Disable account after failed login attempts

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

Author: rullzer

appinfo/info.xml

@@ -6,10 +6,13 @@
 	<description>
 		Allow admin to define certain pre-conditions for password, e.g. enforce a minimum length
 	</description>
-	<version>1.9.0</version>
+	<version>1.9.1</version>
 	<licence>agpl</licence>
 	<author>Bjoern Schiessle</author>
 	<namespace>Password_Policy</namespace>
+	<types>
+		<authentication/>
+	</types>
 	<default_enable/>
 	<category>security</category>
 	<bugs>https://github.com/nextcloud/password_policy/issues</bugs>

js/settings-admin.js

@@ -110,6 +110,10 @@ $(document).ready(function(){
 			elem: '#password-policy-expiration',
 			conf: 'expiration',
 		},
+		{
+			elem: '#password-policy-failed-login',
+			conf: 'maximumLoginAttempts'
+		},
 	].forEach(function (configField) {
 		console.log(configField);
 		$(configField.elem).keyup(function (e) {

lib/AppInfo/Application.php

@@ -27,8 +27,11 @@
 use OCA\Password_Policy\Capabilities;
 use OCA\Password_Policy\ComplianceService;
 use OCA\Password_Policy\Generator;
+use OCA\Password_Policy\Listener\FailedLoginListener;
+use OCA\Password_Policy\Listener\SuccesfullLoginListener;
 use OCA\Password_Policy\PasswordValidator;
 use OCP\AppFramework\App;
+use OCP\Authentication\Events\LoginFailedEvent;
 use OCP\EventDispatcher\Event;
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\ILogger;
@@ -37,6 +40,7 @@
 use OCP\User\Events\BeforePasswordUpdatedEvent;
 use OCP\User\Events\BeforeUserLoggedInEvent;
 use OCP\User\Events\PasswordUpdatedEvent;
+use OCP\User\Events\UserLoggedInEvent;
 use Symfony\Component\EventDispatcher\GenericEvent;
 
 class Application extends App {
@@ -109,6 +113,9 @@ function (Event $event) use ($container) {
 			}
 		);
 
+		$eventDispatcher->addServiceListener(LoginFailedEvent::class, FailedLoginListener::class);
+		$eventDispatcher->addServiceListener(UserLoggedInEvent::class, SuccesfullLoginListener::class);
+
 		// TODO: remove these two legacy event listeners
 		$symfonyDispatcher = $server->getEventDispatcher();
 		$symfonyDispatcher->addListener(

lib/FailedLoginCompliance.php

@@ -0,0 +1,88 @@
+<?php
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2020, Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @author Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Password_Policy;
+
+use OCP\IConfig;
+use OCP\IUser;
+use OCP\IUserManager;
+
+class FailedLoginCompliance {
+
+	/** @var IConfig */
+	private $config;
+
+	/** @var IUserManager */
+	private $userManager;
+
+	/** @var PasswordPolicyConfig */
+	private $passwordPolicyConfig;
+
+	public function __construct(
+		IConfig $config,
+		IUserManager $userManager,
+		PasswordPolicyConfig $passwordPolicyConfig) {
+		$this->config = $config;
+		$this->userManager = $userManager;
+		$this->passwordPolicyConfig = $passwordPolicyConfig;
+	}
+
+	public function onFailedLogin(string $uid) {
+		$user = $this->userManager->get($uid);
+
+		if (!($user instanceof IUser)) {
+			return;
+		}
+
+		if ($user->isEnabled() === false) {
+			// Just ignore this user then
+			return;
+		}
+
+		$allowedAttempts = $this->passwordPolicyConfig->getMaximumLoginAttempts();
+
+		$attempts = $this->getAttempts($uid);
+		$attempts++;
+
+		if ($attempts >= $allowedAttempts) {
+			$this->setAttempts($uid, 0);
+			$user->setEnabled(false);
+			return;
+		}
+
+		$this->setAttempts($uid, $attempts);
+	}
+
+	public function onSucessfullLogin(IUser $user) {
+		$this->setAttempts($user->getUID(), 0);
+	}
+
+	private function getAttempts(string $uid): int {
+		return (int)$this->config->getUserValue($uid, 'password_policy', 'failedLoginAttempts', 0);
+	}
+
+	private function setAttempts(string $uid, int $attempts): void {
+		return $this->config->setUserValue($uid, 'password_policy', 'failedLoginAttempts', $attempts);
+	}
+}

lib/Listener/FailedLoginListener.php

@@ -0,0 +1,49 @@
+<?php
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2020, Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @author Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Password_Policy\Listener;
+
+use OCA\Password_Policy\FailedLoginCompliance;
+use OCP\Authentication\Events\LoginFailedEvent;
+use OCP\EventDispatcher\Event;
+use OCP\EventDispatcher\IEventListener;
+
+class FailedLoginListener implements IEventListener {
+
+	/** @var FailedLoginCompliance */
+	private $compliance;
+
+	public function __construct(FailedLoginCompliance $compliance) {
+		$this->compliance = $compliance;
+	}
+
+	public function handle(Event $event): void {
+		if (!($event instanceof LoginFailedEvent)) {
+			return;
+		}
+
+		$this->compliance->onFailedLogin($event->getUid());
+	}
+
+}

lib/Listener/SuccesfullLoginListener.php

@@ -0,0 +1,48 @@
+<?php
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2020, Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @author Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Password_Policy\Listener;
+
+use OCA\Password_Policy\FailedLoginCompliance;
+use OCP\EventDispatcher\Event;
+use OCP\EventDispatcher\IEventListener;
+use OCP\User\Events\UserLoggedInEvent;
+
+class SuccesfullLoginListener implements IEventListener {
+	/** @var FailedLoginCompliance */
+	private $compliance;
+
+	public function __construct(FailedLoginCompliance $compliance) {
+		$this->compliance = $compliance;
+	}
+
+	public function handle(Event $event): void {
+		if (!($event instanceof UserLoggedInEvent)) {
+			return;
+		}
+
+		$this->compliance->onSucessfullLogin($event->getUser());
+	}
+
+}

lib/PasswordPolicyConfig.php

@@ -193,4 +193,14 @@ public function getExpiryInDays(): int {
 		);
 	}
 
+	/**
+	 * @return int if 0 then there is no limit
+	 */
+	public function getMaximumLoginAttempts(): int {
+		return (int)$this->config->getAppValue(
+			'password_policy',
+			'maximumLoginAttempts',
+			0
+		);
+	}
 }

lib/Settings.php

@@ -47,6 +47,7 @@ public function getForm(): TemplateResponse {
 			'enforceHaveIBeenPwned' => $this->config->getEnforceHaveIBeenPwned(),
 			'historySize' => $this->config->getHistorySize(),
 			'expiration' => $this->config->getExpiryInDays(),
+			'maximumLoginAttempts' => $this->config->getMaximumLoginAttempts(),
 		]);
 
 		return $response;

templates/settings-admin.php

@@ -47,6 +47,12 @@
 			<span><?php p($l->t('days until user password expires')) ?></span>
 		</label>
 	</p>
+	<p>
+		<label class="password-policy-number-option">
+			<input id="password-policy-failed-login" type="number" value="<?php p($_['maximumLoginAttempts']) ?>" />
+			<span><?php p($l->t('login attempts before the user account is blocked. (0 for no limit)')) ?></span>
+		</label>
+	</p>
 	<p id="enforceNonCommonPassword">
 		<input type="checkbox" name="password-policy-enforce-non-common-password" id="password-policy-enforce-non-common-password" class="checkbox"
 			   value="1" <?php if ($_['enforceNonCommonPassword']) print_unescaped('checked="checked"'); ?> />