Merge branch 'master' into feat/create_admin_endpoint

Author: Yashin Santos

README.md

@@ -6,8 +6,8 @@
 
 ## Requirements
 
-- Elixir `1.10` using `OTP-23`;
-- Erlang `23.0`;
+- Elixir `1.11` using `OTP-23`;
+- Erlang `23.1`;
 - Docker-compose (Just when running in dev enviroment);
 
 ## Running it locally
@@ -36,11 +36,11 @@ To get the user and application data check out the database on `localhost:8181`
 ```elixir
 # Getting all user identities
 # The user password will be `admin`
-ResourceManager.Repo.all(ResourceManager.Identity.Schemas.User) |> ResourceManager.Repo.preload([:scopes])
+ResourceManager.Repo.all(ResourceManager.Identities.Schemas.User) |> ResourceManager.Repo.preload([:scopes])
 
 # Getting all client application identities
 # Check out for the client secret
-ResourceManager.Repo.all(ResourceManager.Identity.Schemas.ClientApplication) |> ResourceManager.Repo.preload([:scopes])
+ResourceManager.Repo.all(ResourceManager.Identities.Schemas.ClientApplication) |> ResourceManager.Repo.preload([:scopes])
 ```
 
 ### Making requests
@@ -57,4 +57,4 @@ We use some libraries in order to keep our code as consistent as possible.
 
 - [Credo](https://github.com/rrrene/credo) (run using `mix credo --strict`);
 - [Dialyzer](https://github.com/jeremyjh/dialyxir) (run using `mix dialyzer`);
-- [Coveralls](https://github.com/parroty/excoveralls) (run using `mix coveralls`);
+- [Coveralls](https://github.com/parroty/excoveralls) (run using `mix coveralls`);

apps/authenticator/lib/crypto/commands/fake_verify_hash.ex

@@ -3,9 +3,11 @@ defmodule Authenticator.Crypto.Commands.FakeVerifyHash do
   Simulates a hash verification using the given algorithm.
   """
 
-  @behaviour ResourceManager.Credentials.Ports.FakeVerifyHash
+  @typedoc "All possible hash algorithms"
+  @type algorithms :: :argon2 | :bcrypt | :pbkdf2
 
-  @impl true
+  @doc "Fake a hash verification using the given algorithm"
+  @spec execute(algorithm :: algorithms()) :: false
   def execute(:argon2), do: Argon2.no_user_verify()
   def execute(:bcrypt), do: Bcrypt.no_user_verify()
   def execute(:pbkdf2), do: Pbkdf2.no_user_verify()

apps/authenticator/lib/crypto/commands/generate_hash.ex

@@ -23,9 +23,11 @@ defmodule Authenticator.Crypto.Commands.GenerateHash do
   with a sliding computational cost and generally used to reduce vulnerabilities to brute force attacks.
   """
 
-  @behaviour ResourceManager.Credentials.Ports.GenerateHash
+  @typedoc "All possible hash algorithms"
+  @type algorithms :: :argon2 | :bcrypt | :pbkdf2
 
-  @impl true
+  @doc "Generates a hash using the given algorithm"
+  @spec execute(value :: String.t(), algorithm :: algorithms()) :: String.t()
   def execute(value, :argon2) when is_binary(value), do: Argon2.hash_pwd_salt(value)
   def execute(value, :bcrypt) when is_binary(value), do: Bcrypt.hash_pwd_salt(value)
   def execute(value, :pbkdf2) when is_binary(value), do: Pbkdf2.hash_pwd_salt(value)

apps/authenticator/lib/crypto/commands/verify_hash.ex

@@ -3,14 +3,17 @@ defmodule Authenticator.Crypto.Commands.VerifyHash do
   Verify if a given hash matches the given value.
   """
 
-  @behaviour ResourceManager.Credentials.Ports.VerifyHash
+  @typedoc "All possible hash algorithms"
+  @type algorithms :: :argon2 | :bcrypt | :pbkdf2
 
-  @impl true
+  @doc "Verifies if a credential matches the given secret"
+  @spec execute(credential :: map(), value :: String.t()) :: boolean()
   def execute(%{password: %{password_hash: hash, algorithm: algorithm}}, password)
       when is_binary(password),
       do: execute(password, hash, String.to_atom(algorithm))
 
-  @impl true
+  @doc "Verifies if a hash matches the given credential using the passed algorithm"
+  @spec execute(value :: String.t(), hash :: String.t(), algorithm :: algorithms()) :: boolean()
   def execute(value, hash, :argon2)
       when is_binary(value) and is_binary(hash),
       do: Argon2.verify_pass(value, hash)

apps/authenticator/lib/sign_in/commands/get_temporarilly_blocked.ex

@@ -0,0 +1,28 @@
+defmodule Authenticator.SignIn.Commands.GetTemporarillyBlocked do
+  @moduledoc """
+  Get subject authentication attempts that failed consecutively and return
+  it's username or client_id.
+  """
+
+  require Logger
+
+  alias Authenticator.SignIn.{ApplicationAttempts, UserAttempts}
+
+  # Maximum failed attempts before block
+  @max_attempts 5
+
+  # 10 minutes interval
+  @max_interval 60 * 10 * -1
+
+  @doc """
+  Return the identities that failed more than #{@max_attempts} times on sign in
+  in #{@max_interval} seconds.
+  """
+  @spec execute(identity_type :: :user | :application) :: {:ok, list(String.t())}
+  def execute(:user), do: {:ok, UserAttempts.list(get_filters())}
+  def execute(:application), do: {:ok, ApplicationAttempts.list(get_filters())}
+
+  # Query filters
+  defp get_filters, do: [temporarilly_blocked: {@max_attempts, created_after()}]
+  defp created_after, do: NaiveDateTime.add(NaiveDateTime.utc_now(), @max_interval, :second)
+end

apps/authenticator/lib/sign_in/schemas/application_attempt.ex

@@ -47,4 +47,12 @@ defmodule Authenticator.SignIn.Schemas.ApplicationAttempt do
   defp custom_query(query, {:ids, ids}), do: where(query, [c], c.id in ^ids)
   defp custom_query(query, {:created_after, date}), do: where(query, [c], c.inserted_at > ^date)
   defp custom_query(query, {:created_before, date}), do: where(query, [c], c.inserted_at < ^date)
+
+  defp custom_query(query, {:temporarilly_blocked, {max_attempts, date}}) do
+    query
+    |> where([c], c.inserted_at > ^date)
+    |> group_by([c], c.client_id)
+    |> having([c], count(c.client_id) > ^max_attempts)
+    |> select([c], c.client_id)
+  end
 end

apps/authenticator/lib/sign_in/schemas/user_attempt.ex

@@ -47,4 +47,12 @@ defmodule Authenticator.SignIn.Schemas.UserAttempt do
   defp custom_query(query, {:ids, ids}), do: where(query, [c], c.id in ^ids)
   defp custom_query(query, {:created_after, date}), do: where(query, [c], c.inserted_at > ^date)
   defp custom_query(query, {:created_before, date}), do: where(query, [c], c.inserted_at < ^date)
+
+  defp custom_query(query, {:temporarilly_blocked, {max_attempts, date}}) do
+    query
+    |> where([c], c.inserted_at > ^date)
+    |> group_by([c], c.username)
+    |> having([c], count(c.username) > ^max_attempts)
+    |> select([c], c.username)
+  end
 end

apps/authenticator/test/authenticator/sign_in/commands/get_temporarilly_blocked_test.exs

@@ -0,0 +1,28 @@
+defmodule Authenticator.SignIn.Commands.GetTemporarillyBlockedTest do
+  use Authenticator.DataCase, async: true
+
+  alias Authenticator.SignIn.Commands.GetTemporarillyBlocked
+
+  describe "#{GetTemporarillyBlocked}.execute/1" do
+    test "succeeds and return users to block temporarilly" do
+      assert [%{username: username} | _] =
+               Enum.map(1..15, fn _ ->
+                 insert!(:user_sign_in_attempt, username: "myusername", was_successful: false)
+               end)
+
+      assert {:ok, [^username | _]} = GetTemporarillyBlocked.execute(:user)
+    end
+
+    test "succeeds and return applications to block temporarilly" do
+      assert [%{client_id: client_id} | _] =
+               Enum.map(1..15, fn _ ->
+                 insert!(:application_sign_in_attempt,
+                   client_id: "myclientid",
+                   was_successful: false
+                 )
+               end)
+
+      assert {:ok, [^client_id | _]} = GetTemporarillyBlocked.execute(:application)
+    end
+  end
+end

apps/resource_manager/lib/credentials/blocklist_password_manager.ex

@@ -37,7 +37,7 @@ defmodule ResourceManager.Credentials.BlocklistPasswordManager do
 
   # coveralls-ignore-stop
 
-  @doc "Update session statuses and save on cache"
+  @doc "Update blocked password list on cache"
   @spec execute() :: {:ok, :managed} | {:error, :update_failed | :failed_to_cache}
   def execute, do: manage_passwords()