def test_since_openstack_greater(self, _get_os_codename_package):
    """The release gate yields True when the mocked codename is newer.

    The patched codename lookup reports 'rocky' while the gate is built
    with a minimum of 'queens'.
    """
    # The mock argument replaces the real codename lookup for this test.
    _get_os_codename_package.return_value = "rocky"
    release_gate = audits.since_openstack_release('test', 'queens')
    outcome = release_gate()
    self.assertEqual(outcome, True)
def test_since_openstack_equal(self, _get_os_codename_package):
    """The release gate yields True when the codename equals the minimum.

    Both the mocked codename and the requested minimum are 'mitaka', so
    this pins the inclusive lower bound.
    """
    _get_os_codename_package.return_value = "mitaka"
    release_gate = audits.since_openstack_release('test', 'mitaka')
    outcome = release_gate()
    self.assertEqual(outcome, True)
def test_since_openstack_less(self, _get_os_codename_package):
    """The release gate yields False when the mocked codename is older.

    The patched codename lookup reports 'icehouse' while the gate is built
    with a minimum of 'mitaka'.
    """
    # NOTE(review): presumably this gate decides whether release-specific
    # audits apply; a wrong answer would run or skip a check on the wrong
    # release -- confirm against audits.audit.
    _get_os_codename_package.return_value = "icehouse"
    release_gate = audits.since_openstack_release('test', 'mitaka')
    outcome = release_gate()
    self.assertEqual(outcome, False)
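audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),
)
def disable_password_autocomplete(audit_options):
    """Verify that password autocomplete is disabled.

    Security Guide Check Name: Check-Dashboard-07

    The value is read from the LOCAL_SETTINGS mapping defined outside this
    function; ``audit_options`` is accepted but not read by this check.

    :param audit_options: Dictionary of options for audit configuration
    :type audit_options: Dict
    :raises: AssertionError if PASSWORD_AUTOCOMPLETE is set to a truthy
             value.
    """
    # Raised explicitly instead of via ``assert``: assert statements are
    # removed under ``python -O`` / PYTHONOPTIMIZE, which would let this
    # security check pass without evaluating anything.
    # NOTE(review): Horizon documents this setting as the strings
    # "on"/"off"; a raw "off" string is truthy and would fail here --
    # confirm how LOCAL_SETTINGS normalises the value.
    if LOCAL_SETTINGS.get('PASSWORD_AUTOCOMPLETE'):
        raise AssertionError("PASSWORD_AUTOCOMPLETE should be set to False")


@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),
              audits.since_openstack_release('openstack-dashboard', 'kilo'))
def disable_password_reveal(audit_options):
    """Verify that the password reveal control is disabled.

    Security Guide Check Name: Check-Dashboard-08

    The value is read from the LOCAL_SETTINGS mapping defined outside this
    function; ``audit_options`` is accepted but not read by this check.

    :param audit_options: Dictionary of options for audit configuration
    :type audit_options: Dict
    :raises: AssertionError if DISABLE_PASSWORD_REVEAL is missing or falsy.
    """
    # Explicit raise so the check survives ``python -O`` (see
    # disable_password_autocomplete). A missing key yields None and is
    # therefore reported as a failure.
    if not LOCAL_SETTINGS.get('DISABLE_PASSWORD_REVEAL'):
        raise AssertionError("DISABLE_PASSWORD_REVEAL should be set to True")


@audits.audit(
    audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),
)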
:param audit_options: Dictionary of options for audit configuration :type audit_options: Dict :raises: AssertionError if the assertion fails. """ section = audit_options['keystone-conf'].get('token') assert section is not None, "Missing section 'token'" provider = section.get('provider') algorithm = section.get("hash_algorithm") if provider and "pki" in provider: assert "SHA256" == algorithm, \ "Weak hash algorithm used with PKI provider: {}".format( algorithm) @audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide), audits.since_openstack_release('keystone', 'juno')) def check_max_request_body_size(audit_options): """Validate that a sane max_request_body_size is set. Security Guide Check Name: Check-Identity-05 :param audit_options: Dictionary of options for audit configuration :type audit_options: Dict :raises: AssertionError if the assertion fails. """ default = audit_options['keystone-conf'].get('DEFAULT', {}) oslo_middleware = audit_options['keystone-conf'] \ .get('oslo_middleware', {}) # assert section is not None, "Missing section 'DEFAULT'" assert (default.get('max_request_body_size') or oslo_middleware.get('max_request_body_size') is not None), \
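@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),)
def disable_password_autocomplete(audit_options):
    """Verify that password autocomplete is disabled.

    Security Guide Check Name: Check-Dashboard-07

    The value is read from the LOCAL_SETTINGS mapping defined outside this
    function; ``audit_options`` is accepted but not read by this check.

    :param audit_options: Dictionary of options for audit configuration
    :type audit_options: Dict
    :raises: AssertionError if PASSWORD_AUTOCOMPLETE is set to a truthy
             value.
    """
    # Raised explicitly instead of via ``assert``: assert statements are
    # removed under ``python -O`` / PYTHONOPTIMIZE, which would let this
    # security check pass without evaluating anything.
    # NOTE(review): Horizon documents this setting as the strings
    # "on"/"off"; a raw "off" string is truthy and would fail here --
    # confirm how LOCAL_SETTINGS normalises the value.
    if LOCAL_SETTINGS.get('PASSWORD_AUTOCOMPLETE'):
        raise AssertionError("PASSWORD_AUTOCOMPLETE should be set to False")


@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),
              audits.since_openstack_release('openstack-dashboard', 'kilo'))
def disable_password_reveal(audit_options):
    """Verify that the password reveal control is disabled.

    Security Guide Check Name: Check-Dashboard-08

    The value is read from the LOCAL_SETTINGS mapping defined outside this
    function; ``audit_options`` is accepted but not read by this check.

    :param audit_options: Dictionary of options for audit configuration
    :type audit_options: Dict
    :raises: AssertionError if DISABLE_PASSWORD_REVEAL is missing or falsy.
    """
    # Explicit raise so the check survives ``python -O`` (see
    # disable_password_autocomplete). A missing key yields None and is
    # therefore reported as a failure.
    if not LOCAL_SETTINGS.get('DISABLE_PASSWORD_REVEAL'):
        raise AssertionError("DISABLE_PASSWORD_REVEAL should be set to True")


@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),)
def enforce_password_check(audit_options):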
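:param audit_options: Dictionary of options for audit configuration
    :type audit_options: Dict
    :raises: AssertionError if the assertion fails.
    """
    section = audit_options['keystone-conf'].get('token')
    assert section is not None, "Missing section 'token'"
    provider = section.get('provider')
    algorithm = section.get("hash_algorithm")
    if provider and "pki" in provider:
        # The '{}' placeholder is required: without it str.format() drops
        # its argument and the failure message never names the configured
        # hash algorithm, which is what an operator needs to see.
        assert "SHA256" == algorithm, \
            "Weak hash algorithm used with PKI provider: {}".format(
                algorithm)


@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),
              audits.since_openstack_release('keystone', 'juno'))
def check_max_request_body_size(audit_options):
    """Validate that a sane max_request_body_size is set.

    Security Guide Check Name: Check-Identity-05

    :param audit_options: Dictionary of options for audit configuration
    :type audit_options: Dict
    :raises: AssertionError if the assertion fails.
    """
    default = audit_options['keystone-conf'].get('DEFAULT', {})
    oslo_middleware = audit_options['keystone-conf'] \
        .get('oslo_middleware', {})
    # assert section is not None, "Missing section 'DEFAULT'"
    assert (default.get('max_request_body_size') or
            oslo_middleware.get('max_request_body_size') is not None), \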