Temporary fix for user enumeration via password reset API

There is a noticable delay when providing a valid username to the password reset API. Ideally we want to fix this by handling request in an async fashion, but that will likely have to wait until we have moved to the planned worker/api model. This just makes the API always take at least 3 seconds. Change-Id: I82d46e9d64c65930dbe7d8821941ee9173431d56
2018-09-12 12:21:05 +12:00 · 2018-09-12 12:21:05 +12:00 · 3fe9d171cb
commit 3fe9d171cb
parent 8e2b734398
2 changed files with 23 additions and 0 deletions
--- a/adjutant/api/utils.py
+++ b/adjutant/api/utils.py
@ -12,6 +12,10 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+from datetime import datetime
+import time
+import sys
+
 from decorator import decorator

 from rest_framework.response import Response
@ -75,3 +79,21 @@ def authenticated(func, *args, **kwargs):
                        401)

    return func(*args, **kwargs)
+
+
+@decorator
+def minimal_duration(func, min_time=1, *args, **kwargs):
+    """
+    Make a function (or API call) take at least some time.
+    """
+    # doesn't apply during tests
+    if 'test' in sys.argv:
+        return func(*args, **kwargs)
+
+    start = datetime.utcnow()
+    return_val = func(*args, **kwargs)
+    end = datetime.utcnow()
+    duration = end - start
+    if duration.total_seconds() < min_time:
+        time.sleep(min_time - duration.total_seconds())
+    return return_val
--- a/adjutant/api/v1/tasks.py
+++ b/adjutant/api/v1/tasks.py
@ -395,6 +395,7 @@ class ResetPassword(TaskView):

    default_actions = ['ResetUserPasswordAction', ]

+    @utils.minimal_duration(min_time=3)
    def post(self, request, format=None):
        """
        Unauthenticated endpoint bound to the password reset action.