Service parameters for pwd rules in keystone.conf

Introducing service parameters for password rules in
security_compliance section of /etc/keystone/keystone.conf

New service parameters:

| service  | section             | name                       |
|----------|---------------------|----------------------------|
| identity | security_compliance | unique_last_password_count |
| identity | security_compliance | password_regex             |
| identity | security_compliance | password_regex_description |

In order for changes to take effect, the new configuration needs to be
applied with:

system service-parameter-apply identity

That operation will persist the new rules to keystone.conf and restart
the keystone service.

No changes are needed to openstack::keystone::server::runtime as
password rules for security_compliance are already supported in
/usr/share/puppet/modules/openstack/manifests/keystone.pp.

Test plan:

PASS: Verify that unique_last_password_count works with an integer
PASS: Verify that password_regex works with a valid regex
PASS: Verify that password_regex_description works with a non-empty
      string
PASS: Verify that new parameters show up in
      'system service-parameter-list' in section platform
PASS: Verify that 'system service-parameter-apply platform' will apply
      the puppet runtime class openstack::keystone::server::runtime
PASS: Verify that after 'system service-parameter-apply platform'
      new parameters are present in hieradata
PASS: Verify that after 'system service-parameter-apply platform'
      new parameters are persisted to keystone.conf
PASS: Verify that the new configuration of keystone.conf sticks even after
      a host-swact
PASS: Verify that the new configuration of keystone.conf sticks even after
      a host-lock / unlock
PASS: Verify that new password rules are indeed working by changing the
      password to a good password, according to new rules, with
      'openstack user password set'

Failure Path:

PASS: Verify that unique_last_password_count shows a validation error
      when a value other than integer is used
PASS: Verify that password_regex shows a validation error with an
      invalid regex
PASS: Verify that password_regex_description shows a validation error
      with an empty string
PASS: Verify that new password rules are indeed working by trying to
      change the password to a bad password, according to new rules,
      with 'openstack user password set' and seeing an error

Story: 2009284
Task: 43575

Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Change-Id: Ic27bf765ea8e281e2e8b030617d5c68864e9c693
This commit is contained in:
Rei Oliveira 2021-10-18 22:25:03 -03:00
parent 767278b5cb
commit 872ddb1ab9
2 changed files with 45 additions and 1 deletions

@ -1194,6 +1194,12 @@ SERVICE_PARAM_NAME_PLATFORM_AUDITD = 'audit'
SERVICE_PARAM_PLATFORM_AUDITD_DISABLED = '0'
SERVICE_PARAM_PLATFORM_AUDITD_ENABLED = '1'
# platform keystone security compliance config
SERVICE_PARAM_SECTION_SECURITY_COMPLIANCE = 'security_compliance'
SERVICE_PARAM_NAME_SECURITY_COMPLIANCE_UNIQUE_LAST_PASSWORD_COUNT = 'unique_last_password_count'
SERVICE_PARAM_NAME_SECURITY_COMPLIANCE_PASSWORD_REGEX = 'password_regex'
SERVICE_PARAM_NAME_SECURITY_COMPLIANCE_PASSWORD_REGEX_DESCRIPTION = 'password_regex_description'
# TIS part number, CPE = combined load, STD = standard load
TIS_STD_BUILD = 'Standard'
TIS_AIO_BUILD = 'All-in-one'
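Review bot: the comment `# platform keystone security compliance config` above the new constants says "platform", but these names belong to the identity service's security_compliance section (the commit message applies them with `system service-parameter-apply identity`); name the service accurately in the comment so it is clear which apply target picks them up. The prefix also differs from the neighbouring auditd constants (SERVICE_PARAM_PLATFORM_AUDITD_* vs SERVICE_PARAM_NAME_SECURITY_COMPLIANCE_*); picking one convention keeps grep-ability.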

@ -411,6 +411,15 @@ def _validate_kernel_audit(name, value):
constants.SERVICE_PARAM_PLATFORM_AUDITD_ENABLED)))
def _validate_regex(name, value):
"""Check if specified regex is valid"""
try:
re.compile(value)
except re.error:
raise wsme.exc.ClientSideError(_(
"Parameter %s must be a valid regex" % name))
PLATFORM_CONFIG_PARAMETER_OPTIONAL = [
constants.SERVICE_PARAM_NAME_PLAT_CONFIG_VIRTUAL,
]
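Review bot: in _validate_regex the `%` formatting happens inside the translation call, `_("Parameter %s must be a valid regex" % name)`, so the already-formatted string is what gets looked up in the message catalog and never matches a translation; move it outside: `_("Parameter %s must be a valid regex") % name`. Please also confirm `re` is imported at the top of the module, since the hunk does not show it. Finally, compilability is the only property checked here: a pattern that compiles but backtracks catastrophically is accepted and then evaluated by keystone on every password change, so the docstring should state that the value is only checked for syntax, not for cost.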
@ -543,15 +552,39 @@ PLATFORM_KERNEL_PARAMETER_OPTIONAL = [
constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD,
]
PLATFORM_KEYSTONE_PARAMETER_OPTIONAL = [
constants.SERVICE_PARAM_NAME_SECURITY_COMPLIANCE_UNIQUE_LAST_PASSWORD_COUNT,
constants.SERVICE_PARAM_NAME_SECURITY_COMPLIANCE_PASSWORD_REGEX,
constants.SERVICE_PARAM_NAME_SECURITY_COMPLIANCE_PASSWORD_REGEX_DESCRIPTION,
]
PLATFORM_KERNEL_PARAMETER_VALIDATOR = {
constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD: _validate_kernel_audit,
}
PLATFORM_KEYSTONE_PARAMETER_VALIDATOR = {
constants.SERVICE_PARAM_NAME_SECURITY_COMPLIANCE_UNIQUE_LAST_PASSWORD_COUNT:
_validate_integer,
constants.SERVICE_PARAM_NAME_SECURITY_COMPLIANCE_PASSWORD_REGEX:
_validate_regex,
constants.SERVICE_PARAM_NAME_SECURITY_COMPLIANCE_PASSWORD_REGEX_DESCRIPTION:
_validate_not_empty
}
PLATFORM_KERNEL_PARAMETER_RESOURCE = {
constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD:
'platform::compute::grub::params::g_audit',
}
PLATFORM_KEYSTONE_PARAMETER_RESOURCE = {
constants.SERVICE_PARAM_NAME_SECURITY_COMPLIANCE_UNIQUE_LAST_PASSWORD_COUNT:
'keystone::security_compliance::unique_last_password_count',
constants.SERVICE_PARAM_NAME_SECURITY_COMPLIANCE_PASSWORD_REGEX:
'keystone::security_compliance::password_regex',
constants.SERVICE_PARAM_NAME_SECURITY_COMPLIANCE_PASSWORD_REGEX_DESCRIPTION:
'keystone::security_compliance::password_regex_description',
}
RADOSGW_CONFIG_PARAMETER_MANDATORY = [
constants.SERVICE_PARAM_NAME_RADOSGW_SERVICE_ENABLED,
]
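Review bot: unique_last_password_count is validated with _validate_integer only; keystone uses it as a count of previous passwords to remember, so check that _validate_integer rejects negative values, or add an explicit lower bound of 0 in this table, otherwise a negative value passes sysinv validation and is only caught, if at all, when the value reaches keystone. Style: the last entry of PLATFORM_KEYSTONE_PARAMETER_VALIDATOR, `_validate_not_empty`, lacks the trailing comma the other dicts in this hunk use, and since these tables are registered under the identity service type, a PLATFORM_KEYSTONE_* name is misleading; IDENTITY_SECURITY_COMPLIANCE_* would read more clearly.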
@ -797,6 +830,11 @@ SERVICE_PARAMETER_SCHEMA = {
SERVICE_PARAM_VALIDATOR: IDENTITY_CONFIG_PARAMETER_VALIDATOR,
SERVICE_PARAM_RESOURCE: IDENTITY_CONFIG_PARAMETER_RESOURCE,
},
constants.SERVICE_PARAM_SECTION_SECURITY_COMPLIANCE: {
SERVICE_PARAM_OPTIONAL: PLATFORM_KEYSTONE_PARAMETER_OPTIONAL,
SERVICE_PARAM_VALIDATOR: PLATFORM_KEYSTONE_PARAMETER_VALIDATOR,
SERVICE_PARAM_RESOURCE: PLATFORM_KEYSTONE_PARAMETER_RESOURCE,
}
},
constants.SERVICE_TYPE_PLATFORM: {
constants.SERVICE_PARAM_SECTION_PLATFORM_CONFIG: {
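Review bot: the new security_compliance section is registered under the identity service type (it sits inside the identity block, before `constants.SERVICE_TYPE_PLATFORM:`), which matches `system service-parameter-apply identity` in the commit message, but the test plan's PASS lines refer to `system service-parameter-list` in section platform and `system service-parameter-apply platform`; please make the commit message consistent so that operators read the right apply target. Minor: the closing `}` of the new section has no trailing comma, unlike the `},` of the entry above it.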
@ -829,7 +867,7 @@ SERVICE_PARAMETER_SCHEMA = {
SERVICE_PARAM_OPTIONAL: PLATFORM_KERNEL_PARAMETER_OPTIONAL,
SERVICE_PARAM_VALIDATOR: PLATFORM_KERNEL_PARAMETER_VALIDATOR,
SERVICE_PARAM_RESOURCE: PLATFORM_KERNEL_PARAMETER_RESOURCE,
},
}
},
constants.SERVICE_TYPE_HORIZON: {
constants.SERVICE_PARAM_SECTION_HORIZON_AUTH: {