Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VAULT-5422: Add rate limit for TOTP passcode attempts #14864

Merged
merged 12 commits into from
Apr 14, 2022
Merged

VAULT-5422: Add rate limit for TOTP passcode attempts #14864

merged 12 commits into from
Apr 14, 2022

Conversation

hghaf099
Copy link
Contributor

@hghaf099 hghaf099 commented Apr 3, 2022
edited

In this PR, we are adding a rate limit to the totp passcode validation. The default allowed number of totp failed passcode validations is set to 5. If the number of failed validations attempts exceeds the configured amount, the user is blocked for the amount of time equal to the totp period configuration. There is no backdoor process to reset the counter right now. If needed that could be added as well.
Addresses VAULT-5422

hghaf099
hghaf099 commented Apr 3, 2022
View reviewed changes
vault/login_mfa.go Outdated Show resolved Hide resolved
@vercel vercel bot temporarily deployed to Preview – vault-storybook April 3, 2022 17:24 Inactive
@vercel vercel bot temporarily deployed to Preview – vault April 3, 2022 17:27 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook April 3, 2022 17:27 Inactive
raskchanky
raskchanky reviewed Apr 5, 2022
View reviewed changes
changelog/14864.txt Outdated Show resolved Hide resolved
command/server/config.go Outdated Show resolved Hide resolved
vault/login_mfa.go Outdated Show resolved Hide resolved
vault/login_mfa.go Show resolved Hide resolved
vault/login_mfa.go Outdated Show resolved Hide resolved
mickael-hc
mickael-hc reviewed Apr 5, 2022
View reviewed changes
website/content/docs/auth/login-mfa/index.mdx Outdated Show resolved Hide resolved
vault/core.go Outdated Show resolved Hide resolved
vault/login_mfa.go Outdated Show resolved Hide resolved
vault/login_mfa.go Outdated Show resolved Hide resolved
vault/login_mfa.go Outdated Show resolved Hide resolved
@vercel vercel bot temporarily deployed to Preview – vault-storybook April 5, 2022 21:31 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook April 5, 2022 21:36 Inactive
@vercel vercel bot temporarily deployed to Preview – vault April 6, 2022 20:20 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook April 6, 2022 20:20 Inactive
@vercel vercel bot temporarily deployed to Preview – vault April 6, 2022 21:28 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook April 6, 2022 21:28 Inactive
@vercel vercel bot temporarily deployed to Preview – vault April 6, 2022 23:23 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook April 6, 2022 23:23 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook April 13, 2022 14:00 Inactive
raskchanky
raskchanky reviewed Apr 13, 2022
View reviewed changes
vault/external_tests/identity/login_mfa_totp_test.go Outdated Show resolved Hide resolved
vault/external_tests/identity/login_mfa_totp_test.go Outdated Show resolved Hide resolved
vault/external_tests/identity/login_mfa_totp_test.go Outdated Show resolved Hide resolved
vault/external_tests/identity/login_mfa_totp_test.go Outdated Show resolved Hide resolved
vault/login_mfa.go Outdated Show resolved Hide resolved
website/content/docs/auth/login-mfa/index.mdx Show resolved Hide resolved
@vercel vercel bot temporarily deployed to Preview – vault April 13, 2022 20:01 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook April 13, 2022 20:01 Inactive
@vercel vercel bot temporarily deployed to Preview – vault April 14, 2022 12:28 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook April 14, 2022 12:28 Inactive
@hghaf099 hghaf099 added this to the 1.10.1 milestone Apr 14, 2022
@hghaf099 hghaf099 merged commit 7b1aad0 into main Apr 14, 2022
@hghaf099 hghaf099 deleted the rate-limit-totp-verification branch April 14, 2022 17:48
Closed
hghaf099 added a commit that referenced this pull request Apr 14, 2022
@hghaf099
VAULT-5422: Add rate limit for TOTP passcode attempts (#14864)
765cefe 
* VAULT-5422: Add rate limit for TOTP passcode attempts

* fixing the docs

* CL

* feedback

* Additional info in doc

* rate limit is done per entity per methodID

* refactoring a test

* rate limit OSS work for policy MFA

* adding max_validation_attempts to TOTP config

* feedback

* checking for non-nil reference
hghaf099 added a commit that referenced this pull request Apr 15, 2022
@hghaf099
VAULT-5422: Add rate limit for TOTP passcode attempts (#14864) (#15049)
94d056c 
* VAULT-5422: Add rate limit for TOTP passcode attempts (#14864)

* VAULT-5422: Add rate limit for TOTP passcode attempts

* fixing the docs

* CL

* feedback

* Additional info in doc

* rate limit is done per entity per methodID

* refactoring a test

* rate limit OSS work for policy MFA

* adding max_validation_attempts to TOTP config

* feedback

* checking for non-nil reference

* remove WithContext functions from a test
kitography pushed a commit that referenced this pull request Apr 24, 2022
@hghaf099 @kitography
VAULT-5422: Add rate limit for TOTP passcode attempts (#14864)
3fe56cb 
* VAULT-5422: Add rate limit for TOTP passcode attempts

* fixing the docs

* CL

* feedback

* Additional info in doc

* rate limit is done per entity per methodID

* refactoring a test

* rate limit OSS work for policy MFA

* adding max_validation_attempts to TOTP config

* feedback

* checking for non-nil reference
schultz-is pushed a commit that referenced this pull request Apr 27, 2022
@hghaf099
VAULT-5422: Add rate limit for TOTP passcode attempts (#14864)
a2211ac 
* VAULT-5422: Add rate limit for TOTP passcode attempts

* fixing the docs

* CL

* feedback

* Additional info in doc

* rate limit is done per entity per methodID

* refactoring a test

* rate limit OSS work for policy MFA

* adding max_validation_attempts to TOTP config

* feedback

* checking for non-nil reference
@zofskeez zofskeez mentioned this pull request Apr 28, 2022
Merged
schultz-is pushed a commit that referenced this pull request May 2, 2022
@hghaf099
VAULT-5422: Add rate limit for TOTP passcode attempts (#14864)
9925c4d 
* VAULT-5422: Add rate limit for TOTP passcode attempts

* fixing the docs

* CL

* feedback

* Additional info in doc

* rate limit is done per entity per methodID

* refactoring a test

* rate limit OSS work for policy MFA

* adding max_validation_attempts to TOTP config

* feedback

* checking for non-nil reference
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@raskchanky raskchanky raskchanky approved these changes

@taoism4504 taoism4504 Awaiting requested review from taoism4504

@ncabatoff ncabatoff Awaiting requested review from ncabatoff

@mickael-hc mickael-hc Awaiting requested review from mickael-hc

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.10.1
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@hghaf099 @raskchanky @mickael-hc