Brute forcing unlock user bug (#18890)

* brute forcing unlock user bug

* add changelog

* fix changelog
This commit is contained in:
akshya96 2023-01-30 13:06:10 -08:00 committed by GitHub
parent 20c1645329
commit 16ce923ddb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 42 additions and 1 deletions


@ -39,7 +39,7 @@ func pathLogin(b *backend) *framework.Path {
} }
func (b *backend) pathLoginAliasLookahead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) { func (b *backend) pathLoginAliasLookahead(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
username := strings.ToLower(d.Get("username").(string)) username := d.Get("username").(string)
if username == "" { if username == "" {
return nil, fmt.Errorf("missing username") return nil, fmt.Errorf("missing username")
} }
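Review bot: The new `username := d.Get("username").(string)` in pathLoginAliasLookahead drops the lowercasing while nothing in this hunk shows whether pathLogin and the user lookup still normalize case; pathLogin is outside the hunk, so this is unconfirmed. If the stored user and its entity alias are still resolved case-insensitively but the locked-user entry is now keyed on the name as typed, failed attempts against one account could be counted under differently-cased entries and `sys/locked-users/.../unlock/<name>` would clear only the entry whose case matches, so the normalization should be identical on both paths. A test that creates `bsmith`, fails logins as both `bsmith` and `bSmith`, and asserts a single lockout entry would pin this down. The reason for the change is not visible at the call site; add above the new line: `// Keep the username as given: the alias name must match the storage path key used for the locked-user entry.`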

changelog/18890.txt Normal file

@ -0,0 +1,4 @@
```release-note:bug
core: removes strings.ToLower for alias name from pathLoginAliasLookahead function in userpass. This fixes
the storage entry for locked users by having the correct alias name in path.
``


@ -374,6 +374,13 @@ func TestIdentityStore_UnlockUserTest(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
// create another user for userpass with a different case
if _, err = standby.Logical().Write("auth/userpass/users/bSmith", map[string]interface{}{
"password": "training",
}); err != nil {
t.Fatal(err)
}
// login failure count 1 // login failure count 1
standby.Logical().Write("auth/userpass/login/bsmith", map[string]interface{}{ standby.Logical().Write("auth/userpass/login/bsmith", map[string]interface{}{
"password": "wrongPassword", "password": "wrongPassword",
@ -404,6 +411,36 @@ func TestIdentityStore_UnlockUserTest(t *testing.T) {
t.Fatal("expected login to succeed as user is unlocked") t.Fatal("expected login to succeed as user is unlocked")
} }
// login failure count 1 for user bSmith
standby.Logical().Write("auth/userpass/login/bSmith", map[string]interface{}{
"password": "wrongPassword",
})
// login failure count 2 for user bSmith
standby.Logical().Write("auth/userpass/login/bSmith", map[string]interface{}{
"password": "wrongPassword",
})
// login : permission denied as user locked out for user bSmith
if _, err = standby.Logical().Write("auth/userpass/login/bSmith", map[string]interface{}{
"password": "training",
}); err == nil {
t.Fatal("expected login to fail as user locked out")
}
if !strings.Contains(err.Error(), logical.ErrPermissionDenied.Error()) {
t.Fatalf("expected to see permission denied error as user locked out, got %v", err)
}
// unlock user bSmith
if _, err = standby.Logical().Write("sys/locked-users/"+mountAccessor+"/unlock/bSmith", nil); err != nil {
t.Fatal(err)
}
// login: should be successful as user bSmith unlocked
if _, err = standby.Logical().Write("auth/userpass/login/bSmith", map[string]interface{}{
"password": "training",
}); err != nil {
t.Fatal("expected login to succeed as user is unlocked")
}
// unlock unlocked user // unlock unlocked user
if _, err = active.Logical().Write("sys/locked-users/mountAccessor/unlock/bsmith", nil); err != nil { if _, err = active.Logical().Write("sys/locked-users/mountAccessor/unlock/bsmith", nil); err != nil {
t.Fatal(err) t.Fatal(err)