Merge branch 'develop' of github.com:ngageoint/mage-server into develop

Author: restjohn

CHANGELOG.md

@@ -5,8 +5,15 @@ MAGE adheres to [Semantic Versioning](http://semver.org/).
 ---
 ## Pending on [`develop`](https://github.com/ngageoint/mage-server/tree/develop)
 
+##### Features
+
+##### Bug Fixes
+
+## [5.1.4](https://github.com/ngageoint/mage-server/releases/tag/5.1.4) (08-06-2018)
+
 ##### Features
 * Added GeoPackage layer support. Added server side XYZ urls to retrieve imagery from GeoPackages. The web client will use these URLs to display imagery tiles from a GeoPackage.  Added server side url to retrieve vector tiles from feature GeoPackages. The web client will use these to display vector tiles (with the aid of a leaflet plugin).
+* User account lock settings.  Admins can now configure account lock/disable settings for local accounts.
 * Replace local [environment](environment) NPM packages with a single Node module
 ** No more manually deleting the local module from the `node_modules` directory for script changes
 * Load values from [environment variables](README.md#mage-environment-settings) instead of only from the script

api/user.js

@@ -2,7 +2,6 @@ var UserModel = require('../models/user')
   , log = require('winston')
   , TokenModel = require('../models/token')
   , LoginModel = require('../models/login')
-  , EventModel = require('../models/event')
   , DeviceModel = require('../models/device')
   , path = require('path')
   , fs = require('fs-extra')

authentication/local.js

@@ -1,6 +1,7 @@
 module.exports = function(app, passport, provisioning) {
 
   var log = require('winston')
+    , moment = require('moment')
     , LocalStrategy = require('passport-local').Strategy
     , User = require('../models/user')
     , api = require('../api')
@@ -17,40 +18,69 @@ module.exports = function(app, passport, provisioning) {
     next();
   }
 
+  function authenticate(req, res, next) {
+    passport.authenticate('local', function(err, user, info) {
+      if (err) return next(err);
+
+      info = info || {};
+      if (!user) {
+        return res.status(401).send(info.message);
+      }
+
+      req.user = user;
+      next();
+    })(req, res, next);
+  }
+
   passport.use(new LocalStrategy(
     function(username, password, done) {
       User.getUserByUsername(username, function(err, user) {
         if (err) { return done(err); }
 
         if (!user) {
           log.warn('Failed login attempt: User with username ' + username + ' not found');
-          return done(null, false, { message: "User with username '" + username + "' not found" });
+          return done(null, false);
         }
 
         if (!user.active) {
           log.warn('Failed user login attempt: User ' + user.username + ' is not active');
-          return done(null, false, { message: "User with username '" + username + "' not active" });
+          return done(null, false);
+        }
+
+        if (!user.enabled) {
+          log.warn('Failed user login attempt: User ' + user.username + ' account is disabled.');
+          return done(null, false, { message: 'Your account has been disabled, please contact a MAGE administrator for assistance.' });
+        }
+
+        let security = user.authentication.security;
+        if (security.locked && moment().isBefore(moment(security.lockedUntil))) {
+          log.warn('Failed user login attempt: User ' + user.username + ' account is locked until ' + security.lockedUntil);
+          return done(null, false, { message: 'Your account has been temporarily locked, please try again later or contact a MAGE administrator for assistance.' });
         }
 
         user.validPassword(password, function(err, isValid) {
           if (err) {
             return done(err);
           }
 
-          if (!isValid) {
+          if (isValid) {
+            User.validLogin(user)
+              .then(() => done(null, user))
+              .catch(err => done(err));
+          } else {
             log.warn('Failed login attempt: User with username ' + username + ' provided an invalid password');
-            return done(null, false);
+            User.invalidLogin(user)
+              .then(() => done(null, false, {message: 'Please check your username, UID, and password and try again.'}))
+              .catch(err => done(err));
           }
-
-          return done(null, user);
         });
       });
     }
   ));
 
   app.post(
     '/api/login',
-    passport.authenticate('local'),
+    authenticate,
     provisioning.provision.check(provisioning.strategy),
     parseLoginMetadata,
     function(req, res) {

models/setting.js

@@ -1,9 +1,9 @@
-var mongoose = require('mongoose');
+const mongoose = require('mongoose');
 
 // Creates a new Mongoose Schema object
-var Schema = mongoose.Schema;
+const Schema = mongoose.Schema;
 
-var SettingSchema = new Schema({
+const SettingSchema = new Schema({
   type: { type: String, required: true, unique: true },
   settings: Schema.Types.Mixed
 },{
@@ -22,28 +22,20 @@ SettingSchema.set("toJSON", {
 });
 
 // Creates the Model for the Setting Schema
-var Setting = mongoose.model('Setting', SettingSchema);
+const Setting = mongoose.model('Setting', SettingSchema);
 
-exports.getSettings = function(callback) {
-  Setting.find({}, function(err, settings) {
-    callback(err, settings);
-  });
+exports.getSettings = function() {
+  return Setting.find({}).exec();
 };
 
-exports.getSetting = function(type, callback) {
-  Setting.findOne({type: type}, function(err, setting) {
-    callback(err, setting);
-  });
+exports.getSetting = function(type) {
+  return Setting.findOne({type: type}).exec();
 };
 
-exports.getSettingByType = function(type, callback) {
-  Setting.findOne({type: type}, function(err, setting) {
-    callback(err, setting);
-  });
+exports.getSettingByType = function(type) {
+  return Setting.findOne({type: type}).exec();
 };
 
-exports.updateSettingByType = function(type, update, callback) {
-  Setting.findOneAndUpdate({type: type}, update, {new: true, upsert: true}, function(err, setting) {
-    callback(err, setting);
-  });
+exports.updateSettingByType = function(type, update) {
+  return Setting.findOneAndUpdate({type: type}, update, {new: true, upsert: true}).exec();
 };

models/user.js

@@ -1,13 +1,15 @@
 var mongoose = require('mongoose')
   , async = require("async")
   , hasher = require('../utilities/pbkdf2')()
-  , Token = require('../models/token')
-  , Login = require('../models/login')
-  , Event = require('../models/event')
-  , Team = require('../models/team')
-  , Observation = require('../models/observation')
-  , Location = require('../models/location')
-  , CappedLocation = require('../models/cappedLocation');
+  , moment = require('moment')
+  , Setting = require('./setting')
+  , Token = require('./token')
+  , Login = require('./login')
+  , Event = require('./event')
+  , Team = require('./team')
+  , Observation = require('./observation')
+  , Location = require('./location')
+  , CappedLocation = require('./cappedLocation');
 
 // Creates a new Mongoose Schema object
 var Schema = mongoose.Schema;
@@ -40,13 +42,20 @@ var UserSchema = new Schema({
     relativePath: { type: String, required: false }
   },
   active: { type: Boolean, required: true },
+  enabled: { type: Boolean, default: true, required: true },
   roleId: { type: Schema.Types.ObjectId, ref: 'Role', required: true },
   status: { type: String, required: false, index: 'sparse' },
   recentEventIds: [{type: Number, ref: 'Event'}],
   authentication: {
     type: { type: String, required: false },
     id: { type: String, required: false },
-    password: { type: String, required: false }
+    password: { type: String, required: false },
+    security: {
+      locked: { type: Boolean },
+      lockedUntil: { type: Date },
+      invalidLoginAttempts: { type: Number, default: 0 },
+      numberOfTimesLocked: { type: Number, default: 0 }
+    }
   }
 },{
   versionKey: false,
@@ -183,7 +192,6 @@ UserSchema.pre('remove', function(next) {
     },
     eventAcl: function(done) {
       Event.removeUserFromAllAcls(user, function(err) {
-        console.log('event acl remove', err);
         done(err);
       });
     },
@@ -192,7 +200,6 @@ UserSchema.pre('remove', function(next) {
     }
   },
   function(err) {
-    console.log('remove all user stuff with err', err);
     next(err);
   });
 });
@@ -332,14 +339,46 @@ exports.updateUser = function(user, callback) {
 };
 
 exports.deleteUser = function(user, callback) {
-  console.log('delete user', user._id);
   user.remove(function(err, removedUser) {
-    // console.log('deleted user', err);
-
     callback(err, removedUser);
   });
 };
 
+exports.invalidLogin = function(user) {
+  return Setting.getSetting('security')
+    .then(securitySettings => {
+      let {enabled, max, interval, threshold} = securitySettings.settings.accountLock;
+      if (!enabled) return Promise.resolve(user);
+
+      let security = user.authentication.security;
+      const invalidLoginAttempts = security.invalidLoginAttempts + 1;
+      if (invalidLoginAttempts >= threshold) {
+        const numberOfTimesLocked = security.numberOfTimesLocked + 1;
+        if (numberOfTimesLocked >= max) {
+          user.enabled = false;
+          user.authentication.security = {};
+        } else {
+          user.authentication.security = {
+            locked: true,
+            numberOfTimesLocked: numberOfTimesLocked,
+            lockedUntil: moment().add(interval, 'seconds').toDate()
+          };
+        }
+      } else {
+        security.invalidLoginAttempts = invalidLoginAttempts;
+        security.locked = undefined;
+        security.lockedUntil = undefined;
+      }
+
+      return user.save();
+    });
+};
+
+exports.validLogin = function(user) {
+  user.authentication.security = {};
+  return user.save();
+};
+
 exports.setStatusForUser = function(user, status, callback) {
   var update = { status: status };
   User.findByIdAndUpdate(user._id, update, {new: true}, function(err, user) {

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "mage-server",
-  "version": "5.1.3",
+  "version": "5.1.4",
   "displayName": "MAGE Server",
   "description": "Geospatial situation awareness application.",
   "keywords": [
@@ -77,7 +77,7 @@
     "proxyquire": "~2.0.1",
     "sinon": "~4.5.0",
     "sinon-chai": "~3.0.0",
-    "sinon-mongoose": "2.1.1",
+    "sinon-mongoose": "2.2.1",
     "superagent": "1.4.0",
     "supertest": "1.1.0"
   },

package.json

@@ -2,11 +2,33 @@ var _ = require('underscore');
 
 module.exports = AdminSettingsController;
 
-AdminSettingsController.$inject = ['$scope', 'Settings', 'LocalStorageService'];
+AdminSettingsController.$inject = ['$scope', 'Api', 'Settings', 'LocalStorageService'];
 
-function AdminSettingsController($scope, Settings, LocalStorageService) {
+function AdminSettingsController($scope, Api, Settings, LocalStorageService) {
   $scope.token = LocalStorageService.getToken();
-  $scope.pill = 'banner';
+  $scope.pill = 'security';
+
+  $scope.accountLock = {};
+  $scope.accountLockChoices = [{
+    title: 'Off',
+    description: 'Do not lock MAGE user accounts.',
+    value: false
+  },{
+    title: 'On',
+    description: 'Lock MAGE user accounts for defined time \n after defined number of invalid login attempts.',
+    value: true
+  }];
+
+  $scope.maxLock = {};
+  $scope.maxLockChoices = [{
+    title: 'Off',
+    description: 'Do not disable MAGE user accounts.',
+    value: false
+  },{
+    title: 'On',
+    description: 'Disable MAGE user accounts after account has been locked defined number of times.',
+    value: true
+  }];
 
   $scope.minicolorSettings = {
     position: 'bottom right',
@@ -22,11 +44,26 @@ function AdminSettingsController($scope, Settings, LocalStorageService) {
     footerBackgroundColor: 'FFFFFF'
   };
 
+  Api.get(function(api) {
+    var authenticationStrategies = api.authenticationStrategies || {};
+    $scope.local = authenticationStrategies.local;
+    $scope.pill = authenticationStrategies.local ? 'security' : 'banner';
+  });
+
   Settings.query(function(settings) {
     $scope.settings = _.indexBy(settings, 'type');
 
     $scope.banner = $scope.settings.banner ? $scope.settings.banner.settings : {};
     $scope.disclaimer = $scope.settings.disclaimer ? $scope.settings.disclaimer.settings : {};
+    $scope.security = $scope.settings.security ? $scope.settings.security.settings : {};
+
+    if (!$scope.security.accountLock) {
+      $scope.security.accountLock = {
+        enabled: false
+      };
+    }
+
+    $scope.maxLock.enabled = $scope.security.accountLock && $scope.security.accountLock.max !== undefined;
   });
 
   $scope.saveBanner = function() {
@@ -53,6 +90,22 @@ function AdminSettingsController($scope, Settings, LocalStorageService) {
     });
   };
 
+  $scope.saveSecurity = function() {
+    if (!$scope.maxLock.enabled) {
+      delete $scope.security.accountLock.max;
+    }
+
+    Settings.update({type: 'security'}, $scope.security, function() {
+      $scope.saved = true;
+      $scope.saving = false;
+      $scope.saveStatus = 'Security settings successfully saved.';
+      debounceHideSave();
+    }, function() {
+      $scope.saving = false;
+      $scope.saveStatus = 'Failed to save security settings.';
+    });
+  };
+
   var debounceHideSave = _.debounce(function() {
     $scope.$apply(function() {
       $scope.saved = false;