WSGI middleware for lockout after failed authentications of ec2 access key.

5 files changed, 251 insertions, 3 deletions

diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py
index dd87d1f71..d1e2596c3 100644
--- a/nova/api/ec2/__init__.py
+++ b/nova/api/ec2/__init__.py
@@ -26,8 +26,8 @@ import webob
 import webob.dec
 import webob.exc
 
-from nova import exception
 from nova import context
+from nova import exception
 from nova import flags
 from nova import wsgi
 from nova.api.ec2 import apirequest
@@ -37,16 +37,79 @@ from nova.auth import manager
 
 
 FLAGS = flags.FLAGS
+flags.DEFINE_boolean('use_lockout', False,
+                     'Whether or not to use lockout middleware.')
+flags.DEFINE_integer('lockout_attempts', 5,
+                     'Number of failed auths before lockout.')
+flags.DEFINE_integer('lockout_minutes', 15,
+                     'Number of minutes to lockout if triggered.')
+flags.DEFINE_integer('lockout_window', 15,
+                     'Number of minutes for lockout window.')
+flags.DEFINE_list('lockout_memcached_servers', None,
+                  'Memcached servers or None for in process cache.')
+
+
 _log = logging.getLogger("api")
 _log.setLevel(logging.DEBUG)
 
 
 class API(wsgi.Middleware):
-
     """Routing for all EC2 API requests."""
 
     def __init__(self):
         self.application = Authenticate(Router(Authorizer(Executor())))
+        if FLAGS.use_lockout:
+            self.application = Lockout(self.application)
+
+
+class Lockout(wsgi.Middleware):
+    """Lockout for x minutes on y failed auths in a z minute period.
+
+    x = lockout_timeout flag
+    y = lockout_window flag
+    z = lockout_attempts flag
+
+    Uses memcached if lockout_memcached_servers flag is set, otherwise it
+    uses a very simple in-proccess cache. Due to the simplicity of
+    the implementation, the timeout window is started with the first
+    failed request, so it will block if there are x failed logins within
+    that period.
+
+    There is a possible race condition where simultaneous requests could
+    sneak in before the lockout hits, but this is extremely rare and would
+    only result in a couple of extra failed attempts."""
+
+    def __init__(self, application):
+        """middleware can use fake for testing."""
+        if FLAGS.lockout_memcached_servers:
+            import memcache
+        else:
+            from nova import fakememcache as memcache
+        self.mc = memcache.Client(FLAGS.lockout_memcached_servers,
+                                  debug=0)
+        super(Lockout, self).__init__(application)
+
+    @webob.dec.wsgify
+    def __call__(self, req):
+        access_key = str(req.params['AWSAccessKeyId'])
+        failures_key = "authfailures-%s" % access_key
+        failures = int(self.mc.get(failures_key) or 0)
+        if failures >= FLAGS.lockout_attempts:
+            detail = "Too many failed authentications."
+            raise webob.exc.HTTPForbidden(detail=detail)
+        res = req.get_response(self.application)
+        if res.status_int == 403:
+            failures = self.mc.incr(failures_key)
+            if failures is None:
+                # NOTE(vish): To use incr, failures has to be a string.
+                self.mc.set(failures_key, '1', time=FLAGS.lockout_window * 60)
+            elif failures >= FLAGS.lockout_attempts:
+                _log.warn('Access key %s has had %d failed authentications'
+                          ' and will be locked out for %d minutes.' %
+                          (access_key, failures, FLAGS.lockout_minutes))
+                self.mc.set(failures_key, str(failures),
+                            time=FLAGS.lockout_minutes * 60)
+        return res
 
 
 class Authenticate(wsgi.Middleware):
diff --git a/nova/fakememcache.py b/nova/fakememcache.py
new file mode 100644
index 000000000..67f46dbdc
--- /dev/null
+++ b/nova/fakememcache.py
@@ -0,0 +1,59 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2010 United States Government as represented by the
+# Administrator of the National Aeronautics and Space Administration.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+"""Super simple fake memcache client."""
+
+import utils
+
+
+class Client(object):
+    """Replicates a tiny subset of memcached client interface."""
+
+    def __init__(self, *args, **kwargs):
+        """Ignores the passed in args"""
+        self.cache = {}
+
+    def get(self, key):
+        """Retrieves the value for a key or None."""
+        (timeout, value) = self.cache.get(key, (0, None))
+        if timeout == 0 or utils.utcnow_ts() < timeout:
+            return value
+        return None
+
+    def set(self, key, value, time=0, min_compress_len=0):
+        """Sets the value for a key."""
+        timeout = 0
+        if time != 0:
+            timeout = utils.utcnow_ts() + time
+        self.cache[key] = (timeout, value)
+        return True
+
+    def add(self, key, value, time=0, min_compress_len=0):
+        """Sets the value for a key if it doesn't exist."""
+        if not self.get(key) is None:
+            return False
+        return self.set(key, value, time, min_compress_len)
+
+    def incr(self, key, delta=1):
+        """Increments the value for a key."""
+        value = self.get(key)
+        if value is None:
+            return None
+        new_value = int(value) + delta
+        self.cache[key] = (self.cache[key][0], str(new_value))
+        return new_value
diff --git a/nova/tests/middleware_unittest.py b/nova/tests/middleware_unittest.py
new file mode 100644
index 000000000..0febf52d6
--- /dev/null
+++ b/nova/tests/middleware_unittest.py
@@ -0,0 +1,86 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2010 United States Government as represented by the
+# Administrator of the National Aeronautics and Space Administration.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import datetime
+import webob
+import webob.dec
+import webob.exc
+
+from nova.api import ec2
+from nova import flags
+from nova import test
+from nova import utils
+
+
+FLAGS = flags.FLAGS
+
+
+@webob.dec.wsgify
+def conditional_forbid(req):
+    """Helper wsgi app returns 403 if param 'die' is 1."""
+    if 'die' in req.params and req.params['die'] == '1':
+        raise webob.exc.HTTPForbidden()
+    return 'OK'
+
+
+class LockoutTestCase(test.TrialTestCase):
+    """Test case for the Lockout middleware."""
+    def setUp(self):  # pylint: disable-msg=C0103
+        super(LockoutTestCase, self).setUp()
+        utils.set_time_override()
+        self.lockout = ec2.Lockout(conditional_forbid)
+
+    def tearDown(self):  # pylint: disable-msg=C0103
+        utils.clear_time_override()
+        super(LockoutTestCase, self).tearDown()
+
+    def _send_bad_attempts(self, access_key, num_attempts=1):
+        """Fail x."""
+        for i in xrange(num_attempts):
+            req = webob.Request.blank('/?AWSAccessKeyId=%s&die=1' % access_key)
+            self.assertEqual(req.get_response(self.lockout).status_int, 403)
+
+    def _is_locked_out(self, access_key):
+        """Sends a test request to see if key is locked out."""
+        req = webob.Request.blank('/?AWSAccessKeyId=%s' % access_key)
+        return (req.get_response(self.lockout).status_int == 403)
+
+    def test_lockout(self):
+        self._send_bad_attempts('test', FLAGS.lockout_attempts)
+        self.assertTrue(self._is_locked_out('test'))
+
+    def test_timeout(self):
+        self._send_bad_attempts('test', FLAGS.lockout_attempts)
+        self.assertTrue(self._is_locked_out('test'))
+        utils.advance_time_seconds(FLAGS.lockout_minutes * 60)
+        self.assertFalse(self._is_locked_out('test'))
+
+    def test_multiple_keys(self):
+        self._send_bad_attempts('test1', FLAGS.lockout_attempts)
+        self.assertTrue(self._is_locked_out('test1'))
+        self.assertFalse(self._is_locked_out('test2'))
+        utils.advance_time_seconds(FLAGS.lockout_minutes * 60)
+        self.assertFalse(self._is_locked_out('test1'))
+        self.assertFalse(self._is_locked_out('test2'))
+
+    def test_window_timeout(self):
+        self._send_bad_attempts('test', FLAGS.lockout_attempts - 1)
+        self.assertFalse(self._is_locked_out('test'))
+        utils.advance_time_seconds(FLAGS.lockout_window * 60)
+        self._send_bad_attempts('test', FLAGS.lockout_attempts - 1)
+        self.assertFalse(self._is_locked_out('test'))
diff --git a/nova/utils.py b/nova/utils.py
index 30fd12db0..b9045a50c 100644
--- a/nova/utils.py
+++ b/nova/utils.py
@@ -29,6 +29,7 @@ import subprocess
 import socket
 import struct
 import sys
+import time
 from xml.sax import saxutils
 
 from eventlet import event
@@ -205,13 +206,51 @@ def get_my_ip():
         return "127.0.0.1"
 
 
+def utcnow():
+    """Overridable version of datetime.datetime.utcnow."""
+    if utcnow.override_time:
+        return utcnow.override_time
+    return datetime.datetime.utcnow()
+
+
+utcnow.override_time = None
+
+
+def utcnow_ts():
+    """Timestamp version of our utcnow function."""
+    return time.mktime(utcnow().timetuple())
+
+
+def set_time_override(override_time=datetime.datetime.utcnow()):
+    """Override utils.utcnow to return a constant time."""
+    utcnow.override_time = override_time
+
+
+def advance_time_delta(timedelta):
+    """Advance overriden time using a datetime.timedelta."""
+    assert(not utcnow.override_time is None)
+    utcnow.override_time += timedelta
+
+
+def advance_time_seconds(seconds):
+    """Advance overriden time by seconds."""
+    advance_time_delta(datetime.timedelta(0, seconds))
+
+
+def clear_time_override():
+    """Remove the overridden time."""
+    utcnow.override_time = None
+
+
 def isotime(at=None):
+    """Returns iso formatted utcnow."""
     if not at:
-        at = datetime.datetime.utcnow()
+        at = utcnow()
     return at.strftime(TIME_FORMAT)
 
 
 def parse_isotime(timestr):
+    """Turn an iso formatted time back into a datetime"""
     return datetime.datetime.strptime(timestr, TIME_FORMAT)
 
 
diff --git a/run_tests.py b/run_tests.py
index 6a4b7f1ab..312ed7ef3 100644
--- a/run_tests.py
+++ b/run_tests.py
@@ -60,6 +60,7 @@ from nova.tests.auth_unittest import *
 from nova.tests.cloud_unittest import *
 from nova.tests.compute_unittest import *
 from nova.tests.flags_unittest import *
+from nova.tests.middleware_unittest import *
 from nova.tests.misc_unittest import *
 from nova.tests.network_unittest import *
 #from nova.tests.objectstore_unittest import *