Posted to commits@allura.apache.org by ke...@apache.org on 2017/07/06 15:07:35 UTC

[2/2] allura git commit: [#8155] record failed, successful, and partial multifactor logins to the user audit log

[#8155] record failed, successful, and partial multifactor logins to the user audit log


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/1a1d8cd3
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/1a1d8cd3
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/1a1d8cd3

Branch: refs/heads/master
Commit: 1a1d8cd3357d90e400f9a5f98fa342655bf9e619
Parents: 48bdb32
Author: Dave Brondsema <da...@brondsema.net>
Authored: Tue Jun 27 17:46:20 2017 -0400
Committer: Kenton Taylor <kt...@slashdotmedia.com>
Committed: Thu Jul 6 14:54:06 2017 +0000

----------------------------------------------------------------------
 Allura/allura/controllers/auth.py           |  2 ++
 Allura/allura/lib/plugin.py                 |  9 ++++++-
 Allura/allura/tests/functional/test_auth.py | 32 ++++++++++++++++--------
 3 files changed, 31 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/1a1d8cd3/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 284f750..e3ed706 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -367,9 +367,11 @@ class AuthController(BaseController):
                 h.auditlog_user('Logged in using a multifactor recovery code', user=user)
         except (InvalidToken, InvalidRecoveryCode):
             c.form_errors['code'] = 'Invalid code, please try again.'
+            h.auditlog_user('Multifactor login - invalid code', user=user)
             return self.multifactor(mode=mode, **kwargs)
         except MultifactorRateLimitError:
             c.form_errors['code'] = 'Multifactor rate limit exceeded, slow down and try again later.'
+            h.auditlog_user('Multifactor login - rate limit', user=user)
             return self.multifactor(mode=mode, **kwargs)
         else:
             plugin.AuthenticationProvider.get(request).login(user=user, multifactor_success=True)
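Review bot: The 'Multifactor login - invalid code' entry added in the `except (InvalidToken, InvalidRecoveryCode)` branch does not record which factor was rejected, although `mode` is in scope and the success path at the top of the hunk already distinguishes a recovery-code login from a TOTP one. Recording it lets an investigator tell a TOTP guessing run from an attempt to brute-force recovery codes, e.g. `h.auditlog_user('Multifactor login - invalid code (%s)' % mode, user=user)` — but only if `mode` is constrained to a fixed set of values; if it comes straight from the request, map it to a fixed label first so free text cannot be written into the audit log. The enclosing method starts before the hunk and its `else` branch appears to continue past it.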

http://git-wip-us.apache.org/repos/asf/allura/blob/1a1d8cd3/Allura/allura/lib/plugin.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index a0c20bf..a8008ed 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -164,11 +164,17 @@ class AuthenticationProvider(object):
         raise NotImplementedError('_login')
 
     def login(self, user=None, multifactor_success=False):
+        from allura import model as M
         if user is None:
-            user = self._login()  # raises exception if auth fails
+            try:
+                user = self._login()  # raises exception if auth fails
+            except exc.HTTPUnauthorized:
+                h.auditlog_user('Failed login', user=M.User.by_username(self.request.params['username']))
+                raise
 
         if user.get_pref('multifactor') and not multifactor_success:
             self.session['multifactor-username'] = user.username
+            h.auditlog_user('Multifactor login - password ok, code not entered yet', user=user)
             self.session.save()
             return None
         else:
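Review bot: `self.request.params['username']` in the new `except exc.HTTPUnauthorized` branch raises KeyError when the form is posted without a username field, which turns the 401 into a server error and loses the audit entry; use `self.request.params.get('username')` instead. `M.User.by_username` can also return None when the submitted name matches no account — the usual case in a credential-stuffing run — so confirm that `h.auditlog_user` accepts `user=None`, or skip the call when no user is found and record the attempt elsewhere, otherwise failures against unknown names may raise or vanish. Note as well that only `exc.HTTPUnauthorized` is caught: if a provider's `_login` signals failure with another exception type, no 'Failed login' record is written. `login` continues below the hunk.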
@@ -180,6 +186,7 @@ class AuthenticationProvider(object):
             h.auditlog_user('Password expired', user=user)
         else:
             self.session['username'] = user.username
+            h.auditlog_user('Successful login', user=user)
 
         if 'rememberme' in self.request.params:
             remember_for = int(config.get('auth.remember_for', 365))
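Review bot: The 'Successful login' entry is written before the `rememberme` handling that follows it, so the audit record does not show whether a long-lived remember-me cookie (lifetime from `auth.remember_for`) was issued — the detail an investigator needs to judge how long a compromised login stays usable. One option is to fold the flag into the message: `h.auditlog_user('Successful login' + (' (remember me)' if 'rememberme' in self.request.params else ''), user=user)`. The expired-password branch just above already yields a distinct entry, so the two outcomes stay distinguishable. The enclosing method continues past the hunk.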

http://git-wip-us.apache.org/repos/asf/allura/blob/1a1d8cd3/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index b7b28be..bd8dc9c 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -71,13 +71,19 @@ class TestAuth(TestController):
         r = self.app.get('/auth/verify_addr', params=dict(a=ea.nonce))
         assert json.loads(self.webflash(r))['status'] == 'ok', self.webflash(r)
         r = self.app.get('/auth/logout')
-        r = self.app.post('/auth/do_login', params=dict(
-            username='test-user', password='foo',
-            _session_id=self.app.cookies['_session_id']))
-        r = self.app.post('/auth/do_login', params=dict(
-            username='test-user', password='food',
-            _session_id=self.app.cookies['_session_id']))
-        assert 'Invalid login' in str(r), r.showbrowser()
+
+        with audits('Successful login', user=True):
+            r = self.app.post('/auth/do_login', params=dict(
+                username='test-user', password='foo',
+                _session_id=self.app.cookies['_session_id']))
+            assert_equal(r.headers['Location'], 'http://localhost/')
+
+        with audits('Failed login', user=True):
+            r = self.app.post('/auth/do_login', params=dict(
+                username='test-user', password='food',
+                _session_id=self.app.cookies['_session_id']))
+            assert 'Invalid login' in str(r), r.showbrowser()
+
         r = self.app.post('/auth/do_login', params=dict(
             username='test-usera', password='foo',
             _session_id=self.app.cookies['_session_id']))
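Review bot: The new `audits('Failed login', ...)` case only covers a wrong password for an existing account; there is no case for a username that matches no account, nor for a POST with the username field omitted, which are exactly the paths where `M.User.by_username(...)` returns None and `self.request.params['username']` raises KeyError in `AuthenticationProvider.login` in the plugin.py hunk of this commit. Add a post with `username='no-such-user'` and one with only `password` set, assert the response is still the 'Invalid login' page rather than a server error, and pin which audit entry, if any, each should produce. The test method starts before the hunk and continues after it.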
@@ -2222,7 +2228,8 @@ class TestTwoFactor(TestController):
         r = self.app.get('/auth/?return_to=/p/foo')
         r.form['username'] = 'test-admin'
         r.form['password'] = 'foo'
-        r = r.form.submit()
+        with audits('Multifactor login - password ok, code not entered yet', user=True):
+            r = r.form.submit()
 
         # check results
         assert r.location.endswith('/auth/multifactor?return_to=%2Fp%2Ffoo'), r
@@ -2231,7 +2238,8 @@ class TestTwoFactor(TestController):
 
         # try an invalid code
         r.form['code'] = 'invalid-code'
-        r = r.form.submit()
+        with audits('Multifactor login - invalid code', user=True):
+            r = r.form.submit()
         assert_in('Invalid code', r)
         assert not r.session.get('username')
 
@@ -2239,7 +2247,8 @@ class TestTwoFactor(TestController):
         totp = TotpService().Totp(self.sample_key)
         code = totp.generate(time_time())
         r.form['code'] = code
-        r = r.form.submit()
+        with audits('Successful login', user=True):
+            r = r.form.submit()
 
         # confirm login and final page
         assert_equal(r.session['username'], 'test-admin')
@@ -2268,7 +2277,8 @@ class TestTwoFactor(TestController):
         totp = TotpService().Totp(self.sample_key)
         code = totp.generate(time_time())
         r.form['code'] = code
-        r = r.form.submit()
+        with audits('Multifactor login - rate limit', user=True):
+            r = r.form.submit()
 
         assert_in('rate limit exceeded', r)
         assert not r.session.get('username')