From cb875d327a69e470dcf1f776b9d1e4ad57217ae3 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Thu, 4 Jan 2018 14:39:55 +0200 Subject: [PATCH] Add parameters to configure options in keystone's security_compliance group These parameters were introduced as strings and will only be configured if the value is set. This way it respects the $::os_service_default settings which is the default for all of them. Depends-On: I089f2e28cce2688ed080096c88ab539393627cfb Change-Id: I3399129c41054a914bb91417c814cd063ee0c07e --- puppet/services/keystone.yaml | 113 ++++++++++++++++++ .../security-compliance-f4f7ae077b148af1.yaml | 10 ++ 2 files changed, 123 insertions(+) create mode 100644 releasenotes/notes/security-compliance-f4f7ae077b148af1.yaml diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 5ec682d12d..ae0f1ffd43 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml 
@@ -220,6 +220,63 @@ parameters: description: Driver or drivers to handle sending notifications. constraints: - allowed_values: [ 'messagingv2', 'noop' ] + KeystoneChangePasswordUponFirstUse: + type: string + default: '' + description: >- + Enabling this option requires users to change their password when the + user is created, or upon administrative reset. + constraints: + - allowed_values: [ '', 'true', 'True', 'TRUE', 'false', 'False', 'FALSE'] + KeystoneDisableUserAccountDaysInactive: + type: string + default: '' + description: >- + The maximum number of days a user can go without authenticating before + being considered "inactive" and automatically disabled (locked). + KeystoneLockoutDuration: + type: string + default: '' + description: >- + The number of seconds a user account will be locked when the maximum + number of failed authentication attempts (as specified by + KeystoneLockoutFailureAttempts) is exceeded. + KeystoneLockoutFailureAttempts: + type: string + default: '' + description: >- + The maximum number of times that a user can fail to authenticate before + the user account is locked for the number of seconds specified by + KeystoneLockoutDuration. + KeystoneMinimumPasswordAge: + type: string + default: '' + description: >- + The number of days that a password must be used before the user can + change it. This prevents users from changing their passwords immediately + in order to wipe out their password history and reuse an old password. + KeystonePasswordExpiresDays: + type: string + default: '' + description: >- + The number of days for which a password will be considered valid before + requiring it to be changed. + KeystonePasswordRegex: + type: string + default: '' + description: >- + The regular expression used to validate password strength requirements. + KeystonePasswordRegexDescription: + type: string + default: '' + description: >- + Describe your password regular expression here in language for humans. 
+ KeystoneUniqueLastPasswordCount: + type: string + default: '' + description: >- + This controls the number of previous user password iterations to keep in + history, in order to enforce that newly created passwords are unique. parameter_groups: - label: deprecated @@ -251,6 +308,17 @@ conditions: keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]} service_debug_unset: {equals : [{get_param: KeystoneDebug}, '']} + # Security compliance + change_password_upon_first_use_set: {not: {equals: [{get_param: KeystoneChangePasswordUponFirstUse}, '']}} + disable_user_account_days_inactive_set: {not: {equals: [{get_param: KeystoneDisableUserAccountDaysInactive}, '']}} + lockout_duration_set: {not: {equals: [{get_param: KeystoneLockoutDuration}, '']}} + lockout_failure_attempts_set: {not: {equals: [{get_param: KeystoneLockoutFailureAttempts}, '']}} + minimum_password_age_set: {not: {equals: [{get_param: KeystoneMinimumPasswordAge}, '']}} + password_expires_days_set: {not: {equals: [{get_param: KeystonePasswordExpiresDays}, '']}} + password_regex_set: {not: {equals: [{get_param: KeystonePasswordRegex}, '']}} + password_regex_description_set: {not: {equals: [{get_param: KeystonePasswordRegexDescription}, '']}} + unique_last_password_count_set: {not: {equals: [{get_param: KeystoneUniqueLastPasswordCount}, '']}} + outputs: role_data: description: Role data for the Keystone role. 
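Review bot: The six count-valued parameters added in this hunk (KeystoneDisableUserAccountDaysInactive, KeystoneLockoutDuration, KeystoneLockoutFailureAttempts, KeystoneMinimumPasswordAge, KeystonePasswordExpiresDays, KeystoneUniqueLastPasswordCount) are declared `type: string` with no constraint, so a mistyped value passes template validation and only surfaces when keystone parses its config after deployment. Because the empty default has to stay legal for the "leave $::os_service_default in place" case, a pattern that admits the empty string keeps that behaviour while rejecting garbage: add `constraints:` / `- allowed_pattern: '^[0-9]*$'` under each of them, matching the style of the allowed_values constraint on KeystoneChangePasswordUponFirstUse. KeystonePasswordRegex is correctly left unconstrained since it is free-form, but its description could note that the value is passed through to keystone unchanged, so it must be a valid Python regular expression.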
@@ -385,6 +453,51 @@ outputs: tripleo::profile::base::keystone::ldap_backends_config: get_param: KeystoneLDAPBackendConfigs - {} + - + if: + - change_password_upon_first_use_set + - keystone::security_compliance::change_password_upon_first_use: {get_param: KeystoneChangePasswordUponFirstUse} + - {} + - + if: + - disable_user_account_days_inactive_set + - keystone::security_compliance::disable_user_account_days_inactive: {get_param: KeystoneDisableUserAccountDaysInactive} + - {} + - + if: + - lockout_duration_set + - keystone::security_compliance::lockout_duration: {get_param: KeystoneLockoutDuration} + - {} + - + if: + - lockout_failure_attempts_set + - keystone::security_compliance::lockout_failure_attempts: {get_param: KeystoneLockoutFailureAttempts} + - {} + - + if: + - minimum_password_age_set + - keystone::security_compliance::minimum_password_age: {get_param: KeystoneMinimumPasswordAge} + - {} + - + if: + - password_expires_days_set + - keystone::security_compliance::password_expires_days: {get_param: KeystonePasswordExpiresDays} + - {} + - + if: + - password_regex_set + - keystone::security_compliance::password_regex: {get_param: KeystonePasswordRegex} + - {} + - + if: + - password_regex_description_set + - keystone::security_compliance::password_regex_description: {get_param: KeystonePasswordRegexDescription} + - {} + - + if: + - unique_last_password_count_set + - keystone::security_compliance::unique_last_password_count: {get_param: KeystoneUniqueLastPasswordCount} + - {} step_config: | include ::tripleo::profile::base::keystone diff --git a/releasenotes/notes/security-compliance-f4f7ae077b148af1.yaml b/releasenotes/notes/security-compliance-f4f7ae077b148af1.yaml new file mode 100644 index 0000000000..471f0b2852 --- /dev/null +++ b/releasenotes/notes/security-compliance-f4f7ae077b148af1.yaml 
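Review bot: The nine `if:` blocks publish each keystone::security_compliance::* key independently, so KeystoneLockoutDuration can be set without KeystoneLockoutFailureAttempts; as far as I recall keystone only enforces lockout once lockout_failure_attempts is configured, so a deployer who sets only the duration silently gets no lockout at all. Either gate both hieradata entries on a combined condition alongside the ones added in the previous hunk, e.g. `lockout_set: {and: [lockout_duration_set, lockout_failure_attempts_set]}`, or state the dependency in the two parameter descriptions. Separately, once lockout is enabled it applies to every user including service accounts, so a single stale service credential can take a whole service offline; keystone's security_compliance group has a lockout_ignored_user_ids option for exactly this case, which this change does not expose, and a comment above the lockout blocks such as `# NOTE: lockout applies to all users, including service accounts` would at least warn operators. The enclosing config_settings list starts outside the hunk.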
@@ -0,0 +1,10 @@ +--- +features: + - | + The parameters KeystoneChangePasswordUponFirstUse, + KeystoneDisableUserAccountDaysInactive, KeystoneLockoutDuration, + KeystoneLockoutFailureAttempts, KeystoneMinimumPasswordAge, + KeystonePasswordExpiresDays, KeystonePasswordRegex, + KeystonePasswordRegexDescription, KeystoneUniqueLastPasswordCount were + introduced. They all correspond to keystone configuration options that + belong to the security_compliance group.