infrastructure/mox
1
0
Fork 0
mirror of https://github.com/mjl-/mox.git synced 2025-06-28 02:28:15 +03:00
Code Issues Packages Projects Releases Wiki Activity
mox/store/loginattempt_test.go
Mechiel Lukkien 1277d78cb1
keep track of login attempts, both successful and failures 
and show them in the account and admin interfaces. this should help with
debugging, to find misconfigured clients, and potentially find attackers trying
to login.

we include details like login name, account name, protocol, authentication
mechanism, ip addresses, tls connection properties, user-agent. and of course
the result.

we group entries by their details. repeat connections don't cause new records
in the database, they just increase the count on the existing record.

we keep data for at most 30 days. and we keep at most 10k entries per account.
to prevent unbounded growth. for successful login attempts, we store them all
for 30d. if a bad user causes so many entries this becomes a problem, it will
be time to talk to the user...

there is no pagination/searching yet in the admin/account interfaces. so the
list may be long. we only show the 10 most recent login attempts by default.
the rest is only shown on a separate page.

there is no way yet to disable this. may come later, either as global setting
or per account.
2025-02-06 14:16:13 +01:00

113 lines
2.8 KiB
Go
Raw Blame History

package store
import (
"context"
"fmt"
"os"
"path/filepath"
"testing"
"time"
"github.com/mjl-/mox/mox-"
)
func TestLoginAttempt(t *testing.T) {
os.RemoveAll("../testdata/store/data")
mox.ConfigStaticPath = filepath.FromSlash("../testdata/store/mox.conf")
mox.MustLoadConfig(true, false)
xctx, xcancel := context.WithCancel(ctxbg)
err := Init(xctx)
tcheck(t, err, "store init")
// Stop the background LoginAttempt writer for synchronous tests.
xcancel()
<-writeLoginAttemptStopped
defer func() {
err := Close()
tcheck(t, err, "store close")
}()
a1 := LoginAttempt{
Last: time.Now(),
First: time.Now(),
AccountName: "mjl1",
UserAgent: "0", // "0" so we update instead of insert when testing automatic cleanup below.
Result: AuthError,
}
a2 := a1
a2.AccountName = "mjl2"
a3 := a1
a3.AccountName = "mjl3"
a3.Last = a3.Last.Add(-31 * 24 * time.Hour) // Will be cleaned up.
a3.First = a3.Last
LoginAttemptAdd(ctxbg, pkglog, a1)
LoginAttemptAdd(ctxbg, pkglog, a2)
LoginAttemptAdd(ctxbg, pkglog, a3)
// Ensure there are no LoginAttempts that still need to be written.
loginAttemptDrain := func() {
for {
select {
case la := <-writeLoginAttempt:
loginAttemptWrite(la)
default:
return
}
}
}
loginAttemptDrain()
l, err := LoginAttemptList(ctxbg, "", 0)
tcheck(t, err, "list login attempts")
tcompare(t, len(l), 3)
// Test limit.
l, err = LoginAttemptList(ctxbg, "", 2)
tcheck(t, err, "list login attempts")
tcompare(t, len(l), 2)
// Test account filter.
l, err = LoginAttemptList(ctxbg, "mjl1", 2)
tcheck(t, err, "list login attempts")
tcompare(t, len(l), 1)
// Cleanup will remove the entry for mjl3 and leave others.
err = LoginAttemptCleanup(ctxbg)
tcheck(t, err, "cleanup login attempt")
l, err = LoginAttemptList(ctxbg, "", 0)
tcheck(t, err, "list login attempts")
tcompare(t, len(l), 2)
// Removing account will keep last entry for mjl2.
err = LoginAttemptRemoveAccount(ctxbg, "mjl1")
tcheck(t, err, "remove login attempt account")
l, err = LoginAttemptList(ctxbg, "", 0)
tcheck(t, err, "list login attempts")
tcompare(t, len(l), 1)
l, err = LoginAttemptList(ctxbg, "mjl2", 0)
tcheck(t, err, "list login attempts")
tcompare(t, len(l), 1)
// Insert 3 failing entries. Then add another and see we still have 3.
loginAttemptsMaxPerAccount = 3
for i := 0; i < loginAttemptsMaxPerAccount; i++ {
a := a2
a.UserAgent = fmt.Sprintf("%d", i)
LoginAttemptAdd(ctxbg, pkglog, a)
}
loginAttemptDrain()
l, err = LoginAttemptList(ctxbg, "", 0)
tcheck(t, err, "list login attempts")
tcompare(t, len(l), loginAttemptsMaxPerAccount)
a := a2
a.UserAgent = fmt.Sprintf("%d", loginAttemptsMaxPerAccount)
LoginAttemptAdd(ctxbg, pkglog, a)
loginAttemptDrain()
l, err = LoginAttemptList(ctxbg, "", 0)
tcheck(t, err, "list login attempts")
tcompare(t, len(l), loginAttemptsMaxPerAccount)
}
Reference in New Issue View Git Blame Copy Permalink