support password_history and password_reuse_interval take effect sepa…

…rately(#2.0-dev) (#19950) support password_history and password_reuse_interval take effect separately Approved by: @daviszhen, @heni02, @sukki37
matrixorigin · Nov 11, 2024 · 14644a5 · 14644a5
1 parent 04529f1
commit 14644a5
Show file tree

Hide file tree

Showing 4 changed files with 164 additions and 24 deletions.
diff --git a/pkg/frontend/password_management.go b/pkg/frontend/password_management.go
@@ -337,7 +337,7 @@ func whetherSavePasswordHistory(ses *Session) (bool, error) {
 		return false, err
 	}
 
-	return passwordReuseInfo.PasswordHisoty > 0 && passwordReuseInfo.PasswordReuseInterval > 0, nil
+	return passwordReuseInfo.PasswordHisoty > 0 || passwordReuseInfo.PasswordReuseInterval > 0, nil
 }
 
 func generateSinglePasswordRecod(pwd string) ([]byte, error) {
@@ -426,7 +426,7 @@ func checkPasswordIntervalRule(ctx context.Context, reuseInfo *passwordReuseInfo
 				return false, err
 			}
 
-			if passwordTime.AddDate(0, 0, int(reuseInfo.PasswordReuseInterval)).After(time.Now()) {
+			if passwordTime.AddDate(0, 0, int(reuseInfo.PasswordReuseInterval)).After(time.Now().UTC()) {
 				return false, moerr.NewInvalidInputf(ctx, "The password has been used before, please change another one")
 			}
 		}
@@ -501,7 +501,7 @@ func checkPasswordReusePolicy(ctx context.Context, ses *Session, bh BackgroundEx
 		return err
 	}
 
-	if reuseInfo.PasswordHisoty <= 0 || reuseInfo.PasswordReuseInterval <= 0 {
+	if reuseInfo.PasswordHisoty <= 0 && reuseInfo.PasswordReuseInterval <= 0 {
 		return nil
 	}
 
@@ -525,13 +525,7 @@ func checkPasswordReusePolicy(ctx context.Context, ses *Session, bh BackgroundEx
 	if canDeleteNum > 0 {
 		for i := 0; i < int(canDeleteNum); i++ {
 			// if password time exceeds the password history, delete the password record
-			var passwordTime time.Time
-			passwordTime, err = time.ParseInLocation("2006-01-02 15:04:05", userPasswords[i].PasswordTimestamp, time.UTC)
-			if err != nil {
-				return err
-			}
-
-			if passwordTime.AddDate(0, 0, int(reuseInfo.PasswordHisoty)).Before(time.Now()) {
+			if passwordIntervalExpired(userPasswords[i].PasswordTimestamp, reuseInfo.PasswordReuseInterval) {
 				deleteNum++
 			} else {
 				break
@@ -673,3 +667,11 @@ func checkValidIpInInvitedNodes(ctx context.Context, invitedNodes string, ip str
 	}
 	return moerr.NewInvalidInputf(ctx, "IP %s is not in the invited nodes", ip)
 }
+
+func passwordIntervalExpired(timeStr string, interVal int64) bool {
+	passwordTime, err := time.ParseInLocation("2006-01-02 15:04:05", timeStr, time.UTC)
+	if err != nil {
+		return false
+	}
+	return passwordTime.AddDate(0, 0, int(interVal)).Before(time.Now().UTC())
+}
diff --git a/pkg/frontend/password_management_test.go b/pkg/frontend/password_management_test.go
@@ -306,3 +306,23 @@ func TestCheckValidIpInInvitedNodes(t *testing.T) {
 		}
 	}
 }
+
+func TestPasswordTimeIntervalCheck(t *testing.T) {
+	tests := []struct {
+		timeStr  string
+		interval int64
+		want     bool
+	}{
+		{"2024-11-11 06:45:56", 0, true},
+		{"2024-11-11 06:46:01", 0, true},
+		{"2024-11-11 06:48:30", 0, true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.timeStr, func(t *testing.T) {
+			if got := passwordIntervalExpired(tt.timeStr, tt.interval); got != tt.want {
+				t.Errorf("passwordTimeIntervalCheck(%v) = %v, want %v", tt.timeStr, got, tt.want)
+			}
+		})
+	}
+}