feat: password warning

NethServer/dev#7229

Author: gsanchietti

core/imageroot/etc/nethserver/password_warning/default_en.sbj

@@ -0,0 +1 @@
+Password expiration

core/imageroot/etc/nethserver/password_warning/default_en.tmpl

@@ -0,0 +1,62 @@
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>Password expiration notice</title>
+    <style>
+        body {
+            font-family: Arial, sans-serif;
+            background-color: #f4f4f4;
+            margin: 0;
+            padding: 0;
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            height: 100vh;
+        }
+        .container {
+            width: 100%;
+            max-width: 600px;
+            padding: 4rem 2.5rem;
+            border-radius: 0.75rem;
+            background: #FFF;
+            box-shadow: 0px 2px 4px 0px rgba(0, 0, 0, 0.06), 0px 4px 6px 0px rgba(0, 0, 0, 0.10);
+            text-align: center;
+        }
+        .header {
+            padding: 1.5rem 1rem;
+            border-radius: 0.375rem;
+            background: #F3F4F6;
+        }
+        .button {
+            display: inline-block;
+            padding: 0.5rem 0.75rem;
+            border-radius: 0.375rem;
+            background: #1D4ED8;
+            color: white;
+            text-decoration: none;
+            box-shadow: 0px 1px 2px 0px rgba(0, 0, 0, 0.05);
+            transition: background-color 0.3s ease;
+            margin-top: 1rem;
+        }
+        .button:hover {
+            background: #1E40AF;
+        }
+        .footer {
+            font-size: 12px;
+            color: #4B5563;
+            margin-top: 1.5rem;
+        }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="header">
+            <h1>Password expiration notice</h1>
+        </div>
+        <p>Dear $name ($user),</p>
+        <p>your password is expiring in <strong>$days days</strong>. To ensure the security of your account, please change your password before it expires.</p>
+        <a href="$portal_url" class="button">Change password</a>
+        <p class="footer">For assistance or further inquiries, please reach out to your administrator.</p>
+    </div>
+</body>
+</html>

core/imageroot/etc/nethserver/password_warning/default_it.sbj

@@ -0,0 +1 @@
+Scadenza password

core/imageroot/etc/nethserver/password_warning/default_it.tmpl

@@ -0,0 +1,62 @@
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>Avviso di scadenza password</title>
+    <style>
+        body {
+            font-family: Arial, sans-serif;
+            background-color: #f4f4f4;
+            margin: 0;
+            padding: 0;
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            height: 100vh;
+        }
+        .container {
+            width: 100%;
+            max-width: 600px;
+            padding: 4rem 2.5rem;
+            border-radius: 0.75rem;
+            background: #FFF;
+            box-shadow: 0px 2px 4px 0px rgba(0, 0, 0, 0.06), 0px 4px 6px 0px rgba(0, 0, 0, 0.10);
+            text-align: center;
+        }
+        .header {
+            padding: 1.5rem 1rem;
+            border-radius: 0.375rem;
+            background: #F3F4F6;
+        }
+        .button {
+            display: inline-block;
+            padding: 0.5rem 0.75rem;
+            border-radius: 0.375rem;
+            background: #1D4ED8;
+            color: white;
+            text-decoration: none;
+            box-shadow: 0px 1px 2px 0px rgba(0, 0, 0, 0.05);
+            transition: background-color 0.3s ease;
+            margin-top: 1rem;
+        }
+        .button:hover {
+            background: #1E40AF;
+        }
+        .footer {
+            font-size: 12px;
+            color: #4B5563;
+            margin-top: 1.5rem;
+        }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="header">
+            <h1>Avviso di scadenza password</h1>
+        </div>
+        <p>Gentile $name ($user),</p>
+        <p>la tua password scadrà tra <strong>$days giorni</strong>. Per garantire la sicurezza del tuo account, ti invitiamo a cambiarla prima della scadenza.</p>
+        <a href="$portal_url" class="button">Cambia password</a>
+        <p class="footer">Per assistenza o ulteriori informazioni, contatta l'amministratore.</p>
+    </div>
+</body>
+</html>

core/imageroot/etc/systemd/system/password-warning.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Domain user password notification
+
+[Service]
+Type=oneshot
+ExecStart=runagent -m cluster notify-password-warning

core/imageroot/etc/systemd/system/password-warning.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Domain user password notification trigger
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+RandomizedDelaySec=3600
+
+[Install]
+WantedBy=timers.target

core/imageroot/usr/local/agent/bin/ns8-sendmail

@@ -0,0 +1,117 @@
+#!/usr/bin/env python3
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+# This script reads a mail from stdin and sends it using Python's smtplib
+# It takes as arguments the recipient
+
+import re
+import ssl
+import sys
+import agent
+import smtplib
+import argparse
+from email.mime.text import MIMEText
+from email.mime.multipart import MIMEMultipart
+
+def get_content_type(body):
+    """
+    Determine if the input string is HTML or plain text.
+
+    Args:
+        input_string (str): The string to analyze.
+
+    Returns:
+        str: 'html' if the string is HTML, 'plain' otherwise.
+    """
+    # Define a simple regex pattern to detect HTML tags
+    html_pattern = re.compile(r'<[^>]+>')
+    
+    # Search for HTML tags in the input string
+    if re.search(html_pattern, body):
+        return 'html'
+    else:
+        return 'plain'
+    
+
+def main():
+    """
+    Main function to send an email using cluster notification settings.
+    This function parses command-line arguments to get email recipients, subject, and from address.
+    It reads the email body from stdin and retrieves SMTP configuration from a Redis database.
+    Depending on the SMTP configuration, it sets up an appropriate connection (plain, STARTTLS, or SSL/TLS),
+    authenticates if necessary, and sends the email.
+    Command-line arguments:
+    - recipients: List of email recipients.
+    - -s, --subject: Subject of the email.
+    - -f, --from: From address of the email.
+    Raises:
+    - SystemExit: If no recipients are provided or if the smarthost is not enabled.
+    """
+    # Accept the following arguments
+    # argv[1] to argv[n] = recipient
+    # -s = subject
+    # -f = from
+
+    # Parse the arguments
+    parser = argparse.ArgumentParser(description='Send an email using cluster notification settings.')
+    parser.add_argument('recipients', metavar='R', type=str, nargs='*', help='Email recipients')
+    parser.add_argument('-s', '--subject', type=str, default='', help='Email subject')
+    parser.add_argument('-f', '--from', dest='from_addr', type=str, default=f'no-reply@{agent.get_hostname()}', help='From address')
+
+    args = parser.parse_args()
+
+    # Check if recipients list is empty
+    if not args.recipients:
+        print("Error: At least one recipient is required.", file=sys.stderr)
+        sys.exit(1)
+
+    # Read mail body from stdin
+    body = sys.stdin.read()
+
+    # Read SMTP cluser configuration
+    rdb = agent.redis_connect(use_replica=True)
+    smtp_config = agent.get_smarthost_settings(rdb)
+    if not smtp_config['enabled']:
+        print("Error: Smarthost is not enabled.", file=sys.stderr)
+        sys.exit(1)
+
+    # Create a SSL context
+    ctx = ssl.create_default_context()
+    if not smtp_config['tls_verify']:
+        ctx.check_hostname = False
+        ctx.verify_mode = ssl.CERT_NONE
+
+    # Setup connection based on encrypt_smtp value.
+    # Possible values: none, starttls, tls
+    if smtp_config['encrypt_smtp'] == 'tls':
+        smtp = smtplib.SMTP_SSL(smtp_config['host'], smtp_config['port'], context=ctx)
+    elif smtp_config['encrypt_smtp'] == 'starttls':
+        smtp = smtplib.SMTP(smtp_config['host'], smtp_config['port'])
+        smtp.starttls(context=ctx)
+    else:
+        smtp = smtplib.SMTP(smtp_config['host'], smtp_config['port'])
+
+    # Authenticate if needed
+    if smtp_config['username'] and smtp_config['password']:
+        smtp.login(smtp_config['username'], smtp_config['password'])
+
+    # Create a multipart message and set headers
+    message = MIMEMultipart()
+    message["From"] = args.from_addr
+    message["To"] = ','.join(args.recipients)
+    message["Subject"] = args.subject
+
+    # Attach the HTML part
+    type = get_content_type(body)
+    message.attach(MIMEText(body, type))
+
+    # Send the message via the configured SMTP server
+    smtp.sendmail(args.from_addr, ','.join(args.recipients), message.as_string())
+    smtp.quit()
+
+
+main()

core/imageroot/usr/local/agent/pypkg/agent/ldapclient/ad.py

@@ -18,6 +18,8 @@
 # along with NethServer.  If not, see COPYING.
 #
 
+from datetime import timedelta
+import datetime
 import ldap3
 from .exceptions import LdapclientEntryNotFound
 from .base import LdapclientBase
@@ -31,6 +33,16 @@ def _get_dn_attributes(self, dn, lfilter='(objectClass=*)', attributes=[ldap3.AL
                 return entry['attributes']
 
         raise LdapclientEntryNotFound()
+    
+    def get_max_pwd_age(self):
+        response = self.ldapconn.search(self.base_dn, '(objectClass=domainDNS)', attributes=['maxPwdAge'])
+        if response[0]:
+            result = [entry for entry in response[2] if entry['type'] == 'searchResEntry']
+        else:
+            return None
+        if not result:
+            return None
+        return result[0]['attributes']['maxPwdAge']
 
     def get_group(self, group):
         # Escape group string to build the filter assertion:
@@ -121,12 +133,15 @@ def get_user_entry(self, user, lextra_attributes=[]):
 
         raise LdapclientEntryNotFound()
 
-    def list_users(self):
+    def list_users(self, extra_info=False):
+        attributes = ['displayName', 'sAMAccountName', 'userAccountControl']
+        if extra_info:
+            attributes += ['whenCreated', 'pwdLastSet', 'mail']
         user_entry_generator = self.ldapconn.extend.standard.paged_search(
             search_base = self.base_dn,
             search_filter = f'(&(objectClass=user)(objectCategory=person){self._get_users_search_filter_clause()})',
             search_scope = ldap3.SUBTREE,
-            attributes = ['displayName', 'sAMAccountName', 'userAccountControl'],
+            attributes = attributes,
             paged_size = 900,
             generator=True,
         )
@@ -135,9 +150,23 @@ def list_users(self):
         for entry in user_entry_generator:
             if entry['type'] != 'searchResEntry':
                 continue # ignore referrals
-            users.append({
+            user = {
                 "user": entry['attributes']['sAMAccountName'],
                 "display_name": entry['attributes'].get('displayName') or "",
                 "locked": bool(entry['attributes']['userAccountControl'] & 0x2), # ACCOUNTDISABLE
-            })
+            }
+            if extra_info:
+                pwd_changed_time = entry['attributes'].get('pwdLastSet', entry['attributes'].get('whenCreated', None))
+                if self.get_max_pwd_age().total_seconds() >= 86400000000000:
+                    # Password aging is disabled
+                    user['expired'] = False
+                    user['password_expiration'] = -1
+                else:
+                    expiry_date = pwd_changed_time + timedelta(seconds=self.get_max_pwd_age().total_seconds())
+                    user['expired'] = datetime.datetime.now(datetime.timezone.utc) > expiry_date
+                    user['password_expiration'] = int(expiry_date.timestamp())
+                user["mail"] = entry['attributes'].get('mail') if entry['attributes'].get('mail') else ""
+
+            users.append(user)
+
         return users