Posted to commits@allura.apache.org by ke...@apache.org on 2017/07/06 15:07:35 UTC
[2/2] allura git commit: [#8155] record failed, successful,
and partial multifactor logins to the user audit log
[#8155] record failed, successful, and partial multifactor logins to the user audit log
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/1a1d8cd3
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/1a1d8cd3
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/1a1d8cd3
Branch: refs/heads/master
Commit: 1a1d8cd3357d90e400f9a5f98fa342655bf9e619
Parents: 48bdb32
Author: Dave Brondsema <da...@brondsema.net>
Authored: Tue Jun 27 17:46:20 2017 -0400
Committer: Kenton Taylor <kt...@slashdotmedia.com>
Committed: Thu Jul 6 14:54:06 2017 +0000
----------------------------------------------------------------------
Allura/allura/controllers/auth.py | 2 ++
Allura/allura/lib/plugin.py | 9 ++++++-
Allura/allura/tests/functional/test_auth.py | 32 ++++++++++++++++--------
3 files changed, 31 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/1a1d8cd3/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 284f750..e3ed706 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -367,9 +367,11 @@ class AuthController(BaseController):
h.auditlog_user('Logged in using a multifactor recovery code', user=user)
except (InvalidToken, InvalidRecoveryCode):
c.form_errors['code'] = 'Invalid code, please try again.'
+ h.auditlog_user('Multifactor login - invalid code', user=user)
return self.multifactor(mode=mode, **kwargs)
except MultifactorRateLimitError:
c.form_errors['code'] = 'Multifactor rate limit exceeded, slow down and try again later.'
+ h.auditlog_user('Multifactor login - rate limit', user=user)
return self.multifactor(mode=mode, **kwargs)
else:
plugin.AuthenticationProvider.get(request).login(user=user, multifactor_success=True)
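Review bot: The two added audit entries (`'Multifactor login - invalid code'` and `'Multifactor login - rate limit'`) do not record which multifactor path was being attempted, even though `mode` is in scope on the `return self.multifactor(mode=mode, **kwargs)` lines right after them; the success path on the first context line does distinguish a recovery-code login, so the failure entries are the only ones from which a reviewer of the user's audit log cannot tell a wrong TOTP code from a wrong recovery code. If the `audits()` helper used by the tests matches on a substring, `h.auditlog_user('Multifactor login - invalid code (%s)' % mode, user=user)` keeps the existing tests passing; otherwise the expected strings in test_auth.py need the same change. The enclosing handler begins before this hunk, so I have not checked what `mode` can hold at this point.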
http://git-wip-us.apache.org/repos/asf/allura/blob/1a1d8cd3/Allura/allura/lib/plugin.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index a0c20bf..a8008ed 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -164,11 +164,17 @@ class AuthenticationProvider(object):
raise NotImplementedError('_login')
def login(self, user=None, multifactor_success=False):
+ from allura import model as M
if user is None:
- user = self._login() # raises exception if auth fails
+ try:
+ user = self._login() # raises exception if auth fails
+ except exc.HTTPUnauthorized:
+ h.auditlog_user('Failed login', user=M.User.by_username(self.request.params['username']))
+ raise
if user.get_pref('multifactor') and not multifactor_success:
self.session['multifactor-username'] = user.username
+ h.auditlog_user('Multifactor login - password ok, code not entered yet', user=user)
self.session.save()
return None
else:
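Review bot: The new `except exc.HTTPUnauthorized` branch in `login` can replace the intended 401 with an unrelated error: `self.request.params['username']` raises `KeyError` when the form was submitted without a username, and `M.User.by_username(...)` presumably returns `None` for a username that does not exist, so `h.auditlog_user('Failed login', user=None)` is reached on exactly the requests an attacker is most likely to send; I cannot see `auditlog_user` here, so whether it tolerates `None` is unverified. Guard the lookup so the audit write never changes the outcome of the authentication failure, e.g. `attempted = M.User.by_username(self.request.params.get('username', ''))`, `if attempted is not None:`, `    h.auditlog_user('Failed login', user=attempted)`, followed by the existing `raise`. The function-local `from allura import model as M` looks like a circular-import workaround; a one-line comment saying so (`# local import: allura.model imports this module`) would stop the next reader from hoisting it. `login` continues past the end of this hunk.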
@@ -180,6 +186,7 @@ class AuthenticationProvider(object):
h.auditlog_user('Password expired', user=user)
else:
self.session['username'] = user.username
+ h.auditlog_user('Successful login', user=user)
if 'rememberme' in self.request.params:
remember_for = int(config.get('auth.remember_for', 365))
http://git-wip-us.apache.org/repos/asf/allura/blob/1a1d8cd3/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index b7b28be..bd8dc9c 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -71,13 +71,19 @@ class TestAuth(TestController):
r = self.app.get('/auth/verify_addr', params=dict(a=ea.nonce))
assert json.loads(self.webflash(r))['status'] == 'ok', self.webflash(r)
r = self.app.get('/auth/logout')
- r = self.app.post('/auth/do_login', params=dict(
- username='test-user', password='foo',
- _session_id=self.app.cookies['_session_id']))
- r = self.app.post('/auth/do_login', params=dict(
- username='test-user', password='food',
- _session_id=self.app.cookies['_session_id']))
- assert 'Invalid login' in str(r), r.showbrowser()
+
+ with audits('Successful login', user=True):
+ r = self.app.post('/auth/do_login', params=dict(
+ username='test-user', password='foo',
+ _session_id=self.app.cookies['_session_id']))
+ assert_equal(r.headers['Location'], 'http://localhost/')
+
+ with audits('Failed login', user=True):
+ r = self.app.post('/auth/do_login', params=dict(
+ username='test-user', password='food',
+ _session_id=self.app.cookies['_session_id']))
+ assert 'Invalid login' in str(r), r.showbrowser()
+
r = self.app.post('/auth/do_login', params=dict(
username='test-usera', password='foo',
_session_id=self.app.cookies['_session_id']))
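Review bot: The new `with audits('Failed login', user=True)` block only covers a wrong password for an existing user, which is the one failure case where the username lookup added in `AuthenticationProvider.login` is guaranteed to find a user. A companion case that posts to `/auth/do_login` with a username that does not exist, and another that omits `username` entirely, would pin down that the failure path still yields the `'Invalid login'` page rather than an error from the audit lookup; given the existing style it would be `r = self.app.post('/auth/do_login', params=dict(username='no-such-user', password='foo', _session_id=self.app.cookies['_session_id']))` followed by the same `assert 'Invalid login' in str(r)`. The test method continues past the end of this hunk.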
@@ -2222,7 +2228,8 @@ class TestTwoFactor(TestController):
r = self.app.get('/auth/?return_to=/p/foo')
r.form['username'] = 'test-admin'
r.form['password'] = 'foo'
- r = r.form.submit()
+ with audits('Multifactor login - password ok, code not entered yet', user=True):
+ r = r.form.submit()
# check results
assert r.location.endswith('/auth/multifactor?return_to=%2Fp%2Ffoo'), r
@@ -2231,7 +2238,8 @@ class TestTwoFactor(TestController):
# try an invalid code
r.form['code'] = 'invalid-code'
- r = r.form.submit()
+ with audits('Multifactor login - invalid code', user=True):
+ r = r.form.submit()
assert_in('Invalid code', r)
assert not r.session.get('username')
@@ -2239,7 +2247,8 @@ class TestTwoFactor(TestController):
totp = TotpService().Totp(self.sample_key)
code = totp.generate(time_time())
r.form['code'] = code
- r = r.form.submit()
+ with audits('Successful login', user=True):
+ r = r.form.submit()
# confirm login and final page
assert_equal(r.session['username'], 'test-admin')
@@ -2268,7 +2277,8 @@ class TestTwoFactor(TestController):
totp = TotpService().Totp(self.sample_key)
code = totp.generate(time_time())
r.form['code'] = code
- r = r.form.submit()
+ with audits('Multifactor login - rate limit', user=True):
+ r = r.form.submit()
assert_in('rate limit exceeded', r)
assert not r.session.get('username')