From b51a8862b1f80a947815094148bc229ba3d58ae1 Mon Sep 17 00:00:00 2001
From: Rodrigo Duarte <rduartes@redhat.com>
Date: Mon, 26 Sep 2016 15:22:35 -0300
Subject: [PATCH] Adds keystone security compliance settings

The PCI-DSS feature has been introduced during the Newton
release and its settings are disabled by default. This
patch adds the possibility to enable some of them during
DevStack setup.

Change-Id: If6b5eb3e3cbc43eb241c94d18af80ad50be08772
Depends-On: Id97ca26f93b742cc3d8d49e98afc581f22360504
---
 lib/keystone | 12 ++++++++++++
 lib/tempest  |  6 ++++++
 2 files changed, 18 insertions(+)

diff --git a/lib/keystone b/lib/keystone
index 825fe44fca..34730b892a 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -131,6 +131,12 @@ fi
 KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3
 KEYSTONE_SERVICE_URI_V3=$KEYSTONE_SERVICE_URI/v3
 
+# Security compliance
+KEYSTONE_SECURITY_COMPLIANCE_ENABLED=${KEYSTONE_SECURITY_COMPLIANCE_ENABLED:-True}
+KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS=${KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS:-2}
+KEYSTONE_LOCKOUT_DURATION=${KEYSTONE_LOCKOUT_DURATION:-5}
+KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT=${KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT:-2}
+
 
 # Functions
 # ---------
@@ -339,6 +345,12 @@ function configure_keystone {
     # allows policy changes in order to clarify the adminess scope.
     #iniset $KEYSTONE_CONF resource admin_project_domain_name Default
     #iniset $KEYSTONE_CONF resource admin_project_name admin
+
+    if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
+        iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
+        iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
+        iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
+    fi
 }
 
 # create_keystone_accounts() - Sets up common required keystone accounts
diff --git a/lib/tempest b/lib/tempest
index 3915c570ee..4b8fbb7a46 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -261,6 +261,9 @@ function configure_tempest {
     # Identity
     iniset $TEMPEST_CONFIG identity uri "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:5000/v2.0/"
     iniset $TEMPEST_CONFIG identity uri_v3 "$KEYSTONE_SERVICE_URI_V3"
+    iniset $TEMPEST_CONFIG identity user_lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
+    iniset $TEMPEST_CONFIG identity user_lockout_duration $KEYSTONE_LOCKOUT_DURATION
+    iniset $TEMPEST_CONFIG identity user_unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
     # Use domain scoped tokens for admin v3 tests, v3 dynamic credentials of v3 account generation
     iniset $TEMPEST_CONFIG identity admin_domain_scope True
     if [[ "$TEMPEST_HAS_ADMIN" == "True" ]]; then
@@ -285,6 +288,9 @@ function configure_tempest {
     fi
 
     # Identity Features
+    if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
+        iniset $TEMPEST_CONFIG identity-feature-enabled security_compliance True
+    fi
     # TODO(rodrigods): Remove the reseller flag when Kilo and Liberty are end of life.
     iniset $TEMPEST_CONFIG identity-feature-enabled reseller True