Don t prompt second factor after a failed log in attempt (#2088)
parent
4cebebb062
commit
a4a73ca907
|
@ -395,6 +395,7 @@ sub display {
|
||||||
DISPLAY_YUBIKEY_FORM => 0,
|
DISPLAY_YUBIKEY_FORM => 0,
|
||||||
AUTH_LOOP => [],
|
AUTH_LOOP => [],
|
||||||
MSG => $req->info(),
|
MSG => $req->info(),
|
||||||
|
LOCKTIME => $req->lockTime(),
|
||||||
);
|
);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,8 +9,7 @@ our $VERSION = '2.0.8';
|
||||||
extends 'Lemonldap::NG::Portal::Main::Plugin';
|
extends 'Lemonldap::NG::Portal::Main::Plugin';
|
||||||
|
|
||||||
# INITIALIZATION
|
# INITIALIZATION
|
||||||
|
use constant afterSub => { storeHistory => 'run' };
|
||||||
use constant afterData => 'run';
|
|
||||||
|
|
||||||
has lockTimes => (
|
has lockTimes => (
|
||||||
is => 'rw',
|
is => 'rw',
|
||||||
|
@ -53,15 +52,21 @@ sub init {
|
||||||
grep { /\d+/ }
|
grep { /\d+/ }
|
||||||
split /\s+/, $self->conf->{bruteForceProtectionLockTimes};
|
split /\s+/, $self->conf->{bruteForceProtectionLockTimes};
|
||||||
|
|
||||||
@{ $self->lockTimes } = ( 5, 15, 60, 300, 600 )
|
unless ($lockTimes) {
|
||||||
unless $lockTimes;
|
@{ $self->lockTimes } = ( 5, 15, 60, 300, 600 );
|
||||||
|
$lockTimes = 5;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $lockTimes > $self->conf->{failedLoginNumber} ) {
|
||||||
$self->logger->warn( 'Number of incremental lock time values ('
|
$self->logger->warn( 'Number of incremental lock time values ('
|
||||||
. "$lockTimes) is higher than failed logins history ("
|
. "$lockTimes) is higher than failed logins history ("
|
||||||
. $self->conf->{failedLoginNumber}
|
. $self->conf->{failedLoginNumber}
|
||||||
. ')' )
|
. ')' );
|
||||||
if ( $lockTimes > $self->conf->{failedLoginNumber} );
|
splice @{ $self->lockTimes }, $self->conf->{failedLoginNumber};
|
||||||
|
$lockTimes = $self->conf->{failedLoginNumber};
|
||||||
|
}
|
||||||
|
|
||||||
my $sum = $self->conf->{bruteForceProtectionMaxAge};
|
my $sum = $self->conf->{bruteForceProtectionMaxAge} * ( 1 + $self->conf->{failedLoginNumber} - $lockTimes );
|
||||||
$sum += $_ foreach @{ $self->lockTimes };
|
$sum += $_ foreach @{ $self->lockTimes };
|
||||||
$self->maxAge($sum);
|
$self->maxAge($sum);
|
||||||
}
|
}
|
||||||
|
|
|
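Review bot: The new clamp in init trusts `failedLoginNumber` to be a positive integer. If it is 0 or unset, `splice @{ $self->lockTimes }, $self->conf->{failedLoginNumber};` removes every entry and `$lockTimes` ends up 0 or undef, which would leave the plugin without any lock delay; whether the configuration layer guarantees a positive default is not visible here. I would validate it once before the comparison, for example `my $max = $self->conf->{failedLoginNumber}; $max = 1 unless $max and $max =~ /^\d+$/;`, and use `$max` in the comparison, the splice and the maxAge formula. The unchanged filter `grep { /\d+/ }` is unanchored, so a token such as `5x` is kept and later fed to `$sum += $_`; `/^\d+$/` would reject it. init begins above this hunk, so how `$lockTimes` is first assigned is not shown.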
@ -5,7 +5,11 @@
|
||||||
<TMPL_INCLUDE NAME="customLoginHeader.tpl">
|
<TMPL_INCLUDE NAME="customLoginHeader.tpl">
|
||||||
|
|
||||||
<TMPL_IF NAME="AUTH_ERROR">
|
<TMPL_IF NAME="AUTH_ERROR">
|
||||||
<div class="message message-<TMPL_VAR NAME="AUTH_ERROR_TYPE"> alert"><span trmsg="<TMPL_VAR NAME="AUTH_ERROR">"></span></div>
|
<div class="message message-<TMPL_VAR NAME="AUTH_ERROR_TYPE"> alert"><span trmsg="<TMPL_VAR NAME="AUTH_ERROR">"></span>
|
||||||
|
<TMPL_IF LOCKTIME>
|
||||||
|
<TMPL_VAR NAME="LOCKTIME"> <span trspan="seconds">seconds</span>.
|
||||||
|
</TMPL_IF>
|
||||||
|
</div>
|
||||||
</TMPL_IF>
|
</TMPL_IF>
|
||||||
|
|
||||||
<TMPL_IF AUTH_LOOP>
|
<TMPL_IF AUTH_LOOP>
|
||||||
|
|
|
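Review bot: `<TMPL_VAR NAME="LOCKTIME">` is emitted inside the alert div without an ESCAPE attribute. The value appears to come from `$req->lockTime()` and is presumably a number, so this is hardening rather than a live defect, but `<TMPL_VAR NAME="LOCKTIME" ESCAPE=HTML>` keeps the template safe if the source of that value ever changes. The block also shows the exact remaining lock duration to an unauthenticated client, so a short comment above `<TMPL_IF LOCKTIME>` stating that this disclosure is intentional would help later reviewers.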
@ -25,7 +25,7 @@ ok(
|
||||||
),
|
),
|
||||||
'Get Menu'
|
'Get Menu'
|
||||||
);
|
);
|
||||||
ok( $res->[2]->[0] =~ /<span trmsg="37"><\/span><\/div>/,
|
ok( $res->[2]->[0] =~ /<span trmsg="37">/,
|
||||||
'Rejected with PE_BADURL' )
|
'Rejected with PE_BADURL' )
|
||||||
or print STDERR Dumper( $res->[2]->[0] );
|
or print STDERR Dumper( $res->[2]->[0] );
|
||||||
ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
|
ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
|
||||||
|
@ -41,7 +41,7 @@ ok(
|
||||||
),
|
),
|
||||||
'Get Menu'
|
'Get Menu'
|
||||||
);
|
);
|
||||||
ok( $res->[2]->[0] =~ /<span trmsg="9"><\/span><\/div>/,
|
ok( $res->[2]->[0] =~ /<span trmsg="9">/,
|
||||||
'Rejected with PE_FIRSTACCESS' )
|
'Rejected with PE_FIRSTACCESS' )
|
||||||
or print STDERR Dumper( $res->[2]->[0] );
|
or print STDERR Dumper( $res->[2]->[0] );
|
||||||
ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
|
ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
|
||||||
|
@ -73,7 +73,7 @@ ok(
|
||||||
),
|
),
|
||||||
'Auth query'
|
'Auth query'
|
||||||
);
|
);
|
||||||
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
|
ok( $res->[2]->[0] =~ /<span trmsg="5">/,
|
||||||
'jdoe rejected with PE_BADCREDENTIALS' )
|
'jdoe rejected with PE_BADCREDENTIALS' )
|
||||||
or print STDERR Dumper( $res->[2]->[0] );
|
or print STDERR Dumper( $res->[2]->[0] );
|
||||||
ok( $res->[2]->[0] =~ m%<span trspan="connect">Connect</span>%,
|
ok( $res->[2]->[0] =~ m%<span trspan="connect">Connect</span>%,
|
||||||
|
@ -93,7 +93,7 @@ ok(
|
||||||
'Auth query'
|
'Auth query'
|
||||||
);
|
);
|
||||||
count(1);
|
count(1);
|
||||||
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
|
ok( $res->[2]->[0] =~ /<span trmsg="5">/,
|
||||||
'dwho rejected with PE_BADCREDENTIALS' )
|
'dwho rejected with PE_BADCREDENTIALS' )
|
||||||
or print STDERR Dumper( $res->[2]->[0] );
|
or print STDERR Dumper( $res->[2]->[0] );
|
||||||
count(1);
|
count(1);
|
||||||
|
|
|
@ -70,7 +70,7 @@ m#<img class="renewcaptchaclick" src="/static/common/icons/arrow_refresh.png" al
|
||||||
( $host, $url, $query ) =
|
( $host, $url, $query ) =
|
||||||
expectForm( $res, '#', undef, 'user', 'password', 'token' );
|
expectForm( $res, '#', undef, 'user', 'password', 'token' );
|
||||||
|
|
||||||
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
|
ok( $res->[2]->[0] =~ /<span trmsg="5">/,
|
||||||
'dalek rejected with PE_BADCREDENTIALS' )
|
'dalek rejected with PE_BADCREDENTIALS' )
|
||||||
or print STDERR Dumper( $res->[2]->[0] );
|
or print STDERR Dumper( $res->[2]->[0] );
|
||||||
|
|
||||||
|
|
|
@ -50,7 +50,7 @@ ok(
|
||||||
( $host, $url, $query ) =
|
( $host, $url, $query ) =
|
||||||
expectForm( $res, '#', undef, 'user', 'password', 'token' );
|
expectForm( $res, '#', undef, 'user', 'password', 'token' );
|
||||||
|
|
||||||
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
|
ok( $res->[2]->[0] =~ /<span trmsg="5">/,
|
||||||
'dalek rejected with PE_BADCREDENTIALS' )
|
'dalek rejected with PE_BADCREDENTIALS' )
|
||||||
or print STDERR Dumper( $res->[2]->[0] );
|
or print STDERR Dumper( $res->[2]->[0] );
|
||||||
|
|
||||||
|
|
|
@ -211,7 +211,7 @@ expectOK($res);
|
||||||
|
|
||||||
ok(
|
ok(
|
||||||
$res->[2]->[0] =~
|
$res->[2]->[0] =~
|
||||||
m%<div class="message message-positive alert"><span trmsg="47"></span></div>%,
|
m%<div class="message message-positive alert"><span trmsg="47">%,
|
||||||
'Dwho has been well disconnected'
|
'Dwho has been well disconnected'
|
||||||
) or print STDERR Dumper( $res->[2]->[0] );
|
) or print STDERR Dumper( $res->[2]->[0] );
|
||||||
count(1);
|
count(1);
|
||||||
|
|
|
@ -121,7 +121,7 @@ expectOK($res);
|
||||||
|
|
||||||
ok(
|
ok(
|
||||||
$res->[2]->[0] =~
|
$res->[2]->[0] =~
|
||||||
m%<div class="message message-positive alert"><span trmsg="47"></span></div>%,
|
m%<div class="message message-positive alert"><span trmsg="47">%,
|
||||||
'Dwho has been well disconnected'
|
'Dwho has been well disconnected'
|
||||||
) or print STDERR Dumper( $res->[2]->[0] );
|
) or print STDERR Dumper( $res->[2]->[0] );
|
||||||
count(1);
|
count(1);
|
||||||
|
|
|
@ -50,7 +50,7 @@ ok(
|
||||||
'Auth query'
|
'Auth query'
|
||||||
);
|
);
|
||||||
count(1);
|
count(1);
|
||||||
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
|
ok( $res->[2]->[0] =~ /<span trmsg="5">/,
|
||||||
'dwho rejected with PE_BADCREDENTIALS' )
|
'dwho rejected with PE_BADCREDENTIALS' )
|
||||||
or print STDERR Dumper( $res->[2]->[0] );
|
or print STDERR Dumper( $res->[2]->[0] );
|
||||||
count(1);
|
count(1);
|
||||||
|
@ -105,7 +105,7 @@ ok(
|
||||||
);
|
);
|
||||||
count(1);
|
count(1);
|
||||||
ok(
|
ok(
|
||||||
$res->[2]->[0] =~ /<span trmsg="41"><\/span><\/div>/,
|
$res->[2]->[0] =~ /<span trmsg="41">/,
|
||||||
'rtyler rejected with PE_SESSIONNOTGRANTED'
|
'rtyler rejected with PE_SESSIONNOTGRANTED'
|
||||||
) or print STDERR Dumper( $res->[2]->[0] );
|
) or print STDERR Dumper( $res->[2]->[0] );
|
||||||
count(1);
|
count(1);
|
||||||
|
@ -121,7 +121,7 @@ ok(
|
||||||
);
|
);
|
||||||
count(1);
|
count(1);
|
||||||
ok(
|
ok(
|
||||||
$res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
|
$res->[2]->[0] =~ /<span trmsg="5">/,
|
||||||
'rtyler rejected with PE_BADCREDENTIALS'
|
'rtyler rejected with PE_BADCREDENTIALS'
|
||||||
) or print STDERR Dumper( $res->[2]->[0] );
|
) or print STDERR Dumper( $res->[2]->[0] );
|
||||||
count(1);
|
count(1);
|
||||||
|
|
|
@ -62,7 +62,7 @@ ok(
|
||||||
);
|
);
|
||||||
ok(
|
ok(
|
||||||
$res->[2]->[0] =~
|
$res->[2]->[0] =~
|
||||||
m%<div class="message message-warning alert"><span trmsg="1"></span></div>%,
|
m%<div class="message message-warning alert"><span trmsg="1">%,
|
||||||
'Found PE_SESSIONEXPIRED code'
|
'Found PE_SESSIONEXPIRED code'
|
||||||
) or print STDERR Dumper( $res->[2]->[0] );
|
) or print STDERR Dumper( $res->[2]->[0] );
|
||||||
count(2);
|
count(2);
|
||||||
|
|
|
@ -61,7 +61,7 @@ ok(
|
||||||
);
|
);
|
||||||
ok(
|
ok(
|
||||||
$res->[2]->[0] =~
|
$res->[2]->[0] =~
|
||||||
m%<div class="message message-warning alert"><span trmsg="1"></span></div>%,
|
m%<div class="message message-warning alert"><span trmsg="1">%,
|
||||||
'Found PE_SESSIONEXPIRED code'
|
'Found PE_SESSIONEXPIRED code'
|
||||||
) or print STDERR Dumper( $res->[2]->[0] );
|
) or print STDERR Dumper( $res->[2]->[0] );
|
||||||
count(2);
|
count(2);
|
||||||
|
|
|
@ -375,7 +375,7 @@ ok(
|
||||||
);
|
);
|
||||||
count(6);
|
count(6);
|
||||||
|
|
||||||
ok( $res->[2]->[0] =~ m%<span trmsg="1"></span>%, 'Found PE_SESSIONEXPIRED' )
|
ok( $res->[2]->[0] =~ m%<span trmsg="1">%, 'Found PE_SESSIONEXPIRED' )
|
||||||
or explain( $res->[2]->[0], 'Sessuion expired' );
|
or explain( $res->[2]->[0], 'Sessuion expired' );
|
||||||
ok(
|
ok(
|
||||||
$res = $client->_get(
|
$res = $client->_get(
|
||||||
|
@ -403,7 +403,7 @@ expectOK($res);
|
||||||
|
|
||||||
ok(
|
ok(
|
||||||
$res->[2]->[0] =~
|
$res->[2]->[0] =~
|
||||||
m%<div class="message message-positive alert"><span trmsg="47"></span></div>%,
|
m%<div class="message message-positive alert"><span trmsg="47">%,
|
||||||
'Dwho has been well disconnected'
|
'Dwho has been well disconnected'
|
||||||
) or print STDERR Dumper( $res->[2]->[0] );
|
) or print STDERR Dumper( $res->[2]->[0] );
|
||||||
count(2);
|
count(2);
|
||||||
|
|
|
@ -55,7 +55,7 @@ ok(
|
||||||
),
|
),
|
||||||
'Auth query'
|
'Auth query'
|
||||||
);
|
);
|
||||||
ok( $res->[2]->[0] =~ m%<span trmsg="40"></span>%, ' PE40 found' )
|
ok( $res->[2]->[0] =~ m%<span trmsg="40">%, ' PE40 found' )
|
||||||
or explain( $res->[2]->[0], "PE40 - Bad formed user" );
|
or explain( $res->[2]->[0], "PE40 - Bad formed user" );
|
||||||
count(2);
|
count(2);
|
||||||
|
|
||||||
|
@ -83,7 +83,7 @@ ok(
|
||||||
);
|
);
|
||||||
ok(
|
ok(
|
||||||
$res->[2]->[0] =~
|
$res->[2]->[0] =~
|
||||||
m%<div class="message message-negative alert"><span trmsg="5"></span></div>%,
|
m%<div class="message message-negative alert"><span trmsg="5">%,
|
||||||
' PE5 found'
|
' PE5 found'
|
||||||
) or explain( $res->[2]->[0], "PE5 - Forbidden identity" );
|
) or explain( $res->[2]->[0], "PE5 - Forbidden identity" );
|
||||||
count(2);
|
count(2);
|
||||||
|
@ -112,7 +112,7 @@ ok(
|
||||||
);
|
);
|
||||||
ok(
|
ok(
|
||||||
$res->[2]->[0] =~
|
$res->[2]->[0] =~
|
||||||
m%<div class="message message-negative alert"><span trmsg="93"></span>%,
|
m%<div class="message message-negative alert"><span trmsg="93">%,
|
||||||
' PE93 found'
|
' PE93 found'
|
||||||
) or explain( $res->[2]->[0], "PE93 - Impersonation service not allowed" );
|
) or explain( $res->[2]->[0], "PE93 - Impersonation service not allowed" );
|
||||||
count(2);
|
count(2);
|
||||||
|
|
|
@ -54,7 +54,7 @@ ok(
|
||||||
),
|
),
|
||||||
'Auth query'
|
'Auth query'
|
||||||
);
|
);
|
||||||
ok( $res->[2]->[0] =~ m%<span trmsg="40"></span>%, ' PE40 found' )
|
ok( $res->[2]->[0] =~ m%<span trmsg="40">%, ' PE40 found' )
|
||||||
or explain( $res->[2]->[0], "PE40 - Bad formed user" );
|
or explain( $res->[2]->[0], "PE40 - Bad formed user" );
|
||||||
count(2);
|
count(2);
|
||||||
|
|
||||||
|
@ -82,7 +82,7 @@ ok(
|
||||||
);
|
);
|
||||||
ok(
|
ok(
|
||||||
$res->[2]->[0] =~
|
$res->[2]->[0] =~
|
||||||
m%<div class="message message-negative alert"><span trmsg="5"></span></div>%,
|
m%<div class="message message-negative alert"><span trmsg="5">%,
|
||||||
' PE5 found'
|
' PE5 found'
|
||||||
) or explain( $res->[2]->[0], "PE5 - Forbidden identity" );
|
) or explain( $res->[2]->[0], "PE5 - Forbidden identity" );
|
||||||
count(2);
|
count(2);
|
||||||
|
@ -111,7 +111,7 @@ ok(
|
||||||
);
|
);
|
||||||
ok(
|
ok(
|
||||||
$res->[2]->[0] =~
|
$res->[2]->[0] =~
|
||||||
m%<div class="message message-negative alert"><span trmsg="93"></span>%,
|
m%<div class="message message-negative alert"><span trmsg="93">%,
|
||||||
' PE93 found'
|
' PE93 found'
|
||||||
) or explain( $res->[2]->[0], "PE93 - Impersonation service not allowed" );
|
) or explain( $res->[2]->[0], "PE93 - Impersonation service not allowed" );
|
||||||
count(2);
|
count(2);
|
||||||
|
|
|
@ -72,11 +72,10 @@ ok(
|
||||||
),
|
),
|
||||||
'4th Bad Auth query -> Rejected'
|
'4th Bad Auth query -> Rejected'
|
||||||
);
|
);
|
||||||
count(1);
|
ok( $res->[2]->[0] =~ /<span trmsg="86">/, 'Protection enabled' );
|
||||||
ok( $res->[2]->[0] =~ /<span trmsg="86"><\/span>/, 'Protection enabled' );
|
count(2);
|
||||||
count(1);
|
|
||||||
|
|
||||||
# Cool down
|
# Count down
|
||||||
Time::Fake->offset("+2s");
|
Time::Fake->offset("+2s");
|
||||||
|
|
||||||
# Try to authenticate
|
# Try to authenticate
|
||||||
|
@ -113,10 +112,8 @@ ok(
|
||||||
),
|
),
|
||||||
'Post code'
|
'Post code'
|
||||||
);
|
);
|
||||||
count(1);
|
ok( $res->[2]->[0] =~ /<span trmsg="86">/, 'Protection enabled' );
|
||||||
|
count(2);
|
||||||
ok( $res->[2]->[0] =~ /<span trmsg="86"><\/span>/, 'Protection enabled' );
|
|
||||||
count(1);
|
|
||||||
|
|
||||||
# Cool down
|
# Cool down
|
||||||
Time::Fake->offset("+6s");
|
Time::Fake->offset("+6s");
|
||||||
|
@ -143,7 +140,6 @@ ok(
|
||||||
qr%<input name="code" value="" type="text" class="form-control" id="extcode" trplaceholder="code" autocomplete="off" />%,
|
qr%<input name="code" value="" type="text" class="form-control" id="extcode" trplaceholder="code" autocomplete="off" />%,
|
||||||
'Found EXTCODE input'
|
'Found EXTCODE input'
|
||||||
) or print STDERR Dumper( $res->[2]->[0] );
|
) or print STDERR Dumper( $res->[2]->[0] );
|
||||||
count(1);
|
|
||||||
|
|
||||||
$query =~ s/code=/code=123456/;
|
$query =~ s/code=/code=123456/;
|
||||||
ok(
|
ok(
|
||||||
|
@ -155,17 +151,16 @@ ok(
|
||||||
),
|
),
|
||||||
'Post code'
|
'Post code'
|
||||||
);
|
);
|
||||||
count(1);
|
count(2);
|
||||||
|
|
||||||
my $id = expectCookie($res);
|
my $id = expectCookie($res);
|
||||||
|
|
||||||
ok( $res->[2]->[0] =~ /trspan="lastLogins"/, 'History found' )
|
ok( $res->[2]->[0] =~ /trspan="lastLogins"/, 'History found' )
|
||||||
or print STDERR Dumper( $res->[2]->[0] );
|
or print STDERR Dumper( $res->[2]->[0] );
|
||||||
count(1);
|
|
||||||
my @c = ( $res->[2]->[0] =~ /<td>127.0.0.1/gs );
|
my @c = ( $res->[2]->[0] =~ /<td>127.0.0.1/gs );
|
||||||
ok( @c == 5, 'Five entries found' )
|
ok( @c == 6, 'Six entries found' )
|
||||||
or print STDERR Dumper( $res->[2]->[0] );
|
or print STDERR Dumper( $res->[2]->[0] );
|
||||||
count(1);
|
count(2);
|
||||||
|
|
||||||
$client->logout($id);
|
$client->logout($id);
|
||||||
clean_sessions();
|
clean_sessions();
|
||||||
|
|
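Review bot: The relaxed `/<span trmsg="86">/` checks after '4th Bad Auth query -> Rejected' and after 'Post code' only confirm that the message code is present, so the lock time this commit starts rendering is never asserted. Since this file already drives the lock with `Time::Fake`, one extra check such as `ok( $res->[2]->[0] =~ m%<span trmsg="86"></span>\s*\d+\s*<span trspan="seconds">%, 'Lock time displayed' );` would cover it, with the adjacent `count(2)` raised to match. The behaviour named in the commit title is also not asserted directly. If the locked response is the one that must not offer the second factor, a negative match on the `id="extcode"` input seen further down would pin that.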