From 051893eb71fab121b9aa5055f29d3a90d93df059 Mon Sep 17 00:00:00 2001
From: zryfish
Date: Sat, 25 Jul 2020 14:27:03 +0800
Subject: [PATCH] Use 429 for auth limit exceeded requests (#2591)
* fix login with email
Signed-off-by: Jeff
* use 429 for auth limit exceeded error
Signed-off-by: Jeff
---
 pkg/apiserver/filters/authentication.go | 8 ++++--
 pkg/kapis/oauth/handler.go | 33 +++++++++++--------------
 2 files changed, 20 insertions(+), 21 deletions(-)
diff --git a/pkg/apiserver/filters/authentication.go b/pkg/apiserver/filters/authentication.go
index 3955e3431..41934c5d9 100644
--- a/pkg/apiserver/filters/authentication.go
+++ b/pkg/apiserver/filters/authentication.go
@@ -58,7 +58,7 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, loginR
 if err != nil || !ok {
 if err != nil {
 klog.Errorf("Unable to authenticate the request due to error: %v", err)
- if usingBasicAuth { // log failed login attempts
+ if usingBasicAuth && err.Error() == im.AuthFailedIncorrectPassword.Error() { // log failed login attempts
 go func(user string) {
 if loginRecorder != nil && len(user) != 0 {
 err = loginRecorder.RecordLogin(user, iamv1alpha2.BasicAuth, "", err, req)
@@ -76,7 +76,11 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, loginR
 }
 gv := schema.GroupVersion{Group: requestInfo.APIGroup, Version: requestInfo.APIVersion}
- responsewriters.ErrorNegotiated(apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)), s, gv, w, req)
+ if err != nil && err.Error() == im.AuthRateLimitExceeded.Error() {
+ responsewriters.ErrorNegotiated(apierrors.NewTooManyRequests(fmt.Sprintf("Unauthorized: %s", err), 60), s, gv, w, req)
+ } else {
+ responsewriters.ErrorNegotiated(apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)), s, gv, w, req)
+ }
 return
 }
diff --git a/pkg/kapis/oauth/handler.go b/pkg/kapis/oauth/handler.go
index c33125304..5b4479a29 100644
--- a/pkg/kapis/oauth/handler.go
+++ b/pkg/kapis/oauth/handler.go
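Review bot: The new condition `err.Error() == im.AuthFailedIncorrectPassword.Error()` in the hunk at line 58 matches on message text, so failed-login recording silently stops if the authenticator ever wraps the sentinel or its wording changes; the same pattern guards the 429 branch at `im.AuthRateLimitExceeded` in the hunk at line 76, while handler.go in this commit compares the same sentinels by identity. Prefer `if usingBasicAuth && errors.Is(err, im.AuthFailedIncorrectPassword) {`, assuming whatever wraps the error here supports unwrapping and `errors` is imported (neither is visible in the hunk). The narrowing also means rate-limited and other failed attempts are no longer recorded; if that is intended, a comment such as `// only wrong-password failures are recorded; rate-limited attempts are not` would say so. The goroutine body continues outside the hunk.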
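Review bot: The added `err != nil && err.Error() == ...` check and both `fmt.Sprintf("Unauthorized: %s", err)` calls in the hunk at line 76 read `err` while the goroutine started in the hunk at line 58 may still be assigning to that same captured variable (`err = loginRecorder.RecordLogin(...)`), so the status and message sent to the client can depend on the recorder's result, presumably including a nil `err` after a successful record. Give the goroutine its own copy and result, e.g. `go func(user string, authErr error) {` with `if recErr := loginRecorder.RecordLogin(user, iamv1alpha2.BasicAuth, "", authErr, req); recErr != nil {`. The lines between the two hunks are not shown, so confirm nothing there synchronizes with the goroutine. Separately, the retry-after value `60` is a bare literal; a named constant tied to the limiter's window would keep the response accurate if the window changes.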
@@ -272,40 +272,35 @@ func (h *handler) Token(req *restful.Request, response *restful.Response) {
 func (h *handler) passwordGrant(username string, password string, req *restful.Request, response *restful.Response) {
 authenticated, err := h.authenticator.Authenticate(username, password)
 if err != nil {
- if err == im.AuthFailedIncorrectPassword {
+ klog.Error(err)
+ switch err {
+ case im.AuthFailedIncorrectPassword:
 if err := h.loginRecorder.RecordLogin(username, iamv1alpha2.Token, "", err, req.Request); err != nil {
 klog.Error(err)
- err = apierrors.NewInternalError(err)
- response.WriteError(http.StatusInternalServerError, err)
- return
+ response.WriteError(http.StatusInternalServerError, apierrors.NewInternalError(err))
 }
- }
- if err == im.AuthFailedIncorrectPassword ||
- err == im.AuthFailedIdentityMappingNotMatch ||
- err == im.AuthRateLimitExceeded {
- klog.V(4).Info(err)
- err = apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
- response.WriteError(http.StatusUnauthorized, err)
 return
+ case im.AuthFailedIdentityMappingNotMatch:
+ response.WriteError(http.StatusUnauthorized, apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)))
+ return
+ case im.AuthRateLimitExceeded:
+ response.WriteError(http.StatusTooManyRequests, apierrors.NewTooManyRequests(fmt.Sprintf("Unauthorized: %s", err), 60))
+ return
+ default:
+ response.WriteError(http.StatusInternalServerError, apierrors.NewInternalError(err))
 }
- klog.Error(err)
- err := apierrors.NewInternalError(err)
- response.WriteError(http.StatusInternalServerError, err)
- return
 }
 result, err := h.tokenOperator.IssueTo(authenticated)
 if err != nil {
 klog.Error(err)
- err := apierrors.NewInternalError(err)
- response.WriteError(http.StatusInternalServerError, err)
+ response.WriteError(http.StatusInternalServerError, apierrors.NewInternalError(err))
 return
 }
 if err = h.loginRecorder.RecordLogin(authenticated.GetName(), iamv1alpha2.Token, "", nil, req.Request); err != nil {
 klog.Error(err)
- err := apierrors.NewInternalError(err)
- response.WriteError(http.StatusInternalServerError, err)
+ response.WriteError(http.StatusInternalServerError, apierrors.NewInternalError(err))
 return
 }
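Review bot: The `default:` case writes a 500 but no longer returns, so after an unexpected authentication error execution leaves the `if err != nil` block and reaches `h.tokenOperator.IssueTo(authenticated)`; the removed lines ended that path with `return`. Add `return` after the `WriteError` in `default:`. The `case im.AuthFailedIncorrectPassword:` branch has the opposite gap: when `RecordLogin` succeeds it returns without writing any response, where the old code fell through to the 401, so add `return` inside the inner `if` and then `response.WriteError(http.StatusUnauthorized, apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)))` before the case's `return`. `klog.Error(err)` now also logs every wrong password and rate-limit hit at error level where the old code used `klog.V(4)`. passwordGrant continues past the end of the hunk.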