hcq/oceanbase
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

fix validate password bug of special char

Browse Source
This commit is contained in:
yinyj17
2023-09-08 14:21:17 +08:00
committed by ob-robot
parent bb216de58d
commit 5b773f1b88
6 changed files with 33 additions and 119 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/sql/engine/expr/ob_expr_validate_password_strength.h
View File

@ -44,7 +44,6 @@ public:
const ObRawExpr &raw_expr,
ObExpr &rt_expr) const override;
static int eval_password_strength(const ObExpr &expr, ObEvalCtx &ctx, ObDatum &res_datum);
private:
static int calc_password_strength(const common::ObString &password,
const ObBasicSessionInfo &session,
int &strength);
@ -64,6 +63,7 @@ private:
const int64_t password_char_length,
const ObBasicSessionInfo &session,
bool &passed);
private:
static const int64_t VALID_PASSWORD_LENGTH_MIN = 4;
static const int64_t PASSWORD_STRENGTH_MULTIPLIER = 25;
static const ObValidatePasswordFunc validate_funcs_[STRENGTH_MAX];

2
src/sql/resolver/dcl/ob_create_user_resolver.cpp
View File

@ -169,7 +169,7 @@ int ObCreateUserResolver::resolve(const ParseNode &parse_tree)
}
create_user_stmt->set_profile_id(profile_id); //只有oracle模式profile id是有效的
if (OB_SUCC(ret)) {
if (!lib::is_oracle_mode() && OB_FAIL(check_password_strength(password, user_name))) {
if (!lib::is_oracle_mode() && OB_FAIL(check_password_strength(password))) {
LOG_WARN("password don't satisfied current policy", K(ret));
} else if (lib::is_oracle_mode() && OB_FAIL(check_oracle_password_strength(
params_.session_info_->get_effective_tenant_id(),

136
src/sql/resolver/dcl/ob_dcl_resolver.cpp
View File

@ -13,6 +13,7 @@
#define USING_LOG_PREFIX SQL_RESV
#include "observer/ob_server_struct.h"
#include "observer/ob_inner_sql_connection_pool.h"
#include "sql/engine/expr/ob_expr_validate_password_strength.h"
#include "sql/resolver/dcl/ob_dcl_resolver.h"
#include "sql/session/ob_sql_session_info.h"
#include "sql/ob_sql_utils.h"
@ -59,52 +60,47 @@ int ObDCLResolver::check_and_convert_name(ObString &db, ObString &table)
return ret;
}
int ObDCLResolver::check_password_strength(common::ObString &password, common::ObString &user_name)
int ObDCLResolver::check_password_strength(common::ObString &password)
{
int ret = OB_SUCCESS;
int64_t pw_policy = 0;
uint64_t valid_pw_len = 0;
int64_t check_user_name_flag = 0;
size_t char_len = ObCharset::strlen_char(ObCharset::get_system_collation(), password.ptr(),
static_cast<int64_t>(password.length()));
bool passed = true;
if (OB_ISNULL(session_info_)) {
ret = OB_NOT_INIT;
LOG_WARN("Session info is not inited", K(ret));
// 0 代表密码政策为low, 1代表密码政策为medium
} else if (OB_FAIL(session_info_->get_sys_variable(share::SYS_VAR_VALIDATE_PASSWORD_POLICY, pw_policy))) {
LOG_WARN("fail to get validate_password_policy variable", K(ret));
} else if (OB_FAIL(session_info_->get_sys_variable(share::SYS_VAR_VALIDATE_PASSWORD_LENGTH, valid_pw_len))) {
LOG_WARN("fail to get validate_password_length variable", K(ret));
} else if (ObPasswordPolicy::LOW == pw_policy) {
if (OB_FAIL(check_password_len(password, valid_pw_len))) {
LOG_WARN("password len dont satisfied current pw policy", K(ret));
}
} else if (ObPasswordPolicy::MEDIUM == pw_policy) {
uint64_t valid_pw_len = 0;
int64_t check_user_name_flag = 0;
uint64_t mix_case_count = 0;
uint64_t number_count = 0;
uint64_t special_char_count = 0;
if (OB_FAIL(session_info_->get_sys_variable(share::SYS_VAR_VALIDATE_PASSWORD_CHECK_USER_NAME, check_user_name_flag))) {
} else if (OB_FAIL(session_info_->get_sys_variable(share::SYS_VAR_VALIDATE_PASSWORD_CHECK_USER_NAME, check_user_name_flag))) {
LOG_WARN("fail to get validate_password_check_user_name variable", K(ret));
} else if (OB_FAIL(session_info_->get_sys_variable(share::SYS_VAR_VALIDATE_PASSWORD_NUMBER_COUNT, number_count))) {
LOG_WARN("fail to get validate_password_number_count variable", K(ret));
} else if (OB_FAIL(session_info_->get_sys_variable(share::SYS_VAR_VALIDATE_PASSWORD_SPECIAL_CHAR_COUNT, special_char_count))) {
LOG_WARN("fail to get validate_password_length variable", K(ret));
} else if (OB_FAIL(session_info_->get_sys_variable(share::SYS_VAR_VALIDATE_PASSWORD_MIXED_CASE_COUNT, mix_case_count))) {
LOG_WARN("fail to get validate_password_mixed_case_count variable", K(ret));
} else if (OB_FAIL(check_number_count(password, number_count))) {
LOG_WARN("password number count not satisfied current pw policy", K(ret));
} else if (OB_FAIL(check_special_char_count(password, special_char_count))) {
LOG_WARN("password special char count not satisfied current pw policy", K(ret));
} else if (OB_FAIL(check_mixed_case_count(password, mix_case_count))) {
LOG_WARN("password mixed case count not satisfied current pw policy", K(ret));
} else if (!check_user_name_flag && OB_FAIL(check_user_name(password, user_name))) {
} else if (!check_user_name_flag && OB_FAIL(check_user_name(password, session_info_->get_user_name()))) {
LOG_WARN("password cannot be the same with user name", K(ret));
} else if (OB_FAIL(check_password_len(password, valid_pw_len))) {
} else if (OB_FAIL(ObExprValidatePasswordStrength::validate_password_low(password,
char_len,
*session_info_,
passed))) {
LOG_WARN("password len dont satisfied current pw policy", K(ret));
} else if (ObPasswordPolicy::LOW == pw_policy) {
// do nothing
} else if (ObPasswordPolicy::MEDIUM == pw_policy) {
if (OB_FAIL(ObExprValidatePasswordStrength::validate_password_medium(password,
char_len,
*session_info_,
passed))) {
LOG_WARN("password len dont satisfied current pw policy", K(ret));
}
} else {
ret = OB_ERR_UNEXPECTED;
LOG_WARN("the value of password policy is unexpectd", K(ret));
}
if (OB_SUCC(ret)) {
if (OB_UNLIKELY(!passed)) {
ret = OB_ERR_NOT_VALID_PASSWORD;
LOG_WARN("the password is not valid", K(ret));
}
}
return ret;
}
@ -183,85 +179,7 @@ int ObDCLResolver::check_oracle_password_strength(int64_t tenant_id,
return ret;
}
int ObDCLResolver::check_number_count(common::ObString &password, const int64_t &number_count)
{
int ret = OB_SUCCESS;
int64_t count = 0;
for (int i = 0; OB_SUCC(ret) && i < password.length(); ++i) {
if (password[i] >= '0' && password[i] <= '9') {
count++;
}
if (count >= number_count) {
break;
}
}
if (OB_SUCC(ret)) {
if (number_count > count) {
ret = OB_ERR_NOT_VALID_PASSWORD;
LOG_WARN("the password is not valid", K(ret));
}
}
return ret;
}
int ObDCLResolver::check_special_char_count(common::ObString &password, const int64_t &special_char_count)
{
int ret = OB_SUCCESS;
int64_t count = 0;
for (int i = 0; OB_SUCC(ret) && i < password.length(); ++i) {
if ((password[i] >= '!' && password[i] <= '/')||
(password[i] >= ':' && password[i] <= '?')) {
count++;
}
if (count >= special_char_count) {
break;
}
}
if (OB_SUCC(ret)) {
if (special_char_count > count) {
ret = OB_ERR_NOT_VALID_PASSWORD;
LOG_WARN("the password is not valid", K(ret));
}
}
return ret;
}
int ObDCLResolver::check_mixed_case_count(common::ObString &password, const int64_t &mix_case_count)
{
int ret = OB_SUCCESS;
int64_t lower_count = 0;
int64_t upper_count = 0;
for (int i = 0; OB_SUCC(ret) && i < password.length(); ++i) {
if (islower(password[i])) {
lower_count++;
} else if (isupper(password[i])) {
upper_count++;
}
if (lower_count >= mix_case_count && upper_count >= mix_case_count) {
break;
}
}
if (OB_SUCC(ret)) {
if (mix_case_count > lower_count || mix_case_count > upper_count) {
ret = OB_ERR_NOT_VALID_PASSWORD;
LOG_WARN("the password is not valid", K(ret));
}
}
return ret;
}
int ObDCLResolver::check_password_len(common::ObString &password, const int64_t &password_len)
{
int ret = OB_SUCCESS;
if (password.length() < password_len) {
ret = OB_ERR_NOT_VALID_PASSWORD;
LOG_WARN("the password is not valid", K(ret));
}
return ret;
}
int ObDCLResolver::check_user_name(common::ObString &password, common::ObString &user_name)
int ObDCLResolver::check_user_name(common::ObString &password, const common::ObString &user_name)
{
int ret = OB_SUCCESS;
if (ObCharset::case_insensitive_equal(password, user_name)) {

8
src/sql/resolver/dcl/ob_dcl_resolver.h
View File

@ -35,12 +35,8 @@ public:
bool skip_enclosed_char = false);
protected:
int check_and_convert_name(common::ObString &db, common::ObString &table);
int check_password_strength(common::ObString &password, common::ObString &user_name);
int check_number_count(common::ObString &password, const int64_t &number_count);
int check_special_char_count(common::ObString &password, const int64_t &special_char_count);
int check_mixed_case_count(common::ObString &password, const int64_t &mix_case_count);
int check_user_name(common::ObString &password, common::ObString &user_name);
int check_password_len(common::ObString &password, const int64_t &password_len);
int check_password_strength(common::ObString &password);
int check_user_name(common::ObString &password, const common::ObString &user_name);
int check_oracle_password_strength(int64_t tenant_id,
int64_t profile_id,
common::ObString &password,

2
src/sql/resolver/dcl/ob_grant_resolver.cpp
View File

@ -1337,7 +1337,7 @@ int ObGrantResolver::resolve_mysql(const ParseNode &parse_tree)
if (OB_ISNULL(user_node->children_[2])) {
ret = OB_ERR_PARSE_SQL;
LOG_WARN("The child 2 of user_node should not be NULL", K(ret));
} else if (OB_FAIL(check_password_strength(pwd, user_name))) {
} else if (OB_FAIL(check_password_strength(pwd))) {
LOG_WARN("fail to check password strength", K(ret));
} else if (0 == user_node->children_[2]->value_) {
if (!ObSetPasswordResolver::is_valid_mysql41_passwd(pwd)) {

2
src/sql/resolver/dcl/ob_set_password_resolver.cpp
View File

@ -156,7 +156,7 @@ int ObSetPasswordResolver::resolve(const ParseNode &parse_tree)
} else {
ObString password(static_cast<int32_t>(node->children_[1]->str_len_),
node->children_[1]->str_value_);
if (!lib::is_oracle_mode() && OB_FAIL(check_password_strength(password, user_name))) {
if (!lib::is_oracle_mode() && OB_FAIL(check_password_strength(password))) {
LOG_WARN("fail to check password strength", K(ret));
} else if (lib::is_oracle_mode() && OB_FAIL(
resolve_oracle_password_strength(user_name, host_name, password))) {