Add security_compliance manifest

This sets up the parameters in keystone.conf that belong in the
security_compliance group.

Change-Id: Ic4d962910343ad30de7840124bbc7773ea3697a1

manifests/security_compliance.pp

@@ -0,0 +1,84 @@
+# == class: keystone::security_compliance
+#
+# Security compliance features for keystone, specifically to satisfy
+# Payment Card Industry - Data Security Standard (PCI-DSS) v3.1 requirements.
+#
+# === parameters:
+#
+# [*change_password_upon_first_use*]
+#   Enabling this option requires users to change their password when the user
+#   is created, or upon administrative reset. (Boolean value)
+#   Defaults to $::os_service_default
+#
+# [*disable_user_account_days_inactive*]
+#   The maximum number of days a user can go without authenticating before
+#   being considered "inactive" and automatically disabled (locked). (Integer
+#   value)
+#   Defaults to $::os_service_default
+#
+# [*lockout_duration*]
+#   The number of seconds a user account will be locked when the maximum number
+#   of failed authentication attempts (as specified by `[security_compliance]
+#   lockout_failure_attempts`) is exceeded. (Integer value)
+#   Defaults to $::os_service_default
+#
+# [*lockout_failure_attempts*]
+#   The maximum number of times that a user can fail to authenticate before the
+#   user account is locked for the number of seconds specified by
+#   `[security_compliance] lockout_duration`. (Integer value)
+#   Defaults to $::os_service_default
+#
+# [*minimum_password_age*]
+#   The number of days that a password must be used before the user can change
+#   it. This prevents users from changing their passwords immediately in order
+#   to wipe out their password history and reuse an old password. (Integer
+#   value)
+#   Defaults to $::os_service_default
+#
+# [*password_expires_days*]
+#   The number of days for which a password will be considered valid before
+#   requiring it to be changed. (Integer value)
+#   Defaults to $::os_service_default
+#
+# [*password_regex*]
+#   The regular expression used to validate password strength requirements. By
+#   default, the regular expression will match any password. (String value)
+#   Defaults to $::os_service_default
+#
+# [*password_regex_description*]
+#   Describe your password regular expression here in language for humans.
+#   (String value)
+#   Defaults to $::os_service_default
+#
+# [*unique_last_password_count*]
+#   This controls the number of previous user password iterations to keep in
+#   history, in order to enforce that newly created passwords are unique.
+#   (Integer value)
+#   Defaults to $::os_service_default
+#
+class keystone::security_compliance(
+  $change_password_upon_first_use     = $::os_service_default,
+  $disable_user_account_days_inactive = $::os_service_default,
+  $lockout_duration                   = $::os_service_default,
+  $lockout_failure_attempts           = $::os_service_default,
+  $minimum_password_age               = $::os_service_default,
+  $password_expires_days              = $::os_service_default,
+  $password_regex                     = $::os_service_default,
+  $password_regex_description         = $::os_service_default,
+  $unique_last_password_count         = $::os_service_default,
+) {
+
+  include ::keystone::deps
+
+  keystone_config {
+    'security_compliance/change_password_upon_first_use':     value => $change_password_upon_first_use;
+    'security_compliance/disable_user_account_days_inactive': value => $disable_user_account_days_inactive;
+    'security_compliance/lockout_duration':                   value => $lockout_duration;
+    'security_compliance/lockout_failure_attempts':           value => $lockout_failure_attempts;
+    'security_compliance/minimum_password_age':               value => $minimum_password_age;
+    'security_compliance/password_expires_days':              value => $password_expires_days;
+    'security_compliance/password_regex':                     value => $password_regex;
+    'security_compliance/password_regex_description':         value => $password_regex_description;
+    'security_compliance/unique_last_password_count':         value => $unique_last_password_count;
+  }
+}

releasenotes/notes/security-compliance-09e2702580c42e3b.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    The security_compliance module was added, which configures the values in
+    the security_compliance section of keystone.conf. This is useful for the
+    SQL backend and to comply with PCI-DSS.

spec/classes/keystone_security_compliance_spec.rb

@@ -0,0 +1,56 @@
+require 'spec_helper'
+
+describe 'keystone::security_compliance' do
+  shared_examples_for 'keystone security_compliance' do
+    it 'should configure security compliance defaults' do
+      is_expected.to contain_keystone_config('security_compliance/change_password_upon_first_use').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_keystone_config('security_compliance/disable_user_account_days_inactive').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_keystone_config('security_compliance/lockout_duration').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_keystone_config('security_compliance/lockout_failure_attempts').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_keystone_config('security_compliance/minimum_password_age').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_keystone_config('security_compliance/password_expires_days').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_keystone_config('security_compliance/password_regex').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_keystone_config('security_compliance/password_regex_description').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_keystone_config('security_compliance/unique_last_password_count').with_value('<SERVICE DEFAULT>')
+    end
+
+    context 'with specific params' do
+      let :params do
+        {
+          :change_password_upon_first_use     => true,
+          :disable_user_account_days_inactive => 1,
+          :lockout_duration                   => 2,
+          :lockout_failure_attempts           => 3,
+          :minimum_password_age               => 4,
+          :password_expires_days              => 5,
+          :password_regex                     => 'SomeRegex',
+          :password_regex_description         => 'this is some regex',
+          :unique_last_password_count         => 6,
+        }
+      end
+      it 'should have configure security compliance with params' do
+        is_expected.to contain_keystone_config('security_compliance/change_password_upon_first_use').with_value(true)
+        is_expected.to contain_keystone_config('security_compliance/disable_user_account_days_inactive').with_value(1)
+        is_expected.to contain_keystone_config('security_compliance/lockout_duration').with_value(2)
+        is_expected.to contain_keystone_config('security_compliance/lockout_failure_attempts').with_value(3)
+        is_expected.to contain_keystone_config('security_compliance/minimum_password_age').with_value(4)
+        is_expected.to contain_keystone_config('security_compliance/password_expires_days').with_value(5)
+        is_expected.to contain_keystone_config('security_compliance/password_regex').with_value('SomeRegex')
+        is_expected.to contain_keystone_config('security_compliance/password_regex_description').with_value('this is some regex')
+        is_expected.to contain_keystone_config('security_compliance/unique_last_password_count').with_value(6)
+      end
+    end
+  end
+
+  on_supported_os({
+    :supported_os   => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      it_configures 'keystone security_compliance'
+    end
+  end
+end