Add LastSuccessfulLogin time point to TSidRecord (#13254)

Author: andrewstalin

ydb/core/tx/schemeshard/schemeshard__init.cpp

@@ -3884,6 +3884,7 @@ struct TSchemeShard::TTxInit : public TTransactionBase<TSchemeShard> {
                 sid.SetType(rowset.GetValue<Schema::LoginSids::SidType>());
                 sid.SetHash(rowset.GetValue<Schema::LoginSids::SidHash>());
                 sid.SetCreatedAt(rowset.GetValueOrDefault<Schema::LoginSids::CreatedAt>());
+                sid.SetLastSuccessfulLogin(rowset.GetValue<Schema::LoginSids::LastSuccessfulAttempt>());
                 sidIndex[sid.name()] = securityState.SidsSize() - 1;
                 if (!rowset.Next()) {
                     return false;

ydb/core/tx/schemeshard/schemeshard__login.cpp

@@ -204,8 +204,8 @@ struct TSchemeShard::TTxLogin : TTransactionBase<TSchemeShard> {
         ResetFailedAttemptCount(loginRequest, db);
     }
 
-    void HandleLoginAuthSuccess(const NLogin::TLoginProvider::TLoginUserRequest& loginRequest, const NLogin::TLoginProvider::TLoginUserResponse& /* loginResponse */, NIceDb::TNiceDb& db) {
-        db.Table<Schema::LoginSids>().Key(loginRequest.User).Update<Schema::LoginSids::LastSuccessfulAttempt, Schema::LoginSids::FailedAttemptCount>(TAppData::TimeProvider->Now().MicroSeconds(), Schema::LoginSids::FailedAttemptCount::Default);
+    void HandleLoginAuthSuccess(const NLogin::TLoginProvider::TLoginUserRequest& loginRequest, const NLogin::TLoginProvider::TLoginUserResponse& loginResponse, NIceDb::TNiceDb& db) {
+        db.Table<Schema::LoginSids>().Key(loginRequest.User).Update<Schema::LoginSids::LastSuccessfulAttempt, Schema::LoginSids::FailedAttemptCount>(loginResponse.LoginAttemptTime, Schema::LoginSids::FailedAttemptCount::Default);
     }
 
     void HandleLoginAuthInvalidPassword(const NLogin::TLoginProvider::TLoginUserRequest& loginRequest, const NLogin::TLoginProvider::TLoginUserResponse& /* loginResponse */, NIceDb::TNiceDb& db) {

ydb/library/login/login.cpp

@@ -318,7 +318,16 @@ std::vector<TString> TLoginProvider::GetGroupsMembership(const TString& member)
 }
 
 TLoginProvider::TLoginUserResponse TLoginProvider::LoginUser(const TLoginUserRequest& request) {
+    auto now = std::chrono::system_clock::now();
     TLoginUserResponse response;
+    response.LoginAttemptTime = std::chrono::time_point_cast<std::chrono::microseconds>(now).time_since_epoch().count();
+
+    if (Keys.empty() || Keys.back().PrivateKey.empty()) {
+        response.Status = TLoginUserResponse::EStatus::UNAVAILABLE_KEY;
+        response.Error = "No key to generate token";
+        return response;
+    }
+
     if (!request.ExternalAuth) {
         auto itUser = Sids.find(request.User);
         if (itUser == Sids.end() || itUser->second.Type != ESidType::USER) {
@@ -332,22 +341,16 @@ TLoginProvider::TLoginUserResponse TLoginProvider::LoginUser(const TLoginUserReq
             response.Error = "Invalid password";
             return response;
         }
-    }
 
-    if (Keys.empty() || Keys.back().PrivateKey.empty()) {
-        response.Status = TLoginUserResponse::EStatus::UNAVAILABLE_KEY;
-        response.Error = "No key to generate token";
-        return response;
+        itUser->second.LastSuccessfulLogin = response.LoginAttemptTime;
     }
 
     const TKeyRecord& key = Keys.back();
-
     auto keyId = ToString(key.KeyId);
     const auto& publicKey = key.PublicKey;
     const auto& privateKey = key.PrivateKey;
 
     // encode jwt
-    auto now = std::chrono::system_clock::now();
     auto expires_at = now + MAX_TOKEN_EXPIRE_TIME;
     if (request.Options.ExpiresAfter != std::chrono::system_clock::duration::zero()) {
         expires_at = std::min(expires_at, now + request.Options.ExpiresAfter);
@@ -668,6 +671,7 @@ void TLoginProvider::UpdateSecurityState(const NLoginProto::TSecurityState& stat
             sid.Type = pbSid.GetType();
             sid.Name = pbSid.GetName();
             sid.Hash = pbSid.GetHash();
+            sid.LastSuccessfulLogin = pbSid.GetLastSuccessfulLogin();
             for (const auto& pbSubSid : pbSid.GetMembers()) {
                 sid.Members.emplace(pbSubSid);
                 ChildToParentIndex[pbSubSid].emplace(sid.Name);

ydb/library/login/login.h

@@ -59,6 +59,7 @@ class TLoginProvider {
         TString Token;
         TString SanitizedToken; // Token for audit logs
         EStatus Status = EStatus::UNSPECIFIED;
+        ui64 LoginAttemptTime; // microseconds
     };
 
     struct TValidateTokenRequest : TBasicRequest {
@@ -146,6 +147,7 @@ class TLoginProvider {
         TString Hash;
         std::unordered_set<TString> Members;
         std::chrono::system_clock::time_point CreatedAt; // CreatedAt does not need in describe result. We will not add to security state
+        ui64 LastSuccessfulLogin;
     };
 
     // our current audience (database name)

ydb/library/login/protos/login.proto

@@ -23,6 +23,7 @@ message TSid {
     string Hash = 3;
     repeated string Members = 4;
     uint64 CreatedAt = 5;
+    uint64 LastSuccessfulLogin = 6; // microseconds
 }
 
 message TSecurityState {