Added login throttling feature based on RateLimiter

wouterj · wouterj · commit 730a56dc19de · 2020-09-16T12:58:41.000+02:00
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php
@@ -0,0 +1,68 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
+
+use Symfony\Component\Config\Definition\Builder\ArrayNodeDefinition;
+use Symfony\Component\Config\Definition\Builder\NodeDefinition;
+use Symfony\Component\DependencyInjection\ChildDefinition;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Reference;
+use Symfony\Component\Security\Http\EventListener\LoginThrottlingListener;
+
+/**
+ * @author Wouter de Jong <wouter@wouterj.nl>
+ *
+ * @internal
+ */
+class LoginThrottlingFactory implements AuthenticatorFactoryInterface, SecurityFactoryInterface
+{
+    public function create(ContainerBuilder $container, string $id, array $config, string $userProvider, ?string $defaultEntryPoint)
+    {
+        throw new \LogicException('Login throttling is not supported when "security.enable_authenticator_manager" is not set to true.');
+    }
+
+    public function getPosition(): string
+    {
+        // this factory doesn't register any authenticators, this position doesn't matter
+        return 'pre_auth';
+    }
+
+    public function getKey(): string
+    {
+        return 'login_throttling';
+    }
+
+    /**
+     * @param ArrayNodeDefinition $builder
+     */
+    public function addConfiguration(NodeDefinition $builder)
+    {
+        $builder
+            ->children()
+                ->scalarNode('limiter')->isRequired()->end()
+            ->end();
+    }
+
+    public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId): array
+    {
+        if (!class_exists(LoginThrottlingListener::class)) {
+            throw new \LogicException('Login throttling requires symfony/security-http:^5.2.');
+        }
+
+        $container
+            ->setDefinition('security.listener.login_throttling.'.$firewallName, new ChildDefinition('security.listener.login_throttling'))
+            ->replaceArgument(1, new Reference('limiter.'.$config['limiter']))
+            ->addTag('kernel.event_subscriber', ['dispatcher' => 'security.event_dispatcher.'.$firewallName]);
+
+        return [];
+    }
+}
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator.php
@@ -25,6 +25,7 @@
 use Symfony\Component\Security\Http\Authenticator\X509Authenticator;
 use Symfony\Component\Security\Http\Event\CheckPassportEvent;
 use Symfony\Component\Security\Http\EventListener\CheckCredentialsListener;
+use Symfony\Component\Security\Http\EventListener\LoginThrottlingListener;
 use Symfony\Component\Security\Http\EventListener\PasswordMigratingListener;
 use Symfony\Component\Security\Http\EventListener\RememberMeListener;
 use Symfony\Component\Security\Http\EventListener\SessionStrategyListener;
@@ -113,6 +114,13 @@
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
 
+        ->set('security.listener.login_throttling', LoginThrottlingListener::class)
+            ->abstract()
+            ->args([
+                service('request_stack'),
+                abstract_arg('rate limiter'),
+            ])
+
         // Authenticators
         ->set('security.authenticator.http_basic', HttpBasicAuthenticator::class)
             ->abstract()
diff --git a/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php b/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
@@ -28,6 +28,7 @@
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\HttpBasicLdapFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\JsonLoginFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\JsonLoginLdapFactory;
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\LoginThrottlingFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\RememberMeFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\RemoteUserFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\X509Factory;
@@ -64,6 +65,7 @@ public function build(ContainerBuilder $container)
         $extension->addSecurityListenerFactory(new GuardAuthenticationFactory());
         $extension->addSecurityListenerFactory(new AnonymousFactory());
         $extension->addSecurityListenerFactory(new CustomAuthenticatorFactory());
+        $extension->addSecurityListenerFactory(new LoginThrottlingFactory());
 
         $extension->addUserProviderFactory(new InMemoryFactory());
         $extension->addUserProviderFactory(new LdapFactory());
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/FormLoginBundle/Resources/views/Login/login.html.twig b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/FormLoginBundle/Resources/views/Login/login.html.twig
@@ -3,7 +3,7 @@
 {% block body %}
 
     {% if error %}
-        <div>{{ error.message }}</div>
+        <div>{{ error.messageKey }}</div>
     {% endif %}
 
     <form action="{{ path('form_login_check') }}" method="post">
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/FormLoginTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/FormLoginTest.php
@@ -11,6 +11,8 @@
 
 namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
 
+use Symfony\Component\Security\Http\EventListener\LoginThrottlingListener;
+
 class FormLoginTest extends AbstractWebTestCase
 {
     /**
@@ -106,6 +108,28 @@ public function testFormLoginRedirectsToProtectedResourceAfterLogin(array $optio
         $this->assertStringContainsString('You\'re browsing to path "/protected_resource".', $text);
     }
 
+    public function testLoginThrottling()
+    {
+        if (!class_exists(LoginThrottlingListener::class)) {
+            $this->markTestSkipped('Login throttling requires symfony/security-http:^5.2');
+        }
+
+        $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'login_throttling.yml', 'enable_authenticator_manager' => true]);
+
+        $form = $client->request('GET', '/login')->selectButton('login')->form();
+        $form['_username'] = 'johannes';
+        $form['_password'] = 'wrong';
+        $client->submit($form);
+
+        $client->followRedirect()->selectButton('login')->form();
+        $form['_username'] = 'johannes';
+        $form['_password'] = 'wrong';
+        $client->submit($form);
+
+        $text = $client->followRedirect()->text(null, true);
+        $this->assertStringContainsString('Too many failed login attempts, please try again later.', $text);
+    }
+
     public function provideClientOptions()
     {
         yield [['test_case' => 'StandardFormLogin', 'root_config' => 'config.yml', 'enable_authenticator_manager' => true]];
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/login_throttling.yml b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/StandardFormLogin/login_throttling.yml
@@ -0,0 +1,16 @@
+imports:
+    - { resource: ./config.yml }
+
+framework:
+    lock: ~
+    rate_limiter:
+        login:
+            strategy: token_bucket
+            limit: 1
+            rate: { interval: '10 seconds' }
+
+security:
+    firewalls:
+        default:
+            login_throttling:
+                limiter: login
diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
@@ -12,6 +12,7 @@ CHANGELOG
  * Added `FirewallListenerInterface` to make the execution order of firewall listeners configurable
  * Added translator to `\Symfony\Component\Security\Http\Authenticator\JsonLoginAuthenticator` and `\Symfony\Component\Security\Http\Firewall\UsernamePasswordJsonAuthenticationListener` to translate authentication failure messages
  * Added a CurrentUser attribute to force the UserValueResolver to resolve an argument to the current user.
+ * Added `LoginThrottlingListener`.
 
 5.1.0
 -----
diff --git a/src/Symfony/Component/Security/Core/Exception/SessionLockedException.php b/src/Symfony/Component/Security/Core/Exception/SessionLockedException.php
@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Exception;
+
+/**
+ * This exception is thrown if there where too many failed login attempts in
+ * this session.
+ *
+ * @author Wouter de Jong <wouter@wouterj.nl>
+ */
+class SessionLockedException extends AuthenticationException
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getMessageKey(): string
+    {
+        return 'Too many failed login attempts, please try again later.';
+    }
+}
diff --git a/src/Symfony/Component/Security/Core/Resources/translations/security.en.xlf b/src/Symfony/Component/Security/Core/Resources/translations/security.en.xlf
@@ -62,6 +62,10 @@
                 <source>Account is locked.</source>
                 <target>Account is locked.</target>
             </trans-unit>
+            <trans-unit id="17">
+                <source>Too many failed login attempts, please try again later.</source>
+                <target>Too many failed login attempts, please try again later.</target>
+            </trans-unit>
         </body>
     </file>
 </xliff>
diff --git a/src/Symfony/Component/Security/Core/Resources/translations/security.nl.xlf b/src/Symfony/Component/Security/Core/Resources/translations/security.nl.xlf
@@ -62,6 +62,10 @@
                 <source>Account is locked.</source>
                 <target>Account is geblokkeerd.</target>
             </trans-unit>
+            <trans-unit id="17">
+                <source>Too many failed login attempts, please try again later.</source>
+                <target>Er waren teveel mislukte inlogpogingen, probeer het later opnieuw.</target>
+            </trans-unit>
         </body>
     </file>
 </xliff>
diff --git a/src/Symfony/Component/Security/Http/Authenticator/Passport/Badge/UserBadge.php b/src/Symfony/Component/Security/Http/Authenticator/Passport/Badge/UserBadge.php
@@ -50,6 +50,11 @@ public function __construct(string $userIdentifier, ?callable $userLoader = null
         $this->userLoader = $userLoader;
     }
 
+    public function getUserIdentifier(): string
+    {
+        return $this->userIdentifier;
+    }
+
     public function getUser(): UserInterface
     {
         if (null === $this->user) {
diff --git a/src/Symfony/Component/Security/Http/EventListener/LoginThrottlingListener.php b/src/Symfony/Component/Security/Http/EventListener/LoginThrottlingListener.php
@@ -0,0 +1,77 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\EventListener;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\RateLimiter\Limiter;
+use Symfony\Component\Security\Core\Exception\SessionLockedException;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Event\CheckPassportEvent;
+use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
+
+/**
+ * @author Wouter de Jong <wouter@wouterj.nl>
+ *
+ * @final
+ * @experimental in 5.2
+ */
+class LoginThrottlingListener implements EventSubscriberInterface
+{
+    private $requestStack;
+    private $limiter;
+
+    public function __construct(RequestStack $requestStack, Limiter $limiter)
+    {
+        $this->requestStack = $requestStack;
+        $this->limiter = $limiter;
+    }
+
+    public function checkPassport(CheckPassportEvent $event): void
+    {
+        $passport = $event->getPassport();
+        if (!$passport->hasBadge(UserBadge::class)) {
+            return;
+        }
+
+        $request = $this->requestStack->getMasterRequest();
+        $username = $passport->getBadge(UserBadge::class)->getUserIdentifier();
+        $limiterKey = $this->createLimiterKey($username, $request);
+
+        $limiter = $this->limiter->create($limiterKey);
+        if (!$limiter->consume()) {
+            throw new SessionLockedException();
+        }
+    }
+
+    public function onSuccessfulLogin(LoginSuccessEvent $event): void
+    {
+        $limiterKey = $this->createLimiterKey($event->getAuthenticatedToken()->getUsername(), $event->getRequest());
+        $limiter = $this->limiterFactory->createLimiter($limiterKey);
+
+        $limiter->reset();
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            CheckPassportEvent::class => ['checkPassport', 64],
+            LoginSuccessEvent::class => 'onSuccessfulLogin',
+        ];
+    }
+
+    private function createLimiterKey($username, Request $request): string
+    {
+        return $username.$request->getClientIp();
+    }
+}
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/LoginThrottlingListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/LoginThrottlingListenerTest.php
