Merge branch '43525-limit-number-of-failed-logins-using-ldap' into 'master'

Resolve "Limit number of failed logins using LDAP for authentication" Closes #43525 See merge request gitlab-org/gitlab-ce!17886

Merge branch '43525-limit-number-of-failed-logins-using-ldap' into 'master'
Resolve "Limit number of failed logins using LDAP for authentication" Closes #43525 See merge request gitlab-org/gitlab-ce!17886
f8401d5c · Douwe Maan · 32614419 · 161a05b9 · f8401d5c · f8401d5c
Commit f8401d5c authored Mar 23, 2018 by Douwe Maan
3 changed files
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -18,6 +18,18 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
    end
  end

+  # Extend the standard implementation to also increment
+  # the number of failed sign in attempts
+  def failure
+    if params[:username].present? && AuthHelper.form_based_provider?(failed_strategy.name)
+      user = User.by_login(params[:username])
+
+      user&.increment_failed_attempts!
+    end
+
+    super
+  end
+
  # Extend the standard message generation to accept our custom exception
  def failure_message
    exception = env["omniauth.error"]

--- a/changelogs/unreleased/43525-limit-number-of-failed-logins-using-ldap.yml
+++ b/changelogs/unreleased/43525-limit-number-of-failed-logins-using-ldap.yml
+---
+title: Limit the number of failed logins when using LDAP for authentication
+merge_request: 43525
+author:
+type: added
--- a/spec/controllers/omniauth_callbacks_controller_spec.rb
+++ b/spec/controllers/omniauth_callbacks_controller_spec.rb
@@ -10,6 +10,41 @@ describe OmniauthCallbacksController do
    stub_omniauth_provider(provider, context: request)
  end

+  context 'when the user is on the last sign in attempt' do
+    let(:extern_uid) { 'my-uid' }
+
+    before do
+      user.update(failed_attempts: User.maximum_attempts.pred)
+      subject.response = ActionDispatch::Response.new
+    end
+
+    context 'when using a form based provider' do
+      let(:provider) { :ldap }
+
+      it 'locks the user when sign in fails' do
+        allow(subject).to receive(:params).and_return(ActionController::Parameters.new(username: user.username))
+        request.env['omniauth.error.strategy'] = OmniAuth::Strategies::LDAP.new(nil)
+
+        subject.send(:failure)
+
+        expect(user.reload).to be_access_locked
+      end
+    end
+
+    context 'when using a button based provider' do
+      let(:provider) { :github }
+
+      it 'does not lock the user when sign in fails' do
+        request.env['omniauth.error.strategy'] = OmniAuth::Strategies::GitHub.new(nil)
+
+        subject.send(:failure)
+
+        expect(user.reload).not_to be_access_locked
+      end
+    end
+  end
+
+  context 'strategies' do
    context 'github' do
      let(:extern_uid) { 'my-uid' }
      let(:provider) { :github }
@@ -89,4 +124,5 @@ describe OmniauthCallbacksController do
        expect(controller).to set_flash[:alert].to('Wrong extern UID provided. Make sure Auth0 is configured correctly.')
      end
    end
+  end
 end