Make tests pass, rename jail threshold

This commit is contained in:
Simponic 2022-12-29 17:49:42 -07:00
parent 1a2bdccf12
commit 0aab3c2027
Signed by untrusted user who does not match committer: simponic
GPG Key ID: 52B3774857EB24B1
7 changed files with 32 additions and 109 deletions

View File

@ -8,7 +8,7 @@ config :chessh,
config :chessh, RateLimits,
jail_timeout_ms: 5 * 60 * 1000,
jail_threshold: 15,
jail_attempt_threshold: 15,
max_concurrent_user_sessions: 5
config :hammer,

View File

@ -2,7 +2,7 @@ import Config
config :chessh, RateLimits,
jail_timeout_ms: 1000,
jail_threshold: 2
jail_attempt_threshold: 3
config :chessh, Chessh.Repo,
database: "chessh-test",

View File

@ -22,24 +22,24 @@ defmodule Chessh.SSH.Daemon do
end
def pwd_authenticate(username, password, inet) do
[jail_timeout_ms, jail_threshold] =
[jail_timeout_ms, jail_attempt_threshold] =
Application.get_env(:chessh, RateLimits)
|> Keyword.take([:jail_timeout_ms, :jail_threshold])
|> Keyword.take([:jail_timeout_ms, :jail_attempt_threshold])
|> Keyword.values()
{ip, _port} = inet
rateId = "failed_password_attempts:#{Enum.join(Tuple.to_list(ip), ".")}"
case Hammer.check_rate(rateId, jail_timeout_ms, jail_threshold) do
{:allow, _count} ->
pwd_authenticate(username, password) ||
(fn ->
Hammer.check_rate_inc(rateId, jail_timeout_ms, jail_threshold, 1)
false
end).()
if pwd_authenticate(username, password) do
true
else
case Hammer.check_rate_inc(rateId, jail_timeout_ms, jail_attempt_threshold, 1) do
{:allow, _count} ->
false
{:deny, _limit} ->
:disconnect
{:deny, _limit} ->
:disconnect
end
end
end

View File

@ -5,7 +5,8 @@ defmodule Chessh.Auth.PasswordAuthenticatorTest do
@valid_user %{username: "logan", password: "password"}
setup_all do
:ok = Ecto.Adapters.SQL.Sandbox.checkout(Chessh.Repo)
Ecto.Adapters.SQL.Sandbox.checkout(Repo)
Ecto.Adapters.SQL.Sandbox.mode(Repo, {:shared, self()})
{:ok, _user} = Repo.insert(Player.registration_changeset(%Player{}, @valid_user))

View File

@ -9,7 +9,8 @@ defmodule Chessh.Auth.PublicKeyAuthenticatorTest do
}
setup_all do
:ok = Ecto.Adapters.SQL.Sandbox.checkout(Chessh.Repo)
Ecto.Adapters.SQL.Sandbox.checkout(Repo)
Ecto.Adapters.SQL.Sandbox.mode(Repo, {:shared, self()})
{:ok, player} = Repo.insert(Player.registration_changeset(%Player{}, @valid_user))

View File

@ -1,81 +0,0 @@
defmodule Chessh.SSH.AuthTest do
use ExUnit.Case
alias Chessh.{Player, Repo, Key}
@localhost '127.0.0.1'
@key_name "The Gamer Machine"
@valid_user %{username: "logan", password: "password"}
@client_test_keys_dir Path.join(Application.compile_env!(:chessh, :key_dir), "client_keys")
@client_pub_key 'id_ed25519.pub'
setup_all do
case Ecto.Adapters.SQL.Sandbox.checkout(Repo) do
:ok -> nil
{:already, :owner} -> nil
end
Ecto.Adapters.SQL.Sandbox.mode(Repo, {:shared, self()})
{:ok, player} = Repo.insert(Player.registration_changeset(%Player{}, @valid_user))
{:ok, key_text} = File.read(Path.join(@client_test_keys_dir, @client_pub_key))
{:ok, _key} =
Repo.insert(
Key.changeset(%Key{}, %{key: key_text, name: @key_name})
|> Ecto.Changeset.put_assoc(:player, player)
)
:ok
end
test "Password attempts are rate limited" do
assert :disconnect ==
Enum.reduce(
1..Application.fetch_env!(:chessh, RateLimits, :jail_threshold),
fn _, _ ->
Chessh.SSH.Daemon.pwd_authenticate(
@valid_user.username,
'wrong_password',
@localhost
) do
end
)
end
test "INTEGRATION - Can ssh into daemon with password or public key" do
{:ok, sup} = Task.Supervisor.start_link()
test_pid = self()
Task.Supervisor.start_child(sup, fn ->
{:ok, _pid} =
:ssh.connect(@localhost, Application.fetch_env!(:chessh, :port),
user: String.to_charlist(@valid_user.username),
password: String.to_charlist(@valid_user.password),
auth_methods: 'password',
silently_accept_hosts: true
)
send(test_pid, :connected_via_password)
end)
Task.Supervisor.start_child(sup, fn ->
{:ok, _pid} =
:ssh.connect(@localhost, Application.fetch_env!(:chessh, :port),
user: String.to_charlist(@valid_user.username),
auth_methods: 'publickey',
silently_accept_hosts: true,
user_dir: String.to_charlist(@client_test_keys_dir)
)
send(test_pid, :connected_via_public_key)
end)
assert_receive(:connected_via_password, 500)
assert_receive(:connected_via_public_key, 500)
end
test "INTEGRATION - User cannot have more than specified concurrent sessions" do
:ok
end
end

View File

@ -3,17 +3,14 @@ defmodule Chessh.SSH.AuthTest do
alias Chessh.{Player, Repo, Key}
@localhost '127.0.0.1'
@localhost_inet {{127, 0, 0, 1}, 1}
@key_name "The Gamer Machine"
@valid_user %{username: "logan", password: "password"}
@client_test_keys_dir Path.join(Application.compile_env!(:chessh, :key_dir), "client_keys")
@client_pub_key 'id_ed25519.pub'
setup_all do
case Ecto.Adapters.SQL.Sandbox.checkout(Repo) do
:ok -> nil
{:already, :owner} -> nil
end
Ecto.Adapters.SQL.Sandbox.checkout(Repo)
Ecto.Adapters.SQL.Sandbox.mode(Repo, {:shared, self()})
{:ok, player} = Repo.insert(Player.registration_changeset(%Player{}, @valid_user))
@ -30,15 +27,19 @@ defmodule Chessh.SSH.AuthTest do
end
test "Password attempts are rate limited" do
jail_attempt_threshold =
Application.get_env(:chessh, RateLimits)
|> Keyword.get(:jail_attempt_threshold)
assert :disconnect ==
Enum.reduce(
1..Application.fetch_env!(:chessh, RateLimits, :jail_threshold),
0..(jail_attempt_threshold + 1),
fn _, _ ->
Chessh.SSH.Daemon.pwd_authenticate(
@valid_user.username,
'wrong_password',
@localhost
) do
@valid_user.username,
"wrong_password",
@localhost_inet
)
end
)
end
@ -75,7 +76,8 @@ defmodule Chessh.SSH.AuthTest do
assert_receive(:connected_via_public_key, 500)
end
test "INTEGRATION - User cannot have more than specified concurrent sessions" do
:ok
end
# TODO
# test "INTEGRATION - User cannot have more than specified concurrent sessions" do
# :ok
# end
end