From a67451a51a4407311a746e72f943ac1c32a6bb76 Mon Sep 17 00:00:00 2001
From: hongming
Date: Wed, 11 May 2022 15:54:48 +0800
Subject: [PATCH] Fix: restricted users cannot activate manually
---
 pkg/controller/user/user_controller.go | 2 ++
 pkg/controller/user/user_controller_test.go | 8 +++++---
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/pkg/controller/user/user_controller.go b/pkg/controller/user/user_controller.go
index d758aba0c..9729e66ba 100644
--- a/pkg/controller/user/user_controller.go
+++ b/pkg/controller/user/user_controller.go
@@ -530,7 +530,9 @@ func (r *Reconciler) syncUserStatus(ctx context.Context, user *iamv1alpha2.User)
 now := time.Now()
 failedLoginAttempts := 0
 for _, loginRecord := range records.Items {
+ afterStateTransition := user.Status.LastTransitionTime == nil || loginRecord.CreationTimestamp.After(user.Status.LastTransitionTime.Time)
 if !loginRecord.Spec.Success &&
+ afterStateTransition &&
 loginRecord.CreationTimestamp.Add(r.AuthenticationOptions.AuthenticateRateLimiterDuration).After(now) {
 failedLoginAttempts++
 }
diff --git a/pkg/controller/user/user_controller_test.go b/pkg/controller/user/user_controller_test.go
index 58b59033f..7fa484e20 100644
--- a/pkg/controller/user/user_controller_test.go
+++ b/pkg/controller/user/user_controller_test.go
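Review bot: The new `afterStateTransition` filter in the user_controller.go hunk compares with a strict `After` against `user.Status.LastTransitionTime`, so a failed login stamped in the same second as the transition is never counted; metav1.Time is serialized with one-second precision, so such ties are plausible. Because this count drives the login lockout, the boundary should be chosen deliberately: `!loginRecord.CreationTimestamp.Time.Before(user.Status.LastTransitionTime.Time)` would count ties. Either way the intent deserves a comment, for example `// Ignore failures recorded before the last state transition so a manual re-activation is not undone by old records.` The filter also means that any write to `LastTransitionTime` resets the failure count, so every code path that updates that field is now part of the lockout control; those paths are not visible here. syncUserStatus starts and ends outside the hunk.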
@@ -68,9 +68,11 @@ func TestDoNothing(t *testing.T) {
 for i := 0; i < authenticateOptions.AuthenticateRateLimiterMaxTries+1; i++ {
 loginRecord := iamv1alpha2.LoginRecord{
 ObjectMeta: metav1.ObjectMeta{
- Name: fmt.Sprintf("%s-%d", user.Name, i),
- Labels: map[string]string{iamv1alpha2.UserReferenceLabel: user.Name},
- CreationTimestamp: metav1.Now(),
+ Name: fmt.Sprintf("%s-%d", user.Name, i),
+ Labels: map[string]string{iamv1alpha2.UserReferenceLabel: user.Name},
+ // Ensure that the failed login record created after the user status change to active,
+ // otherwise, the failed login attempts will not be counted.
+ CreationTimestamp: metav1.NewTime(time.Now().Add(time.Minute)),
 },
 Spec: iamv1alpha2.LoginRecordSpec{
 Success: false,
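Review bot: No test in this commit covers the behaviour being fixed. The diffstat's 8 changed lines for this file are all in this hunk, which only moves `CreationTimestamp` one minute into the future so the existing failed records still count. A case that creates failed records older than `LastTransitionTime` and asserts the user is not locked again would pin the fix, and a record stamped exactly at the transition time would pin the boundary of the lockout counter. Future-dated records also tie the test to wall-clock arithmetic; if the fixture allows it (it is outside the hunk), setting `LastTransitionTime` explicitly and dating the records relative to it would state the intent more directly. TestDoNothing continues outside the hunk.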