

commit - a21c0e6acf9ee1b818150d2f5ce8a40fc861f20d
commit + 952d15827b9a299e6a13a8f0e3a0f3b0c36118cc
blob - /dev/null
blob + a91a7707d26d5dc2f80b01ca6577b3cdf3b72012 (mode 644)
--- /dev/null
+++ changelogs/unreleased/gh-8967-creds-consider-auth-type.md
@@ -0,0 +1,5 @@
+## feature/config
+
+* Now a password hash (and salt) will be regenerated for users managed
+  in the configuration file if `security.auth_type` differs from a user's
+  `auth_type` (gh-8967).
blob - 5723fea63e398a1f6ed425860ccbff004c04e0ff
blob + 6e088f412cb0ea517d855827e3159720111526c1
--- src/box/lua/config/applier/credentials.lua
+++ src/box/lua/config/applier/credentials.lua
@@ -631,18 +631,15 @@ local function set_password(user_name, password)
     end
 
     local auth_type = auth_def['chap-sha1'] and 'chap-sha1' or 'pap-sha256'
+
+    local new_password = false
 
     if auth_type == 'chap-sha1' then
         local current_hash = auth_def['chap-sha1']
 
         local new_hash = box.schema.user.password(password)
-        if new_hash == current_hash then
-            log.verbose('credentials.apply: a password is already set ' ..
-                        'for user %q', user_name)
-        else
-            log.verbose('credentials.apply: set a password for user %q',
-                        user_name)
-            box.schema.user.passwd(user_name, password)
+        if new_hash ~= current_hash then
+            new_password = true
         end
     else
         assert(auth_def['pap-sha256'])
@@ -651,16 +648,30 @@ local function set_password(user_name, password)
 
         local new_hash = digest.sha256(current_salt .. password)
         if new_hash == current_hash then
+            -- Note: passwd() generated new random salt, it will be different
+            -- from current_salt.
+            new_password = true
+        end
+    end
+
+    if not new_password then
+        -- Note that security.auth_type is applied by box_cfg applier.
+        -- It is executed before credentials applier, so the current
+        -- box.cfg.auth_type is already set.
+        if box.cfg.auth_type == auth_type then
             log.verbose('credentials.apply: a password is already set ' ..
                         'for user %q', user_name)
         else
-            log.verbose('credentials.apply: set a password for user %q',
-                        user_name)
-            -- Note: passwd() generated new random salt, it will be different
-            -- from current_salt.
+            log.verbose('credentials.apply: a password for user %q has ' ..
+                        'different auth_type, resetting it', user_name)
             box.schema.user.passwd(user_name, password)
         end
+    else
+        log.verbose('credentials.apply: set a password for user %q',
+                    user_name)
+        box.schema.user.passwd(user_name, password)
     end
+
 end
 
 local function create_users(user_map)
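Review bot: The pap-sha256 branch sets `new_password = true` under `if new_hash == current_hash then`, the opposite of the chap-sha1 branch (`~=`) and of the removed code, which only called passwd() on a mismatch. As written, a user whose configured password already matches gets a fresh hash and salt on every apply, while a password that was actually changed in the config falls through to the auth_type check and, when box.cfg.auth_type is already pap-sha256, is logged as "already set" and never stored. The comparison should be `if new_hash ~= current_hash then`. The "passwd() generated new random salt" note explains why the hashes cannot be compared after the call, so it reads better next to the passwd() calls below than inside this condition. set_password starts before this hunk.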
blob - 5a91a0d2bff8b5d3a194b59557b21d9c51368ece
blob + e5e76322d1b3e83bbdcb0ca9b5003eca21919ad9
--- test/config-luatest/credentials_applier_test.lua
+++ test/config-luatest/credentials_applier_test.lua
@@ -1296,3 +1296,52 @@ g.test_lua_eval_lua_call_sql = function()
         end
     })
 end
+
+g.test_consider_auth_type_for_passwods = function(g)
+    t.tarantool.skip_if_not_enterprise()
+
+    helpers.reload_success_case(g, {
+        options = {
+            credentials = {
+                users = {
+                    guest = {
+                        roles = { 'super' }
+                    },
+                    myuser = {
+                        password = 'secret',
+                    },
+                },
+            },
+            security = {
+                auth_type = 'chap-sha1',
+            },
+        },
+        verify = function()
+            t.assert_equals(box.cfg.auth_type, 'chap-sha1')
+
+            local password_def = box.space._user.index.name:get({'myuser'})[5]
+            t.assert_equals(type(password_def['chap-sha1']), 'string')
+        end,
+        options_2 = {
+            credentials = {
+                users = {
+                    guest = {
+                        roles = { 'super' }
+                    },
+                    myuser = {
+                        password = 'secret',
+                    },
+                },
+            },
+            security = {
+                auth_type = 'pap-sha256',
+            },
+        },
+        verify_2 = function()
+            t.assert_equals(box.cfg.auth_type, 'pap-sha256')
+
+            local password_def = box.space._user.index.name:get({'myuser'})[5]
+            t.assert_equals(type(password_def['pap-sha256']), 'table')
+        end,
+    })
+end
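Review bot: The test only re-applies the same password under a different security.auth_type, so it cannot tell whether a changed password is honoured or whether the stored hash is actually usable; a second reload case that changes myuser's password between options and options_2 while keeping auth_type fixed, and a verify step that authenticates with the new credentials (via net.box, if the helper exposes the instance URI), would exercise the part of set_password this commit rewrites. verify_2 could also pin that the old entry is gone, `t.assert_equals(password_def['chap-sha1'], nil)`, assuming passwd() replaces rather than extends the auth definition. The function name has a typo: `g.test_consider_auth_type_for_passwods` should be `g.test_consider_auth_type_for_passwords`.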