"Fossies" - the Fresh Open Source Software Archive

Member "keystone-18.0.0/keystone/conf/security_compliance.py" (14 Oct 2020, 5874 Bytes) of package /linux/misc/openstack/keystone-18.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. For more information about "security_compliance.py" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 17.0.0_vs_18.0.0.

    1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 # not use this file except in compliance with the License. You may obtain
    3 # a copy of the License at
    4 #
    5 #      http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 # Unless required by applicable law or agreed to in writing, software
    8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 # License for the specific language governing permissions and limitations
   11 # under the License.
   12 
   13 from oslo_config import cfg
   14 
   15 from keystone.conf import utils
   16 
   17 
# Inactivity lockout.  Unset (``None``) leaves the check off; ``min=1`` means
# it can only be enabled with a positive day count.  The help text below
# already warns that a user disabled by this path may show a different
# ``enabled`` value in the HTTP API than in the user table column.
# NOTE(review): nothing in this declaration exempts accounts that rarely
# authenticate (e.g. service users); confirm how the sql identity backend
# treats them before enabling this in a deployment with such accounts.
disable_user_account_days_inactive = cfg.IntOpt(
    'disable_user_account_days_inactive',
    min=1,  # a zero-day window would be meaningless, so the floor is one day
    help=utils.fmt("""
The maximum number of days a user can go without authenticating before being
considered "inactive" and automatically disabled (locked). This feature is
disabled by default; set any value to enable it. This feature depends on the
`sql` backend for the `[identity] driver`. When a user exceeds this threshold
and is considered "inactive", the user's `enabled` attribute in the HTTP API
may not match the value of the user's `enabled` column in the user table.
"""))
   29 
# Brute-force throttle: lock the account after this many failed
# authentications.  Unset (``None``) disables the check.  Per the help text,
# the lock has no expiry (an admin must re-enable the user) unless
# ``[security_compliance] lockout_duration`` is also set.
# Trade-off to weigh before enabling: a failure-count lockout lets anyone who
# knows a username deliberately lock that user out, so pair it with a finite
# ``lockout_duration`` to bound the impact of such a denial of service.
lockout_failure_attempts = cfg.IntOpt(
    'lockout_failure_attempts',
    min=1,  # at least one failure must be allowed before locking
    help=utils.fmt("""
The maximum number of times that a user can fail to authenticate before the
user account is locked for the number of seconds specified by
`[security_compliance] lockout_duration`. This feature is disabled by
default. If this feature is enabled and `[security_compliance]
lockout_duration` is not set, then users may be locked out indefinitely
until the user is explicitly enabled via the API. This feature depends on
the `sql` backend for the `[identity] driver`.
"""))
   42 
# Length of the lock imposed once ``lockout_failure_attempts`` is exceeded.
# Defaults to 1800 seconds (30 minutes); ``min=1`` rules out a zero-length
# lock.  The help text says ``lockout_failure_attempts`` must be "non-zero",
# but that option has ``min=1`` and no default, so in practice this just
# means it has to be set at all.
lockout_duration = cfg.IntOpt(
    'lockout_duration',
    default=1800,
    min=1,
    help=utils.fmt("""
The number of seconds a user account will be locked when the maximum number of
failed authentication attempts (as specified by `[security_compliance]
lockout_failure_attempts`) is exceeded. Setting this option will have no effect
unless you also set `[security_compliance] lockout_failure_attempts` to a
non-zero value. This feature depends on the `sql` backend for the `[identity]
driver`.
"""))
   55 
# Password rotation.  Unset (``None``) means passwords never expire.  Per the
# help text, only passwords set after this option is enabled receive an
# expiry; credentials that already exist are not retroactively expired, so
# rotating stale passwords has to be driven by other means.
password_expires_days = cfg.IntOpt(
    'password_expires_days',
    min=1,  # an expiry of zero days would reject every new password
    help=utils.fmt("""
The number of days for which a password will be considered valid
before requiring it to be changed. This feature is disabled by default. If
enabled, new password changes will have an expiration date, however existing
passwords would not be impacted. This feature depends on the `sql` backend for
the `[identity] driver`.
"""))
   66 
# Password history.  ``0`` (the default) disables reuse checking; any positive
# value keeps that many prior passwords to compare new ones against.
# NOTE(review): the "greater or equal" sentence in the help text is ambiguous
# about the exact off-by-one; verify how many old passwords are actually
# compared against the sql identity backend rather than relying on the prose.
unique_last_password_count = cfg.IntOpt(
    'unique_last_password_count',
    default=0,
    min=0,
    help=utils.fmt("""
This controls the number of previous user password iterations to keep in
history, in order to enforce that newly created passwords are unique. The total
number which includes the new password should not be greater or equal to this
value. Setting the value to zero (the default) disables this feature. Thus, to
enable this feature, values must be greater than 0. This feature depends on
the `sql` backend for the `[identity] driver`.
"""))
   79 
# Companion to ``unique_last_password_count``: stops a user from cycling
# through the history in one sitting to get back to an old password.  ``0``
# (the default) allows immediate changes; per the help text, administrative
# resets bypass it.
# Only the ``min=0`` floor is enforced by this declaration.  The constraint
# that it stay below ``password_expires_days`` is stated in the help text but
# not validated here, so check whether anything else rejects a value at or
# above the expiry before relying on that relationship.
minimum_password_age = cfg.IntOpt(
    'minimum_password_age',
    default=0,
    min=0,
    help=utils.fmt("""
The number of days that a password must be used before the user can change it.
This prevents users from changing their passwords immediately in order to wipe
out their password history and reuse an old password. This feature does not
prevent administrators from manually resetting passwords. It is disabled by
default and allows for immediate password changes. This feature depends on the
`sql` backend for the `[identity] driver`. Note: If `[security_compliance]
password_expires_days` is set, then the value for this option should be less
than the `password_expires_days`.
"""))
   94 
# Operator-supplied password strength rule.  Unset means every password is
# accepted.  The pattern is evaluated against user-chosen input, so keep it
# anchored (``^...$``) and free of nested quantifiers that could make matching
# pathologically slow on crafted passwords.
# The example below carries ``\d`` inside a non-raw string, which is the
# invalid-escape warning that ``# noqa: W605`` on the closing line silences.
password_regex = cfg.StrOpt(
    'password_regex',
    help=utils.fmt("""
The regular expression used to validate password strength requirements. By
default, the regular expression will match any password. The following is an
example of a pattern which requires at least 1 letter, 1 digit, and have a
minimum length of 7 characters: ^(?=.*\\\d)(?=.*[a-zA-Z]).{7,}$ This feature
depends on the `sql` backend for the `[identity] driver`.
"""))  # noqa: W605
  104 
# Human-readable companion to ``password_regex``.  Per the help text it is
# returned verbatim to the user whose password was rejected, so treat it as
# user-visible text: describe the rule, not internal detail.
password_regex_description = cfg.StrOpt(
    'password_regex_description',
    help=utils.fmt("""
Describe your password regular expression here in language for humans. If a
password fails to match the regular expression, the contents of this
configuration variable will be returned to users to explain why their
requested password was insufficient.
"""))
  113 
# Force a password change on first use after creation or an administrative
# reset.  Off by default.  The per-user ``ignore_change_password_upon_first_use``
# option (set through the update-user API, per the help text) is the escape
# hatch intended for service accounts; every user carrying it is exempt from
# this requirement, so it is worth auditing which users have it set.
change_password_upon_first_use = cfg.BoolOpt(
    'change_password_upon_first_use',
    default=False,
    help=utils.fmt("""
Enabling this option requires users to change their password when the user is
created, or upon administrative reset. Before accessing any services, affected
users will have to change their password. To ignore this requirement for
specific users, such as service users, set the `options` attribute
`ignore_change_password_upon_first_use` to `True` for the desired user via the
update user API. This feature is disabled by default. This feature is only
applicable with the `sql` backend for the `[identity] driver`.
"""))
  126 
  127 
# The config section these options live under is derived from this module's
# basename, so the ``[security_compliance]`` group follows the file name.
GROUP_NAME = __name__.rpartition('.')[-1]

# Every option this module declares, in declaration order; ``register_opts``
# and ``list_opts`` both hand out this same list.
ALL_OPTS = [
    disable_user_account_days_inactive,
    lockout_failure_attempts,
    lockout_duration,
    password_expires_days,
    unique_last_password_count,
    minimum_password_age,
    password_regex,
    password_regex_description,
    change_password_upon_first_use,
]
  140 
  141 
def register_opts(conf):
    """Register every option in ``ALL_OPTS`` under the ``GROUP_NAME`` section.

    :param conf: an ``oslo_config`` ``ConfigOpts`` instance; after the call
        each option is readable as ``conf.<GROUP_NAME>.<option_name>``.
    :returns: ``None``.
    """
    target_group = GROUP_NAME
    conf.register_opts(ALL_OPTS, group=target_group)
  144 
  145 
def list_opts():
    """Return the options this module contributes, keyed by config section.

    :returns: a one-entry ``dict`` mapping ``GROUP_NAME`` to the ``ALL_OPTS``
        list itself (not a copy), in the shape the oslo.config sample
        generator expects from a ``list_opts`` entry point.
    """
    opts_by_group = {}
    opts_by_group[GROUP_NAME] = ALL_OPTS
    return opts_by_group