Don't prompt second factor after a failed login attempt (#2088)

Christophe Maudoux 2020-02-26 22:31:22 +01:00
parent 4cebebb062
commit a4a73ca907
15 changed files with 50 additions and 45 deletions


@ -395,6 +395,7 @@ sub display {
DISPLAY_YUBIKEY_FORM => 0,
AUTH_LOOP => [],
MSG => $req->info(),
LOCKTIME => $req->lockTime(),
);
}


@ -9,8 +9,7 @@ our $VERSION = '2.0.8';
extends 'Lemonldap::NG::Portal::Main::Plugin';
# INITIALIZATION
use constant afterData => 'run';
use constant afterSub => { storeHistory => 'run' };
has lockTimes => (
is => 'rw',
@ -53,15 +52,21 @@ sub init {
grep { /\d+/ }
split /\s+/, $self->conf->{bruteForceProtectionLockTimes};
@{ $self->lockTimes } = ( 5, 15, 60, 300, 600 )
unless $lockTimes;
$self->logger->warn( 'Number of incremental lock time values ('
. "$lockTimes) is higher than failed logins history ("
. $self->conf->{failedLoginNumber}
. ')' )
if ( $lockTimes > $self->conf->{failedLoginNumber} );
unless ($lockTimes) {
@{ $self->lockTimes } = ( 5, 15, 60, 300, 600 );
$lockTimes = 5;
}
if ( $lockTimes > $self->conf->{failedLoginNumber} ) {
$self->logger->warn( 'Number of incremental lock time values ('
. "$lockTimes) is higher than failed logins history ("
. $self->conf->{failedLoginNumber}
. ')' );
splice @{ $self->lockTimes }, $self->conf->{failedLoginNumber};
$lockTimes = $self->conf->{failedLoginNumber};
}
my $sum = $self->conf->{bruteForceProtectionMaxAge};
my $sum = $self->conf->{bruteForceProtectionMaxAge} * ( 1 + $self->conf->{failedLoginNumber} - $lockTimes );
$sum += $_ foreach @{ $self->lockTimes };
$self->maxAge($sum);
}
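Review bot: In the `unless ($lockTimes)` branch the count `$lockTimes = 5;` is hard-coded separately from the default list `( 5, 15, 60, 300, 600 )`, so the two can drift apart; derive it instead with `$lockTimes = @{ $self->lockTimes };` right after the assignment. In the following branch, `splice @{ $self->lockTimes }, $self->conf->{failedLoginNumber};` empties the list entirely when `failedLoginNumber` is 0 or unset (offset 0), leaving `maxAge` equal to `bruteForceProtectionMaxAge` alone — either guard that case or add a comment stating that the configuration schema guarantees a positive value, if it does. The `grep { /\d+/ }` on the context line above accepts tokens such as `5s`, so the count can include values that are not clean integers when summed; `/\A\d+\z/` would be the stricter filter, though that line predates this commit. The new `my $sum = ... * ( 1 + $self->conf->{failedLoginNumber} - $lockTimes );` line is well over the usual width and carries no explanation; splitting it and adding `# History must cover the failed logins that have no lock time of their own` would help. `init` begins outside the hunk.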


@ -5,7 +5,11 @@
<TMPL_INCLUDE NAME="customLoginHeader.tpl">
<TMPL_IF NAME="AUTH_ERROR">
<div class="message message-<TMPL_VAR NAME="AUTH_ERROR_TYPE"> alert"><span trmsg="<TMPL_VAR NAME="AUTH_ERROR">"></span></div>
<div class="message message-<TMPL_VAR NAME="AUTH_ERROR_TYPE"> alert"><span trmsg="<TMPL_VAR NAME="AUTH_ERROR">"></span>
<TMPL_IF LOCKTIME>
<TMPL_VAR NAME="LOCKTIME"> <span trspan="seconds">seconds</span>.
</TMPL_IF>
</div>
</TMPL_IF>
<TMPL_IF AUTH_LOOP>
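Review bot: `<TMPL_VAR NAME="LOCKTIME">` is interpolated into the alert unescaped; since the template does not know that `lockTime()` yields a plain integer, `<TMPL_VAR NAME="LOCKTIME" ESCAPE=HTML>` costs nothing and keeps the output safe should the value ever become user-influenced. The new `<span trspan="seconds">` depends on a `seconds` translation key, and none of the 15 files in this commit touches a translation file, so confirm the key already exists or the text will remain untranslated for other locales.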


@ -25,7 +25,7 @@ ok(
),
'Get Menu'
);
ok( $res->[2]->[0] =~ /<span trmsg="37"><\/span><\/div>/,
ok( $res->[2]->[0] =~ /<span trmsg="37">/,
'Rejected with PE_BADURL' )
or print STDERR Dumper( $res->[2]->[0] );
ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
@ -41,7 +41,7 @@ ok(
),
'Get Menu'
);
ok( $res->[2]->[0] =~ /<span trmsg="9"><\/span><\/div>/,
ok( $res->[2]->[0] =~ /<span trmsg="9">/,
'Rejected with PE_FIRSTACCESS' )
or print STDERR Dumper( $res->[2]->[0] );
ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
@ -73,7 +73,7 @@ ok(
),
'Auth query'
);
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
ok( $res->[2]->[0] =~ /<span trmsg="5">/,
'jdoe rejected with PE_BADCREDENTIALS' )
or print STDERR Dumper( $res->[2]->[0] );
ok( $res->[2]->[0] =~ m%<span trspan="connect">Connect</span>%,
@ -93,7 +93,7 @@ ok(
'Auth query'
);
count(1);
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
ok( $res->[2]->[0] =~ /<span trmsg="5">/,
'dwho rejected with PE_BADCREDENTIALS' )
or print STDERR Dumper( $res->[2]->[0] );
count(1);


@ -70,7 +70,7 @@ m#<img class="renewcaptchaclick" src="/static/common/icons/arrow_refresh.png" al
( $host, $url, $query ) =
expectForm( $res, '#', undef, 'user', 'password', 'token' );
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
ok( $res->[2]->[0] =~ /<span trmsg="5">/,
'dalek rejected with PE_BADCREDENTIALS' )
or print STDERR Dumper( $res->[2]->[0] );


@ -50,7 +50,7 @@ ok(
( $host, $url, $query ) =
expectForm( $res, '#', undef, 'user', 'password', 'token' );
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
ok( $res->[2]->[0] =~ /<span trmsg="5">/,
'dalek rejected with PE_BADCREDENTIALS' )
or print STDERR Dumper( $res->[2]->[0] );


@ -211,7 +211,7 @@ expectOK($res);
ok(
$res->[2]->[0] =~
m%<div class="message message-positive alert"><span trmsg="47"></span></div>%,
m%<div class="message message-positive alert"><span trmsg="47">%,
'Dwho has been well disconnected'
) or print STDERR Dumper( $res->[2]->[0] );
count(1);


@ -121,7 +121,7 @@ expectOK($res);
ok(
$res->[2]->[0] =~
m%<div class="message message-positive alert"><span trmsg="47"></span></div>%,
m%<div class="message message-positive alert"><span trmsg="47">%,
'Dwho has been well disconnected'
) or print STDERR Dumper( $res->[2]->[0] );
count(1);


@ -50,7 +50,7 @@ ok(
'Auth query'
);
count(1);
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
ok( $res->[2]->[0] =~ /<span trmsg="5">/,
'dwho rejected with PE_BADCREDENTIALS' )
or print STDERR Dumper( $res->[2]->[0] );
count(1);
@ -105,7 +105,7 @@ ok(
);
count(1);
ok(
$res->[2]->[0] =~ /<span trmsg="41"><\/span><\/div>/,
$res->[2]->[0] =~ /<span trmsg="41">/,
'rtyler rejected with PE_SESSIONNOTGRANTED'
) or print STDERR Dumper( $res->[2]->[0] );
count(1);
@ -121,7 +121,7 @@ ok(
);
count(1);
ok(
$res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
$res->[2]->[0] =~ /<span trmsg="5">/,
'rtyler rejected with PE_BADCREDENTIALS'
) or print STDERR Dumper( $res->[2]->[0] );
count(1);


@ -62,7 +62,7 @@ ok(
);
ok(
$res->[2]->[0] =~
m%<div class="message message-warning alert"><span trmsg="1"></span></div>%,
m%<div class="message message-warning alert"><span trmsg="1">%,
'Found PE_SESSIONEXPIRED code'
) or print STDERR Dumper( $res->[2]->[0] );
count(2);


@ -61,7 +61,7 @@ ok(
);
ok(
$res->[2]->[0] =~
m%<div class="message message-warning alert"><span trmsg="1"></span></div>%,
m%<div class="message message-warning alert"><span trmsg="1">%,
'Found PE_SESSIONEXPIRED code'
) or print STDERR Dumper( $res->[2]->[0] );
count(2);


@ -375,7 +375,7 @@ ok(
);
count(6);
ok( $res->[2]->[0] =~ m%<span trmsg="1"></span>%, 'Found PE_SESSIONEXPIRED' )
ok( $res->[2]->[0] =~ m%<span trmsg="1">%, 'Found PE_SESSIONEXPIRED' )
or explain( $res->[2]->[0], 'Sessuion expired' );
ok(
$res = $client->_get(
@ -403,7 +403,7 @@ expectOK($res);
ok(
$res->[2]->[0] =~
m%<div class="message message-positive alert"><span trmsg="47"></span></div>%,
m%<div class="message message-positive alert"><span trmsg="47">%,
'Dwho has been well disconnected'
) or print STDERR Dumper( $res->[2]->[0] );
count(2);


@ -55,7 +55,7 @@ ok(
),
'Auth query'
);
ok( $res->[2]->[0] =~ m%<span trmsg="40"></span>%, ' PE40 found' )
ok( $res->[2]->[0] =~ m%<span trmsg="40">%, ' PE40 found' )
or explain( $res->[2]->[0], "PE40 - Bad formed user" );
count(2);
@ -83,7 +83,7 @@ ok(
);
ok(
$res->[2]->[0] =~
m%<div class="message message-negative alert"><span trmsg="5"></span></div>%,
m%<div class="message message-negative alert"><span trmsg="5">%,
' PE5 found'
) or explain( $res->[2]->[0], "PE5 - Forbidden identity" );
count(2);
@ -112,7 +112,7 @@ ok(
);
ok(
$res->[2]->[0] =~
m%<div class="message message-negative alert"><span trmsg="93"></span>%,
m%<div class="message message-negative alert"><span trmsg="93">%,
' PE93 found'
) or explain( $res->[2]->[0], "PE93 - Impersonation service not allowed" );
count(2);


@ -54,7 +54,7 @@ ok(
),
'Auth query'
);
ok( $res->[2]->[0] =~ m%<span trmsg="40"></span>%, ' PE40 found' )
ok( $res->[2]->[0] =~ m%<span trmsg="40">%, ' PE40 found' )
or explain( $res->[2]->[0], "PE40 - Bad formed user" );
count(2);
@ -82,7 +82,7 @@ ok(
);
ok(
$res->[2]->[0] =~
m%<div class="message message-negative alert"><span trmsg="5"></span></div>%,
m%<div class="message message-negative alert"><span trmsg="5">%,
' PE5 found'
) or explain( $res->[2]->[0], "PE5 - Forbidden identity" );
count(2);
@ -111,7 +111,7 @@ ok(
);
ok(
$res->[2]->[0] =~
m%<div class="message message-negative alert"><span trmsg="93"></span>%,
m%<div class="message message-negative alert"><span trmsg="93">%,
' PE93 found'
) or explain( $res->[2]->[0], "PE93 - Impersonation service not allowed" );
count(2);


@ -72,11 +72,10 @@ ok(
),
'4th Bad Auth query -> Rejected'
);
count(1);
ok( $res->[2]->[0] =~ /<span trmsg="86"><\/span>/, 'Protection enabled' );
count(1);
ok( $res->[2]->[0] =~ /<span trmsg="86">/, 'Protection enabled' );
count(2);
# Cool down
# Count down
Time::Fake->offset("+2s");
# Try to authenticate
@ -113,10 +112,8 @@ ok(
),
'Post code'
);
count(1);
ok( $res->[2]->[0] =~ /<span trmsg="86"><\/span>/, 'Protection enabled' );
count(1);
ok( $res->[2]->[0] =~ /<span trmsg="86">/, 'Protection enabled' );
count(2);
# Cool down
Time::Fake->offset("+6s");
@ -143,7 +140,6 @@ ok(
qr%<input name="code" value="" type="text" class="form-control" id="extcode" trplaceholder="code" autocomplete="off" />%,
'Found EXTCODE input'
) or print STDERR Dumper( $res->[2]->[0] );
count(1);
$query =~ s/code=/code=123456/;
ok(
@ -155,17 +151,16 @@ ok(
),
'Post code'
);
count(1);
count(2);
my $id = expectCookie($res);
ok( $res->[2]->[0] =~ /trspan="lastLogins"/, 'History found' )
or print STDERR Dumper( $res->[2]->[0] );
count(1);
my @c = ( $res->[2]->[0] =~ /<td>127.0.0.1/gs );
ok( @c == 5, 'Five entries found' )
ok( @c == 6, 'Six entries found' )
or print STDERR Dumper( $res->[2]->[0] );
count(1);
count(2);
$client->logout($id);
clean_sessions();
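Review bot: The `'Protection enabled'` assertions in the first two hunks only check `/<span trmsg="86">/`, so the lock-time text this commit adds to the login template is never exercised; one check beside each, `ok( $res->[2]->[0] =~ /<span trspan="seconds">/, 'Lock time displayed' );` with the adjacent `count()` raised by one, would cover the new `<TMPL_IF LOCKTIME>` branch. The expected history size moves from five to six entries (`ok( @c == 6, 'Six entries found' )`) with no explanation; since the plugin now runs `afterSub => { storeHistory => 'run' }`, I'd assume the rejected attempt itself is now recorded before the check, and a one-line comment saying so would spare the next reader the archaeology. The `# Cool down` → `# Count down` comment change in the first hunk looks unintentional, as the second hunk keeps `# Cool down` for the same `Time::Fake->offset` step.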