authelia/internal/regulation/regulator.go

package regulation

import (
	"fmt"
	"time"

	"github.com/authelia/authelia/internal/configuration/schema"
	"github.com/authelia/authelia/internal/models"
	"github.com/authelia/authelia/internal/storage"
	"github.com/authelia/authelia/internal/utils"
)

// NewRegulator create a regulator instance.
func NewRegulator(configuration *schema.RegulationConfiguration, provider storage.Provider, clock utils.Clock) *Regulator {
	regulator := &Regulator{storageProvider: provider}
	regulator.clock = clock

	if configuration != nil {
		findTime, err := utils.ParseDurationString(configuration.FindTime)
		if err != nil {
			panic(err)
		}

		banTime, err := utils.ParseDurationString(configuration.BanTime)
		if err != nil {
			panic(err)
		}

		if findTime > banTime {
			panic(fmt.Errorf("find_time cannot be greater than ban_time"))
		}

		// Set regulator enabled only if MaxRetries is not 0.
		regulator.enabled = configuration.MaxRetries > 0
		regulator.maxRetries = configuration.MaxRetries
		regulator.findTime = findTime
		regulator.banTime = banTime
	}

	return regulator
}

// Mark mark an authentication attempt.
// We split Mark and Regulate in order to avoid timing attacks.
func (r *Regulator) Mark(username string, successful bool) error {
	return r.storageProvider.AppendAuthenticationLog(models.AuthenticationAttempt{
		Username:   username,
		Successful: successful,
		Time:       r.clock.Now(),
	})
}

// Regulate regulate the authentication attempts for a given user.
// This method returns ErrUserIsBanned if the user is banned along with the time until when
// the user is banned.
func (r *Regulator) Regulate(username string) (time.Time, error) {
	// If there is regulation configuration, no regulation applies.
	if !r.enabled {
		return time.Time{}, nil
	}

	now := r.clock.Now()

	// TODO(c.michaud): make sure FindTime < BanTime.
	attempts, err := r.storageProvider.LoadLatestAuthenticationLogs(username, now.Add(-r.banTime))

	if err != nil {
		return time.Time{}, nil
	}

	latestFailedAttempts := make([]models.AuthenticationAttempt, 0, r.maxRetries)

	for _, attempt := range attempts {
		if attempt.Successful || len(latestFailedAttempts) >= r.maxRetries {
			// We stop appending failed attempts once we find the first successful attempts or we reach
			// the configured number of retries, meaning the user is already banned.
			break
		} else {
			latestFailedAttempts = append(latestFailedAttempts, attempt)
		}
	}

	// If the number of failed attempts within the ban time is less than the max number of retries
	// then the user is not banned.
	if len(latestFailedAttempts) < r.maxRetries {
		return time.Time{}, nil
	}

	// Now we compute the time between the latest attempt and the MaxRetry-th one. If it's
	// within the FindTime then it means that the user has been banned.
	durationBetweenLatestAttempts := latestFailedAttempts[0].Time.Sub(
		latestFailedAttempts[r.maxRetries-1].Time)

	if durationBetweenLatestAttempts < r.findTime {
		bannedUntil := latestFailedAttempts[0].Time.Add(r.banTime)
		return bannedUntil, ErrUserIsBanned
	}

	return time.Time{}, nil
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package regulation`

			`import (`
			`"fmt"`
			`"time"`

Rename org from clems4ever to authelia Also fix references from config.yml to configuration.yml 2019-12-24 02:14:52 +00:00			`"github.com/authelia/authelia/internal/configuration/schema"`
			`"github.com/authelia/authelia/internal/models"`
			`"github.com/authelia/authelia/internal/storage"`
			`"github.com/authelia/authelia/internal/utils"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`)`

			`// NewRegulator create a regulator instance.`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`func NewRegulator(configuration schema.RegulationConfiguration, provider storage.Provider, clock utils.Clock) Regulator {`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`regulator := &Regulator{storageProvider: provider}`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`regulator.clock = clock`
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-05 19:35:32 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`if configuration != nil {`
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go 2020-04-05 12:37:21 +00:00			`findTime, err := utils.ParseDurationString(configuration.FindTime)`
			`if err != nil {`
			`panic(err)`
			`}`
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-05 19:35:32 +00:00
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go 2020-04-05 12:37:21 +00:00			`banTime, err := utils.ParseDurationString(configuration.BanTime)`
			`if err != nil {`
			`panic(err)`
			`}`

			`if findTime > banTime {`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`panic(fmt.Errorf("find_time cannot be greater than ban_time"))`
			`}`
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go 2020-04-05 12:37:21 +00:00
[FIX] Disable regulation when max_retries set to 0 (#584) - Only set regulator to enabled if max_retries is not set to 0, default is false (zero value). - Added test for the scenario. - Fixes #584 2020-01-26 21:42:05 +00:00			`// Set regulator enabled only if MaxRetries is not 0.`
			`regulator.enabled = configuration.MaxRetries > 0`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`regulator.maxRetries = configuration.MaxRetries`
[MISC] Update durations to notation format and housekeeping (#824) * added regulation validator * made regulations find_time and ban_time values duration notation strings * added DefaultRegulationConfiguration for the validator * made session expiration and inactivity values duration notation strings * TOTP period does not need to be converted because adjustment should be discouraged * moved TOTP defaults to DefaultTOTPConfiguration and removed the consts * arranged the root config validator in configuration file order * adjusted tests for the changes * moved duration notation docs to root of configuration * added references to duration notation where applicable * project wide gofmt and goimports: * run gofmt * run goimports -local github.com/authelia/authelia -w on all files * Make jwt_secret error uniform and add tests * now at 100% coverage for internal/configuration/validator/configuration.go 2020-04-05 12:37:21 +00:00			`regulator.findTime = findTime`
			`regulator.banTime = banTime`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-05 19:35:32 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`return regulator`
			`}`

			`// Mark mark an authentication attempt.`
[CI] Add godot linter (#958) * [CI] Add godot linter * Implement godot recommendations 2020-05-02 05:06:39 +00:00			`// We split Mark and Regulate in order to avoid timing attacks.`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`func (r *Regulator) Mark(username string, successful bool) error {`
			`return r.storageProvider.AppendAuthenticationLog(models.AuthenticationAttempt{`
			`Username: username,`
			`Successful: successful,`
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`Time: r.clock.Now(),`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`})`
			`}`

			`// Regulate regulate the authentication attempts for a given user.`
			`// This method returns ErrUserIsBanned if the user is banned along with the time until when`
			`// the user is banned.`
			`func (r *Regulator) Regulate(username string) (time.Time, error) {`
			`// If there is regulation configuration, no regulation applies.`
			`if !r.enabled {`
			`return time.Time{}, nil`
			`}`
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-05 19:35:32 +00:00
Rewrite and fix remaining suites in Go. 2019-11-24 20:27:59 +00:00			`now := r.clock.Now()`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
			`// TODO(c.michaud): make sure FindTime < BanTime.`
			`attempts, err := r.storageProvider.LoadLatestAuthenticationLogs(username, now.Add(-r.banTime))`

			`if err != nil {`
			`return time.Time{}, nil`
			`}`

			`latestFailedAttempts := make([]models.AuthenticationAttempt, 0, r.maxRetries)`
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-05 19:35:32 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`for _, attempt := range attempts {`
			`if attempt.Successful \|\| len(latestFailedAttempts) >= r.maxRetries {`
			`// We stop appending failed attempts once we find the first successful attempts or we reach`
			`// the configured number of retries, meaning the user is already banned.`
			`break`
			`} else {`
			`latestFailedAttempts = append(latestFailedAttempts, attempt)`
			`}`
			`}`

			`// If the number of failed attempts within the ban time is less than the max number of retries`
			`// then the user is not banned.`
			`if len(latestFailedAttempts) < r.maxRetries {`
			`return time.Time{}, nil`
			`}`

			`// Now we compute the time between the latest attempt and the MaxRetry-th one. If it's`
			`// within the FindTime then it means that the user has been banned.`
			`durationBetweenLatestAttempts := latestFailedAttempts[0].Time.Sub(`
			`latestFailedAttempts[r.maxRetries-1].Time)`

			`if durationBetweenLatestAttempts < r.findTime {`
			`bannedUntil := latestFailedAttempts[0].Time.Add(r.banTime)`
			`return bannedUntil, ErrUserIsBanned`
			`}`
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-05 19:35:32 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`return time.Time{}, nil`
			`}`