VAULT-5422: Add rate limit for TOTP passcode attempts (#14864)

* VAULT-5422: Add rate limit for TOTP passcode attempts * fixing the docs * CL * feedback * Additional info in doc * rate limit is done per entity per methodID * refactoring a test * rate limit OSS work for policy MFA * adding max_validation_attempts to TOTP config * feedback * checking for non-nil reference
hashicorp · Apr 24, 2022 · 3fe56cb · 3fe56cb
1 parent fb5a7a5
commit 3fe56cb
Show file tree

Hide file tree

Showing 11 changed files with 434 additions and 304 deletions.
diff --git a/changelog/14864.txt b/changelog/14864.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth: enforce a rate limit for TOTP passcode validation attempts
+```
diff --git a/helper/identity/mfa/types.pb.go b/helper/identity/mfa/types.pb.go
diff --git a/helper/identity/mfa/types.proto b/helper/identity/mfa/types.proto
@@ -50,6 +50,8 @@ message TOTPConfig {
 	uint32 key_size = 6;
 	// @inject_tag: sentinel:"-"
 	int32 qr_size = 7;
+	// @inject_tag: sentinel:"-"
+	uint32 max_validation_attempts = 8;
 }
 
 // DuoConfig represents the configuration information required to perform

diff --git a/vault/core.go b/vault/core.go
@@ -81,6 +81,12 @@ const (
 	// MfaAuthResponse when the value is not specified in the server config
 	defaultMFAAuthResponseTTL = 300 * time.Second
 
+	// defaultMaxTOTPValidateAttempts is the default value for the number
+	// of failed attempts to validate a request subject to TOTP MFA. If the
+	// number of failed totp passcode validations exceeds this max value, the
+	// user needs to wait until a fresh totp passcode is generated.
+	defaultMaxTOTPValidateAttempts = 5
+
 	// ForwardSSCTokenToActive is the value that must be set in the
 	// forwardToActive to trigger forwarding if a perf standby encounters
 	// an SSC Token that it does not have the WAL state for.
@@ -2264,6 +2270,9 @@ func (c *Core) postUnseal(ctx context.Context, ctxCancelFunc context.CancelFunc,
 		c.logger.Warn("disabling entities for local auth mounts through env var", "env", EnvVaultDisableLocalAuthMountEntities)
 	}
 	c.loginMFABackend.usedCodes = cache.New(0, 30*time.Second)
+	if c.systemBackend != nil && c.systemBackend.mfaBackend != nil {
+		c.systemBackend.mfaBackend.usedCodes = cache.New(0, 30*time.Second)
+	}
 	c.logger.Info("post-unseal setup complete")
 	return nil
 }
@@ -2340,6 +2349,9 @@ func (c *Core) preSeal() error {
 	}
 
 	c.loginMFABackend.usedCodes = nil
+	if c.systemBackend != nil && c.systemBackend.mfaBackend != nil {
+		c.systemBackend.mfaBackend.usedCodes = nil
+	}
 	preSealPhysical(c)
 
 	c.logger.Info("pre-seal teardown complete")