3030LOG = logging .getLogger (__name__ )
3131
3232
33+ def _get_options_for_user (identity_client , parsed_args ):
34+ options = {}
35+ if parsed_args .ignore_lockout_failure_attempts :
36+ options ['ignore_lockout_failure_attempts' ] = True
37+ if parsed_args .no_ignore_lockout_failure_attempts :
38+ options ['ignore_lockout_failure_attempts' ] = False
39+ if parsed_args .ignore_password_expiry :
40+ options ['ignore_password_expiry' ] = True
41+ if parsed_args .no_ignore_password_expiry :
42+ options ['ignore_password_expiry' ] = False
43+ if parsed_args .ignore_change_password_upon_first_use :
44+ options ['ignore_change_password_upon_first_use' ] = True
45+ if parsed_args .no_ignore_change_password_upon_first_use :
46+ options ['ignore_change_password_upon_first_use' ] = False
47+ if parsed_args .enable_lock_password :
48+ options ['lock_password' ] = True
49+ if parsed_args .disable_lock_password :
50+ options ['lock_password' ] = False
51+ if parsed_args .enable_multi_factor_auth :
52+ options ['multi_factor_auth_enabled' ] = True
53+ if parsed_args .disable_multi_factor_auth :
54+ options ['multi_factor_auth_enabled' ] = False
55+ if parsed_args .multi_factor_auth_rule :
56+ auth_rules = [rule .split ("," ) for rule in
57+ parsed_args .multi_factor_auth_rule ]
58+ if auth_rules :
59+ options ['multi_factor_auth_rules' ] = auth_rules
60+ return options
61+
62+
63+ def _add_user_options (parser ):
64+ # Add additional user options
65+
66+ parser .add_argument (
67+ '--ignore-lockout-failure-attempts' ,
68+ action = "store_true" ,
69+ help = _ ('Opt into ignoring the number of times a user has '
70+ 'authenticated and locking out the user as a result' ),
71+ )
72+ parser .add_argument (
73+ '--no-ignore-lockout-failure-attempts' ,
74+ action = "store_true" ,
75+ help = _ ('Opt out of ignoring the number of times a user has '
76+ 'authenticated and locking out the user as a result' ),
77+ )
78+ parser .add_argument (
79+ '--ignore-password-expiry' ,
80+ action = "store_true" ,
81+ help = _ ('Opt into allowing user to continue using passwords that '
82+ 'may be expired' ),
83+ )
84+ parser .add_argument (
85+ '--no-ignore-password-expiry' ,
86+ action = "store_true" ,
87+ help = _ ('Opt out of allowing user to continue using passwords '
88+ 'that may be expired' ),
89+ )
90+ parser .add_argument (
91+ '--ignore-change-password-upon-first-use' ,
92+ action = "store_true" ,
93+ help = _ ('Control if a user should be forced to change their password '
94+ 'immediately after they log into keystone for the first time. '
95+ 'Opt into ignoring the user to change their password during '
96+ 'first time login in keystone' ),
97+ )
98+ parser .add_argument (
99+ '--no-ignore-change-password-upon-first-use' ,
100+ action = "store_true" ,
101+ help = _ ('Control if a user should be forced to change their password '
102+ 'immediately after they log into keystone for the first time. '
103+ 'Opt out of ignoring the user to change their password during '
104+ 'first time login in keystone' ),
105+ )
106+ parser .add_argument (
107+ '--enable-lock-password' ,
108+ action = "store_true" ,
109+ help = _ ('Disables the ability for a user to change its password '
110+ 'through self-service APIs' ),
111+ )
112+ parser .add_argument (
113+ '--disable-lock-password' ,
114+ action = "store_true" ,
115+ help = _ ('Enables the ability for a user to change its password '
116+ 'through self-service APIs' ),
117+ )
118+ parser .add_argument (
119+ '--enable-multi-factor-auth' ,
120+ action = "store_true" ,
121+ help = _ ('Enables the MFA (Multi Factor Auth)' ),
122+ )
123+ parser .add_argument (
124+ '--disable-multi-factor-auth' ,
125+ action = "store_true" ,
126+ help = _ ('Disables the MFA (Multi Factor Auth)' ),
127+ )
128+ parser .add_argument (
129+ '--multi-factor-auth-rule' ,
130+ metavar = '<rule>' ,
131+ action = "append" ,
132+ default = [],
133+ help = _ ('Set multi-factor auth rules. For example, to set a rule '
134+ 'requiring the "password" and "totp" auth methods to be '
135+ 'provided, use: "--multi-factor-auth-rule password,totp". '
136+ 'May be provided multiple times to set different rule '
137+ 'combinations.' )
138+ )
139+
140+
33141class CreateUser (command .ShowOne ):
34142 _description = _ ("Create new user" )
35143
@@ -72,6 +180,8 @@ def get_parser(self, prog_name):
72180 metavar = '<description>' ,
73181 help = _ ('User description' ),
74182 )
183+ _add_user_options (parser )
184+
75185 enable_group = parser .add_mutually_exclusive_group ()
76186 enable_group .add_argument (
77187 '--enable' ,
@@ -113,6 +223,7 @@ def take_action(self, parsed_args):
113223 if not parsed_args .password :
114224 LOG .warning (_ ("No password was supplied, authentication will fail "
115225 "when a user does not have a password." ))
226+ options = _get_options_for_user (identity_client , parsed_args )
116227
117228 try :
118229 user = identity_client .users .create (
@@ -122,7 +233,8 @@ def take_action(self, parsed_args):
122233 password = parsed_args .password ,
123234 email = parsed_args .email ,
124235 description = parsed_args .description ,
125- enabled = enabled
236+ enabled = enabled ,
237+ options = options ,
126238 )
127239 except ks_exc .Conflict :
128240 if parsed_args .or_show :
@@ -333,6 +445,8 @@ def get_parser(self, prog_name):
333445 metavar = '<description>' ,
334446 help = _ ('Set user description' ),
335447 )
448+ _add_user_options (parser )
449+
336450 enable_group = parser .add_mutually_exclusive_group ()
337451 enable_group .add_argument (
338452 '--enable' ,
@@ -390,6 +504,10 @@ def take_action(self, parsed_args):
390504 if parsed_args .disable :
391505 kwargs ['enabled' ] = False
392506
507+ options = _get_options_for_user (identity_client , parsed_args )
508+ if options :
509+ kwargs ['options' ] = options
510+
393511 identity_client .users .update (user .id , ** kwargs )
394512
395513
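Review bot: The opposing flags registered by `_add_user_options` in the first hunk are independent `store_true` arguments, not members of a mutually exclusive group, unlike the `--enable`/`--disable` pair that both `get_parser` hunks set up with `parser.add_mutually_exclusive_group()` right after the new call. Because `_get_options_for_user` assigns `True` and then `False` in sequence, a command line carrying both `--enable-multi-factor-auth` and `--disable-multi-factor-auth` is accepted and sends `multi_factor_auth_enabled` as `False`. The lockout, password-expiry, first-use and lock-password pairs behave the same way, so a contradictory invocation silently resolves to one side of an account-security setting instead of being rejected. Registering each pair through its own group, e.g. `mfa_group = parser.add_mutually_exclusive_group()` followed by `mfa_group.add_argument('--enable-multi-factor-auth', ...)`, lets argparse refuse the conflict. Separately, the `identity_client` parameter of `_get_options_for_user` is never read and could be dropped; the `get_parser` and `take_action` bodies continue outside the hunks shown.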