188 lines
7.3 KiB
Python
188 lines
7.3 KiB
Python
"""Redis-backed brute-force protections for authentication login requests."""
|
|
|
|
from __future__ import annotations
|
|
|
|
from dataclasses import dataclass
|
|
import logging
|
|
|
|
from redis.exceptions import RedisError
|
|
|
|
from app.core.config import Settings, get_settings
|
|
from app.services.authentication import normalize_username
|
|
from app.worker.queue import get_redis
|
|
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
USERNAME_SUBJECT_KIND = "username"
|
|
IP_SUBJECT_KIND = "ip"
|
|
UNKNOWN_USERNAME_SUBJECT = "unknown-username"
|
|
UNKNOWN_IP_SUBJECT = "unknown-ip"
|
|
|
|
|
|
@dataclass(frozen=True)
|
|
class LoginThrottlePolicy:
|
|
"""Captures login throttle policy values resolved from runtime settings."""
|
|
|
|
failure_limit: int
|
|
failure_window_seconds: int
|
|
lockout_base_seconds: int
|
|
lockout_max_seconds: int
|
|
|
|
|
|
@dataclass(frozen=True)
|
|
class LoginThrottleStatus:
|
|
"""Represents whether login attempts are currently throttled and retry metadata."""
|
|
|
|
is_throttled: bool
|
|
retry_after_seconds: int = 0
|
|
|
|
|
|
def _bounded_int(value: int, *, minimum: int, maximum: int) -> int:
|
|
"""Clamps one integer value to an inclusive minimum and maximum range."""
|
|
|
|
return max(minimum, min(maximum, int(value)))
|
|
|
|
|
|
def _resolve_policy(settings: Settings) -> LoginThrottlePolicy:
|
|
"""Resolves login throttle policy from settings with defensive value bounds."""
|
|
|
|
failure_limit = _bounded_int(settings.auth_login_failure_limit, minimum=1, maximum=1000)
|
|
failure_window_seconds = _bounded_int(settings.auth_login_failure_window_seconds, minimum=30, maximum=86400)
|
|
lockout_base_seconds = _bounded_int(settings.auth_login_lockout_base_seconds, minimum=1, maximum=3600)
|
|
lockout_max_seconds = _bounded_int(settings.auth_login_lockout_max_seconds, minimum=1, maximum=86400)
|
|
if lockout_max_seconds < lockout_base_seconds:
|
|
lockout_max_seconds = lockout_base_seconds
|
|
return LoginThrottlePolicy(
|
|
failure_limit=failure_limit,
|
|
failure_window_seconds=failure_window_seconds,
|
|
lockout_base_seconds=lockout_base_seconds,
|
|
lockout_max_seconds=lockout_max_seconds,
|
|
)
|
|
|
|
|
|
def _normalize_login_identity(username: str, ip_address: str | None) -> tuple[str, str]:
|
|
"""Normalizes username and source IP identity values used by throttle storage keys."""
|
|
|
|
normalized_username = normalize_username(username) or UNKNOWN_USERNAME_SUBJECT
|
|
normalized_ip = (ip_address or "").strip()[:64] or UNKNOWN_IP_SUBJECT
|
|
return normalized_username, normalized_ip
|
|
|
|
|
|
def _identity_subjects(username: str, ip_address: str | None) -> tuple[tuple[str, str], tuple[str, str]]:
|
|
"""Builds the username and IP throttle subject tuples for one login attempt."""
|
|
|
|
normalized_username, normalized_ip = _normalize_login_identity(username, ip_address)
|
|
return (
|
|
(USERNAME_SUBJECT_KIND, normalized_username),
|
|
(IP_SUBJECT_KIND, normalized_ip),
|
|
)
|
|
|
|
|
|
def _failure_key(*, subject_kind: str, subject_value: str) -> str:
|
|
"""Builds the Redis key used to track failed login counts for one subject."""
|
|
|
|
return f"dcm:auth-login:fail:{subject_kind}:{subject_value}"
|
|
|
|
|
|
def _lock_key(*, subject_kind: str, subject_value: str) -> str:
|
|
"""Builds the Redis key used to store active lockout state for one subject."""
|
|
|
|
return f"dcm:auth-login:lock:{subject_kind}:{subject_value}"
|
|
|
|
|
|
def _next_lockout_seconds(*, failure_count: int, policy: LoginThrottlePolicy) -> int:
|
|
"""Computes exponential lockout duration when failed attempts exceed configured limit."""
|
|
|
|
if failure_count <= policy.failure_limit:
|
|
return 0
|
|
|
|
additional_failures = failure_count - policy.failure_limit - 1
|
|
lockout_seconds = policy.lockout_base_seconds
|
|
while additional_failures > 0 and lockout_seconds < policy.lockout_max_seconds:
|
|
lockout_seconds = min(policy.lockout_max_seconds, lockout_seconds * 2)
|
|
additional_failures -= 1
|
|
return lockout_seconds
|
|
|
|
|
|
def check_login_throttle(*, username: str, ip_address: str | None) -> LoginThrottleStatus:
|
|
"""Returns active login throttle status for the username and source IP identity tuple."""
|
|
|
|
redis_client = get_redis()
|
|
try:
|
|
retry_after_seconds = 0
|
|
for subject_kind, subject_value in _identity_subjects(username, ip_address):
|
|
subject_ttl = int(redis_client.ttl(_lock_key(subject_kind=subject_kind, subject_value=subject_value)))
|
|
if subject_ttl == -1:
|
|
retry_after_seconds = max(retry_after_seconds, 1)
|
|
elif subject_ttl > 0:
|
|
retry_after_seconds = max(retry_after_seconds, subject_ttl)
|
|
except RedisError as error:
|
|
raise RuntimeError("Login throttle backend unavailable") from error
|
|
|
|
return LoginThrottleStatus(
|
|
is_throttled=retry_after_seconds > 0,
|
|
retry_after_seconds=retry_after_seconds,
|
|
)
|
|
|
|
|
|
def record_failed_login_attempt(*, username: str, ip_address: str | None) -> int:
|
|
"""Records one failed login attempt and returns active lockout seconds, if any."""
|
|
|
|
settings = get_settings()
|
|
policy = _resolve_policy(settings)
|
|
normalized_username, normalized_ip = _normalize_login_identity(username, ip_address)
|
|
redis_client = get_redis()
|
|
|
|
try:
|
|
highest_failure_count = 0
|
|
active_lockout_seconds = 0
|
|
for subject_kind, subject_value in (
|
|
(USERNAME_SUBJECT_KIND, normalized_username),
|
|
(IP_SUBJECT_KIND, normalized_ip),
|
|
):
|
|
failure_key = _failure_key(subject_kind=subject_kind, subject_value=subject_value)
|
|
pipeline = redis_client.pipeline(transaction=True)
|
|
pipeline.incr(failure_key, 1)
|
|
pipeline.expire(failure_key, policy.failure_window_seconds + 5)
|
|
count_value, _ = pipeline.execute()
|
|
failure_count = int(count_value)
|
|
highest_failure_count = max(highest_failure_count, failure_count)
|
|
|
|
lockout_seconds = _next_lockout_seconds(failure_count=failure_count, policy=policy)
|
|
if lockout_seconds > 0:
|
|
redis_client.set(
|
|
_lock_key(subject_kind=subject_kind, subject_value=subject_value),
|
|
"1",
|
|
ex=lockout_seconds,
|
|
)
|
|
active_lockout_seconds = max(active_lockout_seconds, lockout_seconds)
|
|
except RedisError as error:
|
|
raise RuntimeError("Login throttle backend unavailable") from error
|
|
|
|
logger.warning(
|
|
"Authentication login failure: username=%s ip=%s failed_attempts=%s lockout_seconds=%s",
|
|
normalized_username,
|
|
normalized_ip,
|
|
highest_failure_count,
|
|
active_lockout_seconds,
|
|
)
|
|
return active_lockout_seconds
|
|
|
|
|
|
def clear_login_throttle(*, username: str, ip_address: str | None) -> None:
|
|
"""Clears username and source-IP login throttle state after successful authentication."""
|
|
|
|
normalized_username, normalized_ip = _normalize_login_identity(username, ip_address)
|
|
redis_client = get_redis()
|
|
keys = [
|
|
_failure_key(subject_kind=USERNAME_SUBJECT_KIND, subject_value=normalized_username),
|
|
_lock_key(subject_kind=USERNAME_SUBJECT_KIND, subject_value=normalized_username),
|
|
_failure_key(subject_kind=IP_SUBJECT_KIND, subject_value=normalized_ip),
|
|
_lock_key(subject_kind=IP_SUBJECT_KIND, subject_value=normalized_ip),
|
|
]
|
|
try:
|
|
redis_client.delete(*keys)
|
|
except RedisError as error:
|
|
raise RuntimeError("Login throttle backend unavailable") from error
|