Add security_compliance manifest
This sets up the parameters in keystone.conf that belong in the security_compliance group. Change-Id: Ic4d962910343ad30de7840124bbc7773ea3697a1
This commit is contained in:
Juan Antonio Osorio Robles
parent
a55b9e4efe
commit
d8b88f023a
|
|
@ -0,0 +1,84 @@
|
|||
# == class: keystone::security_compliance
|
||||
#
|
||||
# Security compliance features for keystone, specifically to satisfy
|
||||
# Payment Card Industry - Data Security Standard (PCI-DSS) v3.1 requirements.
|
||||
#
|
||||
# === parameters:
|
||||
#
|
||||
# [*change_password_upon_first_use*]
|
||||
# Enabling this option requires users to change their password when the user
|
||||
# is created, or upon administrative reset. (Boolean value)
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*disable_user_account_days_inactive*]
|
||||
# The maximum number of days a user can go without authenticating before
|
||||
# being considered "inactive" and automatically disabled (locked). (Integer
|
||||
# value)
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*lockout_duration*]
|
||||
# The number of seconds a user account will be locked when the maximum number
|
||||
# of failed authentication attempts (as specified by `[security_compliance]
|
||||
# lockout_failure_attempts`) is exceeded. (Integer value)
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*lockout_failure_attempts*]
|
||||
# The maximum number of times that a user can fail to authenticate before the
|
||||
# user account is locked for the number of seconds specified by
|
||||
# `[security_compliance] lockout_duration`. (Integer value)
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*minimum_password_age*]
|
||||
# The number of days that a password must be used before the user can change
|
||||
# it. This prevents users from changing their passwords immediately in order
|
||||
# to wipe out their password history and reuse an old password. (Integer
|
||||
# value)
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*password_expires_days*]
|
||||
# The number of days for which a password will be considered valid before
|
||||
# requiring it to be changed. (Integer value)
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*password_regex*]
|
||||
# The regular expression used to validate password strength requirements. By
|
||||
# default, the regular expression will match any password. (String value)
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*password_regex_description*]
|
||||
# Describe your password regular expression here in language for humans.
|
||||
# (String value)
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*unique_last_password_count*]
|
||||
# This controls the number of previous user password iterations to keep in
|
||||
# history, in order to enforce that newly created passwords are unique.
|
||||
# (Integer value)
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
class keystone::security_compliance(
|
||||
$change_password_upon_first_use = $::os_service_default,
|
||||
$disable_user_account_days_inactive = $::os_service_default,
|
||||
$lockout_duration = $::os_service_default,
|
||||
$lockout_failure_attempts = $::os_service_default,
|
||||
$minimum_password_age = $::os_service_default,
|
||||
$password_expires_days = $::os_service_default,
|
||||
$password_regex = $::os_service_default,
|
||||
$password_regex_description = $::os_service_default,
|
||||
$unique_last_password_count = $::os_service_default,
|
||||
) {
|
||||
|
||||
include ::keystone::deps
|
||||
|
||||
keystone_config {
|
||||
'security_compliance/change_password_upon_first_use': value => $change_password_upon_first_use;
|
||||
'security_compliance/disable_user_account_days_inactive': value => $disable_user_account_days_inactive;
|
||||
'security_compliance/lockout_duration': value => $lockout_duration;
|
||||
'security_compliance/lockout_failure_attempts': value => $lockout_failure_attempts;
|
||||
'security_compliance/minimum_password_age': value => $minimum_password_age;
|
||||
'security_compliance/password_expires_days': value => $password_expires_days;
|
||||
'security_compliance/password_regex': value => $password_regex;
|
||||
'security_compliance/password_regex_description': value => $password_regex_description;
|
||||
'security_compliance/unique_last_password_count': value => $unique_last_password_count;
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The security_compliance module was added, which configures the values in
|
||||
the security_compliance section of keystone.conf. This is useful for the
|
||||
SQL backend and to comply with PCI-DSS.
|
||||
|
|
@ -0,0 +1,56 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe 'keystone::security_compliance' do
|
||||
shared_examples_for 'keystone security_compliance' do
|
||||
it 'should configure security compliance defaults' do
|
||||
is_expected.to contain_keystone_config('security_compliance/change_password_upon_first_use').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('security_compliance/disable_user_account_days_inactive').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('security_compliance/lockout_duration').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('security_compliance/lockout_failure_attempts').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('security_compliance/minimum_password_age').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('security_compliance/password_expires_days').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('security_compliance/password_regex').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('security_compliance/password_regex_description').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('security_compliance/unique_last_password_count').with_value('<SERVICE DEFAULT>')
|
||||
end
|
||||
|
||||
context 'with specific params' do
|
||||
let :params do
|
||||
{
|
||||
:change_password_upon_first_use => true,
|
||||
:disable_user_account_days_inactive => 1,
|
||||
:lockout_duration => 2,
|
||||
:lockout_failure_attempts => 3,
|
||||
:minimum_password_age => 4,
|
||||
:password_expires_days => 5,
|
||||
:password_regex => 'SomeRegex',
|
||||
:password_regex_description => 'this is some regex',
|
||||
:unique_last_password_count => 6,
|
||||
}
|
||||
end
|
||||
it 'should have configure security compliance with params' do
|
||||
is_expected.to contain_keystone_config('security_compliance/change_password_upon_first_use').with_value(true)
|
||||
is_expected.to contain_keystone_config('security_compliance/disable_user_account_days_inactive').with_value(1)
|
||||
is_expected.to contain_keystone_config('security_compliance/lockout_duration').with_value(2)
|
||||
is_expected.to contain_keystone_config('security_compliance/lockout_failure_attempts').with_value(3)
|
||||
is_expected.to contain_keystone_config('security_compliance/minimum_password_age').with_value(4)
|
||||
is_expected.to contain_keystone_config('security_compliance/password_expires_days').with_value(5)
|
||||
is_expected.to contain_keystone_config('security_compliance/password_regex').with_value('SomeRegex')
|
||||
is_expected.to contain_keystone_config('security_compliance/password_regex_description').with_value('this is some regex')
|
||||
is_expected.to contain_keystone_config('security_compliance/unique_last_password_count').with_value(6)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
on_supported_os({
|
||||
:supported_os => OSDefaults.get_supported_os
|
||||
}).each do |os,facts|
|
||||
context "on #{os}" do
|
||||
let (:facts) do
|
||||
facts.merge!(OSDefaults.get_facts())
|
||||
end
|
||||
|
||||
it_configures 'keystone security_compliance'
|
||||
end
|
||||
end
|
||||
end
|
||||
Loading…
Reference in New Issue