Support max_password_length config option

Change-Id: Ic00419f12a922d866b490e351d0eb87c96380315
2024-04-16 14:06:01 +10:00
parent 1cb55e22e0
commit ac752a4ee1
3 changed files with 14 additions and 0 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -29,6 +29,10 @@
 #   (Optional) The amount of rounds to do on the hash.
 #   Defaults to $facts['os_service_default']
 #
+# [*max_password_length*]
+#   (Optional) Maximum allowed length for user passwords.
+#   Defaults to $facts['os_service_default']
+#
 # [*revoke_driver*]
 #   (Optional) Driver for token revocation.
 #   Defaults to $facts['os_service_default']
@@ -361,6 +365,7 @@ class keystone(
  $token_expiration                               = 3600,
  $password_hash_algorithm                        = $facts['os_service_default'],
  $password_hash_rounds                           = $facts['os_service_default'],
+  $max_password_length                            = $facts['os_service_default'],
  $revoke_driver                                  = $facts['os_service_default'],
  $revoke_by_id                                   = true,
  $public_endpoint                                = $facts['os_service_default'],
@@ -473,6 +478,7 @@ class keystone(
  keystone_config {
    'identity/password_hash_algorithm': value => $password_hash_algorithm;
    'identity/password_hash_rounds':    value => $password_hash_rounds;
+    'identity/max_password_length':     value => $max_password_length;
  }

  keystone_config {
--- a/releasenotes/notes/added-max_password_length-option-658378eee937e891.yaml
+++ b/releasenotes/notes/added-max_password_length-option-658378eee937e891.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Added the new ``keystone::max_password_length`` parameter to configure
+    the maximum allowed length for user passwords.
--- a/spec/classes/keystone_init_spec.rb
+++ b/spec/classes/keystone_init_spec.rb
@@ -35,6 +35,7 @@ describe 'keystone' do
        is_expected.to contain_keystone_config('token/expiration').with_value(3600)
        is_expected.to contain_keystone_config('identity/password_hash_algorithm').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('identity/password_hash_rounds').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('identity/max_password_length').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('revoke/driver').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('policy/driver').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_keystone_config('token/revoke_by_id').with_value(true)
@@ -127,6 +128,7 @@ describe 'keystone' do
          :token_expiration             => 7200,
          :password_hash_algorithm      => 'bcrypt',
          :password_hash_rounds         => 12,
+          :max_password_length          => 54,
          :revoke_driver                => 'sql',
          :policy_driver                => 'sql',
          :revoke_by_id                 => true,
@@ -151,6 +153,7 @@ describe 'keystone' do
        is_expected.to contain_keystone_config('token/expiration').with_value(7200)
        is_expected.to contain_keystone_config('identity/password_hash_algorithm').with_value('bcrypt')
        is_expected.to contain_keystone_config('identity/password_hash_rounds').with_value(12)
+        is_expected.to contain_keystone_config('identity/max_password_length').with_value(54)
        is_expected.to contain_keystone_config('revoke/driver').with_value('sql')
        is_expected.to contain_keystone_config('policy/driver').with_value('sql')
        is_expected.to contain_keystone_config('token/revoke_by_id').with_value(true)