Commit 09704906 authored by Renato Figueiro Maia

[OPENBUS-2502] Nova configuração para permitir limitar o número de...

[OPENBUS-2502] Nova configuração para permitir limitar o número de autenticações inválidas junto aos validadores de senha
- Correções no código.


git-svn-id: https://subversion.tecgraf.puc-rio.br/engdist/openbus/core/branches/02_00_00@151280 ae0415b3-e90b-0410-900d-d0be9363c56b
parent 94e38f43
......@@ -250,7 +250,7 @@ function AccessControl:__init(data)
self.leaseTime = data.leaseTime
self.expirationGap = data.expirationGap
self.loginAttempts = PasswordAttempts{
limit = data.passwordTries,
limit = data.passwordLimitedTries,
period = data.passwordPenaltyTime,
}
self.validationAttempts = PasswordAttempts{
......
......@@ -12,17 +12,17 @@ local class = oo.class
local modes = {
AngryDog = function (self, now, before)
ShortMemory = function (self, before, now)
local wait = self.period-(now-before.time)
if wait > 0 then
return wait
end
end,
LeakyBucket = function (self, now, before)
LeakyBucket = function (self, before, now)
local rate = self.limit/self.period
count = count - (now-before.time)*rate -- leak the bucket
before.time = now
local count = before.count - (now-before.time)*rate -- leak the bucket
if count > 0 then
before.time = now
before.count = count
return 1/rate
end
......@@ -31,7 +31,7 @@ local modes = {
local PasswordAttempts = class{
modes = modes,
mode = modes.AngryDog,
mode = modes.ShortMemory,
}
function PasswordAttempts:__init()
......@@ -42,13 +42,14 @@ function PasswordAttempts:allow(sourceid)
local attemptsOf = self.attemptsOf
local attempts = attemptsOf[sourceid]
if attempts ~= nil then
local blocked = self:mode(time(), attempts)
local blocked = self:mode(attempts, time())
if blocked == nil then
attemptsOf[sourceid] = nil
else
if attempts.count >= self.limit then
return false, wait
end
elseif attempts.count >= self.limit then
_G.print(">>>", attempts.count, self.limit)
return false, blocked
end
end
return true
......@@ -77,11 +78,9 @@ function PasswordAttempts:clean()
local now = time()
local attemptsOf = self.attemptsOf
for sourceid, attempts in pairs(attemptsOf) do
local count = self:mode(now, attempts.time, attempts.count)
if count == nil then
local blocked = self:mode(attempts, now)
if blocked == nil then
attemptsOf[sourceid] = nil
else
attempts.count = count
end
end
return now
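Review bot: The `_G.print(">>>", attempts.count, self.limit)` left in the `allow` hunk is a debug trace that writes every blocked attempt to stdout, bypassing the logger the rest of the server uses and leaking per-source attempt counters into whatever captures the process output; drop it so the branch reads `elseif attempts.count >= self.limit then return false, blocked end`. In the same hunk the `blocked` value is only consulted when `count >= limit`, which is the intended behaviour, but a one-line comment such as `-- mode returns the remaining wait, or nil once the record may be discarded` above `local blocked = self:mode(attempts, time())` would make the contract of the two `modes` functions explicit at the call site. `PasswordAttempts:allow` and `PasswordAttempts:clean` both begin before their hunks, and the code that increments `attempts.count` is not in this section, so I cannot confirm how a record enters `attemptsOf`.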
......
......@@ -60,10 +60,10 @@ return function(...)
leasetime = 30*60,
expirationgap = 10,
passwordpenalty = 3*60,
passwordtries = 3,
validationburst = inf,
validationrate = inf,
badpasswordpenalty = 3*60,
badpasswordtries = 3,
badpasswordlimit = inf,
badpasswordrate = inf,
admin = {},
validator = {},
......@@ -102,10 +102,10 @@ Options:
-leasetime <seconds> tempo de lease dos logins de acesso
-expirationgap <seconds> tempo que os logins ficam vlidas aps o lease
-passwordpenalty <seconds> perodo com tentativas de login limitadas aps falha de senha
-passwordtries <number> nmero de tentativas durante o perodo de 'passwordpenalty'
-validationburst <number> nmero mximo de validaes de senha simultneas
-validationrate <number> frequncia mxima de validaes de senha (validao/segundo)
-badpasswordpenalty <sec.> perodo com tentativas de login limitadas aps falha de senha
-badpasswordtries <number> nmero de tentativas durante o perodo de 'passwordpenalty'
-badpasswordlimit <number> nmero mximo de autenticaes simultneas com senha incorreta
-badpasswordrate <number> frequncia mxima de autenticaes com senha incoreta (autenticao/segundo)
-admin <user> usurio com privilgio de administrao
-validator <name> nome de pacote de validao de login
......@@ -164,20 +164,20 @@ Options:
msg.InvalidLeaseTime:tag{value=Configs.leasetime})
assert(Configs.expirationgap > 0,
msg.InvalidExpirationGap:tag{value=Configs.expirationgap})
assert(Configs.passwordpenalty >= 0,
msg.InvalidPasswordPenaltyTime:tag{value=Configs.passwordpenalty})
assert(Configs.passwordtries > 0 and Configs.passwordtries%1 == 0,
msg.InvalidNumberOfPasswordLimitedTries:tag{value=Configs.passwordtries})
assert((Configs.validationburst ~= inf) == (Configs.validationrate ~= inf),
assert(Configs.badpasswordpenalty >= 0,
msg.InvalidPasswordPenaltyTime:tag{value=Configs.badpasswordpenalty})
assert(Configs.badpasswordtries > 0 and Configs.badpasswordtries%1 == 0,
msg.InvalidNumberOfPasswordLimitedTries:tag{value=Configs.badpasswordtries})
assert((Configs.badpasswordlimit ~= inf) == (Configs.badpasswordrate ~= inf),
msg.MissingPasswordValidationParameter:tag{
missing = (Configs.validationburst == inf)
and "validationburst"
or "validationrate"
missing = (Configs.badpasswordlimit == inf)
and "badpasswordlimit"
or "badpasswordrate"
})
assert(Configs.validationburst >= 1,
msg.InvalidPasswordValidationLimit:tag{value=Configs.validationburst})
assert(Configs.validationrate > 0,
msg.InvalidPasswordValidationRate:tag{value=Configs.validationrate})
assert(Configs.badpasswordlimit >= 1,
msg.InvalidPasswordValidationLimit:tag{value=Configs.badpasswordlimit})
assert(Configs.badpasswordrate > 0,
msg.InvalidPasswordValidationRate:tag{value=Configs.badpasswordlimitrate})
-- create a set of admin users
local adminUsers = {}
......@@ -246,10 +246,10 @@ Options:
database = assert(opendb(Configs.database)),
leaseTime = Configs.leasetime,
expirationGap = Configs.expirationgap,
passwordPenaltyTime = Configs.passwordpenalty,
passwordTries = Configs.passwordtries,
passwordFailureLimit = Configs.validationrate,
passwordFailureRate = Configs.validationrate,
passwordPenaltyTime = Configs.badpasswordpenalty,
passwordLimitedTries = Configs.badpasswordtries,
passwordFailureLimit = Configs.badpasswordlimit,
passwordFailureRate = Configs.badpasswordrate,
admins = adminUsers,
validators = validators,
enforceAuth = not Configs.noauthorizations,
......@@ -258,8 +258,10 @@ Options:
log:config(msg.LoadedBusPrivateKey:tag{path=Configs.privatekey})
log:config(msg.SetupLoginLeaseTime:tag{seconds=params.leaseTime})
log:config(msg.SetupLoginExpirationGap:tag{seconds=params.expirationGap})
log:config(msg.WrongPasswordPenaltyTime:tag{seconds=Configs.passwordpenalty})
log:config(msg.WrongPasswordLimitedTries:tag{maxtries=Configs.passwordtries})
log:config(msg.BadPasswordPenaltyTime:tag{seconds=Configs.badpasswordpenalty})
log:config(msg.BadPasswordLimitedTries:tag{limit=Configs.badpasswordtries})
log:config(msg.BadPasswordTotalLimit:tag{value=Configs.badpasswordlimit})
log:config(msg.BadPasswordMaxRate:tag{value=Configs.badpasswordrate})
if not params.enforceAuth then
log:config(msg.OfferAuthorizationDisabled)
end
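Review bot: The last assert in the validation hunk builds its message from `Configs.badpasswordlimitrate`, a key that is never defined (the option is `badpasswordrate`), so an invalid rate would be reported with `value=nil`; change it to `msg.InvalidPasswordValidationRate:tag{value=Configs.badpasswordrate})`. In the usage hunk the `-badpasswordtries` line still refers to the period as `'passwordpenalty'` although that option was renamed to `badpasswordpenalty` in the same commit, and the `-badpasswordrate` line has "incoreta" for "incorreta"; both strings are shown to operators and should be fixed together. Since `badpasswordlimit` and `badpasswordrate` default to `inf`, the validator-side throttle is off unless an operator sets both, which the paired assert enforces; stating "padrão: sem limite" in those two usage lines would make that explicit.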
......