Merge pull request #1803 from OpenConext/feature/add-in-flight-authentications-limit

Add in flight authentication limit

Author: pablothedude

app/config/parameters.yml.dist

@@ -192,6 +192,7 @@ parameters:
     ## Settings for detecting whether the user is stuck in a authentication loop within his session
     time_frame_for_authentication_loop_in_seconds: 60
     maximum_authentication_procedures_allowed: 5
+    maximum_authentications_per_session: 20
 
     ## Store attributes with their values, meaning that if an Idp suddenly
     ## sends a new value (like a new e-mail address) consent has to be

ci/qa/behat.sh

@@ -23,7 +23,7 @@ chown -R www-data app/cache/
 chmod -R 0777 /tmp/eb-fixtures
 
 echo -e "\nRun the Behat tests\n"
-./vendor/bin/behat -c ./tests/behat-ci.yml --suite default -vv --format progress --strict
+./vendor/bin/behat -c ./tests/behat-ci.yml --suite default -vv --format progress --strict $@
 
 #echo -e "\nBehat tests (with selenium and headless Chrome)\n"
 #./vendor/bin/behat -c ./tests/behat-ci.yml --suite selenium -vv --format progress --strict

ci/qa/phpcbf.sh

@@ -5,3 +5,6 @@ cd $(dirname $0)/../../
 
 echo -e "\nPHP CodeSniffer\n"
 ./vendor/bin/phpcbf --standard=ci/qa-config/phpcs.xml src
+
+echo -e "\nPHP CodeSniffer (legacy code)\n"
+./vendor/bin/phpcs --standard=ci/qa-config/phpcs-legacy.xml library

languages/messages.en.php

@@ -222,6 +222,8 @@
     'error_stuck_in_authentication_loop_desc_no_idp_name' => 'You\'ve successfully authenticated at your %organisationNoun% but %spName% sends you back again to %suiteName%. Because you are already logged in, %suiteName% then sends you back to %spName%, which results in an infinite black hole. Likely, this is caused by an error at %spName%.',
     'error_stuck_in_authentication_loop_desc_no_sp_name' => 'You\'ve successfully authenticated at %idpName% but the service you are trying to access sends you back again to %suiteName%. Because you are already logged in, %suiteName% then sends you back to the service, which results in an infinite black hole. Likely, this is caused by an error at the Service Provider.',
     'error_stuck_in_authentication_loop_desc_no_name' => 'You\'ve successfully authenticated at your %organisationNoun% but the service you are trying to access sends you back again to %suiteName%. Because you are already logged in, %suiteName% then sends you back to the service, which results in an infinite black hole. Likely, this is caused by an error at the Service Provider.',
+    'error_authentication_limit_exceeded' => 'Error - too many authentications in progress',
+    'error_authentication_limit_exceeded_desc' => 'Too many authentications in progress',
     'error_no_authentication_request_received' => 'Error - No authentication request received.',
     'error_authn_context_class_ref_blacklisted'                     => 'Error - AuthnContextClassRef value is not allowed',
     'error_authn_context_class_ref_blacklisted_desc'                => 'You cannot login because %idpName% sent a value for AuthnContextClassRef that is not allowed. Please contact the service desk of %idpName% to solve this.',

languages/messages.nl.php

@@ -219,6 +219,8 @@
     'error_stuck_in_authentication_loop_desc_no_idp_name' => 'Je bent succesvol ingelogd bij je %organisationNoun% maar %spName% stuurt je weer terug naar %suiteName%. Omdat je succesvol bent ingelogd, stuurt %suiteName% je weer naar %spName%, wat resulteert in een oneindig zwart gat. Dit komt waarschijnlijk door een foutje aan de kant van %spName%.',
     'error_stuck_in_authentication_loop_desc_no_sp_name' => 'Je bent succesvol ingelogd bij %idpName% maar de dienst waar je naartoe wilt stuurt je weer terug naar %suiteName%. Omdat je succesvol bent ingelogd, stuurt %suiteName% je weer naar de dienst, wat resulteert in een oneindig zwart gat. Dit komt waarschijnlijk door een foutje aan de kant van de dienst.',
     'error_stuck_in_authentication_loop_desc_no_name' => 'Je bent succesvol ingelogd bij je %organisationNoun% maar de dienst waar je naartoe wilt stuurt je weer terug naar %suiteName%. Omdat je succesvol bent ingelogd, stuurt %suiteName% je weer naar de dienst, wat resulteert in een oneindig zwart gat. Dit komt waarschijnlijk door een foutje aan de kant van de dienst.',
+    'error_authentication_limit_exceeded' => 'Fout - teveel onafgeronde authenticaties tegelijkertijd.',
+    'error_authentication_limit_exceeded_desc' => 'Teveel onafgeronde authenticaties tegelijkertijd.',
     'error_no_authentication_request_received' => 'Fout - Geen authenticatie-aanvraag ontvangen.',
     'error_authn_context_class_ref_blacklisted' => 'Fout - Waarde van AuthnContextClassRef is niet toegestaan',
     'error_authn_context_class_ref_blacklisted_desc' => 'Je kunt niet inloggen omdat %idpName% een waarde stuurde voor AuthnContextClassRef die niet is toegestaan. Neem contact op met de helpdesk van %idpName% om dit op te lossen.',

languages/messages.pt.php

@@ -216,6 +216,8 @@
     'error_stuck_in_authentication_loop_desc_no_idp_name' => 'Autenticou-se com sucesso no seu Fornecedor de Identidade, mas o %spName% reencaminhou-o de volta para %suiteName%. Como já está autenticado, o %suiteName% o reencaminha de volta para o %spName%, o que resulta num ciclo infinito. Muito provavelmente, isto é provocado por um erro no %spName%.',
     'error_stuck_in_authentication_loop_desc_no_sp_name' => 'Autenticou-se com sucesso no seu %idpName%, mas o serviço reencaminhou-o de volta para %suiteName%. Como já está autenticado, o %suiteName% o reencaminha de volta para o serviço, o que resulta num ciclo infinito. Muito provavelmente, isto é provocado por um erro no Fornecedor de Serviço.',
     'error_stuck_in_authentication_loop_desc_no_name' => 'Autenticou-se com sucesso no seu Fornecedor de Identidade, mas o serviço ao qual está a tentar aceder reencaminhou-o de volta para %suiteName%. Como já está autenticado, o %suiteName% o reencaminha de volta para o serviço, o que resulta num ciclo infinito. Muito provavelmente, isto é provocado por um erro no Fornecedor de Serviço.',
+    'error_authentication_limit_exceeded' => 'Error - too many authentications in progress',
+    'error_authentication_limit_exceeded_desc' => 'Too many authentications in progress',
     'error_authn_context_class_ref_blacklisted'                     => 'Erro - O valor para AuthnContextClassRef não é permitido',
     'error_authn_context_class_ref_blacklisted_desc'                => '<p>Não pode autenticar-se porque a %idpName% enviou um valor para AuthnContextClassRef que não é permitido.</p>',
     'error_authn_context_class_ref_blacklisted_desc_no_idp_name'                => '<p>Não pode autenticar-se porque a sua %organisationNoun% enviou um valor para AuthnContextClassRef que não é permitido.</p>',

src/OpenConext/EngineBlockBundle/Authentication/AuthenticationLoopGuard.php

@@ -34,9 +34,15 @@ final class AuthenticationLoopGuard implements AuthenticationLoopGuardInterface
      */
     private $timeFrameForAuthenticationLoopInSeconds;
 
+    /**
+     * @var int
+     */
+    private $maximumAuthenticationsPerSession;
+
     public function __construct(
         $maximumAuthenticationProceduresAllowed,
-        $timeFrameForAuthenticationLoopInSeconds
+        $timeFrameForAuthenticationLoopInSeconds,
+        $maximumAuthenticationsPerSession
     ) {
         Assertion::integer(
             $maximumAuthenticationProceduresAllowed,
@@ -46,20 +52,20 @@ public function __construct(
             $timeFrameForAuthenticationLoopInSeconds,
             'Expected time frame for determining authentication loop in seconds to be an integer, got "%s"'
         );
+        Assertion::integer(
+            $maximumAuthenticationsPerSession,
+            'Expected maximum authentication per session to be an integer, got "%s"'
+        );
 
         $this->maximumAuthenticationProceduresAllowed  = $maximumAuthenticationProceduresAllowed;
         $this->timeFrameForAuthenticationLoopInSeconds = $timeFrameForAuthenticationLoopInSeconds;
+        $this->maximumAuthenticationsPerSession  = $maximumAuthenticationsPerSession;
     }
 
-    /**
-     * @param Entity $serviceProvider
-     * @param AuthenticationProcedureMap $pastAuthenticationProcedures
-     * @return bool
-     */
     public function detectsAuthenticationLoop(
         Entity $serviceProvider,
         AuthenticationProcedureMap $pastAuthenticationProcedures
-    ) {
+    ): bool {
         $now  = new DateTimeImmutable;
         $startDate = $now->modify(sprintf('-%d seconds', $this->timeFrameForAuthenticationLoopInSeconds));
 
@@ -70,4 +76,18 @@ public function detectsAuthenticationLoop(
 
         return $processedLoginProcedures >= $this->maximumAuthenticationProceduresAllowed;
     }
+
+
+    /**
+     * @param AuthenticationProcedureMap $pastAuthenticationProcedures
+     * @return bool
+     */
+    public function detectsAuthenticationLimit(
+        AuthenticationProcedureMap $pastAuthenticationProcedures
+    ): bool {
+        $processedLoginProcedures = $pastAuthenticationProcedures
+            ->count();
+
+        return $processedLoginProcedures >= $this->maximumAuthenticationsPerSession;
+    }
 }

src/OpenConext/EngineBlockBundle/Authentication/AuthenticationLoopGuardInterface.php

@@ -22,13 +22,12 @@
 
 interface AuthenticationLoopGuardInterface
 {
-    /**
-     * @param Entity $serviceProvider
-     * @param AuthenticationProcedureMap $pastAuthenticationProcedures
-     * @return
-     */
     public function detectsAuthenticationLoop(
         Entity $serviceProvider,
         AuthenticationProcedureMap $pastAuthenticationProcedures
-    );
+    ): bool;
+
+    public function detectsAuthenticationLimit(
+        AuthenticationProcedureMap $pastAuthenticationProcedures
+    ): bool;
 }

src/OpenConext/EngineBlockBundle/Authentication/AuthenticationState.php

@@ -21,6 +21,7 @@
 use Assert\AssertionFailedException;
 use DateTimeImmutable;
 use OpenConext\EngineBlock\Assert\Assertion;
+use OpenConext\EngineBlockBundle\Exception\AuthenticationSessionLimitExceededException;
 use OpenConext\EngineBlockBundle\Exception\LogicException;
 use OpenConext\EngineBlockBundle\Exception\StuckInAuthenticationLoopException;
 use OpenConext\Value\Saml\Entity;
@@ -54,6 +55,23 @@ public function startAuthenticationOnBehalfOf(string $requestId, Entity $service
         Assertion::string($requestId, 'The requestId must be a string (XML ID) value');
         $currentAuthenticationProcedure = AuthenticationProcedure::onBehalfOf($serviceProvider);
 
+        // Validate if the processed authentications this session do not exceed the configured maximum of authentications
+        $authenticationLimitExceeded = $this->authenticationLoopGuard->detectsAuthenticationLimit(
+            $this->authenticationProcedures
+        );
+
+        if ($authenticationLimitExceeded) {
+            session_destroy();
+
+            throw new AuthenticationSessionLimitExceededException(
+                'More than the configured maximum authentication procedures for this session'
+                    . ' the user seems to have started too much authentications this session. '
+                    . ' Resetting the session.'
+            );
+        }
+
+        // Validate if the processed authentications for the service provider for this session do not exceed
+        // the configured maximum authentications in a configured time frame.
         $inAuthenticationLoop = $this->authenticationLoopGuard->detectsAuthenticationLoop(
             $serviceProvider,
             $this->authenticationProcedures

src/OpenConext/EngineBlockBundle/Controller/FeedbackController.php

@@ -454,6 +454,14 @@ public function stuckInAuthenticationLoopAction()
         );
     }
 
+    public function authenticationLimitExceededAction()
+    {
+        return new Response(
+            $this->twig->render('@theme/Authentication/View/Feedback/authentication-limit-exceeded.html.twig'),
+            429
+        );
+    }
+
     /**
      * @return Response
      */