author | Andrey Molotkov <molotkov-and@ydb.tech> | 2025-02-28 16:33:47 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-02-28 16:33:47 +0300 |
commit | 94c61d5c6c2dcdb74c2b6021922ee544a46240a1 (patch) | |
tree | 5c61bd09a91a986d85471b8f98e9ba5ee6ec057b | |
parent | c5b531e5ab62ce07f4aaf50552679425d810459c (diff) | |
Check account lockout config (#15147)
-rw-r--r-- | ydb/core/config/validation/auth_config_validator.cpp | 28 | ||||
-rw-r--r-- | ydb/core/config/validation/auth_config_validator_ut/auth_config_validator_ut.cpp | 69 |
2 files changed, 92 insertions, 5 deletions
diff --git a/ydb/core/config/validation/auth_config_validator.cpp b/ydb/core/config/validation/auth_config_validator.cpp
index 7f558b37a6..964bbce5b9 100644
--- a/ydb/core/config/validation/auth_config_validator.cpp
+++ b/ydb/core/config/validation/auth_config_validator.cpp
@@ -1,13 +1,14 @@
 #include <ydb/core/protos/auth.pb.h>
 #include <vector>
 #include <util/generic/string.h>
+#include <util/datetime/base.h>
 #include "validators.h"
 namespace NKikimr::NConfig {
 namespace {
-EValidationResult ValidatePasswordComplexity(const NKikimrProto::TPasswordComplexity& passwordComplexity, std::vector<TString>&msg) {
+EValidationResult ValidatePasswordComplexity(const NKikimrProto::TPasswordComplexity& passwordComplexity, std::vector<TString>& msg) {
 size_t minCountOfRequiredChars = passwordComplexity.GetMinLowerCaseCount() + passwordComplexity.GetMinUpperCaseCount() + passwordComplexity.GetMinNumbersCount() +
@@ -20,13 +21,32 @@ EValidationResult ValidatePasswordComplexity(const NKikimrProto::TPasswordComple
 return EValidationResult::Ok;
 }
+EValidationResult ValidateAccountLockout(const NKikimrProto::TAccountLockout& accountLockout, std::vector<TString>& msg) {
+ TDuration attemptResetDuration;
+ if (TDuration::TryParse(accountLockout.GetAttemptResetDuration(), attemptResetDuration)) {
+ return EValidationResult::Ok;
+ }
+ msg = std::vector<TString>{"account_lockout: Cannot parse attempt reset duration"};
+ return EValidationResult::Error;
+}
+
 } // namespace
 EValidationResult ValidateAuthConfig(const NKikimrProto::TAuthConfig& authConfig, std::vector<TString>& msg) {
- EValidationResult validatePasswordComplexityResult = ValidatePasswordComplexity(authConfig.GetPasswordComplexity(), msg);
- if (validatePasswordComplexityResult == EValidationResult::Error) {
- return EValidationResult::Error;
+ if (authConfig.HasPasswordComplexity()) {
+ EValidationResult validateResult = ValidatePasswordComplexity(authConfig.GetPasswordComplexity(), msg);
+ if (validateResult == EValidationResult::Error) {
+ return EValidationResult::Error;
+ }
 }
+
+ if (authConfig.HasAccountLockout()) {
+ EValidationResult validateResult = ValidateAccountLockout(authConfig.GetAccountLockout(), msg);
+ if (validateResult == EValidationResult::Error) {
+ return EValidationResult::Error;
+ }
+ }
+
 if (msg.size() > 0) {
 return EValidationResult::Warn;
 }
diff --git a/ydb/core/config/validation/auth_config_validator_ut/auth_config_validator_ut.cpp b/ydb/core/config/validation/auth_config_validator_ut/auth_config_validator_ut.cpp
index 8b68f4027a..b8333656ea 100644
--- a/ydb/core/config/validation/auth_config_validator_ut/auth_config_validator_ut.cpp
+++ b/ydb/core/config/validation/auth_config_validator_ut/auth_config_validator_ut.cpp
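Review bot: In `ValidateAccountLockout`, the assignment `msg = std::vector<TString>{...}` replaces whatever `msg` already holds, so any message left there by the password-complexity check that runs first in `ValidateAuthConfig` is discarded when the lockout check fails. Appending keeps both: `msg.push_back("account_lockout: Cannot parse attempt reset duration");`. The check also accepts every value `TDuration::TryParse` understands, so a zero or very short reset window passes validation; what such a value means for lockout at runtime is not visible in this diff, so an explicit bound or a warning may be warranted for a brute-force control. `ValidateAuthConfig` continues past the end of the hunk.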
@@ -19,7 +19,7 @@ Y_UNIT_TEST_SUITE(AuthConfigValidation) {
 std::vector<TString> error;
 EValidationResult result = ValidateAuthConfig(authConfig, error);
 UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
- UNIT_ASSERT_C(error.empty(), "Should not be errors");
+ UNIT_ASSERT_C(error.empty(), error.front());
 }
 Y_UNIT_TEST(CannotAcceptInvalidPasswordComplexity) {
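Review bot: Using `error.front()` as the assertion message is valid only when `error` is non-empty, so this line is safe only if `UNIT_ASSERT_C` evaluates its message argument on failure alone; the macro's definition is not part of this diff. A short comment such as `// message is built only when the assert fails, i.e. when error is non-empty` would spare the next reader that check. The same pattern is repeated three times in `AcceptValidAccountLockoutConfig` in the next hunk. The enclosing test starts above this hunk.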
@@ -40,4 +40,71 @@ Y_UNIT_TEST_SUITE(AuthConfigValidation) {
 UNIT_ASSERT_STRINGS_EQUAL(error.front(), "password_complexity: Min length of password cannot be less than " "total min counts of lower case chars, upper case chars, numbers and special chars");
 }
+
+ Y_UNIT_TEST(AcceptValidAccountLockoutConfig) {
+ NKikimrProto::TAuthConfig authConfig;
+ NKikimrProto::TAccountLockout* validAccountLockoutConfig = authConfig.MutableAccountLockout();
+
+ {
+ validAccountLockoutConfig->SetAttemptResetDuration("12h");
+
+ std::vector<TString> error;
+ EValidationResult result = ValidateAuthConfig(authConfig, error);
+ UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
+ UNIT_ASSERT_C(error.empty(), error.front());
+ }
+
+ {
+ validAccountLockoutConfig->SetAttemptResetDuration("5m");
+
+ std::vector<TString> error;
+ EValidationResult result = ValidateAuthConfig(authConfig, error);
+ UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
+ UNIT_ASSERT_C(error.empty(), error.front());
+ }
+
+ {
+ validAccountLockoutConfig->SetAttemptResetDuration("5s");
+
+ std::vector<TString> error;
+ EValidationResult result = ValidateAuthConfig(authConfig, error);
+ UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
+ UNIT_ASSERT_C(error.empty(), error.front());
+ }
+ }
+
+ Y_UNIT_TEST(CannotAcceptInvalidAccountLockoutConfig) {
+ NKikimrProto::TAuthConfig authConfig;
+ NKikimrProto::TAccountLockout* invalidAccountLockoutConfig = authConfig.MutableAccountLockout();
+
+ {
+ invalidAccountLockoutConfig->SetAttemptResetDuration("h");
+
+ std::vector<TString> error;
+ EValidationResult result = ValidateAuthConfig(authConfig, error);
+ UNIT_ASSERT_EQUAL(result, EValidationResult::Error);
+ UNIT_ASSERT_VALUES_EQUAL(error.size(), 1);
+ UNIT_ASSERT_STRINGS_EQUAL(error.front(), "account_lockout: Cannot parse attempt reset duration");
+ }
+
+ {
+ invalidAccountLockoutConfig->SetAttemptResetDuration("");
+
+ std::vector<TString> error;
+ EValidationResult result = ValidateAuthConfig(authConfig, error);
+ UNIT_ASSERT_EQUAL(result, EValidationResult::Error);
+ UNIT_ASSERT_VALUES_EQUAL(error.size(), 1);
+ UNIT_ASSERT_STRINGS_EQUAL(error.front(), "account_lockout: Cannot parse attempt reset duration");
+ }
+
+ {
+ invalidAccountLockoutConfig->SetAttemptResetDuration("12hhh");
+
+ std::vector<TString> error;
+ EValidationResult result = ValidateAuthConfig(authConfig, error);
+ UNIT_ASSERT_EQUAL(result, EValidationResult::Error);
+ UNIT_ASSERT_VALUES_EQUAL(error.size(), 1);
+ UNIT_ASSERT_STRINGS_EQUAL(error.front(), "account_lockout: Cannot parse attempt reset duration");
+ }
+ }
 } |
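Review bot: The new cases in `AcceptValidAccountLockoutConfig` and `CannotAcceptInvalidAccountLockoutConfig` always set the duration explicitly, so nothing pins what happens when the `account_lockout` section is present but `attempt_reset_duration` is left unset, or at a boundary value such as `"0s"`. `ValidateAuthConfig` calls `GetAttemptResetDuration()` whenever `HasAccountLockout()` is true, so an unset field falls back to the proto default, which is not shown here; if that default is empty, a config that sets only other lockout fields would be rejected like the `""` case. A test that calls `authConfig.MutableAccountLockout()` without setting the duration, and one that sets both password-complexity and lockout sections, would document the intended behaviour.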