Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
gitlab-ce
Commits
161a05b9
Commit
161a05b9
authored
Mar 22, 2018
by
Tiago Botelho
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Writes specs
parent
f7420102
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
88 additions
and
45 deletions
+88
-45
app/controllers/omniauth_callbacks_controller.rb
app/controllers/omniauth_callbacks_controller.rb
+4
-2
changelogs/unreleased/43525-limit-number-of-failed-logins-using-ldap.yml
...leased/43525-limit-number-of-failed-logins-using-ldap.yml
+5
-0
spec/controllers/omniauth_callbacks_controller_spec.rb
spec/controllers/omniauth_callbacks_controller_spec.rb
+79
-43
No files found.
app/controllers/omniauth_callbacks_controller.rb
View file @
161a05b9
...
...
@@ -21,9 +21,11 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
# Extend the standard implementation to also increment
# the number of failed sign in attempts
def
failure
user
=
User
.
find_by_username
(
params
[
:username
])
if
params
[
:username
].
present?
&&
AuthHelper
.
form_based_provider?
(
failed_strategy
.
name
)
user
=
User
.
by_login
(
params
[
:username
])
user
&
.
increment_failed_attempts!
user
&
.
increment_failed_attempts!
end
super
end
...
...
changelogs/unreleased/43525-limit-number-of-failed-logins-using-ldap.yml
0 → 100644
View file @
161a05b9
---
title
:
Limit the number of failed logins when using LDAP for authentication
merge_request
:
43525
author
:
type
:
added
spec/controllers/omniauth_callbacks_controller_spec.rb
View file @
161a05b9
...
...
@@ -10,83 +10,119 @@ describe OmniauthCallbacksController do
stub_omniauth_provider
(
provider
,
context:
request
)
end
context
'
github
'
do
context
'
when the user is on the last sign in attempt
'
do
let
(
:extern_uid
)
{
'my-uid'
}
let
(
:provider
)
{
:github
}
it
'allows sign in'
do
post
provider
expect
(
request
.
env
[
'warden'
]).
to
be_authenticated
before
do
user
.
update
(
failed_attempts:
User
.
maximum_attempts
.
pred
)
subject
.
response
=
ActionDispatch
::
Response
.
new
end
shared_context
'sign_up'
do
let
(
:user
)
{
double
(
email:
'new@example.com'
)
}
context
'when using a form based provider'
do
let
(
:provider
)
{
:ldap
}
it
'locks the user when sign in fails'
do
allow
(
subject
).
to
receive
(
:params
).
and_return
(
ActionController
::
Parameters
.
new
(
username:
user
.
username
))
request
.
env
[
'omniauth.error.strategy'
]
=
OmniAuth
::
Strategies
::
LDAP
.
new
(
nil
)
subject
.
send
(
:failure
)
before
do
stub_omniauth_setting
(
block_auto_created_users:
false
)
expect
(
user
.
reload
).
to
be_access_locked
end
end
context
'
sign up
'
do
include_context
'sign_up'
context
'
when using a button based provider
'
do
let
(
:provider
)
{
:github
}
it
'
is allowed
'
do
post
provider
it
'
does not lock the user when sign in fails
'
do
request
.
env
[
'omniauth.error.strategy'
]
=
OmniAuth
::
Strategies
::
GitHub
.
new
(
nil
)
expect
(
request
.
env
[
'warden'
]).
to
be_authenticated
subject
.
send
(
:failure
)
expect
(
user
.
reload
).
not_to
be_access_locked
end
end
end
context
'when OAuth is disabled'
do
before
do
stub_env
(
'IN_MEMORY_APPLICATION_SETTINGS'
,
'false'
)
settings
=
Gitlab
::
CurrentSettings
.
current_application_settings
settings
.
update
(
disabled_oauth_sign_in_sources:
[
provider
.
to_s
])
end
context
'strategies'
do
context
'github'
do
let
(
:extern_uid
)
{
'my-uid'
}
let
(
:provider
)
{
:github
}
it
'
prevents login via POST
'
do
it
'
allows sign in
'
do
post
provider
expect
(
request
.
env
[
'warden'
]).
not_
to
be_authenticated
expect
(
request
.
env
[
'warden'
]).
to
be_authenticated
end
it
'shows warning when attempting login
'
do
post
provider
shared_context
'sign_up
'
do
let
(
:user
)
{
double
(
email:
'new@example.com'
)
}
expect
(
response
).
to
redirect_to
new_user_session_path
expect
(
flash
[
:alert
]).
to
eq
(
'Signing in using GitHub has been disabled'
)
before
do
stub_omniauth_setting
(
block_auto_created_users:
false
)
end
end
it
'allows linking the disabled provider'
do
user
.
identities
.
destroy_all
sign_in
(
user
)
context
'sign up'
do
include_context
'sign_up'
it
'is allowed'
do
post
provider
expect
{
post
provider
}.
to
change
{
user
.
reload
.
identities
.
count
}.
by
(
1
)
expect
(
request
.
env
[
'warden'
]).
to
be_authenticated
end
end
context
'sign up'
do
include_context
'sign_up'
context
'when OAuth is disabled'
do
before
do
stub_env
(
'IN_MEMORY_APPLICATION_SETTINGS'
,
'false'
)
settings
=
Gitlab
::
CurrentSettings
.
current_application_settings
settings
.
update
(
disabled_oauth_sign_in_sources:
[
provider
.
to_s
])
end
it
'
is prevented
'
do
it
'
prevents login via POST
'
do
post
provider
expect
(
request
.
env
[
'warden'
]).
not_to
be_authenticated
end
it
'shows warning when attempting login'
do
post
provider
expect
(
response
).
to
redirect_to
new_user_session_path
expect
(
flash
[
:alert
]).
to
eq
(
'Signing in using GitHub has been disabled'
)
end
it
'allows linking the disabled provider'
do
user
.
identities
.
destroy_all
sign_in
(
user
)
expect
{
post
provider
}.
to
change
{
user
.
reload
.
identities
.
count
}.
by
(
1
)
end
context
'sign up'
do
include_context
'sign_up'
it
'is prevented'
do
post
provider
expect
(
request
.
env
[
'warden'
]).
not_to
be_authenticated
end
end
end
end
end
context
'auth0'
do
let
(
:extern_uid
)
{
''
}
let
(
:provider
)
{
:auth0
}
context
'auth0'
do
let
(
:extern_uid
)
{
''
}
let
(
:provider
)
{
:auth0
}
it
'does not allow sign in without extern_uid'
do
post
'auth0'
it
'does not allow sign in without extern_uid'
do
post
'auth0'
expect
(
request
.
env
[
'warden'
]).
not_to
be_authenticated
expect
(
response
.
status
).
to
eq
(
302
)
expect
(
controller
).
to
set_flash
[
:alert
].
to
(
'Wrong extern UID provided. Make sure Auth0 is configured correctly.'
)
expect
(
request
.
env
[
'warden'
]).
not_to
be_authenticated
expect
(
response
.
status
).
to
eq
(
302
)
expect
(
controller
).
to
set_flash
[
:alert
].
to
(
'Wrong extern UID provided. Make sure Auth0 is configured correctly.'
)
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment