Josef Reidinger write:

Martin Kudlvasr write:

...

On Monday 02 November 2009 16:31:56 Josef Reidinger wrote:

...

ref: refs/heads/master commit 4f74fe5c2ec8c1927b9ebac0073e5b703fb484df Author: Josef Reidinger <jreidinger@suse.cz> Date: Mon Nov 2 16:24:21 2009 +0100

add Brute force protection --- webservice/app/controllers/sessions_controller.rb | 6 ++- webservice/lib/brute_force_protection.rb | 63 ++++++++++++++++++++ webservice/package/yast2-webservice.changes

| 5 ++

.../test/unit/brute_force_protection_test.rb | 33 ++++++++++ 4 files changed, 106 insertions(+), 1 deletions(-)

diff --git a/webservice/app/controllers/sessions_controller.rb b/webservice/app/controllers/sessions_controller.rb index 86295c2..d88f3e0 100644 --- a/webservice/app/controllers/sessions_controller.rb +++ b/webservice/app/controllers/sessions_controller.rb @@ -34,7 +34,10 @@ class SessionsController < ApplicationController self.current_account = Account.authenticate(params[:login], params[:password]) end @cmd_ret = Hash.new - if logged_in? + if BruteForceProtection.instance.blocked? + @cmd_ret["login"] = "blocked" + @cmd_ret["remain"] = BruteForceProtection.instance.last_fail + BruteForceProtection::BAN_TIMEOUT + elsif logged_in? if params[:remember_me] current_account.remember_me unless current_account.remember_token? cookies[:auth_token] = { :value => self.current_account.remember_token , :expires => self.current_account.remember_token_expires_at } @@ -44,6 +47,7 @@ class SessionsController < ApplicationController @cmd_ret["auth_token"] = {

:value => self.current_account.remember_token , :expires =>

self.current_account.remember_token_expires_at } else @cmd_ret["login"] = "denied" + BruteForceProtection.instance.fail_attempt end end

diff --git a/webservice/lib/brute_force_protection.rb b/webservice/lib/brute_force_protection.rb new file mode 100644 index 0000000..b5fc899 --- /dev/null +++ b/webservice/lib/brute_force_protection.rb @@ -0,0 +1,63 @@ +# == Brute force Protection class +# === Overview +# +# Singleton class thant remember fail attempts to log to REST-SERVICE. +# After specified time period is failed attemps cleared. +# +# === Usage +# +# When user tries to login ensure that it is not blocked by BruteForceProtection.instance.blocked? +# When user failed to login call BruteForceProtection.instance.fail_attempt + +class BruteForceProtection + include Singleton +

Maybe I misunderstood the code, but using Singleton module will not preserve the instance between requests. Just try to create a simple Singleton counter and view it a few times in some controller. Singletons are regular instances of regular ruby class. The only difference is, that you can make (new) only one of them. But they are lost at the end of request like any other instance. For storing values between requests AFAIK only database and module namespace hacks work. I don't have anything against storing values in module namespace, but I suggest doing it readable. For instance by writing some "ModuleStorage" class/module whose only purpose would be to store and retrieve values using module namespace.

Hi, Can you reproduce it? I am not able to do it. Also if singleton doesn't preserve between request then something is very bad with ruby garbage collector (if rails doesn't restart itself after each request), because there exist reference to instance of class and it should not be destroyed. What you maybe find is problem with class reloading in development mode (it affects also singleton, as it reloads also its only instance), but maybe I have some gaps in my ruby knowledge. I also know why is singleton bad http://code.google.com/p/google-singleton- detector/wiki/WhySingletonsAreControversial but I think that in this case is adequate to use singleton as it is small class coupled with only one class which must survive between requests.

Just link to similar problem and explanation http://groups.google.com/group/rubyonrails- talk/browse_thread/thread/ee8e7888dfc51833 So I think that in production mode where class is not reloaded on request it works. -- Josef Reidinger YaST team maintainer of perl-Bootloader, YaST2-Repair, webyast modules language and time -- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org For additional commands, e-mail: yast-devel+help@opensuse.org

Josef Reidinger write:

Martin Kudlvasr write:

...

On Monday 02 November 2009 16:31:56 Josef Reidinger wrote:

...

ref: refs/heads/master commit 4f74fe5c2ec8c1927b9ebac0073e5b703fb484df Author: Josef Reidinger <jreidinger@suse.cz> Date: Mon Nov 2 16:24:21 2009 +0100

add Brute force protection --- webservice/app/controllers/sessions_controller.rb | 6 ++- webservice/lib/brute_force_protection.rb | 63 ++++++++++++++++++++ webservice/package/yast2-webservice.changes

| 5 ++

.../test/unit/brute_force_protection_test.rb | 33 ++++++++++ 4 files changed, 106 insertions(+), 1 deletions(-)

diff --git a/webservice/app/controllers/sessions_controller.rb b/webservice/app/controllers/sessions_controller.rb index 86295c2..d88f3e0 100644 --- a/webservice/app/controllers/sessions_controller.rb +++ b/webservice/app/controllers/sessions_controller.rb @@ -34,7 +34,10 @@ class SessionsController < ApplicationController self.current_account = Account.authenticate(params[:login], params[:password]) end @cmd_ret = Hash.new - if logged_in? + if BruteForceProtection.instance.blocked? + @cmd_ret["login"] = "blocked" + @cmd_ret["remain"] = BruteForceProtection.instance.last_fail + BruteForceProtection::BAN_TIMEOUT + elsif logged_in? if params[:remember_me] current_account.remember_me unless current_account.remember_token? cookies[:auth_token] = { :value => self.current_account.remember_token , :expires => self.current_account.remember_token_expires_at } @@ -44,6 +47,7 @@ class SessionsController < ApplicationController @cmd_ret["auth_token"] = {

:value => self.current_account.remember_token , :expires =>

self.current_account.remember_token_expires_at } else @cmd_ret["login"] = "denied" + BruteForceProtection.instance.fail_attempt end end

diff --git a/webservice/lib/brute_force_protection.rb b/webservice/lib/brute_force_protection.rb new file mode 100644 index 0000000..b5fc899 --- /dev/null +++ b/webservice/lib/brute_force_protection.rb @@ -0,0 +1,63 @@ +# == Brute force Protection class +# === Overview +# +# Singleton class thant remember fail attempts to log to REST-SERVICE. +# After specified time period is failed attemps cleared. +# +# === Usage +# +# When user tries to login ensure that it is not blocked by BruteForceProtection.instance.blocked? +# When user failed to login call BruteForceProtection.instance.fail_attempt + +class BruteForceProtection + include Singleton +

Maybe I misunderstood the code, but using Singleton module will not preserve the instance between requests. Just try to create a simple Singleton counter and view it a few times in some controller. Singletons are regular instances of regular ruby class. The only difference is, that you can make (new) only one of them. But they are lost at the end of request like any other instance. For storing values between requests AFAIK only database and module namespace hacks work. I don't have anything against storing values in module namespace, but I suggest doing it readable. For instance by writing some "ModuleStorage" class/module whose only purpose would be to store and retrieve values using module namespace.

Hi, Can you reproduce it? I am not able to do it. Also if singleton doesn't preserve between request then something is very bad with ruby garbage collector (if rails doesn't restart itself after each request), because there exist reference to instance of class and it should not be destroyed. What you maybe find is problem with class reloading in development mode (it affects also singleton, as it reloads also its only instance), but maybe I have some gaps in my ruby knowledge. I also know why is singleton bad http://code.google.com/p/google-singleton- detector/wiki/WhySingletonsAreControversial but I think that in this case is adequate to use singleton as it is small class coupled with only one class which must survive between requests.

Just link to similar problem and explanation http://groups.google.com/group/rubyonrails- talk/browse_thread/thread/ee8e7888dfc51833 So I think that in production mode where class is not reloaded on request it works. -- Josef Reidinger YaST team maintainer of perl-Bootloader, YaST2-Repair, webyast modules language and time -- To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org For additional commands, e-mail: yast-devel+help@opensuse.org