.env

@@ -0,0 +1 @@
+NODE_ID=node-one

.env.example

@@ -0,0 +1 @@
+NODE_ID=aUniqueString

config/config.exs

@@ -3,10 +3,14 @@ import Config
 config :chessh,
   ecto_repos: [Chessh.Repo],
   key_dir: Path.join(Path.dirname(__DIR__), "priv/keys"),
-  max_password_attempts: 3,
   port: 42_069,
   max_sessions: 255
 
+config :chessh, RateLimits,
+  jail_timeout_ms: 5 * 60 * 1000,
+  jail_threshold: 15,
+  max_concurrent_user_sessions: 5
+
 config :hammer,
   backend: {Hammer.Backend.ETS, [expiry_ms: 60_000 * 60 * 4, cleanup_interval_ms: 60_000 * 10]}
 

config/test.exs

@@ -1,7 +1,8 @@
 import Config
 
-config :hammer,
-  backend: {Hammer.Backend.ETS, [expiry_ms: 60_000 * 60 * 4, cleanup_interval_ms: 60_000 * 10]}
+config :chessh, RateLimits,
+  jail_timeout_ms: 1000,
+  jail_threshold: 2
 
 config :chessh, Chessh.Repo,
   database: "chessh-test",

lib/chessh/application.ex

@@ -1,9 +1,23 @@
 defmodule Chessh.Application do
+  alias Chessh.{PlayerSession, Node}
   use Application
 
+  def initialize_player_sessions_on_node() do
+    # If we have more than one node running the ssh daemon, we'd want to ensure
+    # this is restarting after every potential crash. Otherwise the player sessions
+    # on the node would hang.
+    node_id = System.fetch_env!("NODE_ID")
+    Node.boot(node_id)
+    PlayerSession.delete_all_on_node(node_id)
+  end
+
   def start(_, _) do
     children = [Chessh.Repo, Chessh.SSH.Daemon]
     opts = [strategy: :one_for_one, name: Chessh.Supervisor]
-    Supervisor.start_link(children, opts)
+
+    with {:ok, pid} <- Supervisor.start_link(children, opts) do
+      initialize_player_sessions_on_node()
+      {:ok, pid}
+    end
   end
 end

lib/chessh/auth/password.ex

@@ -2,8 +2,8 @@ defmodule Chessh.Auth.PasswordAuthenticator do
   alias Chessh.{Player, Repo}
 
   def authenticate(username, password) do
-    case Repo.get_by(Player, username: String.Chars.to_string(username)) do
-      x -> Player.valid_password?(x, String.Chars.to_string(password))
+    case Repo.get_by(Player, username: username) do
+      x -> Player.valid_password?(x, password)
     end
   end
 end

lib/chessh/schema/node.ex

@@ -0,0 +1,24 @@
+defmodule Chessh.Node do
+  alias Chessh.Repo
+  import Ecto.Changeset
+  use Ecto.Schema
+
+  @primary_key {:id, :string, []}
+  schema "nodes" do
+    field(:last_start, :utc_datetime)
+  end
+
+  def changeset(node, attrs) do
+    node
+    |> cast(attrs, [:last_start])
+  end
+
+  def boot(node_id) do
+    case Repo.get(Chessh.Node, node_id) do
+      nil -> %Chessh.Node{id: node_id}
+      node -> node
+    end
+    |> Chessh.Node.changeset(%{last_start: DateTime.utc_now()})
+    |> Repo.insert_or_update()
+  end
+end

lib/chessh/schema/player_session.ex

@@ -0,0 +1,34 @@
+defmodule Chessh.PlayerSession do
+  alias Chessh.Repo
+  use Ecto.Schema
+  import Ecto.{Query, Changeset}
+
+  schema "player_sessions" do
+    field(:login, :utc_datetime)
+
+    belongs_to(:node, Chessh.Node, type: :string)
+    belongs_to(:player, Chessh.Player)
+  end
+
+  def changeset(player_session, attrs) do
+    player_session
+    |> cast(attrs, [:login])
+  end
+
+  def concurrent_sessions(player) do
+    Repo.aggregate(
+      from(p in Chessh.PlayerSession,
+        where: p.player_id == ^player.id
+      ),
+      :count
+    )
+  end
+
+  def delete_all_on_node(node_id) do
+    Repo.delete_all(
+      from(p in Chessh.PlayerSession,
+        where: p.node_id == ^node_id
+      )
+    )
+  end
+end

lib/chessh/ssh/daemon.ex

@@ -1,4 +1,5 @@
 defmodule Chessh.SSH.Daemon do
+  alias Chessh.Auth.PasswordAuthenticator
   use GenServer
 
   def start_link(_) do
@@ -12,24 +13,39 @@ defmodule Chessh.SSH.Daemon do
     {:ok, state}
   end
 
-  def pwd_authenticate(username, password, _address, attempts) do
-    if Chessh.Auth.PasswordAuthenticator.authenticate(username, password) do
-      true
-    else
-      newAttempts =
-        case attempts do
-          :undefined -> 0
-          _ -> attempts
-        end
+  def pwd_authenticate(username, password) do
+    # TODO - check concurrent sessions
+    PasswordAuthenticator.authenticate(
+      String.Chars.to_string(username),
+      String.Chars.to_string(password)
+    )
+  end
 
-      if Application.fetch_env!(:chessh, :max_password_attempts) <= newAttempts do
+  def pwd_authenticate(username, password, inet) do
+    [jail_timeout_ms, jail_threshold] =
+      Application.get_env(:chessh, RateLimits)
+      |> Keyword.take([:jail_timeout_ms, :jail_threshold])
+      |> Keyword.values()
+
+    {ip, _port} = inet
+    rateId = "failed_password_attempts:#{Enum.join(Tuple.to_list(ip), ".")}"
+
+    case Hammer.check_rate(rateId, jail_timeout_ms, jail_threshold) do
+      {:allow, _count} ->
+        pwd_authenticate(username, password) ||
+          (fn ->
+             Hammer.check_rate_inc(rateId, jail_timeout_ms, jail_threshold, 1)
+             false
+           end).()
+
+      {:deny, _limit} ->
         :disconnect
-      else
-        {false, newAttempts + 1}
-      end
     end
   end
 
+  def pwd_authenticate(username, password, inet, _address),
+    do: pwd_authenticate(username, password, inet)
+
   def handle_cast(:start, state) do
     port = Application.fetch_env!(:chessh, :port)
     key_dir = String.to_charlist(Application.fetch_env!(:chessh, :key_dir))
@@ -40,6 +56,7 @@ defmodule Chessh.SSH.Daemon do
            system_dir: key_dir,
            pwdfun: &pwd_authenticate/4,
            key_cb: Chessh.SSH.ServerKey,
+           #          disconnectfun: 
            id_string: :random,
            subsystems: [],
            parallel_login: true,

lib/chessh/ssh/server_key.ex

@@ -1,8 +1,9 @@
 defmodule Chessh.SSH.ServerKey do
+  alias Chessh.Auth.KeyAuthenticator
   @behaviour :ssh_server_key_api
 
   def is_auth_key(key, username, _daemon_options) do
-    Chessh.Auth.KeyAuthenticator.authenticate(username, key)
+    KeyAuthenticator.authenticate(username, key)
   end
 
   def host_key(algorithm, daemon_options) do

mix.exs

@@ -32,7 +32,7 @@ defmodule Chessh.MixProject do
       {:ecto_sql, "~> 3.9"},
       {:postgrex, "~> 0.16.5"},
       {:bcrypt_elixir, "~> 3.0"},
-      {:hammer, "~> 6.0"}
+      {:hammer, "~> 6.1"}
     ]
   end
 

priv/repo/migrations/20221229225556_add_node.exs

@@ -0,0 +1,10 @@
+defmodule Chessh.Repo.Migrations.AddNode do
+  use Ecto.Migration
+
+  def change do
+    create table(:nodes, primary_key: false) do
+      add(:id, :string, primary_key: true)
+      add(:last_start, :utc_datetime)
+    end
+  end
+end

priv/repo/migrations/20221229225559_add_user_session.exs

@@ -0,0 +1,11 @@
+defmodule Chessh.Repo.Migrations.AddUserSession do
+  use Ecto.Migration
+
+  def change do
+    create table(:player_sessions) do
+      add(:login, :utc_datetime)
+      add(:player_id, references(:players))
+      add(:node_id, references(:nodes, type: :string))
+    end
+  end
+end

test/auth/password_test.exs

@@ -14,13 +14,13 @@ defmodule Chessh.Auth.PasswordAuthenticatorTest do
 
   test "Password can authenticate a hashed password" do
     assert Chessh.Auth.PasswordAuthenticator.authenticate(
-             String.to_charlist(@valid_user.username),
-             String.to_charlist(@valid_user.password)
+             @valid_user.username,
+             @valid_user.password
            )
 
     refute Chessh.Auth.PasswordAuthenticator.authenticate(
-             String.to_charlist(@valid_user.username),
-             String.to_charlist("a_bad_password")
+             @valid_user.username,
+             "a_bad_password"
            )
   end
 end

test/ssh/ssh_auth_test-emacs-elixir-format.exs

@@ -0,0 +1,81 @@
+defmodule Chessh.SSH.AuthTest do
+  use ExUnit.Case
+  alias Chessh.{Player, Repo, Key}
+
+  @localhost '127.0.0.1'
+  @key_name "The Gamer Machine"
+  @valid_user %{username: "logan", password: "password"}
+  @client_test_keys_dir Path.join(Application.compile_env!(:chessh, :key_dir), "client_keys")
+  @client_pub_key 'id_ed25519.pub'
+
+  setup_all do
+    case Ecto.Adapters.SQL.Sandbox.checkout(Repo) do
+      :ok -> nil
+      {:already, :owner} -> nil
+    end
+
+    Ecto.Adapters.SQL.Sandbox.mode(Repo, {:shared, self()})
+
+    {:ok, player} = Repo.insert(Player.registration_changeset(%Player{}, @valid_user))
+
+    {:ok, key_text} = File.read(Path.join(@client_test_keys_dir, @client_pub_key))
+
+    {:ok, _key} =
+      Repo.insert(
+        Key.changeset(%Key{}, %{key: key_text, name: @key_name})
+        |> Ecto.Changeset.put_assoc(:player, player)
+      )
+
+    :ok
+  end
+
+  test "Password attempts are rate limited" do
+    assert :disconnect ==
+             Enum.reduce(
+               1..Application.fetch_env!(:chessh, RateLimits, :jail_threshold),
+               fn _, _ ->
+                 Chessh.SSH.Daemon.pwd_authenticate(
+                        @valid_user.username,
+                        'wrong_password',
+                        @localhost
+                      ) do
+               end
+             )
+  end
+
+  test "INTEGRATION - Can ssh into daemon with password or public key" do
+    {:ok, sup} = Task.Supervisor.start_link()
+    test_pid = self()
+
+    Task.Supervisor.start_child(sup, fn ->
+      {:ok, _pid} =
+        :ssh.connect(@localhost, Application.fetch_env!(:chessh, :port),
+          user: String.to_charlist(@valid_user.username),
+          password: String.to_charlist(@valid_user.password),
+          auth_methods: 'password',
+          silently_accept_hosts: true
+        )
+
+      send(test_pid, :connected_via_password)
+    end)
+
+    Task.Supervisor.start_child(sup, fn ->
+      {:ok, _pid} =
+        :ssh.connect(@localhost, Application.fetch_env!(:chessh, :port),
+          user: String.to_charlist(@valid_user.username),
+          auth_methods: 'publickey',
+          silently_accept_hosts: true,
+          user_dir: String.to_charlist(@client_test_keys_dir)
+        )
+
+      send(test_pid, :connected_via_public_key)
+    end)
+
+    assert_receive(:connected_via_password, 500)
+    assert_receive(:connected_via_public_key, 500)
+  end
+
+  test "INTEGRATION - User cannot have more than specified concurrent sessions" do
+    :ok
+  end
+end

test/ssh/ssh_auth_test.exs

@@ -29,26 +29,21 @@ defmodule Chessh.SSH.AuthTest do
     :ok
   end
 
-  test "Fails to authenticate after configured max password attempt" do
+  test "Password attempts are rate limited" do
     assert :disconnect ==
              Enum.reduce(
-               1..Application.fetch_env!(:chessh, :max_password_attempts),
-               %{attempts: 0},
-               fn acc, _ ->
-                 case Chessh.SSH.Daemon.pwd_authenticate(
+               1..Application.fetch_env!(:chessh, RateLimits, :jail_threshold),
+               fn _, _ ->
+                 Chessh.SSH.Daemon.pwd_authenticate(
                         @valid_user.username,
                         'wrong_password',
-                        @localhost,
-                        acc
+                        @localhost
                       ) do
-                   {false, state} -> state
-                   x -> x
-                 end
                end
              )
   end
 
-  test "INTEGRATION TEST - Can ssh into daemon with password or public key" do
+  test "INTEGRATION - Can ssh into daemon with password or public key" do
     {:ok, sup} = Task.Supervisor.start_link()
     test_pid = self()
 
@@ -80,15 +75,7 @@ defmodule Chessh.SSH.AuthTest do
     assert_receive(:connected_via_public_key, 500)
   end
 
-  test "Hosts are rate limited via password attempts" do
-    :ok
-  end
-
-  test "Hosts are also rate limited with public keys" do
-    :ok
-  end
-
-  test "User cannot have more than one current session" do
+  test "INTEGRATION - User cannot have more than specified concurrent sessions" do
     :ok
   end
 end