mirror of
https://github.com/goharbor/harbor.git
synced 2025-01-02 05:59:18 +01:00
lock users from frequently login
This commit is contained in:
parent
5dafb3d684
commit
3cdac3161d
@ -1,9 +1,40 @@
|
||||
/*
|
||||
Copyright (c) 2016 VMware, Inc. All Rights Reserved.
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
package auth
|
||||
|
||||
import (
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
|
||||
func TestMain(t *testing.T) {
|
||||
}
|
||||
var l = NewUserLock(2 * time.Second)
|
||||
|
||||
func TestLock(t *testing.T) {
|
||||
t.Log("Locking john")
|
||||
l.Lock("john")
|
||||
if !l.IsLocked("john") {
|
||||
t.Errorf("John should be locked")
|
||||
}
|
||||
t.Log("Locking jack")
|
||||
l.Lock("jack")
|
||||
t.Log("Sleep for 2 seconds and check...")
|
||||
time.Sleep(2 * time.Second)
|
||||
if l.IsLocked("jack") {
|
||||
t.Errorf("After 2 seconds, jack shouldn't be locked")
|
||||
}
|
||||
if l.IsLocked("daniel") {
|
||||
t.Errorf("daniel has never been locked, he should not be locked")
|
||||
}
|
||||
}
|
||||
|
@ -17,13 +17,18 @@ package auth
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"github.com/vmware/harbor/utils/log"
|
||||
"os"
|
||||
"time"
|
||||
|
||||
"github.com/vmware/harbor/models"
|
||||
)
|
||||
|
||||
// 1.5 seconds
|
||||
const frozenTime time.Duration = 1500 * time.Millisecond
|
||||
|
||||
var lock = NewUserLock(frozenTime)
|
||||
|
||||
// Authenticator provides interface to authenticate user credentials.
|
||||
type Authenticator interface {
|
||||
|
||||
@ -55,5 +60,15 @@ func Login(m models.AuthModel) (*models.User, error) {
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("Unrecognized auth_mode: %s", authMode)
|
||||
}
|
||||
return authenticator.Authenticate(m)
|
||||
if lock.IsLocked(m.Principal) {
|
||||
log.Debugf("%s is locked due to login failure, login failed", m.Principal)
|
||||
return nil, nil
|
||||
}
|
||||
user, err := authenticator.Authenticate(m)
|
||||
if user == nil && err == nil {
|
||||
log.Debugf("Login failed, locking %s, and sleep for %v", m.Principal, frozenTime)
|
||||
lock.Lock(m.Principal)
|
||||
time.Sleep(frozenTime)
|
||||
}
|
||||
return user, err
|
||||
}
|
||||
|
52
auth/lock.go
Normal file
52
auth/lock.go
Normal file
@ -0,0 +1,52 @@
|
||||
/*
|
||||
Copyright (c) 2016 VMware, Inc. All Rights Reserved.
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package auth
|
||||
|
||||
import (
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
// UserLock maintains a lock to block user from logging in within a short period of time.
|
||||
type UserLock struct {
|
||||
failures map[string]time.Time
|
||||
d time.Duration
|
||||
rw *sync.RWMutex
|
||||
}
|
||||
|
||||
// NewUserLock ...
|
||||
func NewUserLock(freeze time.Duration) *UserLock {
|
||||
return &UserLock{
|
||||
make(map[string]time.Time),
|
||||
freeze,
|
||||
&sync.RWMutex{},
|
||||
}
|
||||
}
|
||||
|
||||
// Lock marks a new login failure with the time it happens
|
||||
func (ul *UserLock) Lock(username string) {
|
||||
ul.rw.Lock()
|
||||
defer ul.rw.Unlock()
|
||||
ul.failures[username] = time.Now()
|
||||
}
|
||||
|
||||
// IsLocked checks whether a login request is happened within a period of time or not
|
||||
// if it is, the authenticator should ignore the login request and return a failure immediately
|
||||
func (ul *UserLock) IsLocked(username string) bool {
|
||||
ul.rw.RLock()
|
||||
defer ul.rw.RUnlock()
|
||||
return time.Now().Sub(ul.failures[username]) <= ul.d
|
||||
}
|
Loading…
Reference in New Issue
Block a user