Don t prompt second factor after a failed log in attempt (#2088)

5 years ago · a4a73ca907
parent 4cebebb062
commit a4a73ca907
15 changed files with 50 additions and 45 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
@ -395,6 +395,7 @@ sub display {
                DISPLAY_YUBIKEY_FORM  => 0,
                AUTH_LOOP             => [],
                MSG                   => $req->info(),
+                LOCKTIME              => $req->lockTime(),
            );

        }
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/BruteForceProtection.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/BruteForceProtection.pm
@ -9,8 +9,7 @@ our $VERSION = '2.0.8';
 extends 'Lemonldap::NG::Portal::Main::Plugin';

 # INITIALIZATION
-
-use constant afterData => 'run';
+use constant afterSub => { storeHistory => 'run' };

 has lockTimes => (
    is      => 'rw',
@ -53,15 +52,21 @@ sub init {
          grep { /\d+/ }
          split /\s+/, $self->conf->{bruteForceProtectionLockTimes};

-        @{ $self->lockTimes } = ( 5, 15, 60, 300, 600 )
-          unless $lockTimes;
-        $self->logger->warn( 'Number of incremental lock time values ('
-              . "$lockTimes) is higher than failed logins history ("
-              . $self->conf->{failedLoginNumber}
-              . ')' )
-          if ( $lockTimes > $self->conf->{failedLoginNumber} );
+        unless ($lockTimes) {
+            @{ $self->lockTimes } = ( 5, 15, 60, 300, 600 );
+            $lockTimes = 5;
+        }
+        
+        if ( $lockTimes > $self->conf->{failedLoginNumber} ) {
+            $self->logger->warn( 'Number of incremental lock time values ('
+                  . "$lockTimes) is higher than failed logins history ("
+                  . $self->conf->{failedLoginNumber}
+                  . ')' );
+            splice @{ $self->lockTimes }, $self->conf->{failedLoginNumber};
+            $lockTimes = $self->conf->{failedLoginNumber};
+        }

-        my $sum = $self->conf->{bruteForceProtectionMaxAge};
+        my $sum = $self->conf->{bruteForceProtectionMaxAge} * ( 1 + $self->conf->{failedLoginNumber} - $lockTimes );
        $sum += $_ foreach @{ $self->lockTimes };
        $self->maxAge($sum);
    }
--- a/lemonldap-ng-portal/site/templates/bootstrap/login.tpl
+++ b/lemonldap-ng-portal/site/templates/bootstrap/login.tpl
@ -5,7 +5,11 @@
  <TMPL_INCLUDE NAME="customLoginHeader.tpl">

  <TMPL_IF NAME="AUTH_ERROR">
-  <div class="message message-<TMPL_VAR NAME="AUTH_ERROR_TYPE"> alert"><span trmsg="<TMPL_VAR NAME="AUTH_ERROR">"></span></div>
+    <div class="message message-<TMPL_VAR NAME="AUTH_ERROR_TYPE"> alert"><span trmsg="<TMPL_VAR NAME="AUTH_ERROR">"></span>
+      <TMPL_IF LOCKTIME>
+        <TMPL_VAR NAME="LOCKTIME"> <span trspan="seconds">seconds</span>.
+      </TMPL_IF>
+    </div>
  </TMPL_IF>

  <TMPL_IF AUTH_LOOP>
--- a/lemonldap-ng-portal/t/01-AuthDemo.t
+++ b/lemonldap-ng-portal/t/01-AuthDemo.t
@ -25,7 +25,7 @@ ok(
    ),
    'Get Menu'
 );
-ok( $res->[2]->[0] =~ /<span trmsg="37"><\/span><\/div>/,
+ok( $res->[2]->[0] =~ /<span trmsg="37">/,
    'Rejected with PE_BADURL' )
  or print STDERR Dumper( $res->[2]->[0] );
 ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
@ -41,7 +41,7 @@ ok(
    ),
    'Get Menu'
 );
-ok( $res->[2]->[0] =~ /<span trmsg="9"><\/span><\/div>/,
+ok( $res->[2]->[0] =~ /<span trmsg="9">/,
    'Rejected with PE_FIRSTACCESS' )
  or print STDERR Dumper( $res->[2]->[0] );
 ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
@ -73,7 +73,7 @@ ok(
    ),
    'Auth query'
 );
-ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
+ok( $res->[2]->[0] =~ /<span trmsg="5">/,
    'jdoe rejected with PE_BADCREDENTIALS' )
  or print STDERR Dumper( $res->[2]->[0] );
 ok( $res->[2]->[0] =~ m%<span trspan="connect">Connect</span>%,
@ -93,7 +93,7 @@ ok(
    'Auth query'
 );
 count(1);
-ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
+ok( $res->[2]->[0] =~ /<span trmsg="5">/,
    'dwho rejected with PE_BADCREDENTIALS' )
  or print STDERR Dumper( $res->[2]->[0] );
 count(1);
--- a/lemonldap-ng-portal/t/28-AuthChoice-with-captcha.t
+++ b/lemonldap-ng-portal/t/28-AuthChoice-with-captcha.t
@ -70,7 +70,7 @@ m#<img class="renewcaptchaclick" src="/static/common/icons/arrow_refresh.png" al
    ( $host, $url, $query ) =
      expectForm( $res, '#', undef, 'user', 'password', 'token' );

-    ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
+    ok( $res->[2]->[0] =~ /<span trmsg="5">/,
        'dalek rejected with PE_BADCREDENTIALS' )
      or print STDERR Dumper( $res->[2]->[0] );

--- a/lemonldap-ng-portal/t/28-AuthChoice-with-token.t
+++ b/lemonldap-ng-portal/t/28-AuthChoice-with-token.t
@ -50,7 +50,7 @@ ok(
 ( $host, $url, $query ) =
  expectForm( $res, '#', undef, 'user', 'password', 'token' );

-ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
+ok( $res->[2]->[0] =~ /<span trmsg="5">/,
    'dalek rejected with PE_BADCREDENTIALS' )
  or print STDERR Dumper( $res->[2]->[0] );

--- a/lemonldap-ng-portal/t/59-Double-cookies-Refresh-and-Logout.t
+++ b/lemonldap-ng-portal/t/59-Double-cookies-Refresh-and-Logout.t
@ -211,7 +211,7 @@ expectOK($res);

 ok(
    $res->[2]->[0] =~
-m%<div class="message message-positive alert"><span trmsg="47"></span></div>%,
+m%<div class="message message-positive alert"><span trmsg="47">%,
    'Dwho has been well disconnected'
 ) or print STDERR Dumper( $res->[2]->[0] );
 count(1);
--- a/lemonldap-ng-portal/t/59-Secured-cookie-Refresh-and-Logout.t
+++ b/lemonldap-ng-portal/t/59-Secured-cookie-Refresh-and-Logout.t
@ -121,7 +121,7 @@ expectOK($res);

 ok(
    $res->[2]->[0] =~
-m%<div class="message message-positive alert"><span trmsg="47"></span></div>%,
+m%<div class="message message-positive alert"><span trmsg="47">%,
    'Dwho has been well disconnected'
 ) or print STDERR Dumper( $res->[2]->[0] );
 count(1);
--- a/lemonldap-ng-portal/t/61-GrantSession.t
+++ b/lemonldap-ng-portal/t/61-GrantSession.t
@ -50,7 +50,7 @@ ok(
    'Auth query'
 );
 count(1);
-ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
+ok( $res->[2]->[0] =~ /<span trmsg="5">/,
    'dwho rejected with PE_BADCREDENTIALS' )
  or print STDERR Dumper( $res->[2]->[0] );
 count(1);
@ -105,7 +105,7 @@ ok(
 );
 count(1);
 ok(
-    $res->[2]->[0] =~ /<span trmsg="41"><\/span><\/div>/,
+    $res->[2]->[0] =~ /<span trmsg="41">/,
    'rtyler rejected with PE_SESSIONNOTGRANTED'
 ) or print STDERR Dumper( $res->[2]->[0] );
 count(1);
@ -121,7 +121,7 @@ ok(
 );
 count(1);
 ok(
-    $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
+    $res->[2]->[0] =~ /<span trmsg="5">/,
    'rtyler rejected with PE_BADCREDENTIALS'
 ) or print STDERR Dumper( $res->[2]->[0] );
 count(1);
--- a/lemonldap-ng-portal/t/61-Session-ActivityTimeout.t
+++ b/lemonldap-ng-portal/t/61-Session-ActivityTimeout.t
@ -62,7 +62,7 @@ ok(
 );
 ok(
    $res->[2]->[0] =~
-m%<div class="message message-warning alert"><span trmsg="1"></span></div>%,
+m%<div class="message message-warning alert"><span trmsg="1">%,
    'Found PE_SESSIONEXPIRED code'
 ) or print STDERR Dumper( $res->[2]->[0] );
 count(2);
--- a/lemonldap-ng-portal/t/61-Session-Timeout.t
+++ b/lemonldap-ng-portal/t/61-Session-Timeout.t
@ -61,7 +61,7 @@ ok(
 );
 ok(
    $res->[2]->[0] =~
-m%<div class="message message-warning alert"><span trmsg="1"></span></div>%,
+m%<div class="message message-warning alert"><span trmsg="1">%,
    'Found PE_SESSIONEXPIRED code'
 ) or print STDERR Dumper( $res->[2]->[0] );
 count(2);
--- a/lemonldap-ng-portal/t/68-ContextSwitching.t
+++ b/lemonldap-ng-portal/t/68-ContextSwitching.t
@ -375,7 +375,7 @@ ok(
 );
 count(6);

-ok( $res->[2]->[0] =~ m%<span trmsg="1"></span>%, 'Found PE_SESSIONEXPIRED' )
+ok( $res->[2]->[0] =~ m%<span trmsg="1">%, 'Found PE_SESSIONEXPIRED' )
  or explain( $res->[2]->[0], 'Sessuion expired' );
 ok(
    $res = $client->_get(
@ -403,7 +403,7 @@ expectOK($res);

 ok(
    $res->[2]->[0] =~
-m%<div class="message message-positive alert"><span trmsg="47"></span></div>%,
+m%<div class="message message-positive alert"><span trmsg="47">%,
    'Dwho has been well disconnected'
 ) or print STDERR Dumper( $res->[2]->[0] );
 count(2);
--- a/lemonldap-ng-portal/t/68-Impersonation-with-doubleCookies.t
+++ b/lemonldap-ng-portal/t/68-Impersonation-with-doubleCookies.t
@ -55,7 +55,7 @@ ok(
    ),
    'Auth query'
 );
-ok( $res->[2]->[0] =~ m%<span trmsg="40"></span>%, ' PE40 found' )
+ok( $res->[2]->[0] =~ m%<span trmsg="40">%, ' PE40 found' )
  or explain( $res->[2]->[0], "PE40 - Bad formed user" );
 count(2);

@ -83,7 +83,7 @@ ok(
 );
 ok(
    $res->[2]->[0] =~
-m%<div class="message message-negative alert"><span trmsg="5"></span></div>%,
+m%<div class="message message-negative alert"><span trmsg="5">%,
    ' PE5 found'
 ) or explain( $res->[2]->[0], "PE5 - Forbidden identity" );
 count(2);
@ -112,7 +112,7 @@ ok(
 );
 ok(
    $res->[2]->[0] =~
-m%<div class="message message-negative alert"><span trmsg="93"></span>%,
+m%<div class="message message-negative alert"><span trmsg="93">%,
    ' PE93 found'
 ) or explain( $res->[2]->[0], "PE93 - Impersonation service not allowed" );
 count(2);
--- a/lemonldap-ng-portal/t/68-Impersonation.t
+++ b/lemonldap-ng-portal/t/68-Impersonation.t
@ -54,7 +54,7 @@ ok(
    ),
    'Auth query'
 );
-ok( $res->[2]->[0] =~ m%<span trmsg="40"></span>%, ' PE40 found' )
+ok( $res->[2]->[0] =~ m%<span trmsg="40">%, ' PE40 found' )
  or explain( $res->[2]->[0], "PE40 - Bad formed user" );
 count(2);

@ -82,7 +82,7 @@ ok(
 );
 ok(
    $res->[2]->[0] =~
-m%<div class="message message-negative alert"><span trmsg="5"></span></div>%,
+m%<div class="message message-negative alert"><span trmsg="5">%,
    ' PE5 found'
 ) or explain( $res->[2]->[0], "PE5 - Forbidden identity" );
 count(2);
@ -111,7 +111,7 @@ ok(
 );
 ok(
    $res->[2]->[0] =~
-m%<div class="message message-negative alert"><span trmsg="93"></span>%,
+m%<div class="message message-negative alert"><span trmsg="93">%,
    ' PE93 found'
 ) or explain( $res->[2]->[0], "PE93 - Impersonation service not allowed" );
 count(2);
--- a/lemonldap-ng-portal/t/76-2F-Ext-with-BruteForce.t
+++ b/lemonldap-ng-portal/t/76-2F-Ext-with-BruteForce.t
@ -72,11 +72,10 @@ ok(
    ),
    '4th Bad Auth query -> Rejected'
 );
-count(1);
-ok( $res->[2]->[0] =~ /<span trmsg="86"><\/span>/, 'Protection enabled' );
-count(1);
+ok( $res->[2]->[0] =~ /<span trmsg="86">/, 'Protection enabled' );
+count(2);

-# Cool down
+# Count down
 Time::Fake->offset("+2s");

 # Try to authenticate
@ -113,10 +112,8 @@ ok(
    ),
    'Post code'
 );
-count(1);
-
-ok( $res->[2]->[0] =~ /<span trmsg="86"><\/span>/, 'Protection enabled' );
-count(1);
+ok( $res->[2]->[0] =~ /<span trmsg="86">/, 'Protection enabled' );
+count(2);

 # Cool down
 Time::Fake->offset("+6s");
@ -143,7 +140,6 @@ ok(
 qr%<input name="code" value="" type="text" class="form-control" id="extcode" trplaceholder="code" autocomplete="off" />%,
    'Found EXTCODE input'
 ) or print STDERR Dumper( $res->[2]->[0] );
-count(1);

 $query =~ s/code=/code=123456/;
 ok(
@ -155,17 +151,16 @@ ok(
    ),
    'Post code'
 );
-count(1);
+count(2);

 my $id = expectCookie($res);

 ok( $res->[2]->[0] =~ /trspan="lastLogins"/, 'History found' )
  or print STDERR Dumper( $res->[2]->[0] );
-count(1);
 my @c = ( $res->[2]->[0] =~ /<td>127.0.0.1/gs );
-ok( @c == 5, 'Five entries found' )
+ok( @c == 6, 'Six entries found' )
  or print STDERR Dumper( $res->[2]->[0] );
-count(1);
+count(2);

 $client->logout($id);
 clean_sessions();