From 275f6130503a92476766c827359bdcf428908671 Mon Sep 17 00:00:00 2001
From: Leonard Gram
Date: Wed, 5 Sep 2018 12:12:46 +0200
Subject: [PATCH] Only authenticate logins when password is set (#13147)

* auth: never authenticate passwords shorter than 4 chars.

* auth: refactoring password length check.

* auth: does not authenticate when password is empty.

* auth: removes unneccesary change.
---
 pkg/login/auth.go      | 13 ++++++++++++-
 pkg/login/auth_test.go | 18 ++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/pkg/login/auth.go b/pkg/login/auth.go
index 215a22cde33..991fa72fd54 100644
--- a/pkg/login/auth.go
+++ b/pkg/login/auth.go
@@ -2,7 +2,6 @@ package login
 
 import (
 	"errors"
-
 	"github.com/grafana/grafana/pkg/bus"
 	m "github.com/grafana/grafana/pkg/models"
 )
@@ -14,6 +13,7 @@ var (
 	ErrProviderDeniedRequest = errors.New("Login provider denied login request")
 	ErrSignUpNotAllowed = errors.New("Signup is not allowed for this adapter")
 	ErrTooManyLoginAttempts = errors.New("Too many consecutive incorrect login attempts for user. Login for user temporarily blocked")
+	ErrPasswordEmpty = errors.New("No password provided.")
 	ErrUsersQuotaReached = errors.New("Users quota reached")
 	ErrGettingUserQuota = errors.New("Error getting user quota")
 )
@@ -28,6 +28,10 @@ func AuthenticateUser(query *m.LoginUserQuery) error {
 		return err
 	}
 
+	if err := validatePasswordSet(query.Password); err != nil {
+		return err
+	}
+
 	err := loginUsingGrafanaDB(query)
 	if err == nil || (err != m.ErrUserNotFound && err != ErrInvalidCredentials) {
 		return err
@@ -52,3 +56,10 @@ func AuthenticateUser(query *m.LoginUserQuery) error {
 	return err
 }
 
+func validatePasswordSet(password string) error {
+	if len(password) == 0 {
+		return ErrPasswordEmpty
+	}
+
+	return nil
+}
diff --git a/pkg/login/auth_test.go b/pkg/login/auth_test.go
index 932125c410e..a4cd8284cdd 100644
--- a/pkg/login/auth_test.go
+++ b/pkg/login/auth_test.go
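Review bot: The message of the new `ErrPasswordEmpty` sentinel ends with a period, unlike every other error in this `var` block, so it reads inconsistently when surfaced in the login response or wrapped by a caller. `ErrPasswordEmpty = errors.New("No password provided")` keeps the block's existing convention (capitalised, no trailing punctuation).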
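Review bot: The `validatePasswordSet` guard added to AuthenticateUser has no comment saying why an empty password must be refused before any backend is consulted, so a later refactor could harmlessly-looking move it below `loginUsingGrafanaDB` and silently reopen the hole. A comment above the check such as `// Refuse an empty password before any backend is asked: some directory servers accept a bind with an empty password as an unauthenticated (anonymous) bind, which would let a login succeed without a credential.` records the intent; the new test's assertions that neither the Grafana DB nor the LDAP login was called pin this ordering and should be referenced from it. Because the guard returns before the invalid-credential handling later in the function, such attempts presumably do not count towards the lockout bookkeeping — likely acceptable since no credential was tried, but worth one sentence in the same comment. AuthenticateUser begins before this hunk and its body continues into the next one.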
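Review bot: `validatePasswordSet` is introduced without a doc comment, and `len(password) == 0` is the less idiomatic spelling of an empty-string test. Suggest `// validatePasswordSet returns ErrPasswordEmpty when password is empty, so that no login backend is asked to authenticate without a credential.` above the function and `if password == "" {` for the comparison. Note that a password made only of whitespace passes this check; if the goal is solely to avoid an empty-credential bind that is fine, but any stronger minimum (the commit message mentions an earlier 4-character variant) would be a separate, documented decision rather than something this helper implies.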
@@ -10,6 +10,24 @@ import (
 func TestAuthenticateUser(t *testing.T) {
 	Convey("Authenticate user", t, func() {
+		authScenario("When a user authenticates without setting a password", func(sc *authScenarioContext) {
+			mockLoginAttemptValidation(nil, sc)
+			mockLoginUsingGrafanaDB(nil, sc)
+			mockLoginUsingLdap(false, nil, sc)
+
+			loginQuery := m.LoginUserQuery{
+				Username: "user",
+				Password: "",
+			}
+			err := AuthenticateUser(&loginQuery)
+
+			Convey("login should fail", func() {
+				So(sc.grafanaLoginWasCalled, ShouldBeFalse)
+				So(sc.ldapLoginWasCalled, ShouldBeFalse)
+				So(err, ShouldEqual, ErrPasswordEmpty)
+			})
+		})
+
 		authScenario("When a user authenticates having too many login attempts", func(sc *authScenarioContext) {
 			mockLoginAttemptValidation(ErrTooManyLoginAttempts, sc)
 			mockLoginUsingGrafanaDB(nil, sc)