feat/TS-5927-long-password

2025-01-23 08:46:29 +00:00 · 2025-01-23 08:46:29 +00:00 · 3c5b8037e3
parent 513e564adb
commit 3c5b8037e3
8 changed files with 121 additions and 15 deletions
--- a/include/common/tglobal.h
+++ b/include/common/tglobal.h
@ -69,6 +69,7 @@ extern EEncryptAlgor tsiEncryptAlgorithm;
 extern EEncryptScope tsiEncryptScope;
 // extern char     tsAuthCode[];
 extern char tsEncryptKey[];
+extern int8_t tsEnableStrongPassword;

 // common
 extern int32_t tsMaxShellConns;
--- a/include/common/tmsg.h
+++ b/include/common/tmsg.h
@ -1089,6 +1089,7 @@ typedef struct {
  char*       sql;
  int8_t      isImport;
  int8_t      createDb;
+  char        longPass[TSDB_USET_PASSWORD_LONGLEN];
 } SCreateUserReq;

 int32_t tSerializeSCreateUserReq(void* buf, int32_t bufLen, SCreateUserReq* pReq);
@ -1159,6 +1160,7 @@ typedef struct {
  int64_t     privileges;
  int32_t     sqlLen;
  char*       sql;
+  char        longPass[TSDB_USET_PASSWORD_LONGLEN];
 } SAlterUserReq;

 int32_t tSerializeSAlterUserReq(void* buf, int32_t bufLen, SAlterUserReq* pReq);
--- a/include/util/tdef.h
+++ b/include/util/tdef.h
@ -297,9 +297,10 @@ typedef enum ELogicConditionType {

 #define TSDB_AUTH_LEN          16
 #define TSDB_PASSWORD_MIN_LEN  8
-#define TSDB_PASSWORD_MAX_LEN  16
+#define TSDB_PASSWORD_MAX_LEN      255
 #define TSDB_PASSWORD_LEN      32
 #define TSDB_USET_PASSWORD_LEN 129
+#define TSDB_USET_PASSWORD_LONGLEN 256
 #define TSDB_VERSION_LEN       32
 #define TSDB_LABEL_LEN         16
 #define TSDB_JOB_STATUS_LEN    32
--- a/source/common/src/msg/tmsg.c
+++ b/source/common/src/msg/tmsg.c
@ -2007,6 +2007,7 @@ int32_t tSerializeSCreateUserReq(void *buf, int32_t bufLen, SCreateUserReq *pReq
  ENCODESQL();
  TAOS_CHECK_EXIT(tEncodeI8(&encoder, pReq->isImport));
  TAOS_CHECK_EXIT(tEncodeI8(&encoder, pReq->createDb));
+  TAOS_CHECK_EXIT(tEncodeCStr(&encoder, pReq->longPass));

  tEndEncode(&encoder);

@ -2047,6 +2048,9 @@ int32_t tDeserializeSCreateUserReq(void *buf, int32_t bufLen, SCreateUserReq *pR
    TAOS_CHECK_EXIT(tDecodeI8(&decoder, &pReq->createDb));
    TAOS_CHECK_EXIT(tDecodeI8(&decoder, &pReq->isImport));
  }
+  if (!tDecodeIsEnd(&decoder)) {
+    TAOS_CHECK_EXIT(tDecodeCStrTo(&decoder, pReq->longPass));
+  }

  tEndDecode(&decoder);

@ -2402,6 +2406,7 @@ int32_t tSerializeSAlterUserReq(void *buf, int32_t bufLen, SAlterUserReq *pReq)
  TAOS_CHECK_EXIT(tEncodeI64(&encoder, pReq->privileges));
  ENCODESQL();
  TAOS_CHECK_EXIT(tEncodeU8(&encoder, pReq->flag));
+  TAOS_CHECK_EXIT(tEncodeCStr(&encoder, pReq->longPass));
  tEndEncode(&encoder);

 _exit:
@ -2453,6 +2458,9 @@ int32_t tDeserializeSAlterUserReq(void *buf, int32_t bufLen, SAlterUserReq *pReq
  if (!tDecodeIsEnd(&decoder)) {
    TAOS_CHECK_EXIT(tDecodeU8(&decoder, &pReq->flag));
  }
+  if (!tDecodeIsEnd(&decoder)) {
+    TAOS_CHECK_EXIT(tDecodeCStrTo(&decoder, pReq->longPass));
+  }
  tEndDecode(&decoder);

 _exit:
--- a/source/common/src/tglobal.c
+++ b/source/common/src/tglobal.c
@ -58,6 +58,7 @@ EEncryptScope tsiEncryptScope = 0;
 // char     tsAuthCode[500] = {0};
 // char     tsEncryptKey[17] = {0};
 char tsEncryptKey[17] = {0};
+int8_t tsEnableStrongPassword = 1;

 // common
 int32_t tsMaxShellConns = 50000;
@ -838,6 +839,7 @@ static int32_t taosAddServerCfg(SConfig *pCfg) {

  TAOS_CHECK_RETURN(cfgAddString(pCfg, "encryptAlgorithm", tsEncryptAlgorithm, CFG_SCOPE_SERVER, CFG_DYN_NONE, CFG_CATEGORY_GLOBAL));
  TAOS_CHECK_RETURN(cfgAddString(pCfg, "encryptScope", tsEncryptScope, CFG_SCOPE_SERVER, CFG_DYN_NONE,CFG_CATEGORY_GLOBAL));
+  TAOS_CHECK_RETURN(cfgAddBool(pCfg, "enableStrongPassword", tsEnableStrongPassword, CFG_SCOPE_SERVER, CFG_DYN_SERVER,CFG_CATEGORY_GLOBAL));

  TAOS_CHECK_RETURN(cfgAddInt32(pCfg, "statusInterval", tsStatusInterval, 1, 30, CFG_SCOPE_SERVER, CFG_DYN_SERVER_LAZY,CFG_CATEGORY_GLOBAL));
  TAOS_CHECK_RETURN(cfgAddInt32(pCfg, "maxShellConns", tsMaxShellConns, 10, 50000000, CFG_SCOPE_SERVER, CFG_DYN_SERVER_LAZY, CFG_CATEGORY_LOCAL));
@ -1527,6 +1529,9 @@ static int32_t taosSetServerCfg(SConfig *pCfg) {
  TAOS_CHECK_RETURN(taosCheckCfgStrValueLen(pItem->name, pItem->str, 100));
  tstrncpy(tsEncryptScope, pItem->str, 100);

+  TAOS_CHECK_GET_CFG_ITEM(pCfg, pItem, "enableStrongPassword");
+  tsEnableStrongPassword = pItem->i32;
+
  TAOS_CHECK_GET_CFG_ITEM(pCfg, pItem, "numOfRpcThreads");
  tsNumOfRpcThreads = pItem->i32;

@ -2518,7 +2523,8 @@ static int32_t taosCfgDynamicOptionsForServer(SConfig *pCfg, const char *name) {
                                         {"arbHeartBeatIntervalSec", &tsArbHeartBeatIntervalSec},
                                         {"arbCheckSyncIntervalSec", &tsArbCheckSyncIntervalSec},
                                         {"arbSetAssignedTimeoutSec", &tsArbSetAssignedTimeoutSec},
-                                         {"queryNoFetchTimeoutSec", &tsQueryNoFetchTimeoutSec}};
+                                         {"queryNoFetchTimeoutSec", &tsQueryNoFetchTimeoutSec},
+                                         {"enableStrongPassword", &tsEnableStrongPassword}};

    if ((code = taosCfgSetOption(debugOptions, tListLen(debugOptions), pItem, true)) != TSDB_CODE_SUCCESS) {
      code = taosCfgSetOption(options, tListLen(options), pItem, false);
--- a/source/dnode/mnode/impl/src/mndUser.c
+++ b/source/dnode/mnode/impl/src/mndUser.c
@ -1705,11 +1705,22 @@ static int32_t mndCreateUser(SMnode *pMnode, char *acct, SCreateUserReq *pCreate
  int32_t  code = 0;
  int32_t  lino = 0;
  SUserObj userObj = {0};
+  char     pass[TSDB_USET_PASSWORD_LONGLEN] = {0};
+
+  int32_t len = strlen(pCreate->longPass);
+
+  if (len > 0) {
+    strncpy(pass, pCreate->longPass, TSDB_USET_PASSWORD_LONGLEN);
+  } else {
+    len = strlen(pCreate->pass);
+    strncpy(pass, pCreate->pass, TSDB_PASSWORD_LEN);
+  }
+
  if (pCreate->isImport != 1) {
-    taosEncryptPass_c((uint8_t *)pCreate->pass, strlen(pCreate->pass), userObj.pass);
+    taosEncryptPass_c((uint8_t *)pass, strlen(pass), userObj.pass);
  } else {
    // mInfo("pCreate->pass:%s", pCreate->eass)
-    memcpy(userObj.pass, pCreate->pass, TSDB_PASSWORD_LEN);
+    memcpy(userObj.pass, pass, TSDB_PASSWORD_LEN);
  }
  tstrncpy(userObj.user, pCreate->user, TSDB_USER_LEN);
  tstrncpy(userObj.acct, acct, TSDB_USER_LEN);
@ -1884,16 +1895,28 @@ static int32_t mndProcessCreateUserReq(SRpcMsg *pReq) {
    TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_USER_FORMAT, &lino, _OVER);
  }

-  int32_t len = strlen(createReq.pass);
+  char pass[TSDB_USET_PASSWORD_LONGLEN] = {0};
+
+  int32_t len = strlen(createReq.longPass);
+
+  if (len > 0) {
+    strncpy(pass, createReq.longPass, TSDB_USET_PASSWORD_LONGLEN);
+  } else {
+    len = strlen(createReq.pass);
+    strncpy(pass, createReq.pass, TSDB_PASSWORD_LEN);
+  }
+
  if (createReq.isImport != 1) {
-    if (mndCheckPasswordMinLen(createReq.pass, len) != 0) {
+    if (mndCheckPasswordMinLen(pass, len) != 0) {
      TAOS_CHECK_GOTO(TSDB_CODE_PAR_PASSWD_TOO_SHORT_OR_EMPTY, &lino, _OVER);
    }
-    if (mndCheckPasswordMaxLen(createReq.pass, len) != 0) {
+    if (mndCheckPasswordMaxLen(pass, len) != 0) {
      TAOS_CHECK_GOTO(TSDB_CODE_PAR_NAME_OR_PASSWD_TOO_LONG, &lino, _OVER);
    }
-    if (mndCheckPasswordFmt(createReq.pass, len) != 0) {
-      TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
+    if (tsEnableStrongPassword) {
+      if (mndCheckPasswordFmt(pass, len) != 0) {
+        TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
+      }
    }
  }

@ -2376,16 +2399,27 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) {
    TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_USER_FORMAT, &lino, _OVER);
  }

+  char    userSetPass[TSDB_USET_PASSWORD_LONGLEN] = {0};
+  int32_t len = strlen(alterReq.longPass);
+
  if (TSDB_ALTER_USER_PASSWD == alterReq.alterType) {
-    int32_t len = strlen(alterReq.pass);
-    if (mndCheckPasswordMinLen(alterReq.pass, len) != 0) {
+    if (len > 0) {
+      strncpy(userSetPass, alterReq.longPass, TSDB_USET_PASSWORD_LONGLEN);
+    } else {
+      len = strlen(alterReq.pass);
+      strncpy(userSetPass, alterReq.pass, TSDB_USET_PASSWORD_LEN);
+    }
+
+    if (mndCheckPasswordMinLen(userSetPass, len) != 0) {
      TAOS_CHECK_GOTO(TSDB_CODE_PAR_PASSWD_TOO_SHORT_OR_EMPTY, &lino, _OVER);
    }
-    if (mndCheckPasswordMaxLen(alterReq.pass, len) != 0) {
+    if (mndCheckPasswordMaxLen(userSetPass, len) != 0) {
      TAOS_CHECK_GOTO(TSDB_CODE_PAR_NAME_OR_PASSWD_TOO_LONG, &lino, _OVER);
    }
-    if (mndCheckPasswordFmt(alterReq.pass, len) != 0) {
-      TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
+    if (tsEnableStrongPassword) {
+      if (mndCheckPasswordFmt(userSetPass, len) != 0) {
+        TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
+      }
    }
  }

@ -2402,7 +2436,8 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) {

  if (alterReq.alterType == TSDB_ALTER_USER_PASSWD) {
    char pass[TSDB_PASSWORD_LEN + 1] = {0};
-    taosEncryptPass_c((uint8_t *)alterReq.pass, strlen(alterReq.pass), pass);
+
+    taosEncryptPass_c((uint8_t *)userSetPass, len, pass);
    (void)memcpy(newUser.pass, pass, TSDB_PASSWORD_LEN);
    if (0 != strncmp(pUser->pass, pass, TSDB_PASSWORD_LEN)) {
      ++newUser.passVersion;
--- a/tests/army/cluster/strongPassword.py
+++ b/tests/army/cluster/strongPassword.py
@ -0,0 +1,52 @@
+import taos
+import sys
+import os
+import subprocess
+import glob
+import shutil
+import time
+
+from frame.log import *
+from frame.cases import *
+from frame.sql import *
+from frame.srvCtl import *
+from frame.caseBase import *
+from frame import *
+from frame.autogen import *
+from frame import epath
+# from frame.server.dnodes import *
+# from frame.server.cluster import *
+
+
+class TDTestCase(TBase):
+    
+    def init(self, conn, logSql, replicaVar=1):
+        super(TDTestCase, self).init(conn, logSql, replicaVar=1, checkColName="c1")
+        
+        tdSql.init(conn.cursor(), logSql)  
+
+    def run(self):
+        # strong
+        tdSql.error("create user test pass '12345678' sysinfo 0;", expectErrInfo="Invalid password format")
+
+        tdSql.execute("create user test pass '12345678@Abc' sysinfo 0;")
+
+        tdSql.error("alter user test pass '23456789'", expectErrInfo="Invalid password format")
+
+        tdSql.execute("alter user test pass '23456789@Abc';")
+
+        # change setting
+        tdSql.execute("ALTER ALL DNODES 'enableStrongPassword' '0'")
+
+        # weak
+        tdSql.execute("create user test1 pass '12345678' sysinfo 0;")
+
+        tdSql.execute("alter user test1 pass '12345678';")
+
+    def stop(self):
+        tdSql.close()
+        tdLog.success(f"{__file__} successfully executed")
+
+
+tdCases.addLinux(__file__, TDTestCase())
+tdCases.addWindows(__file__, TDTestCase())
--- a/tests/parallel_test/cases.task
+++ b/tests/parallel_test/cases.task
@ -72,6 +72,7 @@
 ,,n,army,python3 ./test.py -f tmq/drop_lost_comsumers.py
 ,,y,army,./pytest.sh python3 ./test.py -f cmdline/taosCli.py
 ,,n,army,python3 ./test.py -f whole/checkErrorCode.py
+,,y,army,./pytest.sh python3 ./test.py -f cluster/strongPassword.py

 #
 # system test