
PCI-DSS 8.1.6: Limit repeated access attempts (max 6) #399

@gtema

Description


Implement and document

Implementation:
◦ Config: lockout_failure_attempts in keystone/conf/security_compliance.py
◦ Logic: _is_account_locked() method in keystone/identity/backends/sql.py (lines 84-114)
◦ Database: failed_auth_count and failed_auth_at in LocalUser table
◦ Methods: _record_failed_auth() and _reset_failed_auth() track attempts

Before the password is checked, the following check is performed:

```python
import datetime

from oslo_utils import timeutils

import keystone.conf

CONF = keystone.conf.CONF


def _is_account_locked(self, user_id, user_ref):
    """Return True if the account is locked due to failed auth attempts."""
    attempts = user_ref.local_user.failed_auth_count or 0
    max_attempts = CONF.security_compliance.lockout_failure_attempts
    lockout_duration = CONF.security_compliance.lockout_duration
    if max_attempts and (attempts >= max_attempts):
        if not lockout_duration:
            # no duration configured: locked until an administrator resets it
            return True
        else:
            # temporary lockout check: still inside the lockout window?
            delta = datetime.timedelta(seconds=lockout_duration)
            last_failure = user_ref.local_user.failed_auth_at
            if (last_failure + delta) > timeutils.utcnow():
                return True
            else:
                # window has expired: clear the counter and allow the attempt
                self._reset_failed_auth(user_id)
    return False
```
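The lockout decision above, reproduced as a stand-alone simulation so the behaviour can be exercised end to end (an added example, not Keystone's code): a constructed `LocalUser` stands in for the two database columns, `LockoutPolicy` stands in for the two config options, the clock is injected instead of calling `timeutils.utcnow()`, and the lock check runs before the password comparison, as in the issue.

```python
import datetime
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalUser:
    """Constructed stand-in for the LocalUser row's two lockout columns."""
    failed_auth_count: int = 0
    failed_auth_at: Optional[datetime.datetime] = None


@dataclass
class LockoutPolicy:
    """Stand-in for lockout_failure_attempts / lockout_duration."""
    lockout_failure_attempts: int = 6   # PCI-DSS 8.1.6 maximum
    lockout_duration: int = 1800        # seconds; 0 = lock until admin reset


def record_failed_auth(user: LocalUser, now: datetime.datetime) -> None:
    user.failed_auth_count += 1
    user.failed_auth_at = now


def reset_failed_auth(user: LocalUser) -> None:
    user.failed_auth_count = 0
    user.failed_auth_at = None


def is_account_locked(user, policy, now) -> bool:
    """Same decision procedure as the issue's snippet, clock injected."""
    attempts = user.failed_auth_count or 0
    if policy.lockout_failure_attempts and attempts >= policy.lockout_failure_attempts:
        if not policy.lockout_duration:
            return True                         # permanent lock
        delta = datetime.timedelta(seconds=policy.lockout_duration)
        if user.failed_auth_at + delta > now:
            return True                         # still inside the window
        reset_failed_auth(user)                 # window expired: clear counter
    return False


def authenticate(user, policy, password_ok, now) -> str:
    """The lock check runs before the password is compared."""
    if is_account_locked(user, policy, now):
        return "locked"
    if password_ok:
        reset_failed_auth(user)
        return "ok"
    record_failed_auth(user, now)
    return "bad_password"
```

Six wrong passwords lock the account, a correct password inside the window is still refused, and once `lockout_duration` has elapsed the counter resets and the correct password succeeds.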
