Revert "Issue 5749 - RFE - Allow Account Policy Plugin to handle inac…

…tivity and expiration at the same time" This reverts commit 2d1e145.
droideck · Sep 4, 2024 · 7b7e3b1 · 7b7e3b1
1 parent e8e916d
commit 7b7e3b1
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 282 deletions.
diff --git a/dirsrvtests/tests/suites/plugins/accpol_check_all_state_attrs_test.py b/dirsrvtests/tests/suites/plugins/accpol_check_all_state_attrs_test.py
diff --git a/ldap/servers/plugins/acctpolicy/acct_config.c b/ldap/servers/plugins/acctpolicy/acct_config.c
@@ -1,6 +1,5 @@
 /******************************************************************************
 Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
-Copyright (C) 2023 Red Hat, Inc.
 
 This program is free software; you can redistribute it and/or
 modify it under the terms of the GNU General Public License
@@ -105,19 +104,6 @@ acct_policy_entry2config(Slapi_Entry *e, acctPluginCfg *newcfg)
         slapi_ch_free_string(&newcfg->alt_state_attr_name); /*none - NULL */
     }                                                       /* else use configured value */
 
-    config_val = get_attr_string_val(e, CFG_CHECK_ALL_STATE_ATTRS);
-    if (config_val &&
-        (strcasecmp(config_val, "true") == 0 ||
-         strcasecmp(config_val, "yes") == 0 ||
-         strcasecmp(config_val, "on") == 0 ||
-         strcasecmp(config_val, "1") == 0))
-    {
-        newcfg->check_all_state_attrs = PR_TRUE;
-    } else {
-        newcfg->check_all_state_attrs = PR_FALSE;
-    }
-    slapi_ch_free_string(&config_val);
-
     newcfg->always_record_login_attr = get_attr_string_val(e, CFG_RECORD_LOGIN_ATTR);
     /* What user attribute will store the last login time
      * of a user. If empty, should have the same value as
@@ -162,10 +148,10 @@ acct_policy_entry2config(Slapi_Entry *e, acctPluginCfg *newcfg)
             rc = -1;
             newcfg->inactivitylimit = ULONG_MAX;
         }
-        slapi_ch_free_string(&config_val);
     } else {
         newcfg->inactivitylimit = ULONG_MAX;
     }
+    slapi_ch_free_string(&config_val);
 
     return (rc);
 }

diff --git a/ldap/servers/plugins/acctpolicy/acct_plugin.c b/ldap/servers/plugins/acctpolicy/acct_plugin.c
@@ -1,6 +1,5 @@
 /******************************************************************************
 Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
-Copyright (C) 2023 Red Hat, Inc.
 
 This program is free software; you can redistribute it and/or
 modify it under the terms of the GNU General Public License
@@ -80,99 +79,42 @@ acct_inact_limit(Slapi_PBlock *pb, const char *dn, Slapi_Entry *target_entry, ac
     int rc = 0; /* Optimistic default */
     acctPluginCfg *cfg;
 
-    cur_t = slapi_current_utc_time();
-
     config_rd_lock();
     cfg = get_config();
+    if ((lasttimestr = get_attr_string_val(target_entry,
+                                           cfg->state_attr_name)) != NULL) {
+        slapi_log_err(SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
+                      "acct_inact_limit - \"%s\" login timestamp is %s\n", dn, lasttimestr);
+    } else if (cfg->alt_state_attr_name && ((lasttimestr = get_attr_string_val(target_entry,
+                                                                               cfg->alt_state_attr_name)) != NULL)) {
+        slapi_log_err(SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
+                      "acct_inact_limit - \"%s\" alternate timestamp is %s\n", dn, lasttimestr);
+    } else {
+        /* the primary or alternate attribute might not yet exist eg.
+     * if only lastlogintime is specified and it id the first login
+     */
+        slapi_log_err(SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
+                      "acct_inact_limit - \"%s\" has no value for stateattr or altstateattr \n", dn);
+        goto done;
+    }
 
-    if (cfg->check_all_state_attrs) {
-        /*
-         * Check both state and alternate state attributes.
-         */
-        if ((lasttimestr = get_attr_string_val(target_entry, cfg->state_attr_name)) != NULL) {
-            slapi_log_err(SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
-                          "acct_inact_limit - \"%s\" login timestamp is %s (found in attribute '%s')\n",
-                          dn, lasttimestr, cfg->state_attr_name);
-            last_t = gentimeToEpochtime(lasttimestr);
-            lim_t = policy->inactivitylimit;
-            slapi_ch_free_string(&lasttimestr);
-
-            /* Finally do the time comparison */
-            if (cur_t > last_t + lim_t) {
-                slapi_log_err(SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
-                              "acct_inact_limit - \"%s\" has exceeded inactivity limit  (%ld > (%ld + %ld))\n",
-                              dn, cur_t, last_t, lim_t);
-                rc = 1;
-                goto done;
-            }
-        }
+    last_t = gentimeToEpochtime(lasttimestr);
+    cur_t = slapi_current_utc_time();
+    lim_t = policy->inactivitylimit;
 
-        /* Check alternate state attribute next... */
-        if (cfg->alt_state_attr_name &&
-                ((lasttimestr = get_attr_string_val(target_entry, cfg->alt_state_attr_name)) == NULL))
-        {
-            goto done;
-        }
+    /* Finally do the time comparison */
+    if (cur_t > last_t + lim_t) {
         slapi_log_err(SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
-                      "acct_inact_limit - \"%s\" alternate timestamp is %s (found in attribute '%s')\n",
-                      dn, lasttimestr, cfg->alt_state_attr_name);
-        last_t = gentimeToEpochtime(lasttimestr);
-        lim_t = policy->inactivitylimit;
-        slapi_ch_free_string(&lasttimestr);
-
-        /* Finally do the time comparison */
-        if (cur_t > last_t + lim_t) {
-            slapi_log_err(SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
-                          "acct_inact_limit - \"%s\" has exceeded inactivity limit  (%ld > (%ld + %ld))\n",
-                          dn, cur_t, last_t, lim_t);
-            rc = 1;
-            goto done;
-        }
+                      "acct_inact_limit - \"%s\" has exceeded inactivity limit  (%ld > (%ld + %ld))\n",
+                      dn, cur_t, last_t, lim_t);
+        rc = 1;
+        goto done;
+    } else {
         slapi_log_err(SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
                       "acct_inact_limit - \"%s\" is within inactivity limit (%ld < (%ld + %ld))\n",
                       dn, cur_t, last_t, lim_t);
-    } else {
-        /*
-         * Check state attribute, if not present in entry only then try
-         * alternate state attribute
-         */
-        if ((lasttimestr = get_attr_string_val(target_entry, cfg->state_attr_name)) != NULL) {
-            slapi_log_err(SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
-                          "acct_inact_limit - \"%s\" login timestamp is %s (found in attribute '%s')\n",
-                          dn, lasttimestr, cfg->state_attr_name);
-        } else if (cfg->alt_state_attr_name &&
-            ((lasttimestr = get_attr_string_val(target_entry, cfg->alt_state_attr_name)) != NULL))
-        {
-            slapi_log_err(SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
-                          "acct_inact_limit - \"%s\" alternate timestamp is %s (found in attribute '%s')\n",
-                          dn, lasttimestr, cfg->alt_state_attr_name);
-        } else {
-            /*
-             * The primary or alternate attribute might not yet exist eg.
-             * if only lastlogintime is specified and it is the first login
-             */
-            slapi_log_err(SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
-                          "acct_inact_limit - \"%s\" has no value for stateattr or altstateattr \n", dn);
-            goto done;
-        }
-
-        last_t = gentimeToEpochtime(lasttimestr);
-        lim_t = policy->inactivitylimit;
-        slapi_ch_free_string(&lasttimestr);
-
-        /* Finally do the time comparison */
-        if (cur_t > last_t + lim_t) {
-            slapi_log_err(SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
-                          "acct_inact_limit - \"%s\" has exceeded inactivity limit  (%ld > (%ld + %ld))\n",
-                          dn, cur_t, last_t, lim_t);
-            rc = 1;
-            goto done;
-        } else {
-            slapi_log_err(SLAPI_LOG_PLUGIN, PRE_PLUGIN_NAME,
-                          "acct_inact_limit - \"%s\" is within inactivity limit (%ld < (%ld + %ld))\n",
-                          dn, cur_t, last_t, lim_t);
-        }
     }
+
 done:
     config_unlock();
     /* Deny bind; the account has exceeded the inactivity limit */
@@ -183,6 +125,8 @@ acct_inact_limit(Slapi_PBlock *pb, const char *dn, Slapi_Entry *target_entry, ac
                                0, NULL);
     }
 
+    slapi_ch_free_string(&lasttimestr);
+
     return (rc);
 }
 
@@ -392,7 +336,8 @@ acct_bind_postop(Slapi_PBlock *pb)
             rc = -1;
             goto done;
         } else {
-            if (target_entry && has_attr(target_entry, cfg->spec_attr_name, NULL)) {
+            if (target_entry && has_attr(target_entry,
+                                         cfg->spec_attr_name, NULL)) {
                 tracklogin = 1;
             }
         }

diff --git a/ldap/servers/plugins/acctpolicy/acctpolicy.h b/ldap/servers/plugins/acctpolicy/acctpolicy.h
@@ -1,6 +1,5 @@
 /******************************************************************************
 Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
-Copyright (C) 2023 Red Hat, Inc.
 
 This program is free software; you can redistribute it and/or
 modify it under the terms of the GNU General Public License
@@ -25,7 +24,6 @@ Hewlett-Packard Development Company, L.P.
 
 #define CFG_LASTLOGIN_STATE_ATTR "stateAttrName"
 #define CFG_ALT_LASTLOGIN_STATE_ATTR "altStateAttrName"
-#define CFG_CHECK_ALL_STATE_ATTRS "checkAllStateAttrs"
 #define CFG_SPEC_ATTR "specAttrName"
 #define CFG_INACT_LIMIT_ATTR "limitAttrName"
 #define CFG_RECORD_LOGIN "alwaysRecordLogin"
@@ -61,7 +59,6 @@ typedef struct acct_plugin_cfg
     int always_record_login;
     char *always_record_login_attr;
     unsigned long inactivitylimit;
-    PRBool check_all_state_attrs;
 } acctPluginCfg;
 
 typedef struct accountpolicy