def check_password(self, userid, password):
# The very first thing we want to do is check to see if we've hit our
# global rate limit or not, assuming that we've been configured with a
# global rate limiter anyways.
if not self.ratelimiters["global"].test():
logger.warning("Global failed login threshold reached.")
raise TooManyFailedLogins(resets_in=self.ratelimiters["global"].resets_in())
user = self.get_user(userid)
if user is not None:
# Now, check to make sure that we haven't hitten a rate limit on a
# per user basis.
if not self.ratelimiters["user"].test(user.id):
raise TooManyFailedLogins(
resets_in=self.ratelimiters["user"].resets_in(user.id)
)
# Check LDAP for valid credentials
try:
res = self.ldap.simple_bind_s(
"uid={},{}".format(user.username, LDAP_BASE_DN),
password
)
return res[0] == 97
except ldap.LDAPError:
return False
# If we've gotten here, then we'll want to record a failed login in our
# rate limiting before returning False to indicate a failed password
# verification.
if user is not None:
self.ratelimiters["user"].hit(user.id)
self.ratelimiters["global"].hit()
return False
def check_recovery_code(self, user_id, code):
self._metrics.increment("warehouse.authentication.recovery_code.start")
# The very first thing we want to do is check to see if we've hit our
# global rate limit or not, assuming that we've been configured with a
# global rate limiter anyways.
if not self.ratelimiters["global"].test():
logger.warning("Global failed login threshold reached.")
self._metrics.increment(
"warehouse.authentication.recovery_code.ratelimited",
tags=["ratelimiter:global"],
)
raise TooManyFailedLogins(resets_in=self.ratelimiters["global"].resets_in())
# Now, check to make sure that we haven't hitten a rate limit on a
# per user basis.
if not self.ratelimiters["user"].test(user_id):
self._metrics.increment(
"warehouse.authentication.recovery_code.ratelimited",
tags=["ratelimiter:user"],
)
raise TooManyFailedLogins(
resets_in=self.ratelimiters["user"].resets_in(user_id)
)
user = self.get_user(user_id)
if not user.has_recovery_codes:
self._metrics.increment(
"warehouse.authentication.recovery_code.failure",
tags=["failure_reason:no_recovery_codes"],
)
# If we've gotten here, then we'll want to record a failed attempt in our
# rate limiting before returning False to indicate a failed recovery code
# verification.
self.ratelimiters["user"].hit(user_id)
self.ratelimiters["global"].hit()
return False
valid = False
for stored_recovery_code in self.get_recovery_codes(user.id):
if self.hasher.verify(code, stored_recovery_code.code):
self.db.delete(stored_recovery_code)
self.db.flush()
valid = True
if valid:
self._metrics.increment("warehouse.authentication.recovery_code.ok")
else:
self._metrics.increment(
"warehouse.authentication.recovery_code.failure",
tags=["failure_reason:invalid_recovery_code"],
)
# If we've gotten here, then we'll want to record a failed attempt in our
# rate limiting before returning False to indicate a failed recovery code
# verification.
self.ratelimiters["user"].hit(user_id)
self.ratelimiters["global"].hit()
return valid
def check_totp_value(self, user_id, totp_value, *, tags=None):
"""
Returns True if the given TOTP is valid against the user's secret.
If the user doesn't have a TOTP secret or isn't allowed
to use second factor methods, returns False.
"""
tags = tags if tags is not None else []
self._metrics.increment("warehouse.authentication.two_factor.start",
tags=tags)
# The very first thing we want to do is check to see if we've hit our
# global rate limit or not, assuming that we've been configured with a
# global rate limiter anyways.
if not self.ratelimiters["global"].test():
logger.warning("Global failed login threshold reached.")
self._metrics.increment(
"warehouse.authentication.two_factor.ratelimited",
tags=tags + ["ratelimiter:global"],
)
raise TooManyFailedLogins(
resets_in=self.ratelimiters["global"].resets_in())
# Now, check to make sure that we haven't hitten a rate limit on a
# per user basis.
if not self.ratelimiters["user"].test(user_id):
self._metrics.increment(
"warehouse.authentication.two_factor.ratelimited",
tags=tags + ["ratelimiter:user"],
)
raise TooManyFailedLogins(
resets_in=self.ratelimiters["user"].resets_in(user_id))
totp_secret = self.get_totp_secret(user_id)
if totp_secret is None:
self._metrics.increment(
"warehouse.authentication.two_factor.failure",
tags=tags + ["failure_reason:no_totp"],
)
return False
valid = otp.verify_totp(totp_secret, totp_value)
if valid:
self._metrics.increment("warehouse.authentication.two_factor.ok",
tags=tags)
else:
self._metrics.increment(
"warehouse.authentication.two_factor.failure",
tags=tags + ["failure_reason:invalid_totp"],
)
return valid
def test_validate_password_too_many_failed(self):
request = pretend.stub(remote_addr="1.2.3.4")
user_service = pretend.stub(
find_userid=pretend.call_recorder(lambda userid: 1),
check_password=pretend.call_recorder(
pretend.raiser(TooManyFailedLogins(resets_in=None))),
is_disabled=pretend.call_recorder(lambda userid: (False, None)),
)
breach_service = pretend.stub()
form = forms.LoginForm(
data={"username": "******"},
request=request,
user_service=user_service,
breach_service=breach_service,
)
field = pretend.stub(data="pw")
with pytest.raises(wtforms.validators.ValidationError):
form.validate_password(field)
assert user_service.find_userid.calls == [
pretend.call("my_username"),
pretend.call("my_username"),
]
assert user_service.is_disabled.calls == [pretend.call(1)]
assert user_service.check_password.calls == [
pretend.call(1, "pw", tags=None)
]
def check_password(self, userid, password):
# The very first thing we want to do is check to see if we've hit our
# global rate limit or not, assuming that we've been configured with a
# global rate limiter anyways.
if not self.ratelimiters["global"].test():
logger.warning("Global failed login threshold reached.")
raise TooManyFailedLogins(
resets_in=self.ratelimiters["global"].resets_in(),
)
user = self.get_user(userid)
if user is not None:
# Now, check to make sure that we haven't hitten a rate limit on a
# per user basis.
if not self.ratelimiters["user"].test(user.id):
raise TooManyFailedLogins(
resets_in=self.ratelimiters["user"].resets_in(user.id),
)
# Actually check our hash, optionally getting a new hash for it if
# we should upgrade our saved hashed.
ok, new_hash = self.hasher.verify_and_update(
password,
user.password,
)
# First, check to see if the password that we were given was OK.
if ok:
# Then, if the password was OK check to see if we've been given
# a new password hash from the hasher, if so we'll want to save
# that hash.
if new_hash:
user.password = new_hash
return True
# If we've gotten here, then we'll want to record a failed login in our
# rate limiting before returning False to indicate a failed password
# verification.
if user is not None:
self.ratelimiters["user"].hit(user.id)
self.ratelimiters["global"].hit()
return False
class TestFailedLoginView:
exc = TooManyFailedLogins(resets_in=datetime.timedelta(seconds=600))
request = pretend.stub()
resp = views.failed_logins(exc, request)
assert resp.status == "429 Too Many Failed Login Attempts"
assert resp.detail == (
"There have been too many unsuccessful login attempts. "
"Try again later.")
assert dict(resp.headers).get("Retry-After") == "600"
def _check_ratelimits(self, userid=None, tags=None):
tags = tags if tags is not None else []
# First we want to check if a single IP is exceeding our rate limiter.
if self.remote_addr is not None:
if not self.ratelimiters["ip.login"].test(self.remote_addr):
logger.warning("IP failed login threshold reached.")
self._metrics.increment(
"warehouse.authentication.ratelimited",
tags=tags + ["ratelimiter:ip"],
)
raise TooManyFailedLogins(
resets_in=self.ratelimiters["ip.login"].resets_in(self.remote_addr)
)
# Next check to see if we've hit our global rate limit or not,
# assuming that we've been configured with a global rate limiter anyways.
if not self.ratelimiters["global.login"].test():
logger.warning("Global failed login threshold reached.")
self._metrics.increment(
"warehouse.authentication.ratelimited",
tags=tags + ["ratelimiter:global"],
)
raise TooManyFailedLogins(
resets_in=self.ratelimiters["global.login"].resets_in()
)
# Now, check to make sure that we haven't hitten a rate limit on a
# per user basis.
if userid is not None:
if not self.ratelimiters["user.login"].test(userid):
self._metrics.increment(
"warehouse.authentication.ratelimited",
tags=tags + ["ratelimiter:user"],
)
raise TooManyFailedLogins(
resets_in=self.ratelimiters["user.login"].resets_in(userid)
)
def check_password(userid, password, tags=None):
raise TooManyFailedLogins(resets_in=None)
def check_password(self, userid, password, *, tags=None):
tags = tags if tags is not None else []
self._metrics.increment("warehouse.authentication.start", tags=tags)
# The very first thing we want to do is check to see if we've hit our
# global rate limit or not, assuming that we've been configured with a
# global rate limiter anyways.
if not self.ratelimiters["global.login"].test():
logger.warning("Global failed login threshold reached.")
self._metrics.increment(
"warehouse.authentication.ratelimited",
tags=tags + ["ratelimiter:global"],
)
raise TooManyFailedLogins(
resets_in=self.ratelimiters["global.login"].resets_in())
user = self.get_user(userid)
if user is not None:
# Now, check to make sure that we haven't hitten a rate limit on a
# per user basis.
if not self.ratelimiters["user.login"].test(user.id):
self._metrics.increment(
"warehouse.authentication.ratelimited",
tags=tags + ["ratelimiter:user"],
)
raise TooManyFailedLogins(
resets_in=self.ratelimiters["user.login"].resets_in(
user.id))
# Actually check our hash, optionally getting a new hash for it if
# we should upgrade our saved hashed.
ok, new_hash = self.hasher.verify_and_update(
password, user.password)
# First, check to see if the password that we were given was OK.
if ok:
# Then, if the password was OK check to see if we've been given
# a new password hash from the hasher, if so we'll want to save
# that hash.
if new_hash:
user.password = new_hash
self._metrics.increment("warehouse.authentication.ok",
tags=tags)
return True
else:
self._metrics.increment(
"warehouse.authentication.failure",
tags=tags + ["failure_reason:password"],
)
else:
self._metrics.increment("warehouse.authentication.failure",
tags=tags + ["failure_reason:user"])
# If we've gotten here, then we'll want to record a failed login in our
# rate limiting before returning False to indicate a failed password
# verification.
if user is not None:
self.ratelimiters["user.login"].hit(user.id)
self.ratelimiters["global.login"].hit()
return False
