Implemented account lockout policy backend

[skateman]

So according to the parent issue I added a new column to the users table for counting failed login attempts. I introduced two new parametres under Settings.authentication for setting the maximum number of failed login attempts before a lockout and the timeout after the account gets unlocked by a background job.

I did some changes in the Authenticator::Base class for having a way to retrieve the actual reason of a login failure. If there's no failure provider, it would fall back to the original Authentication failed message. This message is further consumed by the UI and also to the API.

I have this feeling that @abellotti might not like the idea of returning with two things from the _authenticate method instead of one, but I tried to limit the scope of my changes to just the DB authentication as we discussed. If you have a better idea of how do to it, I am willing to change my second commit.

@miq-bot add_reviewer @abellotti
@miq-bot add_reviewer @Fryguy
@miq-bot add_reviewer @jvlcek
@miq-bot add_label enhancement, question

[Fryguy]

This is coming along really nice. Thanks @skateman !

[jvlcek]

In general I am in favor of this PR as long as there is an easy mechanism in place to re-enable any locked out users. When a system admin is setting up a new appliance I want to make sure they can quickly troubleshoot any issues.
It might be best to have this feature disabled by default and require the admin user enable it once the system is configured properly.

[Fryguy]

If a user succeeds, we should set the failed back to 0. Otherwise, they can get 2 fails, succeed, then log out, fail once, and it will say "too many failed attempts", which is weird.

[Fryguy]

Can we also get some specs?

[skateman]

This also works out-of-the box with the API:

{
  "error": {
    "kind": "unauthorized",
    "message": "Your account has been locked due to too many failed login attempts, please contact the administrator.",
    "klass": "Api::BaseController::Authentication::AuthenticationError"
  }
}

[skateman]

@Fryguy created cross repo tests ManageIQ/manageiq-cross_repo-tests#117 they're green

[Fryguy]

Couple of minor things, but this is just about good to go.

[kbrock]

Can the admin user get locked? what do you do in that case?

[skateman]

@kbrock this has been discussed at the issue, the locking is just temporary and it can be unlocked from the rails console

[miq-bot]

Checked commits skateman/manageiq@303c3c6~...beac7c9 with ruby 2.5.7, rubocop 0.69.0, haml-lint 0.28.0, and yamllint
5 files checked, 1 offense detected

spec/models/authenticator/database_spec.rb

• ❗ - Line 92, Col 9 - Style/RescueModifier - Avoid using rescue in its modifier form.

[simaishi]

Jansa backport details:

$ git log -1
commit b74002bab48a9f9d9a2d9850eb8c9e26e90d606d
Author: Jason Frey <[email protected]>
Date:   Mon May 4 16:11:13 2020 -0400

    Merge pull request #20087 from skateman/locked-account

    Implemented account lockout policy backend

    (cherry picked from commit 927b99f526e130cd4e1fdbf07ad66156111c05d8)