config: add security section to schema

Lord-KA · Lord-KA · commit 429f968dee09 · 2023-07-27T09:34:24.000Z
The following box.cfg options were described in instance_config with defaults similar to ones in box.cfg: * auth_type * auth_delay * disable_guest * password_lifetime_days * password_min_length * password_enforce_uppercase * password_enforce_lowercase * password_enforce_digits * password_enforce_specialchars * password_history_length Part of tarantool#8861 NO_DOC=tarantool/doc#3544 links the most actual schema, no need to update the issue.
diff --git a/changelogs/unreleased/gh-8861-security-options.md b/changelogs/unreleased/gh-8861-security-options.md
@@ -0,0 +1,4 @@
+## feature/config
+
+* All security hardening `box.cfg{}` options are now supported by
+  config (gh-8861).
diff --git a/src/box/lua/config/instance_config.lua b/src/box/lua/config/instance_config.lua
@@ -1295,6 +1295,68 @@ return schema.new('instance_config', schema.record({
             default = 16384,
         })),
     }),
+    security = schema.record({
+        auth_type = schema.enum({
+            'chap-sha1',
+            'pap-sha256',
+        }, {
+            box_cfg = 'auth_type',
+            default = 'chap-sha1',
+            validate = function(auth_type, w)
+                if auth_type ~= 'chap-sha1' and
+                        tarantool.package ~= 'Tarantool Enterprise' then
+                    w.error('"chap-sha1" is the only authentication method ' ..
+                            '(auth_type) available in Tarantool Community ' ..
+                            'Edition (%q requested)', auth_type)
+                end
+            end,
+        }),
+        auth_delay = enterprise_edition(schema.scalar({
+            type = 'number',
+            default = 0,
+            box_cfg = 'auth_delay',
+        })),
+        disable_guest = enterprise_edition(schema.scalar({
+            type = 'boolean',
+            default = false,
+            box_cfg = 'disable_guest',
+        })),
+        password_lifetime_days = enterprise_edition(schema.scalar({
+            type = 'integer',
+            default = 0,
+            box_cfg = 'password_lifetime_days',
+        })),
+        password_min_length = enterprise_edition(schema.scalar({
+            type = 'integer',
+            default = 0,
+            box_cfg = 'password_min_length',
+        })),
+        password_enforce_uppercase = enterprise_edition(schema.scalar({
+            type = 'boolean',
+            default = false,
+            box_cfg = 'password_enforce_uppercase',
+        })),
+        password_enforce_lowercase = enterprise_edition(schema.scalar({
+            type = 'boolean',
+            default = false,
+            box_cfg = 'password_enforce_lowercase',
+        })),
+        password_enforce_digits = enterprise_edition(schema.scalar({
+            type = 'boolean',
+            default = false,
+            box_cfg = 'password_enforce_digits',
+        })),
+        password_enforce_specialchars = enterprise_edition(schema.scalar({
+            type = 'boolean',
+            default = false,
+            box_cfg = 'password_enforce_specialchars',
+        })),
+        password_history_length = enterprise_edition(schema.scalar({
+            type = 'integer',
+            default = 0,
+            box_cfg = 'password_history_length',
+        })),
+    }),
 }, {
     -- This kind of validation cannot be implemented as the
     -- 'validate' annotation of a particular schema node. There
diff --git a/test/config-luatest/cluster_config_schema_test.lua b/test/config-luatest/cluster_config_schema_test.lua
@@ -245,6 +245,20 @@ g.test_defaults = function()
             interval = 3600,
             metrics_limit = 1024*1024,
         } or nil,
+        security = is_enterprise and {
+            auth_delay = 0,
+            auth_type = "chap-sha1",
+            disable_guest = false,
+            password_enforce_digits = false,
+            password_enforce_lowercase = false,
+            password_enforce_specialchars = false,
+            password_enforce_uppercase = false,
+            password_history_length = 0,
+            password_lifetime_days = 0,
+            password_min_length = 0,
+        } or {
+            auth_type = "chap-sha1"
+        },
     }
     local res = cluster_config:apply_default({})
     t.assert_equals(res, exp)
diff --git a/test/config-luatest/config_test.lua b/test/config-luatest/config_test.lua
@@ -632,3 +632,59 @@ g.test_flightrec_options = function()
         t.assert_equals(box.cfg.flightrec_requests_size, 2000000)
     end)
 end
+
+g.test_security_options = function()
+    t.tarantool.skip_if_not_enterprise()
+    local dir = treegen.prepare_directory(g, {}, {})
+    -- guest user is required for luatest.server helper to function properly,
+    -- so it is enabled (`disable_guest: false`) unlike other options.
+    local config = [[
+        credentials:
+          users:
+            guest:
+              roles:
+              - super
+
+        iproto:
+          listen: unix/:./{{ instance_name }}.iproto
+
+        security:
+            auth_type: pap-sha256
+            auth_delay: 5
+            disable_guest: false
+            password_lifetime_days: 90
+            password_min_length: 14
+            password_enforce_uppercase: true
+            password_enforce_lowercase: true
+            password_enforce_digits: true
+            password_enforce_specialchars: true
+            password_history_length: 3
+
+        groups:
+          group-001:
+            replicasets:
+              replicaset-001:
+                instances:
+                  instance-001: {}
+    ]]
+    local config_file = treegen.write_script(dir, 'config.yaml', config)
+    local opts = {
+        config_file = config_file,
+        alias = 'instance-001',
+        chdir = dir,
+    }
+    g.server = server:new(opts)
+    g.server:start()
+    g.server:exec(function()
+        t.assert_equals(box.cfg.auth_type, 'pap-sha256')
+        t.assert_equals(box.cfg.auth_delay, 5)
+        t.assert_equals(box.cfg.disable_guest, false)
+        t.assert_equals(box.cfg.password_lifetime_days, 90)
+        t.assert_equals(box.cfg.password_min_length, 14)
+        t.assert_equals(box.cfg.password_enforce_uppercase, true)
+        t.assert_equals(box.cfg.password_enforce_lowercase, true)
+        t.assert_equals(box.cfg.password_enforce_digits, true)
+        t.assert_equals(box.cfg.password_enforce_specialchars, true)
+        t.assert_equals(box.cfg.password_history_length, 3)
+    end)
+end
diff --git a/test/config-luatest/instance_config_schema_test.lua b/test/config-luatest/instance_config_schema_test.lua
@@ -1037,18 +1037,6 @@ g.test_box_cfg_coverage = function()
         audit_format = true,
         audit_filter = true,
 
-        -- TODO: Will be added in the scope of gh-8861.
-        auth_type = true,
-        auth_delay = true,
-        disable_guest = true,
-        password_lifetime_days = true,
-        password_min_length = true,
-        password_enforce_uppercase = true,
-        password_enforce_lowercase = true,
-        password_enforce_digits = true,
-        password_enforce_specialchars = true,
-        password_history_length = true,
-
         -- TODO: Will be added in the scope of gh-8861.
         metrics = true,
     }
@@ -1233,3 +1221,62 @@ g.test_flightrec = function()
     local res = instance_config:apply_default({}).flightrec
     t.assert_equals(res, exp)
 end
+
+g.test_security_enterprise = function()
+    t.tarantool.skip_if_not_enterprise()
+
+    local iconfig = {
+        security = {
+            auth_type = 'pap-sha256',
+            auth_delay = 5,
+            disable_guest = true,
+            password_lifetime_days = 90,
+            password_min_length = 10,
+            password_enforce_uppercase = true,
+            password_enforce_lowercase = true,
+            password_enforce_digits = true,
+            password_enforce_specialchars = true,
+            password_history_length = 3,
+        }
+    }
+
+    instance_config:validate(iconfig)
+    validate_fields(iconfig.security, instance_config.schema.fields.security)
+end
+
+g.test_security_community = function()
+    t.tarantool.skip_if_enterprise()
+    local iconfig = {
+        security = {
+            auth_type = 'pap-sha256',
+        }
+    }
+
+    local ok, err = pcall(instance_config.validate, instance_config, iconfig)
+    t.assert_not(ok)
+    local exp = '[instance_config] security.auth_type: "chap-sha1" is the ' ..
+                'only authentication method (auth_type) available in ' ..
+                'Tarantool Community Edition (\"pap-sha256\" requested)'
+    t.assert_equals(err, exp)
+
+    iconfig = {
+        security = {
+            auth_type = 'chap-sha1',
+            auth_delay = 5,
+        }
+    }
+
+    ok, err = pcall(instance_config.validate, instance_config, iconfig)
+    t.assert_not(ok)
+    exp = '[instance_config] security.auth_delay: This configuration ' ..
+          'parameter is available only in Tarantool Enterprise Edition'
+    t.assert_equals(err, exp)
+
+    iconfig = {
+        security = {
+            auth_type = 'chap-sha1',
+        }
+    }
+
+    instance_config:validate(iconfig)
+end
