open-vault/internalshared/configutil/userlockout.go

194 lines
7.8 KiB
Go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package configutil
import (
"errors"
"fmt"
"strconv"
"strings"
"time"
"github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/hcl"
"github.com/hashicorp/hcl/hcl/ast"
)
const (
UserLockoutThresholdDefault = 5
UserLockoutDurationDefault = 15 * time.Minute
UserLockoutCounterResetDefault = 15 * time.Minute
DisableUserLockoutDefault = false
)
type UserLockout struct {
Type string
LockoutThreshold uint64 `hcl:"-"`
LockoutThresholdRaw interface{} `hcl:"lockout_threshold"`
LockoutDuration time.Duration `hcl:"-"`
LockoutDurationRaw interface{} `hcl:"lockout_duration"`
LockoutCounterReset time.Duration `hcl:"-"`
LockoutCounterResetRaw interface{} `hcl:"lockout_counter_reset"`
DisableLockout bool `hcl:"-"`
DisableLockoutRaw interface{} `hcl:"disable_lockout"`
}
func GetSupportedUserLockoutsAuthMethods() []string {
return []string{"userpass", "approle", "ldap"}
}
func ParseUserLockouts(result *SharedConfig, list *ast.ObjectList) error {
var err error
result.UserLockouts = make([]*UserLockout, 0, len(list.Items))
userLockoutsMap := make(map[string]*UserLockout)
for i, item := range list.Items {
var userLockoutConfig UserLockout
if err := hcl.DecodeObject(&userLockoutConfig, item.Val); err != nil {
return multierror.Prefix(err, fmt.Sprintf("userLockouts.%d:", i))
}
// Base values
{
switch {
case userLockoutConfig.Type != "":
case len(item.Keys) == 1:
userLockoutConfig.Type = strings.ToLower(item.Keys[0].Token.Value().(string))
default:
return multierror.Prefix(errors.New("auth type for user lockout must be specified, if it applies to all auth methods specify \"all\" "), fmt.Sprintf("user_lockouts.%d:", i))
}
userLockoutConfig.Type = strings.ToLower(userLockoutConfig.Type)
// Supported auth methods for user lockout configuration: ldap, approle, userpass
// "all" is used to apply the configuration to all supported auth methods
switch userLockoutConfig.Type {
case "all", "ldap", "approle", "userpass":
result.found(userLockoutConfig.Type, userLockoutConfig.Type)
default:
return multierror.Prefix(fmt.Errorf("unsupported auth type %q", userLockoutConfig.Type), fmt.Sprintf("user_lockouts.%d:", i))
}
}
// Lockout Parameters
// Not setting raw entries to nil here as soon as they are parsed
// as they are used to set the missing user lockout configuration values later.
{
if userLockoutConfig.LockoutThresholdRaw != nil {
userLockoutThresholdString := fmt.Sprintf("%v", userLockoutConfig.LockoutThresholdRaw)
if userLockoutConfig.LockoutThreshold, err = strconv.ParseUint(userLockoutThresholdString, 10, 64); err != nil {
return multierror.Prefix(fmt.Errorf("error parsing lockout_threshold: %w", err), fmt.Sprintf("user_lockouts.%d", i))
}
}
if userLockoutConfig.LockoutDurationRaw != nil {
if userLockoutConfig.LockoutDuration, err = parseutil.ParseDurationSecond(userLockoutConfig.LockoutDurationRaw); err != nil {
return multierror.Prefix(fmt.Errorf("error parsing lockout_duration: %w", err), fmt.Sprintf("user_lockouts.%d", i))
}
if userLockoutConfig.LockoutDuration < 0 {
return multierror.Prefix(errors.New("lockout_duration cannot be negative"), fmt.Sprintf("user_lockouts.%d", i))
}
}
if userLockoutConfig.LockoutCounterResetRaw != nil {
if userLockoutConfig.LockoutCounterReset, err = parseutil.ParseDurationSecond(userLockoutConfig.LockoutCounterResetRaw); err != nil {
return multierror.Prefix(fmt.Errorf("error parsing lockout_counter_reset: %w", err), fmt.Sprintf("user_lockouts.%d", i))
}
if userLockoutConfig.LockoutCounterReset < 0 {
return multierror.Prefix(errors.New("lockout_counter_reset cannot be negative"), fmt.Sprintf("user_lockouts.%d", i))
}
}
if userLockoutConfig.DisableLockoutRaw != nil {
if userLockoutConfig.DisableLockout, err = parseutil.ParseBool(userLockoutConfig.DisableLockoutRaw); err != nil {
return multierror.Prefix(fmt.Errorf("invalid value for disable_lockout: %w", err), fmt.Sprintf("user_lockouts.%d", i))
}
}
}
userLockoutsMap[userLockoutConfig.Type] = &userLockoutConfig
}
// Use raw entries to set values for user lockout configurations fields
// that were not configured using config file.
// The raw entries would mean that the entry was configured by the user using the config file.
// If any of these fields are not configured using the config file (missing fields),
// we set values for these fields with defaults
// The issue with not being able to use non-raw entries is because of fields lockout threshold
// and disable lockout. We cannot differentiate using non-raw entries if the user configured these fields
// with values (0 and false) or if the the user did not configure these values in config file at all.
// The raw fields are set to nil after setting missing values in setNilValuesForRawUserLockoutFields function
userLockoutsMap = setMissingUserLockoutValuesInMap(userLockoutsMap)
for _, userLockoutValues := range userLockoutsMap {
result.UserLockouts = append(result.UserLockouts, userLockoutValues)
}
return nil
}
// setUserLockoutValueAllInMap sets default user lockout values for key "all" (all auth methods)
// for user lockout fields that are not configured using config file
func setUserLockoutValueAllInMap(userLockoutAll *UserLockout) *UserLockout {
if userLockoutAll.Type == "" {
userLockoutAll.Type = "all"
}
if userLockoutAll.LockoutThresholdRaw == nil {
userLockoutAll.LockoutThreshold = UserLockoutThresholdDefault
}
if userLockoutAll.LockoutDurationRaw == nil {
userLockoutAll.LockoutDuration = UserLockoutDurationDefault
}
if userLockoutAll.LockoutCounterResetRaw == nil {
userLockoutAll.LockoutCounterReset = UserLockoutCounterResetDefault
}
if userLockoutAll.DisableLockoutRaw == nil {
userLockoutAll.DisableLockout = DisableUserLockoutDefault
}
return setNilValuesForRawUserLockoutFields(userLockoutAll)
}
// setDefaultUserLockoutValuesInMap sets missing user lockout fields for auth methods
// with default values (from key "all") that are not configured using config file
func setMissingUserLockoutValuesInMap(userLockoutsMap map[string]*UserLockout) map[string]*UserLockout {
// set values for "all" key with default values for "all" user lockout fields that are not configured
// the "all" key values will be used as default values for other auth methods
userLockoutAll, ok := userLockoutsMap["all"]
switch ok {
case true:
userLockoutsMap["all"] = setUserLockoutValueAllInMap(userLockoutAll)
default:
userLockoutsMap["all"] = setUserLockoutValueAllInMap(&UserLockout{})
}
for _, userLockoutAuth := range userLockoutsMap {
if userLockoutAuth.Type == "all" {
continue
}
// set missing values
if userLockoutAuth.LockoutThresholdRaw == nil {
userLockoutAuth.LockoutThreshold = userLockoutsMap["all"].LockoutThreshold
}
if userLockoutAuth.LockoutDurationRaw == nil {
userLockoutAuth.LockoutDuration = userLockoutsMap["all"].LockoutDuration
}
if userLockoutAuth.LockoutCounterResetRaw == nil {
userLockoutAuth.LockoutCounterReset = userLockoutsMap["all"].LockoutCounterReset
}
if userLockoutAuth.DisableLockoutRaw == nil {
userLockoutAuth.DisableLockout = userLockoutsMap["all"].DisableLockout
}
userLockoutAuth = setNilValuesForRawUserLockoutFields(userLockoutAuth)
userLockoutsMap[userLockoutAuth.Type] = userLockoutAuth
}
return userLockoutsMap
}
// setNilValuesForRawUserLockoutFields sets nil values for user lockout Raw fields
func setNilValuesForRawUserLockoutFields(userLockout *UserLockout) *UserLockout {
userLockout.LockoutThresholdRaw = nil
userLockout.LockoutDurationRaw = nil
userLockout.LockoutCounterResetRaw = nil
userLockout.DisableLockoutRaw = nil
return userLockout
}