@@ -3057,6 +3057,99 @@ WITH (
30573057 }
30583058 }
30593059
3060+ Y_UNIT_TEST (AuthUsers_LockUnlock) {
3061+ NKikimrProto::TAuthConfig authConfig;
3062+ auto accountLockout = authConfig.MutableAccountLockout ();
3063+ accountLockout->SetAttemptResetDuration (" 3s"
3064+ TTestEnv env (1 , 4 , {.AuthConfig = authConfig});
3065+ SetupAuthEnvironment (env);
3066+
3067+ TTableClient client (env.GetDriver ());
3068+
3069+ env.GetClient ().CreateUser (" /Root" " user1" " password1"
3070+ {
3071+ auto it = client.StreamExecuteScanQuery (R"(
3072+ SELECT Sid, IsEnabled, IsLockedOut, LastSuccessfulAttemptAt, LastFailedAttemptAt, FailedAttemptCount
3073+ FROM `Root/.sys/auth_users`
3074+ )" ).GetValueSync ();
3075+
3076+ auto expected = R"( [
3077+ [["user1"];[%true];[%false];#;#;[0u]];
3078+ ])" ;
3079+
3080+ NKqp::CompareYson (expected, NKqp::StreamResultToYson (it));
3081+ }
3082+
3083+
3084+ {
3085+ auto loginResult = env.GetClient ().Login (*(env.GetServer ().GetRuntime ()), " user1" " password1"
3086+ UNIT_ASSERT_EQUAL (loginResult.GetError (), " "
3087+ }
3088+
3089+ {
3090+ for (size_t i = 0 ; i < 4 ; i++) {
3091+ auto loginResult = env.GetClient ().Login (*(env.GetServer ().GetRuntime ()), " user1" " wrongPassword"
3092+ UNIT_ASSERT_EQUAL (loginResult.GetError (), " Invalid password"
3093+ }
3094+ }
3095+
3096+ // After some attempts login with wrong password user must be locked out. Flag IsLockedOut must be true
3097+ {
3098+ auto it = client.StreamExecuteScanQuery (R"(
3099+ SELECT Sid, IsEnabled, IsLockedOut, FailedAttemptCount
3100+ FROM `Root/.sys/auth_users`
3101+ )" ).GetValueSync ();
3102+
3103+ auto expected = R"( [
3104+ [["user1"];[%true];[%true];[4u]];
3105+ ])" ;
3106+
3107+ NKqp::CompareYson (expected, NKqp::StreamResultToYson (it));
3108+ }
3109+
3110+ // Check that user is locked out and cannot login
3111+ {
3112+ auto loginResult = env.GetClient ().Login (*(env.GetServer ().GetRuntime ()), " user1" " password1"
3113+ UNIT_ASSERT_EQUAL (loginResult.GetError (), " User user1 is not permitted to log in"
3114+ }
3115+
3116+ Sleep (TDuration::Seconds (5 ));
3117+
3118+ // User can login after 5 seconds. Flag IsLockedOut is false
3119+ {
3120+ auto it = client.StreamExecuteScanQuery (R"(
3121+ SELECT Sid, IsEnabled, IsLockedOut, FailedAttemptCount
3122+ FROM `Root/.sys/auth_users`
3123+ )" ).GetValueSync ();
3124+
3125+ auto expected = R"( [
3126+ [["user1"];[%true];[%false];[4u]];
3127+ ])" ;
3128+
3129+ NKqp::CompareYson (expected, NKqp::StreamResultToYson (it));
3130+ }
3131+
3132+ // User can login
3133+ {
3134+ auto loginResult = env.GetClient ().Login (*(env.GetServer ().GetRuntime ()), " user1" " password1"
3135+ UNIT_ASSERT_EQUAL (loginResult.GetError (), " "
3136+ }
3137+
3138+ // Check that FailedAttemptCount is reset
3139+ {
3140+ auto it = client.StreamExecuteScanQuery (R"(
3141+ SELECT Sid, IsEnabled, IsLockedOut, FailedAttemptCount
3142+ FROM `Root/.sys/auth_users`
3143+ )" ).GetValueSync ();
3144+
3145+ auto expected = R"( [
3146+ [["user1"];[%true];[%false];[0u]];
3147+ ])" ;
3148+
3149+ NKqp::CompareYson (expected, NKqp::StreamResultToYson (it));
3150+ }
3151+ }
3152+
30603153 Y_UNIT_TEST (AuthUsers_Access) {
30613154 TTestEnv env;
30623155 SetupAuthAccessEnvironment (env);
0 commit comments