Trying to login with correct username and password but no otp does no…

…t increase the lockout error counter anymore
eclipse · Aug 3, 2021 · 34ae366 · 34ae366
1 parent f9dc165
commit 34ae366
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 3 deletions.
diff --git a/...ava/org/eclipse/kapua/service/authentication/shiro/realm/UserPassAuthenticatingRealm.java b/...ava/org/eclipse/kapua/service/authentication/shiro/realm/UserPassAuthenticatingRealm.java
@@ -28,6 +28,7 @@
 import org.eclipse.kapua.KapuaRuntimeException;
 import org.eclipse.kapua.commons.security.KapuaSecurityUtils;
 import org.eclipse.kapua.locator.KapuaLocator;
+import org.eclipse.kapua.model.id.KapuaId;
 import org.eclipse.kapua.service.account.Account;
 import org.eclipse.kapua.service.account.AccountService;
 import org.eclipse.kapua.service.authentication.UsernamePasswordCredentials;
@@ -36,6 +37,7 @@
 import org.eclipse.kapua.service.authentication.credential.CredentialService;
 import org.eclipse.kapua.service.authentication.credential.CredentialStatus;
 import org.eclipse.kapua.service.authentication.credential.CredentialType;
+import org.eclipse.kapua.service.authentication.credential.mfa.MfaOptionService;
 import org.eclipse.kapua.service.authentication.shiro.UsernamePasswordCredentialsImpl;
 import org.eclipse.kapua.service.authentication.shiro.exceptions.ExpiredAccountException;
 import org.eclipse.kapua.service.authentication.shiro.exceptions.TemporaryLockedAccountException;
@@ -211,6 +213,20 @@ protected void assertCredentialsMatch(AuthenticationToken authcToken, Authentica
             throws AuthenticationException {
         LoginAuthenticationInfo kapuaInfo = (LoginAuthenticationInfo) info;
         CredentialService credentialService = LOCATOR.getService(CredentialService.class);
+        MfaOptionService mfaOptionService = LOCATOR.getService(MfaOptionService.class);
+        KapuaId userId = kapuaInfo.getUser().getId();
+        KapuaId scopeId = kapuaInfo.getUser().getScopeId();
+        boolean hasMfa = false;
+        boolean userAndPasswordMatch = ((UserPassCredentialsMatcher) getCredentialsMatcher()).doUsernameAndPasswordMatch(authcToken, info);
+        try {
+            if (KapuaSecurityUtils.doPrivileged(() -> mfaOptionService.findByUserId(userId, scopeId) != null)) {
+                hasMfa = true;
+            }
+        } catch (KapuaException e) {
+            e.printStackTrace();
+        }
+
+        final boolean hasMfaAndUserPasswordMatch = hasMfa && userAndPasswordMatch;
         try {
             super.assertCredentialsMatch(authcToken, info);
         } catch (AuthenticationException authenticationEx) {
@@ -223,7 +239,7 @@ protected void assertCredentialsMatch(AuthenticationToken authcToken, Authentica
                         Date now = new Date();
                         int resetAfterSeconds = (int)credentialServiceConfig.get("lockoutPolicy.resetAfter");
                         Date firstLoginFailure;
-                        boolean resetAttempts = failedCredential.getFirstLoginFailure() == null || now.after(failedCredential.getLoginFailuresReset());
+                        boolean resetAttempts = failedCredential.getFirstLoginFailure() == null || now.after(failedCredential.getLoginFailuresReset()) || hasMfaAndUserPasswordMatch;
                         if (resetAttempts) {
                             firstLoginFailure = now;
                             failedCredential.setLoginFailures(1);
@@ -261,8 +277,8 @@ protected void assertCredentialsMatch(AuthenticationToken authcToken, Authentica
         }
         Subject currentSubject = SecurityUtils.getSubject();
         Session session = currentSubject.getSession();
-        session.setAttribute("scopeId", kapuaInfo.getUser().getScopeId());
-        session.setAttribute("userId", kapuaInfo.getUser().getId());
+        session.setAttribute("scopeId", userId);
+        session.setAttribute("userId", scopeId);
     }
 
     @Override

diff --git a/...java/org/eclipse/kapua/service/authentication/shiro/realm/UserPassCredentialsMatcher.java b/...java/org/eclipse/kapua/service/authentication/shiro/realm/UserPassCredentialsMatcher.java
@@ -166,4 +166,16 @@ public boolean doCredentialsMatch(AuthenticationToken authenticationToken, Authe
         return credentialMatch;
     }
 
+    public boolean doUsernameAndPasswordMatch(AuthenticationToken authenticationToken, AuthenticationInfo authenticationInfo) {
+        UsernamePasswordCredentials token = (UsernamePasswordCredentials) authenticationToken;
+        String tokenUsername = token.getUsername();
+        String tokenPassword = token.getPassword();
+        LoginAuthenticationInfo loginAuthInfo = (LoginAuthenticationInfo) authenticationInfo;
+        User infoUser = (User) loginAuthInfo.getPrincipals().getPrimaryPrincipal();
+        Credential infoCredential = (Credential) loginAuthInfo.getCredentials();
+        return tokenUsername.equals(infoUser.getName()) &&
+                CredentialType.PASSWORD.equals(infoCredential.getCredentialType()) &&
+                BCrypt.checkpw(tokenPassword, infoCredential.getCredentialKey());
+    }
+
 }