Merge 920688b into cb1675a

Author: molotkov-and

ydb/core/protos/auth.proto

@@ -56,6 +56,7 @@ message TAuthConfig {
  optional string CertificateAuthenticationDomain = 80 [default = "cert"];
  optional bool EnableLoginAuthentication = 81 [default = true];
  optional string NodeRegistrationToken = 82 [default = "root@builtin", (Ydb.sensitive) = true];
+ optional TPasswordComplexitySettings PasswordComplexitySettings = 83;
 }
 
 message TUserRegistryConfig {
@@ -122,3 +123,13 @@ message TLdapAuthentication {
  optional string Scheme = 11 [default = "ldap"];
  optional TExtendedSettings ExtendedSettings = 12;
 }
+
+message TPasswordComplexitySettings {
+ optional uint32 MinLength = 1;
+ optional uint32 MinLowerCaseCount = 2;
+ optional uint32 MinUpperCaseCount = 3;
+ optional uint32 MinNumbersCount = 4;
+ optional uint32 MinSpecialCharsCount = 5;
+ optional string SpecialChars = 6 [default = "!@#$%^&*()_+{}|<>?="];
+ optional bool ContainUsername = 7;
+}

ydb/core/tx/schemeshard/schemeshard_impl.cpp

@@ -11,13 +11,15 @@
 #include <ydb/core/base/appdata.h>
 #include <ydb/core/base/tx_processing.h>
 #include <ydb/core/protos/feature_flags.pb.h>
+#include <ydb/core/protos/auth.pb.h>
 #include <ydb/core/engine/mkql_proto.h>
 #include <ydb/core/sys_view/partition_stats/partition_stats.h>
 #include <ydb/core/statistics/events.h>
 #include <ydb/core/statistics/service/service.h>
 #include <ydb/core/scheme/scheme_types_proto.h>
 #include <ydb/core/tx/columnshard/bg_tasks/events/events.h>
 #include <ydb/core/tx/scheme_board/events_schemeshard.h>
+#include <ydb/library/login/password_checker/password_checker.h>
 #include <yql/essentials/minikql/mkql_type_ops.h>
 #include <yql/essentials/providers/common/proto/gateways_config.pb.h>
 #include <util/random/random.h>
@@ -4434,6 +4436,16 @@ TSchemeShard::TSchemeShard(const TActorId &tablet, TTabletStorageInfo *info)
  COUNTER_PQ_STATS_WRITTEN,
  COUNTER_PQ_STATS_BATCH_LATENCY)
  , AllowDataColumnForIndexTable(0, 0, 1)
+ , PasswordCheckParameters({
+ .MinPasswordLength = AppData()->AuthConfig.GetPasswordCheckerParameters().GetMinimumLength(),
+ .MaxPasswordLength = AppData()->AuthConfig.GetPasswordCheckerParameters().GetMaximumLength(),
+ .NeedLowerCase = AppData()->AuthConfig.GetPasswordCheckerParameters().GetRestrictLower(),
+ .NeedUpperCase = AppData()->AuthConfig.GetPasswordCheckerParameters().GetRestrictUpper(),
+ .NeedNumbers = AppData()->AuthConfig.GetPasswordCheckerParameters().GetRestrictNumbers(),
+ .NeedSpecialSymbols = AppData()->AuthConfig.GetPasswordCheckerParameters().GetRestrictSpecial(),
+ .SpecialSymbols = AppData()->AuthConfig.GetPasswordCheckerParameters().GetSpecialChars()
+ })
+ , LoginProvider(PasswordCheckParameters)
 {
  TabletCountersPtr.Reset(new TProtobufTabletCounters<
  ESimpleCounters_descriptor,
@@ -7119,6 +7131,10 @@ void TSchemeShard::ApplyConsoleConfigs(const NKikimrConfig::TAppConfig& appConfi
  );
  }
 
+ if (appConfig.HasAuthConfig()) {
+ ConfigureLoginProvider(appConfig.GetAuthConfig(), ctx);
+ }
+
  if (IsSchemeShardConfigured()) {
  StartStopCompactionQueues();
  if (BackgroundCleaningQueue) {
@@ -7312,6 +7328,35 @@ void TSchemeShard::ConfigureBackgroundCleaningQueue(
  << ", InflightLimit# " << cleaningConfig.InflightLimit);
 }
 
+void TSchemeShard::ConfigureLoginProvider(
+ const ::NKikimrProto::TAuthConfig& config,
+ const TActorContext &ctx)
+{
+ const auto& passwordCheckParameters = config.GetPasswordCheckerParameters();
+ PasswordCheckParameters.SetMinPasswordLength(passwordCheckParameters.GetMinimumLength());
+ PasswordCheckParameters.SetMaxPasswordLength(passwordCheckParameters.GetMaximumLength());
+ PasswordCheckParameters.SetLowerCaseUse(passwordCheckParameters.GetRestrictLower());
+ PasswordCheckParameters.SetUpperCaseUse(passwordCheckParameters.GetRestrictUpper());
+ PasswordCheckParameters.SetNumbersUse(passwordCheckParameters.GetRestrictNumbers());
+ PasswordCheckParameters.SetSpecialSymbolsUse(passwordCheckParameters.GetRestrictSpecial());
+ PasswordCheckParameters.SetSpecialSymbols(passwordCheckParameters.GetSpecialChars());
+
+ LoginProvider.UpdatePasswordCheckParameters(PasswordCheckParameters);
+
+ auto printBool = [] (bool flag) -> TString {
+ return (flag ? "true" : "false");
+ };
+
+ LOG_NOTICE_S(ctx, NKikimrServices::FLAT_TX_SCHEMESHARD,
+ "LoginProvider configured: MinPasswordLength# " << PasswordCheckParameters.GetMinPasswordLength()
+ << ", MaxPasswordLength# " << PasswordCheckParameters.GetMaxPasswordLength()
+ << ", NeedLowerCase# " << printBool(PasswordCheckParameters.NeedLowerCaseUse())
+ << ", NeedUpperCase# " << printBool(PasswordCheckParameters.NeedUpperCaseUse())
+ << ", NeedNumbers# " << printBool(PasswordCheckParameters.NeedNumbersUse())
+ << ", NeedSpecialSymbols# " << printBool(PasswordCheckParameters.NeedSpecialSymbolsUse())
+ << ", SpecialSymbols# " << passwordCheckParameters.GetSpecialChars());
+}
+
 void TSchemeShard::StartStopCompactionQueues() {
  // note, that we don't need to check current state of compaction queue
  if (IsServerlessDomain(TPath::Init(RootPathId(), this))) {

ydb/core/tx/schemeshard/schemeshard_impl.h

@@ -64,6 +64,7 @@
 #include <ydb/core/blob_depot/events.h>
 
 #include <ydb/library/login/login.h>
+#include <ydb/library/login/password_checker/password_checker.h>
 
 #include <util/generic/ptr.h>
 
@@ -496,6 +497,10 @@ class TSchemeShard
  const NKikimrConfig::TBackgroundCleaningConfig& config,
  const TActorContext &ctx);
 
+ void ConfigureLoginProvider(
+ const ::NKikimrProto::TAuthConfig& config,
+ const TActorContext &ctx);
+
  void StartStopCompactionQueues();
 
  void WaitForTableProfiles(ui64 importId, ui32 itemIdx);
@@ -1455,6 +1460,7 @@ class TSchemeShard
  void ChangeDiskSpaceSoftQuotaBytes(i64 delta) override;
  void AddDiskSpaceSoftQuotaBytes(EUserFacingStorageType storageType, ui64 addend) override;
 
+ NLogin::TPasswordCheckParameters PasswordCheckParameters;
  NLogin::TLoginProvider LoginProvider;
 
 private:

ydb/core/tx/schemeshard/ut_login/ut_login.cpp

@@ -1,6 +1,7 @@
 #include <util/string/join.h>
 
 #include <ydb/library/login/login.h>
+#include <ydb/library/login/password_checker/password_checker.h>
 #include <ydb/library/actors/http/http_proxy.h>
 #include <ydb/library/testlib/service_mocks/ldap_mock/ldap_simple_server.h>
 #include <ydb/core/tx/schemeshard/ut_helpers/helpers.h>
@@ -27,6 +28,23 @@ void TestCreateAlterLoginCreateUser(TTestActorRuntime& runtime, ui64 txId, const
  TestModificationResults(runtime, txId, expectedResults);
 }
 
+void SetPasswordCheckerParameters(TTestActorRuntime &runtime, ui64 schemeShard, const NLogin::TPasswordCheckParameters::TInitializer& parameters) {
+ auto request = MakeHolder<NConsole::TEvConsole::TEvConfigNotificationRequest>();
+
+ ::NKikimrProto::TPasswordCheckerParameters passwordCheckParameters;
+ passwordCheckParameters.SetMinimumLength(parameters.MinPasswordLength);
+ passwordCheckParameters.SetMaximumLength(parameters.MaxPasswordLength);
+ passwordCheckParameters.SetRestrictLower(parameters.NeedLowerCase);
+ passwordCheckParameters.SetRestrictUpper(parameters.NeedUpperCase);
+ passwordCheckParameters.SetRestrictNumbers(parameters.NeedNumbers);
+ passwordCheckParameters.SetRestrictSpecial(parameters.NeedSpecialSymbols);
+ passwordCheckParameters.SetSpecialChars(parameters.SpecialSymbols);
+ *request->Record.MutableConfig()->MutableAuthConfig()->MutablePasswordCheckerParameters() = passwordCheckParameters;
+ SetConfig(runtime, schemeShard, std::move(request));
+}
+
+const TString VALID_SPECIAL_SYMBOLS = "!@#$%^&*()_+{}|<>?=";
+
 } // namespace NSchemeShardUT_Private
 
 Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
@@ -66,6 +84,128 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
  UNIT_ASSERT(describe.GetPathDescription().GetDomainDescription().HasSecurityState());
  UNIT_ASSERT(describe.GetPathDescription().GetDomainDescription().GetSecurityState().PublicKeysSize() > 0);
  }
+
+ Y_UNIT_TEST(ChangeAcceptablePasswordParameters) {
+ TTestBasicRuntime runtime;
+ TTestEnv env(runtime);
+ ui64 txId = 100;
+ // Password parameters:
+ // length 0 - 4294967295
+ // optional: lower case, upper case, numbers, special symbols from list !@#$%^&*()_+{}|<>?=
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "password1", {{NKikimrScheme::StatusSuccess}});
+ auto resultLogin = Login(runtime, "user1", "password1");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ auto describe = DescribePath(runtime, TTestTxConfig::SchemeShard, "/MyRoot");
+ UNIT_ASSERT(describe.HasPathDescription());
+ UNIT_ASSERT(describe.GetPathDescription().HasDomainDescription());
+ UNIT_ASSERT(describe.GetPathDescription().GetDomainDescription().HasSecurityState());
+ UNIT_ASSERT(describe.GetPathDescription().GetDomainDescription().GetSecurityState().PublicKeysSize() > 0);
+
+ // Accept password without lower case symbols
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user2", "PASSWORDU2", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user2", "PASSWORDU2");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ // Password parameters:
+ // length 0 - 4294967295
+ // optional: upper case, numbers, special symbols from list !@#$%^&*()_+{}|<>?=
+ // required: lower case
+ SetPasswordCheckerParameters(runtime, TTestTxConfig::SchemeShard, {.NeedLowerCase = true, .SpecialSymbols = VALID_SPECIAL_SYMBOLS});
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user3", "PASSWORDU3", {{NKikimrScheme::StatusPreconditionFailed}});
+ // Add lower case symbols to password
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user3", "PASswORDu3", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user3", "PASswORDu3");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+
+ // Accept password without upper case symbols
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user4", "passwordu4", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user4", "passwordu4");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ // Password parameters:
+ // length 0 - 4294967295
+ // optional: numbers, special symbols from list !@#$%^&*()_+{}|<>?=
+ // required: lower case, upper case
+ SetPasswordCheckerParameters(runtime, TTestTxConfig::SchemeShard, {.NeedLowerCase = true, .NeedUpperCase = true, .SpecialSymbols = VALID_SPECIAL_SYMBOLS});
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user5", "passwordu5", {{NKikimrScheme::StatusPreconditionFailed}});
+ // Add upper case symbols to password
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user5", "PASswORDu5", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user5", "PASswORDu5");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+
+ // Accept short and long passwords
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user6", "pasSWu6", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user6", "pasSWu6");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user7", "pasSW12345Word!*&u7", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user7", "pasSW12345Word!*&u7");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ // Password parameters:
+ // length 8 - 15
+ // optional: numbers, special symbols from list !@#$%^&*()_+{}|<>?=
+ // required: lower case, upper case
+ SetPasswordCheckerParameters(runtime, TTestTxConfig::SchemeShard, {.MinPasswordLength = 8, .MaxPasswordLength = 15, .NeedLowerCase = true, .NeedUpperCase = true, .SpecialSymbols = VALID_SPECIAL_SYMBOLS});
+ // Too short password
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user8", "pasSWu8", {{NKikimrScheme::StatusPreconditionFailed}});
+ // Too long password
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user8", "pasSW12345Word!*&u8", {{NKikimrScheme::StatusPreconditionFailed}});
+ // Password has correct length
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user8", "PASswORDu8", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user8", "PASswORDu8");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+
+ // Accept password without numbers
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user9", "passWorDunine", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user9", "passWorDunine");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ // Password parameters:
+ // length 8 - 15
+ // optional: special symbols from list !@#$%^&*()_+{}|<>?=
+ // required: lower case, upper case, numbers
+ SetPasswordCheckerParameters(runtime, TTestTxConfig::SchemeShard, {.MinPasswordLength = 8,
+ .MaxPasswordLength = 15,
+ .NeedLowerCase = true,
+ .NeedUpperCase = true,
+ .NeedNumbers = true,
+ .SpecialSymbols = VALID_SPECIAL_SYMBOLS});
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user10", "passWorDuten", {{NKikimrScheme::StatusPreconditionFailed}});
+ // Password with numbers
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user10", "PASswORDu10", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user10", "PASswORDu10");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+
+ // Accept password without special symbols
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user11", "passWorDu11", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user11", "passWorDu11");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ // Password parameters:
+ // length 8 - 15
+ // required: lower case, upper case, numbers, special symbols from list !@#$%^&*()_+{}|<>?=
+ SetPasswordCheckerParameters(runtime, TTestTxConfig::SchemeShard, {.MinPasswordLength = 8,
+ .MaxPasswordLength = 15,
+ .NeedLowerCase = true,
+ .NeedUpperCase = true,
+ .NeedNumbers = true,
+ .NeedSpecialSymbols = true,
+ .SpecialSymbols = VALID_SPECIAL_SYMBOLS});
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user12", "passWorDu12", {{NKikimrScheme::StatusPreconditionFailed}});
+ // Password with special symbols
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user12", "PASswORDu12*&%#", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user12", "PASswORDu12*&%#");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ // Password parameters:
+ // length 8 - 15
+ // required: lower case, upper case, numbers, special symbols from list *#
+ SetPasswordCheckerParameters(runtime, TTestTxConfig::SchemeShard, {.MinPasswordLength = 8,
+ .MaxPasswordLength = 15,
+ .NeedLowerCase = true,
+ .NeedUpperCase = true,
+ .NeedNumbers = true,
+ .NeedSpecialSymbols = true,
+ .SpecialSymbols = "*#"}); // Only 2 special symbols are valid
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user13", "PASswORDu13*&%#", {{NKikimrScheme::StatusPreconditionFailed}});
+ TestCreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user13", "PASswORDu12*#", {{NKikimrScheme::StatusSuccess}});
+ resultLogin = Login(runtime, "user13", "PASswORDu12*#");
+ UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
+ }
 }
 
 namespace NSchemeShardUT_Private {

ydb/library/login/login.cpp

@@ -12,6 +12,8 @@
 
 #include <deque>
 
+#include <ydb/library/login/password_checker/password_checker.h>
+
 #include "login.h"
 
 namespace NLogin {
@@ -35,6 +37,12 @@ struct TLoginProvider::TImpl {
 
 TLoginProvider::TLoginProvider()
  : Impl(new TImpl())
+ , PasswordChecker(TPasswordCheckParameters())
+{}
+
+TLoginProvider::TLoginProvider(const TPasswordCheckParameters& passwordCheckParameters)
+ : Impl(new TImpl())
+ , PasswordChecker(passwordCheckParameters)
 {}
 
 TLoginProvider::~TLoginProvider()
@@ -51,6 +59,13 @@ TLoginProvider::TBasicResponse TLoginProvider::CreateUser(const TCreateUserReque
  response.Error = "Name is not allowed";
  return response;
  }
+
+ TPasswordChecker::TResult passwordCheckResult = PasswordChecker.Check(request.User, request.Password);
+ if (!passwordCheckResult.Success) {
+ response.Error = passwordCheckResult.Error;
+ return response;
+ }
+
  auto itUserCreate = Sids.emplace(request.User, TSidRecord{.Type = NLoginProto::ESidType::USER});
  if (!itUserCreate.second) {
  if (itUserCreate.first->second.Type == ESidType::USER) {
@@ -86,6 +101,12 @@ TLoginProvider::TBasicResponse TLoginProvider::ModifyUser(const TModifyUserReque
  return response;
  }
 
+ TPasswordChecker::TResult passwordCheckResult = PasswordChecker.Check(request.User, request.Password);
+ if (!passwordCheckResult.Success) {
+ response.Error = passwordCheckResult.Error;
+ return response;
+ }
+
  TSidRecord& user = itUserModify->second;
  user.Hash = Impl->GenerateHash(request.Password);
 
@@ -650,4 +671,8 @@ void TLoginProvider::UpdateSecurityState(const NLoginProto::TSecurityState& stat
  }
 }
 
+void TLoginProvider::UpdatePasswordCheckParameters(const TPasswordCheckParameters& passwordCheckParameters) {
+ PasswordChecker.Update(passwordCheckParameters);
+}
+
 }

ydb/library/login/login.h

@@ -7,6 +7,7 @@
 #include <deque>
 #include <util/generic/string.h>
 #include <ydb/library/login/protos/login.pb.h>
+#include <ydb/library/login/password_checker/password_checker.h>
 
 namespace NLogin {
 
@@ -172,7 +173,10 @@ class TLoginProvider {
  TRenameGroupResponse RenameGroup(const TRenameGroupRequest& request);
  TRemoveGroupResponse RemoveGroup(const TRemoveGroupRequest& request);
 
+ void UpdatePasswordCheckParameters(const TPasswordCheckParameters& passwordCheckParameters);
+
  TLoginProvider();
+ TLoginProvider(const TPasswordCheckParameters& passwordCheckParameters);
  ~TLoginProvider();
 
  std::vector<TString> GetGroupsMembership(const TString& member);
@@ -186,6 +190,8 @@ class TLoginProvider {
 
  struct TImpl;
  THolder<TImpl> Impl;
+
+ TPasswordChecker PasswordChecker;
 };
 
 }