authelia/test/features/regulation.feature

@needs-regulation-config
Feature: Authelia regulates authentication to avoid brute force

  @need-registered-user-blackhat
  Scenario: Attacker tries too many authentication in a short period of time and get banned
    Given I visit "https://login.example.com:8080/"
    And I set field "username" to "blackhat"
    And I set field "password" to "bad-password"
    And I click on "Sign in"
    And I get a notification of type "error" with message "Authentication failed. Please check your credentials."
    And I set field "password" to "bad-password"
    And I click on "Sign in"
    And I get a notification of type "error" with message "Authentication failed. Please check your credentials."
    And I set field "password" to "bad-password"
    And I click on "Sign in"
    And I get a notification of type "error" with message "Authentication failed. Please check your credentials."
    When I set field "password" to "password"
    And I click on "Sign in"
    Then I get a notification of type "error" with message "Authentication failed. Please check your credentials."

  @need-registered-user-blackhat
  Scenario: User is unbanned after a configured amount of time
    Given I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
    And I set field "username" to "blackhat"
    And I set field "password" to "bad-password"
    And I click on "Sign in"
    And I get a notification of type "error" with message "Authentication failed. Please check your credentials."
    And I set field "password" to "bad-password"
    And I click on "Sign in"
    And I get a notification of type "error" with message "Authentication failed. Please check your credentials."
    And I set field "password" to "bad-password"
    And I click on "Sign in"
    And I get a notification of type "error" with message "Authentication failed. Please check your credentials."
    When I wait 6 seconds 
    And I set field "password" to "password"
    And I click on "Sign in"
    And I use "REGISTERED" as TOTP token handle
    And I click on "Sign in"
    Then I'm redirected to "https://public.example.com:8080/secret.html"
Implement session inactivity timeout This timeout will prevent an attacker from using a session that has been inactive for too long. This inactivity timeout combined with the timeout before expiration makes a good combination of security mechanisms to prevent session theft. If no activity timeout is provided, then the feature is disabled and only session expiration remains as a protection. 2017-10-16 22:38:10 +00:00			`@needs-regulation-config`
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-02 23:25:43 +00:00			`Feature: Authelia regulates authentication to avoid brute force`

Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`@need-registered-user-blackhat`
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-02 23:25:43 +00:00			`Scenario: Attacker tries too many authentication in a short period of time and get banned`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`Given I visit "https://login.example.com:8080/"`
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-02 23:25:43 +00:00			`And I set field "username" to "blackhat"`
			`And I set field "password" to "bad-password"`
			`And I click on "Sign in"`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-10 21:03:30 +00:00			`And I get a notification of type "error" with message "Authentication failed. Please check your credentials."`
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-02 23:25:43 +00:00			`And I set field "password" to "bad-password"`
			`And I click on "Sign in"`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-10 21:03:30 +00:00			`And I get a notification of type "error" with message "Authentication failed. Please check your credentials."`
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-02 23:25:43 +00:00			`And I set field "password" to "bad-password"`
			`And I click on "Sign in"`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-10 21:03:30 +00:00			`And I get a notification of type "error" with message "Authentication failed. Please check your credentials."`
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-02 23:25:43 +00:00			`When I set field "password" to "password"`
			`And I click on "Sign in"`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-10 21:03:30 +00:00			`Then I get a notification of type "error" with message "Authentication failed. Please check your credentials."`
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-02 23:25:43 +00:00
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`@need-registered-user-blackhat`
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-02 23:25:43 +00:00			`Scenario: User is unbanned after a configured amount of time`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`Given I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"`
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-02 23:25:43 +00:00			`And I set field "username" to "blackhat"`
			`And I set field "password" to "bad-password"`
			`And I click on "Sign in"`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-10 21:03:30 +00:00			`And I get a notification of type "error" with message "Authentication failed. Please check your credentials."`
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-02 23:25:43 +00:00			`And I set field "password" to "bad-password"`
			`And I click on "Sign in"`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-10 21:03:30 +00:00			`And I get a notification of type "error" with message "Authentication failed. Please check your credentials."`
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-02 23:25:43 +00:00			`And I set field "password" to "bad-password"`
			`And I click on "Sign in"`
Every public endpoints return 200 with harmonized error messages or 401 Now, /verify can return 401 or 403 depending on the user authentication. Every public API endpoints and pages return 200 with error message in JSON body or 401 if the user is not authorized. This policy makes it complicated for an attacker to know what is the source of the failure and hide server-side bugs (not returning 500), bugs being potential threats. 2017-10-10 21:03:30 +00:00			`And I get a notification of type "error" with message "Authentication failed. Please check your credentials."`
Parameterize authentication regulation via configuration file. Both for flexibility and for testing purposes. 2017-09-02 23:25:43 +00:00			`When I wait 6 seconds`
			`And I set field "password" to "password"`
			`And I click on "Sign in"`
Add logs to detect redis connection issues earlier Before this fix, the application was simply crashing during execution when connection to redis was failing. Now, it is correctly handled with failing promises and logs have been enabled to clearly see the problem 2017-09-21 20:07:34 +00:00			`And I use "REGISTERED" as TOTP token handle`
Improve UX of the second factor page Start the U2F signing request when entering in the second factor page so that the user only has to touch the token without any other clicks. 2017-10-21 23:23:26 +00:00			`And I click on "Sign in"`
Change domain from test.local to example.com Warning: you will need to update your /etc/hosts to take this change into account for the example environment to work. 2017-11-02 20:34:07 +00:00			`Then I'm redirected to "https://public.example.com:8080/secret.html"`