pbrezina Feb 4, 2025
spoore1
spoore1 reviewed Feb 4, 2025
View reviewed changes
Copy link
Contributor

@spoore1 spoore1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The first pass mostly looks good. Just a small thing but, I want to try to setup and run the tests with this code to see how everything looks.

sssd_test_framework/roles/ipa.py
}
self._add(attrs)
else:
_attrs: CLIBuilderArgs = {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a need for _attrs here vs attrs in the conditional section above the else?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was a mypy complaint.

Found 1 error in 1 file (checked 46 source files)
sssd_test_framework/roles/ipa.py:1673: error: Name "attrs" already defined on line 1664  [no-redef]
lint-upstream: exit 1 (0.82 seconds) /home/dlavu/git/sssd-test-framework> mypy --install-types --non-interactive sssd_test_framework tests pid=692404
lint-upstream: FAIL ✖ in 3.71 seconds

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would defining attrs before the conditional as an empty dict solve this? It seems odd to have to define a new variable here.

@spoore1
Copy link
Contributor

spoore1 commented Feb 5, 2025

FYI, with a couple of small modifications, all the tests pass locally for me:

tests/test_authentication.py::test_authentication__with_default_settings[root-su] (ad) PASSED                                                                                                               [  1%] 
tests/test_authentication.py::test_authentication__with_default_settings[root-ssh] (ad) PASSED                                                                                                              [  3%]
tests/test_authentication.py::test_authentication__with_default_settings[sssd-su] (ad) PASSED                                                                                                               [  5%]
tests/test_authentication.py::test_authentication__with_default_settings[sssd-ssh] (ad) PASSED                                                                                                              [  6%]
tests/test_authentication.py::test_authentication__password_change_on_login[root-su] (ad) PASSED                                                                                                            [  8%]
tests/test_authentication.py::test_authentication__password_change_on_login[root-ssh] (ad) PASSED                                                                                                           [ 10%]
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-su] (ad) PASSED                                                                                                            [ 11%]
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-ssh] (ad) PASSED                                                                                                           [ 13%]
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[su] (ad) PASSED                                                                                    [ 15%]
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[ssh] (ad) PASSED                                                                                   [ 16%]
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-su] (ad) PASSED                                                                                       [ 18%]
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-ssh] (ad) PASSED                                                                                      [ 20%] 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-su] (ad) PASSED                                                                                       [ 21%] 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-ssh] (ad) PASSED                                                                                      [ 23%]
tests/test_authentication.py::test_authentication__using_the_users_email_address[root-su] (ad) PASSED                                                                                                       [ 25%]
tests/test_authentication.py::test_authentication__using_the_users_email_address[root-ssh] (ad) PASSED                                                                                                      [ 26%]
tests/test_authentication.py::test_authentication__using_the_users_email_address[sssd-su] (ad) PASSED                                                                                                       [ 28%]
tests/test_authentication.py::test_authentication__using_the_users_email_address[sssd-ssh] (ad) PASSED                                                                                                      [ 30%]
tests/test_authentication.py::test_authentication__with_default_settings[root-su] (ipa) PASSED                                                                                                              [ 31%]
tests/test_authentication.py::test_authentication__with_default_settings[root-ssh] (ipa) PASSED                                                                                                             [ 33%]
tests/test_authentication.py::test_authentication__with_default_settings[sssd-su] (ipa) PASSED                                                                                                              [ 35%]
tests/test_authentication.py::test_authentication__with_default_settings[sssd-ssh] (ipa) PASSED                                                                                                             [ 36%]
tests/test_authentication.py::test_authentication__password_change_on_login[root-su] (ipa) PASSED                                                                                                           [ 38%]
tests/test_authentication.py::test_authentication__password_change_on_login[root-ssh] (ipa) PASSED                                                                                                          [ 40%]
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-su] (ipa) PASSED                                                                                                           [ 41%]
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-ssh] (ipa) PASSED                                                                                                          [ 43%]
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[su] (ipa) PASSED                                                                                   [ 45%]
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[ssh] (ipa) PASSED                                                                                  [ 46%]
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-su] (ipa) PASSED                                                                                      [ 48%]
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-ssh] (ipa) PASSED                                                                                     [ 50%]
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-su] (ipa) PASSED                                                                                      [ 51%]
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-ssh] (ipa) PASSED                                                                                     [ 53%]
tests/test_authentication.py::test_authentication__with_default_settings[root-su] (ldap) PASSED                                                                                                             [ 55%]
tests/test_authentication.py::test_authentication__with_default_settings[root-ssh] (ldap) PASSED                                                                                                            [ 56%]
tests/test_authentication.py::test_authentication__with_default_settings[sssd-su] (ldap) PASSED                                                                                                             [ 58%]
tests/test_authentication.py::test_authentication__with_default_settings[sssd-ssh] (ldap) PASSED                                                                                                            [ 60%]
tests/test_authentication.py::test_authentication__password_change_on_login[root-su] (ldap) PASSED                                                                                                          [ 61%]
tests/test_authentication.py::test_authentication__password_change_on_login[root-ssh] (ldap) PASSED                                                                                                         [ 63%]
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-su] (ldap) PASSED                                                                                                          [ 65%]
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-ssh] (ldap) PASSED                                                                                                         [ 66%]
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[su] (ldap) PASSED                                                                                  [ 68%]
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[ssh] (ldap) PASSED                                                                                 [ 70%]
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-su] (ldap) PASSED                                                                                     [ 71%]
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-ssh] (ldap) PASSED                                                                                    [ 73%]
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-su] (ldap) PASSED                                                                                     [ 75%]
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-ssh] (ldap) PASSED                                                                                    [ 76%]
tests/test_authentication.py::test_authentication__with_default_settings[root-su] (samba) PASSED                                                                                                            [ 78%]
tests/test_authentication.py::test_authentication__with_default_settings[root-ssh] (samba) PASSED                                                                                                           [ 80%]
tests/test_authentication.py::test_authentication__with_default_settings[sssd-su] (samba) PASSED                                                                                                            [ 81%]
tests/test_authentication.py::test_authentication__with_default_settings[sssd-ssh] (samba) PASSED                                                                                                           [ 83%]
tests/test_authentication.py::test_authentication__password_change_on_login[root-su] (samba) PASSED                                                                                                         [ 85%]
tests/test_authentication.py::test_authentication__password_change_on_login[root-ssh] (samba) PASSED                                                                                                        [ 86%]
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-su] (samba) PASSED                                                                                                         [ 88%]
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-ssh] (samba) PASSED                                                                                                        [ 90%]
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[su] (samba) PASSED                                                                                 [ 91%]
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[ssh] (samba) PASSED                                                                                [ 93%]
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-su] (samba) PASSED                                                                                    [ 95%]
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-ssh] (samba) PASSED                                                                                   [ 96%]
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-su] (samba) PASSED                                                                                    [ 98%]
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-ssh] (samba) PASSED                                                                                   [100%]

------------------------------------------------------------ generated xml file: .../junit.xml -------------------------------------------------------------
================================================================================= 60 passed, 604 deselected in 1040.38s (0:17:20) =================================================================================

@danlavu danlavu force-pushed the roles-password-policy branch from 28fffdf to 252b248 Compare February 26, 2025 13:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spoore1 spoore1 spoore1 left review comments

@aplopez aplopez Awaiting requested review from aplopez

At least 1 approving review is required to merge this pull request.

Assignees

@spoore1 spoore1

@aplopez aplopez

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@danlavu @spoore1 @aplopez @andreboscatto @shridhargadekar @pbrezina