furukawa3
diff --git a/‎doc/source/cli/command-objects/user.rst‎
Lines changed: 126 additions & 0 deletions b/‎doc/source/cli/command-objects/user.rst‎
Lines changed: 126 additions & 0 deletions
diff --git a/‎openstackclient/identity/v3/user.py‎
Lines changed: 119 additions & 1 deletion b/‎openstackclient/identity/v3/user.py‎
Lines changed: 119 additions & 1 deletion
diff --git a/‎openstackclient/tests/unit/identity/v3/fakes.py‎
Lines changed: 3 additions & 0 deletions b/‎openstackclient/tests/unit/identity/v3/fakes.py‎
Lines changed: 3 additions & 0 deletions
@@ -19,6 +19,12 @@ Create new user
         [--password-prompt]
         [--email <email-address>]
         [--description <description>]
+        [--multi-factor-auth-rule <rule>]
+        [--ignore-lockout-failure-attempts| --no-ignore-lockout-failure-attempts]
+        [--ignore-password-expiry| --no-ignore-password-expiry]
+        [--ignore-change-password-upon-first-use| --no-ignore-change-password-upon-first-use]
+        [--enable-lock-password| --disable-lock-password]
+        [--enable-multi-factor-auth| --disable-multi-factor-auth]
         [--enable | --disable]
         [--or-show]
         <user-name>
@@ -56,6 +62,63 @@ Create new user
 
     .. versionadded:: 3
 
+.. option:: --ignore-lockout-failure-attempts
+
+    Opt into ignoring the number of times a user has authenticated and
+    locking out the user as a result
+
+.. option:: --no-ignore-lockout-failure-attempts
+
+    Opt out of ignoring the number of times a user has authenticated
+    and locking out the user as a result
+
+.. option:: --ignore-change-password-upon-first-use
+
+    Control if a user should be forced to change their password immediately
+    after they log into keystone for the first time. Opt into ignoring
+    the user to change their password during first time login in keystone.
+
+.. option:: --no-ignore-change-password-upon-first-use
+
+    Control if a user should be forced to change their password immediately
+    after they log into keystone for the first time. Opt out of ignoring
+    the user to change their password during first time login in keystone.
+
+.. option:: --ignore-password-expiry
+
+    Opt into allowing user to continue using passwords that may be
+    expired
+
+.. option:: --no-ignore-password-expiry
+
+    Opt out of allowing user to continue using passwords that may be
+    expired
+
+.. option:: --enable-lock-password
+
+    Disables the ability for a user to change its password through
+    self-service APIs
+
+.. option:: --disable-lock-password
+
+    Enables the ability for a user to change its password through
+    self-service APIs
+
+.. option:: --enable-multi-factor-auth
+
+    Enables the MFA (Multi Factor Auth)
+
+.. option:: --disable-multi-factor-auth
+
+    Disables the MFA (Multi Factor Auth)
+
+.. option:: --multi-factor-auth-rule <rule>
+
+    Set multi-factor auth rules. For example, to set a rule requiring the
+    "password" and "totp" auth methods to be provided,
+    use: "--multi-factor-auth-rule password,totp".
+    May be provided multiple times to set different rule combinations.
+
 .. option:: --enable
 
     Enable user (default)
@@ -146,6 +209,12 @@ Set user properties
         [--password-prompt]
         [--email <email-address>]
         [--description <description>]
+        [--multi-factor-auth-rule <rule>]
+        [--ignore-lockout-failure-attempts| --no-ignore-lockout-failure-attempts]
+        [--ignore-password-expiry| --no-ignore-password-expiry]
+        [--ignore-change-password-upon-first-use| --no-ignore-change-password-upon-first-use]
+        [--enable-lock-password| --disable-lock-password]
+        [--enable-multi-factor-auth| --disable-multi-factor-auth]
         [--enable|--disable]
         <user>
 
@@ -187,6 +256,63 @@ Set user properties
 
     .. versionadded:: 3
 
+.. option:: --ignore-lockout-failure-attempts
+
+    Opt into ignoring the number of times a user has authenticated and
+    locking out the user as a result
+
+.. option:: --no-ignore-lockout-failure-attempts
+
+    Opt out of ignoring the number of times a user has authenticated
+    and locking out the user as a result
+
+.. option:: --ignore-change-password-upon-first-use
+
+    Control if a user should be forced to change their password immediately
+    after they log into keystone for the first time. Opt into ignoring
+    the user to change their password during first time login in keystone.
+
+.. option:: --no-ignore-change-password-upon-first-use
+
+    Control if a user should be forced to change their password immediately
+    after they log into keystone for the first time. Opt out of ignoring
+    the user to change their password during first time login in keystone.
+
+.. option:: --ignore-password-expiry
+
+    Opt into allowing user to continue using passwords that may be
+    expired
+
+.. option:: --no-ignore-password-expiry
+
+    Opt out of allowing user to continue using passwords that may be
+    expired
+
+.. option:: --enable-lock-password
+
+    Disables the ability for a user to change its password through
+    self-service APIs
+
+.. option:: --disable-lock-password
+
+    Enables the ability for a user to change its password through
+    self-service APIs
+
+.. option:: --enable-multi-factor-auth
+
+    Enables the MFA (Multi Factor Auth)
+
+.. option:: --disable-multi-factor-auth
+
+    Disables the MFA (Multi Factor Auth)
+
+.. option:: --multi-factor-auth-rule <rule>
+
+    Set multi-factor auth rules. For example, to set a rule requiring the
+    "password" and "totp" auth methods to be provided,
+    use: "--multi-factor-auth-rule password,totp".
+    May be provided multiple times to set different rule combinations.
+
 .. option:: --enable
 
     Enable user (default)
 
@@ -30,6 +30,114 @@
 LOG = logging.getLogger(__name__)
 
 
+def _get_options_for_user(identity_client, parsed_args):
+    options = {}
+    if parsed_args.ignore_lockout_failure_attempts:
+        options['ignore_lockout_failure_attempts'] = True
+    if parsed_args.no_ignore_lockout_failure_attempts:
+        options['ignore_lockout_failure_attempts'] = False
+    if parsed_args.ignore_password_expiry:
+        options['ignore_password_expiry'] = True
+    if parsed_args.no_ignore_password_expiry:
+        options['ignore_password_expiry'] = False
+    if parsed_args.ignore_change_password_upon_first_use:
+        options['ignore_change_password_upon_first_use'] = True
+    if parsed_args.no_ignore_change_password_upon_first_use:
+        options['ignore_change_password_upon_first_use'] = False
+    if parsed_args.enable_lock_password:
+        options['lock_password'] = True
+    if parsed_args.disable_lock_password:
+        options['lock_password'] = False
+    if parsed_args.enable_multi_factor_auth:
+        options['multi_factor_auth_enabled'] = True
+    if parsed_args.disable_multi_factor_auth:
+        options['multi_factor_auth_enabled'] = False
+    if parsed_args.multi_factor_auth_rule:
+        auth_rules = [rule.split(",") for rule in
+                      parsed_args.multi_factor_auth_rule]
+        if auth_rules:
+            options['multi_factor_auth_rules'] = auth_rules
+    return options
+
+
+def _add_user_options(parser):
+    # Add additional user options
+
+    parser.add_argument(
+        '--ignore-lockout-failure-attempts',
+        action="store_true",
+        help=_('Opt into ignoring the number of times a user has '
+               'authenticated and locking out the user as a result'),
+    )
+    parser.add_argument(
+        '--no-ignore-lockout-failure-attempts',
+        action="store_true",
+        help=_('Opt out of ignoring the number of times a user has '
+               'authenticated and locking out the user as a result'),
+    )
+    parser.add_argument(
+        '--ignore-password-expiry',
+        action="store_true",
+        help=_('Opt into allowing user to continue using passwords that '
+               'may be expired'),
+    )
+    parser.add_argument(
+        '--no-ignore-password-expiry',
+        action="store_true",
+        help=_('Opt out of allowing user to continue using passwords '
+               'that may be expired'),
+    )
+    parser.add_argument(
+        '--ignore-change-password-upon-first-use',
+        action="store_true",
+        help=_('Control if a user should be forced to change their password '
+               'immediately after they log into keystone for the first time. '
+               'Opt into ignoring the user to change their password during '
+               'first time login in keystone'),
+    )
+    parser.add_argument(
+        '--no-ignore-change-password-upon-first-use',
+        action="store_true",
+        help=_('Control if a user should be forced to change their password '
+               'immediately after they log into keystone for the first time. '
+               'Opt out of ignoring the user to change their password during '
+               'first time login in keystone'),
+    )
+    parser.add_argument(
+        '--enable-lock-password',
+        action="store_true",
+        help=_('Disables the ability for a user to change its password '
+               'through self-service APIs'),
+    )
+    parser.add_argument(
+        '--disable-lock-password',
+        action="store_true",
+        help=_('Enables the ability for a user to change its password '
+               'through self-service APIs'),
+    )
+    parser.add_argument(
+        '--enable-multi-factor-auth',
+        action="store_true",
+        help=_('Enables the MFA (Multi Factor Auth)'),
+    )
+    parser.add_argument(
+        '--disable-multi-factor-auth',
+        action="store_true",
+        help=_('Disables the MFA (Multi Factor Auth)'),
+    )
+    parser.add_argument(
+        '--multi-factor-auth-rule',
+        metavar='<rule>',
+        action="append",
+        default=[],
+        help=_('Set multi-factor auth rules. For example, to set a rule '
+               'requiring the "password" and "totp" auth methods to be '
+               'provided, use: "--multi-factor-auth-rule password,totp". '
+               'May be provided multiple times to set different rule '
+               'combinations.')
+    )
+
+
 class CreateUser(command.ShowOne):
     _description = _("Create new user")
 
@@ -72,6 +180,8 @@ def get_parser(self, prog_name):
             metavar='<description>',
             help=_('User description'),
         )
+        _add_user_options(parser)
+
         enable_group = parser.add_mutually_exclusive_group()
         enable_group.add_argument(
             '--enable',
@@ -113,6 +223,7 @@ def take_action(self, parsed_args):
         if not parsed_args.password:
             LOG.warning(_("No password was supplied, authentication will fail "
                           "when a user does not have a password."))
+        options = _get_options_for_user(identity_client, parsed_args)
 
         try:
             user = identity_client.users.create(
@@ -122,7 +233,8 @@ def take_action(self, parsed_args):
                 password=parsed_args.password,
                 email=parsed_args.email,
                 description=parsed_args.description,
-                enabled=enabled
+                enabled=enabled,
+                options=options,
             )
         except ks_exc.Conflict:
             if parsed_args.or_show:
@@ -333,6 +445,8 @@ def get_parser(self, prog_name):
             metavar='<description>',
             help=_('Set user description'),
         )
+        _add_user_options(parser)
+
         enable_group = parser.add_mutually_exclusive_group()
         enable_group.add_argument(
             '--enable',
@@ -390,6 +504,10 @@ def take_action(self, parsed_args):
         if parsed_args.disable:
             kwargs['enabled'] = False
 
+        options = _get_options_for_user(identity_client, parsed_args)
+        if options:
+            kwargs['options'] = options
+
         identity_client.users.update(user.id, **kwargs)
 
 
 
@@ -108,6 +108,9 @@
     "rules": MAPPING_RULES_2
 }
 
+mfa_opt1 = 'password,totp'
+mfa_opt2 = 'password'
+
 project_id = '8-9-64'
 project_name = 'beatles'
 project_description = 'Fab Four'
Original file line number	Diff line number	Diff line change
`@@ -108,6 +108,9 @@`
`108`	`108`	`"rules": MAPPING_RULES_2`
`109`	`109`	`}`
`110`	`110`
	`111`	`+mfa_opt1 = 'password,totp'`
	`112`	`+mfa_opt2 = 'password'`
	`113`	`+`
`111`	`114`	`project_id = '8-9-64'`
`112`	`115`	`project_name = 'beatles'`
`113`	`116`	`project_description = 'Fab Four'`