Commit c2da030b authored by Christophe Maudoux's avatar Christophe Maudoux 🐛

BruteForceProtection plugin disabled by default

parent d06a6fc9
...@@ -19,7 +19,6 @@ sub defaultValues { ...@@ -19,7 +19,6 @@ sub defaultValues {
'authentication' => 'Demo', 'authentication' => 'Demo',
'available2F' => 'UTOTP,TOTP,U2F,REST,Ext2F,Yubikey', 'available2F' => 'UTOTP,TOTP,U2F,REST,Ext2F,Yubikey',
'available2FSelfRegistration' => 'TOTP,U2F,Yubikey', 'available2FSelfRegistration' => 'TOTP,U2F,Yubikey',
'bruteForceProtection' => 1,
'bruteForceProtectionMaxAge' => 300, 'bruteForceProtectionMaxAge' => 300,
'bruteForceProtectionTempo' => 30, 'bruteForceProtectionTempo' => 30,
'captcha_mail_enabled' => 1, 'captcha_mail_enabled' => 1,
......
...@@ -608,7 +608,7 @@ sub attributes { ...@@ -608,7 +608,7 @@ sub attributes {
'type' => 'text' 'type' => 'text'
}, },
'bruteForceProtection' => { 'bruteForceProtection' => {
'default' => 1, 'default' => 0,
'type' => 'bool' 'type' => 'bool'
}, },
'bruteForceProtectionMaxAge' => { 'bruteForceProtectionMaxAge' => {
......
...@@ -574,7 +574,7 @@ sub attributes { ...@@ -574,7 +574,7 @@ sub attributes {
'Maximun interval in seconds since last authentifcation to force reauthentication', 'Maximun interval in seconds since last authentifcation to force reauthentication',
}, },
bruteForceProtection => { bruteForceProtection => {
default => 1, default => 0,
type => 'bool', type => 'bool',
documentation => 'Enable brute force attack protection', documentation => 'Enable brute force attack protection',
}, },
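Review bot: The `documentation` string on the new side still reads only 'Enable brute force attack protection', while the plugin's `init` in this same commit now refuses to load unless `loginHistoryEnabled` is set, so an administrator who flips this default back to 1 gets no hint of that prerequisite; I would extend it to `documentation => 'Enable brute force attack protection (requires login history to be enabled)',`. The same default flip appears in the `sub attributes` hunk with quoted keys, and the key is dropped entirely from the `sub defaultValues` hunk; if those files are generated from this one, regenerating them covers it, otherwise all three need to agree so that an absent key and an explicit 0 are treated the same by readers of `conf->{bruteForceProtection}`. Since this turns off a security control for new installations, the change also deserves a line in the upgrade notes.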
......
...@@ -16,16 +16,17 @@ sub displayInit { ...@@ -16,16 +16,17 @@ sub displayInit {
my ($self) = @_; my ($self) = @_;
$self->skinRules( [] ); $self->skinRules( [] );
if ( $self->conf->{portalSkinRules} ) { if ( $self->conf->{portalSkinRules} ) {
foreach my $skinRule ( sort keys %{ $self->conf->{portalSkinRules} } ) { foreach my $skinRule ( sort keys %{ $self->conf->{portalSkinRules} } )
{
my $sub = HANDLER->buildSub( HANDLER->substitute($skinRule) ); my $sub = HANDLER->buildSub( HANDLER->substitute($skinRule) );
if ($sub) { if ($sub) {
push @{ $self->skinRules }, push @{ $self->skinRules },
[ $self->conf->{portalSkinRules}->{$skinRule}, $sub ]; [ $self->conf->{portalSkinRules}->{$skinRule}, $sub ];
} }
else { else {
$self->logger->error( $self->logger->error(
qq(Skin rule "$skinRule" returns an error: ) qq(Skin rule "$skinRule" returns an error: )
. HANDLER->tsv->{jail}->error ); . HANDLER->tsv->{jail}->error );
} }
} }
} }
...@@ -54,8 +55,7 @@ sub display { ...@@ -54,8 +55,7 @@ sub display {
AUTH_URL => $req->{data}->{_url}, AUTH_URL => $req->{data}->{_url},
CHOICE_PARAM => $self->conf->{authChoiceParam}, CHOICE_PARAM => $self->conf->{authChoiceParam},
CHOICE_VALUE => $req->data->{_authChoice}, CHOICE_VALUE => $req->data->{_authChoice},
( ( $req->data->{customScript}
$req->data->{customScript}
? ( CUSTOM_SCRIPT => $req->data->{customScript} ) ? ( CUSTOM_SCRIPT => $req->data->{customScript} )
: () : ()
), ),
...@@ -79,12 +79,11 @@ sub display { ...@@ -79,12 +79,11 @@ sub display {
CHOICE_PARAM => $self->conf->{authChoiceParam}, CHOICE_PARAM => $self->conf->{authChoiceParam},
CHOICE_VALUE => $req->data->{_authChoice}, CHOICE_VALUE => $req->data->{_authChoice},
CHECK_LOGINS => $self->conf->{portalCheckLogins} CHECK_LOGINS => $self->conf->{portalCheckLogins}
&& $req->data->{login}, && $req->data->{login},
ASK_LOGINS => $req->param('checkLogins') || 0, ASK_LOGINS => $req->param('checkLogins') || 0,
CONFIRMKEY => $self->stamp(), CONFIRMKEY => $self->stamp(),
REMEMBER => $req->data->{confirmRemember}, REMEMBER => $req->data->{confirmRemember},
( ( $req->data->{customScript}
$req->data->{customScript}
? ( CUSTOM_SCRIPT => $req->data->{customScript} ) ? ( CUSTOM_SCRIPT => $req->data->{customScript} )
: () : ()
), ),
...@@ -107,13 +106,12 @@ sub display { ...@@ -107,13 +106,12 @@ sub display {
CHOICE_PARAM => $self->conf->{authChoiceParam}, CHOICE_PARAM => $self->conf->{authChoiceParam},
CHOICE_VALUE => $req->data->{_authChoice}, CHOICE_VALUE => $req->data->{_authChoice},
CHECK_LOGINS => $self->conf->{portalCheckLogins} CHECK_LOGINS => $self->conf->{portalCheckLogins}
&& $req->data->{login}, && $req->data->{login},
ASK_LOGINS => $req->param('checkLogins') || 0, ASK_LOGINS => $req->param('checkLogins') || 0,
CONFIRMKEY => $self->stamp(), CONFIRMKEY => $self->stamp(),
LIST => $req->data->{list} || [], LIST => $req->data->{list} || [],
REMEMBER => $req->data->{confirmRemember}, REMEMBER => $req->data->{confirmRemember},
( ( $req->data->{customScript}
$req->data->{customScript}
? ( CUSTOM_SCRIPT => $req->data->{customScript} ) ? ( CUSTOM_SCRIPT => $req->data->{customScript} )
: () : ()
), ),
...@@ -123,7 +121,8 @@ sub display { ...@@ -123,7 +121,8 @@ sub display {
# 1.3 There is a message to display # 1.3 There is a message to display
elsif ( my $info = $req->info ) { elsif ( my $info = $req->info ) {
$self->logger->debug('Display: info detected'); $self->logger->debug('Display: info detected');
$self->logger->debug('Hidden values -> '. Dumper( $req->{portalHiddenFormValues})); $self->logger->debug(
'Hidden values -> ' . Dumper( $req->{portalHiddenFormValues} ) );
$skinfile = 'info'; $skinfile = 'info';
%templateParams = ( %templateParams = (
MAIN_LOGO => $self->conf->{portalMainLogo}, MAIN_LOGO => $self->conf->{portalMainLogo},
...@@ -136,8 +135,7 @@ sub display { ...@@ -136,8 +135,7 @@ sub display {
FORM_METHOD => $self->conf->{infoFormMethod}, FORM_METHOD => $self->conf->{infoFormMethod},
CHOICE_PARAM => $self->conf->{authChoiceParam}, CHOICE_PARAM => $self->conf->{authChoiceParam},
CHOICE_VALUE => $req->data->{_authChoice}, CHOICE_VALUE => $req->data->{_authChoice},
( ( $req->data->{customScript}
$req->data->{customScript}
? ( CUSTOM_SCRIPT => $req->data->{customScript} ) ? ( CUSTOM_SCRIPT => $req->data->{customScript} )
: () : ()
), ),
...@@ -152,15 +150,14 @@ sub display { ...@@ -152,15 +150,14 @@ sub display {
my $p = $self->conf->{portal} . $self->conf->{issuerDBOpenIDPath}; my $p = $self->conf->{portal} . $self->conf->{issuerDBOpenIDPath};
$p =~ s#(?<!:)/?\^?/#/#g; $p =~ s#(?<!:)/?\^?/#/#g;
my $id = $req->{sessionInfo} my $id = $req->{sessionInfo}
->{ $self->conf->{openIdAttr} || $self->conf->{whatToTrace} }; ->{ $self->conf->{openIdAttr} || $self->conf->{whatToTrace} };
%templateParams = ( %templateParams = (
MAIN_LOGO => $self->conf->{portalMainLogo}, MAIN_LOGO => $self->conf->{portalMainLogo},
AUTH_ERROR => $self->error, AUTH_ERROR => $self->error,
AUTH_ERROR_TYPE => $req->error_type, AUTH_ERROR_TYPE => $req->error_type,
PROVIDERURI => $p, PROVIDERURI => $p,
MSG => $req->info(), MSG => $req->info(),
( ( $req->data->{customScript}
$req->data->{customScript}
? ( CUSTOM_SCRIPT => $req->data->{customScript} ) ? ( CUSTOM_SCRIPT => $req->data->{customScript} )
: () : ()
), ),
...@@ -177,8 +174,7 @@ sub display { ...@@ -177,8 +174,7 @@ sub display {
URL => $req->{urldc}, URL => $req->{urldc},
HIDDEN_INPUTS => $self->buildHiddenForm($req), HIDDEN_INPUTS => $self->buildHiddenForm($req),
FORM_METHOD => $req->data->{redirectFormMethod} || 'get', FORM_METHOD => $req->data->{redirectFormMethod} || 'get',
( ( $req->data->{customScript}
$req->data->{customScript}
? ( CUSTOM_SCRIPT => $req->data->{customScript} ) ? ( CUSTOM_SCRIPT => $req->data->{customScript} )
: () : ()
), ),
...@@ -191,17 +187,17 @@ sub display { ...@@ -191,17 +187,17 @@ sub display {
#utf8::decode($auth_user); #utf8::decode($auth_user);
%templateParams = ( %templateParams = (
MAIN_LOGO => $self->conf->{portalMainLogo}, MAIN_LOGO => $self->conf->{portalMainLogo},
AUTH_USER => $req->{sessionInfo}->{ $self->conf->{portalUserAttr} }, AUTH_USER =>
NEWWINDOW => $self->conf->{portalOpenLinkInNewWindow}, $req->{sessionInfo}->{ $self->conf->{portalUserAttr} },
NEWWINDOW => $self->conf->{portalOpenLinkInNewWindow},
LOGOUT_URL => $self->conf->{portal} . "?logout=1", LOGOUT_URL => $self->conf->{portal} . "?logout=1",
APPSLIST_ORDER => $req->{sessionInfo}->{'_appsListOrder'}, APPSLIST_ORDER => $req->{sessionInfo}->{'_appsListOrder'},
PING => $self->conf->{portalPingInterval}, PING => $self->conf->{portalPingInterval},
REQUIRE_OLDPASSWORD => $self->conf->{portalRequireOldPassword}, REQUIRE_OLDPASSWORD => $self->conf->{portalRequireOldPassword},
HIDE_OLDPASSWORD => 0, HIDE_OLDPASSWORD => 0,
$self->menu->params($req), $self->menu->params($req),
( ( $req->data->{customScript}
$req->data->{customScript}
? ( CUSTOM_SCRIPT => $req->data->{customScript} ) ? ( CUSTOM_SCRIPT => $req->data->{customScript} )
: () : ()
), ),
...@@ -216,8 +212,7 @@ sub display { ...@@ -216,8 +212,7 @@ sub display {
CONFIRMKEY => $self->stamp, CONFIRMKEY => $self->stamp,
PORTAL => $self->conf->{portal}, PORTAL => $self->conf->{portal},
URL => $req->data->{_url}, URL => $req->data->{_url},
( ( $req->data->{customScript}
$req->data->{customScript}
? ( CUSTOM_SCRIPT => $req->data->{customScript} ) ? ( CUSTOM_SCRIPT => $req->data->{customScript} )
: () : ()
), ),
...@@ -232,8 +227,7 @@ sub display { ...@@ -232,8 +227,7 @@ sub display {
CONFIRMKEY => $self->stamp, CONFIRMKEY => $self->stamp,
PORTAL => $self->conf->{portal}, PORTAL => $self->conf->{portal},
URL => $req->data->{_url}, URL => $req->data->{_url},
( ( $req->data->{customScript}
$req->data->{customScript}
? ( CUSTOM_SCRIPT => $req->data->{customScript} ) ? ( CUSTOM_SCRIPT => $req->data->{customScript} )
: () : ()
), ),
...@@ -246,15 +240,14 @@ sub display { ...@@ -246,15 +240,14 @@ sub display {
or ( not $req->data->{noerror} or ( not $req->data->{noerror}
and $req->userData and $req->userData
and %{ $req->userData } ) and %{ $req->userData } )
) )
{ {
$skinfile = 'error'; $skinfile = 'error';
%templateParams = ( %templateParams = (
MAIN_LOGO => $self->conf->{portalMainLogo}, MAIN_LOGO => $self->conf->{portalMainLogo},
AUTH_ERROR => $req->error, AUTH_ERROR => $req->error,
AUTH_ERROR_TYPE => $req->error_type, AUTH_ERROR_TYPE => $req->error_type,
( ( $req->data->{customScript}
$req->data->{customScript}
? ( CUSTOM_SCRIPT => $req->data->{customScript} ) ? ( CUSTOM_SCRIPT => $req->data->{customScript} )
: () : ()
), ),
...@@ -267,21 +260,21 @@ sub display { ...@@ -267,21 +260,21 @@ sub display {
my $login = $self->userId($req); my $login = $self->userId($req);
$login = '' if ( $login eq 'anonymous' ); $login = '' if ( $login eq 'anonymous' );
%templateParams = ( %templateParams = (
MAIN_LOGO => $self->conf->{portalMainLogo}, MAIN_LOGO => $self->conf->{portalMainLogo},
AUTH_ERROR => $req->error, AUTH_ERROR => $req->error,
AUTH_ERROR_TYPE => $req->error_type, AUTH_ERROR_TYPE => $req->error_type,
AUTH_URL => $req->{data}->{_url}, AUTH_URL => $req->{data}->{_url},
LOGIN => $login, LOGIN => $login,
CHECK_LOGINS => $self->conf->{portalCheckLogins}, CHECK_LOGINS => $self->conf->{portalCheckLogins},
ASK_LOGINS => $req->param('checkLogins') || 0, ASK_LOGINS => $req->param('checkLogins') || 0,
DISPLAY_RESETPASSWORD => $self->conf->{portalDisplayResetPassword}, DISPLAY_RESETPASSWORD =>
DISPLAY_REGISTER => $self->conf->{portalDisplayRegister}, $self->conf->{portalDisplayResetPassword},
MAIL_URL => $self->conf->{mailUrl}, DISPLAY_REGISTER => $self->conf->{portalDisplayRegister},
REGISTER_URL => $self->conf->{registerUrl}, MAIL_URL => $self->conf->{mailUrl},
HIDDEN_INPUTS => $self->buildHiddenForm($req), REGISTER_URL => $self->conf->{registerUrl},
STAYCONNECTED => $self->conf->{stayConnected}, HIDDEN_INPUTS => $self->buildHiddenForm($req),
( STAYCONNECTED => $self->conf->{stayConnected},
$req->data->{customScript} ( $req->data->{customScript}
? ( CUSTOM_SCRIPT => $req->data->{customScript} ) ? ( CUSTOM_SCRIPT => $req->data->{customScript} )
: () : ()
), ),
...@@ -313,12 +306,12 @@ sub display { ...@@ -313,12 +306,12 @@ sub display {
or $req->{error} == PE_PASSWORDFORMEMPTY or $req->{error} == PE_PASSWORDFORMEMPTY
or ( $req->{error} == PE_PP_PASSWORD_EXPIRED or ( $req->{error} == PE_PP_PASSWORD_EXPIRED
and $self->conf->{ldapAllowResetExpiredPassword} ) and $self->conf->{ldapAllowResetExpiredPassword} )
) )
{ {
%templateParams = ( %templateParams = (
%templateParams, %templateParams,
REQUIRE_OLDPASSWORD => REQUIRE_OLDPASSWORD =>
1, # Old password is required to check user credentials 1, # Old password is required to check user credentials
DISPLAY_FORM => 0, DISPLAY_FORM => 0,
DISPLAY_OPENID_FORM => 0, DISPLAY_OPENID_FORM => 0,
DISPLAY_YUBIKEY_FORM => 0, DISPLAY_YUBIKEY_FORM => 0,
...@@ -375,15 +368,17 @@ sub display { ...@@ -375,15 +368,17 @@ sub display {
# Choose what form to display if not in a loop # Choose what form to display if not in a loop
else { else {
my $displayType = my $displayType
eval { $self->_authentication->getDisplayType($req) }; = eval { $self->_authentication->getDisplayType($req) };
$self->logger->debug("Display type $displayType "); $self->logger->debug("Display type $displayType ");
%templateParams = ( %templateParams = (
%templateParams, %templateParams,
DISPLAY_FORM => $displayType =~ /\bstandardform\b/ ? 1 : 0, DISPLAY_FORM => $displayType =~ /\bstandardform\b/ ? 1
DISPLAY_OPENID_FORM => $displayType =~ /\bopenidform\b/ ? 1 : 0,
DISPLAY_OPENID_FORM => $displayType =~ /\bopenidform\b/
? 1
: 0, : 0,
DISPLAY_YUBIKEY_FORM => $displayType =~ /\byubikeyform\b/ DISPLAY_YUBIKEY_FORM => $displayType =~ /\byubikeyform\b/
? 1 ? 1
...@@ -393,9 +388,10 @@ sub display { ...@@ -393,9 +388,10 @@ sub display {
module => $displayType eq "logo" module => $displayType eq "logo"
? $self->getModule( $req, 'auth' ) ? $self->getModule( $req, 'auth' )
: "", : "",
AUTH_LOOP => [], AUTH_LOOP => [],
PORTAL_URL => PORTAL_URL => (
( $displayType eq "logo" ? $self->conf->{portal} : 0 ), $displayType eq "logo" ? $self->conf->{portal} : 0
),
MSG => $req->info(), MSG => $req->info(),
); );
...@@ -406,7 +402,8 @@ sub display { ...@@ -406,7 +402,8 @@ sub display {
} }
# Additional $req param # Additional $req param
%templateParams = ( %templateParams, %{ $req->{customParameters} // {} }, ); %templateParams
= ( %templateParams, %{ $req->{customParameters} // {} }, );
$self->logger->debug("Skin returned: $skinfile"); $self->logger->debug("Skin returned: $skinfile");
return ( $skinfile, \%templateParams ); return ( $skinfile, \%templateParams );
...@@ -422,15 +419,16 @@ sub staticFile { ...@@ -422,15 +419,16 @@ sub staticFile {
require Plack::Util; require Plack::Util;
require Cwd; require Cwd;
require HTTP::Date; require HTTP::Date;
open my $fh, '<:raw', $self->conf->{templatesDir} . "/$file" open my $fh, '<:raw',
or return $self->sendError( $req, $self->conf->{templatesDir}
. "/$file"
or return $self->sendError( $req,
$self->conf->{templatesDir} . "/$file: $!", 403 ); $self->conf->{templatesDir} . "/$file: $!", 403 );
my @stat = stat $file; my @stat = stat $file;
Plack::Util::set_io_path( $fh, Cwd::realpath($file) ); Plack::Util::set_io_path( $fh, Cwd::realpath($file) );
return [ return [
200, 200,
[ [ 'Content-Type' => $type,
'Content-Type' => $type,
'Content-Length' => $stat[7], 'Content-Length' => $stat[7],
'Last-Modified' => HTTP::Date::time2str( $stat[9] ) 'Last-Modified' => HTTP::Date::time2str( $stat[9] )
], ],
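Review bot: The file is opened at `$self->conf->{templatesDir} . "/$file"` but the following `stat $file` and `Cwd::realpath($file)` use the bare `$file`, which resolves against the process's working directory, so `Content-Length` and `Last-Modified` are taken from a different (probably non-existent) path and `set_io_path` receives a wrong path; the three calls should share one value, e.g. `my $path = $self->conf->{templatesDir} . "/$file";` used by `open`, `stat` and `realpath`. The 403 error text also returns the server-side templates directory together with `$!` to the client; log that detail and send a generic message instead. staticFile's signature and any sanitisation of `$file` are outside the hunk, so whether `$file` is constrained to the templates directory cannot be judged here, which is worth confirming since the path is built by plain concatenation. The commit only reflows these lines, so the defect is pre-existing rather than introduced.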
...@@ -447,11 +445,12 @@ sub buildHiddenForm { ...@@ -447,11 +445,12 @@ sub buildHiddenForm {
# Check XSS attacks # Check XSS attacks
next next
if $self->checkXSSAttack( $_, $req->{portalHiddenFormValues}->{$_} ); if $self->checkXSSAttack( $_,
$req->{portalHiddenFormValues}->{$_} );
# Build hidden input HTML code # Build hidden input HTML code
$val .= qq{<input type="hidden" name="$_" id="$_" value="} $val .= qq{<input type="hidden" name="$_" id="$_" value="}
. $req->{portalHiddenFormValues}->{$_} . '" />'; . $req->{portalHiddenFormValues}->{$_} . '" />';
} }
return $val; return $val;
...@@ -522,13 +521,12 @@ sub mkSessionArray { ...@@ -522,13 +521,12 @@ sub mkSessionArray {
displayError => $displayError, displayError => $displayError,
fields => [ fields => [
map { { name => $self->conf->{sessionDataToRemember}->{$_} } } map { { name => $self->conf->{sessionDataToRemember}->{$_} } }
@fields @fields
], ],
sessions => [ sessions => [
map { map {
my $session = $_; my $session = $_;
{ { user => $session->{user},
user => $session->{user},
utime => $session->{_utime}, utime => $session->{_utime},
ip => $session->{ipAddr}, ip => $session->{ipAddr},
values => [ map { { v => $session->{$_} } } @fields ], values => [ map { { v => $session->{$_} } } @fields ],
...@@ -547,10 +545,10 @@ sub mkOidcConsent { ...@@ -547,10 +545,10 @@ sub mkOidcConsent {
and ref( $self->conf->{oidcRPMetaDataOptions} ) ) and ref( $self->conf->{oidcRPMetaDataOptions} ) )
{ {
# Set default RP displayname # Set default RP displayname
foreach my $oidc ( keys %{ $self->conf->{oidcRPMetaDataOptions} } ) { foreach my $oidc ( keys %{ $self->conf->{oidcRPMetaDataOptions} } ) {
$self->conf->{oidcRPMetaDataOptions}->{$oidc} $self->conf->{oidcRPMetaDataOptions}->{$oidc}
->{oidcRPMetaDataOptionsDisplayName} ||= $oidc; ->{oidcRPMetaDataOptionsDisplayName} ||= $oidc;
} }
} }
...@@ -576,9 +574,9 @@ sub mkOidcConsent { ...@@ -576,9 +574,9 @@ sub mkOidcConsent {
$self->logger->debug("RP { $rp } Consent found"); $self->logger->debug("RP { $rp } Consent found");
$consents->{$rp}->{epoch} = $_->{epoch}; $consents->{$rp}->{epoch} = $_->{epoch};
$consents->{$rp}->{scope} = $_->{scope}; $consents->{$rp}->{scope} = $_->{scope};
$consents->{$rp}->{displayName} = $consents->{$rp}->{displayName}
$self->conf->{oidcRPMetaDataOptions}->{$rp} = $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsDisplayName}; ->{oidcRPMetaDataOptionsDisplayName};
} }
} }
...@@ -588,8 +586,7 @@ sub mkOidcConsent { ...@@ -588,8 +586,7 @@ sub mkOidcConsent {
params => { params => {
partners => [ partners => [
map { map {
{ { name => $_,
name => $_,
epoch => $consents->{$_}->{epoch}, epoch => $consents->{$_}->{epoch},
scope => $consents->{$_}->{scope}, scope => $consents->{$_}->{scope},
displayName => $consents->{$_}->{displayName} displayName => $consents->{$_}->{displayName}
......
...@@ -15,9 +15,9 @@ use constant afterData => 'run'; ...@@ -15,9 +15,9 @@ use constant afterData => 'run';
sub init { sub init {
my ($self) = @_; my ($self) = @_;
unless ( $self->conf->{loginHistoryEnabled} ) { unless ( $self->conf->{loginHistoryEnabled} ) {
$self->logger->warn( $self->logger->error(
'"History" plugin is required for "BruteForceProtection" plugin'); '"History" plugin is required for "BruteForceProtection" plugin');
#return 0; return 0;
} }
return 1; return 1;
} }
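Review bot: Uncommenting `return 0` turns a previously logged warning into a hard plugin-load failure when `loginHistoryEnabled` is off, which is a behaviour change the commit message ("disable by default") does not mention; it deserves its own sentence in the message or the changelog so operators who enable `bruteForceProtection` understand why the plugin does not come up. The error text could also state the consequence: `'"History" plugin is required for "BruteForceProtection" plugin: protection disabled'`. Whether a false return from `init` actually prevents the plugin from loading depends on the plugin loader, which is outside this hunk.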
......