Append BruteForceProtection (#1506)

2018-09-28 19:50:01 +02:00 · 2018-09-28 19:50:01 +02:00 · d4eb025de3
commit d4eb025de3
parent 1662f471bb
6 changed files with 1404 additions and 218 deletions
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
@ -20,6 +20,8 @@ sub defaultValues {
        'available2F'                 => 'UTOTP,TOTP,U2F,REST,Ext2F,Yubikey',
        'available2FSelfRegistration' => 'TOTP,U2F,Yubikey',
        'bruteForceProtection'        => 1,
+        'bruteForceProtectionMaxAge'  => 300,
+        'bruteForceProtectionTempo'   => 30,
        'captcha_mail_enabled'        => 1,
        'captcha_register_enabled'    => 1,
        'captcha_size'                => 6,
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@ -611,6 +611,14 @@ sub attributes {
            'default' => 1,
            'type'    => 'bool'
        },
+        'bruteForceProtectionMaxAge' => {
+            'default' => 300,
+            'type'    => 'int'
+        },
+        'bruteForceProtectionTempo' => {
+            'default' => 30,
+            'type'    => 'int'
+        },
        'captcha_login_enabled' => {
            'default' => 0,
            'type'    => 'bool'
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
--- a/lemonldap-ng-manager/site/htdocs/static/js/conftree.js
+++ b/lemonldap-ng-manager/site/htdocs/static/js/conftree.js
--- a/lemonldap-ng-manager/t/80-attributes.t
+++ b/lemonldap-ng-manager/t/80-attributes.t
@ -23,6 +23,9 @@ my @notManagedAttributes = (
    # Second factor engine and lists of 2F modules
    'sfEngine', 'available2FSelfRegistration', 'available2F',

+    # Brute forece attack protection parameters
+    'bruteForceProtectionMaxAge', 'bruteForceProtectionTempo',
+
    # Metadatas (added by manager itself)
    'cfgAuthor', 'cfgAuthorIP', 'cfgNum', 'cfgDate', 'cfgLog', 'cfgVersion',

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/BruteForceProtection.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/BruteForceProtection.pm
@ -19,6 +19,7 @@ sub init {1}
 sub run {
    my ( $self, $req ) = @_;

+    my $MaxAge               = 0;
    my $countFailed          = 0;
    my @lastFailedLoginEpoch = ();

@ -27,7 +28,7 @@ sub run {
        $countFailed = @{ $req->sessionInfo->{_loginHistory}->{failedLogin} };
    }

-    $self->logger->debug( " Number of failedLogin = $countFailed" );
+    $self->logger->debug(" Number of failedLogin = $countFailed");
    return PE_OK if ( $countFailed < 3 );

    foreach ( 0 .. 2 ) {
@ -39,19 +40,20 @@ sub run {
        }
    }

-    # If Auth_N-2 older than 5 minutes -> another try allowed
+    # If Auth_N-2 older than MaxAge -> another try allowed
+    $MaxAge = $lastFailedLoginEpoch[0] - $lastFailedLoginEpoch[2];
+    $self->logger->debug( " MaxAge = $MaxAge" );
    return PE_OK
-        if ( ( $lastFailedLoginEpoch[0] - $lastFailedLoginEpoch[2] ) > 300 );
+        if ( $MaxAge > $self->conf->{bruteForceProtectionMaxAge} );

    # Delta between the two last failed logins -> Auth_N - Auth_N-1
    my $delta = time - $lastFailedLoginEpoch[1];
-
-    $self->logger->debug( " Local time = " . time );
-    $self->logger->debug(" Delta time - lastFailedLoginN-1 = $delta");
+    $self->logger->debug(" Delta = $delta");

    # Delta between the two last failed logins < 30s => wait
-    return PE_OK unless ( $delta < 31 );
-    
+    return PE_OK
+        unless ( $delta <= $self->conf->{bruteForceProtectionTempo} );
+
    # Account locked
    shift @{ $req->sessionInfo->{_loginHistory}->{failedLogin} };
    return PE_WAIT;