config: add security section to schema

Lord-KA · Lord-KA · commit 31185c48dfa0 · 2023-07-24T08:31:55.000Z
The following box.cfg options were described in instance_config with defaults similar to ones in box.cfg: * auth_type * auth_delay * disable_guest * password_lifetime_days * password_min_length * password_enforce_uppercase * password_enforce_lowercase * password_enforce_digits * password_enforce_specialchars * password_history_length Part of tarantool#8861 NO_DOC=tarantool/doc#3544 links the most actual schema, no need to update the issue.
diff --git a/changelogs/unreleased/gh-8861-security-options.md b/changelogs/unreleased/gh-8861-security-options.md
@@ -0,0 +1,3 @@
+## feature/config
+
+* All security hardening box.cfg options are now supported by config (gh-8861).
diff --git a/src/box/lua/config/instance_config.lua b/src/box/lua/config/instance_config.lua
@@ -1241,6 +1241,68 @@ return schema.new('instance_config', schema.record({
             validate = feedback_validate,
         }),
     }),
+    security = schema.record({
+        auth_type = schema.enum({
+            'chap-sha1',
+            'pap-sha256',
+        }, {
+            box_cfg = 'auth_type',
+            default = 'chap-sha1',
+            validate = function(auth_type, w)
+                if auth_type ~= 'chap-sha1' and
+                        tarantool.package ~= 'Tarantool Enterprise' then
+                    w.error('"chap-sha1" is the only auth_type available in' ..
+                            ' Tarantool Community Edition (%q requested)',
+                            auth_type)
+                end
+            end,
+        }),
+        auth_delay = enterprise_edition(schema.scalar({
+            type = 'number',
+            default = 0,
+            box_cfg = 'auth_delay',
+        })),
+        disable_guest = enterprise_edition(schema.scalar({
+            type = 'boolean',
+            default = false,
+            box_cfg = 'disable_guest',
+        })),
+        password_lifetime_days = enterprise_edition(schema.scalar({
+            type = 'integer',
+            default = 0,
+            box_cfg = 'password_lifetime_days',
+        })),
+        password_min_length = enterprise_edition(schema.scalar({
+            type = 'integer',
+            default = 0,
+            box_cfg = 'password_min_length',
+        })),
+        password_enforce_uppercase = enterprise_edition(schema.scalar({
+            type = 'boolean',
+            default = false,
+            box_cfg = 'password_enforce_uppercase',
+        })),
+        password_enforce_lowercase = enterprise_edition(schema.scalar({
+            type = 'boolean',
+            default = false,
+            box_cfg = 'password_enforce_lowercase',
+        })),
+        password_enforce_digits = enterprise_edition(schema.scalar({
+            type = 'boolean',
+            default = false,
+            box_cfg = 'password_enforce_digits',
+        })),
+        password_enforce_specialchars = enterprise_edition(schema.scalar({
+            type = 'boolean',
+            default = false,
+            box_cfg = 'password_enforce_specialchars',
+        })),
+        password_history_length = enterprise_edition(schema.scalar({
+            type = 'integer',
+            default = 0,
+            box_cfg = 'password_history_length',
+        })),
+    }),
 }, {
     -- This kind of validation cannot be implemented as the
     -- 'validate' annotation of a particular schema node. There
diff --git a/test/config-luatest/cluster_config_schema_test.lua b/test/config-luatest/cluster_config_schema_test.lua
@@ -5,6 +5,8 @@ local cluster_config = require('internal.config.cluster_config')
 
 local g = t.group()
 
+local is_enterprise = require('tarantool').package == 'Tarantool Enterprise'
+
 g.test_cluster_config = function()
     local config = {
         credentials = {
@@ -231,6 +233,20 @@ g.test_defaults = function()
             interval = 3600,
             metrics_limit = 1024*1024,
         } or nil,
+        security = is_enterprise and {
+            auth_delay = 0,
+            auth_type = "chap-sha1",
+            disable_guest = false,
+            password_enforce_digits = false,
+            password_enforce_lowercase = false,
+            password_enforce_specialchars = false,
+            password_enforce_uppercase = false,
+            password_history_length = 0,
+            password_lifetime_days = 0,
+            password_min_length = 0,
+        } or {
+            auth_type = "chap-sha1"
+        },
     }
     local res = cluster_config:apply_default({})
     t.assert_equals(res, exp)
diff --git a/test/config-luatest/config_test.lua b/test/config-luatest/config_test.lua
@@ -391,3 +391,59 @@ g.test_feedback_options = function()
         t.assert_equals(box.cfg.feedback_metrics_limit, 1000000)
     end)
 end
+
+g.test_security_options = function()
+    t.tarantool.skip_if_not_enterprise()
+    local dir = treegen.prepare_directory(g, {}, {})
+    -- guest user is required for luatest.server helper to function properly,
+    -- so it is enabled (`disable_guest: false`) unlike other options.
+    local config = [[
+        credentials:
+          users:
+            guest:
+              roles:
+              - super
+
+        iproto:
+          listen: unix/:./{{ instance_name }}.iproto
+
+        security:
+            auth_type: pap-sha256
+            auth_delay: 5
+            disable_guest: false
+            password_lifetime_days: 90
+            password_min_length: 14
+            password_enforce_uppercase: true
+            password_enforce_lowercase: true
+            password_enforce_digits: true
+            password_enforce_specialchars: true
+            password_history_length: 3
+
+        groups:
+          group-001:
+            replicasets:
+              replicaset-001:
+                instances:
+                  instance-001: {}
+    ]]
+    local config_file = treegen.write_script(dir, 'config.yaml', config)
+    local opts = {
+        config_file = config_file,
+        alias = 'instance-001',
+        chdir = dir,
+    }
+    g.server = server:new(opts)
+    g.server:start()
+    g.server:exec(function()
+        t.assert_equals(box.cfg.auth_type, 'pap-sha256')
+        t.assert_equals(box.cfg.auth_delay, 5)
+        t.assert_equals(box.cfg.disable_guest, false)
+        t.assert_equals(box.cfg.password_lifetime_days, 90)
+        t.assert_equals(box.cfg.password_min_length, 14)
+        t.assert_equals(box.cfg.password_enforce_uppercase, true)
+        t.assert_equals(box.cfg.password_enforce_lowercase, true)
+        t.assert_equals(box.cfg.password_enforce_digits, true)
+        t.assert_equals(box.cfg.password_enforce_specialchars, true)
+        t.assert_equals(box.cfg.password_history_length, 3)
+    end)
+end
diff --git a/test/config-luatest/instance_config_schema_test.lua b/test/config-luatest/instance_config_schema_test.lua
@@ -1032,18 +1032,6 @@ g.test_box_cfg_coverage = function()
         audit_format = true,
         audit_filter = true,
 
-        -- TODO: Will be added in the scope of gh-8861.
-        auth_type = true,
-        auth_delay = true,
-        disable_guest = true,
-        password_lifetime_days = true,
-        password_min_length = true,
-        password_enforce_uppercase = true,
-        password_enforce_lowercase = true,
-        password_enforce_digits = true,
-        password_enforce_specialchars = true,
-        password_history_length = true,
-
         -- TODO: Will be added in the scope of gh-8861.
         flightrec_enabled = true,
         flightrec_logs_size = true,
@@ -1210,3 +1198,53 @@ g.test_feedback_disabled = function()
                 'without feedback reports sending support'
     t.assert_equals(err, exp)
 end
+
+g.test_security_enterprise = function()
+    t.tarantool.skip_if_not_enterprise()
+
+    local iconfig = {
+        security = {
+            auth_type = 'pap-sha256',
+            auth_delay = 5,
+            disable_guest = true,
+            password_lifetime_days = 90,
+            password_min_length = 10,
+            password_enforce_uppercase = true,
+            password_enforce_lowercase = true,
+            password_enforce_digits = true,
+            password_enforce_specialchars = true,
+            password_history_length = 3,
+        }
+    }
+
+    instance_config:validate(iconfig)
+    validate_fields(iconfig.security, instance_config.schema.fields.security)
+end
+
+g.test_security_community = function()
+    t.tarantool.skip_if_enterprise()
+    local iconfig = {
+        security = {
+            auth_type = 'pap-sha256',
+        }
+    }
+
+    local ok, err = pcall(instance_config.validate, instance_config, iconfig)
+    t.assert_not(ok)
+    local exp = '[instance_config] security.auth_type: "chap-sha1" is the ' ..
+                'only auth_type available in Tarantool Community Edition ' ..
+                '(\"pap-sha256\" requested)'
+    t.assert_equals(err, exp)
+
+    iconfig = {
+        security = {
+            auth_type = 'chap-sha1',
+            auth_delay = 5,
+        }
+    }
+
+    ok, err = pcall(instance_config.validate, instance_config, iconfig)
+    t.assert_not(ok)
+    exp = '[instance_config] security.auth_delay: This configuration parameter is available only in Tarantool Enterprise Edition'
+    t.assert_equals(err, exp)
+end

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+## feature/config`
	`2`	`+`
	`3`	`+* All security hardening box.cfg options are now supported by config (gh-8861).`