Merge 5675413 into e1ce008

molotkov-and · web-flow · commit 322052f08b8e · 2024-12-28T12:02:17.000Z
diff --git a/ydb/core/tx/schemeshard/schemeshard__init.cpp b/ydb/core/tx/schemeshard/schemeshard__init.cpp
@@ -3883,6 +3883,7 @@ struct TSchemeShard::TTxInit : public TTransactionBase<TSchemeShard> {
                 sid.SetName(rowset.GetValue<Schema::LoginSids::SidName>());
                 sid.SetType(rowset.GetValue<Schema::LoginSids::SidType>());
                 sid.SetHash(rowset.GetValue<Schema::LoginSids::SidHash>());
+                sid.SetCreatedAt(rowset.GetValueOrDefault<Schema::LoginSids::CreatedAt>());
                 sidIndex[sid.name()] = securityState.SidsSize() - 1;
                 if (!rowset.Next()) {
                     return false;
diff --git a/ydb/core/tx/schemeshard/schemeshard__init_root.cpp b/ydb/core/tx/schemeshard/schemeshard__init_root.cpp
@@ -4,6 +4,7 @@
 #include <ydb/core/tablet/tablet_exception.h>
 #include <ydb/core/tablet_flat/flat_cxx_database.h>
 #include <ydb/library/aclib/aclib.h>
+#include <ydb/library/security/util.h>
 
 namespace NKikimr {
 namespace NSchemeShard {
@@ -55,7 +56,9 @@ struct TSchemeShard::TTxInitRoot : public TSchemeShard::TRwTxBase {
                          << ", error: " << response.Error);
             } else {
                 auto& sid = Self->LoginProvider.Sids[defaultUser.GetName()];
-                db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType, Schema::LoginSids::SidHash>(sid.Type, sid.Hash);
+                db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType,
+                                                                   Schema::LoginSids::SidHash,
+                                                                   Schema::LoginSids::CreatedAt>(sid.Type, sid.Hash, ToInstant(sid.CreatedAt).MilliSeconds());
                 if (owner.empty()) {
                     owner = defaultUser.GetName();
                 }
@@ -77,7 +80,8 @@ struct TSchemeShard::TTxInitRoot : public TSchemeShard::TRwTxBase {
                          << ", error: " << response.Error);
             } else {
                 auto& sid = Self->LoginProvider.Sids[defaultGroup.GetName()];
-                db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType>(sid.Type);
+                db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType,
+                                                                   Schema::LoginSids::CreatedAt>(sid.Type, ToInstant(sid.CreatedAt).MilliSeconds());
                 for (const auto& member : defaultGroup.GetMembers()) {
                     auto response = Self->LoginProvider.AddGroupMembership({
                         .Group = defaultGroup.GetName(),
diff --git a/ydb/core/tx/schemeshard/schemeshard__operation_alter_login.cpp b/ydb/core/tx/schemeshard/schemeshard__operation_alter_login.cpp
@@ -1,6 +1,7 @@
 #include "schemeshard__operation_part.h"
 #include "schemeshard__operation_common.h"
 #include "schemeshard_impl.h"
+#include <ydb/library/security/util.h>
 #include <ydb/core/protos/auth.pb.h>
 
 namespace {
@@ -32,7 +33,9 @@ class TAlterLogin: public TSubOperationBase {
                         result->SetStatus(NKikimrScheme::StatusPreconditionFailed, response.Error);
                     } else {
                         auto& sid = context.SS->LoginProvider.Sids[createUser.GetUser()];
-                        db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType, Schema::LoginSids::SidHash>(sid.Type, sid.Hash);
+                        db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType,
+                                                                           Schema::LoginSids::SidHash,
+                                                                           Schema::LoginSids::CreatedAt>(sid.Type, sid.Hash, ToInstant(sid.CreatedAt).MilliSeconds());
                         if (securityConfig.HasAllUsersGroup()) {
                             auto response = context.SS->LoginProvider.AddGroupMembership({
                                 .Group = securityConfig.GetAllUsersGroup(),
@@ -76,7 +79,8 @@ class TAlterLogin: public TSubOperationBase {
                         result->SetStatus(NKikimrScheme::StatusPreconditionFailed, response.Error);
                     } else {
                         auto& sid = context.SS->LoginProvider.Sids[group];
-                        db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType>(sid.Type);
+                        db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType,
+                                                                           Schema::LoginSids::CreatedAt>(sid.Type, ToInstant(sid.CreatedAt).MilliSeconds());
                         result->SetStatus(NKikimrScheme::StatusSuccess);
                     }
                     break;
@@ -200,7 +204,7 @@ class TAlterLogin: public TSubOperationBase {
             TPathElement::TPtr path = context.SS->PathsById.at(pathId);
             if (path->Owner == user) {
                 auto pathStr = TPath::Init(pathId, context.SS).PathString();
-                return {.Error = TStringBuilder() << 
+                return {.Error = TStringBuilder() <<
                     "User " << user << " owns " << pathStr << " and can't be removed"};
             }
         }
@@ -239,7 +243,7 @@ class TAlterLogin: public TSubOperationBase {
         for (const TString& group : removeUserResponse.TouchedGroups) {
             db.Table<Schema::LoginSidMembers>().Key(group, user).Delete();
         }
-        
+
         return {}; // success
     }
 };
diff --git a/ydb/core/tx/schemeshard/schemeshard_schema.h b/ydb/core/tx/schemeshard/schemeshard_schema.h
@@ -1634,6 +1634,7 @@ struct Schema : NIceDb::Schema {
         struct LastSuccessfulAttempt : Column<4, NScheme::NTypeIds::Timestamp> {};
         struct LastFailedAttempt : Column<5, NScheme::NTypeIds::Timestamp> {};
         struct FailedAttemptCount : Column<6, NScheme::NTypeIds::Uint32> {using Type = ui32; static constexpr Type Default = 0;};
+        struct CreatedAt : Column<7, NScheme::NTypeIds::Timestamp> {};
 
         using TKey = TableKey<SidName>;
         using TColumns = TableColumns<
@@ -1642,7 +1643,8 @@ struct Schema : NIceDb::Schema {
             SidHash,
             LastSuccessfulAttempt,
             LastFailedAttempt,
-            FailedAttemptCount
+            FailedAttemptCount,
+            CreatedAt
         >;
     };
 
diff --git a/ydb/core/tx/schemeshard/ut_login/ut_login.cpp b/ydb/core/tx/schemeshard/ut_login/ut_login.cpp
@@ -311,7 +311,7 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
         auto describe = DescribePath(runtime, TTestTxConfig::SchemeShard, "/MyRoot");
         CheckSecurityState(describe, {.PublicKeysSize = 1, .SidsSize = 0});
     }
-    
+
     Y_UNIT_TEST(AddAccess_NonExisting) {
         TTestBasicRuntime runtime;
         TTestEnv env(runtime);
@@ -331,7 +331,7 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
             AsyncModifyACL(runtime, ++txId, "/MyRoot", "Dir1", NACLib::TDiffACL{}.SerializeAsString(), "user1");
             TestModificationResults(runtime, txId, {{NKikimrScheme::StatusPreconditionFailed, "Owner SID user1 not found"}});
         }
-        
+
         CreateAlterLoginCreateUser(runtime, ++txId, "/MyRoot", "user1", "password1");
 
         TestDescribeResult(DescribePath(runtime, "/MyRoot/Dir1"),
diff --git a/ydb/library/login/login.cpp b/ydb/library/login/login.cpp
@@ -79,6 +79,7 @@ TLoginProvider::TBasicResponse TLoginProvider::CreateUser(const TCreateUserReque
     TSidRecord& user = itUserCreate.first->second;
     user.Name = request.User;
     user.Hash = Impl->GenerateHash(request.Password);
+    user.CreatedAt = std::chrono::system_clock::now();
 
     return response;
 }
@@ -158,6 +159,7 @@ TLoginProvider::TBasicResponse TLoginProvider::CreateGroup(const TCreateGroupReq
 
     TSidRecord& group = itGroupCreate.first->second;
     group.Name = request.Group;
+    group.CreatedAt = std::chrono::system_clock::now();
 
     return response;
 }
@@ -670,6 +672,7 @@ void TLoginProvider::UpdateSecurityState(const NLoginProto::TSecurityState& stat
                 sid.Members.emplace(pbSubSid);
                 ChildToParentIndex[pbSubSid].emplace(sid.Name);
             }
+            sid.CreatedAt = std::chrono::system_clock::time_point(std::chrono::milliseconds(pbSid.GetCreatedAt()));
         }
     }
 }
diff --git a/ydb/library/login/login.h b/ydb/library/login/login.h
@@ -145,6 +145,7 @@ class TLoginProvider {
         TString Name;
         TString Hash;
         std::unordered_set<TString> Members;
+        std::chrono::system_clock::time_point CreatedAt; // CreatedAt does not need in describe result. We will not add to security state
     };
 
     // our current audience (database name)
diff --git a/ydb/library/login/login_ut.cpp b/ydb/library/login/login_ut.cpp
@@ -356,4 +356,41 @@ Y_UNIT_TEST_SUITE(Login) {
         UNIT_ASSERT_VALUES_EQUAL(TLoginProvider::SanitizeJwtToken("token_without_dot"), "");
         UNIT_ASSERT_VALUES_EQUAL(TLoginProvider::SanitizeJwtToken("token_without_signature."), "");
     }
+
+    Y_UNIT_TEST(CheckTimeOfUserCreating) {
+        TLoginProvider provider;
+        provider.Audience = "test_audience1";
+        provider.RotateKeys();
+
+        {
+            std::chrono::time_point<std::chrono::system_clock> start = std::chrono::system_clock::now();
+            TLoginProvider::TCreateUserRequest request {
+                .User = "user1",
+                .Password = "password1"
+            };
+            auto response = provider.CreateUser(request);
+            std::chrono::time_point<std::chrono::system_clock> finish = std::chrono::system_clock::now();
+            UNIT_ASSERT(!response.Error);
+            const auto& sid = provider.Sids["user1"];
+            UNIT_ASSERT(sid.CreatedAt >= start && sid.CreatedAt <= finish);
+        }
+        {
+            std::chrono::time_point<std::chrono::system_clock> start = std::chrono::system_clock::now();
+            TLoginProvider::TCreateUserRequest request {
+                .User = "user2",
+                .Password = "password2"
+            };
+            auto response = provider.CreateUser(request);
+            std::chrono::time_point<std::chrono::system_clock> finish = std::chrono::system_clock::now();
+            UNIT_ASSERT(!response.Error);
+            const auto& sid = provider.Sids["user2"];
+            UNIT_ASSERT(sid.CreatedAt >= start && sid.CreatedAt <= finish);
+        }
+
+        {
+            const auto& sid1 = provider.Sids["user1"];
+            const auto& sid2 = provider.Sids["user2"];
+            UNIT_ASSERT(sid1.CreatedAt < sid2.CreatedAt);
+        }
+    }
 }
diff --git a/ydb/library/login/protos/login.proto b/ydb/library/login/protos/login.proto
@@ -22,11 +22,11 @@ message TSid {
     ESidType.SidType Type = 2;
     string Hash = 3;
     repeated string Members = 4;
+    uint64 CreatedAt = 5;
 }
 
 message TSecurityState {
     repeated TPublicKey PublicKeys = 1;
     repeated TSid Sids = 2;
     string Audience = 3;
 }
-

Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,7 @@ TLoginProvider::TBasicResponse TLoginProvider::CreateUser(const TCreateUserReque`
`79`	`79`	`TSidRecord& user = itUserCreate.first->second;`
`80`	`80`	`user.Name = request.User;`
`81`	`81`	`user.Hash = Impl->GenerateHash(request.Password);`
	`82`	`+ user.CreatedAt = std::chrono::system_clock::now();`
`82`	`83`
`83`	`84`	`return response;`
`84`	`85`	`}`
`@@ -158,6 +159,7 @@ TLoginProvider::TBasicResponse TLoginProvider::CreateGroup(const TCreateGroupReq`
`158`	`159`
`159`	`160`	`TSidRecord& group = itGroupCreate.first->second;`
`160`	`161`	`group.Name = request.Group;`
	`162`	`+ group.CreatedAt = std::chrono::system_clock::now();`
`161`	`163`
`162`	`164`	`return response;`
`163`	`165`	`}`
`@@ -670,6 +672,7 @@ void TLoginProvider::UpdateSecurityState(const NLoginProto::TSecurityState& stat`
`670`	`672`	`sid.Members.emplace(pbSubSid);`
`671`	`673`	`ChildToParentIndex[pbSubSid].emplace(sid.Name);`
`672`	`674`	`}`
	`675`	`+ sid.CreatedAt = std::chrono::system_clock::time_point(std::chrono::milliseconds(pbSid.GetCreatedAt()));`
`673`	`676`	`}`
`674`	`677`	`}`
`675`	`678`	`}`
Original file line number	Diff line number	Diff line change
`@@ -22,11 +22,11 @@ message TSid {`
`22`	`22`	`ESidType.SidType Type = 2;`
`23`	`23`	`string Hash = 3;`
`24`	`24`	`repeated string Members = 4;`
	`25`	`+ uint64 CreatedAt = 5;`
`25`	`26`	`}`
`26`	`27`
`27`	`28`	`message TSecurityState {`
`28`	`29`	`repeated TPublicKey PublicKeys = 1;`
`29`	`30`	`repeated TSid Sids = 2;`
`30`	`31`	`string Audience = 3;`
`31`	`32`	`}`
`32`		`-`