47e52e2e34
This patch exports a new option, `password_next_logon`, which determines what will happen at the next logon in certain conditions. The option can accept three possible arguments: `always`, which forces the user to change the password at next logon, 'no', which doesn't change anything and `clear_text_injected_only`, which forces the user to change the password at the next logon if the password comes in clear text from the metadata. Change-Id: Ic6a0526ea9c9902e183898c42497133a135b5c53
66 lines
2.4 KiB
Python
66 lines
2.4 KiB
Python
# Copyright 2015 Cloudbase Solutions Srl
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from oslo.config import cfg
|
|
|
|
from cloudbaseinit.osutils import factory
|
|
from cloudbaseinit.plugins.common import setuserpassword
|
|
|
|
CLEAR_TEXT_INJECTED_ONLY = 'clear_text_injected_only'
|
|
ALWAYS_CHANGE = 'always'
|
|
NEVER_CHANGE = 'no'
|
|
LOGON_PASSWORD_CHANGE_OPTIONS = [
|
|
CLEAR_TEXT_INJECTED_ONLY,
|
|
NEVER_CHANGE,
|
|
ALWAYS_CHANGE,
|
|
]
|
|
|
|
opts = [
|
|
cfg.StrOpt('first_logon_behaviour',
|
|
default=CLEAR_TEXT_INJECTED_ONLY,
|
|
choices=LOGON_PASSWORD_CHANGE_OPTIONS,
|
|
help='Control the behaviour of what happens at '
|
|
'next logon. If this option is set to `always`, '
|
|
'then the user will be forced to change the password '
|
|
'at next logon. If it is set to '
|
|
'`clear_text_injected_only`, '
|
|
'then the user will have to change the password only if '
|
|
'the password is a clear text password, coming from the '
|
|
'metadata. The last option is `no`, when the user is '
|
|
'never forced to change the password.'),
|
|
|
|
]
|
|
|
|
CONF = cfg.CONF
|
|
CONF.register_opts(opts)
|
|
|
|
|
|
class SetUserPasswordPlugin(setuserpassword.SetUserPasswordPlugin):
|
|
"""Plugin for changing the password, tailored to Windows."""
|
|
|
|
def post_set_password(self, username, _, password_injected=False):
|
|
"""Post set password logic
|
|
|
|
If the option is activated, force the user to change the
|
|
password at next logon.
|
|
"""
|
|
if CONF.first_logon_behaviour == NEVER_CHANGE:
|
|
return
|
|
|
|
clear_text = CONF.first_logon_behaviour == CLEAR_TEXT_INJECTED_ONLY
|
|
always = CONF.first_logon_behaviour == ALWAYS_CHANGE
|
|
if always or (clear_text and password_injected):
|
|
osutils = factory.get_os_utils()
|
|
osutils.change_password_next_logon(username)
|