Add rate limit on the built-in request password reset handler for purely local accounts to limit the annoyance / abuse potential associated with somebody triggering a huge amount of password reset request emails to another known user. Thanks to Parth Narula (ScriptJacker) for reporting a similar issue in a different vendor software context. That inspired us to check and address this issue in our own software.

jonasbardino · jonasbardino · commit 055004d684cb · 2024-06-04T16:41:54.000Z
git-svn-id: svn+ssh://svn.code.sf.net/p/migrid/code/trunk@6046 b75ad72c-e7d7-11dd-a971-7dbc132099af
diff --git a/mig/shared/functionality/reqpwresetaction.py b/mig/shared/functionality/reqpwresetaction.py
@@ -4,7 +4,7 @@
 # --- BEGIN_HEADER ---
 #
 # reqpwresetaction - handle account password reset requests and send email to user
-# Copyright (C) 2003-2023  The MiG Project lead by Brian Vinter
+# Copyright (C) 2003-2024  The MiG Project lead by Brian Vinter
 #
 # This file is part of MiG.
 #
@@ -30,16 +30,20 @@
 from __future__ import absolute_import
 
 import os
-import time
 import tempfile
+import time
 
 from mig.shared import returnvalues
 from mig.shared.base import canonical_user_with_peers, generate_https_urls, \
     fill_distinguished_name, cert_field_map, auth_type_description, \
     mask_creds, is_gdp_user
 from mig.shared.defaults import keyword_auto, RESET_TOKEN_TTL
 from mig.shared.functional import validate_input, REJECT_UNSET
+from mig.shared.griddaemons.https import default_max_user_hits, \
+    default_user_abuse_hits, default_proto_abuse_hits, hit_rate_limit, \
+    expire_rate_limit, validate_auth_attempt
 from mig.shared.handlers import safe_handler, get_csrf_limit
+from mig.shared.html import themed_styles, themed_scripts
 from mig.shared.init import initialize_main_variables, find_entry
 from mig.shared.notification import send_email
 from mig.shared.pwcrypto import generate_reset_token
@@ -61,7 +65,22 @@ def main(client_id, user_arguments_dict):
     """Main function used by front end"""
 
     (configuration, logger, output_objects, op_name) = \
-        initialize_main_variables(client_id, op_header=False, op_menu=False)
+        initialize_main_variables(client_id, op_header=False, op_title=False,
+                                  op_menu=False)
+    # IMPORTANT: no title in init above so we MUST call it immediately here
+    #            or basic styling will break on e.g. the check user result.
+    styles = themed_styles(configuration)
+    scripts = themed_scripts(configuration, logged_in=False)
+    title_entry = {'object_type': 'title',
+                   'text': '%s reset account password request' %
+                   configuration.short_title,
+                   'skipmenu': True, 'style': styles, 'script': scripts}
+    output_objects.append(title_entry)
+    output_objects.append({'object_type': 'header', 'text':
+                           '%s reset account password request' %
+                           configuration.short_title
+                           })
+
     defaults = signature(configuration)[1]
     (validate_status, accepted) = validate_input(user_arguments_dict,
                                                  defaults, output_objects,
@@ -71,15 +90,20 @@ def main(client_id, user_arguments_dict):
         logger.warning('%s invalid input: %s' % (op_name, accepted))
         return (accepted, returnvalues.CLIENT_ERROR)
 
-    title_entry = find_entry(output_objects, 'title')
-    title_entry['text'] = '%s reset account password request' % \
-                          configuration.short_title
-    title_entry['skipmenu'] = True
-    output_objects.append({'object_type': 'header', 'text':
-                           '%s reset account password request' %
-                           configuration.short_title
-                           })
-
+    # Seconds to delay next reset attempt after hitting rate limit
+    delay_retry = 900
+    scripts['init'] += '''
+function update_reload_counter(cnt, delay) {
+    var remain = (delay - cnt);
+    $("#reload_counter").html(remain.toString());
+    if (cnt >= delay) {
+        /* Load previous page again without re-posting last attempt */
+        location = history.back();
+    } else {
+        setTimeout(function() { update_reload_counter(cnt+1, delay); }, 1000);
+    }
+}
+    '''
     smtp_server = configuration.smtp_server
 
     cert_id = accepted['cert_id'][-1].strip()
@@ -118,8 +142,68 @@ def main(client_id, user_arguments_dict):
         return (output_objects, returnvalues.CLIENT_ERROR)
 
     mig_user = os.environ.get('USER', 'mig')
+    client_addr = os.environ.get('REMOTE_ADDR', None)
+    tcp_port = int(os.environ.get('REMOTE_PORT', '0'))
     anon_migoid_url = configuration.migserver_https_sid_url
 
+    status = returnvalues.OK
+
+    # Rate limit password reset attempts for any cert_id from source addr
+    # to prevent excessive requests spamming users or overloading server.
+    # We do so no matter if cert_id matches a valid user to prevent disclosure.
+    # Rate limit does not affect reset for another ID from same address as
+    # that may be perfectly valid e.g. if behind a shared NAT-gateway.
+    proto = 'https'
+    disconnect, exceeded_rate_limit = False, False
+    # Clean up expired entries in persistent rate limit cache
+    expire_rate_limit(configuration, proto, fail_cache=delay_retry,
+                      expire_delay=delay_retry)
+    if hit_rate_limit(configuration, proto, client_addr, cert_id,
+                      max_user_hits=1):
+        exceeded_rate_limit = True
+    # Update rate limits and write to auth log
+    (authorized, disconnect) = validate_auth_attempt(
+        configuration,
+        proto,
+        op_name,
+        cert_id,
+        client_addr,
+        tcp_port,
+        secret=None,
+        authtype_enabled=True,
+        auth_reset=True,
+        exceeded_rate_limit=exceeded_rate_limit,
+        user_abuse_hits=default_user_abuse_hits,
+        proto_abuse_hits=default_proto_abuse_hits,
+        max_secret_hits=1,
+        skip_notify=True,
+    )
+
+    if exceeded_rate_limit or disconnect:
+        logger.warning('Throttle %s for %s from %s - past rate limit' %
+                       (op_name, cert_id, client_addr))
+        # NOTE: we keep actual result in plain text for json extract
+        output_objects.append({'object_type': 'html_form', 'text': '''
+<div class="vertical-spacer"></div>
+<div class="error leftpad errortext">
+'''})
+        output_objects.append({'object_type': 'text', 'text': """
+Invalid input or rate limit exceeded - please wait %d seconds before retrying.
+""" % delay_retry
+                               })
+        output_objects.append({'object_type': 'html_form', 'text': '''
+</div>
+<div class="vertical-spacer"></div>
+<div class="info leftpad">
+Origin will reload automatically in <span id="reload_counter">%d</span> seconds.
+</div>
+</div>
+''' % delay_retry})
+        scripts['ready'] += '''
+    setTimeout(function() { update_reload_counter(1, %d); }, 1000);
+''' % delay_retry
+        return (output_objects, status)
+
     search_filter = default_search()
     if '/' in cert_id:
         search_filter['distinguished_name'] = cert_id
@@ -215,4 +299,4 @@ def main(client_id, user_arguments_dict):
     output_objects.append(
         {'object_type': 'link', 'destination': 'javascript:history.back();',
          'class': 'genericbutton', 'text': "Back"})
-    return (output_objects, returnvalues.OK)
+    return (output_objects, status)
diff --git a/mig/shared/functionality/twofactor.py b/mig/shared/functionality/twofactor.py
@@ -48,7 +48,7 @@
 from mig.shared.defaults import twofactor_cookie_ttl, AUTH_MIG_OID, \
     AUTH_EXT_OID, AUTH_MIG_OIDC, AUTH_EXT_OIDC
 from mig.shared.functional import validate_input
-from mig.shared.griddaemons.openid import default_max_user_hits, \
+from mig.shared.griddaemons.https import default_max_user_hits, \
     default_user_abuse_hits, default_proto_abuse_hits, hit_rate_limit, \
     expire_rate_limit, validate_auth_attempt
 from mig.shared.init import initialize_main_variables
@@ -324,8 +324,8 @@ def main(client_id, user_arguments_dict, environ=None):
             )
 
         if exceeded_rate_limit or disconnect:
-            logger.warning('Throttle twofactor from %s (%s) - past rate limit'
-                           % (client_id, client_addr))
+            logger.warning('Throttle %s from %s (%s) - past rate limit' %
+                           (op_name, client_id, client_addr))
             # NOTE: we keep actual result in plain text for json extract
             output_objects.append({'object_type': 'html_form', 'text': '''
 <div class="vertical-spacer"></div>
diff --git a/mig/shared/griddaemons/auth.py b/mig/shared/griddaemons/auth.py
@@ -4,7 +4,7 @@
 # --- BEGIN_HEADER ---
 #
 # auth - grid daemon auth helper functions
-# Copyright (C) 2010-2023  The MiG Project lead by Brian Vinter
+# Copyright (C) 2010-2024  The MiG Project lead by Brian Vinter
 #
 # This file is part of MiG.
 #
@@ -187,6 +187,7 @@ def validate_auth_attempt(configuration,
                           valid_twofa=False,
                           authtype_enabled=False,
                           valid_auth=False,
+                          auth_reset=False,
                           exceeded_rate_limit=False,
                           exceeded_max_sessions=False,
                           user_abuse_hits=default_user_abuse_hits,
@@ -228,6 +229,8 @@ def validate_auth_attempt(configuration,
                  % valid_twofa
                  + "authtype_enabled: %s, valid_auth: %s\n"
                  % (authtype_enabled, valid_auth)
+                 + "auth_reset: %s\n"
+                 % auth_reset
                  + "exceeded_rate_limit: %s\n"
                  % exceeded_rate_limit
                  + "exceeded_max_sessions: %s\n"
@@ -261,11 +264,11 @@ def validate_auth_attempt(configuration,
             and authtype in configuration.user_sftp_auth:
         pass
     elif protocol == 'sftp-subsys' \
-            and (authtype in configuration.user_sftp_auth \
-            or authtype in ["session"]):
+            and (authtype in configuration.user_sftp_auth
+                 or authtype in ["session"]):
         pass
     elif protocol == 'https' \
-            and authtype in ["twofactor"]:
+            and authtype in ["twofactor", "reqpwresetaction"]:
         pass
     elif protocol == 'openid' \
             and authtype in configuration.user_openid_auth:
@@ -395,6 +398,16 @@ def validate_auth_attempt(configuration,
         authlog(configuration, 'WARNING', protocol, authtype,
                 username, ip_addr, auth_msg,
                 notify=notify, hint=mount_hint)
+    elif authtype_enabled and auth_reset:
+        # IMPORTANT: leave unauthorized here to enforce rate limit on resets
+        authorized = False
+        auth_msg = "Allow %s" % authtype
+        log_msg = auth_msg + " for %s from %s" % (username, ip_addr)
+        if tcp_port > 0:
+            log_msg += ":%s" % tcp_port
+        logger.info(log_msg)
+        authlog(configuration, 'INFO', protocol, authtype,
+                username, ip_addr, auth_msg, notify=notify)
     elif authtype_enabled and not valid_auth:
         auth_msg = "Failed %s" % authtype
         mount_hint = ''
@@ -450,7 +463,7 @@ def validate_auth_attempt(configuration,
                               username, authorized,
                               secret=max_secret)
 
-    # Check if we should log abuse messages for use by eg. fail2ban
+    # Check if we should log abuse messages for use by e.g. fail2ban
 
     if user_abuse_hits > 0 and user_hits > user_abuse_hits:
         auth_msg = "Abuse limit reached"
diff --git a/mig/shared/griddaemons/https.py b/mig/shared/griddaemons/https.py
@@ -0,0 +1,34 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# --- BEGIN_HEADER ---
+#
+# https - Wrapper for https web page helper import
+# Copyright (C) 2010-2024  The MiG Project lead by Brian Vinter
+#
+# This file is part of MiG.
+#
+# MiG is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# MiG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# -- END_HEADER ---
+#
+
+"""This imports all modules needed by the https web pages"""
+
+from mig.shared.griddaemons.base import default_username_validator
+from mig.shared.griddaemons.ratelimits import default_max_user_hits, \
+    default_user_abuse_hits, default_proto_abuse_hits, \
+    hit_rate_limit, expire_rate_limit
+from mig.shared.griddaemons.auth import validate_auth_attempt
