Vault-8306 User Lockout RPCs oss changes (#17765)

* adding oss file changes * updating changes from ent
2022-11-15 15:07:52 -08:00 · 2022-11-15 15:07:52 -08:00 · f3c9e98fd5
parent 94739c1af6
commit f3c9e98fd5
4 changed files with 41 additions and 0 deletions
--- a/vault/core.go
+++ b/vault/core.go
@ -519,6 +519,11 @@ type Core struct {
 	// pluginCatalog is used to manage plugin configurations
 	pluginCatalog *PluginCatalog

+	// The userFailedLoginInfo map has user failed login information.
+	// It has user information (alias-name and mount accessor) as a key
+	// and login counter, last failed login time as value
+	userFailedLoginInfo map[FailedLoginUser]*FailedLoginInfo
+
 	enableMlock bool

 	// This can be used to trigger operations to stop running when Vault is
@ -925,6 +930,7 @@ func CreateCore(conf *CoreConfig) (*Core, error) {
 		mountMigrationTracker:          &sync.Map{},
 		disableSSCTokens:               conf.DisableSSCTokens,
 		effectiveSDKVersion:            effectiveSDKVersion,
+		userFailedLoginInfo:            make(map[FailedLoginUser]*FailedLoginInfo),
 	}

 	c.standbyStopCh.Store(make(chan struct{}))
--- a/vault/mount.go
+++ b/vault/mount.go
@ -394,6 +394,16 @@ type APIMountConfig struct {
 	PluginName string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
 }

+type FailedLoginUser struct {
+	aliasName     string
+	mountAccessor string
+}
+
+type FailedLoginInfo struct {
+	count               uint
+	lastFailedLoginTime int
+}
+
 // Clone returns a deep copy of the mount entry
 func (e *MountEntry) Clone() (*MountEntry, error) {
 	cp, err := copystructure.Copy(e)
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@ -1815,6 +1815,23 @@ func (c *Core) RegisterAuth(ctx context.Context, tokenTTL time.Duration, path st
 	return nil
 }

+// GetUserFailedLoginInfo gets the failed login information for a user based on alias name and mountAccessor
+func (c *Core) GetUserFailedLoginInfo(ctx context.Context, userKey FailedLoginUser) *FailedLoginInfo {
+	return c.userFailedLoginInfo[userKey]
+}
+
+// UpdateUserFailedLoginInfo updates the failed login information for a user based on alias name and mountAccessor
+func (c *Core) UpdateUserFailedLoginInfo(ctx context.Context, userKey FailedLoginUser, failedLoginInfo FailedLoginInfo) error {
+	c.userFailedLoginInfo[userKey] = &failedLoginInfo
+
+	// check if the update worked
+	failedLoginResp := c.GetUserFailedLoginInfo(ctx, userKey)
+	if failedLoginResp == nil {
+		return fmt.Errorf("failed to update entry in userFailedLoginInfo map")
+	}
+	return nil
+}
+
 // PopulateTokenEntry looks up req.ClientToken in the token store and uses
 // it to set other fields in req.  Does nothing if ClientToken is empty
 // or a JWT token, or for service tokens that don't exist in the token store.
--- a/vault/request_handling_util.go
+++ b/vault/request_handling_util.go
@ -50,6 +50,14 @@ func getAuthRegisterFunc(c *Core) (RegisterAuthFunc, error) {
 	return c.RegisterAuth, nil
 }

+func getUserFailedLoginInfo(ctx context.Context, c *Core, userInfo FailedLoginUser) *FailedLoginInfo {
+	return c.GetUserFailedLoginInfo(ctx, userInfo)
+}
+
+func (c *Core) updateUserFailedLoginInfo(ctx context.Context, userInfo FailedLoginUser, failedLoginInfo FailedLoginInfo) error {
+	return c.UpdateUserFailedLoginInfo(ctx, userInfo, failedLoginInfo)
+}
+
 func possiblyForwardAliasCreation(ctx context.Context, c *Core, inErr error, auth *logical.Auth, entity *identity.Entity) (*identity.Entity, bool, error) {
 	return entity, false, inErr
 }