~ubuntu-branches/ubuntu/raring/trac-accountmanager/raring

Committer: Package Import Robot
Author(s): Leo Costela
Date: 2012-06-30 20:40:10 UTC
mfrom: (1.1.4)
mto: This revision was merged to the branch mainline in revision 7.
Revision ID: package-import@ubuntu.com-20120630204010-xyoy9dnabof4jsbo

http://bugs.debian.org/654292

* new upstream checkout (closes: #654292)
* convert to dh short style and "--with python2"
* bump dh compat to 9
* update watch file for new version (0.3.2 based on setup.py; no
official release)
* move packaging to git (dump old out-of-sync history)
* debian/control: bump policy to 3.9.3 (no changes)

files added:
.pc

.pc/.quilt_patches

.pc/.quilt_series

.pc/.version

README.hashes

acct_mgr-md5sums

acct_mgr-md5sums.sig

acct_mgr-sha1sums

acct_mgr-sha1sums.sig

acct_mgr/guard.py

acct_mgr/htdocs

acct_mgr/htdocs/acct_mgr.css

acct_mgr/htdocs/locked.png

acct_mgr/htdocs/time-locked.png

acct_mgr/locale

acct_mgr/locale/.placeholder

acct_mgr/locale/cs

acct_mgr/locale/cs/LC_MESSAGES

acct_mgr/locale/cs/LC_MESSAGES/acct_mgr.po

acct_mgr/locale/de

acct_mgr/locale/de/LC_MESSAGES

acct_mgr/locale/de/LC_MESSAGES/acct_mgr.po

acct_mgr/locale/es

acct_mgr/locale/es/LC_MESSAGES

acct_mgr/locale/es/LC_MESSAGES/acct_mgr.po

acct_mgr/locale/fr

acct_mgr/locale/fr/LC_MESSAGES

acct_mgr/locale/fr/LC_MESSAGES/acct_mgr.po

acct_mgr/locale/it

acct_mgr/locale/it/LC_MESSAGES

acct_mgr/locale/it/LC_MESSAGES/acct_mgr.po

acct_mgr/locale/ja

acct_mgr/locale/ja/LC_MESSAGES

acct_mgr/locale/ja/LC_MESSAGES/acct_mgr.po

acct_mgr/locale/messages.pot

acct_mgr/locale/nl

acct_mgr/locale/nl/LC_MESSAGES

acct_mgr/locale/nl/LC_MESSAGES/acct_mgr.po

acct_mgr/locale/ru

acct_mgr/locale/ru/LC_MESSAGES

acct_mgr/locale/ru/LC_MESSAGES/acct_mgr.po

acct_mgr/locale/sv

acct_mgr/locale/sv/LC_MESSAGES

acct_mgr/locale/sv/LC_MESSAGES/acct_mgr.po

acct_mgr/templates/account_details.html

changelog

contrib/signatures.py

contrib/style.css

files modified:
README

acct_mgr/admin.py

acct_mgr/api.py

acct_mgr/db.py

acct_mgr/hashlib_compat.py

acct_mgr/htfile.py

acct_mgr/http.py

acct_mgr/md5crypt.py

acct_mgr/notification.py

acct_mgr/pwhash.py

acct_mgr/svnserve.py

acct_mgr/templates/admin_accountsconfig.html

acct_mgr/templates/admin_accountsnotification.html

acct_mgr/templates/admin_users.html

acct_mgr/templates/login.html

acct_mgr/templates/prefs_account.html

acct_mgr/templates/register.html

acct_mgr/templates/reset_password.html

acct_mgr/templates/verify_email.html

acct_mgr/tests/db.py

acct_mgr/tests/htfile.py

acct_mgr/util.py

acct_mgr/web_ui.py

debian/README.source

debian/changelog

debian/compat

debian/control

debian/copyright

debian/rules

debian/watch

setup.cfg

setup.py

Show diffs side-by-side

added added

removed removed

acct_mgr/guard.py

# -*- coding: utf-8 -*-

# Author: Steffen Hoffmann <hoff.st@web.de>

from datetime import timedelta

from trac.config import Configuration, IntOption, Option

from trac.core import Component

from trac.util.datefmt import format_datetime, pretty_timedelta, \

to_datetime

try:

from trac.util.datefmt import to_utimestamp

except ImportError:

# Fallback for Trac 0.11 compatibility

from trac.util.datefmt import to_timestamp as to_utimestamp

from acct_mgr.api import AccountManager

class AccountGuard(Component):

"""The AccountGuard component protects against brute-force attacks

on user passwords.

It does so by adding logging of failed login attempts,

account status tracking and administative user account locking.

Configurable time-locks with exponential lock time prolongation

allow to balance graceful handling of failed login attempts and

reasonable protection against attempted brute-force attacks.

"""

login_attempt_max_count = IntOption(

'account-manager', 'login_attempt_max_count', 0,

doc="""Lock user account after specified number of login attempts.

Value zero means no limit.""")

user_lock_time = IntOption(

'account-manager', 'user_lock_time', '0',

doc="""Drop user account lock after specified time (seconds).

Value zero means unlimited lock time.""")

user_lock_max_time = IntOption(

'account-manager', 'user_lock_max_time', '86400',

doc="""Limit user account lock time to specified time (seconds).

This is relevant only with user_lock_time_progression > 1.""")

user_lock_time_progression = Option(

'account-manager', 'user_lock_time_progression', '1',

doc="""Extend user account lock time incrementally. This is

based on logarithmic calculation and decimal numbers accepted:

Value '1' means constant lock time per failed login attempt.

Value '2' means double locktime after 2nd lock activation,

four times the initial locktime after 3rd, and so on.""")

def __init__(self):

self.mgr = AccountManager(self.env)

# adjust related value to promote sane configurations

if not self.login_attempt_max_count > 0:

self.config.set('account-manager', 'user_lock_max_time', '0')

def failed_count(self, user, ipnr = None, reset = False):

"""Report number of previously logged failed login attempts.

Enforce login policy with regards to tracking of login attempts

and user account lock behavior.

Default `False` for reset value causes logging of another attempt.

`None` value for reset just reads failed login attempts count.

`True` value for reset triggers final log deletion.

"""

db = self.env.get_db_cnx()

cursor = db.cursor()

cursor.execute("""

SELECT value

FROM session_attribute

WHERE authenticated=1 AND

name='failed_logins_count' AND sid=%s

""", (user,))

count = None

for row in cursor:

count = eval(row[0])

break

if count is None:

count = 0

if reset is None:

# report failed attempts count

return count

if reset is not True:

# failed attempt logger

attempts = self.get_failed_log(user)

log_length = len(attempts)

if log_length > self.login_attempt_max_count:

# truncate attempts list

del attempts[:(log_length - self.login_attempt_max_count)]

attempts.append({'ipnr': ipnr,

'time': to_utimestamp(to_datetime(None))})

count += 1

# update or create existing attempts list

for key, value in [('failed_logins', str(attempts)),

('failed_logins_count', count)]:

sql = """

WHERE authenticated=1

100

AND name=%s

101

AND sid=%s

102

"""

103

cursor.execute("""

104

UPDATE session_attribute

105

SET value=%s

106

""" + sql, (value, key, user))

107

cursor.execute("""

108

SELECT value

109

FROM session_attribute

110

""" + sql, (key, user))

111

if cursor.fetchone() is None:

112

cursor.execute("""

113

INSERT

114

INTO session_attribute

115

(sid,authenticated,name,value)

116

VALUES (%s,1,%s,%s)

117

""", (user, key, value))

118

db.commit()

119

self.log.debug(

120

'AcctMgr:failed_count(%s): ' % user + str(count))

121

return count

122

else:

123

# delete existing attempts list

124

cursor.execute("""

125

DELETE

126

FROM session_attribute

127

WHERE authenticated=1

128

AND (name='failed_logins'

129

OR name='failed_logins_count')

130

AND sid=%s

131

""", (user,))

132

db.commit()

133

# delete lock count too

134

self.lock_count(user, 'reset')

135

return count

136

137

def get_failed_log(self, user):

138

"""Returns an iterable of previously logged failed login attempts.

139

140

Iterable content: {'ipnr': ipnr, 'time': posix_microsec_time_stamp}

141

"""

142

db = self.env.get_db_cnx()

143

cursor = db.cursor()

144

cursor.execute("""

145

SELECT value

146

FROM session_attribute

147

WHERE authenticated=1

148

AND name='failed_logins'

149

AND sid=%s

150

""", (user,))

151

# read list and add new attempt

152

attempts = []

153

for row in cursor:

154

attempts = eval(row[0])

155

break

156

return attempts

157

158

def lock_count(self, user, action = 'get'):

159

"""Count, log and report, how often in succession user account

160

lock conditions have been met.

161

162

This is the exponent for lock time prolongation calculation too.

163

"""

164

db = self.env.get_db_cnx()

165

cursor = db.cursor()

166

if not action == 'reset':

167

sql = """

168

WHERE authenticated=1

169

AND name='lock_count'

170

AND sid=%s

171

"""

172

cursor.execute("""

173

SELECT value

174

FROM session_attribute

175

""" + sql, (user,))

176

lock_count = None

177

for row in cursor:

178

lock_count = eval(row[0])

179

break

180

if action == 'get':

181

return (lock_count or 0)

182

else:

183

# push and update cached lock_count

184

if lock_count is None:

185

# create lock_count cache

186

cursor.execute("""

187

INSERT INTO session_attribute

188

(sid,authenticated,name,value)

189

VALUES (%s,1,'lock_count',%s)

190

""", (user, 1))

191

lock_count = 1

192

else:

193

lock_count += 1

194

cursor.execute("""

195

UPDATE session_attribute

196

SET value=%s

197

""" + sql, (lock_count, user))

198

db.commit()

199

return lock_count

200

else:

201

# reset/delete lock_count cache

202

cursor.execute("""

203

DELETE

204

FROM session_attribute

205

WHERE authenticated=1

206

AND name='lock_count'

207

AND sid=%s

208

""", (user,))

209

db.commit()

210

return 0

211

212

def lock_time(self, user, next = False):

213

"""Calculate current time-lock length a user.

214

"""

215

base = float(self.user_lock_time_progression)

216

lock_count = self.lock_count(user)

217

if not lock_count > 0:

218

return 0

219

else:

220

if next is False:

221

exponent = lock_count - 1

222

else:

223

exponent = lock_count

224

t_lock = self.user_lock_time * 1000000 * base ** exponent

225

# limit maximum lock time

226

t_lock_max = self.user_lock_max_time * 1000000

227

if t_lock > t_lock_max:

228

t_lock = t_lock_max

229

self.log.debug('AcctMgr:lock_time(%s): ' % user + str(t_lock))

230

return t_lock

231

232

def pretty_lock_time(self, user, next = False):

233

"""Convenience method for formatting lock time to string.

234

"""

235

t_lock = self.lock_time(user, next)

236

return (t_lock > 0) and pretty_timedelta(to_datetime(None) - \

237

timedelta(microseconds = t_lock)) or None

238

239

def pretty_release_time(self, req, user):

240

"""Convenience method for formatting lock time to string.

241

"""

242

ts_release = self.release_time(user)

243

if ts_release is None:

244

return None

245

return format_datetime(to_datetime(

246

self.release_time(user)), tzinfo=req.tz)

247

248

def release_time(self, user):

249

# logged attempts required for further checking

250

attempts = self.get_failed_log(user)

251

if len(attempts) > 0:

252

t_lock = self.lock_time(user)

253

if t_lock == 0:

254

return None

255

return (attempts[-1]['time'] + t_lock)

256

257

def user_locked(self, user):

258

"""Returns whether the user account is currently locked.

259

260

Expect False, if not, and True, if locked.

261

"""

262

if not self.login_attempt_max_count > 0:

263

# account locking turned off by configuration

264

return None

265

count = self.failed_count(user, reset=None)

266

ts_release = self.release_time(user)

267

if count < self.login_attempt_max_count:

268

self.log.debug(

269

'AcctMgr:user_locked(%s): False (try left)' % user)

270

return False

271

else:

272

if ts_release is None:

273

# permanently locked

274

self.log.debug(

275

'AcctMgr:user_locked(%s): True (permanently)' % user)

276

return True

277

# time-locked or time-lock expired

278

self.log.debug(

279

'AcctMgr:user_locked(%s): ' % user + \

280

str((ts_release - to_utimestamp(to_datetime(None))) > 0))

281

return ((ts_release - to_utimestamp(to_datetime(None))) > 0)

Older »