Interface support for security configuration

Configuration support for password and security
enforcement for user accounts under the AccountPolicy
interface (which will manage global policies
related to accounts).

Change-Id: Icdea6d83654f9449088a6319f453788cb25ecfc2
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
diff --git a/xyz/openbmc_project/User/AccountPolicy.interface.yaml b/xyz/openbmc_project/User/AccountPolicy.interface.yaml
new file mode 100644
index 0000000..9397f4b
--- /dev/null
+++ b/xyz/openbmc_project/User/AccountPolicy.interface.yaml
@@ -0,0 +1,33 @@
+description: >
+    Provides global user account policy related management.
+
+properties:
+    - name: MaxLoginAttemptBeforeLockout
+      type: uint16
+      description: >
+          Configures the maximum permissible attempt before locking
+          out the user. Value of 0 indicates that account lockout
+          feature is disabled.
+
+    - name: AccountUnlockTimeout
+      type: uint32
+      description: >
+          Configures timeout needed (in seconds) to unlock the account
+          after a lockout. Value of 0 indicates that account must be
+          unlocked manually.
+
+    - name: MinPasswordLength
+      type: byte
+      description: >
+          Configures the minimum password length. Minimum password length
+          specified in build time is marked as default value. This property
+          cannot be configured below the build time default value but can be
+          set to higher one for security reasons.
+
+    - name: RememberOldPasswordTimes
+      type: byte
+      description: >
+          Configures the number of times old password shouldn't be allowed
+          when trying to update new password. Value of 0 (by default) indicates
+          this feature is not enforced.
+# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
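Review bot: the MinPasswordLength description says the property "cannot be configured below the build time default value" but does not state what happens when a caller tries: the interface should document which D-Bus error is raised on rejection so that clients (and Redfish/IPMI front-ends) can rely on it, and the same applies to out-of-range writes of the other three properties. Two wording points in the same hunk: MaxLoginAttemptBeforeLockout should read "maximum permissible attempts" and should say whether the failed-attempt counter resets on a successful login, since that determines how the lockout actually behaves; and RememberOldPasswordTimes reads more clearly as "number of previous passwords that must not be reused when a password is changed". Finally, it is worth stating explicitly that AccountUnlockTimeout is only meaningful when MaxLoginAttemptBeforeLockout is non-zero.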
diff --git a/xyz/openbmc_project/User/Attributes.interface.yaml b/xyz/openbmc_project/User/Attributes.interface.yaml
index 108934d..31d9939 100644
--- a/xyz/openbmc_project/User/Attributes.interface.yaml
+++ b/xyz/openbmc_project/User/Attributes.interface.yaml
@@ -18,4 +18,14 @@
       type: boolean
       description: >
           Enabled or disabled state of the user.
+
+    - name: UserLockedForFailedAttempt
+      type: boolean
+      description: >
+          Locked or unlocked state of the user. After repeated failed
+          login attempt (configured through MaxLoginAttemptBeforeLockout),
+          locked out user can be unlocked manually by setting false to
+          this property. This property will return true if user is locked
+          out user. AccountUnlockTimeout property can be configured to unlock
+          the user after a timeout.
 # vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
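Review bot: the UserLockedForFailedAttempt description is ambiguous about writes: it says a locked user "can be unlocked manually by setting false to this property" but does not say whether setting it to true (an administrative lock) is accepted or rejected, and a reader needs that to know whether the property is read-only except for the unlock case. The sentence "This property will return true if user is locked out user" is also garbled; suggest "This property is true while the user is locked out." It would also help to state that the property reverts to false on its own once AccountUnlockTimeout elapses, so that callers do not assume a manual write is the only path out of a lockout.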
diff --git a/xyz/openbmc_project/User/Common.errors.yaml b/xyz/openbmc_project/User/Common.errors.yaml
index a1c60ab..ccca302 100644
--- a/xyz/openbmc_project/User/Common.errors.yaml
+++ b/xyz/openbmc_project/User/Common.errors.yaml
@@ -9,7 +9,7 @@
   description: Specified Group related restriction failure for user name.
 # xyz.openbmc_project.User.Common.Error.UserNamePrivFail
 - name: UserNamePrivFail
-  description: Specificed privilege related restriction failure for user name.
+  description: Specified privilege related restriction failure for user name.
 # xyz.openbmc_project.User.Common.Error.NoResource
 - name: NoResource
   description: No resource available.
diff --git a/xyz/openbmc_project/User/README.md b/xyz/openbmc_project/User/README.md
index cbda1e3..1ce17e0 100644
--- a/xyz/openbmc_project/User/README.md
+++ b/xyz/openbmc_project/User/README.md
@@ -19,8 +19,18 @@
 ##### signals
 * UserRenamed - Signal sent out when user is renamed in the system.
 
+#### xyz.openbmc_project.User.AccountPolicy interface
+##### properties
+* MaxLoginAttemptBeforeLockout - Permissible attempt before locking out the
+user for failed login attempts.
+* AccountUnlockTimeout - Timeout (in seconds) to unlock the account after a
+lockout.
+* MinPasswordLength - Minimum password length, which can be set.
+* RememberOldPasswordTimes – Number of times old password shouldn’t be allowed
+when updating password for the user.
+
 ### Users Interface
-User manager daemon, will create user objects for each and every user existing
+User manager daemon, will create user objects for every user existing
 in the system under object path `/xyz/openbmc_project/user/<user name>`.
 Each user object can be handled through 'org.freedesktop.DBus.ObjectManager'.
 User object will expose following properties and methods.
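Review bot: the RememberOldPasswordTimes bullet uses an en dash and a curly apostrophe ("–", "shouldn’t") while the neighbouring bullets use an ASCII hyphen and apostrophe; keep the README consistent with the rest of the list, e.g. "* RememberOldPasswordTimes - Number of previous passwords that cannot be reused". The README summary also drops the zero-value semantics that the interface YAML defines (0 disables lockout for MaxLoginAttemptBeforeLockout, 0 means manual unlock for AccountUnlockTimeout, 0 disables the check for RememberOldPasswordTimes); a short mention here saves readers a trip to the YAML. The "Minimum password length, which can be set." wording would be clearer as "Minimum password length; cannot be set below the build-time default."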
@@ -30,12 +40,13 @@
 * UserPrivilege - Privilege of the user.
 * UserGroups - Groups to which the user belongs.
 * UserEnabled - User enabled state.
+* UserLockedForFailedAttempt - Locked or unlocked state of the user account.
 
 #### xyz.openbmc_project.Object.Delete
 #### methods
 * Delete - To delete the user object in the system.
 
 ##Note
-This interface doesn't provide ways to set / update password. The same has to
+This interface doesn't provide ways to set / update password. The same must
 be set / updated through pam_chauthtok() (PAM modules). This is to avoid
 sending out password through D-Bus.
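Review bot: the new UserLockedForFailedAttempt bullet should mention that it is writable only to false (manual unlock), matching what the Attributes interface YAML says, otherwise the README implies a plain read-only state flag. Since this hunk already touches the Note paragraph, the "##Note" heading in the context lines could be fixed to "## Note" so it renders as a heading, which is a one-character drive-by in a line you are already editing next to.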