Merge pull request #36 from NethServer/user-manager-password-policy
feat(api-moduled): added get-password-policy api
Tbaile authored Feb 23, 2024
2 parents 1e74135 + cd37628 commit b6e2aac
Showing 4 changed files with 99 additions and 3 deletions.
2 changes: 1 addition & 1 deletion build-images.sh
Expand Up @@ -33,7 +33,7 @@ fi
buildah add "${container}" imageroot /imageroot

# Copy ui of ns8-user-manager
user_manager_version=v0.7.0
user_manager_version=v0.8.1
curl -f -L -O https://github.com/NethServer/ns8-user-manager/releases/download/${user_manager_version}/ns8-user-manager-${user_manager_version}.tar.gz
buildah add "${container}" ns8-user-manager-${user_manager_version}.tar.gz /imageroot/api-moduled/public/

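--- a/imageroot/api-moduled/handlers/get-password-policy/post
+++ b/imageroot/api-moduled/handlers/get-password-policy/post
@@ -0,0 +1,75 @@
+#!/usr/bin/env python3
+
+#
+# Copyright (C) 2024 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+import json
+import sys
+import subprocess
+import os
+
+SECONDS_PER_DAY = 86400
+ldap_suffix = os.environ["LDAP_SUFFIX"]
+
+ldapsearch_proc = subprocess.run(["podman", "exec", "openldap",
+    "ldapsearch", "-LLL", "-b", f"cn=default,ou=PPolicy,{ldap_suffix}", "-s", "base"
+    ], text=True, capture_output=True, check=True)
+
+
+ppolicy = {
+    "expiration": {
+        "min_age": 0,
+        "max_age": 0,
+        "enforced": False,
+    },
+    "strength": {
+        "enforced": False,
+        "history_length": 0,
+        "password_min_length": 0,
+        "complexity_check": False,
+    }
+}
+
+for line in ldapsearch_proc.stdout.split("\n"):
+    if not line:
+        continue
+
+    lattr, lval = line.split(":", 1)
+    lval = lval.strip() # trim wrapping blanks
+
+    if lattr == "pwdMinAge":
+        ppolicy["expiration"]["min_age"] = int(lval) // SECONDS_PER_DAY
+    elif lattr == "pwdMaxAge":
+        ppolicy["expiration"]["max_age"] = int(lval) // SECONDS_PER_DAY
+    elif lattr == "pwdMinLength":
+        ppolicy["strength"]["password_min_length"] = int(lval)
+    elif lattr == "pwdInHistory":
+        ppolicy["strength"]["history_length"] = int(lval)
+    elif lattr == "pwdUseCheckModule":
+        ppolicy["strength"]["complexity_check"] = lval == 'TRUE'
+
+if ppolicy["strength"]["complexity_check"] is True or \
+        ppolicy["strength"]["history_length"] > 0 or \
+        ppolicy["strength"]["password_min_length"] > 0:
+    ppolicy["strength"]["enforced"] = True
+else:
+    ppolicy["strength"]["enforced"] = False
+    ppolicy["strength"]["history_length"] = 12
+    ppolicy["strength"]["password_min_length"] = 8
+    ppolicy["strength"]["complexity_check"] = True
+
+if ppolicy["expiration"]["min_age"] > 0 or \
+        ppolicy["expiration"]["max_age"] > 0:
+    ppolicy["expiration"]["enforced"] = True
+else:
+    ppolicy["expiration"]["enforced"] = False
+    ppolicy["expiration"]["min_age"] = 0
+    ppolicy["expiration"]["max_age"] = 180
+
+json.dump({
+    "status": "success",
+    "message": "password_policy",
+    "policy": ppolicy
+}, fp=sys.stdout)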
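Review bot: The LDIF loop's `lattr, lval = line.split(":", 1)` raises ValueError on any stdout line that has no colon, and ldapsearch -LLL can produce such a line when it folds a long value onto a continuation line that starts with a space (the dn line is the likely case, since it embeds LDAP_SUFFIX), which would abort the handler before any JSON is written. Replace the unpack with `lattr, sep, lval = line.partition(":")` followed by `if not sep or line.startswith(" "): continue`, so unparseable and folded lines are skipped rather than fatal. The fallback values written when a policy is not enforced (12, 8, True, 180) carry no explanation; a comment such as `# values suggested to the UI while this policy is disabled` would help, hedged since that intent is inferred from the code rather than stated. Note also that `check=True` turns a missing ppolicy entry into an uncaught CalledProcessError, so this script itself never emits the `failure` status the output schema allows.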
@@ -0,0 +1,21 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "get password policy",
"$id": "http://schema.nethserver.org/ns8-openldap/api-moduled/handlers/get-password-policy/validate-output.json",
"type": "object",
"required": [
"status",
"message"
],
"properties": {
"status": {
"enum": [
"success",
"failure"
]
},
"message": {
"type": "string"
}
}
}
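Review bot: The schema says nothing about `policy`, so a response that omits it or carries a malformed policy still validates; only `status` and `message` are required. Add `"policy"` to `required` and at least `"policy": {"type": "object", "required": ["expiration", "strength"]}` under `properties`, ideally also listing the boolean `enforced` and integer `min_age`, `max_age`, `history_length` and `password_min_length` fields the handler writes. The handler in this commit always emits `success`, so requiring `policy` unconditionally matches its output; if a `failure` path is added later, a conditional `if`/`then` on `status` keeps both shapes valid.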
4 changes: 2 additions & 2 deletions imageroot/api-moduled/handlers/login/post
Expand Up @@ -38,10 +38,10 @@ oclaims = {
if proc_whoami.returncode == 49 and "Password expired" in proc_whoami.stderr:
# Password must be changed immediately: return a token limited to
# password changing:
oclaims["scope"] = ["change-password"]
oclaims["scope"] = ["change-password", "get-password-policy"]
elif proc_whoami.returncode != 0:
sys.exit(3) # Login failed
elif "domain admins" not in oclaims["groups"]:
oclaims["scope"] = ["change-password"]
oclaims["scope"] = ["change-password", "get-password-policy"]

json.dump(oclaims, fp=sys.stdout)
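Review bot: The limited-scope list `["change-password", "get-password-policy"]` is now written out twice, once in the expired-password branch and once in the non-admin branch, and both copies must stay in step because together they define what a restricted token is allowed to call. Hoist it to a single module-level constant, e.g. `LIMITED_SCOPE = ["change-password", "get-password-policy"]`, and assign `oclaims["scope"] = list(LIMITED_SCOPE)` at both sites so the restricted scope can be audited in one place. The values this branch reads (`proc_whoami`, `oclaims`) are defined before the hunk.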
