roles, adding default domain password policy management #139

danlavu · 2024-11-27T12:55:26Z

Tests PR, SSSD/sssd#7728

This PR is larger than I expected.

misc.py

added seconds to timespan method and test, timespan is the powershell M:D:H:S:F format

authentication.py

SUAuthentication, added password_expired_with_output
SSHAuthentication, added password_expired_with_output
like password_with_out, replaced put with a valid {{exitmsg}}

roles/ad.py, roles/ipa.py, roles/samba.py, roles/ldap.py

added PasswordPolicy class
password.lockout(duration, attempts)
password.complexity(enable)
password.age(min, max)
password.requirements(length)
additionally to LDAP, added password.get() and password.set() and added ACI to the password constructor.

roles/generic.py

added GenericPasswordPolicy class

sssd_test_framework/roles/generic.py

sssd_test_framework/roles/ad.py

aplopez · 2024-12-10T14:08:11Z

sssd_test_framework/roles/ad.py

+        super().__init__(role)
+
+    def complexity(self, enable: bool) -> ADPasswordPolicy:
+        """


I'm not sure whether this documentation is needed if it is already present in the superclass.

I'm going to change this back to a @property , so it's not instantiated with every call, I forgot about that and I will put usage examples in that docstring.

Making this function a property will not allow you to return a ADPasswordPolicy object (self) in order to chain method invocations. I have nothing against it, but it doesn't align with the rest of your code. Do as you want.

Ah that explains something I didn't quite understand. I made this decision change because it wouldn't automatically instantiate the object, but I do want the other behavior so I will change this back.

sssd_test_framework/roles/samba.py

sssd_test_framework/roles/ipa.py

aplopez · 2024-12-10T15:39:11Z

sssd_test_framework/roles/ipa.py

+                "minclasses": (self.cli.option.VALUE, 5),
+                "priority": (self.cli.option.VALUE, 1),
+            }
+            self._add(attrs)


Why are you calling self._add() here but self._modify() in the else section?

It's the way the command is constructed. IPARole._add is ipa pwpolicy add , while IPARole._modify is ipa pwpolicy modify. If enabled, we are adding the values that don't exist, to disable it, we are modifying the existing values.

What happens if the test has code like this?

ipp = IPAPasswordPolicy(...) ... ipp.complexity(true) ... ipp.complexity(false) ... ipp.complexity(true)

Nice catch, I'll go ahead and add something to check to see if the attribute exists and decide which function to use.

sssd_test_framework/roles/ipa.py

sssd_test_framework/roles/ldap.py

danlavu · 2024-12-11T05:36:16Z

The tests are passing locally.

tests/test_authentication.py::test_authentication__with_default_settings[root-su] (ad) 
tests/test_authentication.py::test_authentication__with_default_settings[root-ssh] (ad) 
tests/test_authentication.py::test_authentication__with_default_settings[sssd-su] (ad) 
tests/test_authentication.py::test_authentication__with_default_settings[sssd-ssh] (ad) 
tests/test_authentication.py::test_authentication__password_change_on_login[root-su] (ad) 
tests/test_authentication.py::test_authentication__password_change_on_login[root-ssh] (ad) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-su] (ad) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-ssh] (ad) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[su] (ad) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[ssh] (ad) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-su] (ad) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-ssh] (ad) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-su] (ad) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-ssh] (ad) 
tests/test_authentication.py::test_authentication__using_the_users_email_address[root-su] (ad) 
tests/test_authentication.py::test_authentication__using_the_users_email_address[root-ssh] (ad) 
tests/test_authentication.py::test_authentication__using_the_users_email_address[sssd-su] (ad) 
tests/test_authentication.py::test_authentication__using_the_users_email_address[sssd-ssh] (ad) 
tests/test_authentication.py::test_authentication__with_default_settings[root-su] (ipa) 
tests/test_authentication.py::test_authentication__with_default_settings[root-ssh] (ipa) 
tests/test_authentication.py::test_authentication__with_default_settings[sssd-su] (ipa) 
tests/test_authentication.py::test_authentication__with_default_settings[sssd-ssh] (ipa) 
tests/test_authentication.py::test_authentication__password_change_on_login[root-su] (ipa) 
tests/test_authentication.py::test_authentication__password_change_on_login[root-ssh] (ipa) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-su] (ipa) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-ssh] (ipa) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[su] (ipa) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[ssh] (ipa) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-su] (ipa) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-ssh] (ipa) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-su] (ipa) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-ssh] (ipa) 
tests/test_authentication.py::test_authentication__with_default_settings[root-su] (ldap) 
tests/test_authentication.py::test_authentication__password_change_on_login[root-ssh] (ldap) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-su] (ldap) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-ssh] (ldap) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[su] (ldap) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[ssh] (ldap) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-su] (ldap) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-ssh] (ldap) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-su] (ldap) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-ssh] (ldap) 
tests/test_authentication.py::test_authentication__with_default_settings[root-su] (samba) 
tests/test_authentication.py::test_authentication__with_default_settings[root-ssh] (samba) 
tests/test_authentication.py::test_authentication__with_default_settings[sssd-su] (samba) 
tests/test_authentication.py::test_authentication__with_default_settings[sssd-ssh] (samba) 
tests/test_authentication.py::test_authentication__password_change_on_login[root-su] (samba) 
tests/test_authentication.py::test_authentication__password_change_on_login[root-ssh] (samba) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-su] (samba) 
tests/test_authentication.py::test_authentication__password_change_on_login[sssd-ssh] (samba) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[su] (samba) 
tests/test_authentication.py::test_authentication__password_change_does_not_meet_complexity_requirements[ssh] (samba) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-su] (samba) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[root-ssh] (samba) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-su] (samba) 
tests/test_authentication.py::test_authentication__default_settings_when_the_provider_is_offline[sssd-ssh] (samba) 

======================== 60 passed in 995.22s (0:16:35) ========================
PASSED [  1%]PASSED [  3%]PASSED [  5%]PASSED [  6%]PASSED [  8%]PASSED [ 10%]PASSED [ 11%]PASSED [ 13%]PASSED [ 15%]PASSED [ 16%]PASSED [ 18%]PASSED [ 20%]PASSED [ 21%]PASSED [ 23%]PASSED [ 25%]PASSED [ 26%]PASSED [ 28%]PASSED [ 30%]PASSED [ 31%]PASSED [ 33%]PASSED [ 35%]PASSED [ 36%]PASSED [ 38%]PASSED [ 40%]PASSED [ 41%]PASSED [ 43%]PASSED [ 45%]PASSED [ 46%]PASSED [ 48%]PASSED [ 50%]PASSED [ 51%]PASSED [ 53%]PASSED [ 55%]
tests/test_authentication.py::test_authentication__with_default_settings[root-ssh] (ldap) PASSED [ 56%]
tests/test_authentication.py::test_authentication__with_default_settings[sssd-su] (ldap) PASSED [ 58%]
tests/test_authentication.py::test_authentication__with_default_settings[sssd-ssh] (ldap) PASSED [ 60%]
tests/test_authentication.py::test_authentication__password_change_on_login[root-su] (ldap) PASSED [ 61%]PASSED [ 63%]PASSED [ 65%]PASSED [ 66%]PASSED [ 68%]PASSED [ 70%]PASSED [ 71%]PASSED [ 73%]PASSED [ 75%]PASSED [ 76%]PASSED [ 78%]PASSED [ 80%]PASSED [ 81%]PASSED [ 83%]PASSED [ 85%]PASSED [ 86%]PASSED [ 88%]PASSED [ 90%]PASSED [ 91%]PASSED [ 93%]PASSED [ 95%]PASSED [ 96%]PASSED [ 98%]PASSED [100%]
Process finished with exit code 0

danlavu

Going to put this on hold until after the holidays, but noted the changes I need to make when I get back.

danlavu · 2024-12-18T23:11:00Z

sssd_test_framework/roles/ipa.py

+                "minclasses": (self.cli.option.VALUE, 5),
+                "priority": (self.cli.option.VALUE, 1),
+            }
+            self._add(attrs)


Nice catch, I'll go ahead and add something to check to see if the attribute exists and decide which function to use.

danlavu added the enhancement New feature or request label Nov 27, 2024

danlavu marked this pull request as draft November 27, 2024 12:55

danlavu force-pushed the roles-password-policy branch 2 times, most recently from 6ce3b2f to a0156fe Compare November 29, 2024 06:05

danlavu mentioned this pull request Nov 30, 2024

test: authentication, adding generic password policy tests SSSD/sssd#7728

Draft

danlavu force-pushed the roles-password-policy branch 6 times, most recently from e63f374 to fe86c02 Compare December 4, 2024 01:51

danlavu marked this pull request as ready for review December 4, 2024 01:54

danlavu requested review from pbrezina and shridhargadekar December 4, 2024 01:54

danlavu assigned danlavu, pbrezina and shridhargadekar and unassigned danlavu Dec 4, 2024

andreboscatto requested a review from aplopez December 5, 2024 13:53

andreboscatto assigned aplopez Dec 5, 2024

aplopez reviewed Dec 10, 2024

View reviewed changes

misc: adding function to convert seconds to powershell timespan format

66880c4

danlavu force-pushed the roles-password-policy branch from fe86c02 to 41c9628 Compare December 10, 2024 18:21

Dan Lavu added 2 commits December 10, 2024 18:23

authentication: added password_expired_with_output to su and ssh objects

21c57a9

roles: added password policy utilities to ad role

f4d556c

danlavu force-pushed the roles-password-policy branch 4 times, most recently from 3eab089 to 13eef9b Compare December 11, 2024 03:22

Dan Lavu added 5 commits December 11, 2024 17:39

roles: added password policy utilities to ad role

f7d87f0

roles: added password policy utilities to ipa role

68223df

roles: added password policy utilities to samba role

5799817

roles: added password policy utilities to ldap role

a9b1bb6

roles: added password policy utilities to generic role

10992d0

danlavu force-pushed the roles-password-policy branch from 13eef9b to 10992d0 Compare December 11, 2024 22:40

danlavu commented Dec 18, 2024

View reviewed changes

aplopez added the changes requested label Jan 7, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

roles, adding default domain password policy management #139

roles, adding default domain password policy management #139

danlavu commented Nov 27, 2024 •

edited

Loading

aplopez Dec 10, 2024

danlavu Dec 10, 2024

aplopez Dec 18, 2024

danlavu Dec 18, 2024

aplopez Dec 10, 2024

danlavu Dec 10, 2024

aplopez Dec 18, 2024 •

edited

Loading

danlavu Dec 18, 2024

danlavu commented Dec 11, 2024

danlavu left a comment

danlavu Dec 18, 2024

roles, adding default domain password policy management #139

Are you sure you want to change the base?

roles, adding default domain password policy management #139

Conversation

danlavu commented Nov 27, 2024 • edited Loading

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

aplopez Dec 18, 2024 • edited Loading

Choose a reason for hiding this comment

Choose a reason for hiding this comment

danlavu commented Dec 11, 2024

danlavu left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

danlavu commented Nov 27, 2024 •

edited

Loading

aplopez Dec 18, 2024 •

edited

Loading