[SYNCOPE-1971] Add authentication failure throttling to avoid brute-force attack

client/idrepo/common-ui/src/main/java/org/apache/syncope/client/ui/commons/wizards/any/PasswordPanel.java

@@ -44,6 +44,7 @@ public PasswordPanel(
             final UserWrapper wrapper,
             final Boolean storePasswordInSyncope,
             final boolean templateMode,
+            final String token,
             final AnonymousRestClient restClient) {
 
         super(id);
@@ -95,6 +96,7 @@ public void validate(final Form<?> form) {
                     ComplianceQuery quey = new ComplianceQuery.Builder().
                             realm(wrapper.getInnerObject().getRealm()).
                             password(password.getField().getInput()).
+                            token(token).
                             resources(wrapper.getInnerObject().getResources()).
                             build();
                     try {

client/idrepo/console/src/main/java/org/apache/syncope/client/console/status/ChangePasswordModal.java

@@ -64,7 +64,8 @@ public ChangePasswordModal(
         super(baseModal, pageRefer);
         this.wrapper = wrapper;
 
-        PasswordPanel passwordPanel = new PasswordPanel("passwordPanel", wrapper, false, false, anonymousRestClient);
+        PasswordPanel passwordPanel = new PasswordPanel(
+                "passwordPanel", wrapper, false, false, null, anonymousRestClient);
         passwordPanel.setOutputMarkupId(true);
         add(passwordPanel);
 

client/idrepo/console/src/main/java/org/apache/syncope/client/console/wizards/any/UserDetails.java

@@ -176,7 +176,7 @@ public EditUserPasswordPanel(final String id, final UserWrapper wrapper, final b
             super(id);
             setOutputMarkupId(true);
             add(new Label("warning", new ResourceModel("password.change.warning")));
-            add(new PasswordPanel("passwordPanel", wrapper, false, templateMode, anonymousRestClient));
+            add(new PasswordPanel("passwordPanel", wrapper, false, templateMode, null, anonymousRestClient));
         }
     }
 }

client/idrepo/enduser/src/main/java/org/apache/syncope/client/enduser/pages/EditSecurityQuestion.java

@@ -70,10 +70,15 @@ public class EditSecurityQuestion extends BaseReauthPage {
 
     protected final UserTO userTO;
 
+    protected final UserUR userUR;
+
     public EditSecurityQuestion(final PageParameters parameters) {
         super(parameters, EDIT_SECURITY_QUESTION);
 
         userTO = SyncopeEnduserSession.get().getSelfTO(true);
+        userUR = new UserUR.Builder(userTO.getKey()).
+                securityQuestion(new StringReplacePatchItem.Builder().value(userTO.getSecurityQuestion()).build()).
+                build();
 
         WebMarkupContainer content = new WebMarkupContainer("content");
         content.setOutputMarkupId(true);
@@ -84,7 +89,7 @@ public EditSecurityQuestion(final PageParameters parameters) {
         content.add(form);
 
         securityQuestion = new AjaxDropDownChoicePanel<>("securityQuestion",
-                "securityQuestion", new PropertyModel<>(userTO, "securityQuestion"));
+                "securityQuestion", new PropertyModel<>(userUR, "securityQuestion.value"));
         securityQuestion.setNullValid(true);
         securityQuestion.setRequired(true);
 
@@ -126,7 +131,7 @@ protected void onEvent(final AjaxRequestTarget target) {
         form.add(securityQuestion);
 
         securityAnswer = new AjaxTextFieldPanel("securityAnswer", "securityAnswer",
-                new PropertyModel<>(userTO, "securityAnswer"), false);
+                new PropertyModel<>(userUR, "securityAnswer.value"), false);
         form.add(securityAnswer.setOutputMarkupId(true).setOutputMarkupPlaceholderTag(true).
                 setEnabled(StringUtils.isNotBlank(securityQuestion.getModelObject())));
         securityAnswer.setRequired(true);
@@ -151,13 +156,7 @@ protected void onSubmit(final AjaxRequestTarget target) {
                 } else {
                     try {
                         ProvisioningResult<UserTO> provisioningResult =
-                                userSelfRestClient.update(
-                                        userTO.getETagValue(),
-                                        new UserUR.Builder(userTO.getKey())
-                                                .securityQuestion(new StringReplacePatchItem.Builder().
-                                                        value(securityQuestion.getModelObject()).build())
-                                                .securityAnswer(new StringReplacePatchItem.Builder().
-                                                        value(securityAnswer.getModelObject()).build()).build());
+                                userSelfRestClient.update(userTO.getETagValue(), userUR);
                         setResponsePage(new SelfResult(provisioningResult,
                                 ProvisioningUtils.managePageParams(EditSecurityQuestion.this,
                                         "securityquestion.change",

client/idrepo/enduser/src/main/java/org/apache/syncope/client/enduser/pages/SelfConfirmPasswordReset.java

@@ -49,7 +49,7 @@ public SelfConfirmPasswordReset(final PageParameters parameters) {
         setDomain(parameters);
         disableSidebarAndNavbar();
 
-        if (parameters == null || parameters.get("token").isEmpty()) {
+        if (parameters.get("token").isEmpty()) {
             LOG.error("No token parameter found in the request url");
 
             PageParameters homeParameters = new PageParameters();
@@ -72,6 +72,7 @@ public SelfConfirmPasswordReset(final PageParameters parameters) {
                 new UserWrapper(fakeUserTO),
                 false,
                 false,
+                parameters.get("token").toString(),
                 anonymousRestClient);
         passwordPanel.setOutputMarkupId(true);
 

client/idrepo/enduser/src/main/java/org/apache/syncope/client/enduser/panels/any/UserDetails.java

@@ -124,6 +124,7 @@ protected EditUserPasswordPanel(final String id, final UserWrapper wrapper) {
                     wrapper,
                     wrapper.getInnerObject().getKey() == null,
                     false,
+                    null,
                     restClient));
         }
     }

common/idrepo/rest-api/src/main/java/org/apache/syncope/common/rest/api/beans/ComplianceQuery.java

@@ -46,6 +46,11 @@ public Builder password(final String password) {
             return this;
         }
 
+        public Builder token(final String token) {
+            instance.setToken(token);
+            return this;
+        }
+
         public Builder realm(final String realm) {
             instance.setRealm(realm);
             return this;
@@ -79,6 +84,8 @@ public Builder resources(final Collection<String> resources) {
 
     private String password;
 
+    private String token;
+
     private String realm;
 
     private Set<String> resources = new HashSet<>();
@@ -99,6 +106,14 @@ public void setPassword(final String password) {
         this.password = password;
     }
 
+    public String getToken() {
+        return token;
+    }
+
+    public void setToken(final String token) {
+        this.token = token;
+    }
+
     public String getRealm() {
         return realm;
     }
@@ -120,7 +135,7 @@ public boolean isEmpty() {
         if (StringUtils.isBlank(username) && StringUtils.isBlank(password)) {
             return true;
         }
-        return StringUtils.isEmpty(realm) && resources.isEmpty();
+        return StringUtils.isEmpty(token) && StringUtils.isEmpty(realm) && resources.isEmpty();
     }
 
     @Override
@@ -138,6 +153,7 @@ public boolean equals(final Object obj) {
         return new EqualsBuilder().
                 append(username, other.username).
                 append(password, other.password).
+                append(token, other.token).
                 append(realm, other.realm).
                 append(resources, other.resources).
                 build();
@@ -148,6 +164,7 @@ public int hashCode() {
         return new HashCodeBuilder().
                 append(username).
                 append(password).
+                append(token).
                 append(realm).
                 append(resources).
                 build();

core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/UserSelfLogic.java

@@ -19,6 +19,7 @@
 package org.apache.syncope.core.logic;
 
 import java.time.OffsetDateTime;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
@@ -212,12 +213,23 @@ public void compliance(final ComplianceQuery query) {
         }
 
         Realm realm = null;
-        if (StringUtils.isNotBlank(query.getRealm())) {
-            realm = realmSearchDAO.findByFullPath(query.getRealm()).
-                    orElseThrow(() -> new NotFoundException("Realm " + query.getRealm()));
+        Set<ExternalResource> resources;
+        if (StringUtils.isNotBlank(query.getToken())) {
+            String key = userDAO.findByToken(query.getToken()).
+                    orElseThrow(() -> new NotFoundException("User with token " + query.getToken()));
+            User user = userDAO.findById(key).
+                    orElseThrow(() -> new NotFoundException("User with key " + key));
+            realm = user.getRealm();
+            resources = new HashSet<>(user.getResources());
+        } else {
+            if (StringUtils.isNotBlank(query.getRealm())) {
+                realm = realmSearchDAO.findByFullPath(query.getRealm()).
+                        orElseThrow(() -> new NotFoundException("Realm " + query.getRealm()));
+            }
+            resources = query.getResources().stream().
+                    map(resourceDAO::findById).flatMap(Optional::stream).collect(Collectors.toSet());
         }
-        Set<ExternalResource> resources = query.getResources().stream().
-                map(resourceDAO::findById).flatMap(Optional::stream).collect(Collectors.toSet());
+
         if (realm == null && resources.isEmpty()) {
             sce.getElements().add("Nothing to check");
             throw sce;

core/self-keymaster-starter/src/main/java/org/apache/syncope/core/keymaster/rest/security/SelfKeymasterUsernamePasswordAuthenticationProvider.java

@@ -18,11 +18,13 @@
  */
 package org.apache.syncope.core.keymaster.rest.security;
 
+import javax.cache.Cache;
 import org.apache.syncope.common.keymaster.client.api.DomainOps;
 import org.apache.syncope.common.keymaster.client.api.KeymasterProperties;
 import org.apache.syncope.core.persistence.api.EncryptorManager;
 import org.apache.syncope.core.provisioning.api.UserProvisioningManager;
 import org.apache.syncope.core.spring.security.AuthDataAccessor;
+import org.apache.syncope.core.spring.security.AuthenticationAttemptThrottler;
 import org.apache.syncope.core.spring.security.SecurityProperties;
 import org.apache.syncope.core.spring.security.SyncopeAuthenticationDetails;
 import org.apache.syncope.core.spring.security.UsernamePasswordAuthenticationProvider;
@@ -38,9 +40,16 @@ public SelfKeymasterUsernamePasswordAuthenticationProvider(
             final UserProvisioningManager provisioningManager,
             final SecurityProperties securityProperties,
             final EncryptorManager encryptorManager,
+            final Cache<String, AuthenticationAttemptThrottler.Attempts> authenticationAttemptCache,
             final KeymasterProperties keymasterProperties) {
 
-        super(domainOps, dataAccessor, provisioningManager, securityProperties, encryptorManager);
+        super(
+                domainOps,
+                dataAccessor,
+                provisioningManager,
+                securityProperties,
+                encryptorManager,
+                authenticationAttemptCache);
         this.keymasterProperties = keymasterProperties;
     }
 
@@ -50,6 +59,7 @@ public Authentication authenticate(final Authentication authentication) {
             return finalizeAuthentication(
                     SyncopeAuthenticationDetails.class.cast(authentication.getDetails()).getDomain(),
                     keymasterProperties.getUsername(),
+                    keymasterProperties.getUsername(),
                     new AuthDataAccessor.UsernamePasswordAuthResult(
                             null,
                             authentication.getCredentials().toString().equals(keymasterProperties.getPassword()),

core/self-keymaster-starter/src/main/java/org/apache/syncope/core/starter/SelfKeymasterContext.java

@@ -29,6 +29,7 @@
 import java.util.Optional;
 import java.util.Set;
 import java.util.regex.Pattern;
+import javax.cache.Cache;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.cxf.Bus;
 import org.apache.cxf.endpoint.Server;
@@ -72,12 +73,14 @@
 import org.apache.syncope.core.rest.cxf.JavaDocUtils;
 import org.apache.syncope.core.rest.cxf.RestServiceExceptionMapper;
 import org.apache.syncope.core.spring.security.AuthDataAccessor;
+import org.apache.syncope.core.spring.security.AuthenticationAttemptThrottler;
 import org.apache.syncope.core.spring.security.SecurityProperties;
 import org.apache.syncope.core.spring.security.UsernamePasswordAuthenticationProvider;
 import org.apache.syncope.core.spring.security.WebSecurityContext;
 import org.apache.syncope.core.starter.SelfKeymasterContext.SelfKeymasterCondition;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.AutoConfigureBefore;
 import org.springframework.boot.autoconfigure.condition.ConditionOutcome;
 import org.springframework.boot.autoconfigure.condition.SpringBootCondition;
@@ -222,6 +225,8 @@ public UsernamePasswordAuthenticationProvider usernamePasswordAuthenticationProv
             final UserProvisioningManager provisioningManager,
             final SecurityProperties securityProperties,
             final EncryptorManager encryptorManager,
+            @Qualifier(AuthenticationAttemptThrottler.CACHE_NAME)
+            final Cache<String, AuthenticationAttemptThrottler.Attempts> authenticationAttemptCache,
             final KeymasterProperties keymasterProperties) {
 
         return new SelfKeymasterUsernamePasswordAuthenticationProvider(
@@ -230,6 +235,7 @@ public UsernamePasswordAuthenticationProvider usernamePasswordAuthenticationProv
                 provisioningManager,
                 securityProperties,
                 encryptorManager,
+                authenticationAttemptCache,
                 keymasterProperties);
     }
 

core/spring/src/main/java/org/apache/syncope/core/spring/implementation/GroovySandboxScriptEngineImpl.java

@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.core.spring.implementation;
+
+import groovy.grape.GrabAnnotationTransformation;
+import groovy.lang.GroovyClassLoader;
+import java.io.Reader;
+import java.util.Set;
+import javax.script.ScriptContext;
+import javax.script.ScriptException;
+import org.codehaus.groovy.control.CompilerConfiguration;
+import org.codehaus.groovy.jsr223.GroovyScriptEngineImpl;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.blacklists.Blacklist;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.RejectASTTransformsCustomizer;
+import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor;
+import org.kohsuke.groovy.sandbox.GroovyInterceptor;
+import org.kohsuke.groovy.sandbox.SandboxTransformer;
+import org.springframework.util.function.ThrowingSupplier;
+
+public class GroovySandboxScriptEngineImpl extends GroovyScriptEngineImpl {
+
+    private static final GroovyClassLoader GROOVY_CLASSLOADER;
+
+    static {
+        CompilerConfiguration cc = new CompilerConfiguration();
+        cc.addCompilationCustomizers(new RejectASTTransformsCustomizer(), new SandboxTransformer());
+        cc.setDisabledGlobalASTTransformations(Set.of(GrabAnnotationTransformation.class.getName()));
+
+        GROOVY_CLASSLOADER = new GroovyClassLoader(Thread.currentThread().getContextClassLoader(), cc);
+    }
+
+    protected final Blacklist blackList;
+
+    public GroovySandboxScriptEngineImpl(final Blacklist blackList) {
+        super(GROOVY_CLASSLOADER);
+        this.blackList = blackList;
+    }
+
+    protected Object sandboxEval(final ThrowingSupplier<Object> eval) {
+        GroovyInterceptor interceptor = null;
+        try {
+            interceptor = new SandboxInterceptor(blackList);
+            interceptor.register();
+        } catch (NoClassDefFoundError noClassDefFound) {
+            // ignore
+        }
+
+        try {
+            return eval.get();
+        } finally {
+            if (interceptor != null) {
+                try {
+                    interceptor.unregister();
+                } catch (NoClassDefFoundError noClassDefFound) {
+                    // ignore
+                }
+            }
+        }
+    }
+
+    @Override
+    public Object eval(final Reader reader, final ScriptContext ctx) throws ScriptException {
+        return sandboxEval(() -> super.eval(reader, ctx));
+    }
+
+    @Override
+    public Object eval(final String script, final ScriptContext ctx) throws ScriptException {
+        return sandboxEval(() -> super.eval(script, ctx));
+    }
+}