starlingx/upstream
Code Issues Proposed changes

Enforce new password rules to keystone accounts

Browse Source 
This review will be enforcing new password rules to Keystone accounts,
the new rules are:
- Minimum 12 characters
- At least 1 Uppercase letter
- At least 1 number
- At least 1 special character
- Cannot reuse past 5 passwords

Test Plan:
PASS: Run fresh install of AIO-SX with complete bootstrap and unlock
      of the controller-0.
PASS: Run build-pkgs -c -p keystone.
PASS: Run build-image.
Note: The password command that I used for the next test cases is:
      openstack user password set
PASS: Change password 5 times and then try to use the first password of
      the sequence again to verify if it is using password history.
PASS: Try to change the password to a password without an uppercase
      letter and verify if it fail.
PASS: Try to change the password to a password without a number
      and verify if it fail.
PASS: Try to change the password to a password without a special
      character and verify if it fail.
PASS: Try password with less than 12 character and verify if it fails.
PASS: Access account and change password using serial console.
PASS: Try a password that doesn't fit the password requirements and
      verify if the error message is shown.

Story: 2011084
Task: 49824

Change-Id: Iba10465e4ea25fb6e35aa0e7b81391269cda739e
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
This commit is contained in:
Karla Felix 2024-04-04 13:28:01 -03:00
parent 2b88224302
commit cefa3d2582
2 changed files with 54 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
openstack/keystone/debian/deb_patches/0003-Enforce-new-password-rules-to-keystone-accounts.patch Normal file
View File

@ -0,0 +1,53 @@
From 9ab6fb0efd1c9a35d5d6e44226cce6fd7f5189a7 Mon Sep 17 00:00:00 2001
From: Karla Felix <karla.karolinenogueirafelix@windriver.com>
Date: Thu, 4 Apr 2024 13:17:13 -0300
Subject: [PATCH] Enforce new password rules to keystone accounts
This review will be enforcing new password rules to Keystone accounts,
the new rules are:
- Minimum 12 characters
- At least 1 Uppercase letter
- At least 1 number
- At least 1 special character
- Cannot reuse past 5 passwords
Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
---
debian/stx/password-rules.conf | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/debian/stx/password-rules.conf b/debian/stx/password-rules.conf
index ac18ef9..2e1a7ff 100644
--- a/debian/stx/password-rules.conf
+++ b/debian/stx/password-rules.conf
@@ -18,20 +18,23 @@
# feature, values must be greater than 1. This feature depends on the `sql`
# backend for the `[identity] driver`. (integer value)
# Minimum value: 1
-unique_last_password_count = 3
+unique_last_password_count = 5
# The regular expression used to validate password strength requirements. By
# default, the regular expression will match any password. The following is an
# example of a pattern which requires at least 1 letter, 1 digit, and have a
-# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature
+# minimum length of 12 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{12,}$ This feature
# depends on the `sql` backend for the `[identity] driver`. (string value)
-password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{7,}$
+password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{12,}$
# Describe your password regular expression here in language for humans. If a
# password fails to match the regular expression, the contents of this
# configuration variable will be returned to users to explain why their
# requested password was insufficient. (string value)
-password_regex_description = Password must have a minimum length of 7 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character
+password_regex_description = Password must have a minimum length of 12 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character
+
+# Specifies the number of days after which passwords expire and must be changed.
+password_expires_days = 90
# The number of seconds a user account will be locked when the maximum number
# of failed authentication attempts (as specified by `[security_compliance]
--
2.34.1

1
openstack/keystone/debian/deb_patches/series
View File

@ -1,2 +1,3 @@
0001-Add-stx-support.patch
0002-Add-login-fail-lockout-security-compliance-options.patch
0003-Enforce-new-password-rules-to-keystone-accounts.patch