Add code to Implement account lockout after configured failed attempts

 - Provide default values to the account lockout config

Author: Sae126V

iam-login-service/src/main/java/it/infn/mw/iam/api/account/lockout/AccountLockoutController.java

@@ -0,0 +1,61 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.api.account.lockout;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RestController;
+
+import it.infn.mw.iam.persistence.model.IamAccountLoginLockout;
+import it.infn.mw.iam.persistence.repository.IamAccountLoginLockoutRepository;
+
+@RestController
+public class AccountLockoutController {
+
+  private final IamAccountLoginLockoutRepository lockoutRepo;
+
+  public AccountLockoutController(IamAccountLoginLockoutRepository lockoutRepo) {
+    this.lockoutRepo = lockoutRepo;
+  }
+
+  @GetMapping("/iam/account/{uuid}/lockout")
+  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  public ResponseEntity<?> getLockoutStatus(@PathVariable String uuid) {
+    Optional<IamAccountLoginLockout> lockout = lockoutRepo.findByAccountUuid(uuid);
+
+    if (lockout.isPresent() && lockout.get().getSuspendedUntil() != null
+        && System.currentTimeMillis() < lockout.get().getSuspendedUntil().getTime()) {
+      return ResponseEntity.ok(Map.of(
+          "suspended", true,
+          "suspendedUntil", lockout.get().getSuspendedUntil().getTime()));
+    }
+
+    return ResponseEntity.ok(Map.of("suspended", false));
+  }
+
+  @GetMapping("/iam/account/lockout/suspended")
+  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  public ResponseEntity<?> getAllSuspendedUsers() {
+    List<String> suspendedUsers = lockoutRepo.findAllSuspendedUsers();
+    return ResponseEntity.ok(suspendedUsers);
+  }
+}

iam-login-service/src/main/java/it/infn/mw/iam/authn/lockout/DefaultLoginLockoutService.java

@@ -0,0 +1,205 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.authn.lockout;
+
+import java.util.Date;
+import java.util.Optional;
+
+import javax.annotation.PostConstruct;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.LockedException;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+import it.infn.mw.iam.config.IamProperties;
+import it.infn.mw.iam.config.IamProperties.LoginLockoutProperties;
+import it.infn.mw.iam.persistence.model.IamAccount;
+import it.infn.mw.iam.persistence.model.IamAccountLoginLockout;
+import it.infn.mw.iam.persistence.repository.IamAccountRepository;
+import it.infn.mw.iam.persistence.repository.IamAccountLoginLockoutRepository;
+
+@Service
+public class DefaultLoginLockoutService implements LoginLockoutService {
+
+  private static final Logger LOG = LoggerFactory.getLogger(DefaultLoginLockoutService.class);
+
+  private final IamAccountLoginLockoutRepository lockoutRepo;
+  private final IamAccountRepository accountRepo;
+  private final LoginLockoutProperties properties;
+
+  public DefaultLoginLockoutService(IamAccountLoginLockoutRepository lockoutRepo,
+      IamAccountRepository accountRepo, IamProperties iamProperties) {
+    this.lockoutRepo = lockoutRepo;
+    this.accountRepo = accountRepo;
+    this.properties = iamProperties.getLoginLockout();
+  }
+
+  @PostConstruct
+  void validateConfiguration() {
+    if (!properties.isEnabled()) {
+      LOG.info("Iam Account Login lockout feature is disabled");
+      return;
+    }
+
+    if (properties.getMaxFailedAttempts() < 1) {
+      throw new IllegalStateException(
+          "iam.login-lockout.max-failed-attempts must be >= 1. "
+              + "Please provide the maximum number of failed login attempts allowed before suspension.");
+    }
+
+    if (properties.getLockoutMinutes() < 1) {
+      throw new IllegalStateException(
+          "iam.login-lockout.lockout-minutes must be >= 1. "
+              + "Please provide the suspension duration in minutes.");
+    }
+
+    if (properties.getMaxConcurrentFailures() < 1) {
+      throw new IllegalStateException(
+          "iam.login-lockout.max-concurrent-failures must be >= 1. "
+              + "Please provide the maximum number of suspension rounds allowed before the account is permanently disabled.");
+    }
+
+    LOG.info("Iam Account Login lockout enabled: max-failed-attempts={}, lockout-minutes={}, "
+        + "max-concurrent-failures={}", properties.getMaxFailedAttempts(),
+        properties.getLockoutMinutes(), properties.getMaxConcurrentFailures());
+  }
+
+  @Override
+  @Transactional
+  public void checkIamAccountLockout(String username) {
+
+    if (!properties.isEnabled()) {
+      return;
+    }
+
+    Optional<IamAccountLoginLockout> lockoutOpt = lockoutRepo.findByAccountUsername(username);
+
+    if (lockoutOpt.isEmpty()) {
+      return;
+    }
+
+    IamAccountLoginLockout lockout = lockoutOpt.get();
+
+    if (isSuspended(lockout)) {
+      LOG.info("Login blocked: account '{}' is suspended until {}", username,
+          lockout.getSuspendedUntil());
+      throw new LockedException(
+          "Account is temporarily suspended. Please try again later or contact support for assistance.");
+    }
+
+    // Previous suspension has expired; reset the attempt counter for a fresh round
+    if (lockout.getSuspendedUntil() != null) {
+      LOG.debug("Suspension for '{}' has expired, starting fresh round", username);
+      lockout.setFailedAttempts(0);
+      lockout.setFirstFailureTime(null);
+      lockout.setSuspendedUntil(null);
+      lockoutRepo.save(lockout);
+    }
+  }
+
+  @Override
+  @Transactional
+  public void recordFailedAttempt(String username) {
+
+    if (!properties.isEnabled()) {
+      return;
+    }
+
+    Optional<IamAccount> accountOpt = accountRepo.findByUsername(username);
+
+    if (accountOpt.isEmpty()) {
+      return;
+    }
+
+    IamAccount account = accountOpt.get();
+
+    if (!account.isActive()) {
+      return;
+    }
+
+    IamAccountLoginLockout lockout = lockoutRepo.findByAccountUsername(username)
+        .orElseGet(() -> new IamAccountLoginLockout(account));
+
+    if (isSuspended(lockout)) {
+      return;
+    }
+
+    // if a previous suspension has expired but checkLockout was not called,
+    // reset the counter so we don't carry over stale failedAttempts from the prior round.
+    if (lockout.getSuspendedUntil() != null) {
+      lockout.setFailedAttempts(0);
+      lockout.setFirstFailureTime(null);
+      lockout.setSuspendedUntil(null);
+    }
+
+    Date now = new Date();
+
+    if (lockout.getFailedAttempts() == 0) {
+      lockout.setFirstFailureTime(now);
+    }
+
+    lockout.setFailedAttempts(lockout.getFailedAttempts() + 1);
+
+    LOG.info("Failed login attempt {} of {} for account '{}'", lockout.getFailedAttempts(),
+        properties.getMaxFailedAttempts(), username);
+
+    if (lockout.getFailedAttempts() >= properties.getMaxFailedAttempts()) {
+
+      lockout.setLockoutCount(lockout.getLockoutCount() + 1);
+
+      if (lockout.getLockoutCount() > properties.getMaxConcurrentFailures()) {
+        // All suspension rounds exhausted; disable the account and clean up
+        account.setActive(false);
+        accountRepo.save(account);
+        lockoutRepo.delete(lockout);
+        LOG.warn("Account '{}' disabled after {} suspension rounds", username,
+            properties.getMaxConcurrentFailures());
+        return;
+      }
+
+      // Suspend for the configured duration
+      long suspendUntilMs = now.getTime() + ((long) properties.getLockoutMinutes() * 60 * 1000);
+      lockout.setSuspendedUntil(new Date(suspendUntilMs));
+
+      LOG.warn("Account '{}' suspended until {} (round {} of {})", username,
+          lockout.getSuspendedUntil(), lockout.getLockoutCount(),
+          properties.getMaxConcurrentFailures());
+    }
+
+    lockoutRepo.save(lockout);
+  }
+
+  @Override
+  @Transactional
+  public void resetFailedAttempts(String username) {
+
+    if (!properties.isEnabled()) {
+      return;
+    }
+
+    lockoutRepo.findByAccountUsername(username).ifPresent(lockout -> {
+      lockoutRepo.delete(lockout);
+      LOG.debug("Lockout record deleted for account '{}'", username);
+    });
+  }
+
+  private boolean isSuspended(IamAccountLoginLockout lockout) {
+    return lockout.getSuspendedUntil() != null
+        && System.currentTimeMillis() < lockout.getSuspendedUntil().getTime();
+  }
+}

iam-login-service/src/main/java/it/infn/mw/iam/authn/lockout/LoginLockoutService.java

@@ -0,0 +1,50 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.authn.lockout;
+
+/**
+ * Tracks failed login attempts and enforces temporary suspensions and permanent account disabling.
+ *
+ * Password failures and TOTP failures share the same counter. The lifecycle:
+ *
+ *   User fails {@code max-failed-attempts} times => suspended for {@code lockout-minutes}
+ *   Suspension expires => counter resets, user gets another round of attempts
+ *   After {@code max-concurrent-failures} suspension rounds, the next round of failures
+ *       disables the account ({@code active = false}) and the lockout row is deleted
+ *   An admin can re-enable the account since the lockout row is gone, the user starts fresh
+ */
+public interface LoginLockoutService {
+
+  /**
+   * Throws {@link org.springframework.security.authentication.LockedException} if the account
+   * is currently suspended. If a previous suspension has expired, silently resets the attempt
+   * counter for a fresh round.
+   */
+  void checkIamAccountLockout(String username);
+
+  /**
+   * Records a single failed attempt (password or TOTP). When the attempt count reaches the
+   * threshold the account is suspended. When all suspension rounds are exhausted the account
+   * is disabled and the lockout row is deleted.
+   */
+  void recordFailedAttempt(String username);
+
+  /**
+   * Deletes the lockout row for the given username. Called after a fully successful
+   * authentication (password-only login, or TOTP verification).
+   */
+  void resetFailedAttempts(String username);
+}

iam-login-service/src/main/java/it/infn/mw/iam/authn/multi_factor_authentication/MultiFactorTotpCheckProvider.java

@@ -27,6 +27,7 @@
 
 import it.infn.mw.iam.api.account.multi_factor_authentication.IamTotpMfaService;
 import it.infn.mw.iam.authn.AbstractExternalAuthenticationToken;
+import it.infn.mw.iam.authn.lockout.LoginLockoutService;
 import it.infn.mw.iam.core.ExtendedAuthenticationToken;
 import it.infn.mw.iam.core.user.exception.MfaSecretNotFoundException;
 import it.infn.mw.iam.persistence.model.IamAccount;
@@ -40,11 +41,13 @@ public class MultiFactorTotpCheckProvider implements AuthenticationProvider {
 
   private final IamAccountRepository accountRepo;
   private final IamTotpMfaService totpMfaService;
+  private final LoginLockoutService lockoutService;
 
   public MultiFactorTotpCheckProvider(IamAccountRepository accountRepo,
-      IamTotpMfaService totpMfaService) {
+      IamTotpMfaService totpMfaService, LoginLockoutService lockoutService) {
     this.accountRepo = accountRepo;
     this.totpMfaService = totpMfaService;
+    this.lockoutService = lockoutService;
   }
 
   @Override
@@ -62,13 +65,21 @@ private Authentication processAuthentication(Authentication authentication) {
       return null;
     }
 
-    IamAccount account = accountRepo.findByUsername(authentication.getName())
+    String username = authentication.getName();
+
+    lockoutService.checkIamAccountLockout(username);
+
+    IamAccount account = accountRepo.findByUsername(username)
       .orElseThrow(() -> new BadCredentialsException("Invalid login details"));
 
     if (!isValidTotp(account, totp)) {
+      lockoutService.recordFailedAttempt(username);
       throw new BadCredentialsException("Bad TOTP");
     }
 
+    // TOTP verified; full authentication achieved. Clear lockout state.
+    lockoutService.resetFailedAttempts(username);
+
     return createSuccessfulAuthentication(authentication);
   }