@4elta 4elta commented Jul 31, 2025

  • use timedelta's built in string formatter to print the value in a human-readable format
  • return the number of (calculated) seconds in case the parsing results in an exception

WARNING: i have not yet tested the code


i stumbled upon this bug (?) while trying to understand the results of a scan of one of the GOAD machines (provided by @ikstream):

....
    "policy": {
        "Domain password information": {
            "Password history length": 24,
            "Minimum password length": 5,
            "Maximum password age": "37201 days (101 years) 2 minutes",
            "Password properties": [
                ...

the maximum password age for this machine is in fact 10675199 days (29247 years).
see GOAD/ansible/roles/password_policy/tasks/main.yaml

Owner

cddmp commented Aug 1, 2025

Thank you, I will need more time to test this code. I can probably test it next week!

Author

4elta commented Aug 1, 2025

awesome!
i'm looking forward to your review comments.

have a pleasant weekend 👋

Author

4elta commented Aug 1, 2025

the formatting code works correctly, as can be seen below:

% python3        
Python 3.13.5 (main, Jun 25 2025, 18:55:22) [GCC 14.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import datetime
>>> s = ((((10675199 * 24) + 2) * 60) + 48 ) * 60 + 5.4775807
>>> duration = datetime.timedelta(seconds=s)
>>> str(duration)
'10675199 days, 2:48:05.477539'

the value for s is TimeSpan.MaxValue, the largest timespan the max/min password age and other related properties can be set to.

unfortunately, the same (incorrect) max. password age is reported:

37201 days, 0:02:37.001318 (hours:minutes:seconds)

so either the conversion from the two 32-bit values, low and high, to a 64-bit integer, or one or both of these values are incorrect.
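The conversion and formatting discussed in this comment, as an added example (not code from the pull request or from enum4linux-ng). The function names are hypothetical, and it assumes the two values are the low and high 32-bit halves of a signed 64-bit count of 100-nanosecond intervals, stored as a negative number:

```python
import datetime

TICKS_PER_SECOND = 10_000_000  # assumption: one tick is 100 nanoseconds


def combine(low: int, high: int) -> int:
    """Join two 32-bit halves into one signed 64-bit integer (two's complement)."""
    raw = ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)
    return raw - (1 << 64) if raw & (1 << 63) else raw


def format_ticks(ticks: int) -> str:
    """Render a tick count with timedelta's formatter, or as seconds on overflow."""
    ticks = abs(ticks)  # assumption: ages are stored as negative intervals
    try:
        # Integer microseconds keep the sub-second digits exact, which a
        # float number of seconds this large cannot do.
        return str(datetime.timedelta(microseconds=ticks // 10))
    except OverflowError:
        # Fallback: report the calculated number of seconds instead.
        return f"{ticks // TICKS_PER_SECOND} seconds"


def age_to_human(low: int, high: int) -> str:
    """Convert the low/high pair straight to a human-readable duration."""
    return format_ticks(combine(low, high))


def split(ticks: int) -> tuple[int, int]:
    """Constructed helper for the samples: signed 64-bit value -> (low, high)."""
    raw = ticks & 0xFFFFFFFFFFFFFFFF
    return raw & 0xFFFFFFFF, raw >> 32


if __name__ == "__main__":
    # Constructed samples: the negated TimeSpan.MaxValue and a 42-day policy.
    for sample in (-(2**63 - 1), -42 * 86400 * TICKS_PER_SECOND):
        low, high = split(sample)
        print(f"low={low:#010x} high={high:#010x} -> {age_to_human(low, high)}")
```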

Author

4elta commented Aug 1, 2025

> so either the conversion from the two 32-bit values, low and high, to a 64-bit integer, or one or both of these values are incorrect.

... or maximum password age is in fact set to the above value and there's something wrong with the ansible script


ikstream commented Aug 3, 2025

> ... or maximum password age is in fact set to the above value and there's something wrong with the ansible script

The maximum password age is indeed set to the detected value (minus the minutes). Looks like it is just a Windows feature.

[image: does-not-expire]

Looks like the value translates (at least in the GUI) to "does not expire". As the maximum age is limited in the GUI to 999 as written in documentation.

[images: not-flipped, not-flipped-2]

Looks like the value can go above the 37201, but if the maximum value for Set-ADDefaultDomainPasswordPolicy is used for days, the value of 37201 will be set instead

[image: flipped]

I am not sure yet, where this value comes from, but it looks like enum4linux-ng indeed detects the maximum password age correctly

Author

4elta commented Aug 3, 2025

thank you @ikstream 🙏

i am really confused: why does microsoft specify a maximum when the real maximum is lower?

Owner

cddmp commented Sep 22, 2025

I have not forgotten this pull request. Since it doesn't bring any benefit at the moment, I leave it open for now. I actually like your implementation, I just want to test this a bit more.
