authorAndrey Molotkov <molotkov-and@ydb.tech>2025-02-28 16:33:47 +0300
committerGitHub <noreply@github.com>2025-02-28 16:33:47 +0300
commit94c61d5c6c2dcdb74c2b6021922ee544a46240a1 (patch)
tree5c61bd09a91a986d85471b8f98e9ba5ee6ec057b
parentc5b531e5ab62ce07f4aaf50552679425d810459c (diff)
downloadydb-94c61d5c6c2dcdb74c2b6021922ee544a46240a1.tar.gz
Check account lockout config (#15147)
-rw-r--r--ydb/core/config/validation/auth_config_validator.cpp28
-rw-r--r--ydb/core/config/validation/auth_config_validator_ut/auth_config_validator_ut.cpp69
2 files changed, 92 insertions, 5 deletions
diff --git a/ydb/core/config/validation/auth_config_validator.cpp b/ydb/core/config/validation/auth_config_validator.cpp
index 7f558b37a6..964bbce5b9 100644
--- a/ydb/core/config/validation/auth_config_validator.cpp
+++ b/ydb/core/config/validation/auth_config_validator.cpp
@@ -1,13 +1,14 @@
#include <ydb/core/protos/auth.pb.h>
#include <vector>
#include <util/generic/string.h>
+#include <util/datetime/base.h>
#include "validators.h"
namespace NKikimr::NConfig {
namespace {
-EValidationResult ValidatePasswordComplexity(const NKikimrProto::TPasswordComplexity& passwordComplexity, std::vector<TString>&msg) {
+EValidationResult ValidatePasswordComplexity(const NKikimrProto::TPasswordComplexity& passwordComplexity, std::vector<TString>& msg) {
size_t minCountOfRequiredChars = passwordComplexity.GetMinLowerCaseCount() +
passwordComplexity.GetMinUpperCaseCount() +
passwordComplexity.GetMinNumbersCount() +
@@ -20,13 +21,32 @@ EValidationResult ValidatePasswordComplexity(const NKikimrProto::TPasswordComple
return EValidationResult::Ok;
}
+EValidationResult ValidateAccountLockout(const NKikimrProto::TAccountLockout& accountLockout, std::vector<TString>& msg) {
+ TDuration attemptResetDuration;
+ if (TDuration::TryParse(accountLockout.GetAttemptResetDuration(), attemptResetDuration)) {
+ return EValidationResult::Ok;
+ }
+ msg = std::vector<TString>{"account_lockout: Cannot parse attempt reset duration"};
+ return EValidationResult::Error;
+}
+
} // namespace
EValidationResult ValidateAuthConfig(const NKikimrProto::TAuthConfig& authConfig, std::vector<TString>& msg) {
- EValidationResult validatePasswordComplexityResult = ValidatePasswordComplexity(authConfig.GetPasswordComplexity(), msg);
- if (validatePasswordComplexityResult == EValidationResult::Error) {
- return EValidationResult::Error;
+ if (authConfig.HasPasswordComplexity()) {
+ EValidationResult validateResult = ValidatePasswordComplexity(authConfig.GetPasswordComplexity(), msg);
+ if (validateResult == EValidationResult::Error) {
+ return EValidationResult::Error;
+ }
}
+
+ if (authConfig.HasAccountLockout()) {
+ EValidationResult validateResult = ValidateAccountLockout(authConfig.GetAccountLockout(), msg);
+ if (validateResult == EValidationResult::Error) {
+ return EValidationResult::Error;
+ }
+ }
+
if (msg.size() > 0) {
return EValidationResult::Warn;
}
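Review bot: `ValidateAccountLockout` returns `Ok` for any string that `TDuration::TryParse` accepts, so a window such as `0s` (assuming the parser takes it) passes with no range check. How the lockout logic treats a zero or extremely long attempt-reset window is not visible in this hunk. If a zero window means failed attempts are never accumulated, the validator should reject it or warn, for example `if (attemptResetDuration == TDuration::Zero()) { msg.push_back("account_lockout: attempt reset duration is zero"); }` before the `Ok` return. Separately, `msg = std::vector<TString>{...}` discards anything an earlier validator already put in `msg` (whether `ValidatePasswordComplexity` leaves warnings there is outside the hunk); `msg.push_back("account_lockout: Cannot parse attempt reset duration");` would preserve them.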
diff --git a/ydb/core/config/validation/auth_config_validator_ut/auth_config_validator_ut.cpp b/ydb/core/config/validation/auth_config_validator_ut/auth_config_validator_ut.cpp
index 8b68f4027a..b8333656ea 100644
--- a/ydb/core/config/validation/auth_config_validator_ut/auth_config_validator_ut.cpp
+++ b/ydb/core/config/validation/auth_config_validator_ut/auth_config_validator_ut.cpp
@@ -19,7 +19,7 @@ Y_UNIT_TEST_SUITE(AuthConfigValidation) {
std::vector<TString> error;
EValidationResult result = ValidateAuthConfig(authConfig, error);
UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
- UNIT_ASSERT_C(error.empty(), "Should not be errors");
+ UNIT_ASSERT_C(error.empty(), error.front());
}
Y_UNIT_TEST(CannotAcceptInvalidPasswordComplexity) {
@@ -40,4 +40,71 @@ Y_UNIT_TEST_SUITE(AuthConfigValidation) {
UNIT_ASSERT_STRINGS_EQUAL(error.front(), "password_complexity: Min length of password cannot be less than "
"total min counts of lower case chars, upper case chars, numbers and special chars");
}
+
+ Y_UNIT_TEST(AcceptValidAccountLockoutConfig) {
+ NKikimrProto::TAuthConfig authConfig;
+ NKikimrProto::TAccountLockout* validAccountLockoutConfig = authConfig.MutableAccountLockout();
+
+ {
+ validAccountLockoutConfig->SetAttemptResetDuration("12h");
+
+ std::vector<TString> error;
+ EValidationResult result = ValidateAuthConfig(authConfig, error);
+ UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
+ UNIT_ASSERT_C(error.empty(), error.front());
+ }
+
+ {
+ validAccountLockoutConfig->SetAttemptResetDuration("5m");
+
+ std::vector<TString> error;
+ EValidationResult result = ValidateAuthConfig(authConfig, error);
+ UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
+ UNIT_ASSERT_C(error.empty(), error.front());
+ }
+
+ {
+ validAccountLockoutConfig->SetAttemptResetDuration("5s");
+
+ std::vector<TString> error;
+ EValidationResult result = ValidateAuthConfig(authConfig, error);
+ UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
+ UNIT_ASSERT_C(error.empty(), error.front());
+ }
+ }
+
+ Y_UNIT_TEST(CannotAcceptInvalidAccountLockoutConfig) {
+ NKikimrProto::TAuthConfig authConfig;
+ NKikimrProto::TAccountLockout* invalidAccountLockoutConfig = authConfig.MutableAccountLockout();
+
+ {
+ invalidAccountLockoutConfig->SetAttemptResetDuration("h");
+
+ std::vector<TString> error;
+ EValidationResult result = ValidateAuthConfig(authConfig, error);
+ UNIT_ASSERT_EQUAL(result, EValidationResult::Error);
+ UNIT_ASSERT_VALUES_EQUAL(error.size(), 1);
+ UNIT_ASSERT_STRINGS_EQUAL(error.front(), "account_lockout: Cannot parse attempt reset duration");
+ }
+
+ {
+ invalidAccountLockoutConfig->SetAttemptResetDuration("");
+
+ std::vector<TString> error;
+ EValidationResult result = ValidateAuthConfig(authConfig, error);
+ UNIT_ASSERT_EQUAL(result, EValidationResult::Error);
+ UNIT_ASSERT_VALUES_EQUAL(error.size(), 1);
+ UNIT_ASSERT_STRINGS_EQUAL(error.front(), "account_lockout: Cannot parse attempt reset duration");
+ }
+
+ {
+ invalidAccountLockoutConfig->SetAttemptResetDuration("12hhh");
+
+ std::vector<TString> error;
+ EValidationResult result = ValidateAuthConfig(authConfig, error);
+ UNIT_ASSERT_EQUAL(result, EValidationResult::Error);
+ UNIT_ASSERT_VALUES_EQUAL(error.size(), 1);
+ UNIT_ASSERT_STRINGS_EQUAL(error.front(), "account_lockout: Cannot parse attempt reset duration");
+ }
+ }
}
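Review bot: The new cases cover three ordinary durations and three unparsable strings, but nothing pins down the boundary values that matter for a lockout policy. I would add a block with `SetAttemptResetDuration("0s")` and assert whichever result is intended, plus one where `MutableAccountLockout()` is called but `AttemptResetDuration` is left unset, to show that the proto default passes validation. Note also that `UNIT_ASSERT_C(error.empty(), error.front())` is only safe because the message argument is evaluated on failure; a short comment such as `// message is evaluated only when the assertion fails` would spare the next reader from checking the macro. The enclosing `Y_UNIT_TEST_SUITE` starts outside this hunk.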