From 222d9a3ce27e17e64f9e261b8abd84e409f9eb45 Mon Sep 17 00:00:00 2001
From: Jim McDonough <jmcd@samba.org>
Date: Thu, 19 Feb 2004 21:37:24 +0000
Subject: Clean up bad pw count and autolock flag update fn()s (This used to be
 commit 9a79f9fbcb43085e419dbccd670a54256d01cb4b)

---
 source3/passdb/passdb.c | 174 ++++++++++++++++++++++++++----------------------
 1 file changed, 95 insertions(+), 79 deletions(-)

(limited to 'source3/passdb/passdb.c')

diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 86e3af4a2a..1f1b5bdae6 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -2209,26 +2209,34 @@ BOOL pdb_update_bad_password_count(SAM_ACCOUNT *sampass, BOOL *updated)
 	uint16 BadPasswordCount;
 	uint32 resettime; 
 
+	if (!sampass) return False;
+	
 	BadPasswordCount = pdb_get_bad_password_count(sampass);
-	if(BadPasswordCount > 0){
-		if (!account_policy_get(AP_RESET_COUNT_TIME, &resettime)) {
-			DEBUG(0, ("account_policy_get failed.\n"));
-			return False;
-		} else {
-			LastBadPassword = pdb_get_bad_password_time(sampass);
-			DEBUG(10, ("LastBadPassword=%d, resettime=%d.\n", 
-				   (uint32) LastBadPassword, resettime));
-			if (resettime && 
-			    (time(NULL) > (LastBadPassword + 
-					   (time_t)resettime*60))){
-				pdb_set_bad_password_count(sampass, 
-							   0, PDB_CHANGED);
-				pdb_set_bad_password_time(sampass, 0, 
-							  PDB_CHANGED);
-				*updated =True;
-			}		 		 
-		}
+	if (!BadPasswordCount) {
+		DEBUG(9, ("No bad password attempts.\n"));
+		return True;
+	}
+
+	if (!account_policy_get(AP_RESET_COUNT_TIME, &resettime)) {
+		DEBUG(0, ("pdb_update_bad_password_count: account_policy_get failed.\n"));
+		return False;
+	}
+
+	/* First, check if there is a reset time to compare */
+	if (!resettime) {
+		DEBUG(9, ("Reset time = 0, can't reset bad pw count\n"));
+		return True;
+	}
+
+	LastBadPassword = pdb_get_bad_password_time(sampass);
+	DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n", 
+		   (uint32) LastBadPassword, resettime, (uint32)time(NULL)));
+	if (time(NULL) > (LastBadPassword + (time_t)resettime*60)){
+		pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
+		pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
+		if (updated) *updated = True;
 	}
+
 	return True;
 }
 
@@ -2241,36 +2249,36 @@ BOOL pdb_update_autolock_flag(SAM_ACCOUNT *sampass, BOOL *updated)
 	uint32 duration;
 	time_t LastBadPassword;
 
-	if (!sampass)
-		return False;
+	if (!sampass) return False;
  
-	if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
-		if (!account_policy_get(AP_LOCK_ACCOUNT_DURATION, 
-					&duration)) {
-			DEBUG(0, ("pdb_update_autolock_flag: account_policy_get failed.\n"));
-			return False;
-		} else {
-			LastBadPassword = pdb_get_bad_password_time(sampass);
-			DEBUG(10, ("LastBadPassword=%d, duration=%d.\n",
-				   (uint32) LastBadPassword, duration*60 ));
-			if (duration && 
-			    (time(NULL) > 
-			     (LastBadPassword + (time_t)duration*60))){
-				DEBUG(10, ("LastBadPassword=%d, duration=%d.\n",
-					   (uint32) LastBadPassword,
-					   duration*60 ));
-				pdb_set_acct_ctrl(sampass,
-						  pdb_get_acct_ctrl(sampass) & ~ACB_AUTOLOCK,
-						  PDB_CHANGED);
-				pdb_set_bad_password_count(sampass, 
-							   0, PDB_CHANGED);
-				pdb_set_bad_password_time(sampass, 0, 
-							  PDB_CHANGED);
-				*updated =True;
-			}		 		 
-		}
+	if (!(pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK)) {
+		DEBUG(9, ("Account not autolocked, no check needed\n"));
+		return True;
 	}
 
+	if (!account_policy_get(AP_LOCK_ACCOUNT_DURATION, &duration)) {
+		DEBUG(0, ("pdb_update_autolock_flag: account_policy_get failed.\n"));
+		return False;
+	}
+
+	/* First, check if there is a duration to compare */
+	if (!duration) {
+		DEBUG(9, ("Lockout duration = 0, can't reset autolock\n"));
+		return True;
+	}
+		      
+	LastBadPassword = pdb_get_bad_password_time(sampass);
+	DEBUG(7, ("LastBadPassword=%d, duration=%d, current time =%d.\n",
+		  (uint32)LastBadPassword, duration*60, (uint32)time(NULL)));
+	if ((time(NULL) > (LastBadPassword + (time_t) duration * 60))) {
+		pdb_set_acct_ctrl(sampass,
+				  pdb_get_acct_ctrl(sampass) & ~ACB_AUTOLOCK,
+				  PDB_CHANGED);
+		pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
+		pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
+		if (updated) *updated = True;
+	}
+	
 	return True;
 }
 
@@ -2280,46 +2288,54 @@ BOOL pdb_update_autolock_flag(SAM_ACCOUNT *sampass, BOOL *updated)
 
 BOOL pdb_increment_bad_password_count(SAM_ACCOUNT *sampass)
 {
-	uint32 resettime;
 	uint32 account_policy_lockout;
-	time_t LastBadPassword;
+	BOOL autolock_updated = False, badpw_updated = False;
 
 	if (!sampass)
 		return False;
-		 
-	if (!account_policy_get(AP_RESET_COUNT_TIME, &resettime)) {
-		DEBUG(0, ("account_policy_get failed.\n"));
+
+	/* Retrieve the account lockout policy */
+	if (!account_policy_get(AP_BAD_ATTEMPT_LOCKOUT,
+				&account_policy_lockout)) {
+		DEBUG(0, ("pdb_increment_bad_password_count: account_policy_get failed.\n"));
 		return False;
-	} else {
-		LastBadPassword = pdb_get_bad_password_time(sampass);
-		DEBUG(10, ("LastBadPassword=%d, resettime=%d.\n", 
-			   (uint32) LastBadPassword, resettime));
-		DEBUG(10, ("time(null) = %d\n", (uint32) time(NULL)));
-		if ((resettime) && (LastBadPassword) &&
-		    (time(NULL) > (LastBadPassword + (time_t)resettime*60))){
-			pdb_set_bad_password_count(sampass, 1, PDB_CHANGED);
-		} else {
-			pdb_set_bad_password_count(sampass, 
-						   pdb_get_bad_password_count(sampass)+1,
-						   PDB_CHANGED);
-		}
-		pdb_set_bad_password_time(sampass, time(NULL), PDB_CHANGED);
+	}
 
-		if (!account_policy_get(AP_BAD_ATTEMPT_LOCKOUT,
-					&account_policy_lockout)) {
-			DEBUG(0, ("account_policy_get failed.\n"));
-			return False;
-		} else {
-			if (account_policy_lockout && 
-			    (pdb_get_bad_password_count(sampass) >= account_policy_lockout)) {
-				if (!pdb_set_acct_ctrl (sampass,
-							pdb_get_acct_ctrl(sampass) |ACB_AUTOLOCK,
-							PDB_CHANGED)) {
-					DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n")); 
-					return False;
-				}
-			}
-		}		 		 
+	/* If there is no policy, we don't need to continue checking */
+	if (!account_policy_lockout) {
+		DEBUG(9, ("No lockout policy, don't track bad passwords\n"));
 		return True;
 	}
+
+	/* Check if the autolock needs to be cleared */
+	if (!pdb_update_autolock_flag(sampass, &autolock_updated))
+		return False;
+
+	/* Check if the badpw count needs to be reset */
+	if (!pdb_update_bad_password_count(sampass, &badpw_updated))
+		return False;
+
+	/*
+	  Ok, now we can assume that any resetting that needs to be 
+	  done has been done, and just get on with incrementing
+	  and autolocking if necessary
+	*/
+
+	pdb_set_bad_password_count(sampass, 
+				   pdb_get_bad_password_count(sampass)+1,
+				   PDB_CHANGED);
+	pdb_set_bad_password_time(sampass, time(NULL), PDB_CHANGED);
+
+
+	if (pdb_get_bad_password_count(sampass) < account_policy_lockout) 
+		return True;
+
+	if (!pdb_set_acct_ctrl(sampass,
+			       pdb_get_acct_ctrl(sampass) | ACB_AUTOLOCK,
+			       PDB_CHANGED)) {
+		DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n")); 
+		return False;
+	}
+
+	return True;
 }
-- 
cgit