IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2024-12-02 05:29:42 -06:00
Code Issues Packages Projects Releases Wiki Activity
d4ae10ecc6
grafana/pkg/services/authn/clients/password.go
Karl Persson 37ceffb74c
Authn: Standardize errors (#74012)
2023-08-29 15:44:04 +02:00

65 lines
2.0 KiB
Go
Raw Blame History

package clients
import (
"context"
"errors"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/services/authn"
"github.com/grafana/grafana/pkg/services/loginattempt"
"github.com/grafana/grafana/pkg/util/errutil"
"github.com/grafana/grafana/pkg/web"
)
var (
errInvalidPassword = errutil.Unauthorized("password-auth.invalid", errutil.WithPublicMessage("Invalid password or username"))
errPasswordAuthFailed = errutil.Unauthorized("password-auth.failed", errutil.WithPublicMessage("Invalid username or password"))
)
var _ authn.PasswordClient = new(Password)
func ProvidePassword(loginAttempts loginattempt.Service, clients ...authn.PasswordClient) *Password {
return &Password{loginAttempts, clients, log.New("authn.password")}
}
type Password struct {
loginAttempts loginattempt.Service
clients []authn.PasswordClient
log log.Logger
}
func (c *Password) AuthenticatePassword(ctx context.Context, r *authn.Request, username, password string) (*authn.Identity, error) {
r.SetMeta(authn.MetaKeyUsername, username)
ok, err := c.loginAttempts.Validate(ctx, username)
if err != nil {
return nil, err
}
if !ok {
return nil, errPasswordAuthFailed.Errorf("too many consecutive incorrect login attempts for user - login for user temporarily blocked")
}
if len(password) == 0 {
return nil, errPasswordAuthFailed.Errorf("no password provided")
}
var clientErrs error
for _, pwClient := range c.clients {
identity, clientErr := pwClient.AuthenticatePassword(ctx, r, username, password)
clientErrs = errors.Join(clientErrs, clientErr)
// we always try next client on any error
if clientErr != nil {
c.log.FromContext(ctx).Debug("Failed to authenticate password identity", "client", pwClient, "error", clientErr)
continue
}
return identity, nil
}
if errors.Is(clientErrs, errInvalidPassword) {
_ = c.loginAttempts.Add(ctx, username, web.RemoteAddr(r.HTTPRequest))
}
return nil, errPasswordAuthFailed.Errorf("failed to authenticate identity: %w", clientErrs)
}
Reference in New Issue View Git Blame Copy Permalink