commit b51a8862b1f80a947815094148bc229ba3d58ae1
author Rodrigo Duarte <rduartes@redhat.com> Mon Sep 26 15:22:35 2016 -0300
committer Rodrigo Duarte Sousa <rduartes@redhat.com> Thu Jan 05 16:06:39 2017 -0300
tree f4bd64a0f5a1b8ce82b44124953deb0a73dca32d
parent 281c5c22ce7f4e7d367f689488e15ad77695a183

Adds keystone security compliance settings

The PCI-DSS feature has been introduced during the Newton
release and its settings are disabled by default. This
patch adds the possibility to enable some of them during
DevStack setup.

Change-Id: If6b5eb3e3cbc43eb241c94d18af80ad50be08772
Depends-On: Id97ca26f93b742cc3d8d49e98afc581f22360504

lib/keystone

diff --git a/lib/keystone b/lib/keystone
index 825fe44..34730b8 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -131,6 +131,12 @@
 KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3
 KEYSTONE_SERVICE_URI_V3=$KEYSTONE_SERVICE_URI/v3
 
+# Security compliance
+KEYSTONE_SECURITY_COMPLIANCE_ENABLED=${KEYSTONE_SECURITY_COMPLIANCE_ENABLED:-True}
+KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS=${KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS:-2}
+KEYSTONE_LOCKOUT_DURATION=${KEYSTONE_LOCKOUT_DURATION:-5}
+KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT=${KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT:-2}
+
 
 # Functions
 # ---------
@@ -339,6 +345,12 @@
     # allows policy changes in order to clarify the adminess scope.
     #iniset $KEYSTONE_CONF resource admin_project_domain_name Default
     #iniset $KEYSTONE_CONF resource admin_project_name admin
+
+    if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
+        iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
+        iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
+        iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
+    fi
 }
 
 # create_keystone_accounts() - Sets up common required keystone accounts

lib/tempest

diff --git a/lib/tempest b/lib/tempest
index 3915c57..4b8fbb7 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -261,6 +261,9 @@
     # Identity
     iniset $TEMPEST_CONFIG identity uri "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:5000/v2.0/"
     iniset $TEMPEST_CONFIG identity uri_v3 "$KEYSTONE_SERVICE_URI_V3"
+    iniset $TEMPEST_CONFIG identity user_lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
+    iniset $TEMPEST_CONFIG identity user_lockout_duration $KEYSTONE_LOCKOUT_DURATION
+    iniset $TEMPEST_CONFIG identity user_unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
     # Use domain scoped tokens for admin v3 tests, v3 dynamic credentials of v3 account generation
     iniset $TEMPEST_CONFIG identity admin_domain_scope True
     if [[ "$TEMPEST_HAS_ADMIN" == "True" ]]; then
@@ -285,6 +288,9 @@
     fi
 
     # Identity Features
+    if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
+        iniset $TEMPEST_CONFIG identity-feature-enabled security_compliance True
+    fi
     # TODO(rodrigods): Remove the reseller flag when Kilo and Liberty are end of life.
     iniset $TEMPEST_CONFIG identity-feature-enabled reseller True