authorGreg Hudson <ghudson@mit.edu>2009-10-25 16:55:12 +0000
committerGreg Hudson <ghudson@mit.edu>2009-10-25 16:55:12 +0000
commit8d31a9d396f5bea88def4db395ad12dca2ac2e9f (patch)
tree244f8f5b525432a2a2a280403f38d7b2fbdc0dfd /src/lib/kadm5/srv
parentb82e46df9b6cbf663512985a99c6d79f2b0cb796 (diff)
Account lockout
Merge Luke's users/lhoward/lockout2 branch to trunk. Implements account lockout policies for preauth-using principals using existing principal metadata fields and new policy fields. The kadmin API version is bumped from 2 to 3 to compatibly extend the policy_ent_rec structure. ticket: 6577 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23038 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/kadm5/srv')
-rw-r--r--src/lib/kadm5/srv/server_init.c2
-rw-r--r--src/lib/kadm5/srv/server_kdb.c3
-rw-r--r--src/lib/kadm5/srv/svr_policy.c33
-rw-r--r--src/lib/kadm5/srv/svr_principal.c37
4 files changed, 69 insertions, 6 deletions
diff --git a/src/lib/kadm5/srv/server_init.c b/src/lib/kadm5/srv/server_init.c
index 47bc22c..d5426f8 100644
--- a/src/lib/kadm5/srv/server_init.c
+++ b/src/lib/kadm5/srv/server_init.c
@@ -273,7 +273,7 @@ kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass,
return ENOMEM;
}
*handle->lhandle = *handle;
- handle->lhandle->api_version = KADM5_API_VERSION_2;
+ handle->lhandle->api_version = KADM5_API_VERSION_3;
handle->lhandle->struct_version = KADM5_STRUCT_VERSION;
handle->lhandle->lhandle = handle->lhandle;
diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c
index 47f00c0..fe2020d 100644
--- a/src/lib/kadm5/srv/server_kdb.c
+++ b/src/lib/kadm5/srv/server_kdb.c
@@ -395,6 +395,9 @@ kdb_put_entry(kadm5_server_handle_t handle,
one = 1;
+ /* we are always updating TL data */
+ kdb->mask |= KADM5_TL_DATA;
+
ret = krb5_db_put_principal(handle->context, kdb, &one);
if (ret)
return(ret);
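Review bot: The new comment above `kdb->mask |= KADM5_TL_DATA;` says what the line does but not why the bit is forced on regardless of the mask the caller supplied. Presumably kdb_put_entry serializes the admin data it is handed into a TL-data element on every call, so the provider must be told to store TL data even when the caller's mask did not include it; that rationale belongs in the comment, e.g. `/* kdb_put_entry always rewrites the admin TL data, so force the bit on for the provider regardless of the caller's mask. */`. kdb_put_entry's body starts outside the hunk, so confirm the TL-data write before adopting that wording.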
diff --git a/src/lib/kadm5/srv/svr_policy.c b/src/lib/kadm5/srv/svr_policy.c
index 5b7828c..0d8c5ce 100644
--- a/src/lib/kadm5/srv/svr_policy.c
+++ b/src/lib/kadm5/srv/svr_policy.c
@@ -140,6 +140,26 @@ kadm5_create_policy_internal(void *server_handle,
pent.policy_refcnt = 0;
else
pent.policy_refcnt = entry->policy_refcnt;
+
+ if (handle->api_version == KADM5_API_VERSION_3) {
+ if (!(mask & KADM5_PW_MAX_FAILURE))
+ pent.pw_max_fail = 0;
+ else
+ pent.pw_max_fail = entry->pw_max_fail;
+ if (!(mask & KADM5_PW_FAILURE_COUNT_INTERVAL))
+ pent.pw_failcnt_interval = 0;
+ else
+ pent.pw_failcnt_interval = entry->pw_failcnt_interval;
+ if (!(mask & KADM5_PW_LOCKOUT_DURATION))
+ pent.pw_lockout_duration = 0;
+ else
+ pent.pw_lockout_duration = entry->pw_lockout_duration;
+ } else {
+ pent.pw_max_fail = 0;
+ pent.pw_failcnt_interval = 0;
+ pent.pw_lockout_duration = 0;
+ }
+
if ((ret = krb5_db_create_policy(handle->context, &pent)))
return ret;
else
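Review bot: The `handle->api_version == KADM5_API_VERSION_3` test at the top of the added block ties the lockout fields to exactly one API version, and the same equality test is repeated in the kadm5_modify_policy_internal and kadm5_get_policy hunks below. When the API version is next bumped, a newer client would silently have `pw_max_fail`, `pw_failcnt_interval` and `pw_lockout_duration` zeroed on create, ignored on modify and never returned on get, which disables lockout without any error being reported. Since the commit describes the structure as compatibly extended, `if (handle->api_version >= KADM5_API_VERSION_3) {` is the safer form in all three places. kadm5_create_policy_internal starts before the hunk.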
@@ -248,6 +268,14 @@ kadm5_modify_policy_internal(void *server_handle,
}
if ((mask & KADM5_REF_COUNT))
p->policy_refcnt = entry->policy_refcnt;
+ if (handle->api_version == KADM5_API_VERSION_3) {
+ if ((mask & KADM5_PW_MAX_FAILURE))
+ p->pw_max_fail = entry->pw_max_fail;
+ if ((mask & KADM5_PW_FAILURE_COUNT_INTERVAL))
+ p->pw_failcnt_interval = entry->pw_failcnt_interval;
+ if ((mask & KADM5_PW_LOCKOUT_DURATION))
+ p->pw_lockout_duration = entry->pw_lockout_duration;
+ }
ret = krb5_db_put_policy(handle->context, p);
krb5_db_free_policy(handle->context, p);
return ret;
@@ -286,6 +314,11 @@ kadm5_get_policy(void *server_handle, kadm5_policy_t name,
entry->pw_min_classes = t->pw_min_classes;
entry->pw_history_num = t->pw_history_num;
entry->policy_refcnt = t->policy_refcnt;
+ if (handle->api_version == KADM5_API_VERSION_3) {
+ entry->pw_max_fail = t->pw_max_fail;
+ entry->pw_failcnt_interval = t->pw_failcnt_interval;
+ entry->pw_lockout_duration = t->pw_lockout_duration;
+ }
krb5_db_free_policy(handle->context, t);
return KADM5_OK;
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 1a60f52..7ba89ec 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -650,8 +650,6 @@ kadm5_modify_principal(void *server_handle,
kdb.pw_expiration = entry->pw_expiration;
if (mask & KADM5_MAX_RLIFE)
kdb.max_renewable_life = entry->max_renewable_life;
- if (mask & KADM5_FAIL_AUTH_COUNT)
- kdb.fail_auth_count = entry->fail_auth_count;
if((mask & KADM5_KVNO)) {
for (i = 0; i < kdb.n_key_data; i++)
@@ -674,6 +672,20 @@ kadm5_modify_principal(void *server_handle,
}
}
+ /*
+ * Setting entry->fail_auth_count to 0 can be used to manually unlock
+ * an account. It is not possible to set fail_auth_count to any other
+ * value using kadmin.
+ */
+ if (mask & KADM5_FAIL_AUTH_COUNT) {
+ if (entry->fail_auth_count != 0) {
+ ret = KADM5_BAD_SERVER_PARAMS;
+ goto done;
+ }
+
+ kdb.fail_auth_count = 0;
+ }
+
/* let the mask propagate to the database provider */
kdb.mask = mask;
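Review bot: The added `fail_auth_count` validation sits after the KVNO loop above it has already rewritten `kdb.key_data`, so a rejected value leaves through `done` with a partially modified in-memory entry. That is harmless as long as `done` only releases the entry, but argument validation is easier to audit when it happens with the other mask checks before any field of `kdb` is touched; consider moving the `!= 0` check to the top of the function. The comment could also say why zero is the only accepted value, e.g. `/* The KDC maintains this counter; kadmin may only reset it to unlock the account. */` — hedged here, since who owns the counter is not visible in the hunk. The `done` label and the start of kadm5_modify_principal are outside the hunk.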
@@ -1443,8 +1455,13 @@ kadm5_chpass_principal_3(void *server_handle,
if (ret)
goto done;
+ /* unlock principal on this KDC */
+ kdb.fail_auth_count = 0;
+
/* key data and attributes changed, let the database provider know */
- kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES /* | KADM5_CPW_FUNCTION */;
+ kdb.mask = KADM5_KEY_DATA | KADM5_ATTRIBUTES |
+ KADM5_FAIL_AUTH_COUNT;
+ /* | KADM5_CPW_FUNCTION */
if ((ret = kdb_put_entry(handle, &kdb, &adb)))
goto done;
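Review bot: The `/* | KADM5_CPW_FUNCTION */` fragment is commented-out code carried over from the old line and now sits on a line of its own after the `kdb.mask` statement, where it reads as an orphaned comment; either drop it or replace it with a sentence explaining why that flag is not set. The randkey hunk at `@@ -1585` has the same leftover, `/* | KADM5_RANDKEY_USED */;`, and there the trailing `;` is a stray empty statement that should go too. In both places the mask now carries KADM5_FAIL_AUTH_COUNT alongside the `kdb.fail_auth_count = 0;` reset, which is consistent. The enclosing functions start and end outside the hunks.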
@@ -1576,7 +1593,10 @@ kadm5_randkey_principal_3(void *server_handle,
if (ret)
goto done;
- if (keyblocks) {
+ /* unlock principal on this KDC */
+ kdb.fail_auth_count = 0;
+
+ if (keyblocks) {
ret = decrypt_key_data(handle->context, act_mkey,
kdb.n_key_data, kdb.key_data,
keyblocks, n_keys);
@@ -1585,7 +1605,8 @@ kadm5_randkey_principal_3(void *server_handle,
}
/* key data changed, let the database provider know */
- kdb.mask = KADM5_KEY_DATA /* | KADM5_RANDKEY_USED */;
+ kdb.mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;
+ /* | KADM5_RANDKEY_USED */;
if ((ret = kdb_put_entry(handle, &kdb, &adb)))
goto done;
@@ -1753,6 +1774,9 @@ kadm5_setv4key_principal(void *server_handle,
if (ret)
goto done;
+ /* unlock principal on this KDC */
+ kdb.fail_auth_count = 0;
+
if ((ret = kdb_put_entry(handle, &kdb, &adb)))
goto done;
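Review bot: The reset `kdb.fail_auth_count = 0;` added before kdb_put_entry is not accompanied by a visible `KADM5_FAIL_AUTH_COUNT` bit in `kdb.mask`, unlike the chpass and randkey hunks above which add that bit explicitly; the same applies to the kadm5_setkey_principal_3 hunk below. If the mask for these paths is assigned outside the hunk without that bit, a provider that honours the mask could leave the stored counter unchanged and the account still locked after a key change. Confirm the mask assignment in both functions and add `| KADM5_FAIL_AUTH_COUNT` where it is missing. Both functions start and end outside their hunks.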
@@ -1990,6 +2014,9 @@ kadm5_setkey_principal_3(void *server_handle,
if ((ret = krb5_dbe_update_last_pwd_change(handle->context, &kdb, now)))
goto done;
+ /* unlock principal on this KDC */
+ kdb.fail_auth_count = 0;
+
if ((ret = kdb_put_entry(handle, &kdb, &adb)))
goto done;