Brute forcing unlock user bug (#18890)
* brute forcing unlock user bug * add changelog * fix changelog
This commit is contained in:
parent
20c1645329
commit
16ce923ddb
@ -39,7 +39,7 @@ func pathLogin(b *backend) *framework.Path {
}
}
func (b *backend) pathLoginAliasLookahead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
func (b *backend) pathLoginAliasLookahead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
username := strings.ToLower(d.Get("username").(string))
username := d.Get("username").(string)
if username == "" {
if username == "" {
return nil, fmt.Errorf("missing username")
return nil, fmt.Errorf("missing username")
}
}
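Review bot: The contract behind `username := d.Get("username").(string)` is undocumented: the commit message says the locked-user storage entry is keyed by this alias name, so the value returned here must match the alias name that the real login handler (`pathLogin`, outside this hunk) attaches to its response, and nothing on the line says so. If `pathLogin` still lowercases the username (cannot be confirmed from this page), the two names will diverge again for mixed-case input and the unlock path will miss the entry; if it does not, `bsmith` and `bSmith` become independently tracked lockout states, which is the behaviour the accompanying test exercises and should be stated as intended. Suggest a comment above the line: `// Return the username as supplied: core keys the locked-user entry by this alias name, so it must match the alias pathLogin returns.` A unit test asserting that both handlers yield the same alias name for a mixed-case username would pin that relationship.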
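--- a/PATH_NOT_SHOWN_changelog
+++ b/PATH_NOT_SHOWN_changelog
@@ -0,0 +1,4 @@
+```release-note:bug
+core: removes strings.ToLower for alias name from pathLoginAliasLookahead function in userpass. This fixes
+the storage entry for locked users by having the correct alias name in path.
+``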
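--- a/PATH_NOT_SHOWN_test
+++ b/PATH_NOT_SHOWN_test
@@ -374,6 +374,13 @@ func TestIdentityStore_UnlockUserTest(t *testing.T) {
 		t.Fatal(err)
 	}
 
+	// create another user for userpass with a different case
+	if _, err = standby.Logical().Write("auth/userpass/users/bSmith", map[string]interface{}{
+		"password": "training",
+	}); err != nil {
+		t.Fatal(err)
+	}
+
 	// login failure count 1
 	standby.Logical().Write("auth/userpass/login/bsmith", map[string]interface{}{
 		"password": "wrongPassword",
@@ -404,6 +411,36 @@ func TestIdentityStore_UnlockUserTest(t *testing.T) {
 		t.Fatal("expected login to succeed as user is unlocked")
 	}
 
+	// login failure count 1 for user bSmith
+	standby.Logical().Write("auth/userpass/login/bSmith", map[string]interface{}{
+		"password": "wrongPassword",
+	})
+	// login failure count 2 for user bSmith
+	standby.Logical().Write("auth/userpass/login/bSmith", map[string]interface{}{
+		"password": "wrongPassword",
+	})
+	// login : permission denied as user locked out for user bSmith
+	if _, err = standby.Logical().Write("auth/userpass/login/bSmith", map[string]interface{}{
+		"password": "training",
+	}); err == nil {
+		t.Fatal("expected login to fail as user locked out")
+	}
+	if !strings.Contains(err.Error(), logical.ErrPermissionDenied.Error()) {
+		t.Fatalf("expected to see permission denied error as user locked out, got %v", err)
+	}
+
+	// unlock user bSmith
+	if _, err = standby.Logical().Write("sys/locked-users/"+mountAccessor+"/unlock/bSmith", nil); err != nil {
+		t.Fatal(err)
+	}
+
+	// login: should be successful as user bSmith unlocked
+	if _, err = standby.Logical().Write("auth/userpass/login/bSmith", map[string]interface{}{
+		"password": "training",
+	}); err != nil {
+		t.Fatal("expected login to succeed as user is unlocked")
+	}
+
 	// unlock unlocked user
 	if _, err = active.Logical().Write("sys/locked-users/mountAccessor/unlock/bsmith", nil); err != nil {
 		t.Fatal(err)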
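Review bot: The two wrong-password logins added for `bSmith` (`standby.Logical().Write("auth/userpass/login/bSmith", ...)` with `"password": "wrongPassword"`) discard the returned error, so the test never verifies that those attempts actually failed; if one unexpectedly succeeded the lockout counter would not advance and the later `expected login to fail as user locked out` failure would point at the wrong cause. Capture each result: `if _, err = standby.Logical().Write("auth/userpass/login/bSmith", map[string]interface{}{"password": "wrongPassword"}); err == nil { t.Fatal("expected wrong-password login to fail") }`. The pre-existing `bsmith` attempts in the earlier hunk of this file have the same gap, though the commit does not touch them. Separately, the new unlock builds its path from the `mountAccessor` variable while the adjacent existing line uses the literal segment `mountAccessor` in `"sys/locked-users/mountAccessor/unlock/bsmith"`; worth confirming that literal is intentional, since it reads like a missed variable and an unlock against a nonexistent accessor succeeding would not prove anything. The enclosing test function continues outside this hunk.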