|
0 |
- |
1 |
#!/usr/bin/python2.7 |
|
|
2 |
# coding: utf-8 |
3 |
# |
4 |
# Univention Management Console module: |
5 |
# System Diagnosis UMC module |
6 |
# |
7 |
# Copyright 2017 Univention GmbH |
8 |
# |
9 |
# http://www.univention.de/ |
10 |
# |
11 |
# All rights reserved. |
12 |
# |
13 |
# The source code of this program is made available |
14 |
# under the terms of the GNU Affero General Public License version 3 |
15 |
# (GNU AGPL V3) as published by the Free Software Foundation. |
16 |
# |
17 |
# Binary versions of this program provided by Univention to you as |
18 |
# well as other copyrighted, protected or trademarked materials like |
19 |
# Logos, graphics, fonts, specific documentations and configurations, |
20 |
# cryptographic keys etc. are subject to a license agreement between |
21 |
# you and Univention and not subject to the GNU AGPL V3. |
22 |
# |
23 |
# In the case you use this program under the terms of the GNU AGPL V3, |
24 |
# the program is provided in the hope that it will be useful, |
25 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of |
26 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
27 |
# GNU Affero General Public License for more details. |
28 |
# |
29 |
# You should have received a copy of the GNU Affero General Public |
30 |
# License with the Debian GNU/Linux or Univention distribution in file |
31 |
# /usr/share/common-licenses/AGPL-3; if not, see |
32 |
# <http://www.gnu.org/licenses/>. |
33 |
|
34 |
import ldap |
35 |
|
36 |
import univention.uldap |
37 |
import univention.admin.uldap |
38 |
import univention.admin.modules as udm_modules |
39 |
from univention.management.console.modules.diagnostic import Warning |
40 |
|
41 |
from univention.lib.i18n import Translation |
42 |
_ = Translation('univention-management-console-module-diagnostic').translate |
43 |
|
44 |
title = _('Check password policy inconsistencies') |
45 |
description = _('No problems found.') |
46 |
|
47 |
|
48 |
def fix_policies(umc_instance): |
49 |
for mismatch in check_policies(): |
50 |
mismatch.fix() |
51 |
return run(umc_instance) |
52 |
|
53 |
|
54 |
actions = { |
55 |
'fix_policies': fix_policies, |
56 |
} |
57 |
|
58 |
|
59 |
class PolicyMismatch(Exception): |
60 |
def __init__(self, policy, mismatches): |
61 |
super(PolicyMismatch, self).__init__(policy.dn) |
62 |
self.policy = policy |
63 |
self.mismatches = mismatches |
64 |
|
65 |
def __str__(self): |
66 |
msg = _('In policy {name!r} (see {{udm:policies/policy}}):') |
67 |
messages = [msg.format(name=self.policy.get('name'))] |
68 |
empty_tmpl = _('Attribute {attr} should be empty.') |
69 |
mismatch_tmpl = _('Attribute {attr} should have value {value}.') |
70 |
properties = udm_modules.get(self.policy.module).property_descriptions |
71 |
|
72 |
for (attr, value) in self.mismatches: |
73 |
template = empty_tmpl if value is None else mismatch_tmpl |
74 |
attr_desc = properties.get(attr).short_description |
75 |
messages.append(template.format(attr=attr_desc, value=value)) |
76 |
return '\n'.join(messages) |
77 |
|
78 |
def module(self): |
79 |
return { |
80 |
'module': 'udm', |
81 |
'flavor': 'policies/policy', |
82 |
'props': { |
83 |
'openObject': { |
84 |
'objectDN': self.policy.dn, |
85 |
'objectType': 'policies/pwhistory' |
86 |
} |
87 |
} |
88 |
} |
89 |
|
90 |
def fix(self): |
91 |
for (attr, value) in self.mismatches: |
92 |
self.policy[attr] = value |
93 |
self.policy.modify() |
94 |
|
95 |
|
96 |
def get_samba_domain(ldap_connection, position): |
97 |
module = udm_modules.get('settings/sambadomain') |
98 |
udm_modules.init(ldap_connection, position, module) |
99 |
for sambadomain in module.lookup(None, ldap_connection, ''): |
100 |
sambadomain.open() |
101 |
return sambadomain |
102 |
|
103 |
|
104 |
def policy_used(ldap_connection, dn): |
105 |
filter_expr = ldap.filter.filter_format('(univentionPolicyReference=%s)', (dn,)) |
106 |
search = ldap_connection.search(filter=filter_expr, sizelimit=3, attr=['dn']) |
107 |
return any(dn is not None for (dn, attr) in search) |
108 |
|
109 |
|
110 |
def get_pw_policies(ldap_connection, position): |
111 |
module = udm_modules.get('policies/pwhistory') |
112 |
udm_modules.init(ldap_connection, position, module) |
113 |
for policy in module.lookup(None, ldap_connection, ''): |
114 |
if policy_used(ldap_connection, policy.dn): |
115 |
policy.open() |
116 |
yield policy |
117 |
|
118 |
|
119 |
def to_days(unix_time_interval, default_unit='seconds'): |
120 |
if unix_time_interval is None: |
121 |
return None |
122 |
|
123 |
try: |
124 |
(value, unit) = unix_time_interval |
125 |
except ValueError: |
126 |
(value, unit) = (unix_time_interval, default_unit) |
127 |
|
128 |
try: |
129 |
as_int = int(value) |
130 |
except ValueError: |
131 |
as_int = 0 |
132 |
|
133 |
if unit == 'days': |
134 |
return str(as_int) |
135 |
elif unit == 'hours': |
136 |
return str(as_int / 24) |
137 |
elif unit == 'minutes': |
138 |
return str(as_int / (24 * 60)) |
139 |
return str(as_int / (24 * 60 * 60)) |
140 |
|
141 |
|
142 |
def policy_mismatch(samba_domain, pw_policy): |
143 |
def compare(policy_attr, domain_attr, convert=lambda x: x): |
144 |
(policy_value, domain_value) = (pw_policy.get(policy_attr), samba_domain.get(domain_attr)) |
145 |
converted_domain_value = convert(domain_value) |
146 |
if policy_value != converted_domain_value: |
147 |
yield (policy_attr, converted_domain_value) |
148 |
|
149 |
for result in compare('length', 'passwordHistory'): |
150 |
yield result |
151 |
for result in compare('pwLength', 'passwordLength'): |
152 |
yield result |
153 |
for result in compare('expiryInterval', 'maxPasswordAge', to_days): |
154 |
yield result |
155 |
|
156 |
|
157 |
def check_policies(): |
158 |
(ldap_connection, position) = univention.admin.uldap.getAdminConnection() |
159 |
samba_domain = get_samba_domain(ldap_connection, position) |
160 |
for policy in get_pw_policies(ldap_connection, position): |
161 |
mismatch = list(policy_mismatch(samba_domain, policy)) |
162 |
if mismatch: |
163 |
yield PolicyMismatch(policy, mismatch) |
164 |
|
165 |
|
166 |
def run(_umc_instance): |
167 |
univention.admin.modules.update() |
168 |
problems = list(check_policies()) |
169 |
error = _('There are inconsistencies between the Univention policies and the Samba settings.') |
170 |
buttons = [{ |
171 |
'action': 'fix_policies', |
172 |
'label': _('Fix password policies'), |
173 |
}] |
174 |
|
175 |
if problems: |
176 |
ed = [error, ''] |
177 |
ed.extend(str(error) for error in problems) |
178 |
umc_modules = [e.module() for e in problems] |
179 |
raise Warning(description='\n'.join(ed), umc_modules=umc_modules, buttons=buttons) |
180 |
|
181 |
|
182 |
if __name__ == '__main__': |
183 |
from univention.management.console.modules.diagnostic import main |
184 |
main() |
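Review bot: In `to_days`, the `(value, unit) = unix_time_interval` unpack only reaches its `except ValueError` fallback for strings whose length is not 2: a two-character string such as a constructed `'30'` is split into value `'3'` and unit `'0'`, and a bare int raises an uncaught TypeError. This matters because `policy_mismatch` reports the result as the expected `expiryInterval` and `fix()` writes it to the policy over the admin connection; an unparsable value likewise becomes 0, and Python 2 `/` floors anything under one day to `'0'`. I would unpack only real pairs, `if isinstance(unix_time_interval, (list, tuple)):`, and raise on a value that `int()` rejects instead of substituting `as_int = 0`, so a bad Samba value is surfaced rather than offered as the fix. Separately, `get_samba_domain` returns None when the lookup yields nothing, so `check_policies` should return early before `policy_mismatch` calls `samba_domain.get`.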
1 |
`inconsistent_policies.py` (po) |
185 |
`inconsistent_policies.py` (po) |
2 |
-- |
|
|
3 |
.../umc/python/diagnostic/de.po | 36 +++++++++++++++++++++- |
186 |
.../umc/python/diagnostic/de.po | 36 +++++++++++++++++++++- |
4 |
1 file changed, 35 insertions(+), 1 deletion(-) |
187 |
1 file changed, 35 insertions(+), 1 deletion(-) |