policies/geoip: fix math in impossible travel (#13141) * policies/geoip: fix math in impossible travel * fix threshold --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>
committed by
GitHub

parent
adb532fc5d
commit
b2dcf94aba
@ -128,7 +128,7 @@ class GeoIPPolicy(Policy):
|
|||||||
(geoip_data["lat"], geoip_data["long"]),
|
(geoip_data["lat"], geoip_data["long"]),
|
||||||
)
|
)
|
||||||
if self.check_history_distance and dist.km >= (
|
if self.check_history_distance and dist.km >= (
|
||||||
self.history_max_distance_km - self.distance_tolerance_km
|
self.history_max_distance_km + self.distance_tolerance_km
|
||||||
):
|
):
|
||||||
return PolicyResult(
|
return PolicyResult(
|
||||||
False, _("Distance from previous authentication is larger than threshold.")
|
False, _("Distance from previous authentication is larger than threshold.")
|
||||||
@ -139,7 +139,7 @@ class GeoIPPolicy(Policy):
|
|||||||
# clamped to be at least 1 hour
|
# clamped to be at least 1 hour
|
||||||
rel_time_hours = max(int((_now - previous_login.created).total_seconds() / 3600), 1)
|
rel_time_hours = max(int((_now - previous_login.created).total_seconds() / 3600), 1)
|
||||||
if self.check_impossible_travel and dist.km >= (
|
if self.check_impossible_travel and dist.km >= (
|
||||||
(MAX_DISTANCE_HOUR_KM * rel_time_hours) - self.distance_tolerance_km
|
(MAX_DISTANCE_HOUR_KM * rel_time_hours) + self.distance_tolerance_km
|
||||||
):
|
):
|
||||||
return PolicyResult(False, _("Distance is further than possible."))
|
return PolicyResult(False, _("Distance is further than possible."))
|
||||||
return PolicyResult(True)
|
return PolicyResult(True)
|
||||||
|
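Review bot: Both comparisons now add the tolerance to the limit (`self.history_max_distance_km + self.distance_tolerance_km` and `(MAX_DISTANCE_HOUR_KM * rel_time_hours) + self.distance_tolerance_km`), so a policy tuned under the old subtraction starts denying 2 × tolerance further out once this lands, and nothing visible here tells operators. I would put a comment above each comparison, e.g. `# tolerance is added on top of the limit, so it only ever loosens the check`, and add a regression test that pins the deny boundary at limit + tolerance for both checks. Separately, `rel_time_hours` is clamped to at least 1, so two logins a few minutes apart are still allowed a full hour of travel plus the tolerance; extending the existing `# clamped to be at least 1 hour` comment would record that detection gap as a deliberate choice. The enclosing method starts and ends outside these hunks.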
@ -148,10 +148,10 @@ class PasswordPolicy(Policy):
|
|||||||
user_inputs.append(request.user.email)
|
user_inputs.append(request.user.email)
|
||||||
if request.http_request:
|
if request.http_request:
|
||||||
user_inputs.append(request.http_request.brand.branding_title)
|
user_inputs.append(request.http_request.brand.branding_title)
|
||||||
# Only calculate result for the first 100 characters, as with over 100 char
|
# Only calculate result for the first 72 characters, as with over 100 char
|
||||||
# long passwords we can be reasonably sure that they'll surpass the score anyways
|
# long passwords we can be reasonably sure that they'll surpass the score anyways
|
||||||
# See https://github.com/dropbox/zxcvbn#runtime-latency
|
# See https://github.com/dropbox/zxcvbn#runtime-latency
|
||||||
results = zxcvbn(password[:100], user_inputs)
|
results = zxcvbn(password[:72], user_inputs)
|
||||||
LOGGER.debug("password failed", check="zxcvbn", score=results["score"])
|
LOGGER.debug("password failed", check="zxcvbn", score=results["score"])
|
||||||
result = PolicyResult(results["score"] > self.zxcvbn_score_threshold)
|
result = PolicyResult(results["score"] > self.zxcvbn_score_threshold)
|
||||||
if not result.passing:
|
if not result.passing:
|
||||||
|
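Review bot: The rewritten comment contradicts itself: it says the first 72 characters are scored but still justifies the cut with "over 100 char long passwords", and nothing explains why 72 was chosen. If 72 comes from an input limit in the zxcvbn library (I cannot confirm that from this hunk), the comment should say so, for example `# Only score the first 72 characters; passwords longer than that are expected to surpass the threshold anyway`. A named module-level constant for the cut-off would keep the comment and the slice `password[:72]` from drifting apart again. The enclosing method starts and ends outside the hunk.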
@ -105,6 +105,22 @@ export class GeoIPPolicyForm extends BasePolicyForm<GeoIPPolicy> {
|
|||||||
)}
|
)}
|
||||||
</p>
|
</p>
|
||||||
</ak-form-element-horizontal>
|
</ak-form-element-horizontal>
|
||||||
|
<ak-form-element-horizontal
|
||||||
|
label=${msg("Maximum distance")}
|
||||||
|
name="historyMaxDistanceKm"
|
||||||
|
>
|
||||||
|
<input
|
||||||
|
type="number"
|
||||||
|
min="1"
|
||||||
|
value="${first(this.instance?.historyMaxDistanceKm, 100)}"
|
||||||
|
class="pf-c-form-control"
|
||||||
|
/>
|
||||||
|
<p class="pf-c-form__helper-text">
|
||||||
|
${msg(
|
||||||
|
"Maximum distance a login attempt is allowed from in kilometers.",
|
||||||
|
)}
|
||||||
|
</p>
|
||||||
|
</ak-form-element-horizontal>
|
||||||
<ak-form-element-horizontal
|
<ak-form-element-horizontal
|
||||||
label=${msg("Distance tolerance")}
|
label=${msg("Distance tolerance")}
|
||||||
name="distanceToleranceKm"
|
name="distanceToleranceKm"
|
||||||
@ -133,27 +149,6 @@ export class GeoIPPolicyForm extends BasePolicyForm<GeoIPPolicy> {
|
|||||||
${msg("Amount of previous login events to check against.")}
|
${msg("Amount of previous login events to check against.")}
|
||||||
</p>
|
</p>
|
||||||
</ak-form-element-horizontal>
|
</ak-form-element-horizontal>
|
||||||
<ak-form-element-horizontal
|
|
||||||
label=${msg("Maximum distance")}
|
|
||||||
name="historyMaxDistanceKm"
|
|
||||||
>
|
|
||||||
<input
|
|
||||||
type="number"
|
|
||||||
min="1"
|
|
||||||
value="${first(this.instance?.historyMaxDistanceKm, 100)}"
|
|
||||||
class="pf-c-form-control"
|
|
||||||
/>
|
|
||||||
<p class="pf-c-form__helper-text">
|
|
||||||
${msg(
|
|
||||||
"Maximum distance a login attempt is allowed from in kilometers.",
|
|
||||||
)}
|
|
||||||
</p>
|
|
||||||
</ak-form-element-horizontal>
|
|
||||||
</div>
|
|
||||||
</ak-form-group>
|
|
||||||
<ak-form-group>
|
|
||||||
<span slot="header"> ${msg("Distance settings (Impossible travel)")} </span>
|
|
||||||
<div slot="body" class="pf-c-form">
|
|
||||||
<ak-form-element-horizontal name="checkImpossibleTravel">
|
<ak-form-element-horizontal name="checkImpossibleTravel">
|
||||||
<label class="pf-c-switch">
|
<label class="pf-c-switch">
|
||||||
<input
|
<input
|
||||||
|
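Review bot: The helper text on the moved field, `"Maximum distance a login attempt is allowed from in kilometers."`, may now understate the limit: judging by the policy change in this same commit, the backend denies only beyond maximum distance plus tolerance. I would reword it along the lines of `"Maximum distance in kilometers a login attempt is allowed from; the distance tolerance is added on top."`. The second hunk also drops the `Distance settings (Impossible travel)` group header, so the `checkImpossibleTravel` switch now sits under the history settings with nothing to indicate that the tolerance field applies to it as well; a short helper text on that switch would cover it. Note that `min="1"` is only a browser-side constraint, and the server-side validation for `historyMaxDistanceKm` is not visible in these hunks.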