Cluster password policy and user management support (#283)

## What is the goal of this PR?

Add functionality relevant to the changes made in typedb/typedb-cluster#456:
* Optional password expiry in days for each user.
* The ability for admins to set passwords of other users
* User password update, which requires old and new password

## What are the changes implemented in this PR?

We've added the functionality that is being added in a recent TypeDB Cluster pull request:
* Support updating password now requiring both the old and the new password.
* Add support for retrieving the user password expiry in days. This is optional, depending on whether password expiration is enabled on the server.
* Allow updating password as the admin requiring only a new password.

Author: dmitrii-ubskii

.factory/automation.yml

@@ -40,6 +40,11 @@ build:
       image: vaticle-ubuntu-22.04
       type: foreground
       command: |
+        export PATH="$HOME/.local/bin:$PATH"
+        sudo apt-get update
+        sudo apt install python3-pip -y
+        python3 -m pip install -U pip
+        python3 -m pip install -r requirements_dev.txt
         export ARTIFACT_USERNAME=$REPO_VATICLE_USERNAME
         export ARTIFACT_PASSWORD=$REPO_VATICLE_PASSWORD
         bazel run @vaticle_dependencies//distribution/artifact:create-netrc

dependencies/vaticle/artifacts.bzl

@@ -29,7 +29,7 @@ def vaticle_typedb_artifacts():
         artifact_name = "typedb-server-{platform}-{version}.{ext}",
         tag_source = deployment["artifact.release"],
         commit_source = deployment["artifact.snapshot"],
-        tag = "2.14.3",
+        tag = "2.16.1",
     )
 
 def vaticle_typedb_cluster_artifacts():
@@ -39,5 +39,5 @@ def vaticle_typedb_cluster_artifacts():
         artifact_name = "typedb-cluster-all-{platform}-{version}.{ext}",
         tag_source = deployment_private["artifact.release"],
         commit_source = deployment_private["artifact.snapshot"],
-        tag = "2.13.0",
+        tag = "2.16.1",
     )

requirements.txt

@@ -35,6 +35,6 @@
 
 ## Dependencies
 
-typedb-protocol==2.14.1
+typedb-protocol==2.16.1
 grpcio>=1.43.0,<2
 protobuf>=3.15.5,<4

tests/behaviour/connection/user/user_steps.py

@@ -48,9 +48,19 @@ def step_impl(context: Context, username: str, password: str):
     _get_client(context).users().create(username, password)
 
 
-@step("user password: {username}, {password}")
+@step("users delete: {username}")
+def step_impl(context: Context, username: str):
+    _get_client(context).users().delete(username)
+
+
+@step("users password set: {username}, {password}")
 def step_impl(context: Context, username: str, password: str):
-    _get_client(context).users().get(username).password(password)
+    _get_client(context).users().password_set(username, password)
+
+
+@step("users password update: {username}, {password_old}, {password_new}")
+def step_impl(context: Context, username: str, password_old: str, password_new: str):
+    _get_client(context).users().get(username).password_update(password_old, password_new)
 
 
 @step("user connect: {username}, {password}")
@@ -59,9 +69,3 @@ def step_impl(context: Context, username: str, password: str):
     credential = TypeDBCredential(username, password, root_ca_path)
     with TypeDB.cluster_client(addresses=["127.0.0.1:" + context.config.userdata["port"]], credential=credential) as client:
         client.databases().all()
-
-
-@step("user delete: {username}")
-def step_impl(context: Context, username: str):
-    user = _get_client(context).users().get(username)
-    user.delete()

typedb/api/connection/user.py

@@ -20,7 +20,7 @@
 #
 
 from abc import ABC, abstractmethod
-from typing import List
+from typing import List, Optional
 
 
 class User(ABC):
@@ -30,28 +30,36 @@ def username(self) -> str:
         pass
 
     @abstractmethod
-    def password(self, password: str) -> None:
+    def password_expiry_days(self) -> Optional[int]:
         pass
 
     @abstractmethod
-    def delete(self) -> None:
+    def password_update(self, password_old: str, password_new: str) -> None:
         pass
 
 
 class UserManager(ABC):
 
     @abstractmethod
-    def get(self, username: str) -> User:
+    def contains(self, username: str) -> bool:
         pass
 
     @abstractmethod
-    def contains(self, username: str) -> bool:
+    def create(self, username: str, password: str) -> None:
         pass
 
     @abstractmethod
-    def create(self, username: str, password: str) -> None:
+    def delete(self, username: str) -> None:
+        pass
+
+    @abstractmethod
+    def get(self, username: str) -> User:
         pass
 
     @abstractmethod
     def all(self) -> List[User]:
         pass
+
+    @abstractmethod
+    def password_set(self, username: str, password: str) -> None:
+        pass

typedb/common/rpc/request_builder.py

@@ -100,29 +100,43 @@ def cluster_user_manager_create_req(username: str, password: str):
     return req
 
 
+def cluster_user_manager_delete_req(username: str):
+    req = cluster_user_proto.ClusterUserManager.Delete.Req()
+    req.username = username
+    return req
+
+
 def cluster_user_manager_contains_req(username: str):
     req = cluster_user_proto.ClusterUserManager.Contains.Req()
     req.username = username
     return req
 
 
-# ClusterUser
-
-def cluster_user_password_req(username: str, password: str):
-    req = cluster_user_proto.ClusterUser.Password.Req()
+def cluster_user_manager_password_set_req(username: str, password: str):
+    req = cluster_user_proto.ClusterUserManager.PasswordSet.Req()
     req.username = username
     req.password = password
     return req
 
 
-def cluster_user_token_req(username: str):
-    req = cluster_user_proto.ClusterUser.Token.Req()
+def cluster_user_manager_get_req(username: str):
+    req = cluster_user_proto.ClusterUserManager.Get.Req()
     req.username = username
     return req
 
 
-def cluster_user_delete_req(username: str):
-    req = cluster_user_proto.ClusterUser.Delete.Req()
+# ClusterUser
+
+def cluster_user_password_update_req(username: str, password_old: str, password_new: str):
+    req = cluster_user_proto.ClusterUser.PasswordUpdate.Req()
+    req.username = username
+    req.password_old = password_old
+    req.password_new = password_new
+    return req
+
+
+def cluster_user_token_req(username: str):
+    req = cluster_user_proto.ClusterUser.Token.Req()
     req.username = username
     return req
 

typedb/connection/cluster/stub.py

@@ -68,11 +68,17 @@ def users_contains(self, req: cluster_user_proto.ClusterUserManager.Contains.Req
     def users_create(self, req: cluster_user_proto.ClusterUserManager.Create.Req) -> cluster_user_proto.ClusterUserManager.Create.Res:
         return self.may_renew_token(lambda: self._cluster_stub.users_create(req))
 
-    def user_password(self, req: cluster_user_proto.ClusterUser.Delete.Req) -> cluster_user_proto.ClusterUser.Delete.Res:
-        return self.may_renew_token(lambda: self._cluster_stub.user_password(req))
+    def users_delete(self, req: cluster_user_proto.ClusterUserManager.Delete.Req) -> cluster_user_proto.ClusterUserManager.Delete.Res:
+        return self.may_renew_token(lambda: self._cluster_stub.users_delete(req))
 
-    def user_delete(self, req: cluster_user_proto.ClusterUser.Delete.Req) -> cluster_user_proto.ClusterUser.Delete.Res:
-        return self.may_renew_token(lambda: self._cluster_stub.user_delete(req))
+    def users_password_set(self, req: cluster_user_proto.ClusterUserManager.PasswordSet.Req) -> cluster_user_proto.ClusterUserManager.PasswordSet.Res:
+        return self.may_renew_token(lambda: self._cluster_stub.users_password_set(req))
+
+    def users_get(self, req: cluster_user_proto.ClusterUserManager.Get.Req) -> cluster_user_proto.ClusterUserManager.Get.Res:
+        return self.may_renew_token(lambda: self._cluster_stub.users_get(req))
+
+    def user_password_update(self, req: cluster_user_proto.ClusterUser.PasswordUpdate.Req) -> cluster_user_proto.ClusterUser.PasswordUpdate.Res:
+        return self.may_renew_token(lambda: self._cluster_stub.user_password_update(req))
 
     def cluster_databases_all(self, req: cluster_database_proto.ClusterDatabaseManager.All.Req) -> cluster_database_proto.ClusterDatabaseManager.All.Res:
         return self.may_renew_token(lambda: self._cluster_stub.databases_all(req))

typedb/connection/cluster/user.py

@@ -18,30 +18,42 @@
 #   specific language governing permissions and limitations
 #   under the License.
 #
-from typing import TYPE_CHECKING
+from typing import Optional, TYPE_CHECKING
+
+import typedb_protocol.cluster.cluster_user_pb2 as cluster_user_proto
 
 from typedb.api.connection.user import User
-from typedb.common.rpc.request_builder import cluster_user_password_req, cluster_user_delete_req
+from typedb.common.rpc.request_builder import cluster_user_password_update_req
 from typedb.connection.cluster.database import _FailsafeTask, _ClusterDatabase
 
 if TYPE_CHECKING:
     from typedb.connection.cluster.client import _ClusterClient
 
 class _ClusterUser(User):
 
-    def __init__(self, client: "_ClusterClient", username: str):
+    def __init__(self, client: "_ClusterClient", username: str, password_expiry_days: Optional[int]):
         self._client = client
         self._username = username
+        self._password_expiry_days = password_expiry_days
+
+    @staticmethod
+    def of(user: cluster_user_proto.ClusterUser, client: "_ClusterClient"):
+        if user.get_password_expiry_case() == cluster_user_proto.ClusterUser.PasswordExpiryCase.PASSWORDEXPIRY_NOT_SET:
+            return _ClusterUser(client, user.get_username(), None)
+        else:
+            return _ClusterUser(client, user.get_username(), user.get_password_expiry_days())
 
     def username(self) -> str:
         return self._username
 
-    def password(self, password: str) -> None:
-        failsafe_task = _UserFailsafeTask(self._client, lambda replica: self._client._stub(replica.address()).user_password(cluster_user_password_req(self.username(), password)))
-        failsafe_task.run_primary_replica()
+    def password_expiry_days(self) -> Optional[int]:
+        return self._password_expiry_days
 
-    def delete(self) -> None:
-        failsafe_task = _UserFailsafeTask(self._client, lambda replica: self._client._stub(replica.address()).user_delete(cluster_user_delete_req(self.username())))
+    def password_update(self, password_old: str, password_new: str) -> None:
+        failsafe_task = _UserFailsafeTask(
+            self._client,
+            lambda replica: self._client._stub(replica.address()).user_password_update(cluster_user_password_update_req(self.username(), password_old, password_new))
+        )
         failsafe_task.run_primary_replica()
 
 

typedb/connection/cluster/user_manager.py

@@ -21,11 +21,11 @@
 from typing import List,TYPE_CHECKING
 
 from typedb.api.connection.user import UserManager, User
-from typedb.common.rpc.request_builder import cluster_user_manager_create_req, cluster_user_manager_all_req, \
-    cluster_user_manager_contains_req
+from typedb.common.rpc.request_builder import cluster_user_manager_contains_req, cluster_user_manager_create_req, \
+    cluster_user_manager_delete_req, cluster_user_manager_all_req, cluster_user_manager_password_set_req, \
+    cluster_user_manager_get_req
 from typedb.connection.cluster.database import _FailsafeTask, _ClusterDatabase
 from typedb.connection.cluster.user import _ClusterUser
-from typedb.common.exception import TypeDBClientException, CLUSTER_USER_DOES_NOT_EXIST
 
 _SYSTEM_DB = "_system"
 
@@ -45,6 +45,14 @@ def create(self, username: str, password: str) -> None:
         )
         failsafe_task.run_primary_replica()
 
+    def delete(self, username: str) -> None:
+        failsafe_task = _UserManagerFailsafeTask(
+            self._client,
+            lambda replica: self._client._stub(replica.address()).users_delete(
+                cluster_user_manager_delete_req(username))
+        )
+        failsafe_task.run_primary_replica()
+
     def all(self) -> List[User]:
         failsafe_task = _UserManagerFailsafeTask(
             self._client,
@@ -65,10 +73,19 @@ def contains(self, username: str) -> bool:
         return failsafe_task.run_primary_replica()
 
     def get(self, username: str) -> User:
-        if (self.contains(username)):
-            return _ClusterUser(self._client, username)
-        else:
-            raise TypeDBClientException.of(CLUSTER_USER_DOES_NOT_EXIST, username)
+        failsafe_task = _UserManagerFailsafeTask(
+            self._client,
+            lambda replica: _ClusterUser.of(self._client._stub(replica.address()).users_get(cluster_user_manager_get_req(username)).get_user(), self._client)
+        )
+        return failsafe_task.run_primary_replica()
+
+    def password_set(self, username: str, password: str) -> None:
+        failsafe_task = _UserManagerFailsafeTask(
+            self._client,
+            lambda replica: self._client._stub(replica.address()).users_password_set(
+                cluster_user_manager_password_set_req(username, password))
+        )
+        failsafe_task.run_primary_replica()
 
 
 class _UserManagerFailsafeTask(_FailsafeTask):
@@ -79,4 +96,3 @@ def __init__(self, client: "_ClusterClient", task):
 
     def run(self, replica: _ClusterDatabase.Replica):
         return self._task(replica)
-