Lockout middleware for ec2 api

1 files changed, 69 insertions, 1 deletions

diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py
index a6ee16c33..19eb666cd 100644
--- a/nova/api/ec2/__init__.py
+++ b/nova/api/ec2/__init__.py
@@ -22,12 +22,13 @@ Starting point for routing EC2 requests.
 
 import logging
 import routes
+import time
 import webob
 import webob.dec
 import webob.exc
 
-from nova import exception
 from nova import context
+from nova import exception
 from nova import flags
 from nova import wsgi
 from nova.api.ec2 import apirequest
@@ -37,6 +38,16 @@ from nova.auth import manager
 
 
 FLAGS = flags.FLAGS
+flags.DEFINE_boolean('use_lockout', False,
+                     'Whether or not to use lockout middleware.')
+flags.DEFINE_integer('lockout_attempts', 5,
+                     'Number of failed auths before lockout.')
+flags.DEFINE_integer('lockout_minutes', 15,
+                     'Number of minutes to lockout if triggered.')
+flags.DEFINE_list('lockout_memcached_servers', None,
+                  'Memcached servers or None for in process cache.')
+
+
 _log = logging.getLogger("api")
 _log.setLevel(logging.DEBUG)
 
@@ -47,6 +58,63 @@ class API(wsgi.Middleware):
 
     def __init__(self):
         self.application = Authenticate(Router(Authorizer(Executor())))
+        if FLAGS.use_lockout:
+            self.application = Lockout(self.application)
+
+
+class Lockout(wsgi.Middleware):
+    """Only allow x failed auths in a y minute period.
+
+    x = lockout_attempts flag
+    y = lockout_timeout flag
+
+    Uses memcached if lockout_memcached_servers flag is set, otherwise it
+    uses a very simple in-proccess cache. Due to the simplicity of
+    the implementation, the timeout window is reset with every failed
+    request, so it actually blocks if there are x failed logins with no
+    more than y minutes between any two failures.
+
+    There is a possible race condition where simultaneous requests could
+    sneak in before the lockout hits, but this is extremely rare and would
+    only result in a couple of extra failed attempts."""
+
+    def __init__(self, application, time_fn=time.time):
+        """The middleware can use a custom time function for testing."""
+        self.time_fn = time_fn
+        if FLAGS.lockout_memcached_servers:
+            import memcache
+        else:
+            from nova import fakememcache as memcache
+        self.mc = memcache.Client(FLAGS.lockout_memcached_servers, debug=0)
+        super(Lockout, self).__init__(application)
+
+    @webob.dec.wsgify
+    def __call__(self, req):
+        access_key = req.params['AWSAccessKeyId']
+        failures_key = "%s-failures" % access_key
+        last_key = "%s-last" % access_key
+        now = self.time_fn()
+        timeout = now - FLAGS.lockout_minutes * 60
+        # NOTE(vish): To use incr, failures has to be a string.
+        failures = int(self.mc.get(failures_key) or 0)
+        last = self.mc.get(last_key)
+        if (failures and failures >= FLAGS.lockout_attempts
+            and last > timeout):
+            self.mc.set(last_key, now)
+            detail = "Too many failed authentications."
+            raise webob.exc.HTTPForbidden(detail=detail)
+        res = req.get_response(self.application)
+        if res.status_int == 403:
+            if last > timeout:
+                failures = int(self.mc.incr(failures_key))
+                if failures >= FLAGS.lockout_attempts:
+                    _log.warn('Access key %s has had %d failed authentications'
+                              ' and will be locked out for %d minutes.' %
+                              (access_key, failures, FLAGS.lockout_minutes))
+            else:
+                self.mc.set(failures_key, '1')
+            self.mc.set(last_key, now)
+        return res
 
 
 class Authenticate(wsgi.Middleware):