def _do_login(self) -> None:
    """Process a submitted login form.

    Does nothing unless the ``_login`` request variable is present. Any
    ``MKUserError`` raised while validating the form or checking the
    credentials is recorded via ``html.add_user_error`` rather than
    propagated. A successful login never returns normally: it ends by
    raising ``HTTPRedirect`` to the requested page (or to the
    password-change page when a change is required).
    """
    if not html.request.var('_login'):
        return

    try:
        if not config.user_login:
            raise MKUserError(None, _('Login is not allowed on this site.'))

        raw_username = html.request.get_unicode_input('_username', '')
        assert raw_username is not None
        username = UserId(raw_username.rstrip())
        if not username:
            raise MKUserError('_username', _('No username given.'))

        password = html.request.var('_password', '')
        if not password:
            raise MKUserError('_password', _('No password given.'))

        fallback_target = config.url_prefix() + "check_mk/"
        origtarget = html.get_url_input("_origtarget", fallback_target)
        # `_origtarget` is request-controlled; html.get_url_input (outside this
        # block) is relied on for validating it as a usable redirect target.
        # Here only two local pages are excluded, since landing on them right
        # after a login makes no sense:
        # - logout.py: would log the user straight out again
        # - side.py: the sidebar refresh that detected the invalid login
        if any(blocked in origtarget for blocked in ("logout.py", 'side.py')):
            origtarget = fallback_target

        verified_user = userdb.check_credentials(username, password)
        if not verified_user:
            # The failure is counted against the name as entered, and the same
            # generic message is shown whatever the reason for the rejection.
            userdb.on_failed_login(username)
            raise MKUserError(None, _('Invalid credentials.'))

        # The credential check may have normalised the name (e.g. case
        # folding); from here on the returned value is the canonical one.
        username = verified_user
        session_id = userdb.on_succeeded_login(username)
        _create_auth_session(username, session_id)

        # Plain 302 redirects only, no in-place redirect handling. A pending
        # password change takes precedence over the requested target;
        # need_to_change_pw yields False or the reason for the change.
        pw_change_reason = userdb.need_to_change_pw(username)
        if pw_change_reason:
            raise HTTPRedirect(
                'user_change_pw.py?_origtarget=%s&reason=%s'
                % (html.urlencode(origtarget), pw_change_reason))
        raise HTTPRedirect(origtarget)

    except MKUserError as err:
        html.add_user_error(err.varname, err)
def test_on_failed_login_count_reset_on_succeeded_login(user_id):
    """A successful login must reset the failed-login counter to zero.

    Runs with locking disabled (``lock_on_logon_failures is False``), so the
    user is never expected to become locked along the way.
    """
    def assert_failures(expected):
        assert userdb._load_failed_logins(user_id) == expected
        assert userdb._user_locked(user_id) is False

    assert config.lock_on_logon_failures is False
    assert_failures(0)

    userdb.on_failed_login(user_id)
    assert_failures(1)

    userdb.on_succeeded_login(user_id)
    assert_failures(0)
def test_on_failed_login_count_reset_on_succeeded_login(
        user_id: UserId) -> None:
    """A successful login must reset the failed-login counter to zero.

    Runs with locking disabled (``lock_on_logon_failures is None``), so the
    user is never expected to become locked along the way. Both userdb
    calls receive the same timestamp.
    """
    now = datetime.now()

    def assert_failures(expected: int) -> None:
        assert userdb._load_failed_logins(user_id) == expected
        assert not userdb.user_locked(user_id)

    assert active_config.lock_on_logon_failures is None
    assert_failures(0)

    userdb.on_failed_login(user_id, now)
    assert_failures(1)

    userdb.on_succeeded_login(user_id, now)
    assert_failures(0)
def test_on_failed_login_with_locking(user_id: UserId) -> None:
    """With a threshold of 3, the third failed login locks the user.

    The threshold is expected to be provided by the test configuration; the
    user starts unlocked with a zero counter.
    """
    assert config.lock_on_logon_failures == 3
    assert userdb._load_failed_logins(user_id) == 0
    assert userdb.user_locked(user_id) is False

    for failures, expect_locked in ((1, False), (2, False), (3, True)):
        userdb.on_failed_login(user_id)
        assert userdb._load_failed_logins(user_id) == failures
        assert userdb.user_locked(user_id) is expect_locked
def test_on_failed_login_no_locking(user_id):
    """With locking disabled, repeated failures are counted but never lock.

    Three failed logins are recorded and the counter is checked after each;
    the lock flag must stay False throughout.
    """
    assert config.lock_on_logon_failures is False
    assert userdb._load_failed_logins(user_id) == 0
    assert userdb._user_locked(user_id) is False

    for failures in range(1, 4):
        userdb.on_failed_login(user_id)
        assert userdb._load_failed_logins(user_id) == failures
        assert userdb._user_locked(user_id) is False
def test_on_failed_login_with_locking(monkeypatch: MonkeyPatch, user_id: UserId) -> None:
    """With a threshold of 3, the third failed login locks the user.

    The threshold is set on ``active_config`` via monkeypatch for this test
    only; all failures share one timestamp.
    """
    now = datetime.now()
    monkeypatch.setattr(active_config, "lock_on_logon_failures", 3)
    assert active_config.lock_on_logon_failures == 3
    assert userdb._load_failed_logins(user_id) == 0
    assert not userdb.user_locked(user_id)

    for failures, expect_locked in ((1, False), (2, False), (3, True)):
        userdb.on_failed_login(user_id, now)
        assert userdb._load_failed_logins(user_id) == failures
        assert bool(userdb.user_locked(user_id)) is expect_locked
def do_login():
    """Process a submitted login form.

    Returns ``None`` when no ``_login`` request variable is present. Any
    ``MKUserError`` raised while handling the form is recorded via
    ``html.add_user_error`` and its string form is returned. A successful
    login never returns normally: it ends by raising ``HTTPRedirect``.
    """
    if not html.request.var('_login'):
        return None

    try:
        username = html.get_unicode_input('_username', '').rstrip()
        if username == '':
            raise MKUserError('_username', _('No username given.'))

        password = html.request.var('_password', '')
        if password == '':
            raise MKUserError('_password', _('No password given.'))

        fallback_target = config.url_prefix() + "check_mk/"
        origtarget = html.get_url_input("_origtarget", fallback_target)
        # `_origtarget` is request-controlled; html.get_url_input (outside this
        # block) is relied on for validating it. Only two local pages are
        # excluded here, since landing on them right after a login makes no
        # sense:
        # - logout.py: would log the user straight out again
        # - side.py: the sidebar refresh that detected the invalid login
        if any(blocked in origtarget for blocked in ("logout.py", 'side.py')):
            origtarget = fallback_target

        # hook_login result, per the original author's note:
        #   None  -> user unknown, continue with other connectors
        #   str   -> success, the (possibly normalised) user id
        #   False -> failed
        # Both None and False take the failure path below.
        login_result = userdb.hook_login(username, password)
        if not login_result:
            # Counted against the name as entered; one generic message for
            # every kind of rejection.
            userdb.on_failed_login(username)
            raise MKUserError(None, _('Invalid credentials.'))

        # Use the name returned by the login hook (it may have been
        # transformed, e.g. lower-cased).
        username = login_result
        # Single user session mode: refuse if another session is active.
        userdb.ensure_user_can_init_session(username)
        # Resets the failed-login counter.
        userdb.on_succeeded_login(username)
        create_auth_session(username)

        # Plain 302 redirects only. need_to_change_pw yields False or the
        # reason why the password must be changed; a pending change takes
        # precedence over the requested target.
        pw_change_reason = userdb.need_to_change_pw(username)
        if pw_change_reason:
            raise HTTPRedirect('user_change_pw.py?_origtarget=%s&reason=%s' %
                               (html.urlencode(origtarget), pw_change_reason))
        raise HTTPRedirect(origtarget)

    except MKUserError as e:
        html.add_user_error(e.varname, e)
        return "%s" % e
def _do_login(self) -> None:
    """Process a submitted login form.

    Does nothing unless the ``_login`` request variable is present. Any
    ``MKUserError`` raised while validating the form or checking the
    credentials is added to ``user_errors`` rather than propagated. A
    successful login never returns normally: it ends by raising
    ``HTTPRedirect`` to the password-change page, the two-factor page or
    the requested target, in that order of precedence.
    """
    if not request.var("_login"):
        return

    try:
        if not active_config.user_login:
            raise MKUserError(None, _("Login is not allowed on this site."))

        raw_username = request.get_str_input("_username", "")
        assert raw_username is not None
        username = UserId(raw_username.rstrip())
        if not username:
            raise MKUserError("_username", _("Missing username"))

        password = request.var("_password", "")
        if not password:
            raise MKUserError("_password", _("Missing password"))

        fallback_target = url_prefix() + "check_mk/"
        origtarget = request.get_url_input("_origtarget", fallback_target)
        # `_origtarget` is request-controlled; request.get_url_input (outside
        # this block) is relied on for validating it as a usable redirect
        # target. Only two local pages are excluded here, since landing on
        # them right after a login makes no sense:
        # - logout.py: would log the user straight out again
        # - side.py: the sidebar refresh that detected the invalid login
        if any(blocked in origtarget for blocked in ("logout.py", "side.py")):
            origtarget = fallback_target

        verified_user = userdb.check_credentials(username, password)
        if not verified_user:
            # Counted against the name as entered; one generic message for
            # every kind of rejection.
            userdb.on_failed_login(username)
            raise MKUserError(None, _("Invalid login"))

        # The credential check may have normalised the name (e.g. case
        # folding); from here on the returned value is the canonical one.
        username = verified_user
        session_id = userdb.on_succeeded_login(username)
        _create_auth_session(username, session_id)

        # Plain 302 redirects only. need_to_change_pw yields False or the
        # reason for the change; a pending change comes first.
        pw_change_reason = userdb.need_to_change_pw(username)
        if pw_change_reason:
            raise HTTPRedirect(
                "user_change_pw.py?_origtarget=%s&reason=%s"
                % (urlencode(origtarget), pw_change_reason))

        # NOTE(review): the auth session already exists at this point; whether
        # it stays restricted until the second factor is completed is decided
        # outside this block — confirm. The two-factor page is handed the
        # current request URI (makeuri), not the filtered origtarget above.
        if userdb.is_two_factor_login_enabled(username):
            raise HTTPRedirect(
                "user_login_two_factor.py?_origtarget=%s" % urlencode(makeuri(request, [])))

        raise HTTPRedirect(origtarget)

    except MKUserError as err:
        user_errors.add(err)