
TASK-6013 - Extend User Management capabilities #2432

Merged
merged 29 commits into from
Jul 5, 2024

Conversation

pfurio
Member

@pfurio pfurio commented Apr 19, 2024

@pfurio pfurio requested a review from j-coll April 19, 2024 11:14
// We can only lock the account if it is not the root user
int failedAttempts = userOpenCGAResult.first().getInternal().getFailedAttempts();
ObjectMap updateParams = new ObjectMap(UserDBAdaptor.QueryParams.INTERNAL_FAILED_ATTEMPTS.key(), failedAttempts + 1);
if (failedAttempts >= 4) {
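Review bot: the counter update in this hunk is a read-modify-write: `failedAttempts` is read from `userOpenCGAResult.first()` and `failedAttempts + 1` is written back through `updateParams`, so two concurrent failed logins can read the same value and record only one increment, which also delays reaching the `>= 4` threshold. Consider an atomic increment on the `INTERNAL_FAILED_ATTEMPTS` field instead, and move the literal `4` into a named, configurable maximum so the lock policy lives in one place. The leading comment mentions a root-user exception, but no such check appears in these lines, so either show it here or adjust the comment.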
Member

The number of maxFailedAttempts should be configurable

Member Author

We are not aware of any software that lets you decide the maximum number of login attempts before blocking an account, so that is going to be the number of times a user is allowed to make a login attempt before blocking the account. Obviously, we will review this decision depending on how users react.

Member

Should be configurable so it can be disabled 🤷‍♂️

Member

Or...

deny – used to define the number of attempts (3 in this case), after which the user account should be locked.

https://www.tecmint.com/lock-failed-ssh-login-attempts-linux/#How_to_Lock_User_After_Failed_SSH_Logins

@@ -768,6 +801,10 @@ public AuthenticationResponse login(String organizationId, String username, Stri
throw CatalogAuthenticationException.incorrectUserOrPassword();
}

// Reset login failed attempts counter
ObjectMap updateParams = new ObjectMap(UserDBAdaptor.QueryParams.INTERNAL_FAILED_ATTEMPTS.key(), 0);
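Review bot: the reset `new ObjectMap(UserDBAdaptor.QueryParams.INTERNAL_FAILED_ATTEMPTS.key(), 0)` runs on every successful login, so the common case of an already-zero counter still costs a database write; guard it with a check that the stored value is non-zero before issuing the update. The placement is right, since it sits after the `incorrectUserOrPassword()` throw and so a failed attempt can never clear the counter; keep that ordering if the surrounding code is refactored.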
Member

Worth checking if the current value is already 0 or not? Worth skipping a mongo update on each login when not needed, which might be the general scenario.

@@ -130,7 +130,14 @@ public OpenCGAResult<User> create(User user, String password, String token) thro
}
user.setAccount(ParamUtils.defaultObject(user.getAccount(), Account::new));
user.getAccount().setCreationDate(TimeUtils.getTime());
user.getAccount().setExpirationDate(ParamUtils.defaultString(user.getAccount().getExpirationDate(), ""));
if (StringUtils.isEmpty(user.getAccount().getExpirationDate())) {
// By default, user accounts will be valid for 1 year when they are created.
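Review bot: `ParamUtils.defaultString(user.getAccount().getExpirationDate(), "")` followed by `StringUtils.isEmpty(user.getAccount().getExpirationDate())` is redundant, since `isEmpty` already treats null as empty; drop the `defaultString` call or fold both into one branch. The one-year default named in the comment should be a named configuration value rather than a literal in the create path, and the hunk should state what happens for accounts synchronized from an external authentication origin, which the discussion says are exempt.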
Member

This is harsh...
I'd make this configurable.
Also, what if the user is "sync" from LDAP? Does it expire? Do we want these to expire?

Member Author

These things will only apply to local users. It will not apply to existing LDAP, AzureAD or SSO users.

@pfurio pfurio requested a review from j-coll April 23, 2024 09:40
j-coll
j-coll previously approved these changes Apr 25, 2024
j-coll
j-coll previously approved these changes Apr 29, 2024
j-coll
j-coll previously approved these changes May 22, 2024
j-coll
j-coll previously approved these changes Jun 5, 2024
j-coll
j-coll previously approved these changes Jun 17, 2024
j-coll
j-coll previously approved these changes Jun 28, 2024
j-coll
j-coll previously approved these changes Jul 2, 2024
j-coll
j-coll previously approved these changes Jul 3, 2024
@pfurio pfurio merged commit fa638a0 into develop Jul 5, 2024
7 of 9 checks passed
@pfurio pfurio deleted the TASK-6013 branch July 5, 2024 07:33