Vault 8305 Prevent Brute Forcing in Auth methods : Setting user lockout configuration (#17338)

* config file changes * lockout config changes * auth tune r/w and auth tune * removing changes at enable * removing q.Q * go mod tidy * removing comments * changing struct name for config file * fixing mount tune * adding test file for user lockout * fixing comments and add changelog * addressing comments * fixing mount table updates * updating consts in auth_tune * small fixes * adding hcl parse test * fixing config compare * fixing github comments * optimize userlockouts.go * fixing test * minor changes * adding comments * adding sort to flaky test * fix flaky test
2025-10-31 02:28:09 +00:00 · 2022-11-01 11:02:07 -07:00
parent 80c2dec816
commit 746b089472
14 changed files with 624 additions and 38 deletions
--- a/command/server/config_test_helpers.go
+++ b/command/server/config_test_helpers.go
@@ -3,6 +3,7 @@ package server
 import (
 	"fmt"
 	"reflect"
+	"sort"
 	"strings"
 	"testing"
 	"time"
@@ -892,6 +893,67 @@ listener "tcp" {
 	}
 }

+func testParseUserLockouts(t *testing.T) {
+	obj, _ := hcl.Parse(strings.TrimSpace(`
+	user_lockout "all" {
+		lockout_duration = "40m"
+		lockout_counter_reset = "45m"
+		disable_lockout = "false"
+	}
+	  user_lockout "userpass" {
+	     lockout_threshold = "100"
+	     lockout_duration = "20m"
+	  }
+	  user_lockout "ldap" {
+		disable_lockout = "true"
+	 }`))
+
+	config := Config{
+		SharedConfig: &configutil.SharedConfig{},
+	}
+	list, _ := obj.Node.(*ast.ObjectList)
+	objList := list.Filter("user_lockout")
+	configutil.ParseUserLockouts(config.SharedConfig, objList)
+
+	sort.Slice(config.SharedConfig.UserLockouts[:], func(i, j int) bool {
+		return config.SharedConfig.UserLockouts[i].Type < config.SharedConfig.UserLockouts[j].Type
+	})
+
+	expected := &Config{
+		SharedConfig: &configutil.SharedConfig{
+			UserLockouts: []*configutil.UserLockout{
+				{
+					Type:                "all",
+					LockoutThreshold:    5,
+					LockoutDuration:     2400000000000,
+					LockoutCounterReset: 2700000000000,
+					DisableLockout:      false,
+				},
+				{
+					Type:                "userpass",
+					LockoutThreshold:    100,
+					LockoutDuration:     1200000000000,
+					LockoutCounterReset: 2700000000000,
+					DisableLockout:      false,
+				},
+				{
+					Type:                "ldap",
+					LockoutThreshold:    5,
+					LockoutDuration:     2400000000000,
+					LockoutCounterReset: 2700000000000,
+					DisableLockout:      true,
+				},
+			},
+		},
+	}
+
+	sort.Slice(expected.SharedConfig.UserLockouts[:], func(i, j int) bool {
+		return expected.SharedConfig.UserLockouts[i].Type < expected.SharedConfig.UserLockouts[j].Type
+	})
+	config.Prune()
+	require.Equal(t, config, *expected)
+}
+
 func testParseSockaddrTemplate(t *testing.T) {
 	config, err := ParseConfig(`
 api_addr = <<EOF