From a6bb27c6e4882febe4d68118932ea67c402226ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20H=C3=A4ssig?=
Date: Fri, 12 Aug 2016 10:37:48 +0200
Subject: [PATCH] Reject login when a user is locked
When a user is locked (locked_until is in the future) he can't log in anymore.
---
 app/controllers/casino/sessions_controller.rb | 9 +++++++++
 config/locales/de.yml | 1 +
 config/locales/en.yml | 1 +
 config/locales/fr.yml | 1 +
 spec/controllers/sessions_controller_spec.rb | 19 ++++++++++++++++++-
 5 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/app/controllers/casino/sessions_controller.rb b/app/controllers/casino/sessions_controller.rb
index 5f9ea1d7..4b9673a9 100644
--- a/app/controllers/casino/sessions_controller.rb
+++ b/app/controllers/casino/sessions_controller.rb
@@ -25,6 +25,8 @@ def create
 if !validation_result
 handle_failed_login params[:username]
 show_login_error I18n.t('login_credential_acceptor.invalid_login_credentials')
+ elsif user_from_validation_result(validation_result).locked?
+ show_login_error I18n.t('sessions.create.user_locked')
 else
 sign_in(validation_result, long_term: params[:rememberMe], credentials_supplied: true)
 end
@@ -83,4 +85,11 @@ def load_ticket_granting_ticket_from_parameter
 @ticket_granting_ticket = find_valid_ticket_granting_ticket(params[:tgt], request.user_agent, ignore_two_factor: true)
 redirect_to login_path if @ticket_granting_ticket.nil?
 end
+
+ def user_from_validation_result(validation_result)
+ user_data = validation_result[:user_data]
+ load_or_initialize_user(validation_result[:authenticator],
+ user_data[:username],
+ user_data[:extra_attributes])
+ end
 end
diff --git a/config/locales/de.yml b/config/locales/de.yml
index 43aba4e4..3a03737d 100644
--- a/config/locales/de.yml
+++ b/config/locales/de.yml
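Review bot: The locale key on the new `show_login_error` line does not match the translations this patch adds: the controller looks up `sessions.create.user_locked`, while de.yml, en.yml and fr.yml all define `login_credential_acceptor.user_is_locked`, so a locked user would see Rails' "translation missing" placeholder; change it to `show_login_error I18n.t('login_credential_acceptor.user_is_locked')`. A second concern is ordering: the `elsif` only runs once `validation_result` is truthy, i.e. after the password has been verified, so a locked account answers a correct password with the locked message and a wrong one with the generic invalid-credentials message, which lets whoever triggered the lock keep guessing and still learn when they hit the right password. If the user can be resolved from the submitted username before the authenticator runs, rejecting locked accounts up front would close that oracle and avoid consulting the backend for them; if the authenticator is only known afterwards (as the `validation_result[:authenticator]` usage suggests), returning the same `invalid_login_credentials` message for the locked case is the safer fallback. Note also that the locked branch skips `handle_failed_login`, so attempts against a locked account are not counted toward the lock — presumably intentional, but worth confirming. The `create` method begins and ends outside this hunk.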
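Review bot: `user_from_validation_result` reads `validation_result[:user_data]` and then `user_data[:username]` with `[]`, so a result lacking `:user_data` surfaces as a `NoMethodError` on nil instead of a clear failure; `user_data = validation_result.fetch(:user_data)` names the assumed shape and fails loudly. The helper also carries no comment, and since `sign_in` presumably resolves the same user again on the success path, a reader will wonder why it exists; `# Resolves the CASino::User behind a successful validation so its lock can be checked before sign_in` would answer that. Whether this method lands under `private` cannot be seen from the hunk; it should, since it is only called from `create`.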
@@ -2,6 +2,7 @@ de:
 login_credential_acceptor:
 invalid_login_ticket: "Ihre Anfrage enthielt kein gültiges Login-Ticket."
 invalid_login_credentials: "Benutzername oder Passwort falsch."
+ user_is_locked: "Ihr Account ist wegen zu vieler falscher Loginversuche gesperrt. Bitte versuchen Sie es später nochmal."
 login:
 label_username: "Benutzername"
 label_password: "Passwort"
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 0356f5d5..ecee1dbe 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -2,6 +2,7 @@ en:
 login_credential_acceptor:
 invalid_login_ticket: "Your login request did not include a valid login ticket."
 invalid_login_credentials: "Incorrect username or password."
+ user_is_locked: "Your user is currently locked because of failed login attempts. Please try again later."
 login:
 label_username: "Username"
 label_password: "Password"
diff --git a/config/locales/fr.yml b/config/locales/fr.yml
index 9c74ea5d..e9cffa73 100644
--- a/config/locales/fr.yml
+++ b/config/locales/fr.yml
@@ -2,6 +2,7 @@ fr:
 login_credential_acceptor:
 invalid_login_ticket: "La demande de connexion n'inclue pas un ticket de connexion valide."
 invalid_login_credentials: "Nom d'utilisateur ou mot de passe incorrect."
+ user_is_locked: "Votre utilisateur est actuellement bloqué dû à des tentatives de connexions échouées. Veuillez réessayer ultérieurement."
 login:
 label_username: "Nom d'utilisateur"
 label_password: "Mot de passe"
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index 264898c0..0741ddec 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -188,7 +188,8 @@
 let(:login_ticket) { FactoryGirl.create :login_ticket }
 let(:username) { 'testuser' }
 let(:params) { { lt: login_ticket.ticket, username: username, password: 'wrrooonnng' }}
- let!(:user) { FactoryGirl.create :user, username: username }
+ let(:locked_until) { nil }
+ let!(:user) { FactoryGirl.create :user, authenticator: 'static', username: username, locked_until: locked_until }
 context 'with invalid credentials' do
 it 'renders the new template' do
@@ -328,6 +329,8 @@
 end
 context 'when the user does not exist yet' do
+ before { CASino::User.destroy_all }
+
 it 'generates exactly one user' do
 lambda do
 post :create, params
@@ -385,6 +388,20 @@
 end.should change(CASino::TicketGrantingTicket, :count).by(1)
 end
 end
+
+ context 'when the user is locked' do
+ let(:locked_until) { 5.minutes.from_now }
+
+ it 'renders the new template' do
+ post :create, params
+ expect(response).to render_template(:new)
+ end
+
+ it 'sets a flash to inform the user' do
+ post :create, params
+ expect(flash[:error]).to be_present
+ end
+ end
 end
 end
 end
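Review bot: `before { CASino::User.destroy_all }` in the "does not exist yet" context wipes the table to undo the outer `let!(:user)`, which hides the dependency and would silently break if another fixture started creating users. Overriding the fixture in that context instead, e.g. `let!(:user) { nil }`, states the intent directly and keeps the example isolated to its own setup. This is a point of style only; the outer `let!` and the enclosing describe blocks lie outside the hunk.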
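Review bot: The two locked-user examples only check that a flash exists and the `new` template renders, which neither distinguishes the intended locked message from a generic or missing translation nor proves that no session was issued. Asserting the exact text, `expect(flash[:error]).to eq(I18n.t('login_credential_acceptor.user_is_locked'))`, would have caught the mismatch between the controller's `sessions.create.user_locked` key and the `user_is_locked` key the locale files add, and `expect { post :create, params }.not_to change(CASino::TicketGrantingTicket, :count)` pins the security-relevant outcome. It is also worth confirming that `params` in this context carries a valid password: the controller's lock check only runs after credentials validate, and the `let(:params)` visible in the first hunk uses `'wrrooonnng'`, so with the wrong password these examples would pass for the wrong reason. The enclosing describe blocks start outside the hunk.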