From f22c88d23fe3f1271227531e674ea72a43ecd207 Mon Sep 17 00:00:00 2001
From: Vladimir Davydov <vdavydov@tarantool.org>
Date: Tue, 19 Sep 2023 11:55:10 +0300
Subject: [PATCH] config: add security.auth_retries option

The new option is backed by `box.cfg.auth_retries`. It is available only
in Enterprise Edition builds.

Needed for tarantool/tarantool-ee#541

NO_DOC=will be added to Enterprise Edition
NO_CHANGELOG=will be added to Enterprise Edition
---
 src/box/lua/config/instance_config.lua              | 5 +++++
 src/box/lua/load_cfg.lua                            | 4 ++++
 test/box/box.lua                                    | 1 +
 test/config-luatest/cluster_config_schema_test.lua  | 1 +
 test/config-luatest/config_test.lua                 | 2 ++
 test/config-luatest/instance_config_schema_test.lua | 1 +
 6 files changed, 14 insertions(+)

diff --git a/src/box/lua/config/instance_config.lua b/src/box/lua/config/instance_config.lua
index af259943b4..016ef756b5 100644
--- a/src/box/lua/config/instance_config.lua
+++ b/src/box/lua/config/instance_config.lua
@@ -1428,6 +1428,11 @@ return schema.new('instance_config', schema.record({
             default = 0,
             box_cfg = 'auth_delay',
         })),
+        auth_retries = enterprise_edition(schema.scalar({
+            type = 'integer',
+            default = 0,
+            box_cfg = 'auth_retries',
+        })),
         disable_guest = enterprise_edition(schema.scalar({
             type = 'boolean',
             default = false,
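Review bot: The new `auth_retries` scalar constrains only the type, so a negative count passes schema validation and is forwarded to `box.cfg.auth_retries`, and nothing here says what the default `0` means. Because this option limits password guessing, an operator needs to know whether `0` is the strictest setting or switches the control off. I would add a comment above the field, along the lines of `-- Failed authentication attempts allowed; 0 means <state the behaviour>.`. If the Enterprise setter does not already reject negatives (it is not visible in this patch), the scalar also needs a range check. The enclosing schema record starts and ends outside this hunk.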
diff --git a/src/box/lua/load_cfg.lua b/src/box/lua/load_cfg.lua
index fedf9afb1a..359ebe6f2b 100644
--- a/src/box/lua/load_cfg.lua
+++ b/src/box/lua/load_cfg.lua
@@ -119,6 +119,7 @@ local default_cfg = {
 
     auth_type           = 'chap-sha1',
     auth_delay          = ifdef_security(0),
+    auth_retries        = ifdef_security(0),
     disable_guest       = ifdef_security(false),
     password_lifetime_days = ifdef_security(0),
     password_min_length = ifdef_security(0),
@@ -314,6 +315,7 @@ local template_cfg = {
 
     auth_type           = 'string',
     auth_delay          = ifdef_security('number'),
+    auth_retries        = ifdef_security('number'),
     disable_guest       = ifdef_security('boolean'),
     password_lifetime_days = ifdef_security('number'),
     password_min_length = ifdef_security('number'),
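Review bot: `auth_retries = ifdef_security('number')` lets `box.cfg{auth_retries = ...}` accept fractional and negative values, while instance_config.lua declares the same option as `integer`, so the two entry points disagree on what is valid. Whether `private.cfg_set_security` rejects or truncates such values is not visible in this patch; if it does neither, a retry limit of `0.5` or `-1` has no defined meaning for a brute-force control. Once that validation is confirmed or added, I would annotate this line with `-- integer >= 0; checked in cfg_set_security`. The `template_cfg` table starts and ends outside this hunk.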
@@ -517,6 +519,7 @@ local dynamic_cfg = {
     txn_isolation           = private.cfg_set_txn_isolation,
     auth_type               = private.cfg_set_auth_type,
     auth_delay              = private.cfg_set_security,
+    auth_retries            = private.cfg_set_security,
     disable_guest           = private.cfg_set_security,
     password_lifetime_days  = private.cfg_set_security,
     password_min_length     = ifdef_security(nop),
@@ -679,6 +682,7 @@ local dynamic_cfg_skip_at_load = {
     readahead               = true,
     auth_type               = true,
     auth_delay              = ifdef_security(true),
+    auth_retries            = ifdef_security(true),
     disable_guest           = ifdef_security(true),
     password_lifetime_days  = ifdef_security(true),
 }
diff --git a/test/box/box.lua b/test/box/box.lua
index af3f98e732..0028282bae 100644
--- a/test/box/box.lua
+++ b/test/box/box.lua
@@ -35,6 +35,7 @@ local _enterprise_keys = {
     flightrec_requests_max_req_size = true,
     flightrec_requests_max_res_size = true,
     auth_delay = true,
+    auth_retries = true,
     disable_guest = true,
     password_lifetime_days = true,
     password_min_length = true,
diff --git a/test/config-luatest/cluster_config_schema_test.lua b/test/config-luatest/cluster_config_schema_test.lua
index 8f0c9e715f..991f25bec6 100644
--- a/test/config-luatest/cluster_config_schema_test.lua
+++ b/test/config-luatest/cluster_config_schema_test.lua
@@ -247,6 +247,7 @@ g.test_defaults = function()
         } or nil,
         security = is_enterprise and {
             auth_delay = 0,
+            auth_retries = 0,
             auth_type = "chap-sha1",
             disable_guest = false,
             password_enforce_digits = false,
diff --git a/test/config-luatest/config_test.lua b/test/config-luatest/config_test.lua
index 483e961b2a..42c0d2a1fb 100644
--- a/test/config-luatest/config_test.lua
+++ b/test/config-luatest/config_test.lua
@@ -666,6 +666,7 @@ g.test_security_options = function()
         security:
             auth_type: pap-sha256
             auth_delay: 5
+            auth_retries: 3
             disable_guest: false
             password_lifetime_days: 90
             password_min_length: 14
@@ -693,6 +694,7 @@ g.test_security_options = function()
     g.server:exec(function()
         t.assert_equals(box.cfg.auth_type, 'pap-sha256')
         t.assert_equals(box.cfg.auth_delay, 5)
+        t.assert_equals(box.cfg.auth_retries, 3)
         t.assert_equals(box.cfg.disable_guest, false)
         t.assert_equals(box.cfg.password_lifetime_days, 90)
         t.assert_equals(box.cfg.password_min_length, 14)
diff --git a/test/config-luatest/instance_config_schema_test.lua b/test/config-luatest/instance_config_schema_test.lua
index 61341862a2..1a089f2c5b 100644
--- a/test/config-luatest/instance_config_schema_test.lua
+++ b/test/config-luatest/instance_config_schema_test.lua
@@ -1187,6 +1187,7 @@ g.test_security_enterprise = function()
         security = {
             auth_type = 'pap-sha256',
             auth_delay = 5,
+            auth_retries = 3,
             disable_guest = true,
             password_lifetime_days = 90,
             password_min_length = 10,
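Review bot: The only value exercised for `auth_retries` is the valid `3`, here and in config_test.lua, so no test pins that bad input is refused. A case that feeds `auth_retries = 1.5` (constructed value) and expects schema validation to fail would keep the `integer` constraint from being loosened unnoticed. A negative value deserves the same treatment once its handling is decided. `test_security_enterprise` continues outside this hunk.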
-- 
GitLab