Skip to content

Commit

Permalink
Code optimization, if the mfa is disabled now only one username/passw…
Browse files Browse the repository at this point in the history 
…ord verification is done
  • Loading branch information
@MDeLuise @Coduz
MDeLuise authored and Coduz committed Aug 3, 2021
1 parent 6114f84 commit 661c223
Showing 1 changed file with 25 additions and 5 deletions.
30 changes: 25 additions & 5 deletions ...ava/org/eclipse/kapua/service/authentication/shiro/realm/UserPassAuthenticatingRealm.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.ExpiredCredentialsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;
Expand All @@ -45,6 +46,9 @@
import org.eclipse.kapua.service.user.UserService;
import org.eclipse.kapua.service.user.UserStatus;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.util.Date;
import java.util.Map;

Expand All @@ -55,6 +59,7 @@
*/
public class UserPassAuthenticatingRealm extends AuthenticatingRealm {

private static final Logger logger = LoggerFactory.getLogger(UserPassAuthenticatingRealm.class);
private static final KapuaLocator LOCATOR = KapuaLocator.getInstance();
/**
* Realm name
Expand Down Expand Up @@ -217,29 +222,44 @@ protected void assertCredentialsMatch(AuthenticationToken authcToken, Authentica
KapuaId userId = kapuaInfo.getUser().getId();
KapuaId scopeId = kapuaInfo.getUser().getScopeId();
boolean hasMfa = false;
boolean userAndPasswordMatch = ((UserPassCredentialsMatcher) getCredentialsMatcher()).doUsernameAndPasswordMatch(authcToken, info);
boolean checkedUsernameAndPasswordMatch = false;
boolean userPasswordMatch = true;
try {
if (KapuaSecurityUtils.doPrivileged(() -> mfaOptionService.findByUserId(userId, scopeId) != null)) {
hasMfa = true;
}
} catch (KapuaException e) {
e.printStackTrace();
logger.warn(e.toString());
throw new ShiroException("Error while find user!", e);
}

final boolean hasMfaAndUserPasswordMatch = hasMfa && userAndPasswordMatch;
try {
super.assertCredentialsMatch(authcToken, info);
if (hasMfa) {
super.assertCredentialsMatch(authcToken, info);
} else {
userPasswordMatch = ((UserPassCredentialsMatcher) getCredentialsMatcher()).doUsernameAndPasswordMatch(authcToken, info);
checkedUsernameAndPasswordMatch = true;
if (!userPasswordMatch) {
String msg = "Submitted credentials for token [" + authcToken + "] did not match the expected credentials.";
throw new IncorrectCredentialsException(msg);
}
}
} catch (AuthenticationException authenticationEx) {
try {
Credential failedCredential = (Credential) kapuaInfo.getCredentials();
userPasswordMatch = checkedUsernameAndPasswordMatch ?
userPasswordMatch : ((UserPassCredentialsMatcher) getCredentialsMatcher()).doUsernameAndPasswordMatch(authcToken, info);
final boolean hasMfaAndUserPasswordMatch = hasMfa && userPasswordMatch;
KapuaSecurityUtils.doPrivileged(() -> {
Map<String, Object> credentialServiceConfig = kapuaInfo.getCredentialServiceConfig();
boolean lockoutPolicyEnabled = (boolean) credentialServiceConfig.get("lockoutPolicy.enabled");
if (lockoutPolicyEnabled) {
Date now = new Date();
int resetAfterSeconds = (int)credentialServiceConfig.get("lockoutPolicy.resetAfter");
Date firstLoginFailure;
boolean resetAttempts = failedCredential.getFirstLoginFailure() == null || now.after(failedCredential.getLoginFailuresReset()) || hasMfaAndUserPasswordMatch;
boolean resetAttempts = failedCredential.getFirstLoginFailure() == null ||
now.after(failedCredential.getLoginFailuresReset()) ||
hasMfaAndUserPasswordMatch;
if (resetAttempts) {
firstLoginFailure = now;
failedCredential.setLoginFailures(1);
Expand Down

0 comments on commit 661c223

Please sign in to comment.