コード例 #1
    def test_since_openstack_greater(self, _get_os_codename_package):
        """Release gate returns True when the installed release is newer.

        The codename lookup is stubbed to report "rocky" while the gate is
        built for "queens"; calling the gate is expected to yield True.
        """
        # NOTE(review): if this gate wrongly returned False, an audit
        # decorated with it would presumably be skipped rather than
        # reported as failed -- confirm against the audits module.
        _get_os_codename_package.return_value = "rocky"

        release_gate = audits.since_openstack_release('test', 'queens')
        outcome = release_gate()
        self.assertEqual(outcome, True)
コード例 #2
    def test_since_openstack_equal(self, _get_os_codename_package):
        """Release gate returns True when installed release equals the bound.

        Both the stubbed codename and the gate's release are "mitaka", so
        this pins the boundary as inclusive.
        """
        # Boundary case: an off-by-one here would drop the audit on exactly
        # the first release it is declared for.
        _get_os_codename_package.return_value = "mitaka"

        release_gate = audits.since_openstack_release('test', 'mitaka')
        outcome = release_gate()
        self.assertEqual(outcome, True)
コード例 #3
    def test_since_openstack_less(self, _get_os_codename_package):
        """Release gate returns False when the installed release is older.

        The codename lookup is stubbed to report "icehouse" while the gate
        is built for "mitaka"; calling the gate is expected to yield False.
        """
        _get_os_codename_package.return_value = "icehouse"

        release_gate = audits.since_openstack_release('test', 'mitaka')
        outcome = release_gate()
        self.assertEqual(outcome, False)
コード例 #4
    audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide), )
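def disable_password_autocomplete(audit_options):
    """Verify that password autocomplete is disabled for the dashboard.

    Security Guide Check Name: Check-Dashboard-07

    The check fails when ``PASSWORD_AUTOCOMPLETE`` in ``LOCAL_SETTINGS`` is
    truthy. A missing key passes.

    :param audit_options: Dictionary of options for audit configuration
        (not read by this check)
    :type audit_options: Dict
    :raises: AssertionError if the check fails.
    """
    # Raise explicitly rather than relying on an ``assert`` statement:
    # asserts are stripped under ``python -O`` / PYTHONOPTIMIZE, which would
    # make this security check pass unconditionally.
    # NOTE(review): Horizon documents this setting as the strings
    # "on"/"off"; a literal "off" is truthy and would fail here -- confirm
    # how LOCAL_SETTINGS is parsed before trusting a failure.
    if LOCAL_SETTINGS.get('PASSWORD_AUTOCOMPLETE'):
        raise AssertionError("PASSWORD_AUTOCOMPLETE should be set to False")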


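@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),
              audits.since_openstack_release('openstack-dashboard', 'kilo'))
def disable_password_reveal(audit_options):
    """Verify that the dashboard's password reveal feature is disabled.

    Security Guide Check Name: Check-Dashboard-08

    The check fails unless ``DISABLE_PASSWORD_REVEAL`` in ``LOCAL_SETTINGS``
    is truthy, so a missing key is reported as a failure (fail-closed).

    :param audit_options: Dictionary of options for audit configuration
        (not read by this check)
    :type audit_options: Dict
    :raises: AssertionError if the check fails.
    """
    # Raise explicitly rather than relying on an ``assert`` statement:
    # asserts are stripped under ``python -O`` / PYTHONOPTIMIZE, which would
    # make this security check pass unconditionally.
    if not LOCAL_SETTINGS.get('DISABLE_PASSWORD_REVEAL'):
        raise AssertionError("DISABLE_PASSWORD_REVEAL should be set to True")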


@audits.audit(
    audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide), )
コード例 #5
    :param audit_options: Dictionary of options for audit configuration
    :type audit_options: Dict
    :raises: AssertionError if the assertion fails.
    """
    section = audit_options['keystone-conf'].get('token')
    assert section is not None, "Missing section 'token'"
    provider = section.get('provider')
    algorithm = section.get("hash_algorithm")
    if provider and "pki" in provider:
        assert "SHA256" == algorithm, \
            "Weak hash algorithm used with PKI provider: {}".format(
                algorithm)


@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),
              audits.since_openstack_release('keystone', 'juno'))
def check_max_request_body_size(audit_options):
    """Validate that a sane max_request_body_size is set.

    Security Guide Check Name: Check-Identity-05

    :param audit_options: Dictionary of options for audit configuration
    :type audit_options: Dict
    :raises: AssertionError if the assertion fails.
    """
    default = audit_options['keystone-conf'].get('DEFAULT', {})
    oslo_middleware = audit_options['keystone-conf'] \
        .get('oslo_middleware', {})
    # assert section is not None, "Missing section 'DEFAULT'"
    assert (default.get('max_request_body_size') or
            oslo_middleware.get('max_request_body_size') is not None), \
コード例 #6
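@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),)
def disable_password_autocomplete(audit_options):
    """Verify that password autocomplete is disabled for the dashboard.

    Security Guide Check Name: Check-Dashboard-07

    The check fails when ``PASSWORD_AUTOCOMPLETE`` in ``LOCAL_SETTINGS`` is
    truthy. A missing key passes.

    :param audit_options: Dictionary of options for audit configuration
        (not read by this check)
    :type audit_options: Dict
    :raises: AssertionError if the check fails.
    """
    # Raise explicitly rather than relying on an ``assert`` statement:
    # asserts are stripped under ``python -O`` / PYTHONOPTIMIZE, which would
    # make this security check pass unconditionally.
    # NOTE(review): Horizon documents this setting as the strings
    # "on"/"off"; a literal "off" is truthy and would fail here -- confirm
    # how LOCAL_SETTINGS is parsed before trusting a failure.
    if LOCAL_SETTINGS.get('PASSWORD_AUTOCOMPLETE'):
        raise AssertionError("PASSWORD_AUTOCOMPLETE should be set to False")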


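@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),
              audits.since_openstack_release('openstack-dashboard', 'kilo'))
def disable_password_reveal(audit_options):
    """Verify that the dashboard's password reveal feature is disabled.

    Security Guide Check Name: Check-Dashboard-08

    The check fails unless ``DISABLE_PASSWORD_REVEAL`` in ``LOCAL_SETTINGS``
    is truthy, so a missing key is reported as a failure (fail-closed).

    :param audit_options: Dictionary of options for audit configuration
        (not read by this check)
    :type audit_options: Dict
    :raises: AssertionError if the check fails.
    """
    # Raise explicitly rather than relying on an ``assert`` statement:
    # asserts are stripped under ``python -O`` / PYTHONOPTIMIZE, which would
    # make this security check pass unconditionally.
    if not LOCAL_SETTINGS.get('DISABLE_PASSWORD_REVEAL'):
        raise AssertionError("DISABLE_PASSWORD_REVEAL should be set to True")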


@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),)
def enforce_password_check(audit_options):
コード例 #7
    :param audit_options: Dictionary of options for audit configuration
    :type audit_options: Dict
    :raises: AssertionError if the assertion fails.
    """
    section = audit_options['keystone-conf'].get('token')
    assert section is not None, "Missing section 'token'"
    provider = section.get('provider')
    algorithm = section.get("hash_algorithm")
    if provider and "pki" in provider:
        assert "SHA256" == algorithm, \
            "Weak hash algorithm used with PKI provider: ".format(
                algorithm)


@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),
              audits.since_openstack_release('keystone', 'juno'))
def check_max_request_body_size(audit_options):
    """Validate that a sane max_request_body_size is set.

    Security Guide Check Name: Check-Identity-05

    :param audit_options: Dictionary of options for audit configuration
    :type audit_options: Dict
    :raises: AssertionError if the assertion fails.
    """
    default = audit_options['keystone-conf'].get('DEFAULT', {})
    oslo_middleware = audit_options['keystone-conf'] \
        .get('oslo_middleware', {})
    # assert section is not None, "Missing section 'DEFAULT'"
    assert (default.get('max_request_body_size') or
            oslo_middleware.get('max_request_body_size') is not None), \