synapse 2.197.0__py311-none-any.whl → 2.198.0__py311-none-any.whl

synapse/lib/storm.lark

@@ -40,7 +40,7 @@ _editblock: "[" _editoper* "]"
 // A single edit operation
 _editoper: editnodeadd
             | editpropset | editunivset | edittagpropset | edittagadd | editcondpropset
-            | editpropdel | editunivdel | edittagpropdel | edittagdel
+            | editpropsetmulti | editpropdel | editunivdel | edittagpropdel | edittagdel
             | editparens | edgeaddn1 | edgedeln1 | edgeaddn2 | edgedeln2
 
 // Parenthesis in an edit block don't have incoming nodes
@@ -48,18 +48,20 @@ editparens: "(" editnodeadd _editoper* ")"
 edittagadd: "+" [SETTAGOPER] tagname [(EQSPACE | EQNOSPACE) _valu]
 editunivdel: EXPRMINUS univprop
 edittagdel: EXPRMINUS tagname
-editpropset: relprop (EQSPACE | EQNOSPACE | MODSET | TRYSET | TRYSETPLUS | TRYSETMINUS) _valu
+editpropset: relprop (EQSPACE | EQNOSPACE | MODSET | TRYSET | TRYMODSET) _valu
 editcondpropset: relprop condsetoper _valu
+editpropsetmulti: relprop (MODSETMULTI | TRYMODSETMULTI) _valu
 editpropdel: EXPRMINUS relprop
-editunivset: univprop (EQSPACE | EQNOSPACE | MODSET | TRYSET | TRYSETPLUS | TRYSETMINUS) _valu
-editnodeadd: formname (EQSPACE | EQNOSPACE | MODSET | TRYSET | TRYSETPLUS | TRYSETMINUS) _valu
-edittagpropset: "+" tagprop (EQSPACE | EQNOSPACE | MODSET | TRYSET | TRYSETPLUS | TRYSETMINUS) _valu
+editunivset: univprop (EQSPACE | EQNOSPACE | MODSET | TRYSET | TRYMODSET) _valu
+editnodeadd: formname (EQSPACE | EQNOSPACE | MODSET | TRYSET | TRYMODSET) _valu
+edittagpropset: "+" tagprop (EQSPACE | EQNOSPACE | MODSET | TRYSET | TRYMODSET) _valu
 edittagpropdel: EXPRMINUS tagprop
 
 EQSPACE: /((?<=\s)=|=(?=\s))/
 MODSET.4: "+=" | "-="
-TRYSETPLUS.1: "?+="
-TRYSETMINUS.1: "?-="
+TRYMODSET.1: "?+=" | "?-="
+MODSETMULTI.4: "++=" | "--="
+TRYMODSETMULTI.1: "?++=" | "?--="
 TRYSET.1: "?="
 SETTAGOPER: "?"
 
@@ -226,10 +228,10 @@ _EDGEN2JOININIT: "<+("
 // comparisons to an expression like '<(2)'
 _EDGEN2INIT: /\<\((?=(?>(?<EDGEN2INITRECUR>\(((?>[^()"'`]+|(?&EDGEN2INITRECUR)|`(?:[^`\\]|\\.)*`|"(?:[^"\\]|\\.)*"|'''.*?'''|'[^']*'(?!'))*)\))|'''.*?'''|`(?:[^`\\]|\\.)*`|"(?:[^"\\]|\\.)*"|'[^']*'(?!')|[^)])*\)[\-\+])/
 
-edgeaddn1: _EDGEADDN1INIT _valu _EDGEN1FINI baresubquery
-edgedeln1: _EDGEN1INIT _valu _EDGEN1FINI baresubquery
-edgeaddn2: _EDGEN2INIT _valu _EDGEADDN2FINI baresubquery
-edgedeln2: _EDGEN2INIT _valu _EDGEN2FINI baresubquery
+edgeaddn1: _EDGEADDN1INIT _valu _EDGEN1FINI (baresubquery | _varvalu)
+edgedeln1: _EDGEN1INIT _valu _EDGEN1FINI (baresubquery | _varvalu)
+edgeaddn2: _EDGEN2INIT _valu _EDGEADDN2FINI (baresubquery | _varvalu)
+edgedeln2: _EDGEN2INIT _valu _EDGEN2FINI (baresubquery | _varvalu)
 
 _REVERSE: /reverse(?=[\s\(])/
 liftreverse: _REVERSE "(" (liftformtag | liftpropby | liftprop | liftbyarray | lifttagtag | liftbytag | liftbytagprop | liftbyformtagprop) ")"

synapse/lib/storm.py

@@ -1299,7 +1299,7 @@ stormcmds = (
 
 @s_cache.memoize(size=1024)
 def queryhash(text):
-    return hashlib.md5(text.encode(errors='surrogatepass'), usedforsecurity=False).hexdigest()
+    return s_common.queryhash(text)
 
 class DmonManager(s_base.Base):
     '''

synapse/lib/storm_format.py

@@ -55,6 +55,7 @@ TerminalPygMap = {
     'LSQB': p_t.Punctuation,
     'MCASEBARE': p_t.Literal.String,
     'MODSET': p_t.Operator,
+    'MODSETMULTI': p_t.Operator,
     'NONQUOTEWORD': p_t.Literal,
     'NOT': p_t.Keyword,
     'NULL': p_t.Keyword,
@@ -74,8 +75,8 @@ TerminalPygMap = {
     'TAGSEGNOVAR': p_t.Name,
     'TRIPLEQUOTEDSTRING': p_t.Literal.String,
     'TRYSET': p_t.Operator,
-    'TRYSETMINUS': p_t.Operator,
-    'TRYSETPLUS': p_t.Operator,
+    'TRYMODSET': p_t.Operator,
+    'TRYMODSETMULTI': p_t.Operator,
     'UNIVNAME': p_t.Name,
     'UNSET': p_t.Operator,
     'EXPRUNIVNAME': p_t.Name,

synapse/lib/stormtypes.py

@@ -3490,7 +3490,11 @@ class LibRegx(Lib):
         lkey = (pattern, flags)
         regx = self.compiled.get(lkey)
         if regx is None:
-            regx = self.compiled[lkey] = regex.compile(pattern, flags=flags)
+            try:
+                regx = self.compiled[lkey] = regex.compile(pattern, flags=flags)
+            except (regex.error, ValueError) as e:
+                mesg = f'Error compiling regex pattern: {e}: pattern="{s_common.trimText(pattern)}"'
+                raise s_exc.BadArg(mesg=mesg) from None
         return regx
 
     @stormfunc(readonly=True)
@@ -3500,7 +3504,12 @@ class LibRegx(Lib):
         pattern = await tostr(pattern)
         replace = await tostr(replace)
         regx = await self._getRegx(pattern, flags)
-        return regx.sub(replace, text)
+
+        try:
+            return regx.sub(replace, text)
+        except (regex.error, IndexError) as e:
+            mesg = f'$lib.regex.replace() error: {e}'
+            raise s_exc.BadArg(mesg=mesg) from None
 
     @stormfunc(readonly=True)
     async def matches(self, pattern, text, flags=0):
@@ -9868,7 +9877,7 @@ async def tostor(valu, isndef=False):
         retn = []
         for v in valu:
             try:
-                retn.append(await tostor(v))
+                retn.append(await tostor(v, isndef=isndef))
             except s_exc.NoSuchType:
                 pass
         return tuple(retn)
@@ -9877,7 +9886,7 @@ async def tostor(valu, isndef=False):
         retn = {}
         for k, v in valu.items():
             try:
-                retn[k] = await tostor(v)
+                retn[k] = await tostor(v, isndef=isndef)
             except s_exc.NoSuchType:
                 pass
         return retn

synapse/lib/version.py

@@ -223,6 +223,6 @@ def reqVersion(valu, reqver,
 ##############################################################################
 # The following are touched during the release process by bumpversion.
 # Do not modify these directly.
-version = (2, 197, 0)
+version = (2, 198, 0)
 verstring = '.'.join([str(x) for x in version])
-commit = 'c8c758131cae47ef21e23ac8242012459ebfce9d'
+commit = '047e5e996d0bcaad4ada4ea390a726aca1abba9b'

synapse/models/infotech.py

@@ -1252,6 +1252,15 @@ class ItModule(s_module.CoreModule):
                     ('product', ('it:prod:softver', {}), {
                         'doc': 'The software which produced the log entry.'}),
 
+                    ('service:platform', ('inet:service:platform', {}), {
+                        'doc': 'The service platform which generated the log event.'}),
+
+                    ('service:instance', ('inet:service:instance', {}), {
+                        'doc': 'The service instance which generated the log event.'}),
+
+                    ('service:account', ('inet:service:account', {}), {
+                        'doc': 'The service account which generated the log event.'}),
+
                 )),
                 ('it:domain', {}, (
                     ('name', ('str', {'lower': True, 'onespace': True}), {
@@ -2587,6 +2596,15 @@ class ItModule(s_module.CoreModule):
 
                     ('synuser', ('syn:user', {}), {
                         'doc': 'The synapse user who executed the query.'}),
+
+                    ('service:platform', ('inet:service:platform', {}), {
+                        'doc': 'The service platform which was queried.'}),
+
+                    ('service:instance', ('inet:service:instance', {}), {
+                        'doc': 'The service instance which was queried.'}),
+
+                    ('service:account', ('inet:service:account', {}), {
+                        'doc': 'The service account which ran the query.'}),
                 )),
                 ('it:exec:thread', {}, (
                     ('proc', ('it:exec:proc', {}), {

synapse/models/risk.py

@@ -810,6 +810,15 @@ class RiskModule(s_module.CoreModule):
 
                     ('host', ('it:host', {}), {
                         'doc': 'The host which generated the alert.'}),
+
+                    ('service:platform', ('inet:service:platform', {}), {
+                        'doc': 'The service platform which generated the alert.'}),
+
+                    ('service:instance', ('inet:service:instance', {}), {
+                        'doc': 'The service instance which generated the alert.'}),
+
+                    ('service:account', ('inet:service:account', {}), {
+                        'doc': 'The service account which generated the alert.'}),
                 )),
                 ('risk:compromisetype', {}, ()),
                 ('risk:compromise', {}, (

synapse/models/syn.py

@@ -23,7 +23,15 @@ class SynUser(s_types.Guid):
             if user is not None:
                 return user.iden, {}
 
-        return s_types.Guid._normPyStr(self, text)
+        if text == '*':
+            mesg = f'{self.name} values must be a valid username or a guid.'
+            raise s_exc.BadTypeValu(mesg=mesg, name=self.name, valu=text)
+
+        try:
+            return s_types.Guid._normPyStr(self, text)
+        except s_exc.BadTypeValu:
+            mesg = f'No user named {text} and value is not a guid.'
+            raise s_exc.BadTypeValu(mesg=mesg, name=self.name, valu=text) from None
 
     def repr(self, iden):
 
@@ -51,7 +59,15 @@ class SynRole(s_types.Guid):
             if role is not None:
                 return role.iden, {}
 
-        return s_types.Guid._normPyStr(self, text)
+        if text == '*':
+            mesg = f'{self.name} values must be a valid rolename or a guid.'
+            raise s_exc.BadTypeValu(mesg=mesg, name=self.name, valu=text)
+
+        try:
+            return s_types.Guid._normPyStr(self, text)
+        except s_exc.BadTypeValu:
+            mesg = f'No role named {text} and value is not a guid.'
+            raise s_exc.BadTypeValu(mesg=mesg, name=self.name, valu=text) from None
 
     def repr(self, iden):
 

synapse/tests/files/stormpkg/badendpoints.yaml

@@ -0,0 +1,7 @@
+name: test
+version: 0.0.1
+commands:
+  - name: 'foo.bar'
+    storm: (null)
+    endpoints:
+      - host: vertex.link

synapse/tests/files/stormpkg/testpkg.yaml

@@ -113,6 +113,14 @@ commands:
           - help: Help on foo opt
         - - --bar
           - help: Help on bar opt
+      storm: |
+        test:str
+      endpoints:
+        - path: /v1/test/one
+        - path: /v1/test/two
+          host: vertex.link
+        - path: /v1/test/three
+          desc: endpoint three
 
     - name: testpkg.baz
       descr: |

synapse/tests/test_cortex.py

@@ -1001,6 +1001,114 @@ class CortexTest(s_t_utils.SynTest):
             self.eq(cm.exception.get('mesg'),
                     'walk operation expected a string or list.  got: 0.')
 
+            await core.nodes('[media:news=*]')
+
+            nodes = await core.nodes('$n = {[it:dev:str=foo]} media:news [ +(refs)> $n ]')
+            self.len(1, nodes)
+            self.eq(nodes[0].ndef[0], 'media:news')
+
+            nodes = await core.nodes('media:news -(refs)> it:dev:str')
+            self.len(1, nodes)
+
+            q = '''
+            function foo() {
+                for $x in $lib.range(5) {
+                    [ it:dev:int=$x ]
+                    emit $node
+                }
+            }
+            media:news [ +(refs)> $foo() ]
+            '''
+            nodes = await core.nodes(q)
+            self.len(1, nodes)
+            self.eq(nodes[0].ndef[0], 'media:news')
+
+            nodes = await core.nodes('media:news -(refs)> it:dev:int')
+            self.len(5, nodes)
+
+            nodes = await core.nodes('$n = {[it:dev:str=foo]} media:news [ -(refs)> $n ]')
+            self.len(1, nodes)
+            self.eq(nodes[0].ndef[0], 'media:news')
+
+            nodes = await core.nodes('media:news -(refs)> it:dev:str')
+            self.len(0, nodes)
+
+            q = '''
+            function foo() {
+                for $x in $lib.range(5) {
+                    [ it:dev:int=$x ]
+                    emit $node
+                }
+            }
+            media:news [ -(refs)> $foo() ]
+            '''
+            nodes = await core.nodes(q)
+            self.len(1, nodes)
+            self.eq(nodes[0].ndef[0], 'media:news')
+
+            nodes = await core.nodes('media:news -(refs)> it:dev:int')
+            self.len(0, nodes)
+
+            nodes = await core.nodes('$n = {[it:dev:str=foo]} media:news [ <(refs)+ $n ]')
+            self.len(1, nodes)
+            self.eq(nodes[0].ndef[0], 'media:news')
+
+            nodes = await core.nodes('media:news <(refs)- it:dev:str')
+            self.len(1, nodes)
+
+            q = '''
+            function foo() {
+                for $x in $lib.range(5) {
+                    [ it:dev:int=$x ]
+                    emit $node
+                }
+            }
+            media:news [ <(refs)+ $foo() ]
+            '''
+            nodes = await core.nodes(q)
+            self.len(1, nodes)
+            self.eq(nodes[0].ndef[0], 'media:news')
+
+            nodes = await core.nodes('media:news <(refs)- it:dev:int')
+            self.len(5, nodes)
+
+            nodes = await core.nodes('$n = {[it:dev:str=foo]} media:news [ <(refs)- $n ]')
+            self.len(1, nodes)
+            self.eq(nodes[0].ndef[0], 'media:news')
+
+            nodes = await core.nodes('media:news <(refs)- it:dev:str')
+            self.len(0, nodes)
+
+            q = '''
+            function foo() {
+                for $x in $lib.range(5) {
+                    [ it:dev:int=$x ]
+                    emit $node
+                }
+            }
+            media:news [ <(refs)- $foo() ]
+            '''
+            nodes = await core.nodes(q)
+            self.len(1, nodes)
+            self.eq(nodes[0].ndef[0], 'media:news')
+
+            nodes = await core.nodes('media:news <(refs)- it:dev:int')
+            self.len(0, nodes)
+
+            await core.nodes('[media:news=*]')
+
+            nodes = await core.nodes('$n = {[it:dev:str=foo]} $edge=refs media:news [ +($edge)> $n ]')
+            self.len(2, nodes)
+
+            nodes = await core.nodes('media:news -(refs)> it:dev:str')
+            self.len(2, nodes)
+
+            nodes = await core.nodes('$n = {[it:dev:str=foo]} $edge=refs media:news [ -($edge)> $n ]')
+            self.len(2, nodes)
+
+            nodes = await core.nodes('media:news -(refs)> it:dev:str')
+            self.len(0, nodes)
+
     async def test_cortex_callstorm(self):
 
         async with self.getTestCore(conf={'auth:passwd': 'root'}) as core:

synapse/tests/test_lib_aha.py

@@ -133,9 +133,14 @@ class AhaTest(s_test.SynTest):
         with self.getTestDir() as dirn:
             cryo0_dirn = s_common.gendir(dirn, 'cryo0')
             async with self.getTestAha(dirn=dirn) as aha:
+
+                replaymult = 1
+                if s_common.envbool('SYNDEV_NEXUS_REPLAY'):
+                    replaymult = 2
+
                 purl = await aha.addAhaSvcProv('0.cryo')
 
-                wait00 = aha.waiter(1, 'aha:svcadd')
+                wait00 = aha.waiter(1 * replaymult, 'aha:svcadd')
 
                 conf = {'aha:provision': purl}
                 async with self.getTestCryo(dirn=cryo0_dirn, conf=conf) as cryo:
@@ -444,8 +449,13 @@ class AhaTest(s_test.SynTest):
 
             async with self.getTestAha() as aha:
 
+                replaymult = 1
+                if s_common.envbool('SYNDEV_NEXUS_REPLAY'):
+                    replaymult = 2
+
                 aha.testerr = True
                 wait00 = aha.waiter(1, 'aha:svcadd')
+
                 conf = {'aha:provision': await aha.addAhaSvcProv('0.cryo')}
                 async with self.getTestCryo(conf=conf) as cryo:
 
@@ -454,7 +464,7 @@ class AhaTest(s_test.SynTest):
                     svc = await aha.getAhaSvc('0.cryo...')
                     self.none(svc)
 
-                    wait01 = aha.waiter(1, 'aha:svcadd')
+                    wait01 = aha.waiter(1 * replaymult, 'aha:svcadd')
                     aha.testerr = False
 
                     self.nn(await wait01.wait(timeout=2))

synapse/tests/test_lib_ast.py

@@ -492,6 +492,63 @@ class AstTest(s_test.SynTest):
                 q = '$foo=newp [test:str=foo :hehe*$foo=heval]'
                 nodes = await core.nodes(q)
 
+    async def test_ast_setmultioper(self):
+        async with self.getTestCore() as core:
+
+            nodes = await core.nodes('[ test:arrayprop="*" :ints=(1,) ]')
+            self.eq(nodes[0].get('ints'), (1,))
+
+            nodes = await core.nodes('test:arrayprop [ :ints++=([3, 4]) ]')
+            self.eq(nodes[0].get('ints'), (1, 3, 4))
+
+            nodes = await core.nodes('test:arrayprop [ :ints++=(null) ]')
+            self.eq(nodes[0].get('ints'), (1, 3, 4))
+
+            nodes = await core.nodes('test:arrayprop [ :ints--=(null) ]')
+            self.eq(nodes[0].get('ints'), (1, 3, 4))
+
+            nodes = await core.nodes('test:arrayprop [ :strs++=(foo, bar, baz) ]')
+            self.eq(nodes[0].get('strs'), ('foo', 'bar', 'baz'))
+
+            with self.raises(s_exc.BadTypeValu):
+                await core.nodes('test:arrayprop [ :ints++=(["newp", 5, 6]) ]')
+
+            nodes = await core.nodes('test:arrayprop [ :ints?++=(["newp", 5, 6]) ]')
+            self.eq(nodes[0].get('ints'), (1, 3, 4, 5, 6))
+
+            with self.raises(s_exc.BadTypeValu):
+                await core.nodes('test:arrayprop [ :ints--=(["newp", 5, 6]) ]')
+
+            nodes = await core.nodes('test:arrayprop [ :ints?--=(["newp", 5, 6, 7]) ]')
+            self.eq(nodes[0].get('ints'), (1, 3, 4))
+
+            nodes = await core.nodes('[ test:str=foo :ndefs++={[ test:str=bar ]} ]')
+            self.eq(nodes[0].get('ndefs'), (('test:str', 'bar'),))
+
+            nodes = await core.nodes('test:str=foo  [ :ndefs++={[ test:str=baz test:str=faz ]} ]')
+            self.eq(nodes[0].get('ndefs'), (('test:str', 'bar'), ('test:str', 'baz'), ('test:str', 'faz')))
+
+            nodes = await core.nodes('test:str=foo  [ :ndefs--={ test:str=baz test:str=faz } ]')
+            self.eq(nodes[0].get('ndefs'), (('test:str', 'bar'),))
+
+            with self.raises(s_exc.NoSuchProp):
+                await core.nodes('test:arrayprop [ :newp++=(["newp", 5, 6]) ]')
+
+            badq = [
+                'test:str [ :hehe++=([3, 4]) ]',
+                'test:str [ :hehe?++=([3, 4]) ]',
+                'test:str [ :hehe--=([3, 4]) ]',
+                'test:str [ :hehe?--=([3, 4]) ]',
+                'test:arrayprop [ :ints++=(3) ]',
+                'test:arrayprop [ :ints?++=(3) ]',
+                'test:arrayprop [ :ints--=(3) ]',
+                'test:arrayprop [ :ints?--=(3) ]',
+            ]
+
+            for q in badq:
+                with self.raises(s_exc.StormRuntimeError):
+                    await core.nodes(q)
+
     async def test_ast_editparens(self):
 
         async with self.getTestCore() as core:

synapse/tests/test_lib_auth.py

@@ -1,9 +1,15 @@
 import string
 import pathlib
 
+from unittest import mock
+
 import synapse.exc as s_exc
+import synapse.common as s_common
 import synapse.telepath as s_telepath
-import synapse.lib.hiveauth as s_hiveauth
+
+import synapse.lib.auth as s_auth
+import synapse.lib.cell as s_cell
+import synapse.lib.lmdbslab as s_lmdbslab
 
 import synapse.tests.utils as s_test
 
@@ -426,6 +432,126 @@ class AuthTest(s_test.SynTest):
             with self.raises(s_exc.SchemaViolation):
                 await core.auth.allrole.setRules([(True, )])
 
+    async def test_auth_archived_locked_interaction(self):
+
+        # Check that we can't unlock an archived user
+        async with self.getTestCore() as core:
+            lowuser = await core.addUser('lowuser')
+            useriden = lowuser.get('iden')
+
+            await core.setUserArchived(useriden, True)
+
+            udef = await core.getUserDef(useriden)
+            self.true(udef.get('archived'))
+            self.true(udef.get('locked'))
+
+            # Unlocking an archived user is invalid
+            with self.raises(s_exc.BadArg) as exc:
+                await core.setUserLocked(useriden, False)
+            self.eq(exc.exception.get('mesg'), 'Cannot unlock archived user.')
+            self.eq(exc.exception.get('user'), useriden)
+            self.eq(exc.exception.get('username'), 'lowuser')
+
+        # Check our cell migration that locks archived users
+        async with self.getRegrCore('unlocked-archived-users') as core:
+            for ii in range(10):
+                user = await core.getUserDefByName(f'lowuser{ii:02d}')
+                self.nn(user)
+                self.true(user.get('archived'))
+                self.true(user.get('locked'))
+
+        # Check behavior of upgraded mirrors and non-upgraded leader
+        async with self.getTestAha() as aha:
+
+            with self.getTestDir() as dirn:
+                path00 = s_common.gendir(dirn, 'cell00')
+                path01 = s_common.gendir(dirn, 'cell01')
+
+                with mock.patch('synapse.lib.cell.NEXUS_VERSION', (2, 177)):
+                    async with self.addSvcToAha(aha, '00.cell', s_cell.Cell, dirn=path00) as cell00:
+                        lowuser = await cell00.addUser('lowuser')
+                        useriden = lowuser.get('iden')
+                        await cell00.setUserArchived(useriden, True)
+
+                        with mock.patch('synapse.lib.cell.NEXUS_VERSION', (2, 198)):
+                            async with self.addSvcToAha(aha, '01.cell', s_cell.Cell, dirn=path01, provinfo={'mirror': 'cell'}) as cell01:
+                                await cell01.sync()
+                                udef = await cell01.getUserDef(useriden)
+                                self.true(udef.get('locked'))
+                                self.true(udef.get('archived'))
+
+                                # Simulate a call to cell00.setUserLocked(useriden, False) to bypass
+                                # the check in cell00.auth.setUserInfo()
+                                await cell00.auth._push('user:info', useriden, 'locked', False)
+                                await cell01.sync()
+
+                                udef00 = await cell00.getUserDef(useriden)
+                                self.true(udef00.get('archived'))
+                                self.false(udef00.get('locked'))
+
+                                udef01 = await cell01.getUserDef(useriden)
+                                self.true(udef01.get('archived'))
+                                self.false(udef01.get('locked'))
+
+        # Check that we don't blowup/schism if an upgraded mirror is behind a leader with a pending
+        # user:info event that unlocks an archived user
+        async with self.getTestAha() as aha:
+
+            with self.getTestDir() as dirn:
+                path00 = s_common.gendir(dirn, 'cell00')
+                path01 = s_common.gendir(dirn, 'cell01')
+
+                async with self.addSvcToAha(aha, '00.cell', s_cell.Cell, dirn=path00) as cell00:
+                    lowuser = await cell00.addUser('lowuser')
+                    useriden = lowuser.get('iden')
+                    await cell00.setUserLocked(useriden, True)
+
+                    async with self.addSvcToAha(aha, '01.cell', s_cell.Cell, dirn=path01, provinfo={'mirror': 'cell'}) as cell01:
+                        await cell01.sync()
+                        udef = await cell01.getUserDef(useriden)
+                        self.true(udef.get('locked'))
+                        self.false(udef.get('archived'))
+
+                    # Set user locked while cell01 is offline so it will get the edit when it comes
+                    # back
+                    await cell00.setUserLocked(useriden, False)
+                    await cell00.sync()
+
+                # Edit the slabs on both cells directly to archive the user
+                lmdb00 = s_common.genpath(path00, 'slabs', 'cell.lmdb')
+                lmdb01 = s_common.genpath(path01, 'slabs', 'cell.lmdb')
+
+                slab00 = await s_lmdbslab.Slab.anit(lmdb00, map_size=s_cell.SLAB_MAP_SIZE)
+                slab01 = await s_lmdbslab.Slab.anit(lmdb01, map_size=s_cell.SLAB_MAP_SIZE)
+
+                # Simulate the cell migration which locks archived users
+                for slab in (slab00, slab01):
+                    authkv = slab.getSafeKeyVal('auth')
+                    userkv = authkv.getSubKeyVal('user:info:')
+
+                    info = userkv.get(useriden)
+                    info['archived'] = True
+                    info['locked'] = True
+                    userkv.set(useriden, info)
+
+                await slab00.fini()
+                await slab01.fini()
+
+                # Spin the cells back up and wait for the edit to sync to cell01
+                async with self.addSvcToAha(aha, '00.cell', s_cell.Cell, dirn=path00) as cell00:
+                    udef = await cell00.getUserDef(useriden)
+                    self.true(udef.get('archived'))
+                    self.true(udef.get('locked'))
+
+                    async with self.addSvcToAha(aha, '01.cell', s_cell.Cell, dirn=path01, provinfo={'mirror': 'cell'}) as cell01:
+                        await cell01.sync()
+                        udef = await cell01.getUserDef(useriden)
+                        self.true(udef.get('archived'))
+                        self.true(udef.get('locked'))
+
+                        self.ge(cell00.nexsvers, (2, 198))
+                        self.ge(cell01.nexsvers, (2, 198))
+
     async def test_auth_password_policy(self):
         policy = {
             'complexity': {
@@ -446,6 +572,21 @@ class AuthTest(s_test.SynTest):
         pass3 = 'ZXN-pyv7ber-kzq2kgh'
 
         conf = {'auth:passwd:policy': policy}
+        async with self.getTestCore(conf=conf) as core:
+
+            user = await core.auth.addUser('blackout@vertex.link')
+
+            self.none(user.info.get('policy:previous'))
+            await user.setPasswd(pass1, nexs=False)
+            await user.setPasswd(pass2, nexs=False)
+            await user.setPasswd(pass3, nexs=False)
+            self.len(2, user.info.get('policy:previous'))
+
+            await user.tryPasswd('newp')
+            self.eq(1, user.info.get('policy:attempts'))
+            await user.setLocked(False, logged=False)
+            self.eq(0, user.info.get('policy:attempts'))
+
         async with self.getTestCore(conf=conf) as core:
             auth = core.auth
             self.nn(auth.policy)
@@ -708,7 +849,7 @@ class AuthTest(s_test.SynTest):
             await core.callStorm('auth.role.addrule ninjas --gate $gate another.rule',
                                  opts={'vars': {'gate': fork}})
 
-            user = await core.auth.getUserByName('lowuser')  # type: s_hiveauth.HiveUser
+            user = await core.auth.getUserByName('lowuser')  # type: s_auth.User
             self.false(user.allowed(('hehe',)))
             self.false(user.allowed(('hehe',), deepdeny=True))
             self.true(user.allowed(('hehe', 'haha')))