SystemView Auth Fix sid timestamps (#15001)

kunga · web-flow · commit 1d92a1f362d1 · 2025-02-26T19:04:05.000+01:00
diff --git a/ydb/core/security/login_page.cpp b/ydb/core/security/login_page.cpp
@@ -199,7 +199,7 @@ class TLoginRequest : public NActors::TActorBootstrapped<TLoginRequest> {
         ALOG_DEBUG(NActorsServices::HTTP, "Login success for " << User);
         NHttp::THeadersBuilder headers;
         SetCORS(headers);
-        TDuration maxAge = (ToInstant(NLogin::TLoginProvider::GetTokenExpiresAt(cookie)) - TInstant::Now());
+        TDuration maxAge = ToInstant(NLogin::TLoginProvider::GetTokenExpiresAt(cookie)) - TInstant::Now();
         headers.Set("Set-Cookie", TStringBuilder() << "ydb_session_id=" << cookie << "; Max-Age=" << maxAge.Seconds());
         Send(Sender, new NHttp::TEvHttpProxy::TEvHttpOutgoingResponse(Request->CreateResponse("200", "OK", headers)));
         PassAway();
diff --git a/ydb/core/sys_view/ut_kqp.cpp b/ydb/core/sys_view/ut_kqp.cpp
@@ -2192,7 +2192,7 @@ Y_UNIT_TEST_SUITE(SystemView) {
             )").GetValueSync();
 
             auto expected = R"([
-                [["user1"];[%true];[%false];[0u];[0u];[0u]];
+                [["user1"];[%true];[%false];#;#;[0u]];
             ])";
 
             NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
@@ -2218,7 +2218,7 @@ Y_UNIT_TEST_SUITE(SystemView) {
             )").GetValueSync();
 
             auto expected = R"([
-                [["user2"];[%true];[%false];[0u];[0u];[0u]];
+                [["user2"];[%true];[%false];#;#;[0u]];
             ])";
 
             NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
@@ -2231,8 +2231,8 @@ Y_UNIT_TEST_SUITE(SystemView) {
             )").GetValueSync();
 
             auto expected = R"([
-                [["user3"];[%true];[%false];[0u];[0u];[0u]];
-                [["user4"];[%true];[%false];[0u];[0u];[0u]];
+                [["user3"];[%true];[%false];#;#;[0u]];
+                [["user4"];[%true];[%false];#;#;[0u]];
             ])";
 
             NKqp::CompareYson(expected, NKqp::StreamResultToYson(it));
diff --git a/ydb/core/tx/schemeshard/schemeshard__init_root.cpp b/ydb/core/tx/schemeshard/schemeshard__init_root.cpp
@@ -58,7 +58,7 @@ struct TSchemeShard::TTxInitRoot : public TSchemeShard::TRwTxBase {
                 auto& sid = Self->LoginProvider.Sids[defaultUser.GetName()];
                 db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType,
                                                                    Schema::LoginSids::SidHash,
-                                                                   Schema::LoginSids::CreatedAt>(sid.Type, sid.PasswordHash, ToInstant(sid.CreatedAt).MilliSeconds());
+                                                                   Schema::LoginSids::CreatedAt>(sid.Type, sid.PasswordHash, ToMicroSeconds(sid.CreatedAt));
                 if (owner.empty()) {
                     owner = defaultUser.GetName();
                 }
@@ -81,7 +81,7 @@ struct TSchemeShard::TTxInitRoot : public TSchemeShard::TRwTxBase {
             } else {
                 auto& sid = Self->LoginProvider.Sids[defaultGroup.GetName()];
                 db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType,
-                                                                   Schema::LoginSids::CreatedAt>(sid.Type, ToInstant(sid.CreatedAt).MilliSeconds());
+                                                                   Schema::LoginSids::CreatedAt>(sid.Type, ToMicroSeconds(sid.CreatedAt));
                 for (const auto& member : defaultGroup.GetMembers()) {
                     auto response = Self->LoginProvider.AddGroupMembership({
                         .Group = defaultGroup.GetName(),
diff --git a/ydb/core/tx/schemeshard/schemeshard__list_users.cpp b/ydb/core/tx/schemeshard/schemeshard__list_users.cpp
@@ -32,9 +32,13 @@ struct TSchemeShard::TTxListUsers : TTransactionBase<TSchemeShard> {
             user->SetName(sid.Name);
             user->SetIsEnabled(sid.IsEnabled);
             user->SetIsLockedOut(Self->LoginProvider.IsLockedOut(sid));
-            user->SetCreatedAt(ToInstant(sid.CreatedAt).MilliSeconds());
-            user->SetLastSuccessfulAttemptAt(ToInstant(sid.LastSuccessfulLogin).MilliSeconds());
-            user->SetLastFailedAttemptAt(ToInstant(sid.LastFailedLogin).MilliSeconds());
+            user->SetCreatedAt(ToMicroSeconds(sid.CreatedAt));
+            if (sid.LastSuccessfulLogin != std::chrono::system_clock::time_point()) {
+                user->SetLastSuccessfulAttemptAt(ToMicroSeconds(sid.LastSuccessfulLogin));
+            }
+            if (sid.LastFailedLogin != std::chrono::system_clock::time_point()) {
+                user->SetLastFailedAttemptAt(ToMicroSeconds(sid.LastFailedLogin));
+            }
             user->SetFailedAttemptCount(sid.FailedLoginAttemptCount);
             user->SetPasswordHash(sid.PasswordHash);
         }
diff --git a/ydb/core/tx/schemeshard/schemeshard__login.cpp b/ydb/core/tx/schemeshard/schemeshard__login.cpp
@@ -153,7 +153,7 @@ struct TSchemeShard::TTxLogin : TSchemeShard::TRwTxBase {
         case TLoginProvider::TLoginUserResponse::EStatus::SUCCESS: {
             const auto& sid = Self->LoginProvider.Sids[loginRequest.User];
             db.Table<Schema::LoginSids>().Key(loginRequest.User).Update<Schema::LoginSids::LastSuccessfulAttempt,
-                                                                        Schema::LoginSids::FailedAttemptCount>(ToInstant(sid.LastSuccessfulLogin).MilliSeconds(), sid.FailedLoginAttemptCount);
+                                                                        Schema::LoginSids::FailedAttemptCount>(ToMicroSeconds(sid.LastSuccessfulLogin), sid.FailedLoginAttemptCount);
             Result->Record.SetToken(loginResponse.Token);
             Result->Record.SetSanitizedToken(loginResponse.SanitizedToken);
             Result->Record.SetIsAdmin(IsAdmin());
@@ -162,7 +162,7 @@ struct TSchemeShard::TTxLogin : TSchemeShard::TRwTxBase {
         case TLoginProvider::TLoginUserResponse::EStatus::INVALID_PASSWORD: {
             const auto& sid = Self->LoginProvider.Sids[loginRequest.User];
             db.Table<Schema::LoginSids>().Key(loginRequest.User).Update<Schema::LoginSids::LastFailedAttempt,
-                                                                        Schema::LoginSids::FailedAttemptCount>(ToInstant(sid.LastFailedLogin).MilliSeconds(), sid.FailedLoginAttemptCount);
+                                                                        Schema::LoginSids::FailedAttemptCount>(ToMicroSeconds(sid.LastFailedLogin), sid.FailedLoginAttemptCount);
             Result->Record.SetError(loginResponse.Error);
             break;
         }
diff --git a/ydb/core/tx/schemeshard/schemeshard__operation_alter_login.cpp b/ydb/core/tx/schemeshard/schemeshard__operation_alter_login.cpp
@@ -51,7 +51,7 @@ class TAlterLogin: public TSubOperationBase {
                         db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType,
                                                                            Schema::LoginSids::SidHash,
                                                                            Schema::LoginSids::CreatedAt,
-                                                                           Schema::LoginSids::IsEnabled>(sid.Type, sid.PasswordHash, ToInstant(sid.CreatedAt).MilliSeconds(), sid.IsEnabled);
+                                                                           Schema::LoginSids::IsEnabled>(sid.Type, sid.PasswordHash, ToMicroSeconds(sid.CreatedAt), sid.IsEnabled);
 
                         if (securityConfig.HasAllUsersGroup()) {
                             auto response = context.SS->LoginProvider.AddGroupMembership({
@@ -127,7 +127,7 @@ class TAlterLogin: public TSubOperationBase {
                     } else {
                         auto& sid = context.SS->LoginProvider.Sids[group];
                         db.Table<Schema::LoginSids>().Key(sid.Name).Update<Schema::LoginSids::SidType,
-                                                                           Schema::LoginSids::CreatedAt>(sid.Type, ToInstant(sid.CreatedAt).MilliSeconds());
+                                                                           Schema::LoginSids::CreatedAt>(sid.Type, ToMicroSeconds(sid.CreatedAt));
                         result->SetStatus(NKikimrScheme::StatusSuccess);
                     }
                     break;
diff --git a/ydb/library/login/login.cpp b/ydb/library/login/login.cpp
@@ -102,7 +102,6 @@ TLoginProvider::TBasicResponse TLoginProvider::CreateUser(const TCreateUserReque
     user.Name = request.User;
     user.PasswordHash = request.IsHashedPassword ? request.Password : Impl->GenerateHash(request.Password);
     user.CreatedAt = std::chrono::system_clock::now();
-    user.LastFailedLogin = std::chrono::system_clock::time_point();
     user.IsEnabled = request.CanLogin;
     return response;
 }
@@ -799,10 +798,10 @@ void TLoginProvider::UpdateSecurityState(const NLoginProto::TSecurityState& stat
                 sid.Members.emplace(pbSubSid);
                 ChildToParentIndex[pbSubSid].emplace(sid.Name);
             }
-            sid.CreatedAt = std::chrono::system_clock::time_point(std::chrono::milliseconds(pbSid.GetCreatedAt()));
+            sid.CreatedAt = std::chrono::system_clock::time_point(std::chrono::microseconds(pbSid.GetCreatedAt()));
             sid.FailedLoginAttemptCount = pbSid.GetFailedLoginAttemptCount();
-            sid.LastFailedLogin = std::chrono::system_clock::time_point(std::chrono::milliseconds(pbSid.GetLastFailedLogin()));
-            sid.LastSuccessfulLogin = std::chrono::system_clock::time_point(std::chrono::milliseconds(pbSid.GetLastSuccessfulLogin()));
+            sid.LastFailedLogin = std::chrono::system_clock::time_point(std::chrono::microseconds(pbSid.GetLastFailedLogin()));
+            sid.LastSuccessfulLogin = std::chrono::system_clock::time_point(std::chrono::microseconds(pbSid.GetLastSuccessfulLogin()));
         }
     }
 }
diff --git a/ydb/library/security/util.h b/ydb/library/security/util.h
@@ -12,12 +12,16 @@ namespace NKikimr {
 
     // copy-pasted from <robot/library/utils/time_convert.h>
     template<typename Rep, typename Period>
-    constexpr ui64 ToMicroseconds(std::chrono::duration<Rep, Period> value) {
+    constexpr ui64 ToMicroSeconds(std::chrono::duration<Rep, Period> value) {
         return std::chrono::duration_cast<std::chrono::microseconds>(value).count();
     }
 
     template<typename Clock, typename Duration>
     constexpr TInstant ToInstant(std::chrono::time_point<Clock, Duration> value) {
-        return TInstant::MicroSeconds(ToMicroseconds(value.time_since_epoch()));
+        return TInstant::MicroSeconds(ToMicroSeconds(value.time_since_epoch()));
+    }
+
+    constexpr ui64 ToMicroSeconds(std::chrono::system_clock::time_point value) {
+        return ToMicroSeconds(value.time_since_epoch());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,6 @@ TLoginProvider::TBasicResponse TLoginProvider::CreateUser(const TCreateUserReque`
`102`	`102`	`user.Name = request.User;`
`103`	`103`	`user.PasswordHash = request.IsHashedPassword ? request.Password : Impl->GenerateHash(request.Password);`
`104`	`104`	`user.CreatedAt = std::chrono::system_clock::now();`
`105`		`- user.LastFailedLogin = std::chrono::system_clock::time_point();`
`106`	`105`	`user.IsEnabled = request.CanLogin;`
`107`	`106`	`return response;`
`108`	`107`	`}`
`@@ -799,10 +798,10 @@ void TLoginProvider::UpdateSecurityState(const NLoginProto::TSecurityState& stat`
`799`	`798`	`sid.Members.emplace(pbSubSid);`
`800`	`799`	`ChildToParentIndex[pbSubSid].emplace(sid.Name);`
`801`	`800`	`}`
`802`		`- sid.CreatedAt = std::chrono::system_clock::time_point(std::chrono::milliseconds(pbSid.GetCreatedAt()));`
	`801`	`+ sid.CreatedAt = std::chrono::system_clock::time_point(std::chrono::microseconds(pbSid.GetCreatedAt()));`
`803`	`802`	`sid.FailedLoginAttemptCount = pbSid.GetFailedLoginAttemptCount();`
`804`		`- sid.LastFailedLogin = std::chrono::system_clock::time_point(std::chrono::milliseconds(pbSid.GetLastFailedLogin()));`
`805`		`- sid.LastSuccessfulLogin = std::chrono::system_clock::time_point(std::chrono::milliseconds(pbSid.GetLastSuccessfulLogin()));`
	`803`	`+ sid.LastFailedLogin = std::chrono::system_clock::time_point(std::chrono::microseconds(pbSid.GetLastFailedLogin()));`
	`804`	`+ sid.LastSuccessfulLogin = std::chrono::system_clock::time_point(std::chrono::microseconds(pbSid.GetLastSuccessfulLogin()));`
`806`	`805`	`}`
`807`	`806`	`}`
`808`	`807`	`}`
Original file line number	Diff line number	Diff line change
`@@ -12,12 +12,16 @@ namespace NKikimr {`
`12`	`12`
`13`	`13`	`// copy-pasted from <robot/library/utils/time_convert.h>`
`14`	`14`	`template<typename Rep, typename Period>`
`15`		`- constexpr ui64 ToMicroseconds(std::chrono::duration<Rep, Period> value) {`
	`15`	`+ constexpr ui64 ToMicroSeconds(std::chrono::duration<Rep, Period> value) {`
`16`	`16`	`return std::chrono::duration_cast<std::chrono::microseconds>(value).count();`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`template<typename Clock, typename Duration>`
`20`	`20`	`constexpr TInstant ToInstant(std::chrono::time_point<Clock, Duration> value) {`
`21`		`- return TInstant::MicroSeconds(ToMicroseconds(value.time_since_epoch()));`
	`21`	`+ return TInstant::MicroSeconds(ToMicroSeconds(value.time_since_epoch()));`
	`22`	`+ }`
	`23`	`+`
	`24`	`+ constexpr ui64 ToMicroSeconds(std::chrono::system_clock::time_point value) {`
	`25`	`+ return ToMicroSeconds(value.time_since_epoch());`
`22`	`26`	`}`
`23`	`27`	`}`