From eb83e956aa81b93f988708869cfccbd2e31dd7e2 Mon Sep 17 00:00:00 2001 From: Karla Felix Date: Thu, 4 Apr 2024 13:28:01 -0300 Subject: [PATCH] Enforce new password rules to keystone accounts This review will be enforcing new password rules to Keystone accounts; the new rules are: - Minimum 12 characters - At least 1 Uppercase letter - At least 1 number - At least 1 special character - Cannot reuse past 5 passwords Test Plan: PASS: Run fresh install of AIO-SX with complete bootstrap and unlock of the controller-0. PASS: Run build-pkgs -c -p keystone. PASS: Run build-image. PASS: Change password 5 times and then try to use the first password of the sequence again to verify if it is using password history. PASS: Try to change the password to a password without an uppercase letter and verify if it fails. PASS: Try to change the password to a password without a number and verify if it fails. PASS: Try to change the password to a password without a special character and verify if it fails. PASS: Try password with less than 12 characters and verify if it fails. PASS: Access account and change password using serial console. PASS: Try a password that doesn't fit the password requirements and verify if the error message is shown. Story: 2011084 Task: 49824 Change-Id: Iba10465e4ea25fb6e35aa0e7b81391269cda739e Signed-off-by: Karla Felix --- ...-password-rules-to-keystone-accounts.patch | 57 +++++++++++++++++++ openstack/keystone/debian/deb_patches/series | 1 + 2 files changed, 58 insertions(+) create mode 100644 openstack/keystone/debian/deb_patches/0003-Enforce-new-password-rules-to-keystone-accounts.patch diff --git a/openstack/keystone/debian/deb_patches/0003-Enforce-new-password-rules-to-keystone-accounts.patch b/openstack/keystone/debian/deb_patches/0003-Enforce-new-password-rules-to-keystone-accounts.patch new file mode 100644 index 00000000..411c481f --- /dev/null +++ b/openstack/keystone/debian/deb_patches/0003-Enforce-new-password-rules-to-keystone-accounts.patch 
@@ -0,0 +1,57 @@ +From 4a5f7c44497c079844dbf86ebc3c92bf9eba7f91 Mon Sep 17 00:00:00 2001 +From: Karla Felix +Date: Thu, 4 Apr 2024 13:17:13 -0300 +Subject: [PATCH] Enforce new password rules to keystone accounts + +This review will be enforcing new password rules to Keystone accounts, +the new rules are: +- Minimum 12 characters +- At least 1 Uppercase letter +- At least 1 number +- At least 1 special character +- Cannot reuse past 5 passwords + +Signed-off-by: Karla Felix +--- + debian/stx/password-rules.conf | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/debian/stx/password-rules.conf b/debian/stx/password-rules.conf +index ac18ef9..2f10f8e 100644 +--- a/debian/stx/password-rules.conf ++++ b/debian/stx/password-rules.conf +@@ -18,20 +18,27 @@ + # feature, values must be greater than 1. This feature depends on the `sql` + # backend for the `[identity] driver`. (integer value) + # Minimum value: 1 +-unique_last_password_count = 3 ++unique_last_password_count = 5 + + # The regular expression used to validate password strength requirements. By + # default, the regular expression will match any password. The following is an + # example of a pattern which requires at least 1 letter, 1 digit, and have a +-# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature ++# minimum length of 12 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{12,}$ This feature + # depends on the `sql` backend for the `[identity] driver`. (string value) +-password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{7,}$ ++password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{12,}$ + + # Describe your password regular expression here in language for humans. If a + # password fails to match the regular expression, the contents of this + # configuration variable will be returned to users to explain why their + # requested password was insufficient. 
(string value) +-password_regex_description = Password must have a minimum length of 7 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character ++password_regex_description = Password must have a minimum length of 12 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character ++ ++# Describe in a message if the password input does not comply with the regex ++# rules. ++password_regex_error_description = Password does not fit one of this requirements: have a minimum lenght of 12 characters, contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character. ++ ++# Specifies the number of days after which passwords expire and must be changed. ++password_expires_days = 90 + + # The number of seconds a user account will be locked when the maximum number + # of failed authentication attempts (as specified by `[security_compliance] +-- +2.34.1 + diff --git a/openstack/keystone/debian/deb_patches/series b/openstack/keystone/debian/deb_patches/series index f03dacc3..9ae19b64 100644 --- a/openstack/keystone/debian/deb_patches/series +++ b/openstack/keystone/debian/deb_patches/series @@ -1,2 +1,3 @@ 0001-Add-stx-support.patch 0002-Add-login-fail-lockout-security-compliance-options.patch +0003-Enforce-new-password-rules-to-keystone-accounts.patch \ No newline at end of file
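Review bot: `password_regex_error_description`, the new key added after `password_regex_description` in the `password-rules.conf` hunk, is not a `[security_compliance]` option Keystone recognizes, so it will be silently ignored unless a companion code change reads it; the comment block right above it already states that `password_regex_description` is what Keystone returns to the user when the regex fails, which is the message the last Test Plan item checks. Either drop the key or include the code that consumes it, and if it stays, fix `lenght` and `one of this requirements` (`length`, `one of these requirements`). The same hunk also adds `password_expires_days = 90`, a 90-day expiry that neither the commit message nor the Test Plan mentions; document it (including which accounts it applies to) and add a test, or move it to its own change. Minor: the commit message lists four character-class rules, but the regex and both description strings also require a lower-case letter, so the list should match what is actually enforced.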
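Review bot: the added `0003-Enforce-new-password-rules-to-keystone-accounts.patch` line in `series` has no trailing newline (`\ No newline at end of file`); add one so that the next patch appended to the series yields a one-line diff instead of also modifying this line.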