Vault 8305 Prevent Brute Forcing in Auth methods : Setting user lockout configuration #17338
Conversation
akshya96
changed the title
akshya96
changed the title
akshya96
requested review from
raskchanky,
ncabatoff,
mpalmi,
VioletHynes,
hghaf099 and
ccapurso
| } | ||
|
|
||
| } | ||
| if userLockoutConfig.DisableLockoutRaw != nil { |
There was a problem hiding this comment.
The raw entries in this function are parsed if they are non-nil. I believe we have this practice in parsing config options that if a raw entry is parsed, it is being set to nil afterwards. Would you think doing the same would be better for consistency? I do notice that these raw values are relied upon to set default values in setMissingUserLockoutValuesInMap function. But, those logics could be changed to checking the non-raw entries and if they have not set before, setting them to the default values.
There was a problem hiding this comment.
Yes, I agree that the usual way is to set nil for 'raw' values as soon as they are parsed. The issue with checking non-raw entries is because of fields lockout threshold (uint) and disable lockout (bool). It will be difficult to figure out if the user configured lockout threshold with value 0 or if the user did not configure this value at all. In case of other configurations like Listeners, we append values after the parse but in this case, we parse through the map values to set default values for each "type" mentioned in config in result.UserLockouts.
There was a problem hiding this comment.
One way to get away from this is set these values to defaults before parsing raw values. But, I guess then there are values that are populated by all type.
| switch apiuserLockoutConfig.LockoutCounterResetDuration { | ||
| case "": | ||
| newUserLockoutCounterReset = oldUserLockoutCounterReset | ||
| case "system": |
There was a problem hiding this comment.
Just out of curiosity, what does "system" mean here? Why would the value for counter reset be passed in as system?
There was a problem hiding this comment.
And, Is there a default value for the counter reset? or time.Duration(0) is the default value?
There was a problem hiding this comment.
In command/auth_tune.go , we set lockout duration as LockoutDuration = ttlToAPI(c.flagUserLockoutDuration). ttlToApi converts user-supplied ttl into an API-compatible string. If the TTL is 0, this returns the empty string. If the TTL is negative, this returns "system" to indicate to use the system values. Otherwise, the time.Duration ttl is used. In the api part, if we do not have any values for this string, we use the already existing values that is present in the entry. If the string is system, we set time.Duration(0) else we use the input ttl.
There was a problem hiding this comment.
Yes, we have a default value of 15 minutes for lockout duration and lockout counter reset if not configured by the user using config file / auth tune.
| } | ||
|
|
||
| } | ||
| if userLockoutConfig.DisableLockoutRaw != nil { |
There was a problem hiding this comment.
One way to get away from this is set these values to defaults before parsing raw values. But, I guess then there are values that are populated by all type.
| { | ||
| Type: "all", | ||
| LockoutThreshold: 5, | ||
| LockoutThresholdRaw: nil, |
There was a problem hiding this comment.
nit: Would you think removing the nil values here would help readability? Seems like they are unnecessary.
There was a problem hiding this comment.
The test would failed if we remove this as it compares with what the values in SharedConfig would look like.
There was a problem hiding this comment.
I see. I am curious to know what is the failure. The zero value for an interface is nil, so if you don't set it nil explicitly, it should still be nil, no?
There was a problem hiding this comment.
Sorry, the test was flaky before and the comparison failed for config and expected config sometimes due to arrangement of array elements. When I removed raw entries then, the comparison failed and I felt it was because of that. I think the flaky test fix fixed that and on removing the nil fields, the comparison is successful.
| @@ -0,0 +1,3 @@ | |||
| ```release-note:feature | |||
| core: Add user lockout field to config and configuring this for auth mount using auth tune to prevent brute forcing in auth methods | |||
There was a problem hiding this comment.
@akshya96 - I left a comment on the enterprise PR as well - for new features, they only need one changelog entry per new feature. If you want to make separate changelog entries per PR, those entries shouldn't be in the "features" section (and you may or may not need to make separate additional changelog entries).
For new features, they have a different format for changelog entries. Could you please open a new PR (or use the enterprise PR) to consolidate the changelog entries for this feature and change the formatting?
…ut configuration (hashicorp#17338) * config file changes * lockout config changes * auth tune r/w and auth tune * removing changes at enable * removing q.Q * go mod tidy * removing comments * changing struct name for config file * fixing mount tune * adding test file for user lockout * fixing comments and add changelog * addressing comments * fixing mount table updates * updating consts in auth_tune * small fixes * adding hcl parse test * fixing config compare * fixing github comments * optimize userlockouts.go * fixing test * minor changes * adding comments * adding sort to flaky test * fix flaky test
Jira: https://hashicorp.atlassian.net/browse/VAULT-8305
RFC: https://docs.google.com/document/d/1ypCRDMrjmKkElN51PcRSHJtyYNmolhdTu_M_EkPPv5U/edit?usp=sharing
Includes:
Adding user lockout configuration for each auth method using config file
Modifying user lockout configuration for each auth mount using auth tune cli and api
Example of user lockout in config file:
user_lockout "all" {
lockout_threshold = "25"
lockout_duration = "40m"
lockout_counter_reset = "45m"
disable_lockout = "false"
}
user_lockout "userpass" {
lockout_threshold = "100"
lockout_duration = "20m"
}