added tests, user creation abuse blocklist

+ public static final HasPermissions IP_BLOCKLIST_FOR_BEARER_TOKEN_ABUSE = new SecuredDomainType(

+ "IP_BLOCKLIST_FOR_BEARER_TOKEN_ABUSE", IpBlocklistForBearerTokenAbuseActions.ALL_ACTIONS);

+

+ public static final HasPermissions IP_BLOCKLIST_FOR_USER_CREATION_ABUSE = new SecuredDomainType(

+ "IP_BLOCKLIST_FOR_USER_CREATION_ABUSE", IpBlocklistForUserCreationAbuseActions.ALL_ACTIONS);

+

+ public static enum IpBlocklistForBearerTokenAbuseActions implements Action {

+ GET, UNLOCK;

+

+ private static final Action[] ALL_ACTIONS = DefaultActions.plus(IpBlocklistForBearerTokenAbuseActions.values());

+ }

+

+

+ public static enum IpBlocklistForUserCreationAbuseActions implements Action {

+ GET, UNLOCK;

+

+ private static final Action[] ALL_ACTIONS = DefaultActions.plus(IpBlocklistForUserCreationAbuseActions.values());

+ }

+

+package com.sap.sailing.gwt.ui.adminconsole;

+

+import java.util.ArrayList;

+import java.util.Comparator;

+import java.util.HashMap;

+import java.util.List;

+import java.util.Map.Entry;

+

+import com.google.gwt.user.cellview.client.AbstractCellTable;

+import com.google.gwt.user.cellview.client.ColumnSortEvent.ListHandler;

+import com.google.gwt.user.client.Command;

+import com.google.gwt.user.client.rpc.AsyncCallback;

+import com.google.gwt.user.client.ui.Button;

+import com.google.gwt.user.client.ui.CheckBox;

+import com.google.gwt.user.client.ui.Label;

+import com.sap.sailing.gwt.ui.client.SailingServiceWriteAsync;

+import com.sap.sailing.gwt.ui.client.StringMessages;

+import com.sap.sse.common.TimedLock;

+import com.sap.sse.gwt.client.ErrorReporter;

+import com.sap.sse.gwt.client.celltable.EntityIdentityComparator;

+import com.sap.sse.gwt.client.celltable.RefreshableSelectionModel;

+import com.sap.sse.gwt.client.panels.LabeledAbstractFilterablePanel;

+import com.sap.sse.security.shared.HasPermissions;

+import com.sap.sse.security.ui.client.UserService;

+import com.sap.sse.security.ui.client.component.AccessControlledButtonPanel;

+

+abstract class IPBlocklistTableWrapper

+ extends TableWrapper<IpToTimedLockDTO, RefreshableSelectionModel<IpToTimedLockDTO>> {

+ private final UserService userService;

+ private final LabeledAbstractFilterablePanel<IpToTimedLockDTO> filterField;

+ private final HasPermissions securedDomainType;

+ private final String errorMessageOnDataFailureString;

+

+ protected abstract void fetchData(AsyncCallback<HashMap<String, TimedLock>> callback);

+

+ protected abstract void unlockIP(String ip, AsyncCallback<Void> asyncCallback);

+

+ public IPBlocklistTableWrapper(final SailingServiceWriteAsync sailingServiceWrite, final UserService userService,

+ final HasPermissions securedDomainType, final String errorMessageOnDataFailureString,

+ final StringMessages stringMessages, final ErrorReporter errorReporter) {

+ super(sailingServiceWrite, stringMessages, errorReporter, true, true,

+ new EntityIdentityComparator<IpToTimedLockDTO>() {

+ @Override

+ public boolean representSameEntity(IpToTimedLockDTO dto1, IpToTimedLockDTO dto2) {

+ return dto1.ip.equals(dto2.ip);

+ }

+

+ @Override

+ public int hashCode(IpToTimedLockDTO t) {

+ return t.ip.hashCode();

+ }

+ });

+ this.securedDomainType = securedDomainType;

+ this.userService = userService;

+ this.errorMessageOnDataFailureString = errorMessageOnDataFailureString;

+ this.asWidget().ensureDebugId("wrappedTable");

+ this.table.ensureDebugId("cellTable");

+ filterField = composeFilterField();

+ mainPanel.insert(filterField.asWidget(), 0);

+ mainPanel.insert(composeButtonPanel(), 1);

+ configureColumns();

+ loadDataAndPopulateTable();

+ }

+

+ private AccessControlledButtonPanel composeButtonPanel() {

+ final AccessControlledButtonPanel buttonPanel = new AccessControlledButtonPanel(userService, securedDomainType);

+ final Button refreshbutton = buttonPanel.addAction(getStringMessages().refresh(), () -> true, new Command() {

+ @Override

+ public void execute() {

+ loadDataAndPopulateTable();

+ }

+ });

+ refreshbutton.ensureDebugId("refreshButton");

+ final Button unlockbutton = buttonPanel.addAction(getStringMessages().unlock(), () -> true, new Command() {

+ @Override

+ public void execute() {

+ for (IpToTimedLockDTO e : getSelectionModel().getSelectedSet()) {

+ unlockIP(e.ip, new AsyncCallback<Void>() {

+ @Override

+ public void onFailure(Throwable caught) {

+ errorReporter.reportError(errorMessageOnDataFailureString);

+ }

+

+ @Override

+ public void onSuccess(Void result) {

+ filterField.remove(e);

+ }

+ });

+ }

+ }

+ });

+ unlockbutton.ensureDebugId("unlockButton");

+ return buttonPanel;

+ }

+

+ private void loadDataAndPopulateTable() {

+ final AsyncCallback<HashMap<String, TimedLock>> dataInitializationCallback = new AsyncCallback<HashMap<String, TimedLock>>() {

+ @Override

+ public void onFailure(Throwable caught) {

+ errorReporter.reportError(errorMessageOnDataFailureString);

+ }

+

+ @Override

+ public void onSuccess(HashMap<String, TimedLock> result) {

+ filterField.clear();

+ clear();

+ final ArrayList<IpToTimedLockDTO> iterable = new ArrayList<IpToTimedLockDTO>();

+ for (Entry<String, TimedLock> e : result.entrySet()) {

+ if (e.getValue().isLocked()) {

+ iterable.add(new IpToTimedLockDTO(e.getKey(), e.getValue()));

+ }

+ }

+ filterField.addAll(iterable);

+ }

+ };

+ fetchData(dataInitializationCallback);

+ }

+

+ private void configureColumns() {

+ final ListHandler<IpToTimedLockDTO> columnListHandler = getColumnSortHandler();

+ addColumn(record -> record.ip, getStringMessages().ipAddress());

+ final Comparator<IpToTimedLockDTO> expiryComparator = (o1, o2) -> {

+ return o1.timedLock.getLockedUntil().compareTo(o2.timedLock.getLockedUntil());

+ };

+ addColumn(record -> record.timedLock.getLockedUntil().toString(), getStringMessages().lockedUntil(),

+ expiryComparator);

+ table.addColumnSortHandler(columnListHandler);

+ }

+

+ private LabeledAbstractFilterablePanel<IpToTimedLockDTO> composeFilterField() {

+ final LabeledAbstractFilterablePanel<IpToTimedLockDTO> filterField = new LabeledAbstractFilterablePanel<IpToTimedLockDTO>(

+ new Label(getStringMessages().filterIpAddresses()), new ArrayList<>(), getDataProvider(),

+ getStringMessages()) {

+ @Override

+ public Iterable<String> getSearchableStrings(IpToTimedLockDTO dto) {

+ List<String> string = new ArrayList<String>();

+ string.add(dto.ip);

+ return string;

+ }

+

+ @Override

+ public AbstractCellTable<IpToTimedLockDTO> getCellTable() {

+ return table;

+ }

+ };

+ final CheckBox filterCheckbox = new CheckBox(getStringMessages().filterIpAddresses());

+ filterCheckbox.addValueChangeHandler(checked -> filterField.filter());

+ registerSelectionModelOnNewDataProvider(filterField.getAllListDataProvider());

+ return filterField;

+ }

+}

+package com.sap.sailing.gwt.ui.adminconsole;

+

+import com.sap.sse.common.TimedLock;

+

+public class IpToTimedLockDTO {

+ public final String ip;

+ public final TimedLock timedLock;

+

+ public IpToTimedLockDTO(final String ip, final TimedLock timedLock) {

+ this.ip = ip;

+ this.timedLock = timedLock;

+ }

+

+}

+import java.util.HashMap;

+import com.sap.sailing.domain.common.security.SecuredDomainType;

+import com.sap.sse.common.TimedLock;

+ mainPanel.add(createBearerTokenAbusePanel());

+ mainPanel.add(createUserCreationAbusePanel());

+ private Widget createBearerTokenAbusePanel() {

+ final ServerDataCaptionPanel panel = new ServerDataCaptionPanel(stringMessages.ipsLockedForBearerTokenAbuse(), 3);

+ panel.ensureDebugId("bearerTokenAbusePanel");

+ final IPBlocklistTableWrapper table = new IPBlocklistTableWrapper(sailingService, userService,

+ SecuredDomainType.IP_BLOCKLIST_FOR_BEARER_TOKEN_ABUSE,

+ stringMessages.unableToLoadIpsBlockedForBearerTokenAbuse(), stringMessages, errorReporter) {

+ @Override

+ protected void fetchData(AsyncCallback<HashMap<String, TimedLock>> callback) {

+ sailingServiceWrite.getClientIPBasedTimedLocksForBearerTokenAbuse(callback);

+ }

+

+ @Override

+ protected void unlockIP(String ip, AsyncCallback<Void> asyncCallback) {

+ sailingService.releaseBearerTokenLockOnIp(ip, asyncCallback);

+ }

+ };

+ panel.setContentWidget(table.asWidget());

+ return panel;

+ }

+

+ private Widget createUserCreationAbusePanel() {

+ final ServerDataCaptionPanel panel = new ServerDataCaptionPanel(stringMessages.ipsLockedForUserCreationAbuse(), 3);

+ panel.ensureDebugId("userCreationAbusePanel");

+ final IPBlocklistTableWrapper table = new IPBlocklistTableWrapper(sailingService, userService,

+ SecuredDomainType.IP_BLOCKLIST_FOR_USER_CREATION_ABUSE,

+ stringMessages.unableToLoadIpsBlockedForUserCreationAbuse(), stringMessages, errorReporter) {

+ @Override

+ protected void fetchData(AsyncCallback<HashMap<String, TimedLock>> callback) {

+ sailingServiceWrite.getClientIPBasedTimedLocksForUserCreation(callback);

+ }

+

+ @Override

+ protected void unlockIP(String ip, AsyncCallback<Void> asyncCallback) {

+ sailingService.releaseUserCreationLockOnIp(ip, asyncCallback);

+ }

+ };

+ panel.setContentWidget(table.asWidget());

+ return panel;

+ String unableToLoadIpsBlockedForBearerTokenAbuse();

+ String ipAddress();

+ String filterIpAddresses();

+ String unlock();

+ String ipsLockedForUserCreationAbuse();

+ String unableToLoadIpsBlockedForUserCreationAbuse();

+selectToRaceColumn=Select race colunm to where to copy pairings

+unableToLoadIpsBlockedForBearerTokenAbuse=Unable to load IPs blocked for bearer token abuse

+ipAddress=IP Address

+filterIpAddresses=Filter IP Addresses

+unlock=Unlock

+ipsLockedForUserCreationAbuse=IPs Locked for User Creation Abuse

+unableToLoadIpsBlockedForUserCreationAbuse=Unable to load IPs Blocked for User Creation Abuse

+unableToLoadIpsBlockedForBearerTokenAbuse=Aufgrund von Missbrauch des Inhabertokens blockierte IPs können nicht geladen werden

+ipsLockedForBearerTokenAbuse=IPs wegen Missbrauchs von Bearer-Token gesperrt

+ipAddress=IP-Addresse

+filterIpAddresses=IP-Adressen filtern

+unlock=Entsperren

+ipsLockedForUserCreationAbuse=Wegen Missbrauchs bei der Benutzererstellung gesperrte IPs

+unableToLoadIpsBlockedForUserCreationAbuse=Wegen Missbrauchs der Benutzererstellung blockierte IPs können nicht geladen werden

+ public static final String INVALID_TOKEN_SAMPLE = "INVALID_TOKEN_SAMPLE";

+ * Creates an ApiContext with an invalid token. Useful for testing.

+ *

+ * @param contextRoot

+ * server instance

+ * @param context

+ * web application context

+ * @return ApiContext with invalid token

+ */

+ public static ApiContext createApiContextWithInvalidToken(String contextRoot, String context) {

+ return new ApiContext(contextRoot, context, INVALID_TOKEN_SAMPLE);

+ }

+

+ /**

+package com.sap.sailing.selenium.pages.adminconsole.advanced;

+

+import org.openqa.selenium.WebDriver;

+import org.openqa.selenium.WebElement;

+

+import com.sap.sailing.selenium.core.BySeleniumId;

+import com.sap.sailing.selenium.core.FindBy;

+import com.sap.sailing.selenium.pages.PageArea;

+import com.sap.sailing.selenium.pages.gwt.CellTablePO;

+import com.sap.sailing.selenium.pages.gwt.DataEntryPO;

+

+public class IpBlocklistPanelPO extends PageArea {

+ static class TablePO extends CellTablePO<IPLockEntry> {

+ public TablePO(WebDriver driver, WebElement element) {

+ super(driver, element);

+ }

+

+ @Override

+ protected IPLockEntry createDataEntry(WebElement element) {

+ return new IPLockEntry(this, element);

+ }

+

+ }

+

+ public static class IPLockEntry extends DataEntryPO {

+ private static final String IP_COLUMN = "IP Address";

+ private static final String LOCKED_UNTIL_COLUMN = "Locked until";

+

+ protected IPLockEntry(CellTablePO<IPLockEntry> table, WebElement element) {

+ super(table, element);

+ }

+

+ @Override

+ public String getIdentifier() {

+ return getIp();

+ }

+

+ public String getIp() {

+ return getColumnContent(IP_COLUMN);

+ }

+

+ public String getLockedUntil() {

+ return getColumnContent(LOCKED_UNTIL_COLUMN);

+ }

+ }

+

+ public IpBlocklistPanelPO(WebDriver driver, WebElement element) {

+ super(driver, element);

+ final WebElement cellTableWebElement = driver.findElement(new BySeleniumId("cellTable"));

+ this.cellTable = new TablePO(driver, cellTableWebElement);

+ }

+

+ @FindBy(how = BySeleniumId.class, using = "refreshButton")

+ private WebElement refreshButton;

+

+ @FindBy(how = BySeleniumId.class, using = "unlockButton")

+ private WebElement unlockButton;

+

+ private final TablePO cellTable;

+

+ public void refresh() {

+ refreshButton.click();

+ }

+

+ /**

+ * @return true if IP was found, false if not found

+ */

+ public boolean expectIpInTable(final String ip) {

+ final IPLockEntry entry = cellTable.getEntry(ip);

+ final boolean wasFound = entry != null;

+ return wasFound;

+ }

+

+ public void unblockIP(String ip) {

+ cellTable.getEntry(ip).select();

+ unlockButton.click();

+ }

+}

+

+

+

+ @FindBy(how = BySeleniumId.class, using = "bearerTokenAbusePanel")

+ private WebElement bearerTokenAbusePanel;

+

+ @FindBy(how = BySeleniumId.class, using = "userCreationAbusePanel")

+ private WebElement userCreationAbusePanel;

+

+ public IpBlocklistPanelPO getBearerTokenAbusePO() {

+ final WebElement wrappedTable = bearerTokenAbusePanel.findElement(new BySeleniumId("wrappedTable"));

+ return new IpBlocklistPanelPO(this.driver, wrappedTable);

+ }

+

+ public IpBlocklistPanelPO getUserCreationAbusePO() {

+ final WebElement wrappedTable = userCreationAbusePanel.findElement(new BySeleniumId("wrappedTable"));

+ return new IpBlocklistPanelPO(this.driver, wrappedTable);

+ }

+

+

+package com.sap.sailing.selenium.test.adminconsole;

+

+import static org.junit.jupiter.api.Assertions.assertFalse;

+import static org.junit.jupiter.api.Assertions.assertTrue;

+

+import java.util.HashMap;

+import java.util.Map;

+

+import org.junit.jupiter.api.BeforeEach;

+

+import com.sap.sailing.selenium.api.core.ApiContext;

+import com.sap.sailing.selenium.api.core.HttpException.Unauthorized;

+import com.sap.sailing.selenium.api.event.PreferencesApi;

+import com.sap.sailing.selenium.api.event.SecurityApi;

+import com.sap.sailing.selenium.core.SeleniumTestCase;

+import com.sap.sailing.selenium.pages.adminconsole.AdminConsolePage;

+import com.sap.sailing.selenium.pages.adminconsole.advanced.IpBlocklistPanelPO;

+import com.sap.sailing.selenium.test.AbstractSeleniumTest;

+

+public class TestIpLocking extends AbstractSeleniumTest {

+ @Override

+ @BeforeEach

+ public void setUp() {

+ clearState(getContextRoot());

+ super.setUp();

+ }

+

+ @SeleniumTestCase

+ public void testUnlockingForBearerTokenAbuser() throws InterruptedException {

+ final AdminConsolePage adminConsole = AdminConsolePage.goToPage(getWebDriver(), getContextRoot());

+ final IpBlocklistPanelPO tablePO = adminConsole.goToLocalServerPanel().getBearerTokenAbusePO();

+ attemptBearerTokenAbuse(5);

+ tablePO.refresh();

+ final String ip = "127.0.0.1";

+ assertTrue(tablePO.expectIpInTable(ip));

+ tablePO.unblockIP(ip);

+ assertFalse(tablePO.expectIpInTable(ip));

+ attemptValidBearerTokenUse();

+ }

+

+ private void attemptValidBearerTokenUse() {

+ // prepare api

+ final ApiContext ctx = ApiContext.createAdminApiContext(getContextRoot(), ApiContext.SECURITY_CONTEXT);

+ final Map<String, String> prefObjectAttr = new HashMap<String, String>();

+ prefObjectAttr.put("key1", "value1");

+ PreferencesApi preferencesApi = new PreferencesApi();

+ preferencesApi.createPreference(ctx, "pref1", prefObjectAttr);

+ }

+

+ private void attemptBearerTokenAbuse(final int attempts) throws InterruptedException {

+ // prepare api

+ final ApiContext wrongCtx = ApiContext.createApiContextWithInvalidToken(getContextRoot(),

+ ApiContext.SECURITY_CONTEXT);

+ final Map<String, String> prefObjectAttr = new HashMap<String, String>();

+ prefObjectAttr.put("key1", "value1");

+ final PreferencesApi preferencesApi = new PreferencesApi();

+ for (int i = 0; i < attempts; i++) {

+ // call api

+ try {

+ preferencesApi.createPreference(wrongCtx, "pref1", prefObjectAttr);

+ } catch (Unauthorized e) {

+ // do nothing as this is expected

+ }

+ // wait for lock to expire

+ long lockDuration = (long) Math.pow(2, i) * 1000;

+ boolean isFinalAttempt = i == (attempts - 1);

+ if (!isFinalAttempt) {

+ Thread.sleep(lockDuration);

+ }

+ }

+ }

+

+ @SeleniumTestCase

+ public void testUnlockingForUserCreationAbuser() throws InterruptedException {

+ final AdminConsolePage adminConsole = AdminConsolePage.goToPage(getWebDriver(), getContextRoot());

+ final IpBlocklistPanelPO tablePO = adminConsole.goToLocalServerPanel().getUserCreationAbusePO();

+ attemptUserCreationAbuse(5);

+ tablePO.refresh();

+ final String ip = "127.0.0.1";

+ assertTrue(tablePO.expectIpInTable(ip));

+ tablePO.unblockIP(ip);

+ assertFalse(tablePO.expectIpInTable(ip));

+ attemptValidBearerTokenUse();

+ }

+

+ private void attemptUserCreationAbuse(final int attempts) throws InterruptedException {

+ for (int i = 0; i < attempts; i++) {

+ attemptUserCreation(String.valueOf(i));

+ // wait for lock to expire

+ long lockDuration = (long) Math.pow(2, i) * 1000;

+ boolean isFinalAttempt = i == (attempts - 1);

+ if (!isFinalAttempt) {

+ Thread.sleep(lockDuration);

+ }

+ }

+ }

+

+ private boolean attemptUserCreation(String seed) {

+ try {

+ SecurityApi.createUser("USERNAME" + seed, "PASSWORD").run();

+ return true;

+ } catch (Exception e) {

+ return false;

+ }

+ }

+}

+import java.io.IOException;

+import java.util.Locale;

+ @Test

+ public void testUnlockBearerTokenAbuser() throws UserStoreManagementException, IOException, InterruptedException {

+ final String localhost = "127.0.0.1";

+ final int attempts = 4;

+ for(int i = 0; i < attempts; i++) {

+ securityService.failedBearerTokenAuthentication(localhost);

+ final long lockDuration = (long) Math.pow(2, i) * 1000;

+ final boolean isFinalAttempt = i == (attempts - 1);

+ if (!isFinalAttempt) {

+ Thread.sleep(lockDuration);

+ }

+ }

+ assertTrue(securityService.isClientIPLockedForBearerTokenAuthentication(localhost));

+ securityService.releaseBearerTokenLockOnIp(localhost);

+ assertFalse(securityService.isClientIPLockedForBearerTokenAuthentication(localhost));

+ }

+

+ @Test

+ public void testUnlockUserCreationAbuser() throws UserStoreManagementException, IOException, InterruptedException, MailException {

+ final String localhost = "127.0.0.1";

+ final int attempts = 4;

+ for(int i = 0; i < attempts; i++) {

+ try {

+ securityService.createSimpleUser("USERNAME" + i, "a@b.c", "PASSWORD", "The User", "SAP SE",

+ /* validation URL */ Locale.ENGLISH, null, null, /* clientIP */ localhost,

+ /* enforce strong password */ false);

+ } catch (UserManagementException e) {

+ // do nothing, expected due to lock

+ }

+ final long lockDuration = (long) Math.pow(2, i) * 1000;

+ final boolean isFinalAttempt = i == (attempts - 1);

+ if (!isFinalAttempt) {

+ Thread.sleep(lockDuration);

+ }

+ }

+ assertTrue(securityService.isUserCreationLockedForClientIP(localhost));

+ securityService.releaseUserCreationLockOnIp(localhost);

+ assertFalse(securityService.isUserCreationLockedForClientIP(localhost));

+ }

+

+ * will happen by calling {@link #successfulBearerTokenAuthentication(String)} with an equal combination of

+ * {@code clientIP} and {@code userAgent} or by calling {@link releaseBearerTokenLockOnIp(String)}. Invoking

+ * {@link #failedBearerTokenAuthentication(String)} will establish (if not yet locked) or extend the locking

+ * duration for the combination.

+ boolean isUserCreationLockedForClientIP(String clientIP);

+

+

+

+ logger.info("Releasing timed lock for bearer token abuse at IP "+ip);

+ public boolean isUserCreationLockedForClientIP(String clientIP) {

+ final TimedLock timedLock = clientIPBasedTimedLocksForUserCreation.get(escapeNullClientIP(clientIP));

+ return timedLock != null && timedLock.isLocked();

+ }

+

+ @Override