Check account lockout config (#15147)

author: Andrey Molotkov <molotkov-and@ydb.tech> 2025-02-28 16:33:47 +0300
committer: GitHub <noreply@github.com> 2025-02-28 16:33:47 +0300
commit: 94c61d5c6c2dcdb74c2b6021922ee544a46240a1 (patch)
tree: 5c61bd09a91a986d85471b8f98e9ba5ee6ec057b
parent: c5b531e5ab62ce07f4aaf50552679425d810459c (diff)
download: ydb-94c61d5c6c2dcdb74c2b6021922ee544a46240a1.tar.gz
2 files changed, 92 insertions, 5 deletions
diff --git a/ydb/core/config/validation/auth_config_validator.cpp b/ydb/core/config/validation/auth_config_validator.cpp
index 7f558b37a6..964bbce5b9 100644
--- a/ydb/core/config/validation/auth_config_validator.cpp
+++ b/ydb/core/config/validation/auth_config_validator.cpp
@@ -1,13 +1,14 @@
 #include <ydb/core/protos/auth.pb.h>
 #include <vector>
 #include <util/generic/string.h>
+#include <util/datetime/base.h>
 #include "validators.h"
 
 
 namespace NKikimr::NConfig {
 namespace {
 
-EValidationResult ValidatePasswordComplexity(const NKikimrProto::TPasswordComplexity& passwordComplexity, std::vector<TString>&msg) {
+EValidationResult ValidatePasswordComplexity(const NKikimrProto::TPasswordComplexity& passwordComplexity, std::vector<TString>& msg) {
     size_t minCountOfRequiredChars = passwordComplexity.GetMinLowerCaseCount() +
                                      passwordComplexity.GetMinUpperCaseCount() +
                                      passwordComplexity.GetMinNumbersCount() +
@@ -20,13 +21,32 @@ EValidationResult ValidatePasswordComplexity(const NKikimrProto::TPasswordComple
     return EValidationResult::Ok;
 }
 
+EValidationResult ValidateAccountLockout(const NKikimrProto::TAccountLockout& accountLockout, std::vector<TString>& msg) {
+    TDuration attemptResetDuration;
+    if (TDuration::TryParse(accountLockout.GetAttemptResetDuration(), attemptResetDuration)) {
+        return EValidationResult::Ok;
+    }
+    msg = std::vector<TString>{"account_lockout: Cannot parse attempt reset duration"};
+    return EValidationResult::Error;
+}
+
 } // namespace
 
 EValidationResult ValidateAuthConfig(const NKikimrProto::TAuthConfig& authConfig, std::vector<TString>& msg) {
-    EValidationResult validatePasswordComplexityResult = ValidatePasswordComplexity(authConfig.GetPasswordComplexity(), msg);
-    if (validatePasswordComplexityResult == EValidationResult::Error) {
-        return EValidationResult::Error;
+    if (authConfig.HasPasswordComplexity()) {
+        EValidationResult validateResult = ValidatePasswordComplexity(authConfig.GetPasswordComplexity(), msg);
+        if (validateResult == EValidationResult::Error) {
+            return EValidationResult::Error;
+        }
     }
+
+    if (authConfig.HasAccountLockout()) {
+        EValidationResult validateResult = ValidateAccountLockout(authConfig.GetAccountLockout(), msg);
+        if (validateResult == EValidationResult::Error) {
+            return EValidationResult::Error;
+        }
+    }
+
     if (msg.size() > 0) {
         return EValidationResult::Warn;
     }
diff --git a/ydb/core/config/validation/auth_config_validator_ut/auth_config_validator_ut.cpp b/ydb/core/config/validation/auth_config_validator_ut/auth_config_validator_ut.cpp
index 8b68f4027a..b8333656ea 100644
--- a/ydb/core/config/validation/auth_config_validator_ut/auth_config_validator_ut.cpp
+++ b/ydb/core/config/validation/auth_config_validator_ut/auth_config_validator_ut.cpp
@@ -19,7 +19,7 @@ Y_UNIT_TEST_SUITE(AuthConfigValidation) {
         std::vector<TString> error;
         EValidationResult result = ValidateAuthConfig(authConfig, error);
         UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
-        UNIT_ASSERT_C(error.empty(), "Should not be errors");
+        UNIT_ASSERT_C(error.empty(), error.front());
     }
 
     Y_UNIT_TEST(CannotAcceptInvalidPasswordComplexity) {
@@ -40,4 +40,71 @@ Y_UNIT_TEST_SUITE(AuthConfigValidation) {
         UNIT_ASSERT_STRINGS_EQUAL(error.front(), "password_complexity: Min length of password cannot be less than "
                                                  "total min counts of lower case chars, upper case chars, numbers and special chars");
     }
+
+    Y_UNIT_TEST(AcceptValidAccountLockoutConfig) {
+        NKikimrProto::TAuthConfig authConfig;
+        NKikimrProto::TAccountLockout* validAccountLockoutConfig = authConfig.MutableAccountLockout();
+
+        {
+            validAccountLockoutConfig->SetAttemptResetDuration("12h");
+
+            std::vector<TString> error;
+            EValidationResult result = ValidateAuthConfig(authConfig, error);
+            UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
+            UNIT_ASSERT_C(error.empty(), error.front());
+        }
+
+        {
+            validAccountLockoutConfig->SetAttemptResetDuration("5m");
+
+            std::vector<TString> error;
+            EValidationResult result = ValidateAuthConfig(authConfig, error);
+            UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
+            UNIT_ASSERT_C(error.empty(), error.front());
+        }
+
+        {
+            validAccountLockoutConfig->SetAttemptResetDuration("5s");
+
+            std::vector<TString> error;
+            EValidationResult result = ValidateAuthConfig(authConfig, error);
+            UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
+            UNIT_ASSERT_C(error.empty(), error.front());
+        }
+    }
+
+    Y_UNIT_TEST(CannotAcceptInvalidAccountLockoutConfig) {
+        NKikimrProto::TAuthConfig authConfig;
+        NKikimrProto::TAccountLockout* invalidAccountLockoutConfig = authConfig.MutableAccountLockout();
+
+        {
+            invalidAccountLockoutConfig->SetAttemptResetDuration("h");
+
+            std::vector<TString> error;
+            EValidationResult result = ValidateAuthConfig(authConfig, error);
+            UNIT_ASSERT_EQUAL(result, EValidationResult::Error);
+            UNIT_ASSERT_VALUES_EQUAL(error.size(), 1);
+            UNIT_ASSERT_STRINGS_EQUAL(error.front(), "account_lockout: Cannot parse attempt reset duration");
+        }
+
+        {
+            invalidAccountLockoutConfig->SetAttemptResetDuration("");
+
+            std::vector<TString> error;
+            EValidationResult result = ValidateAuthConfig(authConfig, error);
+            UNIT_ASSERT_EQUAL(result, EValidationResult::Error);
+            UNIT_ASSERT_VALUES_EQUAL(error.size(), 1);
+            UNIT_ASSERT_STRINGS_EQUAL(error.front(), "account_lockout: Cannot parse attempt reset duration");
+        }
+
+        {
+            invalidAccountLockoutConfig->SetAttemptResetDuration("12hhh");
+
+            std::vector<TString> error;
+            EValidationResult result = ValidateAuthConfig(authConfig, error);
+            UNIT_ASSERT_EQUAL(result, EValidationResult::Error);
+            UNIT_ASSERT_VALUES_EQUAL(error.size(), 1);
+            UNIT_ASSERT_STRINGS_EQUAL(error.front(), "account_lockout: Cannot parse attempt reset duration");
+        }
+    }
 }
author	Andrey Molotkov <molotkov-and@ydb.tech>	2025-02-28 16:33:47 +0300
committer	GitHub <noreply@github.com>	2025-02-28 16:33:47 +0300
commit	94c61d5c6c2dcdb74c2b6021922ee544a46240a1 (patch)
tree	5c61bd09a91a986d85471b8f98e9ba5ee6ec057b
parent	c5b531e5ab62ce07f4aaf50552679425d810459c (diff)
download	ydb-94c61d5c6c2dcdb74c2b6021922ee544a46240a1.tar.gz