public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Auth: Add IP address login attempt validation (#98123)

Browse Source 
* Auth: Add IP address login attempt validation

* LoginAttempt struct IpAddress field must be camelCase to match db ip_address column

* add setting DisableIPAddressLoginProtection

* lint

* add DisableIPAddressLoginProtection setting to tests

* add request object to authenticate password test

* nit suggestions & rename tests

* add login attempt on failed password authentication

* dont need to reset login attempts if successful

* don't change error message

* revert go.work.sum

* Update pkg/services/authn/clients/password.go

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>

---------

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
This commit is contained in:
colin-stuart
2025-02-05 13:16:36 -05:00
committed by GitHub
parent d58dec7951
commit 6200361f36
15 changed files with 224 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/services/authn/clients/password.go
+11 -2
View File
@@ -39,6 +39,14 @@ func (c *Password) AuthenticatePassword(ctx context.Context, r *authn.Request, u
return nil, errPasswordAuthFailed.Errorf("too many consecutive incorrect login attempts for user - login for user temporarily blocked")
}
ok, err = c.loginAttempts.ValidateIPAddress(ctx, web.RemoteAddr(r.HTTPRequest))
if err != nil {
return nil, err
}
if !ok {
return nil, errPasswordlessClientTooManyLoginAttempts.Errorf("too many consecutive incorrect login attempts for IP address - login for IP address temporarily blocked")
}
if len(password) == 0 {
return nil, errPasswordAuthFailed.Errorf("no password provided")
}
@@ -56,8 +64,9 @@ func (c *Password) AuthenticatePassword(ctx context.Context, r *authn.Request, u
return identity, nil
}
if errors.Is(clientErrs, errInvalidPassword) {
_ = c.loginAttempts.Add(ctx, username, web.RemoteAddr(r.HTTPRequest))
err = c.loginAttempts.Add(ctx, username, web.RemoteAddr(r.HTTPRequest))
if err != nil {
return nil, err
}
return nil, errPasswordAuthFailed.Errorf("failed to authenticate identity: %w", clientErrs)
pkg/services/authn/clients/password_test.go
+18 -8
View File
@@ -2,6 +2,8 @@ package clients
import (
"context"
"net/http"
"net/url"
"testing"
"github.com/stretchr/testify/assert"
@@ -18,7 +20,6 @@ func TestPassword_AuthenticatePassword(t *testing.T) {
desc string
username string
password string
req *authn.Request
blockLogin bool
clients []authn.PasswordClient
expectedErr error
@@ -30,7 +31,6 @@ func TestPassword_AuthenticatePassword(t *testing.T) {
desc: "should success when password client return identity",
username: "test",
password: "test",
req: &authn.Request{},
clients: []authn.PasswordClient{authntest.FakePasswordClient{ExpectedIdentity: &authn.Identity{ID: "1", Type: claims.TypeUser}}},
expectedIdentity: &authn.Identity{ID: "1", Type: claims.TypeUser},
},
@@ -38,7 +38,6 @@ func TestPassword_AuthenticatePassword(t *testing.T) {
desc: "should success when found in second client",
username: "test",
password: "test",
req: &authn.Request{},
clients: []authn.PasswordClient{authntest.FakePasswordClient{ExpectedErr: errIdentityNotFound}, authntest.FakePasswordClient{ExpectedIdentity: &authn.Identity{ID: "2", Type: claims.TypeUser}}},
expectedIdentity: &authn.Identity{ID: "2", Type: claims.TypeUser},
},
@@ -46,14 +45,12 @@ func TestPassword_AuthenticatePassword(t *testing.T) {
desc: "should fail for empty password",
username: "test",
password: "",
req: &authn.Request{},
expectedErr: errPasswordAuthFailed,
},
{
desc: "should if login is blocked by to many attempts",
username: "test",
password: "test",
req: &authn.Request{},
blockLogin: true,
expectedErr: errPasswordAuthFailed,
},
@@ -61,7 +58,6 @@ func TestPassword_AuthenticatePassword(t *testing.T) {
desc: "should fail when not found in any clients",
username: "test",
password: "test",
req: &authn.Request{},
clients: []authn.PasswordClient{authntest.FakePasswordClient{ExpectedErr: errIdentityNotFound}, authntest.FakePasswordClient{ExpectedErr: errIdentityNotFound}},
expectedErr: errPasswordAuthFailed,
},
@@ -70,8 +66,22 @@ func TestPassword_AuthenticatePassword(t *testing.T) {
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
c := ProvidePassword(loginattempttest.FakeLoginAttemptService{ExpectedValid: !tt.blockLogin}, tt.clients...)
identity, err := c.AuthenticatePassword(context.Background(), tt.req, tt.username, tt.password)
r := &authn.Request{
OrgID: 12345,
HTTPRequest: &http.Request{
Method: "GET",
URL: &url.URL{
Scheme: "https",
Host: "example.com",
Path: "/api/v1/resource",
},
Header: http.Header{
"Content-Type": []string{"application/json"},
"User-Agent": []string{"MyApp/1.0"},
},
},
}
identity, err := c.AuthenticatePassword(context.Background(), r, tt.username, tt.password)
if tt.expectedErr != nil {
assert.ErrorIs(t, err, tt.expectedErr)
assert.Nil(t, identity)
pkg/services/authn/clients/passwordless.go
+9 -1
View File
@@ -105,7 +105,6 @@ func (c *Passwordless) RedirectURL(ctx context.Context, r *authn.Request) (*auth
return nil, err
}
// TODO: add IP address validation
ok, err := c.loginAttempts.Validate(ctx, form.Email)
if err != nil {
return nil, err
@@ -115,6 +114,15 @@ func (c *Passwordless) RedirectURL(ctx context.Context, r *authn.Request) (*auth
return nil, errPasswordlessClientTooManyLoginAttempts.Errorf("too many consecutive incorrect login attempts for user - login for user temporarily blocked")
}
ok, err = c.loginAttempts.ValidateIPAddress(ctx, web.RemoteAddr(r.HTTPRequest))
if err != nil {
return nil, err
}
if !ok {
return nil, errPasswordlessClientTooManyLoginAttempts.Errorf("too many consecutive incorrect login attempts for IP address - login for IP address temporarily blocked")
}
err = c.loginAttempts.Add(ctx, form.Email, web.RemoteAddr(r.HTTPRequest))
if err != nil {
return nil, err