feat: add create or replace password policy support (#14654)

lichuang · web-flow · commit 4ca2def40fff · 2024-02-09T13:04:58.000+08:00
diff --git a/src/query/ast/src/ast/statements/password_policy.rs b/src/query/ast/src/ast/statements/password_policy.rs
@@ -15,18 +15,26 @@
 use std::fmt::Display;
 use std::fmt::Formatter;
 
+use databend_common_meta_app::schema::CreateOption;
+
 #[derive(Debug, Clone, PartialEq)]
 pub struct CreatePasswordPolicyStmt {
-    pub if_not_exists: bool,
+    pub create_option: CreateOption,
     pub name: String,
     pub set_options: PasswordSetOptions,
 }
 
 impl Display for CreatePasswordPolicyStmt {
     fn fmt(&self, f: &mut Formatter) -> std::fmt::Result {
-        write!(f, "CREATE PASSWORD POLICY ")?;
-        if self.if_not_exists {
-            write!(f, "IF NOT EXISTS ")?;
+        write!(f, "CREATE ")?;
+        if let CreateOption::CreateOrReplace = self.create_option {
+            write!(f, "OR REPLACE ")?;
+        }
+        write!(f, "PASSWORD POLICY ")?;
+        if let CreateOption::CreateIfNotExists(if_not_exists) = self.create_option {
+            if if_not_exists {
+                write!(f, "IF NOT EXISTS ")?;
+            }
         }
         write!(f, "{}", self.name)?;
         write!(f, "{}", self.set_options)?;
diff --git a/src/query/ast/src/parser/statement.rs b/src/query/ast/src/parser/statement.rs
@@ -1718,18 +1718,20 @@ pub fn statement(i: Input) -> IResult<StatementWithFormat> {
         rule! { SHOW ~ NETWORK ~ ^POLICIES },
     );
 
-    let create_password_policy = map(
+    let create_password_policy = map_res(
         rule! {
-            CREATE ~ PASSWORD ~ ^POLICY ~ ( IF ~ ^NOT ~ ^EXISTS )? ~ ^#ident
+            CREATE ~ (OR ~ REPLACE)? ~ PASSWORD ~ ^POLICY ~ ( IF ~ ^NOT ~ ^EXISTS )? ~ ^#ident
              ~ #password_set_options
         },
-        |(_, _, _, opt_if_not_exists, name, set_options)| {
+        |(_, opt_or_replace, _, _, opt_if_not_exists, name, set_options)| {
+            let create_option =
+                parse_create_option(opt_or_replace.is_some(), opt_if_not_exists.is_some())?;
             let stmt = CreatePasswordPolicyStmt {
-                if_not_exists: opt_if_not_exists.is_some(),
+                create_option,
                 name: name.to_string(),
                 set_options,
             };
-            Statement::CreatePasswordPolicy(stmt)
+            Ok(Statement::CreatePasswordPolicy(stmt))
         },
     );
     let alter_password_policy = map(
diff --git a/src/query/management/src/password_policy/password_policy_api.rs b/src/query/management/src/password_policy/password_policy_api.rs
@@ -14,12 +14,17 @@
 
 use databend_common_exception::Result;
 use databend_common_meta_app::principal::PasswordPolicy;
+use databend_common_meta_app::schema::CreateOption;
 use databend_common_meta_types::MatchSeq;
 use databend_common_meta_types::SeqV;
 
 #[async_trait::async_trait]
 pub trait PasswordPolicyApi: Sync + Send {
-    async fn add_password_policy(&self, password_policy: PasswordPolicy) -> Result<u64>;
+    async fn add_password_policy(
+        &self,
+        password_policy: PasswordPolicy,
+        create_option: &CreateOption,
+    ) -> Result<()>;
 
     async fn update_password_policy(
         &self,
diff --git a/src/query/management/src/password_policy/password_policy_mgr.rs b/src/query/management/src/password_policy/password_policy_mgr.rs
@@ -18,6 +18,7 @@ use databend_common_base::base::escape_for_key;
 use databend_common_exception::ErrorCode;
 use databend_common_exception::Result;
 use databend_common_meta_app::principal::PasswordPolicy;
+use databend_common_meta_app::schema::CreateOption;
 use databend_common_meta_kvapi::kvapi;
 use databend_common_meta_kvapi::kvapi::UpsertKVReq;
 use databend_common_meta_types::MatchSeq;
@@ -67,8 +68,12 @@ impl PasswordPolicyMgr {
 impl PasswordPolicyApi for PasswordPolicyMgr {
     #[async_backtrace::framed]
     #[minitrace::trace]
-    async fn add_password_policy(&self, password_policy: PasswordPolicy) -> Result<u64> {
-        let match_seq = MatchSeq::Exact(0);
+    async fn add_password_policy(
+        &self,
+        password_policy: PasswordPolicy,
+        create_option: &CreateOption,
+    ) -> Result<()> {
+        let seq = MatchSeq::from(*create_option);
         let key = self.make_password_policy_key(password_policy.name.as_str())?;
         let value = Operation::Update(serialize_struct(
             &password_policy,
@@ -77,16 +82,20 @@ impl PasswordPolicyApi for PasswordPolicyMgr {
         )?);
 
         let kv_api = self.kv_api.clone();
-        let upsert_kv = kv_api.upsert_kv(UpsertKVReq::new(&key, match_seq, value, None));
+        let res = kv_api
+            .upsert_kv(UpsertKVReq::new(&key, seq, value, None))
+            .await?;
 
-        let res_seq = upsert_kv.await?.added_seq_or_else(|_v| {
-            ErrorCode::PasswordPolicyAlreadyExists(format!(
-                "Password policy '{}' already exists.",
-                password_policy.name
-            ))
-        })?;
+        if let CreateOption::CreateIfNotExists(false) = create_option {
+            if res.prev.is_some() {
+                return Err(ErrorCode::PasswordPolicyAlreadyExists(format!(
+                    "Password policy '{}' already exists.",
+                    password_policy.name
+                )));
+            }
+        }
 
-        Ok(res_seq)
+        Ok(())
     }
 
     #[async_backtrace::framed]
diff --git a/src/query/service/src/interpreters/interpreter_password_policy_create.rs b/src/query/service/src/interpreters/interpreter_password_policy_create.rs
@@ -124,7 +124,7 @@ impl Interpreter for CreatePasswordPolicyInterpreter {
             update_on: None,
         };
         user_mgr
-            .add_password_policy(&tenant, password_policy, plan.if_not_exists)
+            .add_password_policy(&tenant, password_policy, &plan.create_option)
             .await?;
 
         Ok(PipelineBuildResult::create())
diff --git a/src/query/sql/src/planner/binder/ddl/password_policy.rs b/src/query/sql/src/planner/binder/ddl/password_policy.rs
@@ -32,14 +32,14 @@ impl Binder {
         stmt: &CreatePasswordPolicyStmt,
     ) -> Result<Plan> {
         let CreatePasswordPolicyStmt {
-            if_not_exists,
+            create_option,
             name,
             set_options,
         } = stmt;
 
         let tenant = self.ctx.get_tenant();
         let plan = CreatePasswordPolicyPlan {
-            if_not_exists: *if_not_exists,
+            create_option: *create_option,
             tenant,
             name: name.to_string(),
             set_options: set_options.clone(),
diff --git a/src/query/sql/src/planner/plans/ddl/account.rs b/src/query/sql/src/planner/plans/ddl/account.rs
@@ -204,7 +204,7 @@ impl ShowNetworkPoliciesPlan {
 
 #[derive(Clone, Debug, PartialEq)]
 pub struct CreatePasswordPolicyPlan {
-    pub if_not_exists: bool,
+    pub create_option: CreateOption,
     pub tenant: String,
     pub name: String,
     pub set_options: PasswordSetOptions,
diff --git a/src/query/users/src/password_policy.rs b/src/query/users/src/password_policy.rs
@@ -25,6 +25,7 @@ use databend_common_meta_app::principal::PasswordPolicy;
 use databend_common_meta_app::principal::UserIdentity;
 use databend_common_meta_app::principal::UserInfo;
 use databend_common_meta_app::principal::UserOption;
+use databend_common_meta_app::schema::CreateOption;
 use databend_common_meta_types::MatchSeq;
 use log::info;
 use passwords::analyzer;
@@ -65,30 +66,14 @@ impl UserApiProvider {
         &self,
         tenant: &str,
         password_policy: PasswordPolicy,
-        if_not_exists: bool,
-    ) -> Result<u64> {
+        create_option: &CreateOption,
+    ) -> Result<()> {
         check_password_policy(&password_policy)?;
 
-        if if_not_exists
-            && self
-                .exists_password_policy(tenant, password_policy.name.as_str())
-                .await?
-        {
-            return Ok(0);
-        }
-
         let client = self.get_password_policy_api_client(tenant)?;
-        let add_password_policy = client.add_password_policy(password_policy);
-        match add_password_policy.await {
-            Ok(res) => Ok(res),
-            Err(e) => {
-                if if_not_exists && e.code() == ErrorCode::PASSWORD_POLICY_ALREADY_EXISTS {
-                    Ok(0)
-                } else {
-                    Err(e.add_message_back("(while add password policy)"))
-                }
-            }
-        }
+        client
+            .add_password_policy(password_policy, create_option)
+            .await
     }
 
     // Update password policy.
diff --git a/src/query/users/tests/it/password_policy.rs b/src/query/users/tests/it/password_policy.rs
@@ -66,23 +66,35 @@ async fn test_password_policy() -> Result<()> {
     };
 
     let res = user_mgr
-        .add_password_policy(tenant, password_policy.clone(), false)
+        .add_password_policy(
+            tenant,
+            password_policy.clone(),
+            &CreateOption::CreateIfNotExists(false),
+        )
         .await;
     assert!(res.is_ok());
 
     // invalid min length
     let mut invalid_password_policy1 = password_policy.clone();
     invalid_password_policy1.min_length = 0;
     let res = user_mgr
-        .add_password_policy(tenant, invalid_password_policy1, false)
+        .add_password_policy(
+            tenant,
+            invalid_password_policy1,
+            &CreateOption::CreateIfNotExists(false),
+        )
         .await;
     assert!(res.is_err());
 
     // invalid max length
     let mut invalid_password_policy2 = password_policy.clone();
     invalid_password_policy2.max_length = 260;
     let res = user_mgr
-        .add_password_policy(tenant, invalid_password_policy2, false)
+        .add_password_policy(
+            tenant,
+            invalid_password_policy2,
+            &CreateOption::CreateIfNotExists(false),
+        )
         .await;
     assert!(res.is_err());
 
@@ -91,7 +103,11 @@ async fn test_password_policy() -> Result<()> {
     invalid_password_policy3.min_length = 30;
     invalid_password_policy3.max_length = 20;
     let res = user_mgr
-        .add_password_policy(tenant, invalid_password_policy3, false)
+        .add_password_policy(
+            tenant,
+            invalid_password_policy3,
+            &CreateOption::CreateIfNotExists(false),
+        )
         .await;
     assert!(res.is_err());
 
@@ -102,7 +118,11 @@ async fn test_password_policy() -> Result<()> {
     invalid_password_policy4.min_numeric_chars = 272;
     invalid_password_policy4.min_special_chars = 273;
     let res = user_mgr
-        .add_password_policy(tenant, invalid_password_policy4, false)
+        .add_password_policy(
+            tenant,
+            invalid_password_policy4,
+            &CreateOption::CreateIfNotExists(false),
+        )
         .await;
     assert!(res.is_err());
 
@@ -114,7 +134,11 @@ async fn test_password_policy() -> Result<()> {
     invalid_password_policy5.min_numeric_chars = 12;
     invalid_password_policy5.min_special_chars = 13;
     let res = user_mgr
-        .add_password_policy(tenant, invalid_password_policy5, false)
+        .add_password_policy(
+            tenant,
+            invalid_password_policy5,
+            &CreateOption::CreateIfNotExists(false),
+        )
         .await;
     assert!(res.is_err());
 
@@ -123,31 +147,47 @@ async fn test_password_policy() -> Result<()> {
     invalid_password_policy6.min_age_days = 20;
     invalid_password_policy6.max_age_days = 10;
     let res = user_mgr
-        .add_password_policy(tenant, invalid_password_policy6, false)
+        .add_password_policy(
+            tenant,
+            invalid_password_policy6,
+            &CreateOption::CreateIfNotExists(false),
+        )
         .await;
     assert!(res.is_err());
 
     // invalid max retries
     let mut invalid_password_policy7 = password_policy.clone();
     invalid_password_policy7.max_retries = 20;
     let res = user_mgr
-        .add_password_policy(tenant, invalid_password_policy7, false)
+        .add_password_policy(
+            tenant,
+            invalid_password_policy7,
+            &CreateOption::CreateIfNotExists(false),
+        )
         .await;
     assert!(res.is_err());
 
     // invalid lockout time mins
     let mut invalid_password_policy8 = password_policy.clone();
     invalid_password_policy8.lockout_time_mins = 2000;
     let res = user_mgr
-        .add_password_policy(tenant, invalid_password_policy8, false)
+        .add_password_policy(
+            tenant,
+            invalid_password_policy8,
+            &CreateOption::CreateIfNotExists(false),
+        )
         .await;
     assert!(res.is_err());
 
     // invalid history
     let mut invalid_password_policy9 = password_policy.clone();
     invalid_password_policy9.history = 50;
     let res = user_mgr
-        .add_password_policy(tenant, invalid_password_policy9, false)
+        .add_password_policy(
+            tenant,
+            invalid_password_policy9,
+            &CreateOption::CreateIfNotExists(false),
+        )
         .await;
     assert!(res.is_err());
 
diff --git a/tests/sqllogictests/suites/base/05_ddl/05_0035_ddl_password_policy.test b/tests/sqllogictests/suites/base/05_ddl/05_0035_ddl_password_policy.test
@@ -141,3 +141,50 @@ DESC PASSWORD POLICY test_policy
 statement ok
 DROP PASSWORD POLICY default_policy
 
+statement ok
+CREATE PASSWORD POLICY replace_policy
+    PASSWORD_MIN_LENGTH = 12
+    PASSWORD_MAX_LENGTH = 24
+    PASSWORD_MIN_UPPER_CASE_CHARS = 2
+    PASSWORD_MIN_LOWER_CASE_CHARS = 2
+    PASSWORD_MIN_NUMERIC_CHARS = 2
+    PASSWORD_MIN_SPECIAL_CHARS = 2
+    PASSWORD_MIN_AGE_DAYS = 1
+    PASSWORD_MAX_AGE_DAYS = 30
+    PASSWORD_MAX_RETRIES = 3
+    PASSWORD_LOCKOUT_TIME_MINS = 30
+    PASSWORD_HISTORY = 5
+    COMMENT = 'test comment'
+
+statement error 1005
+CREATE OR REPLACE PASSWORD POLICY IF NOT EXISTS replace_policy
+    PASSWORD_MIN_LENGTH = 24
+    PASSWORD_MAX_LENGTH = 48
+    PASSWORD_MIN_UPPER_CASE_CHARS = 2
+    PASSWORD_MIN_LOWER_CASE_CHARS = 2
+    PASSWORD_MIN_NUMERIC_CHARS = 2
+    PASSWORD_MIN_SPECIAL_CHARS = 2
+    PASSWORD_MIN_AGE_DAYS = 1
+    PASSWORD_MAX_AGE_DAYS = 30
+    PASSWORD_MAX_RETRIES = 3
+    PASSWORD_LOCKOUT_TIME_MINS = 30
+    PASSWORD_HISTORY = 5
+    COMMENT = 'test comment'
+
+statement ok
+CREATE OR REPLACE PASSWORD POLICY replace_policy
+    PASSWORD_MIN_LENGTH = 24
+    PASSWORD_MAX_LENGTH = 48
+    PASSWORD_MIN_UPPER_CASE_CHARS = 2
+    PASSWORD_MIN_LOWER_CASE_CHARS = 2
+    PASSWORD_MIN_NUMERIC_CHARS = 2
+    PASSWORD_MIN_SPECIAL_CHARS = 2
+    PASSWORD_MIN_AGE_DAYS = 1
+    PASSWORD_MAX_AGE_DAYS = 30
+    PASSWORD_MAX_RETRIES = 3
+    PASSWORD_LOCKOUT_TIME_MINS = 30
+    PASSWORD_HISTORY = 5
+    COMMENT = 'test comment'
+
+statement ok
+DROP PASSWORD POLICY replace_policy
