satellite/console: add audit logs for failed logins
This change adds audit log entries for failed logins, tagged with the affected user ID and/or email. See: https://github.com/storj/storj/issues/4987 Change-Id: I58529145d7bd65abe47e002f34ec88018f641268
parent
f507de67f9
commit
cff8158054
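--- a/satellite/console/<file-not-shown>
+++ b/satellite/console/<file-not-shown>
@@ -981,7 +981,6 @@ func (s *Service) Token(ctx context.Context, request AuthUser) (token consoleaut
 valid, err := s.loginCaptchaHandler.Verify(ctx, request.CaptchaResponse, request.IP)
 if err != nil {
 mon.Counter("login_user_captcha_error").Inc(1) //mon:locked
-s.log.Error("captcha authorization failed", zap.Error(err))
 return consoleauth.Token{}, ErrCaptcha.Wrap(err)
 }
 if !valid {
@@ -994,8 +993,10 @@ func (s *Service) Token(ctx context.Context, request AuthUser) (token consoleaut
 if user == nil {
 if len(unverified) > 0 {
 mon.Counter("login_email_unverified").Inc(1) //mon:locked
+s.auditLog(ctx, "login: failed email unverified", nil, request.Email)
 } else {
 mon.Counter("login_email_invalid").Inc(1) //mon:locked
+s.auditLog(ctx, "login: failed invalid email", nil, request.Email)
 }
 return consoleauth.Token{}, ErrLoginCredentials.New(credentialsErrMsg)
 }
@@ -1004,6 +1005,7 @@ func (s *Service) Token(ctx context.Context, request AuthUser) (token consoleaut
 
 if user.LoginLockoutExpiration.After(now) {
 mon.Counter("login_locked_out").Inc(1) //mon:locked
+s.auditLog(ctx, "login: failed account locked out", &user.ID, request.Email)
 return consoleauth.Token{}, ErrLoginCredentials.New(credentialsErrMsg)
 }
 
@@ -1018,10 +1020,12 @@ func (s *Service) Token(ctx context.Context, request AuthUser) (token consoleaut
 
 if user.FailedLoginCount == s.config.LoginAttemptsWithoutPenalty {
 mon.Counter("login_lockout_initiated").Inc(1) //mon:locked
+s.auditLog(ctx, "login: failed login count reached maximum attempts", &user.ID, request.Email)
 }
 
 if user.FailedLoginCount > s.config.LoginAttemptsWithoutPenalty {
 mon.Counter("login_lockout_reinitiated").Inc(1) //mon:locked
+s.auditLog(ctx, "login: failed locked account", &user.ID, request.Email)
 }
 
 return nil
@@ -1034,12 +1038,14 @@ func (s *Service) Token(ctx context.Context, request AuthUser) (token consoleaut
 return consoleauth.Token{}, err
 }
 mon.Counter("login_invalid_password").Inc(1) //mon:locked
+s.auditLog(ctx, "login: failed password invalid", &user.ID, user.Email)
 return consoleauth.Token{}, ErrLoginPassword.New(credentialsErrMsg)
 }
 
 if user.MFAEnabled {
 if request.MFARecoveryCode != "" && request.MFAPasscode != "" {
 mon.Counter("login_mfa_conflict").Inc(1) //mon:locked
+s.auditLog(ctx, "login: failed mfa conflict", &user.ID, user.Email)
 return consoleauth.Token{}, ErrMFAConflict.New(mfaConflictErrMsg)
 }
 
@@ -1059,6 +1065,7 @@ func (s *Service) Token(ctx context.Context, request AuthUser) (token consoleaut
 return consoleauth.Token{}, err
 }
 mon.Counter("login_mfa_recovery_failure").Inc(1) //mon:locked
+s.auditLog(ctx, "login: failed mfa recovery", &user.ID, user.Email)
 return consoleauth.Token{}, ErrMFARecoveryCode.New(mfaRecoveryInvalidErrMsg)
 }
 
@@ -1088,11 +1095,13 @@ func (s *Service) Token(ctx context.Context, request AuthUser) (token consoleaut
 return consoleauth.Token{}, err
 }
 mon.Counter("login_mfa_passcode_failure").Inc(1) //mon:locked
+s.auditLog(ctx, "login: failed mfa passcode invalid", &user.ID, user.Email)
 return consoleauth.Token{}, ErrMFAPasscode.New(mfaPasscodeInvalidErrMsg)
 }
 mon.Counter("login_mfa_passcode_success").Inc(1) //mon:locked
 } else {
 mon.Counter("login_mfa_missing").Inc(1) //mon:locked
+s.auditLog(ctx, "login: failed mfa missing", &user.ID, user.Email)
 return consoleauth.Token{}, ErrMFAMissing.New(mfaRequiredErrMsg)
 }
 }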
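Review bot: The lockout entry `s.auditLog(ctx, "login: failed account locked out", &user.ID, request.Email)` and the two lockout-counter entries in the following hunk record the caller-supplied `request.Email`, while every later entry for a known user records `user.Email`; since `user` is already non-nil on those three paths, passing `user.Email` there gives the audit trail the canonical stored address next to the user ID and keeps an attacker-chosen string out of entries that identify a real account. The two entries for an unknown account necessarily log `request.Email`, so it is worth confirming that `auditLog` (defined outside these hunks) quotes or escapes that field before it reaches the log sink, as it is untrusted request input. Separately, the first hunk drops `s.log.Error("captcha authorization failed", zap.Error(err))` without an audit replacement, which removes the only line that recorded the underlying verifier error behind the counter; if that is intentional, a short comment such as `// verifier error is surfaced via ErrCaptcha; counter only here` on the counter line would make it clear. The Token method starts before the first hunk and continues past the last one.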