Brute forcing unlock user bug (#18890)

* brute forcing unlock user bug * add changelog * fix changelog
2023-01-30 13:06:10 -08:00 · 2023-01-30 13:06:10 -08:00 · 16ce923ddb
parent 20c1645329
commit 16ce923ddb
3 changed files with 42 additions and 1 deletions
--- a/builtin/credential/userpass/path_login.go
+++ b/builtin/credential/userpass/path_login.go
@ -39,7 +39,7 @@ func pathLogin(b *backend) *framework.Path {
 }

 func (b *backend) pathLoginAliasLookahead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	username := strings.ToLower(d.Get("username").(string))
+	username := d.Get("username").(string)
 	if username == "" {
 		return nil, fmt.Errorf("missing username")
 	}
--- a/changelog/18890.txt
+++ b/changelog/18890.txt
@ -0,0 +1,4 @@
+```release-note:bug
+core: removes strings.ToLower for alias name from pathLoginAliasLookahead function in userpass. This fixes
+the storage entry for locked users by having the correct alias name in path. 
+``
--- a/vault/external_tests/identity/userlockouts_test.go
+++ b/vault/external_tests/identity/userlockouts_test.go
@ -374,6 +374,13 @@ func TestIdentityStore_UnlockUserTest(t *testing.T) {
 		t.Fatal(err)
 	}

+	// create another user for userpass with a different case
+	if _, err = standby.Logical().Write("auth/userpass/users/bSmith", map[string]interface{}{
+		"password": "training",
+	}); err != nil {
+		t.Fatal(err)
+	}
+
 	// login failure count 1
 	standby.Logical().Write("auth/userpass/login/bsmith", map[string]interface{}{
 		"password": "wrongPassword",
@ -404,6 +411,36 @@ func TestIdentityStore_UnlockUserTest(t *testing.T) {
 		t.Fatal("expected login to succeed as user is unlocked")
 	}

+	// login failure count 1 for user bSmith
+	standby.Logical().Write("auth/userpass/login/bSmith", map[string]interface{}{
+		"password": "wrongPassword",
+	})
+	// login failure count 2 for user bSmith
+	standby.Logical().Write("auth/userpass/login/bSmith", map[string]interface{}{
+		"password": "wrongPassword",
+	})
+	// login : permission denied as user locked out for user bSmith
+	if _, err = standby.Logical().Write("auth/userpass/login/bSmith", map[string]interface{}{
+		"password": "training",
+	}); err == nil {
+		t.Fatal("expected login to fail as user locked out")
+	}
+	if !strings.Contains(err.Error(), logical.ErrPermissionDenied.Error()) {
+		t.Fatalf("expected to see permission denied error as user locked out, got %v", err)
+	}
+
+	// unlock user bSmith
+	if _, err = standby.Logical().Write("sys/locked-users/"+mountAccessor+"/unlock/bSmith", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	// login: should be successful as user bSmith unlocked
+	if _, err = standby.Logical().Write("auth/userpass/login/bSmith", map[string]interface{}{
+		"password": "training",
+	}); err != nil {
+		t.Fatal("expected login to succeed as user is unlocked")
+	}
+
 	// unlock unlocked user
 	if _, err = active.Logical().Write("sys/locked-users/mountAccessor/unlock/bsmith", nil); err != nil {
 		t.Fatal(err)