mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
3d1c624c12
* db: add login attempt migrations * db: add possibility to create login attempts * db: add possibility to retrieve login attempt count per username * auth: validation and update of login attempts for invalid credentials If login attempt count for user authenticating is 5 or more the last 5 minutes we temporarily block the user access to login * db: add possibility to delete expired login attempts * cleanup: Delete login attempts older than 10 minutes The cleanup job are running continuously and triggering each 10 minute * fix typo: rename consequent to consequent * auth: enable login attempt validation for ldap logins * auth: disable login attempts validation by configuration Setting is named DisableLoginAttemptsValidation and is false by default Config disable_login_attempts_validation is placed under security section #7616 * auth: don't run cleanup of login attempts if feature is disabled #7616 * auth: rename settings.go to ldap_settings.go * auth: refactor AuthenticateUser Extract grafana login, ldap login and login attemp validation together with their tests to separate files. Enables testing of many more aspects when authenticating a user. #7616 * auth: rename login attempt validation to brute force login protection Setting DisableLoginAttemptsValidation => DisableBruteForceLoginProtection Configuration disable_login_attempts_validation => disable_brute_force_login_protection #7616
102 lines
2.6 KiB
Go
102 lines
2.6 KiB
Go
package login
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
|
|
"github.com/BurntSushi/toml"
|
|
"github.com/grafana/grafana/pkg/log"
|
|
m "github.com/grafana/grafana/pkg/models"
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
)
|
|
|
|
type LdapConfig struct {
|
|
Servers []*LdapServerConf `toml:"servers"`
|
|
}
|
|
|
|
type LdapServerConf struct {
|
|
Host string `toml:"host"`
|
|
Port int `toml:"port"`
|
|
UseSSL bool `toml:"use_ssl"`
|
|
StartTLS bool `toml:"start_tls"`
|
|
SkipVerifySSL bool `toml:"ssl_skip_verify"`
|
|
RootCACert string `toml:"root_ca_cert"`
|
|
BindDN string `toml:"bind_dn"`
|
|
BindPassword string `toml:"bind_password"`
|
|
Attr LdapAttributeMap `toml:"attributes"`
|
|
|
|
SearchFilter string `toml:"search_filter"`
|
|
SearchBaseDNs []string `toml:"search_base_dns"`
|
|
|
|
GroupSearchFilter string `toml:"group_search_filter"`
|
|
GroupSearchFilterUserAttribute string `toml:"group_search_filter_user_attribute"`
|
|
GroupSearchBaseDNs []string `toml:"group_search_base_dns"`
|
|
|
|
LdapGroups []*LdapGroupToOrgRole `toml:"group_mappings"`
|
|
}
|
|
|
|
type LdapAttributeMap struct {
|
|
Username string `toml:"username"`
|
|
Name string `toml:"name"`
|
|
Surname string `toml:"surname"`
|
|
Email string `toml:"email"`
|
|
MemberOf string `toml:"member_of"`
|
|
}
|
|
|
|
type LdapGroupToOrgRole struct {
|
|
GroupDN string `toml:"group_dn"`
|
|
OrgId int64 `toml:"org_id"`
|
|
OrgRole m.RoleType `toml:"org_role"`
|
|
}
|
|
|
|
var LdapCfg LdapConfig
|
|
var ldapLogger log.Logger = log.New("ldap")
|
|
|
|
func loadLdapConfig() {
|
|
if !setting.LdapEnabled {
|
|
return
|
|
}
|
|
|
|
ldapLogger.Info("Ldap enabled, reading config file", "file", setting.LdapConfigFile)
|
|
|
|
_, err := toml.DecodeFile(setting.LdapConfigFile, &LdapCfg)
|
|
if err != nil {
|
|
ldapLogger.Crit("Failed to load ldap config file", "error", err)
|
|
os.Exit(1)
|
|
}
|
|
|
|
if len(LdapCfg.Servers) == 0 {
|
|
ldapLogger.Crit("ldap enabled but no ldap servers defined in config file")
|
|
os.Exit(1)
|
|
}
|
|
|
|
// set default org id
|
|
for _, server := range LdapCfg.Servers {
|
|
assertNotEmptyCfg(server.SearchFilter, "search_filter")
|
|
assertNotEmptyCfg(server.SearchBaseDNs, "search_base_dns")
|
|
|
|
for _, groupMap := range server.LdapGroups {
|
|
if groupMap.OrgId == 0 {
|
|
groupMap.OrgId = 1
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func assertNotEmptyCfg(val interface{}, propName string) {
|
|
switch v := val.(type) {
|
|
case string:
|
|
if v == "" {
|
|
ldapLogger.Crit("LDAP config file is missing option", "option", propName)
|
|
os.Exit(1)
|
|
}
|
|
case []string:
|
|
if len(v) == 0 {
|
|
ldapLogger.Crit("LDAP config file is missing option", "option", propName)
|
|
os.Exit(1)
|
|
}
|
|
default:
|
|
fmt.Println("unknown")
|
|
}
|
|
}
|