grafana/pkg/login/brute_force_login_protection_test.go

package login

import (
	"testing"

	"github.com/grafana/grafana/pkg/bus"
	m "github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
	. "github.com/smartystreets/goconvey/convey"
)

func TestLoginAttemptsValidation(t *testing.T) {
	Convey("Validate login attempts", t, func() {
		Convey("Given brute force login protection enabled", func() {
			setting.DisableBruteForceLoginProtection = false

			Convey("When user login attempt count equals max-1 ", func() {
				withLoginAttempts(maxInvalidLoginAttempts - 1)
				err := validateLoginAttempts("user")

				Convey("it should not result in error", func() {
					So(err, ShouldBeNil)
				})
			})

			Convey("When user login attempt count equals max ", func() {
				withLoginAttempts(maxInvalidLoginAttempts)
				err := validateLoginAttempts("user")

				Convey("it should result in too many login attempts error", func() {
					So(err, ShouldEqual, ErrTooManyLoginAttempts)
				})
			})

			Convey("When user login attempt count is greater than max ", func() {
				withLoginAttempts(maxInvalidLoginAttempts + 5)
				err := validateLoginAttempts("user")

				Convey("it should result in too many login attempts error", func() {
					So(err, ShouldEqual, ErrTooManyLoginAttempts)
				})
			})

			Convey("When saving invalid login attempt", func() {
				defer bus.ClearBusHandlers()
				createLoginAttemptCmd := &m.CreateLoginAttemptCommand{}

				bus.AddHandler("test", func(cmd *m.CreateLoginAttemptCommand) error {
					createLoginAttemptCmd = cmd
					return nil
				})

				saveInvalidLoginAttempt(&m.LoginUserQuery{
					Username:  "user",
					Password:  "pwd",
					IpAddress: "192.168.1.1:56433",
				})

				Convey("it should dispatch command", func() {
					So(createLoginAttemptCmd, ShouldNotBeNil)
					So(createLoginAttemptCmd.Username, ShouldEqual, "user")
					So(createLoginAttemptCmd.IpAddress, ShouldEqual, "192.168.1.1:56433")
				})
			})
		})

		Convey("Given brute force login protection disabled", func() {
			setting.DisableBruteForceLoginProtection = true

			Convey("When user login attempt count equals max-1 ", func() {
				withLoginAttempts(maxInvalidLoginAttempts - 1)
				err := validateLoginAttempts("user")

				Convey("it should not result in error", func() {
					So(err, ShouldBeNil)
				})
			})

			Convey("When user login attempt count equals max ", func() {
				withLoginAttempts(maxInvalidLoginAttempts)
				err := validateLoginAttempts("user")

				Convey("it should not result in error", func() {
					So(err, ShouldBeNil)
				})
			})

			Convey("When user login attempt count is greater than max ", func() {
				withLoginAttempts(maxInvalidLoginAttempts + 5)
				err := validateLoginAttempts("user")

				Convey("it should not result in error", func() {
					So(err, ShouldBeNil)
				})
			})

			Convey("When saving invalid login attempt", func() {
				defer bus.ClearBusHandlers()
				createLoginAttemptCmd := (*m.CreateLoginAttemptCommand)(nil)

				bus.AddHandler("test", func(cmd *m.CreateLoginAttemptCommand) error {
					createLoginAttemptCmd = cmd
					return nil
				})

				saveInvalidLoginAttempt(&m.LoginUserQuery{
					Username:  "user",
					Password:  "pwd",
					IpAddress: "192.168.1.1:56433",
				})

				Convey("it should not dispatch command", func() {
					So(createLoginAttemptCmd, ShouldBeNil)
				})
			})
		})
	})
}

func withLoginAttempts(loginAttempts int64) {
	bus.AddHandler("test", func(query *m.GetUserLoginAttemptCountQuery) error {
		query.Result = loginAttempts
		return nil
	})
}
WIP: Protect against brute force (frequent) login attempts (#10031) * db: add login attempt migrations * db: add possibility to create login attempts * db: add possibility to retrieve login attempt count per username * auth: validation and update of login attempts for invalid credentials If login attempt count for user authenticating is 5 or more the last 5 minutes we temporarily block the user access to login * db: add possibility to delete expired login attempts * cleanup: Delete login attempts older than 10 minutes The cleanup job are running continuously and triggering each 10 minute * fix typo: rename consequent to consequent * auth: enable login attempt validation for ldap logins * auth: disable login attempts validation by configuration Setting is named DisableLoginAttemptsValidation and is false by default Config disable_login_attempts_validation is placed under security section #7616 * auth: don't run cleanup of login attempts if feature is disabled #7616 * auth: rename settings.go to ldap_settings.go * auth: refactor AuthenticateUser Extract grafana login, ldap login and login attemp validation together with their tests to separate files. Enables testing of many more aspects when authenticating a user. #7616 * auth: rename login attempt validation to brute force login protection Setting DisableLoginAttemptsValidation => DisableBruteForceLoginProtection Configuration disable_login_attempts_validation => disable_brute_force_login_protection #7616 2018-01-26 10:41:41 +01:00			`package login`

			`import (`
			`"testing"`

			`"github.com/grafana/grafana/pkg/bus"`
			`m "github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/setting"`
			`. "github.com/smartystreets/goconvey/convey"`
			`)`

			`func TestLoginAttemptsValidation(t *testing.T) {`
			`Convey("Validate login attempts", t, func() {`
			`Convey("Given brute force login protection enabled", func() {`
			`setting.DisableBruteForceLoginProtection = false`

			`Convey("When user login attempt count equals max-1 ", func() {`
			`withLoginAttempts(maxInvalidLoginAttempts - 1)`
			`err := validateLoginAttempts("user")`

			`Convey("it should not result in error", func() {`
			`So(err, ShouldBeNil)`
			`})`
			`})`

			`Convey("When user login attempt count equals max ", func() {`
			`withLoginAttempts(maxInvalidLoginAttempts)`
			`err := validateLoginAttempts("user")`

			`Convey("it should result in too many login attempts error", func() {`
			`So(err, ShouldEqual, ErrTooManyLoginAttempts)`
			`})`
			`})`

			`Convey("When user login attempt count is greater than max ", func() {`
			`withLoginAttempts(maxInvalidLoginAttempts + 5)`
			`err := validateLoginAttempts("user")`

			`Convey("it should result in too many login attempts error", func() {`
			`So(err, ShouldEqual, ErrTooManyLoginAttempts)`
			`})`
			`})`

			`Convey("When saving invalid login attempt", func() {`
			`defer bus.ClearBusHandlers()`
			`createLoginAttemptCmd := &m.CreateLoginAttemptCommand{}`

			`bus.AddHandler("test", func(cmd *m.CreateLoginAttemptCommand) error {`
			`createLoginAttemptCmd = cmd`
			`return nil`
			`})`

shared library for managing external user accounts 2018-02-08 17:13:58 -05:00			`saveInvalidLoginAttempt(&m.LoginUserQuery{`
WIP: Protect against brute force (frequent) login attempts (#10031) * db: add login attempt migrations * db: add possibility to create login attempts * db: add possibility to retrieve login attempt count per username * auth: validation and update of login attempts for invalid credentials If login attempt count for user authenticating is 5 or more the last 5 minutes we temporarily block the user access to login * db: add possibility to delete expired login attempts * cleanup: Delete login attempts older than 10 minutes The cleanup job are running continuously and triggering each 10 minute * fix typo: rename consequent to consequent * auth: enable login attempt validation for ldap logins * auth: disable login attempts validation by configuration Setting is named DisableLoginAttemptsValidation and is false by default Config disable_login_attempts_validation is placed under security section #7616 * auth: don't run cleanup of login attempts if feature is disabled #7616 * auth: rename settings.go to ldap_settings.go * auth: refactor AuthenticateUser Extract grafana login, ldap login and login attemp validation together with their tests to separate files. Enables testing of many more aspects when authenticating a user. #7616 * auth: rename login attempt validation to brute force login protection Setting DisableLoginAttemptsValidation => DisableBruteForceLoginProtection Configuration disable_login_attempts_validation => disable_brute_force_login_protection #7616 2018-01-26 10:41:41 +01:00			`Username: "user",`
			`Password: "pwd",`
			`IpAddress: "192.168.1.1:56433",`
			`})`

			`Convey("it should dispatch command", func() {`
			`So(createLoginAttemptCmd, ShouldNotBeNil)`
			`So(createLoginAttemptCmd.Username, ShouldEqual, "user")`
			`So(createLoginAttemptCmd.IpAddress, ShouldEqual, "192.168.1.1:56433")`
			`})`
			`})`
			`})`

			`Convey("Given brute force login protection disabled", func() {`
			`setting.DisableBruteForceLoginProtection = true`

			`Convey("When user login attempt count equals max-1 ", func() {`
			`withLoginAttempts(maxInvalidLoginAttempts - 1)`
			`err := validateLoginAttempts("user")`

			`Convey("it should not result in error", func() {`
			`So(err, ShouldBeNil)`
			`})`
			`})`

			`Convey("When user login attempt count equals max ", func() {`
			`withLoginAttempts(maxInvalidLoginAttempts)`
			`err := validateLoginAttempts("user")`

			`Convey("it should not result in error", func() {`
			`So(err, ShouldBeNil)`
			`})`
			`})`

			`Convey("When user login attempt count is greater than max ", func() {`
			`withLoginAttempts(maxInvalidLoginAttempts + 5)`
			`err := validateLoginAttempts("user")`

			`Convey("it should not result in error", func() {`
			`So(err, ShouldBeNil)`
			`})`
			`})`

			`Convey("When saving invalid login attempt", func() {`
			`defer bus.ClearBusHandlers()`
			`createLoginAttemptCmd := (*m.CreateLoginAttemptCommand)(nil)`

			`bus.AddHandler("test", func(cmd *m.CreateLoginAttemptCommand) error {`
			`createLoginAttemptCmd = cmd`
			`return nil`
			`})`

shared library for managing external user accounts 2018-02-08 17:13:58 -05:00			`saveInvalidLoginAttempt(&m.LoginUserQuery{`
WIP: Protect against brute force (frequent) login attempts (#10031) * db: add login attempt migrations * db: add possibility to create login attempts * db: add possibility to retrieve login attempt count per username * auth: validation and update of login attempts for invalid credentials If login attempt count for user authenticating is 5 or more the last 5 minutes we temporarily block the user access to login * db: add possibility to delete expired login attempts * cleanup: Delete login attempts older than 10 minutes The cleanup job are running continuously and triggering each 10 minute * fix typo: rename consequent to consequent * auth: enable login attempt validation for ldap logins * auth: disable login attempts validation by configuration Setting is named DisableLoginAttemptsValidation and is false by default Config disable_login_attempts_validation is placed under security section #7616 * auth: don't run cleanup of login attempts if feature is disabled #7616 * auth: rename settings.go to ldap_settings.go * auth: refactor AuthenticateUser Extract grafana login, ldap login and login attemp validation together with their tests to separate files. Enables testing of many more aspects when authenticating a user. #7616 * auth: rename login attempt validation to brute force login protection Setting DisableLoginAttemptsValidation => DisableBruteForceLoginProtection Configuration disable_login_attempts_validation => disable_brute_force_login_protection #7616 2018-01-26 10:41:41 +01:00			`Username: "user",`
			`Password: "pwd",`
			`IpAddress: "192.168.1.1:56433",`
			`})`

			`Convey("it should not dispatch command", func() {`
			`So(createLoginAttemptCmd, ShouldBeNil)`
			`})`
			`})`
			`})`
			`})`
			`}`

			`func withLoginAttempts(loginAttempts int64) {`
			`bus.AddHandler("test", func(query *m.GetUserLoginAttemptCountQuery) error {`
			`query.Result = loginAttempts`
			`return nil`
			`})`
			`}`