WIP - Incremental tempo

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm

@@ -19,7 +19,7 @@ sub defaultValues {
         'authentication'  => 'Demo',
         'available2F'     => 'UTOTP,TOTP,U2F,REST,Mail2F,Ext2F,Yubikey,Radius',
         'available2FSelfRegistration'        => 'TOTP,U2F,Yubikey',
-        'bruteForceProtectionLockTimes'      => '5 15 60 300 600',
+        'bruteForceProtectionLockTimes'      => '5, 15, 60, 300, 600',
         'bruteForceProtectionMaxAge'         => 300,
         'bruteForceProtectionMaxFailed'      => 3,
         'bruteForceProtectionMaxLockTime'    => 900,

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm

@@ -636,7 +636,7 @@ sub attributes {
             'type'    => 'bool'
         },
         'bruteForceProtectionLockTimes' => {
-            'default' => '5 15 60 300 600',
+            'default' => '5, 15, 60, 300, 600',
             'type'    => 'text'
         },
         'bruteForceProtectionMaxAge' => {

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm

@@ -833,7 +833,7 @@ sub attributes {
         },
         bruteForceProtectionLockTimes => {
             type    => 'text',
-            default => '5 15 60 300 600',
+            default => '5, 15, 60, 300, 600',
             documentation =>
               'Incremental lock time values for brute force attack protection',
         },

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm

@@ -630,7 +630,8 @@ sub tree {
                                 'notificationStorageOptions',
                                 {
                                     title => 'serverNotification',
-                                    help  => 'notifications.html#notification-server',
+                                    help =>
+                                      'notifications.html#notification-server',
                                     nodes => [
                                         'notificationServer',
                                         'notificationDefaultCond',
@@ -959,7 +960,10 @@ sub tree {
                                     form  => 'simpleInputContainer',
                                     nodes => [
                                         'bruteForceProtection',
+                                        'bruteForceProtectionTempo',
+                                        'bruteForceProtectionMaxFailed',
                                         'bruteForceProtectionIncrementalTempo',
+                                        'bruteForceProtectionLockTimes',
                                     ]
                                 },
                                 'lwpOpts',

lemonldap-ng-manager/t/80-attributes.t

@@ -24,10 +24,6 @@ my @notManagedAttributes = (
     'sfEngine', 'available2FSelfRegistration', 'available2F', 'max2FDevices',
     'max2FDevicesNameLength',
 
-    # Brute force attack protection parameters
-    'bruteForceProtectionMaxAge', 'bruteForceProtectionTempo',
-    'bruteForceProtectionMaxFailed',
-
     # Handlers
     'handlerInternalCache', 'handlerServiceTokenTTL',
 
@@ -42,8 +38,8 @@ my @notManagedAttributes = (
     'syslogFacility',   'userLogger',         'logLevel',
 
     # Plugins parameters
-    'notificationsMaxRetrieve',      'persistentSessionAttributes',
+    'notificationsMaxRetrieve',   'persistentSessionAttributes',
-    'bruteForceProtectionLockTimes', 'bruteForceProtectionMaxLockTime',
+    'bruteForceProtectionMaxAge', 'bruteForceProtectionMaxLockTime',
 
     # PSGI/CGI protection (must be set in lemonldap-ng.ini)
     'protection',

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/BruteForceProtection.pm

@@ -4,7 +4,7 @@ use strict;
 use Mouse;
 use Lemonldap::NG::Portal::Main::Constants qw(PE_OK PE_WAIT);
 
-our $VERSION = '2.0.8';
+our $VERSION = '2.0.9';
 
 extends 'Lemonldap::NG::Portal::Main::Plugin';
 
@@ -48,15 +48,25 @@ sub init {
     if ( $self->conf->{bruteForceProtectionIncrementalTempo} ) {
         my $lockTimes = @{ $self->lockTimes } =
           sort { $a <=> $b }
-          map { $_ < $self->conf->{bruteForceProtectionMaxLockTime} ? $_ : () }
+          map  { $_ < $self->conf->{bruteForceProtectionMaxLockTime} ? $_ : () }
           grep { /\d+/ }
-          split /\s+/, $self->conf->{bruteForceProtectionLockTimes};
+          split /\s*,\s*/, $self->conf->{bruteForceProtectionLockTimes};
 
         unless ($lockTimes) {
             @{ $self->lockTimes } = ( 5, 15, 60, 300, 600 );
             $lockTimes = 5;
         }
 
+        # for (
+        #     my $i = 1 ;
+        #     $i <= $self->conf->{bruteForceProtectionMaxFailed} ;
+        #     $i++
+        #   )
+        # {
+        #     unshift @{ $self->lockTimes }, 0;
+        #     $lockTimes++;
+        # }
+
         if ( $lockTimes > $self->conf->{failedLoginNumber} ) {
             $self->logger->warn( 'Number of incremental lock time values ('
                   . "$lockTimes) is higher than failed logins history ("
@@ -96,9 +106,9 @@ sub run {
         my $delta = $now - $lastFailedLoginEpoch;
         $self->logger->debug(" -> Delta = $delta");
         my $waitingTime = $self->lockTimes->[ $countFailed - 1 ]
-          || $self->conf->{bruteForceProtectionMaxLockTime};
+          // $self->conf->{bruteForceProtectionMaxLockTime};
         $self->logger->debug(" -> Waiting time = $waitingTime");
-        unless ( $delta > $waitingTime ) {
+        if ( $waitingTime && $delta <= $waitingTime ) {
             $self->logger->debug("BruteForceProtection enabled");
             $req->lockTime($waitingTime);
             return PE_WAIT;