security_compliance: Support password hash options

... which were added during this cycle.

Depends-on: https://review.opendev.org/932423
Change-Id: Ie78944ed0f6bd5b18a93bb6c2fddf5b95083c4fd

manifests/security_compliance.pp

@@ -57,6 +57,23 @@
 #   (Integer value)
 #   Defaults to $facts['os_service_default']
 #
+# [*report_invalid_password_hash*]
+#   (Optional) Enriches `identiy.authenticate.failure` event notifications with
+#   partial invalid password hash.
+#   Defaults to $facts['os_service_default']
+#
+# [*invalid_password_hash_secret_key*]
+#   (Optional) Secret key used when generating password hashes.
+#   Defaults to $facts['os_service_default']
+#
+# [*invalid_password_hash_function*]
+#   (Optional) Hash function used when generating password hashes.
+#   Defaults to $facts['os_service_default']
+#
+# [*invalid_password_hash_max_chars*]
+#   (Optional) Number of characters of hash of invalid password to be returned.
+#   Defaults to $facts['os_service_default']
+#
 class keystone::security_compliance(
   $change_password_upon_first_use     = $facts['os_service_default'],
   $disable_user_account_days_inactive = $facts['os_service_default'],
@@ -67,6 +84,10 @@ class keystone::security_compliance(
   $password_regex                     = $facts['os_service_default'],
   $password_regex_description         = $facts['os_service_default'],
   $unique_last_password_count         = $facts['os_service_default'],
+  $report_invalid_password_hash       = $facts['os_service_default'],
+  $invalid_password_hash_secret_key   = $facts['os_service_default'],
+  $invalid_password_hash_function     = $facts['os_service_default'],
+  $invalid_password_hash_max_chars    = $facts['os_service_default'],
 ) {
 
   include keystone::deps
@@ -81,5 +102,9 @@ class keystone::security_compliance(
     'security_compliance/password_regex':                     value => $password_regex;
     'security_compliance/password_regex_description':         value => $password_regex_description;
     'security_compliance/unique_last_password_count':         value => $unique_last_password_count;
+    'security_compliance/report_invalid_password_hash':       value => join(any2array($report_invalid_password_hash), ',');
+    'security_compliance/invalid_password_hash_secret_key':   value => $invalid_password_hash_secret_key, secret => true;
+    'security_compliance/invalid_password_hash_function':     value => $invalid_password_hash_function;
+    'security_compliance/invalid_password_hash_max_chars':    value => $invalid_password_hash_max_chars;
   }
 }

releasenotes/notes/report-invalid-password-hash-bd7d3393f67475c1.yaml

@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    The following parameters have been added to
+    the ``keystone::security_compliance`` class.
+
+    - ``report_invalid_password_hash``
+    - ``invalid_password_hash_secret_key``
+    - ``invalid_password_hash_function``
+    - ``invalid_password_hash_max_chars``

spec/classes/keystone_security_compliance_spec.rb

@@ -12,6 +12,10 @@ describe 'keystone::security_compliance' do
       is_expected.to contain_keystone_config('security_compliance/password_regex').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_keystone_config('security_compliance/password_regex_description').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_keystone_config('security_compliance/unique_last_password_count').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_keystone_config('security_compliance/report_invalid_password_hash').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_keystone_config('security_compliance/invalid_password_hash_secret_key').with_value('<SERVICE DEFAULT>').with_secret(true)
+      is_expected.to contain_keystone_config('security_compliance/invalid_password_hash_function').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_keystone_config('security_compliance/invalid_password_hash_max_chars').with_value('<SERVICE DEFAULT>')
     end
 
     context 'with specific params' do
@@ -26,6 +30,10 @@ describe 'keystone::security_compliance' do
           :password_regex                     => 'SomeRegex',
           :password_regex_description         => 'this is some regex',
           :unique_last_password_count         => 6,
+          :report_invalid_password_hash       => 'event',
+          :invalid_password_hash_secret_key   => 'secret',
+          :invalid_password_hash_function     => 'sha256',
+          :invalid_password_hash_max_chars    => 5,
         }
       end
       it 'should have configure security compliance with params' do
@@ -38,6 +46,10 @@ describe 'keystone::security_compliance' do
         is_expected.to contain_keystone_config('security_compliance/password_regex').with_value('SomeRegex')
         is_expected.to contain_keystone_config('security_compliance/password_regex_description').with_value('this is some regex')
         is_expected.to contain_keystone_config('security_compliance/unique_last_password_count').with_value(6)
+        is_expected.to contain_keystone_config('security_compliance/report_invalid_password_hash').with_value('event')
+        is_expected.to contain_keystone_config('security_compliance/invalid_password_hash_secret_key').with_value('secret').with_secret(true)
+        is_expected.to contain_keystone_config('security_compliance/invalid_password_hash_function').with_value('sha256')
+        is_expected.to contain_keystone_config('security_compliance/invalid_password_hash_max_chars').with_value(5)
       end
     end
   end