Add password hash algorithm and rounds config

Adds the password_hash_algorithm and password_hash_rounds configuration options. These can be used to configure the password hash algorithm and the amount of rounds on the hash that keystone should do. Change-Id: I5160e59522b5cf96eb80f83ab7f2ca593b64fe54
2018-09-13 11:23:40 +02:00 · 2018-09-13 11:23:40 +02:00 · 92b307db46
commit 92b307db46
parent c948359a1b
3 changed files with 33 additions and 1 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -75,6 +75,14 @@
 #   (optional) Amount of time a token should remain valid (seconds).
 #   Defaults to 3600 (1 hour).
 #
+# [*password_hash_algorithm*]
+#   (optional) The password hash algorithm to use.
+#   Defaults to $::os_service_default
+#
+# [*password_hash_rounds*]
+#   (optional) The amount of rounds to do on the hash.
+#   Defaults to $::os_service_default
+#
 # [*revoke_driver*]
 #   (optional) Driver for token revocation.
 #   Defaults to $::os_service_default
@ -663,6 +671,8 @@ class keystone(
  $token_provider                       = 'fernet',
  $token_driver                         = 'sql',
  $token_expiration                     = 3600,
+  $password_hash_algorithm              = $::os_service_default,
+  $password_hash_rounds                 = $::os_service_default,
  $revoke_driver                        = $::os_service_default,
  $revoke_by_id                         = true,
  $public_endpoint                      = $::os_service_default,
@ -846,7 +856,12 @@ admin_token will be removed in a later release")
  }

  keystone_config {
-    'revoke/driver':    value => $revoke_driver;
+    'identity/password_hash_algorithm': value => $password_hash_algorithm;
+    'identity/password_hash_rounds':    value => $password_hash_rounds;
+  }
+
+  keystone_config {
+    'revoke/driver': value => $revoke_driver;
  }

  keystone_config {
--- a/releasenotes/notes/password-hash-algo-884cb38f8edecb6b.yaml
+++ b/releasenotes/notes/password-hash-algo-884cb38f8edecb6b.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Added new parameters password_hash_algorithm and password_hash_rounds
+    to keystone class that can be used to configure the password hash algorithm.
--- a/spec/classes/keystone_init_spec.rb
+++ b/spec/classes/keystone_init_spec.rb
@ -32,6 +32,8 @@ describe 'keystone' do
      'catalog_driver'                     => false,
      'token_provider'                     => 'fernet',
      'token_driver'                       => 'sql',
+      'password_hash_algorithm'            => '<SERVICE DEFAULT>',
+      'password_hash_rounds'               => '<SERVICE DEFAULT>',
      'revoke_driver'                      => 'sql',
      'revoke_by_id'                       => true,
      'cache_dir'                          => '/var/cache/keystone',
@ -86,6 +88,8 @@ describe 'keystone' do
      'catalog_type'                       => 'template',
      'token_provider'                     => 'uuid',
      'token_driver'                       => 'kvs',
+      'password_hash_algorithm'            => 'pbkdf2_sha512',
+      'password_hash_rounds'               => '29000',
      'revoke_driver'                      => 'kvs',
      'revoke_by_id'                       => false,
      'public_endpoint'                    => 'https://localhost:5000/v2.0/',
@ -205,6 +209,14 @@ describe 'keystone' do
      is_expected.to contain_keystone_config('revoke/driver').with_value(param_hash['revoke_driver'])
    end

+    it 'should contain password_hash_algorithm' do
+      is_expected.to contain_keystone_config('identity/password_hash_algorithm').with_value(param_hash['password_hash_algorithm'])
+    end
+
+    it 'should contain password_hash_rounds' do
+      is_expected.to contain_keystone_config('identity/password_hash_rounds').with_value(param_hash['password_hash_rounds'])
+    end
+
    it 'should contain default revoke_by_id value ' do
      is_expected.to contain_keystone_config('token/revoke_by_id').with_value(param_hash['revoke_by_id'])
    end