diff --git a/include/common/tglobal.h b/include/common/tglobal.h
index 4e9a9bd8013..5990db467a9 100644
--- a/include/common/tglobal.h
+++ b/include/common/tglobal.h
@@ -69,6 +69,7 @@ extern EEncryptAlgor tsiEncryptAlgorithm;
 extern EEncryptScope tsiEncryptScope;
 // extern char tsAuthCode[];
 extern char tsEncryptKey[];
+extern int8_t tsEnableStrongPassword;
 // common
 extern int32_t tsMaxShellConns;
diff --git a/include/common/tmsg.h b/include/common/tmsg.h
index 82eaa2359ed..5fc02a068ef 100644
--- a/include/common/tmsg.h
+++ b/include/common/tmsg.h
@@ -1089,6 +1089,7 @@ typedef struct {
 char* sql;
 int8_t isImport;
 int8_t createDb;
+ char longPass[TSDB_USET_PASSWORD_LONGLEN];
 } SCreateUserReq;
 int32_t tSerializeSCreateUserReq(void* buf, int32_t bufLen, SCreateUserReq* pReq);
@@ -1159,6 +1160,7 @@ typedef struct {
 int64_t privileges;
 int32_t sqlLen;
 char* sql;
+ char longPass[TSDB_USET_PASSWORD_LONGLEN];
 } SAlterUserReq;
 int32_t tSerializeSAlterUserReq(void* buf, int32_t bufLen, SAlterUserReq* pReq);
diff --git a/include/util/tdef.h b/include/util/tdef.h
index f08697b0d42..1facb2074d7 100644
--- a/include/util/tdef.h
+++ b/include/util/tdef.h
@@ -297,9 +297,10 @@ typedef enum ELogicConditionType {
 #define TSDB_AUTH_LEN 16
 #define TSDB_PASSWORD_MIN_LEN 8
-#define TSDB_PASSWORD_MAX_LEN 16
+#define TSDB_PASSWORD_MAX_LEN 255
 #define TSDB_PASSWORD_LEN 32
 #define TSDB_USET_PASSWORD_LEN 129
+#define TSDB_USET_PASSWORD_LONGLEN 256
 #define TSDB_VERSION_LEN 32
 #define TSDB_LABEL_LEN 16
 #define TSDB_JOB_STATUS_LEN 32
diff --git a/source/common/src/msg/tmsg.c b/source/common/src/msg/tmsg.c
index 7a51669d463..ff60c120d18 100644
--- a/source/common/src/msg/tmsg.c
+++ b/source/common/src/msg/tmsg.c
@@ -2007,6 +2007,7 @@ int32_t tSerializeSCreateUserReq(void *buf, int32_t bufLen, SCreateUserReq *pReq
 ENCODESQL();
 TAOS_CHECK_EXIT(tEncodeI8(&encoder, pReq->isImport));
 TAOS_CHECK_EXIT(tEncodeI8(&encoder, pReq->createDb));
+ TAOS_CHECK_EXIT(tEncodeCStr(&encoder, pReq->longPass));
 tEndEncode(&encoder);
@@ -2047,6 +2048,9 @@ int32_t tDeserializeSCreateUserReq(void *buf, int32_t bufLen, SCreateUserReq *pR
 TAOS_CHECK_EXIT(tDecodeI8(&decoder, &pReq->createDb));
 TAOS_CHECK_EXIT(tDecodeI8(&decoder, &pReq->isImport));
 }
+ if (!tDecodeIsEnd(&decoder)) {
+ TAOS_CHECK_EXIT(tDecodeCStrTo(&decoder, pReq->longPass));
+ }
 tEndDecode(&decoder);
@@ -2402,6 +2406,7 @@ int32_t tSerializeSAlterUserReq(void *buf, int32_t bufLen, SAlterUserReq *pReq)
 TAOS_CHECK_EXIT(tEncodeI64(&encoder, pReq->privileges));
 ENCODESQL();
 TAOS_CHECK_EXIT(tEncodeU8(&encoder, pReq->flag));
+ TAOS_CHECK_EXIT(tEncodeCStr(&encoder, pReq->longPass));
 tEndEncode(&encoder);
 _exit:
@@ -2453,6 +2458,9 @@ int32_t tDeserializeSAlterUserReq(void *buf, int32_t bufLen, SAlterUserReq *pReq
 if (!tDecodeIsEnd(&decoder)) {
 TAOS_CHECK_EXIT(tDecodeU8(&decoder, &pReq->flag));
 }
+ if (!tDecodeIsEnd(&decoder)) {
+ TAOS_CHECK_EXIT(tDecodeCStrTo(&decoder, pReq->longPass));
+ }
 tEndDecode(&decoder);
 _exit:
diff --git a/source/common/src/tglobal.c b/source/common/src/tglobal.c
index 83b1845fd4d..a16457dccdf 100644
--- a/source/common/src/tglobal.c
+++ b/source/common/src/tglobal.c
@@ -58,6 +58,7 @@ EEncryptScope tsiEncryptScope = 0;
 // char tsAuthCode[500] = {0};
 // char tsEncryptKey[17] = {0};
 char tsEncryptKey[17] = {0};
+int8_t tsEnableStrongPassword = 1;
 // common
 int32_t tsMaxShellConns = 50000;
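Review bot: In the `@@ -2047` hunk of tDeserializeSCreateUserReq, `tDecodeCStrTo(&decoder, pReq->longPass)` is called without a destination size, so nothing visible here keeps the decoded string within the fixed `longPass[TSDB_USET_PASSWORD_LONGLEN]` field; the same call is added to tDeserializeSAlterUserReq in the `@@ -2453` hunk. The helper's body is outside this diff, so if it already bounds the copy this is only a missing comment, but if it copies the encoded length as sent, an oversized string in a request from the network is written past the struct member. I would decode the length first and fail the request when it does not fit, in the shape of `if (len >= sizeof(pReq->longPass)) { /* reject the message */ }`, before copying. Both function bodies start and end outside their hunks.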
@@ -838,6 +839,7 @@ static int32_t taosAddServerCfg(SConfig *pCfg) {
 TAOS_CHECK_RETURN(cfgAddString(pCfg, "encryptAlgorithm", tsEncryptAlgorithm, CFG_SCOPE_SERVER, CFG_DYN_NONE, CFG_CATEGORY_GLOBAL));
 TAOS_CHECK_RETURN(cfgAddString(pCfg, "encryptScope", tsEncryptScope, CFG_SCOPE_SERVER, CFG_DYN_NONE,CFG_CATEGORY_GLOBAL));
+ TAOS_CHECK_RETURN(cfgAddBool(pCfg, "enableStrongPassword", tsEnableStrongPassword, CFG_SCOPE_SERVER, CFG_DYN_SERVER,CFG_CATEGORY_GLOBAL));
 TAOS_CHECK_RETURN(cfgAddInt32(pCfg, "statusInterval", tsStatusInterval, 1, 30, CFG_SCOPE_SERVER, CFG_DYN_SERVER_LAZY,CFG_CATEGORY_GLOBAL));
 TAOS_CHECK_RETURN(cfgAddInt32(pCfg, "maxShellConns", tsMaxShellConns, 10, 50000000, CFG_SCOPE_SERVER, CFG_DYN_SERVER_LAZY, CFG_CATEGORY_LOCAL));
@@ -1527,6 +1529,9 @@ static int32_t taosSetServerCfg(SConfig *pCfg) {
 TAOS_CHECK_RETURN(taosCheckCfgStrValueLen(pItem->name, pItem->str, 100));
 tstrncpy(tsEncryptScope, pItem->str, 100);
+ TAOS_CHECK_GET_CFG_ITEM(pCfg, pItem, "enableStrongPassword");
+ tsEnableStrongPassword = pItem->i32;
+
 TAOS_CHECK_GET_CFG_ITEM(pCfg, pItem, "numOfRpcThreads");
 tsNumOfRpcThreads = pItem->i32;
@@ -2518,7 +2523,8 @@ static int32_t taosCfgDynamicOptionsForServer(SConfig *pCfg, const char *name) {
 {"arbHeartBeatIntervalSec", &tsArbHeartBeatIntervalSec},
 {"arbCheckSyncIntervalSec", &tsArbCheckSyncIntervalSec},
 {"arbSetAssignedTimeoutSec", &tsArbSetAssignedTimeoutSec},
- {"queryNoFetchTimeoutSec", &tsQueryNoFetchTimeoutSec}};
+ {"queryNoFetchTimeoutSec", &tsQueryNoFetchTimeoutSec},
+ {"enableStrongPassword", &tsEnableStrongPassword}};
 if ((code = taosCfgSetOption(debugOptions, tListLen(debugOptions), pItem, true)) != TSDB_CODE_SUCCESS) {
 code = taosCfgSetOption(options, tListLen(options), pItem, false);
diff --git a/source/dnode/mnode/impl/src/mndUser.c b/source/dnode/mnode/impl/src/mndUser.c
index 5b2a5fa8aa6..8572c954c80 100644
--- a/source/dnode/mnode/impl/src/mndUser.c
+++ b/source/dnode/mnode/impl/src/mndUser.c
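Review bot: The `enableStrongPassword` item added to taosAddServerCfg in the `@@ -838` hunk is a security control registered as `CFG_DYN_SERVER`, so it can be relaxed on a running cluster, and nothing next to the registration says what it gates. I would add a comment above the `cfgAddBool` line such as `// enableStrongPassword: 1 (default) enforces mndCheckPasswordFmt on CREATE/ALTER USER; 0 skips only that format check, the length limits still apply`. Whether a change to this item is recorded in an audit trail is not visible in the diff; if it is not, that deserves a follow-up, because every password set while it is off escapes the format rule.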
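Review bot: In the `@@ -1527` hunk of taosSetServerCfg, `tsEnableStrongPassword = pItem->i32;` reads the integer member of an item that was registered with `cfgAddBool`, and stores it in an `int8_t`. The config item type is declared outside this diff, so this is inferred: if booleans are kept in a different member from `i32`, the value read here includes bytes the bool setter never wrote and is then narrowed to 8 bits, which makes the state of a password-policy switch depend on layout. Reading the item's boolean member and declaring the global as `bool` would keep declaration, registration and load on one type. The variable is also added to the `options` table in the `@@ -2518` hunk beside other settings, so it is worth confirming that `taosCfgSetOption` writes it with the width of a bool.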
@@ -1705,11 +1705,22 @@ static int32_t mndCreateUser(SMnode *pMnode, char *acct, SCreateUserReq *pCreate
 int32_t code = 0;
 int32_t lino = 0;
 SUserObj userObj = {0};
+ char pass[TSDB_USET_PASSWORD_LONGLEN] = {0};
+
+ int32_t len = strlen(pCreate->longPass);
+
+ if (len > 0) {
+ strncpy(pass, pCreate->longPass, TSDB_USET_PASSWORD_LONGLEN);
+ } else {
+ len = strlen(pCreate->pass);
+ strncpy(pass, pCreate->pass, TSDB_PASSWORD_LEN);
+ }
+
 if (pCreate->isImport != 1) {
- taosEncryptPass_c((uint8_t *)pCreate->pass, strlen(pCreate->pass), userObj.pass);
+ taosEncryptPass_c((uint8_t *)pass, strlen(pass), userObj.pass);
 } else {
 // mInfo("pCreate->pass:%s", pCreate->eass)
- memcpy(userObj.pass, pCreate->pass, TSDB_PASSWORD_LEN);
+ memcpy(userObj.pass, pass, TSDB_PASSWORD_LEN);
 }
 tstrncpy(userObj.user, pCreate->user, TSDB_USER_LEN);
 tstrncpy(userObj.acct, acct, TSDB_USER_LEN);
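Review bot: `strncpy(pass, pCreate->longPass, TSDB_USET_PASSWORD_LONGLEN)` in mndCreateUser leaves `pass` without a terminator when the source fills all 256 bytes, and the next use is `strlen(pass)`, which would then read past the buffer; the same copy is added in mndProcessCreateUserReq (`@@ -1884`) and mndProcessAlterUserReq (`@@ -2376`). The file already uses `tstrncpy` on the last two context lines of this hunk, so `tstrncpy(pass, pCreate->longPass, sizeof(pass));` would keep the copy bounded and terminated. `len` is assigned in both branches but not used in the visible lines, so it should either be passed to `taosEncryptPass_c` in place of the second `strlen` or be dropped. The function body continues outside the hunk.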
@@ -1884,16 +1895,28 @@ static int32_t mndProcessCreateUserReq(SRpcMsg *pReq) {
 TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_USER_FORMAT, &lino, _OVER);
 }
- int32_t len = strlen(createReq.pass);
+ char pass[TSDB_USET_PASSWORD_LONGLEN] = {0};
+
+ int32_t len = strlen(createReq.longPass);
+
+ if (len > 0) {
+ strncpy(pass, createReq.longPass, TSDB_USET_PASSWORD_LONGLEN);
+ } else {
+ len = strlen(createReq.pass);
+ strncpy(pass, createReq.pass, TSDB_PASSWORD_LEN);
+ }
+
 if (createReq.isImport != 1) {
- if (mndCheckPasswordMinLen(createReq.pass, len) != 0) {
+ if (mndCheckPasswordMinLen(pass, len) != 0) {
 TAOS_CHECK_GOTO(TSDB_CODE_PAR_PASSWD_TOO_SHORT_OR_EMPTY, &lino, _OVER);
 }
- if (mndCheckPasswordMaxLen(createReq.pass, len) != 0) {
+ if (mndCheckPasswordMaxLen(pass, len) != 0) {
 TAOS_CHECK_GOTO(TSDB_CODE_PAR_NAME_OR_PASSWD_TOO_LONG, &lino, _OVER);
 }
- if (mndCheckPasswordFmt(createReq.pass, len) != 0) {
- TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
+ if (tsEnableStrongPassword) {
+ if (mndCheckPasswordFmt(pass, len) != 0) {
+ TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
+ }
 }
 }
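Review bot: In the fallback branch of mndProcessCreateUserReq, `strncpy(pass, createReq.pass, TSDB_PASSWORD_LEN)` copies at most 32 bytes while `len` keeps the full `strlen(createReq.pass)`, so the three checks below run with a length that no longer describes `pass`. With `TSDB_PASSWORD_MAX_LEN` raised to 255 in this commit, a password of 33 or more characters sent in the legacy field would presumably pass `mndCheckPasswordMaxLen`, and mndCreateUser (`@@ -1705`) applies the same 32-byte bound before hashing, so only a prefix would be stored; this assumes the legacy field can hold that many characters, since its declaration is outside the diff. The alter path in `@@ -2376` uses `TSDB_USET_PASSWORD_LEN` for the same copy, and the create path should match it for the non-import case, `tstrncpy(pass, createReq.pass, TSDB_USET_PASSWORD_LEN);`, keeping the 32-byte copy only when `isImport == 1`. Choosing the effective password once in a small helper shared by the three call sites would stop the bounds from drifting apart.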
@@ -2376,16 +2399,27 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) {
 TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_USER_FORMAT, &lino, _OVER);
 }
+ char userSetPass[TSDB_USET_PASSWORD_LONGLEN] = {0};
+ int32_t len = strlen(alterReq.longPass);
+
 if (TSDB_ALTER_USER_PASSWD == alterReq.alterType) {
- int32_t len = strlen(alterReq.pass);
- if (mndCheckPasswordMinLen(alterReq.pass, len) != 0) {
+ if (len > 0) {
+ strncpy(userSetPass, alterReq.longPass, TSDB_USET_PASSWORD_LONGLEN);
+ } else {
+ len = strlen(alterReq.pass);
+ strncpy(userSetPass, alterReq.pass, TSDB_USET_PASSWORD_LEN);
+ }
+
+ if (mndCheckPasswordMinLen(userSetPass, len) != 0) {
 TAOS_CHECK_GOTO(TSDB_CODE_PAR_PASSWD_TOO_SHORT_OR_EMPTY, &lino, _OVER);
 }
- if (mndCheckPasswordMaxLen(alterReq.pass, len) != 0) {
+ if (mndCheckPasswordMaxLen(userSetPass, len) != 0) {
 TAOS_CHECK_GOTO(TSDB_CODE_PAR_NAME_OR_PASSWD_TOO_LONG, &lino, _OVER);
 }
- if (mndCheckPasswordFmt(alterReq.pass, len) != 0) {
- TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
+ if (tsEnableStrongPassword) {
+ if (mndCheckPasswordFmt(userSetPass, len) != 0) {
+ TAOS_CHECK_GOTO(TSDB_CODE_MND_INVALID_PASS_FORMAT, &lino, _OVER);
+ }
 }
 }
@@ -2402,7 +2436,8 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) {
 if (alterReq.alterType == TSDB_ALTER_USER_PASSWD) {
 char pass[TSDB_PASSWORD_LEN + 1] = {0};
- taosEncryptPass_c((uint8_t *)alterReq.pass, strlen(alterReq.pass), pass);
+
+ taosEncryptPass_c((uint8_t *)userSetPass, len, pass);
 (void)memcpy(newUser.pass, pass, TSDB_PASSWORD_LEN);
 if (0 != strncmp(pUser->pass, pass, TSDB_PASSWORD_LEN)) {
 ++newUser.passVersion;
diff --git a/tests/army/cluster/strongPassword.py b/tests/army/cluster/strongPassword.py
new file mode 100644
index 00000000000..01dba7f394c
--- /dev/null
+++ b/tests/army/cluster/strongPassword.py
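Review bot: `userSetPass` in mndProcessAlterUserReq keeps the clear-text password in a function-scope stack buffer from the `@@ -2376` hunk until the handler returns, although its last visible use is `taosEncryptPass_c((uint8_t *)userSetPass, len, pass);` in the `@@ -2402` hunk; the `pass` buffers added in mndCreateUser and mndProcessCreateUserReq have the same lifetime. Wiping the buffer right after the hash is computed, with a routine the compiler cannot optimise away, shortens the window in which a core dump or stack reuse exposes it. The selection itself deserves a comment, for example `// longPass takes precedence when non-empty; pass is used only when longPass is empty`. The handler starts and ends outside both hunks.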
@@ -0,0 +1,52 @@
+import taos
+import sys
+import os
+import subprocess
+import glob
+import shutil
+import time
+
+from frame.log import *
+from frame.cases import *
+from frame.sql import *
+from frame.srvCtl import *
+from frame.caseBase import *
+from frame import *
+from frame.autogen import *
+from frame import epath
+# from frame.server.dnodes import *
+# from frame.server.cluster import *
+
+
+class TDTestCase(TBase):
+
+ def init(self, conn, logSql, replicaVar=1):
+ super(TDTestCase, self).init(conn, logSql, replicaVar=1, checkColName="c1")
+
+ tdSql.init(conn.cursor(), logSql)
+
+ def run(self):
+ # strong
+ tdSql.error("create user test pass '12345678' sysinfo 0;", expectErrInfo="Invalid password format")
+
+ tdSql.execute("create user test pass '12345678@Abc' sysinfo 0;")
+
+ tdSql.error("alter user test pass '23456789'", expectErrInfo="Invalid password format")
+
+ tdSql.execute("alter user test pass '23456789@Abc';")
+
+ # change setting
+ tdSql.execute("ALTER ALL DNODES 'enableStrongPassword' '0'")
+
+ # weak
+ tdSql.execute("create user test1 pass '12345678' sysinfo 0;")
+
+ tdSql.execute("alter user test1 pass '12345678';")
+
+ def stop(self):
+ tdSql.close()
+ tdLog.success(f"{__file__} successfully executed")
+
+
+tdCases.addLinux(__file__, TDTestCase())
+tdCases.addWindows(__file__, TDTestCase())
diff --git a/tests/parallel_test/cases.task b/tests/parallel_test/cases.task
index 0201c88d2b2..3486b04e407 100644
--- a/tests/parallel_test/cases.task
+++ b/tests/parallel_test/cases.task
@@ -72,6 +72,7 @@
 ,,n,army,python3 ./test.py -f tmq/drop_lost_comsumers.py
 ,,y,army,./pytest.sh python3 ./test.py -f cmdline/taosCli.py
 ,,n,army,python3 ./test.py -f whole/checkErrorCode.py
+,,y,army,./pytest.sh python3 ./test.py -f cluster/strongPassword.py
 # # system test
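Review bot: `run` in strongPassword.py switches `enableStrongPassword` to `'0'` on all dnodes and never sets it back, and it leaves the users `test` and `test1` behind, so any later case that shares the cluster runs with the format check disabled. It also covers only the format toggle: no statement uses a password longer than 16 characters, so the new `longPass` field, the raised maximum length and the over-length rejection that this commit adds are untested. I would add a long-password create/alter pair and an over-length negative case, and finish with `tdSql.execute("ALTER ALL DNODES 'enableStrongPassword' '1'")` plus `drop user` statements for both accounts.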