Commit f8401d5c authored by Douwe Maan's avatar Douwe Maan

Merge branch '43525-limit-number-of-failed-logins-using-ldap' into 'master'

Resolve "Limit number of failed logins using LDAP for authentication"

Closes #43525

See merge request gitlab-org/gitlab-ce!17886
parents 32614419 161a05b9
...@@ -18,6 +18,18 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController ...@@ -18,6 +18,18 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
end end
end end
# Extend the standard implementation to also increment
# the number of failed sign in attempts
def failure
if params[:username].present? && AuthHelper.form_based_provider?(failed_strategy.name)
user = User.by_login(params[:username])
user&.increment_failed_attempts!
end
super
end
# Extend the standard message generation to accept our custom exception # Extend the standard message generation to accept our custom exception
def failure_message def failure_message
exception = env["omniauth.error"] exception = env["omniauth.error"]
......
---
title: Limit the number of failed logins when using LDAP for authentication
merge_request: 43525
author:
type: added
...@@ -10,6 +10,41 @@ describe OmniauthCallbacksController do ...@@ -10,6 +10,41 @@ describe OmniauthCallbacksController do
stub_omniauth_provider(provider, context: request) stub_omniauth_provider(provider, context: request)
end end
context 'when the user is on the last sign in attempt' do
let(:extern_uid) { 'my-uid' }
before do
user.update(failed_attempts: User.maximum_attempts.pred)
subject.response = ActionDispatch::Response.new
end
context 'when using a form based provider' do
let(:provider) { :ldap }
it 'locks the user when sign in fails' do
allow(subject).to receive(:params).and_return(ActionController::Parameters.new(username: user.username))
request.env['omniauth.error.strategy'] = OmniAuth::Strategies::LDAP.new(nil)
subject.send(:failure)
expect(user.reload).to be_access_locked
end
end
context 'when using a button based provider' do
let(:provider) { :github }
it 'does not lock the user when sign in fails' do
request.env['omniauth.error.strategy'] = OmniAuth::Strategies::GitHub.new(nil)
subject.send(:failure)
expect(user.reload).not_to be_access_locked
end
end
end
context 'strategies' do
context 'github' do context 'github' do
let(:extern_uid) { 'my-uid' } let(:extern_uid) { 'my-uid' }
let(:provider) { :github } let(:provider) { :github }
...@@ -89,4 +124,5 @@ describe OmniauthCallbacksController do ...@@ -89,4 +124,5 @@ describe OmniauthCallbacksController do
expect(controller).to set_flash[:alert].to('Wrong extern UID provided. Make sure Auth0 is configured correctly.') expect(controller).to set_flash[:alert].to('Wrong extern UID provided. Make sure Auth0 is configured correctly.')
end end
end end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment