Commit 275f6130 by Leonard Gram Committed by Torkel Ödegaard

Only authenticate logins when password is set (#13147)

* auth: never authenticate passwords shorter than 4 chars.

* auth: refactoring password length check.

* auth: does not authenticate when password is empty.

* auth: removes unnecessary change.
parent c9ae585d
...@@ -2,7 +2,6 @@ package login ...@@ -2,7 +2,6 @@ package login
import ( import (
"errors" "errors"
"github.com/grafana/grafana/pkg/bus" "github.com/grafana/grafana/pkg/bus"
m "github.com/grafana/grafana/pkg/models" m "github.com/grafana/grafana/pkg/models"
) )
...@@ -14,6 +13,7 @@ var ( ...@@ -14,6 +13,7 @@ var (
ErrProviderDeniedRequest = errors.New("Login provider denied login request") ErrProviderDeniedRequest = errors.New("Login provider denied login request")
ErrSignUpNotAllowed = errors.New("Signup is not allowed for this adapter") ErrSignUpNotAllowed = errors.New("Signup is not allowed for this adapter")
ErrTooManyLoginAttempts = errors.New("Too many consecutive incorrect login attempts for user. Login for user temporarily blocked") ErrTooManyLoginAttempts = errors.New("Too many consecutive incorrect login attempts for user. Login for user temporarily blocked")
ErrPasswordEmpty = errors.New("No password provided.")
ErrUsersQuotaReached = errors.New("Users quota reached") ErrUsersQuotaReached = errors.New("Users quota reached")
ErrGettingUserQuota = errors.New("Error getting user quota") ErrGettingUserQuota = errors.New("Error getting user quota")
) )
...@@ -28,6 +28,10 @@ func AuthenticateUser(query *m.LoginUserQuery) error { ...@@ -28,6 +28,10 @@ func AuthenticateUser(query *m.LoginUserQuery) error {
return err return err
} }
if err := validatePasswordSet(query.Password); err != nil {
return err
}
err := loginUsingGrafanaDB(query) err := loginUsingGrafanaDB(query)
if err == nil || (err != m.ErrUserNotFound && err != ErrInvalidCredentials) { if err == nil || (err != m.ErrUserNotFound && err != ErrInvalidCredentials) {
return err return err
...@@ -52,3 +56,10 @@ func AuthenticateUser(query *m.LoginUserQuery) error { ...@@ -52,3 +56,10 @@ func AuthenticateUser(query *m.LoginUserQuery) error {
return err return err
} }
func validatePasswordSet(password string) error {
if len(password) == 0 {
return ErrPasswordEmpty
}
return nil
}
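Review bot: The new validatePasswordSet function at the end of this hunk carries no doc comment explaining why an empty password must be refused before any provider is consulted, and that reason is the security-relevant part of the change. I would add `// validatePasswordSet rejects an empty password up front so it never reaches a backend: an empty credential handed to an external bind (LDAP is one of the providers mocked in the tests) may be accepted as an unauthenticated/anonymous bind instead of failing.` The LDAP behaviour is inferred from the loginUsingLdap mock in the test file rather than from this hunk, so confirm it against the LDAP client before committing to that wording. Separately, `ErrPasswordEmpty = errors.New("No password provided.")` in the first hunk ends with a period unlike the sibling sentinels; use `errors.New("No password provided")` to match them. The `return err` / `}` at the top of this hunk is the tail of AuthenticateUser, whose body starts outside the hunk, so the placement of the new check relative to the login-attempt validation is only partly visible here.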
...@@ -10,6 +10,24 @@ import ( ...@@ -10,6 +10,24 @@ import (
func TestAuthenticateUser(t *testing.T) { func TestAuthenticateUser(t *testing.T) {
Convey("Authenticate user", t, func() { Convey("Authenticate user", t, func() {
authScenario("When a user authenticates without setting a password", func(sc *authScenarioContext) {
mockLoginAttemptValidation(nil, sc)
mockLoginUsingGrafanaDB(nil, sc)
mockLoginUsingLdap(false, nil, sc)
loginQuery := m.LoginUserQuery{
Username: "user",
Password: "",
}
err := AuthenticateUser(&loginQuery)
Convey("login should fail", func() {
So(sc.grafanaLoginWasCalled, ShouldBeFalse)
So(sc.ldapLoginWasCalled, ShouldBeFalse)
So(err, ShouldEqual, ErrPasswordEmpty)
})
})
authScenario("When a user authenticates having too many login attempts", func(sc *authScenarioContext) { authScenario("When a user authenticates having too many login attempts", func(sc *authScenarioContext) {
mockLoginAttemptValidation(ErrTooManyLoginAttempts, sc) mockLoginAttemptValidation(ErrTooManyLoginAttempts, sc)
mockLoginUsingGrafanaDB(nil, sc) mockLoginUsingGrafanaDB(nil, sc)