Don t prompt second factor after a failed log in attempt (#2088)
parent
4cebebb062
commit
a4a73ca907
|
@ -395,6 +395,7 @@ sub display {
|
|||
DISPLAY_YUBIKEY_FORM => 0,
|
||||
AUTH_LOOP => [],
|
||||
MSG => $req->info(),
|
||||
LOCKTIME => $req->lockTime(),
|
||||
);
|
||||
|
||||
}
|
||||
|
|
|
@ -9,8 +9,7 @@ our $VERSION = '2.0.8';
|
|||
extends 'Lemonldap::NG::Portal::Main::Plugin';
|
||||
|
||||
# INITIALIZATION
|
||||
|
||||
use constant afterData => 'run';
|
||||
use constant afterSub => { storeHistory => 'run' };
|
||||
|
||||
has lockTimes => (
|
||||
is => 'rw',
|
||||
|
@ -53,15 +52,21 @@ sub init {
|
|||
grep { /\d+/ }
|
||||
split /\s+/, $self->conf->{bruteForceProtectionLockTimes};
|
||||
|
||||
@{ $self->lockTimes } = ( 5, 15, 60, 300, 600 )
|
||||
unless $lockTimes;
|
||||
$self->logger->warn( 'Number of incremental lock time values ('
|
||||
. "$lockTimes) is higher than failed logins history ("
|
||||
. $self->conf->{failedLoginNumber}
|
||||
. ')' )
|
||||
if ( $lockTimes > $self->conf->{failedLoginNumber} );
|
||||
unless ($lockTimes) {
|
||||
@{ $self->lockTimes } = ( 5, 15, 60, 300, 600 );
|
||||
$lockTimes = 5;
|
||||
}
|
||||
|
||||
if ( $lockTimes > $self->conf->{failedLoginNumber} ) {
|
||||
$self->logger->warn( 'Number of incremental lock time values ('
|
||||
. "$lockTimes) is higher than failed logins history ("
|
||||
. $self->conf->{failedLoginNumber}
|
||||
. ')' );
|
||||
splice @{ $self->lockTimes }, $self->conf->{failedLoginNumber};
|
||||
$lockTimes = $self->conf->{failedLoginNumber};
|
||||
}
|
||||
|
||||
my $sum = $self->conf->{bruteForceProtectionMaxAge};
|
||||
my $sum = $self->conf->{bruteForceProtectionMaxAge} * ( 1 + $self->conf->{failedLoginNumber} - $lockTimes );
|
||||
$sum += $_ foreach @{ $self->lockTimes };
|
||||
$self->maxAge($sum);
|
||||
}
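Review bot: In the rewritten part of `init`, `splice @{ $self->lockTimes }, $self->conf->{failedLoginNumber};` truncates the lock-time list to whatever `failedLoginNumber` holds, so a value of 0 or an unset key empties the list and leaves `$lockTimes` at 0 with only a warning logged. How the plugin's check behaves with an empty list is not visible here, but for a brute-force control it seems safer to confirm that `failedLoginNumber` is a positive integer before truncating and to keep the default list otherwise. Separately, the default branch hard-codes `$lockTimes = 5;`, whereas `$lockTimes = @{ $self->lockTimes };` would keep the count tied to the list it describes. `init` starts before this hunk, and because the `+`/`-` markers are lost on this page the old/new split is read from the hunk header counts.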
|
||||
|
|
|
@ -5,7 +5,11 @@
|
|||
<TMPL_INCLUDE NAME="customLoginHeader.tpl">
|
||||
|
||||
<TMPL_IF NAME="AUTH_ERROR">
|
||||
<div class="message message-<TMPL_VAR NAME="AUTH_ERROR_TYPE"> alert"><span trmsg="<TMPL_VAR NAME="AUTH_ERROR">"></span></div>
|
||||
<div class="message message-<TMPL_VAR NAME="AUTH_ERROR_TYPE"> alert"><span trmsg="<TMPL_VAR NAME="AUTH_ERROR">"></span>
|
||||
<TMPL_IF LOCKTIME>
|
||||
<TMPL_VAR NAME="LOCKTIME"> <span trspan="seconds">seconds</span>.
|
||||
</TMPL_IF>
|
||||
</div>
|
||||
</TMPL_IF>
|
||||
|
||||
<TMPL_IF AUTH_LOOP>
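Review bot: `<TMPL_VAR NAME="LOCKTIME">` is emitted without an escape mode inside the error message div. The value comes from `$req->lockTime()` and is presumably always an integer, but the page does not show whether the template engine is configured with a default escape. Writing `<TMPL_VAR NAME="LOCKTIME" ESCAPE=HTML>` costs nothing and keeps the block safe if the source of that value ever changes.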
|
||||
|
|
|
@ -25,7 +25,7 @@ ok(
|
|||
),
|
||||
'Get Menu'
|
||||
);
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="37"><\/span><\/div>/,
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="37">/,
|
||||
'Rejected with PE_BADURL' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
|
||||
|
@ -41,7 +41,7 @@ ok(
|
|||
),
|
||||
'Get Menu'
|
||||
);
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="9"><\/span><\/div>/,
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="9">/,
|
||||
'Rejected with PE_FIRSTACCESS' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
|
||||
|
@ -73,7 +73,7 @@ ok(
|
|||
),
|
||||
'Auth query'
|
||||
);
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="5">/,
|
||||
'jdoe rejected with PE_BADCREDENTIALS' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="connect">Connect</span>%,
|
||||
|
@ -93,7 +93,7 @@ ok(
|
|||
'Auth query'
|
||||
);
|
||||
count(1);
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="5">/,
|
||||
'dwho rejected with PE_BADCREDENTIALS' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(1);
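Review bot: The four assertions in this file were relaxed to `/<span trmsg="N">/`, which is looser than the template change requires. The new template still closes the span immediately after the `trmsg` attribute and only moves `</div>`. Keeping `<\/span>` in the pattern, e.g. `/<span trmsg="5"><\/span>/`, would pass against the new markup and still catch unexpected content inside the span. The same applies to the other test hunks on this page that drop `</span></div>` or `</span>` from their patterns.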
|
||||
|
|
|
@ -70,7 +70,7 @@ m#<img class="renewcaptchaclick" src="/static/common/icons/arrow_refresh.png" al
|
|||
( $host, $url, $query ) =
|
||||
expectForm( $res, '#', undef, 'user', 'password', 'token' );
|
||||
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="5">/,
|
||||
'dalek rejected with PE_BADCREDENTIALS' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
|
||||
|
|
|
@ -50,7 +50,7 @@ ok(
|
|||
( $host, $url, $query ) =
|
||||
expectForm( $res, '#', undef, 'user', 'password', 'token' );
|
||||
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="5">/,
|
||||
'dalek rejected with PE_BADCREDENTIALS' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
|
||||
|
|
|
@ -211,7 +211,7 @@ expectOK($res);
|
|||
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<div class="message message-positive alert"><span trmsg="47"></span></div>%,
|
||||
m%<div class="message message-positive alert"><span trmsg="47">%,
|
||||
'Dwho has been well disconnected'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(1);
|
||||
|
|
|
@ -121,7 +121,7 @@ expectOK($res);
|
|||
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<div class="message message-positive alert"><span trmsg="47"></span></div>%,
|
||||
m%<div class="message message-positive alert"><span trmsg="47">%,
|
||||
'Dwho has been well disconnected'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(1);
|
||||
|
|
|
@ -50,7 +50,7 @@ ok(
|
|||
'Auth query'
|
||||
);
|
||||
count(1);
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="5">/,
|
||||
'dwho rejected with PE_BADCREDENTIALS' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(1);
|
||||
|
@ -105,7 +105,7 @@ ok(
|
|||
);
|
||||
count(1);
|
||||
ok(
|
||||
$res->[2]->[0] =~ /<span trmsg="41"><\/span><\/div>/,
|
||||
$res->[2]->[0] =~ /<span trmsg="41">/,
|
||||
'rtyler rejected with PE_SESSIONNOTGRANTED'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(1);
|
||||
|
@ -121,7 +121,7 @@ ok(
|
|||
);
|
||||
count(1);
|
||||
ok(
|
||||
$res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
|
||||
$res->[2]->[0] =~ /<span trmsg="5">/,
|
||||
'rtyler rejected with PE_BADCREDENTIALS'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(1);
|
||||
|
|
|
@ -62,7 +62,7 @@ ok(
|
|||
);
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<div class="message message-warning alert"><span trmsg="1"></span></div>%,
|
||||
m%<div class="message message-warning alert"><span trmsg="1">%,
|
||||
'Found PE_SESSIONEXPIRED code'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(2);
|
||||
|
|
|
@ -61,7 +61,7 @@ ok(
|
|||
);
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<div class="message message-warning alert"><span trmsg="1"></span></div>%,
|
||||
m%<div class="message message-warning alert"><span trmsg="1">%,
|
||||
'Found PE_SESSIONEXPIRED code'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(2);
|
||||
|
|
|
@ -375,7 +375,7 @@ ok(
|
|||
);
|
||||
count(6);
|
||||
|
||||
ok( $res->[2]->[0] =~ m%<span trmsg="1"></span>%, 'Found PE_SESSIONEXPIRED' )
|
||||
ok( $res->[2]->[0] =~ m%<span trmsg="1">%, 'Found PE_SESSIONEXPIRED' )
|
||||
or explain( $res->[2]->[0], 'Sessuion expired' );
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
|
@ -403,7 +403,7 @@ expectOK($res);
|
|||
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<div class="message message-positive alert"><span trmsg="47"></span></div>%,
|
||||
m%<div class="message message-positive alert"><span trmsg="47">%,
|
||||
'Dwho has been well disconnected'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(2);
|
||||
|
|
|
@ -55,7 +55,7 @@ ok(
|
|||
),
|
||||
'Auth query'
|
||||
);
|
||||
ok( $res->[2]->[0] =~ m%<span trmsg="40"></span>%, ' PE40 found' )
|
||||
ok( $res->[2]->[0] =~ m%<span trmsg="40">%, ' PE40 found' )
|
||||
or explain( $res->[2]->[0], "PE40 - Bad formed user" );
|
||||
count(2);
|
||||
|
||||
|
@ -83,7 +83,7 @@ ok(
|
|||
);
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<div class="message message-negative alert"><span trmsg="5"></span></div>%,
|
||||
m%<div class="message message-negative alert"><span trmsg="5">%,
|
||||
' PE5 found'
|
||||
) or explain( $res->[2]->[0], "PE5 - Forbidden identity" );
|
||||
count(2);
|
||||
|
@ -112,7 +112,7 @@ ok(
|
|||
);
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<div class="message message-negative alert"><span trmsg="93"></span>%,
|
||||
m%<div class="message message-negative alert"><span trmsg="93">%,
|
||||
' PE93 found'
|
||||
) or explain( $res->[2]->[0], "PE93 - Impersonation service not allowed" );
|
||||
count(2);
|
||||
|
|
|
@ -54,7 +54,7 @@ ok(
|
|||
),
|
||||
'Auth query'
|
||||
);
|
||||
ok( $res->[2]->[0] =~ m%<span trmsg="40"></span>%, ' PE40 found' )
|
||||
ok( $res->[2]->[0] =~ m%<span trmsg="40">%, ' PE40 found' )
|
||||
or explain( $res->[2]->[0], "PE40 - Bad formed user" );
|
||||
count(2);
|
||||
|
||||
|
@ -82,7 +82,7 @@ ok(
|
|||
);
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<div class="message message-negative alert"><span trmsg="5"></span></div>%,
|
||||
m%<div class="message message-negative alert"><span trmsg="5">%,
|
||||
' PE5 found'
|
||||
) or explain( $res->[2]->[0], "PE5 - Forbidden identity" );
|
||||
count(2);
|
||||
|
@ -111,7 +111,7 @@ ok(
|
|||
);
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<div class="message message-negative alert"><span trmsg="93"></span>%,
|
||||
m%<div class="message message-negative alert"><span trmsg="93">%,
|
||||
' PE93 found'
|
||||
) or explain( $res->[2]->[0], "PE93 - Impersonation service not allowed" );
|
||||
count(2);
|
||||
|
|
|
@ -72,11 +72,10 @@ ok(
|
|||
),
|
||||
'4th Bad Auth query -> Rejected'
|
||||
);
|
||||
count(1);
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="86"><\/span>/, 'Protection enabled' );
|
||||
count(1);
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="86">/, 'Protection enabled' );
|
||||
count(2);
|
||||
|
||||
# Cool down
|
||||
# Count down
|
||||
Time::Fake->offset("+2s");
|
||||
|
||||
# Try to authenticate
|
||||
|
@ -113,10 +112,8 @@ ok(
|
|||
),
|
||||
'Post code'
|
||||
);
|
||||
count(1);
|
||||
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="86"><\/span>/, 'Protection enabled' );
|
||||
count(1);
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="86">/, 'Protection enabled' );
|
||||
count(2);
|
||||
|
||||
# Cool down
|
||||
Time::Fake->offset("+6s");
|
||||
|
@ -143,7 +140,6 @@ ok(
|
|||
qr%<input name="code" value="" type="text" class="form-control" id="extcode" trplaceholder="code" autocomplete="off" />%,
|
||||
'Found EXTCODE input'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(1);
|
||||
|
||||
$query =~ s/code=/code=123456/;
|
||||
ok(
|
||||
|
@ -155,17 +151,16 @@ ok(
|
|||
),
|
||||
'Post code'
|
||||
);
|
||||
count(1);
|
||||
count(2);
|
||||
|
||||
my $id = expectCookie($res);
|
||||
|
||||
ok( $res->[2]->[0] =~ /trspan="lastLogins"/, 'History found' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(1);
|
||||
my @c = ( $res->[2]->[0] =~ /<td>127.0.0.1/gs );
|
||||
ok( @c == 5, 'Five entries found' )
|
||||
ok( @c == 6, 'Six entries found' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(1);
|
||||
count(2);
|
||||
|
||||
$client->logout($id);
|
||||
clean_sessions();
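Review bot: Neither `Protection enabled` assertion checks the lock time that the template now renders; both only match `/<span trmsg="86">/`, so the new `LOCKTIME` output has no coverage. An extra check such as `ok( $res->[2]->[0] =~ m%\d+ <span trspan="seconds">%, 'Lock time displayed' );` (with the `count` adjusted) would pin it. The history expectation also moves from five to six entries without a comment; a one-line comment naming which attempt adds the sixth row would help the next reader. The test's setup lies outside these hunks.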
|
||||
|
|