
PCI-DSS 8.1.4: Remove/disable inactive user accounts within 90 days #398

@gtema

Description


Implement and document

Implementation:
◦ Config: disable_user_account_days_inactive in keystone/conf/security_compliance.py
◦ Logic: User.enabled property in keystone/identity/backends/sql_model.py (lines 217-254)
◦ Database: last_active_at column in User table tracks last successful login
◦ Users automatically disabled when days_inactive >= max_days

Currently Python keystone verifies `last_active_at + max_days < now` in the `user.active` property. There is no automatic expiry process. Doing so would invalidate application credentials.

```python
# The ``enabled`` property of the User model in
# keystone/identity/backends/sql_model.py (Python keystone), shown with the
# decorator, the imports and the trailing return that the excerpt omitted.
# The check runs lazily when the row is read; nothing sweeps the table.
from oslo_utils import timeutils
from sqlalchemy.ext.hybrid import hybrid_property

import keystone.conf
from keystone.identity.backends import resource_options as iro

CONF = keystone.conf.CONF


    @hybrid_property
    def enabled(self):
        """Return whether user is enabled or not."""
        if self._enabled:
            max_days = (
                CONF.security_compliance.disable_user_account_days_inactive
            )
            # Per-user resource option that exempts e.g. service accounts.
            inactivity_exempt = getattr(
                self.get_resource_option(
                    iro.IGNORE_USER_INACTIVITY_OPT.option_id
                ),
                'option_value',
                False,
            )
            last_active = self.last_active_at
            # A user who never logged in is measured from creation time.
            if not last_active and self.created_at:
                last_active = self.created_at.date()
            # max_days of 0/None switches the control off entirely.
            if max_days and last_active:
                now = timeutils.utcnow().date()
                days_inactive = (now - last_active).days
                if days_inactive >= max_days and not inactivity_exempt:
                    self._enabled = False
        return self._enabled
```
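The following is an added, stand-alone model of the inactivity rule described in this issue; it is not keystone code and not part of the original report. It reproduces the same semantics (whole-day comparison on dates, `created_at` fallback for users who never logged in, `>=` boundary, per-user exemption, `max_days` of 0 or `None` meaning the control is off, and the fact that a later login does not re-enable an account already flipped to disabled) so the edge cases can be checked offline. The `User` dataclass, `ignore_inactivity` flag, `record_successful_login` helper and the sample dates are assumptions made for the example.

```python
"""Added example (not keystone code): PCI-DSS 8.1.4 inactivity check."""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Dict, Optional


@dataclass
class User:
    """Assumed minimal stand-in for the keystone User row."""
    name: str
    created_at: datetime
    last_active_at: Optional[date] = None   # date of last successful login
    enabled: bool = True
    ignore_inactivity: bool = False         # stands in for IGNORE_USER_INACTIVITY_OPT


def days_inactive(user: User, now: datetime) -> Optional[int]:
    """Whole days since the last successful login, or since creation when
    the user has never logged in. None when neither timestamp is known."""
    last_active = user.last_active_at
    if last_active is None and user.created_at is not None:
        last_active = user.created_at.date()
    if last_active is None:
        return None
    return (now.date() - last_active).days


def is_enabled(user: User, max_days: Optional[int], now: datetime) -> bool:
    """Lazy check evaluated at lookup time: an already-disabled user stays
    disabled; an enabled user is flipped off once the window has elapsed
    and no exemption is set. Mirrors the keystone property's control flow."""
    if not user.enabled:
        return False
    if not max_days:                  # 0 or None: control switched off
        return True
    inactive = days_inactive(user, now)
    if inactive is None:
        return True
    if inactive >= max_days and not user.ignore_inactivity:
        user.enabled = False          # keystone persists this; in-memory here
    return user.enabled


def record_successful_login(user: User, when: datetime) -> None:
    """What an auth path does on success: refresh the activity date so the
    inactivity window restarts. It does not re-enable a disabled account."""
    user.last_active_at = when.date()


def demo() -> Dict[str, bool]:
    """Exercise the edge cases with constructed sample data (max_days=90)."""
    max_days = 90
    now = datetime(2024, 7, 1, 12, 0, tzinfo=timezone.utc)
    created = datetime(2024, 1, 1, tzinfo=timezone.utc)

    stale = User("stale", created, last_active_at=date(2024, 4, 1))      # 91 days
    fresh = User("fresh", created, last_active_at=date(2024, 6, 30))     # 1 day
    never = User("never-logged-in", created)                             # 182 days since creation
    svc = User("service", created, last_active_at=date(2024, 1, 2), ignore_inactivity=True)
    on_edge = User("on-edge", created, last_active_at=date(2024, 4, 2))  # exactly 90 days
    inside = User("inside", created, last_active_at=date(2024, 4, 3))    # 89 days
    off = User("check-off", created, last_active_at=date(2023, 1, 1))

    results = {
        "stale": is_enabled(stale, max_days, now),
        "fresh": is_enabled(fresh, max_days, now),
        "never": is_enabled(never, max_days, now),
        "service": is_enabled(svc, max_days, now),
        "on_edge": is_enabled(on_edge, max_days, now),
        "inside": is_enabled(inside, max_days, now),
        "check_off": is_enabled(off, 0, now),
    }
    # A fresh login after the flip does not revive the account.
    record_successful_login(stale, now)
    results["stale_after_login"] = is_enabled(stale, max_days, now)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} enabled={ok}")
```

Two details worth noticing when porting this: the comparison is on calendar dates, so a login at 23:59 UTC and the check at 00:01 UTC the next day count as one day; and the never-logged-in case falls back to `created_at`, so a provisioned-but-unused account is disabled after the same window as an abandoned one. Accounts that authenticate only through non-interactive means need the exemption flag, which is the role `IGNORE_USER_INACTIVITY_OPT` plays in keystone.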

Metadata

Assignees: No one assigned
Status: Done
Development: No branches or pull requests