service.impl/src/main/java/com/hack23/cia/service/impl/action/application/access/LoginBlockedAccessImpl.java

Summary

Maintainability
A
2 hrs
Test Coverage
/*
 * Copyright 2010-2021 James Pether Sörling
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 *    $Id$
 *  $HeadURL$
*/
package com.hack23.cia.service.impl.action.application.access;

import java.util.Date;
import java.util.List;

import javax.annotation.PostConstruct;

import org.apache.commons.lang3.math.NumberUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;

import com.hack23.cia.model.internal.application.system.impl.ApplicationActionEvent;
import com.hack23.cia.model.internal.application.system.impl.ApplicationActionEvent_;
import com.hack23.cia.model.internal.application.system.impl.ApplicationConfiguration;
import com.hack23.cia.model.internal.application.system.impl.ApplicationOperationType;
import com.hack23.cia.model.internal.application.system.impl.ApplicationSession;
import com.hack23.cia.model.internal.application.system.impl.ApplicationSession_;
import com.hack23.cia.model.internal.application.system.impl.ConfigurationGroup;
import com.hack23.cia.model.internal.application.user.impl.UserAccount;
import com.hack23.cia.model.internal.application.user.impl.UserAccount_;
import com.hack23.cia.service.api.action.common.ServiceResponse.ServiceResult;
import com.hack23.cia.service.data.api.ApplicationActionEventDAO;
import com.hack23.cia.service.data.api.ApplicationConfigurationService;
import com.hack23.cia.service.data.api.ApplicationSessionDAO;
import com.hack23.cia.service.data.api.UserDAO;

/**
 * The Class LoginBlockedAccessImpl.
 */
@Service
@Transactional(propagation = Propagation.REQUIRED)
public final class LoginBlockedAccessImpl implements LoginBlockedAccess {

    /** The Constant DEFAULT_MAX_LOGINS. */
    private static final int DEFAULT_MAX_LOGINS = 5;

    /** The Constant DEFAULT_MAX_LOGINS_BY_IP. */
    private static final int DEFAULT_MAX_LOGINS_BY_IP = 10;

    private static final int ONE_HOUR = 3600 * 1000;

    /** The Constant DEFAULT_MAX_LOGIN_ATTEMPTS. */
    private static final String DEFAULT_MAX_LOGIN_ATTEMPTS = "5";

    /**
     * The Constant APPLICATION_AUTHENTICATION_ALLOW_MAX_RECENT_FAILED_LOGINS_BY_IP.
     */
    private static final String APPLICATION_AUTHENTICATION_ALLOW_MAX_RECENT_FAILED_LOGINS_BY_IP = "application.authentication.allow.max.recent.failed.logins.by.ip";

    /**
     * The Constant
     * APPLICATION_AUTHENTICATION_ALLOW_MAX_RECENT_FAILED_LOGINS_BY_SESSION.
     */
    private static final String APPLICATION_AUTHENTICATION_ALLOW_MAX_RECENT_FAILED_LOGINS_BY_SESSION = "application.authentication.allow.max.recent.failed.logins.by.session";

    /** The Constant BLOCKS_LOGIN_ATTEMPTS. */
    private static final String BLOCKS_LOGIN_ATTEMPTS = "Blocks login attempts";

    /** The Constant LOGIN_BLOCKER. */
    private static final String LOGIN_BLOCKER = "LoginBlocker";

    /** The Constant MAX_FAILED_LOGIN_ATTEMPTS_RECENT_HOUR_PER_IP. */
    private static final String MAX_FAILED_LOGIN_ATTEMPTS_RECENT_HOUR_PER_IP = "Max failed login attempts recent hour per ip";

    /** The Constant MAX_FAILED_LOGIN_ATTEMPTS_RECENT_HOUR_PER_SESSION. */
    private static final String MAX_FAILED_LOGIN_ATTEMPTS_RECENT_HOUR_PER_SESSION = "Max failed login attempts recent hour per session";

    /** The Constant MAX_FAILED_LOGIN_ATTEMPTS_RECENT_HOUR_PER_USER. */
    private static final String MAX_FAILED_LOGIN_ATTEMPTS_RECENT_HOUR_PER_USER = "Max failed login attempts recent hour per user";

    /**
     * The Constant
     * APPLICATION_AUTHENTICATION_ALLOW_MAX_RECENT_FAILED_LOGINS_BY_USER.
     */
    private static final String APPLICATION_AUTHENTICATION_ALLOW_MAX_RECENT_FAILED_LOGINS_BY_USER = "application.authentication.allow.max.recent.failed.logins.by.user";

    /** The Constant BLOCKS_ANY_LOGIN_ATTEMPTS_AFTER_THIS_NUMBER_IS_REACHED. */
    private static final String BLOCKS_ANY_LOGIN_ATTEMPTS_AFTER_THIS_NUMBER_IS_REACHED = "Blocks any login attempts after this number is reached";

    /** The Constant LOGIN_BLOCK_SETTINGS. */
    private static final String LOGIN_BLOCK_SETTINGS = "LoginBlock settings:{}";

    /** The Constant BLOCKED_BY_MORE_THAN_5_RECENT_LOGIN_ATTEMPTS_BY_THIS_IP. */
    private static final String BLOCKED_BY_MORE_THAN_5_RECENT_LOGIN_ATTEMPTS_BY_THIS_IP = "Blocked by more than 5 recent login attempts by this ip";

    /** The Constant BLOCKED_BY_MORE_THAN_5_LOGIN_ATTEMPTS_BY_THIS_SESSION. */
    private static final String BLOCKED_BY_MORE_THAN_5_LOGIN_ATTEMPTS_BY_THIS_SESSION = "Blocked by more than 5 login attempts by this session";

    /** The Constant BLOCKED_BY_MORE_THAN_5_RECENT_LOGIN_ATTEMPTS_BY_THIS_USER. */
    private static final String BLOCKED_BY_MORE_THAN_5_RECENT_LOGIN_ATTEMPTS_BY_THIS_USER = "Blocked by more than 5 recent login attempts by this user";

    /** The Constant LOGGER. */
    private static final Logger LOGGER = LoggerFactory.getLogger(LoginBlockedAccessImpl.class);

    /** The user DAO. */
    @Autowired
    private UserDAO userDAO;

    /** The application session DAO. */
    @Autowired
    private ApplicationSessionDAO applicationSessionDAO;

    /** The application action event DAO. */
    @Autowired
    private ApplicationActionEventDAO applicationActionEventDAO;

    /** The application configuration service. */
    @Autowired
    private ApplicationConfigurationService applicationConfigurationService;

    /**
     * Instantiates a new login blocked access impl.
     */
    public LoginBlockedAccessImpl() {
        super();
    }

    /**
     * Inits the settings.
     */
    @PostConstruct
    public void initSettings() {
        final Authentication authentication = new UsernamePasswordAuthenticationToken("system.init", "n/a", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
        SecurityContextHolder.getContext().setAuthentication(authentication);
        LOGGER.info(LOGIN_BLOCK_SETTINGS,applicationConfigurationService.checkValueOrLoadDefault(MAX_FAILED_LOGIN_ATTEMPTS_RECENT_HOUR_PER_USER, BLOCKS_ANY_LOGIN_ATTEMPTS_AFTER_THIS_NUMBER_IS_REACHED, ConfigurationGroup.AUTHENTICATION, LoginBlockedAccessImpl.class.getSimpleName(), LOGIN_BLOCKER, BLOCKS_LOGIN_ATTEMPTS, APPLICATION_AUTHENTICATION_ALLOW_MAX_RECENT_FAILED_LOGINS_BY_USER, DEFAULT_MAX_LOGIN_ATTEMPTS));
        LOGGER.info(LOGIN_BLOCK_SETTINGS,applicationConfigurationService.checkValueOrLoadDefault(MAX_FAILED_LOGIN_ATTEMPTS_RECENT_HOUR_PER_SESSION, BLOCKS_ANY_LOGIN_ATTEMPTS_AFTER_THIS_NUMBER_IS_REACHED, ConfigurationGroup.AUTHENTICATION, LoginBlockedAccessImpl.class.getSimpleName(), LOGIN_BLOCKER, BLOCKS_LOGIN_ATTEMPTS, APPLICATION_AUTHENTICATION_ALLOW_MAX_RECENT_FAILED_LOGINS_BY_SESSION,DEFAULT_MAX_LOGIN_ATTEMPTS));
        LOGGER.info(LOGIN_BLOCK_SETTINGS,applicationConfigurationService.checkValueOrLoadDefault(MAX_FAILED_LOGIN_ATTEMPTS_RECENT_HOUR_PER_IP, BLOCKS_ANY_LOGIN_ATTEMPTS_AFTER_THIS_NUMBER_IS_REACHED, ConfigurationGroup.AUTHENTICATION, LoginBlockedAccessImpl.class.getSimpleName(), LOGIN_BLOCKER, BLOCKS_LOGIN_ATTEMPTS, APPLICATION_AUTHENTICATION_ALLOW_MAX_RECENT_FAILED_LOGINS_BY_IP, DEFAULT_MAX_LOGIN_ATTEMPTS));
        SecurityContextHolder.getContext().setAuthentication(null);
    }


    @Override
    public LoginBlockResult isBlocked(final String sessionId, final String email) {
        final LoginBlockResultImpl loginBlockResultImpl = new LoginBlockResultImpl();
        blockByUserFailedLoginAttempts(email, loginBlockResultImpl);
        blockBySessionOrIpFailedLoginAttempts(sessionId, loginBlockResultImpl);
        return loginBlockResultImpl;
    }

    /**
     * Block by user failed login attempts.
     *
     * @param email
     *            the email
     * @param loginBlockResultImpl
     *            the login block result impl
     */
    private void blockByUserFailedLoginAttempts(final String email, final LoginBlockResultImpl loginBlockResultImpl) {
        final UserAccount userExist = userDAO.findFirstByProperty(UserAccount_.email, email);

        if (userExist != null) {

            final ApplicationConfiguration maxLoginAttemptsByUser = applicationConfigurationService.checkValueOrLoadDefault(MAX_FAILED_LOGIN_ATTEMPTS_RECENT_HOUR_PER_USER, BLOCKS_ANY_LOGIN_ATTEMPTS_AFTER_THIS_NUMBER_IS_REACHED, ConfigurationGroup.AUTHENTICATION, LoginBlockedAccessImpl.class.getSimpleName(), LOGIN_BLOCKER, BLOCKS_LOGIN_ATTEMPTS, APPLICATION_AUTHENTICATION_ALLOW_MAX_RECENT_FAILED_LOGINS_BY_USER, DEFAULT_MAX_LOGIN_ATTEMPTS);

            final Date oneHourAgo = new Date(System.currentTimeMillis() - ONE_HOUR);
            final List<ApplicationActionEvent> failedLoginsByThisUser = applicationActionEventDAO.findListByPropertyBeforeDate(oneHourAgo,ApplicationActionEvent_.createdDate,
                    new Object[] { email, ApplicationOperationType.AUTHENTICATION, ServiceResult.FAILURE.toString() },
                    ApplicationActionEvent_.elementId, ApplicationActionEvent_.applicationOperation,
                    ApplicationActionEvent_.applicationMessage);

            if (failedLoginsByThisUser != null && failedLoginsByThisUser.size() > NumberUtils.toInt(maxLoginAttemptsByUser.getPropertyValue(),DEFAULT_MAX_LOGINS)) {
                loginBlockResultImpl.setBlocked(true);
                loginBlockResultImpl.addMessages(BLOCKED_BY_MORE_THAN_5_RECENT_LOGIN_ATTEMPTS_BY_THIS_USER);
            }
        }
    }

    /**
     * Block by session or ip failed login attempts.
     *
     * @param sessionId
     *            the session id
     * @param loginBlockResultImpl
     *            the login block result impl
     */
    private void blockBySessionOrIpFailedLoginAttempts(final String sessionId, final LoginBlockResultImpl loginBlockResultImpl) {
        final ApplicationSession applicationSession = applicationSessionDAO
                .findFirstByProperty(ApplicationSession_.sessionId, sessionId);

        if (applicationSession != null) {

            final ApplicationConfiguration maxLoginAttemptsBySession = applicationConfigurationService.checkValueOrLoadDefault(MAX_FAILED_LOGIN_ATTEMPTS_RECENT_HOUR_PER_SESSION, BLOCKS_ANY_LOGIN_ATTEMPTS_AFTER_THIS_NUMBER_IS_REACHED, ConfigurationGroup.AUTHENTICATION, LoginBlockedAccessImpl.class.getSimpleName(), LOGIN_BLOCKER, BLOCKS_LOGIN_ATTEMPTS, APPLICATION_AUTHENTICATION_ALLOW_MAX_RECENT_FAILED_LOGINS_BY_SESSION,DEFAULT_MAX_LOGIN_ATTEMPTS);
            final List<ApplicationActionEvent> failedLoginsByThisSession = applicationActionEventDAO.findListByProperty(
                    new Object[] { sessionId, ApplicationOperationType.AUTHENTICATION,
                            ServiceResult.FAILURE.toString() },
                    ApplicationActionEvent_.sessionId, ApplicationActionEvent_.applicationOperation,
                    ApplicationActionEvent_.applicationMessage);
            if (failedLoginsByThisSession.size() > NumberUtils.toInt(maxLoginAttemptsBySession.getPropertyValue(),DEFAULT_MAX_LOGINS)) {
                loginBlockResultImpl.setBlocked(true);
                loginBlockResultImpl.addMessages(BLOCKED_BY_MORE_THAN_5_LOGIN_ATTEMPTS_BY_THIS_SESSION);
            }

            final Date oneHourAgo = new Date(System.currentTimeMillis() - ONE_HOUR);
            final List<ApplicationSession> applicationSessionsByIp = applicationSessionDAO
                    .findListByPropertyBeforeDate(oneHourAgo, ApplicationSession_.createdDate,new Object[] {applicationSession.getIpInformation()},ApplicationSession_.ipInformation);

            final List<String> sessionIdsWithIp = applicationSessionsByIp.stream().map(ApplicationSession::getSessionId).toList();

            final List<ApplicationActionEvent> applicationEventsWithIp = applicationActionEventDAO
                    .findListByPropertyInList(ApplicationActionEvent_.sessionId,
                            sessionIdsWithIp.toArray(new Object[0]));

            final List<ApplicationActionEvent> recentFailedLogins = applicationEventsWithIp
                    .stream()
                    .filter((final ApplicationActionEvent x) -> x.getApplicationOperation() == ApplicationOperationType.AUTHENTICATION
                            && x.getApplicationMessage().equals(ServiceResult.FAILURE.toString())).toList();

            final ApplicationConfiguration maxLoginAttemptsByIp = applicationConfigurationService.checkValueOrLoadDefault(MAX_FAILED_LOGIN_ATTEMPTS_RECENT_HOUR_PER_IP, BLOCKS_ANY_LOGIN_ATTEMPTS_AFTER_THIS_NUMBER_IS_REACHED, ConfigurationGroup.AUTHENTICATION, LoginBlockedAccessImpl.class.getSimpleName(), LOGIN_BLOCKER, BLOCKS_LOGIN_ATTEMPTS, APPLICATION_AUTHENTICATION_ALLOW_MAX_RECENT_FAILED_LOGINS_BY_IP, DEFAULT_MAX_LOGIN_ATTEMPTS);
            if (recentFailedLogins != null && recentFailedLogins.size() > NumberUtils.toInt(maxLoginAttemptsByIp.getPropertyValue(),DEFAULT_MAX_LOGINS_BY_IP)) {
                loginBlockResultImpl.setBlocked(true);
                loginBlockResultImpl.addMessages(BLOCKED_BY_MORE_THAN_5_RECENT_LOGIN_ATTEMPTS_BY_THIS_IP);
            }
        }
    }

}