User: Add login_max_attempt_before_blocking_account configuration setting - refs BT#20083

Block a user account if there are multiple failed login attempts. It requires DB changes:

```sql
CREATE TABLE track_e_login_attempt
(
    login_id   INT AUTO_INCREMENT NOT NULL,
    username   VARCHAR(100)       NOT NULL,
    login_date DATETIME           NOT NULL,
    user_ip    VARCHAR(39)        NOT NULL,
    success    TINYINT(1)         NOT NULL,
    INDEX idx_track_e_login_attempt_username_success (username, success),
    PRIMARY KEY (login_id)
) DEFAULT CHARACTER SET utf8
  COLLATE utf8_unicode_ci
  ENGINE = InnoDB;
```

Then add the "@" symbol to TrackELoginAttempt` class in the `ORM\Entity()` line.

Author: AngelFQC

main/inc/lib/events.lib.php

@@ -3,6 +3,7 @@
 /* See license terms in /license.txt */
 
 use Chamilo\CoreBundle\Component\Utils\ChamiloApi;
+use Chamilo\CoreBundle\Entity\TrackELoginAttempt;
 use ChamiloSession as Session;
 
 /**
@@ -52,6 +53,28 @@ public static function open()
         return 1;
     }
 
+    /**
+     * @throws Exception
+     */
+    public static function eventLoginAttempt(string $username, bool $success = false)
+    {
+        if ((int) api_get_configuration_value('login_max_attempt_before_blocking_account') <= 0) {
+            return;
+        }
+
+        $attempt = new TrackELoginAttempt();
+        $attempt
+            ->setUsername($username)
+            ->setLoginDate(api_get_utc_datetime(null, false, true))
+            ->setUserIp(api_get_real_ip())
+            ->setSuccess($success)
+        ;
+
+        $em = Database::getManager();
+        $em->persist($attempt);
+        $em->flush();
+    }
+
     /**
      * @author Sebastien Piraux <[email protected]> old code
      * @author Julio Montoya

main/inc/lib/usermanager.lib.php

@@ -7,6 +7,7 @@
 use Chamilo\CoreBundle\Entity\Session as SessionEntity;
 use Chamilo\CoreBundle\Entity\SkillRelUser;
 use Chamilo\CoreBundle\Entity\SkillRelUserComment;
+use Chamilo\CoreBundle\Entity\TrackELoginAttempt;
 use Chamilo\UserBundle\Entity\User;
 use Chamilo\UserBundle\Repository\UserRepository;
 use ChamiloSession as Session;
@@ -6809,6 +6810,59 @@ public static function logInAsFirstAdmin()
         return [];
     }
 
+    public static function blockIfMaxLoginAttempts(array $userInfo)
+    {
+        if (false === (bool) $userInfo['active'] || null === $userInfo['last_login']) {
+            return;
+        }
+
+        $maxAllowed = (int) api_get_configuration_value('login_max_attempt_before_blocking_account');
+
+        if ($maxAllowed <= 0) {
+            return;
+        }
+
+        $em = Database::getManager();
+
+        $countFailedAttempts = $em
+            ->getRepository(TrackELoginAttempt::class)
+            ->createQueryBuilder('la')
+            ->select('COUNT(la)')
+            ->where('la.username = :username')
+            ->andWhere('la.loginDate >= :last_login')
+            ->andWhere('la.success <> TRUE')
+            ->setParameters(
+                [
+                    'username' => $userInfo['username'],
+                    'last_login' => $userInfo['last_login'],
+                ]
+            )
+            ->getQuery()
+            ->getSingleScalarResult()
+        ;
+
+        if ($countFailedAttempts >= $maxAllowed) {
+            Database::update(
+                Database::get_main_table(TABLE_MAIN_USER),
+                ['active' => false],
+                ['username = ?' => $userInfo['username']]
+            );
+            //XAccountDisabledByYAttempts
+
+            Display::addFlash(
+                Display::return_message(
+                    sprintf(
+                        get_lang('The account for username <i>%s</i> was disabled after %d failed login attempts.'),
+                        $userInfo['username'],
+                        $countFailedAttempts
+                    ),
+                    'error',
+                    false
+                )
+            );
+        }
+    }
+
     /**
      * Check if user is teacher of a student based in their courses.
      *

main/inc/local.inc.php

@@ -449,7 +449,7 @@
 
         // Lookup the user in the main database
         $user_table = Database::get_main_table(TABLE_MAIN_USER);
-        $sql = "SELECT user_id, username, password, auth_source, active, expiration_date, status, salt
+        $sql = "SELECT user_id, username, password, auth_source, active, expiration_date, status, salt, last_login
                 FROM $user_table
                 WHERE username = '".Database::escape_string($login)."'";
         $result = Database::query($sql);
@@ -608,13 +608,15 @@
                                         $_user['user_id'] = $uData['user_id'];
                                         $_user['status'] = $uData['status'];
                                         Session::write('_user', $_user);
+                                        Event::eventLoginAttempt($uData['username'], true);
                                         Event::eventLogin($_user['user_id']);
                                         $logging_in = true;
                                     } else {
                                         $loginFailed = true;
                                         Session::erase('_uid');
                                         Session::write('loginFailed', '1');
-
+                                        Event::eventLoginAttempt($uData['username']);
+                                        UserManager::blockIfMaxLoginAttempts($uData);
                                         // Fix cas redirection loop
                                         // https://support.chamilo.org/issues/6124
                                         $location = api_get_path(WEB_PATH)
@@ -631,6 +633,7 @@
                                         $_user['status'] = $uData['status'];
                                         Session::write('_user', $_user);
                                         Event::eventLogin($_user['user_id']);
+                                        Event::eventLoginAttempt($uData['username'], true);
                                         $logging_in = true;
                                     } else {
                                         //This means a secondary admin wants to login so we check as he's a normal user
@@ -640,11 +643,14 @@
                                             $_user['status'] = $uData['status'];
                                             Session::write('_user', $_user);
                                             Event::eventLogin($_user['user_id']);
+                                            Event::eventLoginAttempt($uData['username'], true);
                                             $logging_in = true;
                                         } else {
                                             $loginFailed = true;
                                             Session::erase('_uid');
                                             Session::write('loginFailed', '1');
+                                            Event::eventLoginAttempt($uData['username']);
+                                            UserManager::blockIfMaxLoginAttempts($uData);
                                             header(
                                                 'Location: '.api_get_path(WEB_PATH)
                                                 .'index.php?loginFailed=1&error=access_url_inactive'
@@ -661,6 +667,7 @@
 
                                 Session::write('_user', $_user);
                                 Event::eventLogin($uData['user_id']);
+                                Event::eventLoginAttempt($uData['username'], true);
                                 $logging_in = true;
                             }
                         } else {
@@ -688,6 +695,8 @@
                     $loginFailed = true;
                     Session::erase('_uid');
                     Session::write('loginFailed', '1');
+                    Event::eventLoginAttempt($uData['username']);
+                    UserManager::blockIfMaxLoginAttempts($uData);
 
                     if ($allowCaptcha) {
                         if (isset($_SESSION['loginFailedCount'])) {
@@ -768,6 +777,9 @@
                 );
             }
         } else {
+            Event::eventLoginAttempt($login);
+            UserManager::blockIfMaxLoginAttempts(['username' => $login, 'last_login' => null]);
+
             $extraFieldValue = new ExtraFieldValue('user');
             $uData = $extraFieldValue->get_item_id_from_field_variable_and_field_value(
                 'organisationemail',

main/install/configuration.dist.php

@@ -2091,6 +2091,24 @@
 // Enable admin-only APIs: get_users_api_keys, get_user_api_key
 //$_configuration['webservice_enable_adminonly_api'] = false;
 
+// Block a user account if there are multiple failed login attempts. It requires DB changes:
+/*
+CREATE TABLE track_e_login_attempt
+(
+    login_id   INT AUTO_INCREMENT NOT NULL,
+    username   VARCHAR(100)       NOT NULL,
+    login_date DATETIME           NOT NULL,
+    user_ip    VARCHAR(39)        NOT NULL,
+    success    TINYINT(1)         NOT NULL,
+    INDEX idx_track_e_login_attempt_username_success (username, success),
+    PRIMARY KEY (login_id)
+) DEFAULT CHARACTER SET utf8
+  COLLATE utf8_unicode_ci
+  ENGINE = InnoDB;
+*/
+// Then add the "@" symbol to TrackELoginAttempt class in the ORM\Entity() line.
+//$_configuration['login_max_attempt_before_blocking_account'] = 0;
+
 // Ask user to renew password at first login.
 // Requires a user checkbox extra field called "ask_new_password".
 //$_configuration['force_renew_password_at_first_login'] = true;

src/Chamilo/CoreBundle/Entity/TrackELoginAttempt.php

@@ -0,0 +1,115 @@
+<?php
+
+/* For licensing terms, see /license.txt */
+
+namespace Chamilo\CoreBundle\Entity;
+
+use Doctrine\ORM\Mapping as ORM;
+
+/**
+ * @ORM\Table(
+ *     name="track_e_login_attempt",
+ *     indexes={
+ *         @ORM\Index(name="idx_track_e_login_attempt_username_success", columns={"username", "success"})
+ *     }
+ * )
+ * Add @ to the next line if api_get_configuration_value('login_max_attempt_before_blocking_account') is enabled.
+ * ORM\Entity
+ */
+class TrackELoginAttempt
+{
+    /**
+     * @var int
+     *
+     * @ORM\Column(name="login_id", type="integer")
+     * @ORM\Id
+     * @ORM\GeneratedValue(strategy="IDENTITY")
+     */
+    protected $id;
+
+    /**
+     * @var string
+     *
+     * @ORM\Column(name="username", type="string", length=100)
+     */
+    protected $username;
+
+    /**
+     * @var \DateTime
+     *
+     * @ORM\Column(name="login_date", type="datetime")
+     */
+    protected $loginDate;
+
+    /**
+     * @var string
+     *
+     * @ORM\Column(name="user_ip", type="string", length=39)
+     */
+    protected $userIp;
+
+    /**
+     * @var bool
+     *
+     * @ORM\Column(name="success", type="boolean")
+     */
+    protected $success;
+
+    public function __construct()
+    {
+        $this->success = false;
+    }
+
+    public function getId(): int
+    {
+        return $this->id;
+    }
+
+    public function getUsername(): string
+    {
+        return $this->username;
+    }
+
+    public function setUsername(string $username): TrackELoginAttempt
+    {
+        $this->username = $username;
+
+        return $this;
+    }
+
+    public function getLoginDate(): \DateTime
+    {
+        return $this->loginDate;
+    }
+
+    public function setLoginDate(\DateTime $loginDate): TrackELoginAttempt
+    {
+        $this->loginDate = $loginDate;
+
+        return $this;
+    }
+
+    public function getUserIp(): string
+    {
+        return $this->userIp;
+    }
+
+    public function setUserIp(string $userIp): TrackELoginAttempt
+    {
+        $this->userIp = $userIp;
+
+        return $this;
+    }
+
+    public function isSuccess(): bool
+    {
+        return $this->success;
+    }
+
+    public function setSuccess(bool $success): TrackELoginAttempt
+    {
+        $this->success = $success;
+
+        return $this;
+    }
+}