Documentation

Constants
const PwHistGateScript = `` /* 363-byte string literal not displayed */
PwHistGateScript is a Lua script that atomically updates password history counters. It enforces a maximum number of fields in the password-history hash to avoid unbounded growth and reduces client/server round-trips to a single EVAL call.
KEYS:
    [1] = password-history hash key (HINCRBY + EXPIRE)
    [2] = optional total counter key (INCR + EXPIRE); may be omitted

ARGV:
    [1] = field (password hash)
    [2] = ttl seconds
    [3] = max fields allowed in the hash

Returns:
    1 if the operation was performed (under limit), 0 if max fields reached (no-op)
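The page does not display the 363-byte script body, so the following is an added example of a Lua script that implements the documented KEYS/ARGV/return contract above; it is not the project's own PwHistGateScript. How an already-present field is treated once the hash is full (it is still counted, since it cannot grow the hash) is an assumption of this example.

```lua
-- Added example implementing the documented contract of PwHistGateScript.
-- Not the project's own script; the handling of a field that already exists
-- in a full hash is an assumption (it does not grow the hash, so it is allowed).
--
-- KEYS[1] = password-history hash key      (HINCRBY + EXPIRE)
-- KEYS[2] = optional total counter key     (INCR + EXPIRE), may be omitted
-- ARGV[1] = field (password hash)
-- ARGV[2] = ttl seconds
-- ARGV[3] = max fields allowed in the hash
local hashKey   = KEYS[1]
local totalKey  = KEYS[2]          -- nil when the caller passes a single key
local field     = ARGV[1]
local ttl       = tonumber(ARGV[2])
local maxFields = tonumber(ARGV[3])

-- Only a field that is not yet present can grow the hash, so the cap is
-- checked before any write happens. Everything below runs atomically
-- inside the single EVAL call.
if redis.call('HEXISTS', hashKey, field) == 0
   and redis.call('HLEN', hashKey) >= maxFields then
  return 0                          -- max fields reached: no-op
end

-- Count one more failure for this password hash and refresh the TTL so
-- the whole history expires together.
redis.call('HINCRBY', hashKey, field, 1)
redis.call('EXPIRE', hashKey, ttl)

-- Optional aggregate counter, maintained with the same TTL.
if totalKey then
  redis.call('INCR', totalKey)
  redis.call('EXPIRE', totalKey, ttl)
end

return 1                            -- operation performed (under limit)
```

Invoking it with `EVAL <script> 2 <hashKey> <totalKey> <field> <ttl> <max>` (or with `1 <hashKey>` to omit the total counter) returns the integer 1 or 0 described above.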
Variables

This section is empty.

Functions

func GetPWHistIPsRedisKey

GetPWHistIPsRedisKey generates the Redis key for storing password history associated with IPs for a specific account.

Types

type BucketManager
type BucketManager interface {
    // GetLoginAttempts returns the number of login attempts monitored by the bucket manager as an unsigned integer.
    GetLoginAttempts() uint

    // GetPasswordsAccountSeen returns the number of accounts for which passwords have been tracked or seen.
    GetPasswordsAccountSeen() uint

    // GetPasswordsTotalSeen retrieves the total number of unique passwords encountered across all accounts.
    GetPasswordsTotalSeen() uint

    // GetFeatureName returns the name "brute_force" if the system triggered.
    GetFeatureName() string

    // GetBruteForceName retrieves the name associated with the specific brute force bucket that triggered.
    GetBruteForceName() string

    // GetBruteForceCounter returns a map containing brute force detection counters associated with specific criteria or keys.
    GetBruteForceCounter() map[string]uint

    // GetBruteForceBucketRedisKey generates and returns the Redis key for tracking the brute force bucket associated with the given rule.
    GetBruteForceBucketRedisKey(rule *config.BruteForceRule) (key string)

    // GetPasswordHistory retrieves the password history as a mapping of hashed passwords with their associated failure counters.
    GetPasswordHistory() *PasswordHistory

    // WithUsername sets the username for the bucket manager, typically for tracking or processing account-specific data.
    WithUsername(username string) BucketManager

    // WithPassword sets the password for the current bucket manager instance.
    WithPassword(password string) BucketManager

    // WithAccountName sets the account name for the BucketManager instance and returns the updated BucketManager.
    WithAccountName(accountName string) BucketManager

    // WithProtocol sets the protocol for the BucketManager instance and returns the updated BucketManager.
    WithProtocol(protocol string) BucketManager

    // WithOIDCCID sets the OIDC Client ID for the BucketManager instance and returns the updated BucketManager.
    WithOIDCCID(oidcCID string) BucketManager

    // LoadAllPasswordHistories retrieves all recorded password history entries for further processing or analysis.
    LoadAllPasswordHistories()

    // CheckRepeatingBruteForcer evaluates if a repeating brute force attack is occurring based on the provided rules and IP network.
    // It returns whether processing should abort, if a rule is already triggered, and the index of the triggered rule.
    CheckRepeatingBruteForcer(rules []config.BruteForceRule, network **net.IPNet, message *string) (withError bool, alreadyTriggered bool, ruleNumber int)

    // CheckBucketOverLimit checks if any brute force rule is violated based on request data, updating the message if necessary.
    // It returns whether an error occurred, if a rule was triggered, and the rule number that was triggered (if any).
    CheckBucketOverLimit(rules []config.BruteForceRule, message *string) (withError bool, ruleTriggered bool, ruleNumber int)

    // ProcessBruteForce processes and evaluates whether a brute force rule should trigger an action based on given parameters.
    // It returns true if the brute force condition for the specified rule is met and properly handled, false otherwise.
    ProcessBruteForce(ruleTriggered, alreadyTriggered bool, rule *config.BruteForceRule, network *net.IPNet, message string, setter func()) bool

    // ProcessPWHist processes the password history for a user and returns the associated account name.
    ProcessPWHist() (accountName string)

    // SaveBruteForceBucketCounterToRedis stores the current brute force bucket counter in Redis for the given rule.
    SaveBruteForceBucketCounterToRedis(rule *config.BruteForceRule)

    // SaveFailedPasswordCounterInRedis updates the Redis counter for failed password attempts for a specific user or session.
    SaveFailedPasswordCounterInRedis()

    // DeleteIPBruteForceRedis removes the Redis key associated with a brute force rule for a specific IP address.
    DeleteIPBruteForceRedis(rule *config.BruteForceRule, ruleName string) (removedKey string, err error)

    // IsIPAddressBlocked checks if an IP address is blocked due to triggering brute force rules and returns related buckets.
    IsIPAddressBlocked() (buckets []string, found bool)

    // PrepareNetcalc precomputes parsed IP, IP family and unique CIDR networks for active rules.
    // It is idempotent and safe to call multiple times.
    PrepareNetcalc(rules []config.BruteForceRule)
}
BucketManager defines an interface for managing brute force and password history buckets in a system.
func NewBucketManager
func NewBucketManager(ctx context.Context, guid, clientIP string) BucketManager
NewBucketManager creates and returns a new instance of BucketManager with the provided context, GUID, and client IP.
type PasswordHistory
PasswordHistory is a map of hashed passwords with their failure counter.