1 # gp_sec_ext kdc gpo policy
2 # Copyright (C) Luke Morrison <luc785@.hotmail.com> 2013
3 # Copyright (C) David Mulder <dmulder@suse.com> 2018
4 #
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
9 #
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13 # GNU General Public License for more details.
14 #
15 # You should have received a copy of the GNU General Public License
16 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
17
18 import os.path
19 from samba.gpclass import gp_ext_setter, gp_inf_ext
20
class inf_to_kdc_tdb(gp_ext_setter):
    '''Setter for the "Kerberos Policy" section of GptTmpl.inf.

    Each ticket-lifetime value read from the .inf is rescaled into the unit
    the matching Samba 'kdc:...' setting uses and written to the gpostore;
    the value that was there before is logged and recorded in gp_db
    (presumably so the change can be reverted later -- the consumer of that
    record is not visible in this file).
    '''

    def mins_to_hours(self):
        '''Convert self.val, a count of minutes, into a whole number of hours.

        '%d' drops the fractional part, so a lifetime shorter than 60 minutes
        comes out as '0'.  NOTE(review): how the KDC treats a zero lifetime
        is not visible here -- confirm before relying on this rounding.
        '''
        minutes = int(self.val)
        return '%d' % (minutes / 60)

    def days_to_hours(self):
        '''Convert self.val, a count of days, into hours as a decimal string.'''
        days = int(self.val)
        return '%d' % (days * 24)

    def set_kdc_tdb(self, val):
        '''Store one 'kdc:...' setting in the gpostore, or remove it.

        val: the converted value to write, or None to delete the setting.
        In both cases the previous value is looked up first and logged.  On a
        write it is saved in gp_db under (str(self), attribute); on a delete
        that gp_db entry is removed together with the gpostore entry.
        '''
        previous = self.gp_db.gpostore.get(self.attribute)
        self.logger.info('%s was changed from %s to %s'
                         % (self.attribute, previous, val))
        if val is None:
            self.gp_db.gpostore.delete(self.attribute)
            self.gp_db.delete(str(self), self.attribute)
            return
        self.gp_db.gpostore.store(self.attribute, val)
        self.gp_db.store(str(self), self.attribute, previous)

    def mapper(self):
        '''Map each Samba KDC attribute to its (setter, converter) pair.

        The converter is a bound method taking no arguments.  self.explicit
        is inherited from gp_ext_setter (presumably an as-is pass-through of
        the .inf value; its body is not in this file); the other two rescale
        minutes and days into hours.
        '''
        converters = [
            ('kdc:user_ticket_lifetime', self.explicit),
            ('kdc:service_ticket_lifetime', self.mins_to_hours),
            ('kdc:renewal_lifetime', self.days_to_hours),
        ]
        return {name: (self.set_kdc_tdb, convert)
                for name, convert in converters}

    def __str__(self):
        '''Name of the GptTmpl.inf section this setter handles.'''
        return 'Kerberos Policy'
49
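class inf_to_ldb(gp_ext_setter):
    '''This class takes the .inf file parameter (essentially a GPO file mapped
    to a GUID), hashmaps it to the Samba parameter, which then uses an ldb
    object to update the parameter to Samba4. Not registry oriented whatsoever.

    Every ch_* setter follows one pattern: read the current value from the
    ldb, log the transition, record the old value in gp_db under
    (str(self), attribute) -- presumably for a later rollback -- and write
    the new value.  That pattern is factored into _apply_ldb_change so the
    four setters differ only in their log text and the ldb accessors used.
    '''

    def _apply_ldb_change(self, message, get_current, set_new, val):
        '''Log, record, and apply a single password-policy attribute change.

        message: log template with two %s slots (old value, new value).
        get_current / set_new: the ldb getter and setter for the attribute.
        val: the new value, already converted by the mapper's converter.
        '''
        old_val = get_current()
        self.logger.info(message % (old_val, val))
        # str() so the recorded old value has one consistent form in gp_db.
        self.gp_db.store(str(self), self.attribute, str(old_val))
        set_new(val)

    def ch_minPwdAge(self, val):
        '''Set the domain minimum password age (a relative NT time string).'''
        self._apply_ldb_change(
            'KDC Minimum Password age was changed from %s to %s',
            self.ldb.get_minPwdAge, self.ldb.set_minPwdAge, val)

    def ch_maxPwdAge(self, val):
        '''Set the domain maximum password age (a relative NT time string).'''
        self._apply_ldb_change(
            'KDC Maximum Password age was changed from %s to %s',
            self.ldb.get_maxPwdAge, self.ldb.set_maxPwdAge, val)

    def ch_minPwdLength(self, val):
        '''Set the domain minimum password length (passed through as-is).'''
        self._apply_ldb_change(
            'KDC Minimum Password length was changed from %s to %s',
            self.ldb.get_minPwdLength, self.ldb.set_minPwdLength, val)

    def ch_pwdProperties(self, val):
        '''Set the domain pwdProperties attribute (passed through as-is).

        NOTE(review): the mapper feeds the .inf PasswordComplexity value
        straight through self.explicit, so that value becomes the whole
        pwdProperties setting.  If pwdProperties also carries other flag
        bits in a given domain, they would be replaced here -- confirm
        against set_pwdProperties before relying on this.
        '''
        self._apply_ldb_change(
            'KDC Password Properties were changed from %s to %s',
            self.ldb.get_pwdProperties, self.ldb.set_pwdProperties, val)

    def days2rel_nttime(self):
        '''Convert self.val, a count of days, into a relative NT time string.

        The result is the negated number of 100-nanosecond ticks in that many
        days (10**7 ticks per second), which is how minPwdAge/maxPwdAge are
        expressed.  '0' days yields '0'.
        '''
        ticks_per_second = 10000000
        seconds_per_day = 60 * 60 * 24
        days = int(self.val)
        return str(-(days * seconds_per_day * ticks_per_second))

    def mapper(self):
        '''ldap value : (samba setter, value converter)

        The converter is a bound method taking no arguments; self.explicit
        is inherited from gp_ext_setter and is not defined in this file.
        '''
        return {"minPwdAge": (self.ch_minPwdAge, self.days2rel_nttime),
                "maxPwdAge": (self.ch_maxPwdAge, self.days2rel_nttime),
                # Could be none, but I like the method assignment in
                # update_samba
                "minPwdLength": (self.ch_minPwdLength, self.explicit),
                "pwdProperties": (self.ch_pwdProperties, self.explicit),
                }

    def __str__(self):
        '''Name of the GptTmpl.inf section this setter handles.'''
        return 'System Access'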
107
class gp_sec_ext(gp_inf_ext):
    '''Security-settings GPO extension built on gp_inf_ext.

    This class only knows two things: where the security template
    (GptTmpl.inf) and the two Registry.pol files live below a GPO's root,
    and which .inf keys map to which Samba attribute and setter class.
    Reading and applying the .inf is presumably handled by gp_inf_ext, whose
    code is not in this file.
    '''

    # Not referenced anywhere in this file; possibly read by the base class.
    count = 0

    def __str__(self):
        '''Human-readable name of this extension.'''
        return "Security GPO extension"

    def list(self, rootpath):
        '''Return the path of the security template below a GPO root.

        rootpath: the GPO's top-level directory (its origin is not visible
        here).
        '''
        template = "MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf"
        return os.path.join(rootpath, template)

    def listmachpol(self, rootpath):
        '''Return the path of the machine Registry.pol below a GPO root.'''
        return os.path.join(rootpath, "Machine/Registry.pol")

    def listuserpol(self, rootpath):
        '''Return the path of the user Registry.pol below a GPO root.'''
        return os.path.join(rootpath, "User/Registry.pol")

    def apply_map(self):
        '''Map .inf section -> {.inf key: (Samba attribute, setter class)}.

        The section names equal str() of the setter class they point at:
        "System Access" -> inf_to_ldb, "Kerberos Policy" -> inf_to_kdc_tdb.
        '''
        system_access = {
            "MinimumPasswordAge": ("minPwdAge", inf_to_ldb),
            "MaximumPasswordAge": ("maxPwdAge", inf_to_ldb),
            "MinimumPasswordLength": ("minPwdLength", inf_to_ldb),
            "PasswordComplexity": ("pwdProperties", inf_to_ldb),
        }
        kerberos_policy = {
            "MaxTicketAge": ("kdc:user_ticket_lifetime", inf_to_kdc_tdb),
            "MaxServiceAge": ("kdc:service_ticket_lifetime", inf_to_kdc_tdb),
            "MaxRenewAge": ("kdc:renewal_lifetime", inf_to_kdc_tdb),
        }
        return {"System Access": system_access,
                "Kerberos Policy": kerberos_policy}
153