Check account lockout config (#15147)

Author: molotkov-and

ydb/core/config/validation/auth_config_validator.cpp

@@ -1,13 +1,14 @@
 #include <ydb/core/protos/auth.pb.h>
 #include <vector>
 #include <util/generic/string.h>
+#include <util/datetime/base.h>
 #include "validators.h"
 
 
 namespace NKikimr::NConfig {
 namespace {
 
-EValidationResult ValidatePasswordComplexity(const NKikimrProto::TPasswordComplexity& passwordComplexity, std::vector<TString>&msg) {
+EValidationResult ValidatePasswordComplexity(const NKikimrProto::TPasswordComplexity& passwordComplexity, std::vector<TString>& msg) {
     size_t minCountOfRequiredChars = passwordComplexity.GetMinLowerCaseCount() +
                                      passwordComplexity.GetMinUpperCaseCount() +
                                      passwordComplexity.GetMinNumbersCount() +
@@ -20,13 +21,32 @@ EValidationResult ValidatePasswordComplexity(const NKikimrProto::TPasswordComple
     return EValidationResult::Ok;
 }
 
+EValidationResult ValidateAccountLockout(const NKikimrProto::TAccountLockout& accountLockout, std::vector<TString>& msg) {
+    TDuration attemptResetDuration;
+    if (TDuration::TryParse(accountLockout.GetAttemptResetDuration(), attemptResetDuration)) {
+        return EValidationResult::Ok;
+    }
+    msg = std::vector<TString>{"account_lockout: Cannot parse attempt reset duration"};
+    return EValidationResult::Error;
+}
+
 } // namespace
 
 EValidationResult ValidateAuthConfig(const NKikimrProto::TAuthConfig& authConfig, std::vector<TString>& msg) {
-    EValidationResult validatePasswordComplexityResult = ValidatePasswordComplexity(authConfig.GetPasswordComplexity(), msg);
-    if (validatePasswordComplexityResult == EValidationResult::Error) {
-        return EValidationResult::Error;
+    if (authConfig.HasPasswordComplexity()) {
+        EValidationResult validateResult = ValidatePasswordComplexity(authConfig.GetPasswordComplexity(), msg);
+        if (validateResult == EValidationResult::Error) {
+            return EValidationResult::Error;
+        }
     }
+
+    if (authConfig.HasAccountLockout()) {
+        EValidationResult validateResult = ValidateAccountLockout(authConfig.GetAccountLockout(), msg);
+        if (validateResult == EValidationResult::Error) {
+            return EValidationResult::Error;
+        }
+    }
+
     if (msg.size() > 0) {
         return EValidationResult::Warn;
     }

ydb/core/config/validation/auth_config_validator_ut/auth_config_validator_ut.cpp

@@ -19,7 +19,7 @@ Y_UNIT_TEST_SUITE(AuthConfigValidation) {
         std::vector<TString> error;
         EValidationResult result = ValidateAuthConfig(authConfig, error);
         UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
-        UNIT_ASSERT_C(error.empty(), "Should not be errors");
+        UNIT_ASSERT_C(error.empty(), error.front());
     }
 
     Y_UNIT_TEST(CannotAcceptInvalidPasswordComplexity) {
@@ -40,4 +40,71 @@ Y_UNIT_TEST_SUITE(AuthConfigValidation) {
         UNIT_ASSERT_STRINGS_EQUAL(error.front(), "password_complexity: Min length of password cannot be less than "
                                                  "total min counts of lower case chars, upper case chars, numbers and special chars");
     }
+
+    Y_UNIT_TEST(AcceptValidAccountLockoutConfig) {
+        NKikimrProto::TAuthConfig authConfig;
+        NKikimrProto::TAccountLockout* validAccountLockoutConfig = authConfig.MutableAccountLockout();
+
+        {
+            validAccountLockoutConfig->SetAttemptResetDuration("12h");
+
+            std::vector<TString> error;
+            EValidationResult result = ValidateAuthConfig(authConfig, error);
+            UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
+            UNIT_ASSERT_C(error.empty(), error.front());
+        }
+
+        {
+            validAccountLockoutConfig->SetAttemptResetDuration("5m");
+
+            std::vector<TString> error;
+            EValidationResult result = ValidateAuthConfig(authConfig, error);
+            UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
+            UNIT_ASSERT_C(error.empty(), error.front());
+        }
+
+        {
+            validAccountLockoutConfig->SetAttemptResetDuration("5s");
+
+            std::vector<TString> error;
+            EValidationResult result = ValidateAuthConfig(authConfig, error);
+            UNIT_ASSERT_EQUAL(result, EValidationResult::Ok);
+            UNIT_ASSERT_C(error.empty(), error.front());
+        }
+    }
+
+    Y_UNIT_TEST(CannotAcceptInvalidAccountLockoutConfig) {
+        NKikimrProto::TAuthConfig authConfig;
+        NKikimrProto::TAccountLockout* invalidAccountLockoutConfig = authConfig.MutableAccountLockout();
+
+        {
+            invalidAccountLockoutConfig->SetAttemptResetDuration("h");
+
+            std::vector<TString> error;
+            EValidationResult result = ValidateAuthConfig(authConfig, error);
+            UNIT_ASSERT_EQUAL(result, EValidationResult::Error);
+            UNIT_ASSERT_VALUES_EQUAL(error.size(), 1);
+            UNIT_ASSERT_STRINGS_EQUAL(error.front(), "account_lockout: Cannot parse attempt reset duration");
+        }
+
+        {
+            invalidAccountLockoutConfig->SetAttemptResetDuration("");
+
+            std::vector<TString> error;
+            EValidationResult result = ValidateAuthConfig(authConfig, error);
+            UNIT_ASSERT_EQUAL(result, EValidationResult::Error);
+            UNIT_ASSERT_VALUES_EQUAL(error.size(), 1);
+            UNIT_ASSERT_STRINGS_EQUAL(error.front(), "account_lockout: Cannot parse attempt reset duration");
+        }
+
+        {
+            invalidAccountLockoutConfig->SetAttemptResetDuration("12hhh");
+
+            std::vector<TString> error;
+            EValidationResult result = ValidateAuthConfig(authConfig, error);
+            UNIT_ASSERT_EQUAL(result, EValidationResult::Error);
+            UNIT_ASSERT_VALUES_EQUAL(error.size(), 1);
+            UNIT_ASSERT_STRINGS_EQUAL(error.front(), "account_lockout: Cannot parse attempt reset duration");
+        }
+    }
 }