grafana/pkg/login/auth.go

package login

import (
	"errors"

	"github.com/grafana/grafana/pkg/bus"
	m "github.com/grafana/grafana/pkg/models"
)

var (
	ErrEmailNotAllowed       = errors.New("Required email domain not fulfilled")
	ErrInvalidCredentials    = errors.New("Invalid Username or Password")
	ErrNoEmail               = errors.New("Login provider didn't return an email address")
	ErrProviderDeniedRequest = errors.New("Login provider denied login request")
	ErrSignUpNotAllowed      = errors.New("Signup is not allowed for this adapter")
	ErrTooManyLoginAttempts  = errors.New("Too many consecutive incorrect login attempts for user. Login for user temporarily blocked")
	ErrPasswordEmpty         = errors.New("No password provided")
	ErrUsersQuotaReached     = errors.New("Users quota reached")
	ErrGettingUserQuota      = errors.New("Error getting user quota")
)

func Init() {
	bus.AddHandler("auth", AuthenticateUser)
	loadLdapConfig()
}

func AuthenticateUser(query *m.LoginUserQuery) error {
	if err := validateLoginAttempts(query.Username); err != nil {
		return err
	}

	if err := validatePasswordSet(query.Password); err != nil {
		return err
	}

	err := loginUsingGrafanaDB(query)
	if err == nil || (err != m.ErrUserNotFound && err != ErrInvalidCredentials) {
		return err
	}

	ldapEnabled, ldapErr := loginUsingLdap(query)
	if ldapEnabled {
		if ldapErr == nil || ldapErr != ErrInvalidCredentials {
			return ldapErr
		}

		err = ldapErr
	}

	if err == ErrInvalidCredentials {
		saveInvalidLoginAttempt(query)
	}

	if err == m.ErrUserNotFound {
		return ErrInvalidCredentials
	}

	return err
}
func validatePasswordSet(password string) error {
	if len(password) == 0 {
		return ErrPasswordEmpty
	}

	return nil
}
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 16:08:23 +08:00			`package login`
Initial work on ldap support, #1450 2015-06-04 15:34:42 +08:00
			`import (`
			`"errors"`
application lifecycle event support 2018-10-26 19:57:31 +08:00
Initial work on ldap support, #1450 2015-06-04 15:34:42 +08:00			`"github.com/grafana/grafana/pkg/bus"`
			`m "github.com/grafana/grafana/pkg/models"`
			`)`

			`var (`
shared library for managing external user accounts 2018-02-09 06:13:58 +08:00			`ErrEmailNotAllowed = errors.New("Required email domain not fulfilled")`
			`ErrInvalidCredentials = errors.New("Invalid Username or Password")`
			`ErrNoEmail = errors.New("Login provider didn't return an email address")`
			`ErrProviderDeniedRequest = errors.New("Login provider denied login request")`
			`ErrSignUpNotAllowed = errors.New("Signup is not allowed for this adapter")`
			`ErrTooManyLoginAttempts = errors.New("Too many consecutive incorrect login attempts for user. Login for user temporarily blocked")`
Chore: a bit of spring cleaning (#16710) * Chore: use early return technic everywhere And enable "indent-error-flow" revive rule * Chore: remove if-return rule from revive config * Chore: improve error messages And enable "error-strings" revive rule * Chore: enable "error-naming" revive rule * Chore: make linter happy * Chore: do not duplicate gofmt execution * Chore: make linter happy * Chore: address the pull review comments 2019-04-23 16:24:47 +08:00			`ErrPasswordEmpty = errors.New("No password provided")`
shared library for managing external user accounts 2018-02-09 06:13:58 +08:00			`ErrUsersQuotaReached = errors.New("Users quota reached")`
			`ErrGettingUserQuota = errors.New("Error getting user quota")`
Initial work on ldap support, #1450 2015-06-04 15:34:42 +08:00			`)`

revert application lifecycle event support 2018-10-30 19:31:28 +08:00			`func Init() {`
			`bus.AddHandler("auth", AuthenticateUser)`
			`loadLdapConfig()`
Initial work on ldap support, #1450 2015-06-04 15:34:42 +08:00			`}`

switch to passing ReqContext as a property 2018-03-24 03:50:07 +08:00			`func AuthenticateUser(query *m.LoginUserQuery) error {`
WIP: Protect against brute force (frequent) login attempts (#10031) * db: add login attempt migrations * db: add possibility to create login attempts * db: add possibility to retrieve login attempt count per username * auth: validation and update of login attempts for invalid credentials If login attempt count for user authenticating is 5 or more the last 5 minutes we temporarily block the user access to login * db: add possibility to delete expired login attempts * cleanup: Delete login attempts older than 10 minutes The cleanup job are running continuously and triggering each 10 minute * fix typo: rename consequent to consequent * auth: enable login attempt validation for ldap logins * auth: disable login attempts validation by configuration Setting is named DisableLoginAttemptsValidation and is false by default Config disable_login_attempts_validation is placed under security section #7616 * auth: don't run cleanup of login attempts if feature is disabled #7616 * auth: rename settings.go to ldap_settings.go * auth: refactor AuthenticateUser Extract grafana login, ldap login and login attemp validation together with their tests to separate files. Enables testing of many more aspects when authenticating a user. #7616 * auth: rename login attempt validation to brute force login protection Setting DisableLoginAttemptsValidation => DisableBruteForceLoginProtection Configuration disable_login_attempts_validation => disable_brute_force_login_protection #7616 2018-01-26 17:41:41 +08:00			`if err := validateLoginAttempts(query.Username); err != nil {`
Started work on LDAP again, #1450 2015-07-10 17:10:48 +08:00			`return err`
			`}`
Initial work on ldap support, #1450 2015-06-04 15:34:42 +08:00
Only authenticate logins when password is set (#13147) * auth: never authenticate passwords shorter than 4 chars. * auth: refactoring password length check. * auth: does not authenticate when password is empty. * auth: removes unneccesary change. 2018-09-05 18:12:46 +08:00			`if err := validatePasswordSet(query.Password); err != nil {`
			`return err`
			`}`

WIP: Protect against brute force (frequent) login attempts (#10031) * db: add login attempt migrations * db: add possibility to create login attempts * db: add possibility to retrieve login attempt count per username * auth: validation and update of login attempts for invalid credentials If login attempt count for user authenticating is 5 or more the last 5 minutes we temporarily block the user access to login * db: add possibility to delete expired login attempts * cleanup: Delete login attempts older than 10 minutes The cleanup job are running continuously and triggering each 10 minute * fix typo: rename consequent to consequent * auth: enable login attempt validation for ldap logins * auth: disable login attempts validation by configuration Setting is named DisableLoginAttemptsValidation and is false by default Config disable_login_attempts_validation is placed under security section #7616 * auth: don't run cleanup of login attempts if feature is disabled #7616 * auth: rename settings.go to ldap_settings.go * auth: refactor AuthenticateUser Extract grafana login, ldap login and login attemp validation together with their tests to separate files. Enables testing of many more aspects when authenticating a user. #7616 * auth: rename login attempt validation to brute force login protection Setting DisableLoginAttemptsValidation => DisableBruteForceLoginProtection Configuration disable_login_attempts_validation => disable_brute_force_login_protection #7616 2018-01-26 17:41:41 +08:00			`err := loginUsingGrafanaDB(query)`
			`if err == nil \|\| (err != m.ErrUserNotFound && err != ErrInvalidCredentials) {`
			`return err`
Started work on LDAP again, #1450 2015-07-10 17:10:48 +08:00			`}`

switch to passing ReqContext as a property 2018-03-24 03:50:07 +08:00			`ldapEnabled, ldapErr := loginUsingLdap(query)`
WIP: Protect against brute force (frequent) login attempts (#10031) * db: add login attempt migrations * db: add possibility to create login attempts * db: add possibility to retrieve login attempt count per username * auth: validation and update of login attempts for invalid credentials If login attempt count for user authenticating is 5 or more the last 5 minutes we temporarily block the user access to login * db: add possibility to delete expired login attempts * cleanup: Delete login attempts older than 10 minutes The cleanup job are running continuously and triggering each 10 minute * fix typo: rename consequent to consequent * auth: enable login attempt validation for ldap logins * auth: disable login attempts validation by configuration Setting is named DisableLoginAttemptsValidation and is false by default Config disable_login_attempts_validation is placed under security section #7616 * auth: don't run cleanup of login attempts if feature is disabled #7616 * auth: rename settings.go to ldap_settings.go * auth: refactor AuthenticateUser Extract grafana login, ldap login and login attemp validation together with their tests to separate files. Enables testing of many more aspects when authenticating a user. #7616 * auth: rename login attempt validation to brute force login protection Setting DisableLoginAttemptsValidation => DisableBruteForceLoginProtection Configuration disable_login_attempts_validation => disable_brute_force_login_protection #7616 2018-01-26 17:41:41 +08:00			`if ldapEnabled {`
			`if ldapErr == nil \|\| ldapErr != ErrInvalidCredentials {`
			`return ldapErr`
Started work on LDAP again, #1450 2015-07-10 17:10:48 +08:00			`}`
WIP: Protect against brute force (frequent) login attempts (#10031) * db: add login attempt migrations * db: add possibility to create login attempts * db: add possibility to retrieve login attempt count per username * auth: validation and update of login attempts for invalid credentials If login attempt count for user authenticating is 5 or more the last 5 minutes we temporarily block the user access to login * db: add possibility to delete expired login attempts * cleanup: Delete login attempts older than 10 minutes The cleanup job are running continuously and triggering each 10 minute * fix typo: rename consequent to consequent * auth: enable login attempt validation for ldap logins * auth: disable login attempts validation by configuration Setting is named DisableLoginAttemptsValidation and is false by default Config disable_login_attempts_validation is placed under security section #7616 * auth: don't run cleanup of login attempts if feature is disabled #7616 * auth: rename settings.go to ldap_settings.go * auth: refactor AuthenticateUser Extract grafana login, ldap login and login attemp validation together with their tests to separate files. Enables testing of many more aspects when authenticating a user. #7616 * auth: rename login attempt validation to brute force login protection Setting DisableLoginAttemptsValidation => DisableBruteForceLoginProtection Configuration disable_login_attempts_validation => disable_brute_force_login_protection #7616 2018-01-26 17:41:41 +08:00
			`err = ldapErr`
Initial work on ldap support, #1450 2015-06-04 15:34:42 +08:00			`}`

WIP: Protect against brute force (frequent) login attempts (#10031) * db: add login attempt migrations * db: add possibility to create login attempts * db: add possibility to retrieve login attempt count per username * auth: validation and update of login attempts for invalid credentials If login attempt count for user authenticating is 5 or more the last 5 minutes we temporarily block the user access to login * db: add possibility to delete expired login attempts * cleanup: Delete login attempts older than 10 minutes The cleanup job are running continuously and triggering each 10 minute * fix typo: rename consequent to consequent * auth: enable login attempt validation for ldap logins * auth: disable login attempts validation by configuration Setting is named DisableLoginAttemptsValidation and is false by default Config disable_login_attempts_validation is placed under security section #7616 * auth: don't run cleanup of login attempts if feature is disabled #7616 * auth: rename settings.go to ldap_settings.go * auth: refactor AuthenticateUser Extract grafana login, ldap login and login attemp validation together with their tests to separate files. Enables testing of many more aspects when authenticating a user. #7616 * auth: rename login attempt validation to brute force login protection Setting DisableLoginAttemptsValidation => DisableBruteForceLoginProtection Configuration disable_login_attempts_validation => disable_brute_force_login_protection #7616 2018-01-26 17:41:41 +08:00			`if err == ErrInvalidCredentials {`
			`saveInvalidLoginAttempt(query)`
			`}`
Initial work on ldap support, #1450 2015-06-04 15:34:42 +08:00
WIP: Protect against brute force (frequent) login attempts (#10031) * db: add login attempt migrations * db: add possibility to create login attempts * db: add possibility to retrieve login attempt count per username * auth: validation and update of login attempts for invalid credentials If login attempt count for user authenticating is 5 or more the last 5 minutes we temporarily block the user access to login * db: add possibility to delete expired login attempts * cleanup: Delete login attempts older than 10 minutes The cleanup job are running continuously and triggering each 10 minute * fix typo: rename consequent to consequent * auth: enable login attempt validation for ldap logins * auth: disable login attempts validation by configuration Setting is named DisableLoginAttemptsValidation and is false by default Config disable_login_attempts_validation is placed under security section #7616 * auth: don't run cleanup of login attempts if feature is disabled #7616 * auth: rename settings.go to ldap_settings.go * auth: refactor AuthenticateUser Extract grafana login, ldap login and login attemp validation together with their tests to separate files. Enables testing of many more aspects when authenticating a user. #7616 * auth: rename login attempt validation to brute force login protection Setting DisableLoginAttemptsValidation => DisableBruteForceLoginProtection Configuration disable_login_attempts_validation => disable_brute_force_login_protection #7616 2018-01-26 17:41:41 +08:00			`if err == m.ErrUserNotFound {`
Started work on LDAP again, #1450 2015-07-10 17:10:48 +08:00			`return ErrInvalidCredentials`
Initial work on ldap support, #1450 2015-06-04 15:34:42 +08:00			`}`

WIP: Protect against brute force (frequent) login attempts (#10031) * db: add login attempt migrations * db: add possibility to create login attempts * db: add possibility to retrieve login attempt count per username * auth: validation and update of login attempts for invalid credentials If login attempt count for user authenticating is 5 or more the last 5 minutes we temporarily block the user access to login * db: add possibility to delete expired login attempts * cleanup: Delete login attempts older than 10 minutes The cleanup job are running continuously and triggering each 10 minute * fix typo: rename consequent to consequent * auth: enable login attempt validation for ldap logins * auth: disable login attempts validation by configuration Setting is named DisableLoginAttemptsValidation and is false by default Config disable_login_attempts_validation is placed under security section #7616 * auth: don't run cleanup of login attempts if feature is disabled #7616 * auth: rename settings.go to ldap_settings.go * auth: refactor AuthenticateUser Extract grafana login, ldap login and login attemp validation together with their tests to separate files. Enables testing of many more aspects when authenticating a user. #7616 * auth: rename login attempt validation to brute force login protection Setting DisableLoginAttemptsValidation => DisableBruteForceLoginProtection Configuration disable_login_attempts_validation => disable_brute_force_login_protection #7616 2018-01-26 17:41:41 +08:00			`return err`
Initial work on ldap support, #1450 2015-06-04 15:34:42 +08:00			`}`
Only authenticate logins when password is set (#13147) * auth: never authenticate passwords shorter than 4 chars. * auth: refactoring password length check. * auth: does not authenticate when password is empty. * auth: removes unneccesary change. 2018-09-05 18:12:46 +08:00			`func validatePasswordSet(password string) error {`
			`if len(password) == 0 {`
			`return ErrPasswordEmpty`
			`}`

			`return nil`
			`}`