I have set up a FreeIPA server. I am facing an issue which is password is expired when a user is first created. So a new user should always set his password when he logs in for the first time which is defined in here. but I don't want this feature.
I am using this library to create or add user in FreeIPA.
So, I connect with FreeIPA like this-
private function getIPA()
{
$host = env('FREEIPA_HOST', 'cloud-host-ipa.com');
$certificate = database_path(env('FREEIPA_CERTIFICATE', 'ca.crt'));
try {
return new \FreeIPA\APIAccess\Main($host, $certificate);
} catch (Exception $e) {
throw new \ErrorException("Error {$e->getCode()}: {$e->getMessage()}");
return false;
}
}
private function getIPAConnection() //Ged authinticated admin IPA connection
{
$ipa = $this->getIPA();
try {
$auth = $ipa->connection()->authenticate(env('FREEIPA_ADMIN_NAME', 'oc-ipa-connector'), env('FREEIPA_ADMIN_PASS', 'ADMIN_PASS'));
if ($auth) {
return $ipa;
} else {
$auth_info = $ipa->connection()->getAuthenticationInfo();
$auth_info = implode(' ', $auth_info);
throw new \ErrorException("\nLogin Failed : {$auth_info}");
//return false;
}
} catch (Exception $e) {
throw new \ErrorException("\nError {$e->getCode()}: {$e->getMessage()}");
//return false;
}
}
Then add a user like this-
$ipa = $this->getIPAConnection();
try {
$new_user_data = array(
'givenname' => $givenname,
'sn' => $sn,
'uid' => $uid,
//'userpassword' => $_POST["userpassword"],
'mail' => $mail,
'mobile' => $phone
);
$add_user = $ipa->user()->add($new_user_data);
if ($add_user) {
return true;
}
} catch (Exception $e) {
throw new \ErrorException("Error {$e->getCode()}: {$e->getMessage()}");
return false;
}
This code works fine and user is added.
Then I am setting password with this code-
$ipa = $this->getIPAConnection();
try {
$user_info = $ipa->user()->get($uid);
if($user_info != false)
{
try {
$new_user_data = array(
'userpassword' => $password,
);
$mod_user = $ipa->user()->modify($uid, $new_user_data);
if ($mod_user) {
return true;
}
else
{
return false;
}
} catch (Exception $e) {
throw new \ErrorException("Error {$e->getCode()}: {$e->getMessage()}");
}
}
} catch (Exception $e) {
throw new \ErrorException("Error {$e->getCode()}: {$e->getMessage()}");
}
Password is also set perfectly. But the set password is expired automatically just after it is set.
I want my users to have this password for at least 1 week. So, I want to disable this feature. Is there any practical way?
Re-
I have created this issue in FreeIPA to provide us with a workaround, but the issue is closed and marked as - Closed: wontfix . So, I wonder if there exists a workaround?
The answer was provided in the link https://www.redhat.com/archives/freeipa-users/2012-June/msg00360.html.
There is a global policy for passwords that you can see from the command below:
[server]$ ipa pwpolicy-show
Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 1
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
You can create a new policy override for the group to which you are adding the user by running the command:
[server]$ ipa pwpolicy-add sysadmin --minlife=0
Priority: 50
Group: sysadmin
Min lifetime (hours): 0
Priority: 50
Now this policy overrides the global password policy and creates a policy just for the group.
If you want to modify the global policy, you can do the same with the command:
[server]$ ipa pwpolicy-mod global_policy --minlife=0
Group: global_policy
Max lifetime (days): 90
Min lifetime (hours): 0
History size: 0
Character classes: 0
Min length: 8
Max failures: 6
Failure reset interval: 60
Lockout duration: 600
Note the change in Min lifetime(hours) to 0 which causes password to never expire.
After you create the user you need to run this code from a script in the server:
echo -e $PASSWORD\n$PASSWORD\n$PASSWORD | kinit $username
kdestroy
Note that you need to send PASSWORD and username as parameters to the script and execute this script remotely.
See https://www.freeipa.org/page/New_Passwords_Expired - basically FreeIPA have a policy that admin-set passwords are immediately expired. I believe the "password lifetime" then only applies once the user has themselves changed their password.
Related
I need help about php artisan db:seed.
I installed Laratrust 5.2 for Laravel 7 and than i make upgrade from 5.2 to 6.
I follow this steps: https://laratrust.santigarcor.me/docs/6.x/upgrade.html;
This is how it works, everything is ok.
Later, I ran the command: php artisan migrate:fresh to get the new tables but I have a problem:
sviluppo#Mac-mini-di-sviluppo prova % php artisan migrate:fresh
Dropped all tables successfully.
Migration table created successfully.
Migrating: 2014_10_12_000000_create_users_table
Migrated: 2014_10_12_000000_create_users_table (0.04 seconds)
Migrating: 2014_10_12_100000_create_password_resets_table
Migrated: 2014_10_12_100000_create_password_resets_table (0.04 seconds)
Migrating: 2019_08_19_000000_create_failed_jobs_table
Migrated: 2019_08_19_000000_create_failed_jobs_table (0.02 seconds)
Migrating: 2022_09_26_102236_laratrust_setup_tables
Migrated: 2022_09_26_102236_laratrust_setup_tables (0.39 seconds)
Migrating: 2022_09_26_102709_create_roles_table
Illuminate\Database\QueryException
SQLSTATE[42S01]: Base table or view already exists: 1050 Table 'roles' already exists (SQL: create table `roles` (`id` bigint unsigned not null auto_increment primary key, `created_at` timestamp null, `updated_at` timestamp null) default character set utf8mb4 collate 'utf8mb4_unicode_ci')
at vendor/laravel/framework/src/Illuminate/Database/Connection.php:671
667| // If an exception occurs when attempting to run a query, we'll format the error
668| // message to include the bindings with SQL, which will make this exception a
669| // lot more helpful to the developer instead of just the database's errors.
670| catch (Exception $e) {
> 671| throw new QueryException(
672| $query, $this->prepareBindings($bindings), $e
673| );
674| }
675|
+9 vendor frames
10 database/migrations/2022_09_26_102709_create_roles_table.php:19
Illuminate\Support\Facades\Facade::__callStatic("create")
+32 vendor frames
43 artisan:37
Illuminate\Foundation\Console\Kernel::handle(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
sviluppo#Mac-mini-di-sviluppo visan-day-app %
And if i run:
sviluppo#Mac-mini-di-sviluppo prova % php artisan db:seed
Seeding: LaratrustSeeder
Truncating User, Role and Permission tables
The configuration has not been published. Did you run `php artisan vendor:publish --tag="laratrust-seeder"`
Seeded: LaratrustSeeder (0.03 seconds)
Database seeding completed successfully.
Info:
My file in laratrust.php e laratrust_seeder.php are config;
There are tables in the database/migrations;
It is present within database/seed/DatabaseSeeder.php => $this->call(LaratrustSeeder::class);
My file laratrustSeeder.php:
<?php
use Illuminate\Support\Facades\Schema;
use Illuminate\Database\Seeder;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Config;
class LaratrustSeeder extends Seeder
{
/**
* Run the database seeds.
*
* #return void
*/
public function run()
{
$this->truncateLaratrustTables();
$config = Config::get('laratrust_seeder.roles_structure');
if ($config === null) {
$this->command->error("The configuration has not been published. Did you run `php artisan vendor:publish --tag=\"laratrust-seeder\"`");
$this->command->line('');
return false;
}
$mapPermission = collect(config('laratrust_seeder.permissions_map'));
foreach ($config as $key => $modules) {
// Create a new role
$role = \App\Role::firstOrCreate([
'name' => $key,
'display_name' => ucwords(str_replace('_', ' ', $key)),
'description' => ucwords(str_replace('_', ' ', $key))
]);
$permissions = [];
$this->command->info('Creating Role '. strtoupper($key));
// Reading role permission modules
foreach ($modules as $module => $value) {
foreach (explode(',', $value) as $p => $perm) {
$permissionValue = $mapPermission->get($perm);
$permissions[] = \App\Permission::firstOrCreate([
'name' => $module . '-' . $permissionValue,
'display_name' => ucfirst($permissionValue) . ' ' . ucfirst($module),
'description' => ucfirst($permissionValue) . ' ' . ucfirst($module),
])->id;
$this->command->info('Creating Permission to '.$permissionValue.' for '. $module);
}
}
// Attach all permissions to the role
$role->permissions()->sync($permissions);
if (Config::get('laratrust_seeder.create_users')) {
$this->command->info("Creating '{$key}' user");
// Create default user for each role
$user = \App\User::create([
'name' => ucwords(str_replace('_', ' ', $key)),
'email' => $key.'#app.com',
'password' => bcrypt('password')
]);
$user->attachRole($role);
}
}
}
/**
* Truncates all the laratrust tables and the users table
*
* #return void
*/
public function truncateLaratrustTables()
{
$this->command->info('Truncating User, Role and Permission tables');
Schema::disableForeignKeyConstraints();
DB::table('permission_role')->truncate();
DB::table('permission_user')->truncate();
DB::table('role_user')->truncate();
if (Config::get('laratrust_seeder.truncate_tables')) {
DB::table('roles')->truncate();
DB::table('permissions')->truncate();
if (Config::get('laratrust_seeder.create_users')) {
$usersTable = (new \App\User)->getTable();
DB::table($usersTable)->truncate();
}
}
Schema::enableForeignKeyConstraints();
}
}
Thanks!
I want to test access to a method for a group of users with different roles in one test. I am trying to change the logged in user like this:
#Test
void allMenusAuthorizePermissions() throws Exception {
for (User user : ALL_ROLES_USERS) {
Authentication authentication = new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword(), user.getAuthorities());
SecurityContextHolder.clearContext();
SecurityContextHolder.getContext().setAuthentication(authentication);
log.debug("User role: " + user.getAuthorities());
if (user == ADMIN || user == EDITOR) {
perform(get(MenuEditorController.MENU_EDITOR_URL).principal(authentication))
.andExpect(status().isOk());
}else{
perform(get(MenuEditorController.MENU_EDITOR_URL).principal(authentication))
.andExpect(status().isForbidden());
}
}
}
But no matter how hard I try, perform(get (...)) is always performed from the first user from the ALL_ROLES_USERS array. This can be seen from the log:
o.s.s.a.i.a.MethodSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken#e74255f0: Principal: +79990200001; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: CLIENT
-the same user in every iteration!
Any idea why this might be happening? Maybe perform(get(...)) is passing the JSESSIONID of the first user? I don't know where to dig anymore
You need to use:
#Test
void allMenusAuthorizePermissions() throws Exception {
for (User user : ALL_ROLES_USERS) {
log.debug("User role: " + user.getAuthorities());
if (user == ADMIN || user == EDITOR) {
// perform(get(MenuEditorController.MENU_EDITOR_URL).with(SecurityMockMvcRequestPostProcessors.user(user.getUsername()).authorities(user.getAuthorities())))
perform(get(MenuEditorController.MENU_EDITOR_URL).with(SecurityMockMvcRequestPostProcessors.user(user)))
.andExpect(status().isOk());
}else{
perform(get(MenuEditorController.MENU_EDITOR_URL).with(SecurityMockMvcRequestPostProcessors.user(user)))
.andExpect(status().isForbidden());
}
}
}
How to Mock the security context in Spring MVC for testing
i'm coding a Discord bot with JDA 4.1.1_101. I created the "ban" command, but i can't make the unban command work. I can't really understand why... Thank you for your help.
if (args[0].equalsIgnoreCase(Main.prefix + "unban")) {
if(event.getGuild().getSelfMember().hasPermission(Permission.BAN_MEMBERS)) {
if (args.length > 0 && args.length < 3) {
try {
event.getMessage().delete().queue();
User member = event.getMessage().getMentionedMembers().get(0).getUser();
String id = member.getId();
event.getGuild().unban(id).queue();
EmbedBuilder ban = new EmbedBuilder();
ban.setColor(Color.GREEN);
ban.setTitle("UnBan");
ban.setDescription("UnBan Report");
ban.addField("Staffer: ", event.getMessage().getAuthor().getName(), true);
ban.addField("Unban: ", member.getName(), true);
logs.sendMessage(ban.build()).queue();
} catch (IndexOutOfBoundsException exx) {
EmbedBuilder error = new EmbedBuilder();
error.setColor(0xff3923);
error.setTitle("Error: User");
error.setDescription("Invalid user.");
event.getChannel().sendMessage(error.build()).queue(message -> {
message.delete().queueAfter(5, TimeUnit.SECONDS);
});
}
} else {
EmbedBuilder error = new EmbedBuilder();
error.setColor(0xff3923);
error.setTitle("Error: Wrong usage.");
error.setDescription("Use: .unban [#user].");
event.getChannel().sendMessage(error.build()).queue(message -> {
message.delete().queueAfter(5, TimeUnit.SECONDS);
});
}
}
}
The problem is, that you are trying to retrieve the user from the mention in the message.
Since the user isn't part of the guild anymore, it seems like this doesn't work.
In order to work around this issue, you have to retrieve the ID manually.
A mention is always in the format <#userid> or <!#userid>.
To get the ID you could just split the message and replace the unnecessary parts, e.g. String id = event.getMessage().getContentRaw().split("<")[1].split(">")[0].replace("!", "").replace("#", "");
I'm sure there are better and smoother ways for doing this. ;)
A better way of retrieving the ID would be using a regex such as <#!?(\d+)> as mentioned by Minn.
In order to get the name of the user, you just need the ID via event.getJDA().getUserById(id).getName().
It's important to mention that you can't properly mention a user who isn't on the server (which is the case when they are banned).
(Addition: I tried using .getMentionedUsers() with the same result as OP.)
I have a Jenkinsfile with multiple stages and one of them is in fact another job (the deploy one) which can fail in some cases.
I know that I can made prompts using Jenkinsfile but I don't really know how to implement a retry mechanism for this job.
I want to be able to click on the failed stage and choose to retry it.
You should be able to combine retry + input to do that
Something like that
stage('deploy-test') {
try {
build 'yourJob'
} catch(error) {
echo "First build failed, let's retry if accepted"
retry(2) {
input "Retry the job ?"
build 'yourJob'
}
}
}
you could also use timeout for the input if you want it to finish if nobody validates.
There is also waitUntil that might be useful but i haven't used it yet
Edit :
WaitUntil seems definitely the best, you should play with it a bit but something like that is cleaner :
stage('deploy-test') {
waitUntil {
try {
build 'yourJob'
} catch(error) {
input "Retry the job ?"
false
}
}
}
By the way, there is doc all of the steps here https://jenkins.io/doc/pipeline/steps
This one with a nice incremental wait
stage('deploy-test') {
def retryAttempt = 0
retry(2) {
if (retryAttempt > 0) {
sleep(1000 * 2 + 2000 * retryAttempt)
}
retryAttempt = retryAttempt + 1
input "Retry the job ?"
build 'yourJob'
}
}
This gist (not mine) was one of the better options that I found while trying to implement this functionality too. https://gist.github.com/beercan1989/b66b7643b48434f5bdf7e1c87094acb9
Changed it to a method in a shared library that just did retry or abort for my needs. Also added a max retries and made the timeout variable so that we could change it depending on the job or stage that needs it.
package com.foo.bar.jenkins
def class PipelineHelper {
def steps
PipelineHelper(steps) {
this.steps = steps
}
void retryOrAbort(final Closure<?> action, int maxAttempts, int timeoutSeconds, final int count = 0) {
steps.echo "Trying action, attempt count is: ${count}"
try {
action.call();
} catch (final exception) {
steps.echo "${exception.toString()}"
steps.timeout(time: timeoutSeconds, unit: 'SECONDS') {
def userChoice = false
try {
userChoice = steps.input(message: 'Retry?', ok: 'Ok', parameters: [
[$class: 'BooleanParameterDefinition', defaultValue: true, description: '', name: 'Check to retry from failed stage']])
} catch (org.jenkinsci.plugins.workflow.steps.FlowInterruptedException e) {
userChoice = false
}
if (userChoice) {
if (count <= maxAttempts) {
steps.echo "Retrying from failed stage."
return retryOrAbort(action, maxAttempts, timeoutMinutes, count + 1)
} else {
steps.echo "Max attempts reached. Will not retry."
throw exception
}
} else {
steps.echo 'Aborting'
throw exception;
}
}
}
}
}
Example usage with a max of 2 retries that waits for 60s for input.
def pipelineHelper = new PipelineHelper(this)
stage ('Retry Example'){
pipelineHelper.retryOrAbort({
node{
echo 'Here is an example'
throw new RuntimeException('This example will fail.')
}
}, 2, 60)
}
Just remember to put nodes inside of the closure so that waiting for an input doesn't block an executor.
If you have the paid jenkins enterprise Cloudbees has a Checkpoint plugin that can better handle this, but it is not planned to be release for open source Jenkins (JENKINS-33846).
I am pissed off with this problem from 2 days.
I am using MODx Revolution 2.2.5 (traditional) and want to login to modx from external server just to fetch some user details.
1) I know that runprocessor method works only if i am logged in to manager (unfortunately, that's the only way i know to login user in) So i tried IFRAME method to avoid (cross scripting) it worked perfectly but i am not able to read the data from IFRAME using javascript because of same issue, cross domain access policy.
When i try to post data using some other method like CURL, Ajax using
header("Access-Control-Allow-Origin: *");
I am able to login (I see $response->response['success'] == 1) but cant access any data and it says
Fatal error: Call to a member function get() on a non-object
Below is the snippet code i am using
if(isset($_POST) && count($_POST)){
$c = array(
'username' => $_POST['username'],
'password' => $_POST['password']
);
$response = $modx->runProcessor('security/login',$c);
if($response->response['success'] == 1){
$user['id'] = $modx->user->get('id');
$profile = $modx->user->getOne('Profile');
$user['fullname'] = $profile->get('fullname');
$user['email'] = $profile->get('email');
echo json_encode($user);
}else{
echo json_encode($response->response);
}
}
2) I can use login snippet but it doesnt return output what i expect. We have ready site and we are already using login plugin so i cant even modify login plugin to respond with expected data
How can i login to modx using api or any other method ??
You are really attacking this problem completely wrong in my opinion. If you want to access a server/webpage from another, you don't iFrame and do it the way you are. That is hacking, and this hole will most likely be fixed in a future version.
What you SHOULD do is connecting to the database and just gather the information from the user-table.
No hacking, no "tricks", won't stop working and much safer.
Well, I sorted out this today, Below is the complete come that worked perfectly.
Pay attention to
header("Access-Control-Allow-Origin: http://www.xyz.com");
Using above CORS specification you can allow 2 servers to communication.
header("Access-Control-Allow-Origin: http://www.xyz.com");
if(isset($_POST['username']) && isset($_POST['password'])){
// get username and password from POST array
$username = $modx->sanitizeString($_POST['username']);
$password = $modx->sanitizeString($_POST['password']);
if(trim($username) != "" and trim($password) != ""){
// Load lexicons to show proper error messages
if (!isset($modx->lexicon) || !is_object($modx->lexicon)) {
$modx->getService('lexicon','modLexicon');
}
$modx->lexicon->load('login');
$loginContext= isset ($scriptProperties['login_context']) ? $scriptProperties['login_context'] :
$modx->context->get('key');
$addContexts= isset ($scriptProperties['add_contexts']) && !empty($scriptProperties['add_contexts']) ? explode(',', $scriptProperties['add_contexts']) : array();
$mgrEvents = ($loginContext == 'mgr');
$givenPassword = $password;
/** #var $user modUser */
$user= $modx->getObjectGraph('modUser', '{"Profile":{},"UserSettings":{}}', array ('modUser.username' => $username));
if (!$user) {
$ru = $modx->invokeEvent("OnUserNotFound", array(
'user' => &$user,
'username' => $username,
'password' => $password,
'attributes' => array(
'loginContext' => $loginContext,
)
));
if (!empty($ru)) {
foreach ($ru as $obj) {
if (is_object($obj) && $obj instanceof modUser) {
$user = $obj;
break;
}
}
}
if (!is_object($user) || !($user instanceof modUser)) {
//echo "cant locate account";
echo $modx->toJSON($modx->error->failure($modx->lexicon('login_cannot_locate_account')));
exit;
}
}
if (!$user->get('active')) {
//echo "inactivated accout";
echo $modx->toJSON($modx->error->failure($modx->lexicon('login_user_inactive')));
exit;
}
if (!$user->passwordMatches($givenPassword)) {
if (!array_key_exists('login_failed', $_SESSION)) {
$_SESSION['login_failed'] = 0;
}
if ($_SESSION['login_failed'] == 0) {
$flc = ((integer) $user->Profile->get('failedlogincount')) + 1;
$user->Profile->set('failedlogincount', $flc);
$user->Profile->save();
$_SESSION['login_failed']++;
} else {
$_SESSION['login_failed'] = 0;
}
//echo "wrong username pass";
echo $modx->toJSON($modx->error->failure($modx->lexicon('login_username_password_incorrect')));
exit;
}
$fullname = $user->Profile->get('fullname');
echo '{"success":true,"message":"Welcome '.$fullname.'!"}';
}else{
echo '{"success":false,"message":"Please enter username and password"}';
}
}