authelia/internal/regulation/regulator.go

package regulation

import (
	"context"
	"strings"
	"time"

	"github.com/authelia/authelia/v4/internal/configuration/schema"
	"github.com/authelia/authelia/v4/internal/model"
	"github.com/authelia/authelia/v4/internal/storage"
	"github.com/authelia/authelia/v4/internal/utils"
)

// NewRegulator create a regulator instance.
func NewRegulator(config schema.RegulationConfiguration, store storage.RegulatorProvider, clock utils.Clock) *Regulator {
	return &Regulator{
		enabled: config.MaxRetries > 0,
		store:   store,
		clock:   clock,
		config:  config,
	}
}

// Mark an authentication attempt.
// We split Mark and Regulate in order to avoid timing attacks.
func (r *Regulator) Mark(ctx Context, successful, banned bool, username, requestURI, requestMethod, authType string) error {
	ctx.RecordAuthn(successful, banned, strings.ToLower(authType))

	return r.store.AppendAuthenticationLog(ctx, model.AuthenticationAttempt{
		Time:          r.clock.Now(),
		Successful:    successful,
		Banned:        banned,
		Username:      username,
		Type:          authType,
		RemoteIP:      model.NewNullIP(ctx.RemoteIP()),
		RequestURI:    requestURI,
		RequestMethod: requestMethod,
	})
}

// Regulate the authentication attempts for a given user.
// This method returns ErrUserIsBanned if the user is banned along with the time until when the user is banned.
func (r *Regulator) Regulate(ctx context.Context, username string, remoteIp string) (time.Time, error) {
	// If there is regulation configuration, no regulation applies.
	if !r.enabled {
		return time.Time{}, nil
	}

	attempts, err := r.store.LoadAuthenticationLogs(ctx, username, remoteIp, r.clock.Now().Add(-r.config.BanTime), 10, 0)
	if err != nil {
		return time.Time{}, nil
	}

	latestFailedAttempts := make([]model.AuthenticationAttempt, 0, r.config.MaxRetries)

	for _, attempt := range attempts {
		if attempt.Successful || len(latestFailedAttempts) >= r.config.MaxRetries {
			// We stop appending failed attempts once we find the first successful attempts or we reach
			// the configured number of retries, meaning the user is already banned.
			break
		} else {
			latestFailedAttempts = append(latestFailedAttempts, attempt)
		}
	}

	// If the number of failed attempts within the ban time is less than the max number of retries
	// then the user is not banned.
	if len(latestFailedAttempts) < r.config.MaxRetries {
		return time.Time{}, nil
	}

	// Now we compute the time between the latest attempt and the MaxRetry-th one. If it's
	// within the FindTime then it means that the user has been banned.
	durationBetweenLatestAttempts := latestFailedAttempts[0].Time.Sub(
		latestFailedAttempts[r.config.MaxRetries-1].Time)

	if durationBetweenLatestAttempts < r.config.FindTime {
		bannedUntil := latestFailedAttempts[0].Time.Add(r.config.BanTime)
		return bannedUntil, ErrUserIsBanned
	}

	return time.Time{}, nil
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package regulation`

			`import (`
feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`"context"`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`"strings"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`"time"`

fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/configuration/schema"`
refactor(model): rename from models (#2968) 2022-03-06 05:47:40 +00:00			`"github.com/authelia/authelia/v4/internal/model"`
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/storage"`
			`"github.com/authelia/authelia/v4/internal/utils"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`)`

			`// NewRegulator create a regulator instance.`
test: add misc missing tests (#5479) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-24 12:33:05 +00:00			`func NewRegulator(config schema.RegulationConfiguration, store storage.RegulatorProvider, clock utils.Clock) *Regulator {`
refactor(configuration): utilize time duration decode hook (#2938) This enhances the existing time.Duration parser to allow multiple units, and implements a decode hook which can be used by koanf to decode string/integers into time.Durations as applicable. 2022-03-02 06:40:26 +00:00			`return &Regulator{`
test: add misc missing tests (#5479) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-24 12:33:05 +00:00			`enabled: config.MaxRetries > 0,`
			`store: store,`
			`clock: clock,`
			`config: config,`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`
			`}`

feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`// Mark an authentication attempt.`
[CI] Add godot linter (#958) * [CI] Add godot linter * Implement godot recommendations 2020-05-02 05:06:39 +00:00			`// We split Mark and Regulate in order to avoid timing attacks.`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`func (r *Regulator) Mark(ctx Context, successful, banned bool, username, requestURI, requestMethod, authType string) error {`
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-25 09:36:40 +00:00			`ctx.RecordAuthn(successful, banned, strings.ToLower(authType))`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00
test: add misc missing tests (#5479) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-24 12:33:05 +00:00			`return r.store.AppendAuthenticationLog(ctx, model.AuthenticationAttempt{`
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293. 2021-11-29 03:09:14 +00:00			`Time: r.clock.Now(),`
			`Successful: successful,`
			`Banned: banned,`
			`Username: username,`
			`Type: authType,`
feat(metrics): implement prometheus metrics (#3234) Adds ability to record metrics and gather them for Prometheus. 2022-06-14 07:20:13 +00:00			`RemoteIP: model.NewNullIP(ctx.RemoteIP()),`
feat(regulator): enhance authentication logs (#2622) This adds additional logging to the authentication logs such as type, remote IP, request method, redirect URL, and if the attempt was done during a ban. This also means we log attempts that occur when the attempt was blocked by the regulator for record keeping purposes, as well as record 2FA attempts which can be used to inform admins and later to regulate based on other factors. Fixes #116, Fixes #1293. 2021-11-29 03:09:14 +00:00			`RequestURI: requestURI,`
			`RequestMethod: requestMethod,`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`})`
			`}`

feat(storage): primary key for all tables and general qol refactoring (#2431) This is a massive overhaul to the SQL Storage for Authelia. It facilitates a whole heap of utility commands to help manage the database, primary keys, ensures all database requests use a context for cancellations, and paves the way for a few other PR's which improve the database. Fixes #1337 2021-11-23 09:45:38 +00:00			`// Regulate the authentication attempts for a given user.`
			`// This method returns ErrUserIsBanned if the user is banned along with the time until when the user is banned.`
Add option to ban user by ip instead of username 2023-06-23 20:07:23 +00:00			`func (r *Regulator) Regulate(ctx context.Context, username string, remoteIp string) (time.Time, error) {`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`// If there is regulation configuration, no regulation applies.`
			`if !r.enabled {`
			`return time.Time{}, nil`
			`}`
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-05 19:35:32 +00:00
Add option to ban user by ip instead of username 2023-06-23 20:07:23 +00:00			`attempts, err := r.store.LoadAuthenticationLogs(ctx, username, remoteIp, r.clock.Now().Add(-r.config.BanTime), 10, 0)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`if err != nil {`
			`return time.Time{}, nil`
			`}`

refactor(model): rename from models (#2968) 2022-03-06 05:47:40 +00:00			`latestFailedAttempts := make([]model.AuthenticationAttempt, 0, r.config.MaxRetries)`
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-05 19:35:32 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`for _, attempt := range attempts {`
refactor(configuration): utilize time duration decode hook (#2938) This enhances the existing time.Duration parser to allow multiple units, and implements a decode hook which can be used by koanf to decode string/integers into time.Durations as applicable. 2022-03-02 06:40:26 +00:00			`if attempt.Successful \|\| len(latestFailedAttempts) >= r.config.MaxRetries {`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`// We stop appending failed attempts once we find the first successful attempts or we reach`
			`// the configured number of retries, meaning the user is already banned.`
			`break`
			`} else {`
			`latestFailedAttempts = append(latestFailedAttempts, attempt)`
			`}`
			`}`

			`// If the number of failed attempts within the ban time is less than the max number of retries`
			`// then the user is not banned.`
refactor(configuration): utilize time duration decode hook (#2938) This enhances the existing time.Duration parser to allow multiple units, and implements a decode hook which can be used by koanf to decode string/integers into time.Durations as applicable. 2022-03-02 06:40:26 +00:00			`if len(latestFailedAttempts) < r.config.MaxRetries {`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`return time.Time{}, nil`
			`}`

			`// Now we compute the time between the latest attempt and the MaxRetry-th one. If it's`
			`// within the FindTime then it means that the user has been banned.`
			`durationBetweenLatestAttempts := latestFailedAttempts[0].Time.Sub(`
refactor(configuration): utilize time duration decode hook (#2938) This enhances the existing time.Duration parser to allow multiple units, and implements a decode hook which can be used by koanf to decode string/integers into time.Durations as applicable. 2022-03-02 06:40:26 +00:00			`latestFailedAttempts[r.config.MaxRetries-1].Time)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
refactor(configuration): utilize time duration decode hook (#2938) This enhances the existing time.Duration parser to allow multiple units, and implements a decode hook which can be used by koanf to decode string/integers into time.Durations as applicable. 2022-03-02 06:40:26 +00:00			`if durationBetweenLatestAttempts < r.config.FindTime {`
			`bannedUntil := latestFailedAttempts[0].Time.Add(r.config.BanTime)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`return bannedUntil, ErrUserIsBanned`
			`}`
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-05 19:35:32 +00:00
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`return time.Time{}, nil`
			`}`