Use 429 for auth limit exceeded requests (#2591)

* fix login with email

Signed-off-by: Jeff <zw0948@gmail.com>

* use 429 for auth limit exceeded error

Signed-off-by: Jeff <zw0948@gmail.com>

pkg/apiserver/filters/authentication.go

@@ -58,7 +58,7 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, loginR
 		if err != nil || !ok {
 			if err != nil {
 				klog.Errorf("Unable to authenticate the request due to error: %v", err)
-				if usingBasicAuth { // log failed login attempts
+				if usingBasicAuth && err.Error() == im.AuthFailedIncorrectPassword.Error() { // log failed login attempts
 					go func(user string) {
 						if loginRecorder != nil && len(user) != 0 {
 							err = loginRecorder.RecordLogin(user, iamv1alpha2.BasicAuth, "", err, req)
@@ -76,7 +76,11 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, loginR
 			}
 
 			gv := schema.GroupVersion{Group: requestInfo.APIGroup, Version: requestInfo.APIVersion}
-			responsewriters.ErrorNegotiated(apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)), s, gv, w, req)
+			if err != nil && err.Error() == im.AuthRateLimitExceeded.Error() {
+				responsewriters.ErrorNegotiated(apierrors.NewTooManyRequests(fmt.Sprintf("Unauthorized: %s", err), 60), s, gv, w, req)
+			} else {
+				responsewriters.ErrorNegotiated(apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)), s, gv, w, req)
+			}
 			return
 		}
 

pkg/kapis/oauth/handler.go

@@ -272,40 +272,35 @@ func (h *handler) Token(req *restful.Request, response *restful.Response) {
 func (h *handler) passwordGrant(username string, password string, req *restful.Request, response *restful.Response) {
 	authenticated, err := h.authenticator.Authenticate(username, password)
 	if err != nil {
-		if err == im.AuthFailedIncorrectPassword {
+		klog.Error(err)
+		switch err {
+		case im.AuthFailedIncorrectPassword:
 			if err := h.loginRecorder.RecordLogin(username, iamv1alpha2.Token, "", err, req.Request); err != nil {
 				klog.Error(err)
-				err = apierrors.NewInternalError(err)
-				response.WriteError(http.StatusInternalServerError, err)
-				return
+				response.WriteError(http.StatusInternalServerError, apierrors.NewInternalError(err))
 			}
-		}
-		if err == im.AuthFailedIncorrectPassword ||
-			err == im.AuthFailedIdentityMappingNotMatch ||
-			err == im.AuthRateLimitExceeded {
-			klog.V(4).Info(err)
-			err = apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
-			response.WriteError(http.StatusUnauthorized, err)
 			return
+		case im.AuthFailedIdentityMappingNotMatch:
+			response.WriteError(http.StatusUnauthorized, apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)))
+			return
+		case im.AuthRateLimitExceeded:
+			response.WriteError(http.StatusTooManyRequests, apierrors.NewTooManyRequests(fmt.Sprintf("Unauthorized: %s", err), 60))
+			return
+		default:
+			response.WriteError(http.StatusInternalServerError, apierrors.NewInternalError(err))
 		}
-		klog.Error(err)
-		err := apierrors.NewInternalError(err)
-		response.WriteError(http.StatusInternalServerError, err)
-		return
 	}
 
 	result, err := h.tokenOperator.IssueTo(authenticated)
 	if err != nil {
 		klog.Error(err)
-		err := apierrors.NewInternalError(err)
-		response.WriteError(http.StatusInternalServerError, err)
+		response.WriteError(http.StatusInternalServerError, apierrors.NewInternalError(err))
 		return
 	}
 
 	if err = h.loginRecorder.RecordLogin(authenticated.GetName(), iamv1alpha2.Token, "", nil, req.Request); err != nil {
 		klog.Error(err)
-		err := apierrors.NewInternalError(err)
-		response.WriteError(http.StatusInternalServerError, err)
+		response.WriteError(http.StatusInternalServerError, apierrors.NewInternalError(err))
 		return
 	}