Skip to content

Commit bb70896

Browse files
authored
Fix handle password complexity default values (#15314)
1 parent 59ab890 commit bb70896

File tree

6 files changed

+43
-21
lines changed

6 files changed

+43
-21
lines changed

ydb/core/tx/schemeshard/schemeshard_impl.cpp

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -7445,7 +7445,6 @@ void TSchemeShard::ConfigureBackgroundCleaningQueue(
74457445
<< ", InflightLimit# " << cleaningConfig.InflightLimit);
74467446
}
74477447

7448-
// void TScheme
74497448
void TSchemeShard::ConfigureLoginProvider(
74507449
const ::NKikimrProto::TAuthConfig& config,
74517450
const TActorContext &ctx)
@@ -7457,18 +7456,26 @@ void TSchemeShard::ConfigureLoginProvider(
74577456
.MinUpperCaseCount = passwordComplexityConfig.GetMinUpperCaseCount(),
74587457
.MinNumbersCount = passwordComplexityConfig.GetMinNumbersCount(),
74597458
.MinSpecialCharsCount = passwordComplexityConfig.GetMinSpecialCharsCount(),
7460-
.SpecialChars = (passwordComplexityConfig.GetSpecialChars().empty() ? NLogin::TPasswordComplexity::VALID_SPECIAL_CHARS : passwordComplexityConfig.GetSpecialChars()),
7459+
.SpecialChars = passwordComplexityConfig.GetSpecialChars(),
74617460
.CanContainUsername = passwordComplexityConfig.GetCanContainUsername()
74627461
});
74637462
LoginProvider.UpdatePasswordCheckParameters(passwordComplexity);
74647463

7464+
auto getSpecialChars = [&passwordComplexity] () {
7465+
TStringBuilder result;
7466+
for (const auto& ch : passwordComplexity.SpecialChars) {
7467+
result << ch;
7468+
}
7469+
return result;
7470+
};
7471+
74657472
LOG_NOTICE_S(ctx, NKikimrServices::FLAT_TX_SCHEMESHARD,
74667473
"PasswordComplexity for LoginProvider configured: MinLength# " << passwordComplexity.MinLength
74677474
<< ", MinLowerCaseCount# " << passwordComplexity.MinLowerCaseCount
74687475
<< ", MinUpperCaseCount# " << passwordComplexity.MinUpperCaseCount
74697476
<< ", MinNumbersCount# " << passwordComplexity.MinNumbersCount
74707477
<< ", MinSpecialCharsCount# " << passwordComplexity.MinSpecialCharsCount
7471-
<< ", SpecialChars# " << (passwordComplexityConfig.GetSpecialChars().empty() ? NLogin::TPasswordComplexity::VALID_SPECIAL_CHARS : passwordComplexityConfig.GetSpecialChars())
7478+
<< ", SpecialChars# " << getSpecialChars()
74727479
<< ", CanContainUsername# " << (passwordComplexity.CanContainUsername ? "true" : "false"));
74737480
}
74747481

ydb/core/tx/schemeshard/ut_login/ut_login.cpp

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -313,7 +313,7 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
313313
AlterLoginAddGroupMembership(runtime, ++txId, "/MyRoot", "user1", "group1");
314314
TestDescribeResult(DescribePath(runtime, "/MyRoot"),
315315
{NLs::HasGroup("group1", {"user1"})});
316-
316+
317317
CreateAlterLoginRemoveGroup(runtime, ++txId, "/MyRoot", "group1");
318318
TestDescribeResult(DescribePath(runtime, "/MyRoot"),
319319
{NLs::HasNoGroup("group1")});
@@ -323,7 +323,7 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
323323
TTestBasicRuntime runtime;
324324
TTestEnv env(runtime, TTestEnvOptions().EnableStrictAclCheck(StrictAclCheck));
325325
ui64 txId = 100;
326-
326+
327327
for (bool missingOk : {false, true}) {
328328
auto modifyTx = std::make_unique<TEvSchemeShard::TEvModifySchemeTransaction>(txId, TTestTxConfig::SchemeShard);
329329
auto transaction = modifyTx->Record.AddTransaction();
@@ -370,7 +370,7 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
370370
TestModificationResult(runtime, txId, NKikimrScheme::StatusSuccess);
371371
TestDescribeResult(DescribePath(runtime, "/MyRoot/Dir1"),
372372
{NLs::HasOwner("root@builtin")});
373-
373+
374374
CreateAlterLoginRemoveGroup(runtime, ++txId, "/MyRoot", "group1");
375375
TestDescribeResult(DescribePath(runtime, "/MyRoot"),
376376
{NLs::HasNoGroup("group1")});
@@ -412,7 +412,7 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
412412
TestModificationResult(runtime, txId, NKikimrScheme::StatusSuccess);
413413
TestDescribeResult(DescribePath(runtime, "/MyRoot/Dir1"),
414414
{NLs::HasNoRight("+U:group1")});
415-
415+
416416
CreateAlterLoginRemoveGroup(runtime, ++txId, "/MyRoot", "group1");
417417
TestDescribeResult(DescribePath(runtime, "/MyRoot"),
418418
{NLs::HasNoGroup("group1")});
@@ -630,8 +630,8 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
630630
// required: cannot contain username
631631

632632
{
633-
CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "password1");
634-
auto resultLogin = Login(runtime, "user1", "password1");
633+
CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "Pass_word1");
634+
auto resultLogin = Login(runtime, "user1", "Pass_word1");
635635
UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "");
636636
auto describe = DescribePath(runtime, TTestTxConfig::SchemeShard, "/MyRoot");
637637
CheckSecurityState(describe, {.PublicKeysSize = 1, .SidsSize = 1});
@@ -1101,7 +1101,7 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
11011101
accountLockout->SetAttemptThreshold(4);
11021102
accountLockout->SetAttemptResetDuration("3s");
11031103
});
1104-
1104+
11051105
TTestEnv env(runtime);
11061106
auto accountLockoutConfig = runtime.GetAppData().AuthConfig.GetAccountLockout();
11071107
ui64 txId = 100;

ydb/library/login/login_ut.cpp

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -109,8 +109,7 @@ Y_UNIT_TEST_SUITE(Login) {
109109
.MinLowerCaseCount = 2,
110110
.MinUpperCaseCount = 2,
111111
.MinNumbersCount = 2,
112-
.MinSpecialCharsCount = 2,
113-
.SpecialChars = TPasswordComplexity::VALID_SPECIAL_CHARS
112+
.MinSpecialCharsCount = 2
114113
});
115114

116115
provider.UpdatePasswordCheckParameters(passwordComplexity);

ydb/library/login/password_checker/password_checker.cpp

Lines changed: 11 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@
55
namespace NLogin {
66

77
TPasswordComplexity::TPasswordComplexity()
8-
: SpecialChars(VALID_SPECIAL_CHARS.cbegin(), VALID_SPECIAL_CHARS.cend())
8+
: SpecialChars(VALID_SPECIAL_CHARS)
99
{}
1010

1111
TPasswordComplexity::TPasswordComplexity(const TInitializer& initializer)
@@ -16,10 +16,13 @@ TPasswordComplexity::TPasswordComplexity(const TInitializer& initializer)
1616
, MinSpecialCharsCount(initializer.MinSpecialCharsCount)
1717
, CanContainUsername(initializer.CanContainUsername)
1818
{
19-
static const std::unordered_set<char> validSpecialChars(VALID_SPECIAL_CHARS.cbegin(), VALID_SPECIAL_CHARS.cend());
20-
for (const char ch : initializer.SpecialChars) {
21-
if (validSpecialChars.contains(ch)) {
22-
SpecialChars.insert(ch);
19+
if (initializer.SpecialChars.empty()) {
20+
SpecialChars.insert(VALID_SPECIAL_CHARS.begin(), VALID_SPECIAL_CHARS.end());
21+
} else {
22+
for (const char ch : initializer.SpecialChars) {
23+
if (VALID_SPECIAL_CHARS.contains(ch)) {
24+
SpecialChars.insert(ch);
25+
}
2326
}
2427
}
2528
}
@@ -28,7 +31,9 @@ bool TPasswordComplexity::IsSpecialCharValid(char ch) const {
2831
return SpecialChars.contains(ch);
2932
}
3033

31-
const TString TPasswordComplexity::VALID_SPECIAL_CHARS = "!@#$%^&*()_+{}|<>?=";
34+
const std::unordered_set<char> TPasswordComplexity::VALID_SPECIAL_CHARS {'!', '@', '#', '$', '%', '^', '&',
35+
'*', '(', ')', '_', '+', '{',
36+
'}', '|', '<', '>', '?', '='};
3237

3338
TPasswordChecker::TComplexityState::TComplexityState(const TPasswordComplexity& passwordComplexity)
3439
: PasswordComplexity(passwordComplexity)

ydb/library/login/password_checker/password_checker.h

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,11 +14,11 @@ class TPasswordComplexity {
1414
size_t MinUpperCaseCount = 0;
1515
size_t MinNumbersCount = 0;
1616
size_t MinSpecialCharsCount = 0;
17-
TString SpecialChars = VALID_SPECIAL_CHARS;
17+
TString SpecialChars;
1818
bool CanContainUsername = false;
1919
};
2020

21-
static const TString VALID_SPECIAL_CHARS;
21+
static const std::unordered_set<char> VALID_SPECIAL_CHARS;
2222

2323
size_t MinLength = 0;
2424
size_t MinLowerCaseCount = 0;

ydb/library/login/password_checker/password_checker_ut.cpp

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,6 @@ Y_UNIT_TEST_SUITE(PasswordChecker) {
1414
.MinUpperCaseCount = 2,
1515
.MinNumbersCount = 2,
1616
.MinSpecialCharsCount = 2,
17-
.SpecialChars = TPasswordComplexity::VALID_SPECIAL_CHARS,
1817
.CanContainUsername = false
1918
});
2019
TPasswordChecker passwordChecker(passwordComplexity);
@@ -169,6 +168,18 @@ Y_UNIT_TEST_SUITE(PasswordChecker) {
169168
UNIT_ASSERT_STRINGS_EQUAL(result.Error, "Password is too short");
170169
}
171170

171+
Y_UNIT_TEST(AcceptPasswordWithSpecialCharsIfSpecialCharsListIsEmpty) {
172+
TPasswordComplexity passwordComplexity({
173+
.SpecialChars = ""
174+
});
175+
TPasswordChecker passwordChecker(passwordComplexity);
176+
TString username = "testuser";
177+
TString password = "user_password";
178+
TPasswordChecker::TResult result = passwordChecker.Check(username, password);
179+
UNIT_ASSERT_C(result.Success, result.Error);
180+
UNIT_ASSERT(result.Error.empty());
181+
}
182+
172183
Y_UNIT_TEST(HashChecker) {
173184
{
174185
auto hash = R"(

0 commit comments

Comments
 (0)