Vault 8305 Prevent Brute Forcing in Auth methods : Setting user lockout configuration (#17338)

* config file changes * lockout config changes * auth tune r/w and auth tune * removing changes at enable * removing q.Q * go mod tidy * removing comments * changing struct name for config file * fixing mount tune * adding test file for user lockout * fixing comments and add changelog * addressing comments * fixing mount table updates * updating consts in auth_tune * small fixes * adding hcl parse test * fixing config compare * fixing github comments * optimize userlockouts.go * fixing test * minor changes * adding comments * adding sort to flaky test * fix flaky test
2025-10-30 18:17:55 +00:00 · 2022-11-01 11:02:07 -07:00
parent 80c2dec816
commit 746b089472
14 changed files with 624 additions and 38 deletions
--- a/command/commands.go
+++ b/command/commands.go
@@ -126,6 +126,14 @@ const (
 	flagNameAllowedManagedKeys = "allowed-managed-keys"
 	// flagNamePluginVersion selects what version of a plugin should be used.
 	flagNamePluginVersion = "plugin-version"
+	// flagNameUserLockoutThreshold is the flag name used for tuning the auth mount lockout threshold parameter
+	flagNameUserLockoutThreshold = "user-lockout-threshold"
+	// flagNameUserLockoutDuration is the flag name used for tuning the auth mount lockout duration parameter
+	flagNameUserLockoutDuration = "user-lockout-duration"
+	// flagNameUserLockoutCounterResetDuration is the flag name used for tuning the auth mount lockout counter reset parameter
+	flagNameUserLockoutCounterResetDuration = "user-lockout-counter-reset-duration"
+	// flagNameUserLockoutDisable is the flag name used for tuning the auth mount disable lockout parameter
+	flagNameUserLockoutDisable = "user-lockout-disable"
 	// flagNameDisableRedirects is used to prevent the client from honoring a single redirect as a response to a request
 	flagNameDisableRedirects = "disable-redirects"
 )