def _do_login(self) -> None:
"""handle the sent login form"""
if not html.request.var('_login'):
return
try:
if not config.user_login:
raise MKUserError(None,
_('Login is not allowed on this site.'))
username_var = html.request.get_unicode_input('_username', '')
assert username_var is not None
username = UserId(username_var.rstrip())
if not username:
raise MKUserError('_username', _('No username given.'))
password = html.request.var('_password', '')
if not password:
raise MKUserError('_password', _('No password given.'))
default_origtarget = config.url_prefix() + "check_mk/"
origtarget = html.get_url_input("_origtarget", default_origtarget)
# Disallow redirections to:
# - logout.py: Happens after login
# - side.py: Happens when invalid login is detected during sidebar refresh
if "logout.py" in origtarget or 'side.py' in origtarget:
origtarget = default_origtarget
result = userdb.check_credentials(username, password)
if result:
# use the username provided by the successful login function, this function
# might have transformed the username provided by the user. e.g. switched
# from mixed case to lower case.
username = result
session_id = userdb.on_succeeded_login(username)
# The login succeeded! Now:
# a) Set the auth cookie
# b) Unset the login vars in further processing
# c) Redirect to really requested page
_create_auth_session(username, session_id)
# Never use inplace redirect handling anymore as used in the past. This results
# in some unexpected situations. We simpy use 302 redirects now. So we have a
# clear situation.
# userdb.need_to_change_pw returns either False or the reason description why the
# password needs to be changed
change_pw_result = userdb.need_to_change_pw(username)
if change_pw_result:
raise HTTPRedirect(
'user_change_pw.py?_origtarget=%s&reason=%s' %
(html.urlencode(origtarget), change_pw_result))
raise HTTPRedirect(origtarget)
userdb.on_failed_login(username)
raise MKUserError(None, _('Invalid credentials.'))
except MKUserError as e:
html.add_user_error(e.varname, e)
def test_on_failed_login_count_reset_on_succeeded_login(user_id):
assert config.lock_on_logon_failures is False
assert userdb._load_failed_logins(user_id) == 0
assert userdb._user_locked(user_id) is False
userdb.on_failed_login(user_id)
assert userdb._load_failed_logins(user_id) == 1
assert userdb._user_locked(user_id) is False
userdb.on_succeeded_login(user_id)
assert userdb._load_failed_logins(user_id) == 0
assert userdb._user_locked(user_id) is False
def test_on_failed_login_count_reset_on_succeeded_login(
user_id: UserId) -> None:
now = datetime.now()
assert active_config.lock_on_logon_failures is None
assert userdb._load_failed_logins(user_id) == 0
assert not userdb.user_locked(user_id)
userdb.on_failed_login(user_id, now)
assert userdb._load_failed_logins(user_id) == 1
assert not userdb.user_locked(user_id)
userdb.on_succeeded_login(user_id, now)
assert userdb._load_failed_logins(user_id) == 0
assert not userdb.user_locked(user_id)
def test_on_failed_login_with_locking(user_id: UserId) -> None:
assert config.lock_on_logon_failures == 3
assert userdb._load_failed_logins(user_id) == 0
assert userdb.user_locked(user_id) is False
userdb.on_failed_login(user_id)
assert userdb._load_failed_logins(user_id) == 1
assert userdb.user_locked(user_id) is False
userdb.on_failed_login(user_id)
assert userdb._load_failed_logins(user_id) == 2
assert userdb.user_locked(user_id) is False
userdb.on_failed_login(user_id)
assert userdb._load_failed_logins(user_id) == 3
assert userdb.user_locked(user_id) is True
def test_on_failed_login_no_locking(user_id):
assert config.lock_on_logon_failures is False
assert userdb._load_failed_logins(user_id) == 0
assert userdb._user_locked(user_id) is False
userdb.on_failed_login(user_id)
assert userdb._load_failed_logins(user_id) == 1
assert userdb._user_locked(user_id) is False
userdb.on_failed_login(user_id)
assert userdb._load_failed_logins(user_id) == 2
assert userdb._user_locked(user_id) is False
userdb.on_failed_login(user_id)
assert userdb._load_failed_logins(user_id) == 3
assert userdb._user_locked(user_id) is False
def test_on_failed_login_with_locking(monkeypatch: MonkeyPatch,
user_id: UserId) -> None:
now = datetime.now()
monkeypatch.setattr(active_config, "lock_on_logon_failures", 3)
assert active_config.lock_on_logon_failures == 3
assert userdb._load_failed_logins(user_id) == 0
assert not userdb.user_locked(user_id)
userdb.on_failed_login(user_id, now)
assert userdb._load_failed_logins(user_id) == 1
assert not userdb.user_locked(user_id)
userdb.on_failed_login(user_id, now)
assert userdb._load_failed_logins(user_id) == 2
assert not userdb.user_locked(user_id)
userdb.on_failed_login(user_id, now)
assert userdb._load_failed_logins(user_id) == 3
assert userdb.user_locked(user_id)
def do_login():
# handle the sent login form
if html.request.var('_login'):
try:
username = html.get_unicode_input('_username', '').rstrip()
if username == '':
raise MKUserError('_username', _('No username given.'))
password = html.request.var('_password', '')
if password == '':
raise MKUserError('_password', _('No password given.'))
default_origtarget = config.url_prefix() + "check_mk/"
origtarget = html.get_url_input("_origtarget", default_origtarget)
# Disallow redirections to:
# - logout.py: Happens after login
# - side.py: Happens when invalid login is detected during sidebar refresh
if "logout.py" in origtarget or 'side.py' in origtarget:
origtarget = default_origtarget
# None -> User unknown, means continue with other connectors
# '<user_id>' -> success
# False -> failed
result = userdb.hook_login(username, password)
if result:
# use the username provided by the successful login function, this function
# might have transformed the username provided by the user. e.g. switched
# from mixed case to lower case.
username = result
# When single user session mode is enabled, check that there is not another
# active session
userdb.ensure_user_can_init_session(username)
# reset failed login counts
userdb.on_succeeded_login(username)
# The login succeeded! Now:
# a) Set the auth cookie
# b) Unset the login vars in further processing
# c) Redirect to really requested page
create_auth_session(username)
# Never use inplace redirect handling anymore as used in the past. This results
# in some unexpected situations. We simpy use 302 redirects now. So we have a
# clear situation.
# userdb.need_to_change_pw returns either False or the reason description why the
# password needs to be changed
result = userdb.need_to_change_pw(username)
if result:
raise HTTPRedirect('user_change_pw.py?_origtarget=%s&reason=%s' %
(html.urlencode(origtarget), result))
else:
raise HTTPRedirect(origtarget)
else:
userdb.on_failed_login(username)
raise MKUserError(None, _('Invalid credentials.'))
except MKUserError as e:
html.add_user_error(e.varname, e)
return "%s" % e
def _do_login(self) -> None:
"""handle the sent login form"""
if not request.var("_login"):
return
try:
if not active_config.user_login:
raise MKUserError(None,
_("Login is not allowed on this site."))
username_var = request.get_str_input("_username", "")
assert username_var is not None
username = UserId(username_var.rstrip())
if not username:
raise MKUserError("_username", _("Missing username"))
password = request.var("_password", "")
if not password:
raise MKUserError("_password", _("Missing password"))
default_origtarget = url_prefix() + "check_mk/"
origtarget = request.get_url_input("_origtarget",
default_origtarget)
# Disallow redirections to:
# - logout.py: Happens after login
# - side.py: Happens when invalid login is detected during sidebar refresh
if "logout.py" in origtarget or "side.py" in origtarget:
origtarget = default_origtarget
result = userdb.check_credentials(username, password)
if result:
# use the username provided by the successful login function, this function
# might have transformed the username provided by the user. e.g. switched
# from mixed case to lower case.
username = result
session_id = userdb.on_succeeded_login(username)
# The login succeeded! Now:
# a) Set the auth cookie
# b) Unset the login vars in further processing
# c) Redirect to really requested page
_create_auth_session(username, session_id)
# Never use inplace redirect handling anymore as used in the past. This results
# in some unexpected situations. We simpy use 302 redirects now. So we have a
# clear situation.
# userdb.need_to_change_pw returns either False or the reason description why the
# password needs to be changed
change_pw_result = userdb.need_to_change_pw(username)
if change_pw_result:
raise HTTPRedirect(
"user_change_pw.py?_origtarget=%s&reason=%s" %
(urlencode(origtarget), change_pw_result))
if userdb.is_two_factor_login_enabled(username):
raise HTTPRedirect(
"user_login_two_factor.py?_origtarget=%s" %
urlencode(makeuri(request, [])))
raise HTTPRedirect(origtarget)
userdb.on_failed_login(username)
raise MKUserError(None, _("Invalid login"))
except MKUserError as e:
user_errors.add(e)