Fix information disclosure when lockout enabled

When lockout is enabled, enhanced response error messages allow an
attacker to enumerate valid usernames.  Change adds new configuration
option to disable username enumeration by returning the same error
message for both invalid usernames and locked out accounts.

The option is enabled by default.

Issue: #240
Signed-off-by: Mitch Gaffigan <mitch.gaffigan@comcast.net>

Author: mgaffigan

server/src/com/mirth/connect/model/PasswordRequirements.java

@@ -29,6 +29,7 @@ public class PasswordRequirements implements Serializable {
     private int gracePeriod;
     private int reusePeriod;
     private int reuseLimit;
+    private boolean allowEnumeration;
 
     public PasswordRequirements() {
         this.minLength = 0;
@@ -42,6 +43,7 @@ public PasswordRequirements() {
         this.gracePeriod = 0;
         this.reusePeriod = 0;
         this.reuseLimit = 0;
+        this.allowEnumeration = false;
     }
 
     public PasswordRequirements(int minLength, int minUpper, int minLower, int minNumeric, int minSpecial, int retryLimit, int lockoutPeriod, int expiration, int gracePeriod, int reusePeriod, int reuseLimit) {
@@ -145,4 +147,12 @@ public int getReuseLimit() {
     public void setReuseLimit(int reuseLimit) {
         this.reuseLimit = reuseLimit;
     }
+
+    public boolean getAllowEnumeration() {
+        return allowEnumeration;
+    }
+
+    public void setAllowEnumeration(boolean allowEnumeration) {
+        this.allowEnumeration = allowEnumeration;
+    }
 }

server/src/com/mirth/connect/server/controllers/DefaultUserController.java

@@ -43,6 +43,7 @@
 public class DefaultUserController extends UserController {
     public static final String VACUUM_LOCK_PERSON_STATEMENT_ID = "User.vacuumPersonTable";
     public static final String VACUUM_LOCK_PREFERENCES_STATEMENT_ID = "User.vacuumPersonPreferencesTable";
+    private static final String INCORRECT_CREDENTIALS_MESSAGE = "Incorrect username or password.";
 
     private Logger logger = LogManager.getLogger(this.getClass());
     private ExtensionController extensionController = null;
@@ -292,6 +293,7 @@ public LoginStatus authorizeUser(String username, String plainPassword, String s
             boolean authorized = false;
             Credentials credentials = null;
             LoginRequirementsChecker loginRequirementsChecker = null;
+            PasswordRequirements passwordRequirements = ControllerFactory.getFactory().createConfigurationController().getPasswordRequirements();
 
             // Retrieve the matching User
             User validUser = getUser(null, username);
@@ -300,7 +302,11 @@ public LoginStatus authorizeUser(String username, String plainPassword, String s
                 Digester digester = ControllerFactory.getFactory().createConfigurationController().getDigester();
                 loginRequirementsChecker = new LoginRequirementsChecker(validUser);
                 if (loginRequirementsChecker.isUserLockedOut()) {
-                    return new LoginStatus(LoginStatus.Status.FAIL_LOCKED_OUT, "User account \"" + username + "\" has been locked. You may attempt to login again in " + loginRequirementsChecker.getPrintableStrikeTimeRemaining() + ".");
+                    if (passwordRequirements.getAllowEnumeration()) {
+                        return new LoginStatus(LoginStatus.Status.FAIL_LOCKED_OUT, "User account \"" + username + "\" has been locked. You may attempt to login again in " + loginRequirementsChecker.getPrintableStrikeTimeRemaining() + ".");
+                    } else {
+                        return new LoginStatus(LoginStatus.Status.FAIL, INCORRECT_CREDENTIALS_MESSAGE);
+                    }
                 }
 
                 loginRequirementsChecker.resetExpiredStrikes();
@@ -320,7 +326,6 @@ public LoginStatus authorizeUser(String username, String plainPassword, String s
                 }
             }
 
-            PasswordRequirements passwordRequirements = ControllerFactory.getFactory().createConfigurationController().getPasswordRequirements();
             LoginStatus loginStatus = null;
 
             if (authorized) {
@@ -383,12 +388,12 @@ public LoginStatus authorizeUser(String username, String plainPassword, String s
                 }
             } else {
                 LoginStatus.Status status = LoginStatus.Status.FAIL;
-                String failMessage = "Incorrect username or password.";
+                String failMessage = INCORRECT_CREDENTIALS_MESSAGE;
 
                 if (loginRequirementsChecker != null) {
                     loginRequirementsChecker.incrementStrikes();
 
-                    if (loginRequirementsChecker.isLockoutEnabled()) {
+                    if (loginRequirementsChecker.isLockoutEnabled() && passwordRequirements.getAllowEnumeration()) {
                         if (loginRequirementsChecker.isUserLockedOut()) {
                             status = LoginStatus.Status.FAIL_LOCKED_OUT;
                             failMessage += " User account \"" + username + "\" has been locked. You may attempt to login again in " + loginRequirementsChecker.getPrintableStrikeTimeRemaining() + ".";

server/src/com/mirth/connect/server/util/PasswordRequirementsChecker.java

@@ -57,6 +57,7 @@ public class PasswordRequirementsChecker implements Serializable {
     private static final String PASSWORD_LOCKOUT_PERIOD = "password.lockoutperiod";
     private static final String PASSWORD_REUSE_PERIOD = "password.reuseperiod";
     private static final String PASSWORD_REUSE_LIMIT = "password.reuselimit";
+    private static final String PASSWORD_ALLOW_ENUMERATION = "password.allowEnumeration";
 
     private static PasswordRequirementsChecker instance = null;
 
@@ -88,6 +89,7 @@ public PasswordRequirements loadPasswordRequirements(PropertiesConfiguration sec
         passwordRequirements.setLockoutPeriod(securityProperties.getInt(PASSWORD_LOCKOUT_PERIOD, 0));
         passwordRequirements.setReusePeriod(securityProperties.getInt(PASSWORD_REUSE_PERIOD, 0));
         passwordRequirements.setReuseLimit(securityProperties.getInt(PASSWORD_REUSE_LIMIT, 0));
+        passwordRequirements.setAllowEnumeration(securityProperties.getBoolean(PASSWORD_ALLOW_ENUMERATION, false));
 
         return passwordRequirements;
     }