Merge pull request #4870 from wansir/fix-4857

Fix: restricted users cannot activate manually
2022-05-12 14:08:04 +08:00
parent 788fc508e3 a67451a51a
commit 1c96f99072
2 changed files with 7 additions and 3 deletions
--- a/pkg/controller/user/user_controller.go
+++ b/pkg/controller/user/user_controller.go
@@ -530,7 +530,9 @@ func (r *Reconciler) syncUserStatus(ctx context.Context, user *iamv1alpha2.User)
 	now := time.Now()
 	failedLoginAttempts := 0
 	for _, loginRecord := range records.Items {
+		afterStateTransition := user.Status.LastTransitionTime == nil || loginRecord.CreationTimestamp.After(user.Status.LastTransitionTime.Time)
 		if !loginRecord.Spec.Success &&
+			afterStateTransition &&
 			loginRecord.CreationTimestamp.Add(r.AuthenticationOptions.AuthenticateRateLimiterDuration).After(now) {
 			failedLoginAttempts++
 		}
--- a/pkg/controller/user/user_controller_test.go
+++ b/pkg/controller/user/user_controller_test.go
@@ -68,9 +68,11 @@ func TestDoNothing(t *testing.T) {
 	for i := 0; i < authenticateOptions.AuthenticateRateLimiterMaxTries+1; i++ {
 		loginRecord := iamv1alpha2.LoginRecord{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:              fmt.Sprintf("%s-%d", user.Name, i),
-				Labels:            map[string]string{iamv1alpha2.UserReferenceLabel: user.Name},
-				CreationTimestamp: metav1.Now(),
+				Name:   fmt.Sprintf("%s-%d", user.Name, i),
+				Labels: map[string]string{iamv1alpha2.UserReferenceLabel: user.Name},
+				// Ensure that the failed login record created after the user status change to active,
+				// otherwise, the failed login attempts will not be counted.
+				CreationTimestamp: metav1.NewTime(time.Now().Add(time.Minute)),
 			},
 			Spec: iamv1alpha2.LoginRecordSpec{
 				Success: false,