Implement Client Lockout

Author: romanett

Libraries/Opc.Ua.Server/Session/SessionManager.cs

@@ -28,6 +28,7 @@
  * ======================================================================*/
 
 using System;
+using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Globalization;
 using System.Security.Cryptography.X509Certificates;
@@ -295,6 +296,7 @@ public virtual async ValueTask<CreateSessionResult> CreateSessionAsync(
             ISession session = null;
             IUserIdentityTokenHandler newIdentity = null;
             UserTokenPolicy userTokenPolicy = null;
+            string clientKey = null;
 
             // fast path no lock
             if (!m_sessions.TryGetValue(authenticationToken, out _))
@@ -311,6 +313,22 @@ public virtual async ValueTask<CreateSessionResult> CreateSessionAsync(
                     throw new ServiceResultException(StatusCodes.BadSessionIdInvalid);
                 }
 
+                // get client lockout key.
+                clientKey = GetClientLockoutKey(session);
+
+                // check if client is locked out due to too many failed authentication attempts.
+                if (IsClientLockedOut(clientKey, out long remainingLockoutTicks))
+                {
+                    long remainingSeconds = remainingLockoutTicks / HiResClock.Frequency;
+                    m_logger.LogWarning(
+                        "Client {ClientKey} is locked out. Remaining lockout time: {RemainingSeconds} seconds.",
+                        clientKey,
+                        remainingSeconds);
+                    throw new ServiceResultException(
+                        StatusCodes.BadUserAccessDenied,
+                        $"Too many failed authentication attempts. Try again in {remainingSeconds} seconds.");
+                }
+
                 // check if session timeout has expired.
                 if (session.HasExpired)
                 {
@@ -337,6 +355,11 @@ public virtual async ValueTask<CreateSessionResult> CreateSessionAsync(
 
                 serverNonce = serverNonceObject.Data;
             }
+            catch (ServiceResultException)
+            {
+                RecordFailedAuthentication(clientKey);
+                throw;
+            }
             finally
             {
                 m_semaphoreSlim.Release();
@@ -378,21 +401,31 @@ public virtual async ValueTask<CreateSessionResult> CreateSessionAsync(
                 // use the identity as the effectiveIdentity if not provided.
                 effectiveIdentity ??= identity;
             }
-            catch (Exception e) when (e is not ServiceResultException)
+            catch (Exception e)
             {
-                throw ServiceResultException.Create(
+                RecordFailedAuthentication(clientKey);
+
+                if (e is not ServiceResultException)
+                {
+                    throw ServiceResultException.Create(
                     StatusCodes.BadIdentityTokenInvalid,
                     e,
                     "Could not validate user identity token: {0}",
                     newIdentity);
+                }
+                throw;
             }
 
             // check for validation error.
             if (ServiceResult.IsBad(error))
             {
+                RecordFailedAuthentication(clientKey);
                 throw new ServiceResultException(error);
             }
 
+            // clear failed authentication attempts on successful activation.
+            ClearFailedAuthentication(clientKey);
+
             // activate session.
 
             bool contextChanged = session.Activate(
@@ -694,6 +727,11 @@ await m_server.CloseSessionAsync(null, session.Id, false)
         private readonly int m_maxBrowseContinuationPoints;
         private readonly int m_maxHistoryContinuationPoints;
 
+        private readonly ConcurrentDictionary<string, ClientLockoutInfo> m_clientLockouts = new();
+        private const int MaxFailedAuthenticationAttempts = 5;
+        private static readonly long LockoutDurationTicks = (long)(HiResClock.Frequency * 5 * 60);
+        private static readonly long FailureExpirationTicks = (long)(HiResClock.Frequency * 30 * 60);
+
         private readonly Lock m_eventLock = new();
         private event SessionEventHandler m_SessionCreated;
         private event SessionEventHandler m_SessionActivated;
@@ -852,5 +890,144 @@ public ISession GetSession(NodeId authenticationToken)
             }
             return null;
         }
+
+        /// <summary>
+        /// Gets the lockout key for a client based on certificate thumbprint or application URI.
+        /// </summary>
+        private static string GetClientLockoutKey(ISession session)
+        {
+            if (session?.ClientCertificate != null)
+            {
+                return session.ClientCertificate.Thumbprint;
+            }
+
+            string applicationUri = session?.SessionDiagnostics?.ClientDescription?.ApplicationUri;
+            if (!string.IsNullOrEmpty(applicationUri))
+            {
+                return applicationUri;
+            }
+
+            return session?.SecureChannelId ?? string.Empty;
+        }
+
+        /// <summary>
+        /// Checks if a client is currently locked out due to too many failed authentication attempts.
+        /// </summary>
+        private bool IsClientLockedOut(string clientKey, out long remainingLockoutTicks)
+        {
+            remainingLockoutTicks = 0;
+
+            if (string.IsNullOrEmpty(clientKey))
+            {
+                return false;
+            }
+
+            if (m_clientLockouts.TryGetValue(clientKey, out ClientLockoutInfo lockoutInfo))
+            {
+                long currentTicks = HiResClock.Ticks;
+                if (lockoutInfo.IsLockedOut(currentTicks))
+                {
+                    remainingLockoutTicks = lockoutInfo.LockoutEndTicks - currentTicks;
+                    return true;
+                }
+
+                if (lockoutInfo.IsExpired(currentTicks, FailureExpirationTicks))
+                {
+                    m_clientLockouts.TryRemove(clientKey, out _);
+                }
+            }
+
+            return false;
+        }
+
+        /// <summary>
+        /// Records a failed authentication attempt for a client.
+        /// </summary>
+        private void RecordFailedAuthentication(string clientKey)
+        {
+            if (string.IsNullOrEmpty(clientKey))
+            {
+                return;
+            }
+
+            long currentTicks = HiResClock.Ticks;
+            ClientLockoutInfo lockoutInfo = m_clientLockouts.AddOrUpdate(
+                clientKey,
+                _ => new ClientLockoutInfo(1, currentTicks, LockoutDurationTicks, MaxFailedAuthenticationAttempts),
+                (_, existing) => existing.IncrementFailures(
+                    currentTicks, LockoutDurationTicks, FailureExpirationTicks, MaxFailedAuthenticationAttempts));
+
+            if (lockoutInfo.IsLockedOut(currentTicks))
+            {
+                long remainingSeconds = (lockoutInfo.LockoutEndTicks - currentTicks) / HiResClock.Frequency;
+                m_logger.LogWarning(
+                    "Client {ClientKey} has been locked out after {FailedAttempts} failed authentication attempts. Lockout expires in {RemainingSeconds} seconds.",
+                    clientKey,
+                    lockoutInfo.FailedAttempts,
+                    remainingSeconds);
+            }
+        }
+
+        /// <summary>
+        /// Clears the failed authentication attempts for a client after successful authentication.
+        /// </summary>
+        private void ClearFailedAuthentication(string clientKey)
+        {
+            if (!string.IsNullOrEmpty(clientKey))
+            {
+                m_clientLockouts.TryRemove(clientKey, out _);
+            }
+        }
+
+        /// <summary>
+        /// Tracks failed authentication attempts and lockout state for a client.
+        /// </summary>
+        private sealed class ClientLockoutInfo
+        {
+            public ClientLockoutInfo(
+                int failedAttempts,
+                long lastFailureTicks,
+                long lockoutDurationTicks,
+                int maxAttempts)
+            {
+                FailedAttempts = failedAttempts;
+                LastFailureTicks = lastFailureTicks;
+                LockoutEndTicks = failedAttempts >= maxAttempts
+                    ? lastFailureTicks + lockoutDurationTicks
+                    : 0;
+            }
+
+            public int FailedAttempts { get; }
+            public long LastFailureTicks { get; }
+            public long LockoutEndTicks { get; }
+
+            public bool IsLockedOut(long currentTicks) => LockoutEndTicks > currentTicks;
+
+            public bool IsExpired(long currentTicks, long expirationTicks)
+                => !IsLockedOut(currentTicks) && (currentTicks - LastFailureTicks) > expirationTicks;
+
+            public ClientLockoutInfo IncrementFailures(
+                long currentTicks,
+                long lockoutDurationTicks,
+                long expirationTicks,
+                int maxAttempts)
+            {
+                if (IsLockedOut(currentTicks))
+                {
+                    return this;
+                }
+
+                if (IsExpired(currentTicks, expirationTicks))
+                {
+                    return new ClientLockoutInfo(1, currentTicks, lockoutDurationTicks, maxAttempts);
+                }
+
+                return new ClientLockoutInfo(
+                    FailedAttempts + 1,
+                    currentTicks,
+                    lockoutDurationTicks,
+                    maxAttempts);
+            }
+        }
     }
 }