Only authenticate logins when password is set (#13147)

* auth: never authenticate passwords shorter than 4 chars. * auth: refactoring password length check. * auth: does not authenticate when password is empty. * auth: removes unneccesary change.

Only authenticate logins when password is set (#13147)
* auth: never authenticate passwords shorter than 4 chars. * auth: refactoring password length check. * auth: does not authenticate when password is empty. * auth: removes unneccesary change.
275f6130 · Leonard Gram · Torkel Ödegaard · c9ae585d · 275f6130 · 275f6130
Commit 275f6130 authored Sep 05, 2018 by Leonard Gram Committed by Torkel Ödegaard Sep 05, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 1 deletions

pkg/login/auth.go
+12 -1

pkg/login/auth_test.go
+18 -0

No files found.
--- a/pkg/login/auth.go
+++ b/pkg/login/auth.go
@@ -2,7 +2,6 @@ package login

 import (
 	"errors"
-
 	"github.com/grafana/grafana/pkg/bus"
 	m "github.com/grafana/grafana/pkg/models"
 )
@@ -14,6 +13,7 @@ var (
 	ErrProviderDeniedRequest = errors.New("Login provider denied login request")
 	ErrSignUpNotAllowed      = errors.New("Signup is not allowed for this adapter")
 	ErrTooManyLoginAttempts  = errors.New("Too many consecutive incorrect login attempts for user. Login for user temporarily blocked")
+	ErrPasswordEmpty         = errors.New("No password provided.")
 	ErrUsersQuotaReached     = errors.New("Users quota reached")
 	ErrGettingUserQuota      = errors.New("Error getting user quota")
 )
@@ -28,6 +28,10 @@ func AuthenticateUser(query *m.LoginUserQuery) error {
 		return err
 	}

+	if err := validatePasswordSet(query.Password); err != nil {
+		return err
+	}
+
 	err := loginUsingGrafanaDB(query)
 	if err == nil || (err != m.ErrUserNotFound && err != ErrInvalidCredentials) {
 		return err
@@ -52,3 +56,10 @@ func AuthenticateUser(query *m.LoginUserQuery) error {

 	return err
 }
+func validatePasswordSet(password string) error {
+	if len(password) == 0 {
+		return ErrPasswordEmpty
+	}
+
+	return nil
+}
--- a/pkg/login/auth_test.go
+++ b/pkg/login/auth_test.go
@@ -10,6 +10,24 @@ import (

 func TestAuthenticateUser(t *testing.T) {
 	Convey("Authenticate user", t, func() {
+		authScenario("When a user authenticates without setting a password", func(sc *authScenarioContext) {
+			mockLoginAttemptValidation(nil, sc)
+			mockLoginUsingGrafanaDB(nil, sc)
+			mockLoginUsingLdap(false, nil, sc)
+
+			loginQuery := m.LoginUserQuery{
+				Username: "user",
+				Password: "",
+			}
+			err := AuthenticateUser(&loginQuery)
+
+			Convey("login should fail", func() {
+				So(sc.grafanaLoginWasCalled, ShouldBeFalse)
+				So(sc.ldapLoginWasCalled, ShouldBeFalse)
+				So(err, ShouldEqual, ErrPasswordEmpty)
+			})
+		})
+
 		authScenario("When a user authenticates having too many login attempts", func(sc *authScenarioContext) {
 			mockLoginAttemptValidation(ErrTooManyLoginAttempts, sc)
 			mockLoginUsingGrafanaDB(nil, sc)