Add support for ratelimiting via annotations
This allows adding rate limiting via annotations to controllers, as one example: ``` @UserRateThrottle(limit=5, period=100) @AnonRateThrottle(limit=1, period=100) ``` Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
This commit is contained in:
parent
5505faa3d7
commit
66835476b5
12
.drone.yml
12
.drone.yml
|
@ -277,6 +277,17 @@ pipeline:
|
||||||
when:
|
when:
|
||||||
matrix:
|
matrix:
|
||||||
TESTS: integration-maintenance-mode
|
TESTS: integration-maintenance-mode
|
||||||
|
integration-ratelimiting:
|
||||||
|
image: nextcloudci/integration-php7.0:integration-php7.0-3
|
||||||
|
commands:
|
||||||
|
- ./occ maintenance:install --admin-pass=admin
|
||||||
|
- ./occ config:system:set --type string --value "\\OC\\Memcache\\Redis" memcache.local
|
||||||
|
- ./occ config:system:set --type string --value "\\OC\\Memcache\\Redis" memcache.distributed
|
||||||
|
- cd build/integration
|
||||||
|
- ./run.sh features/ratelimiting.feature
|
||||||
|
when:
|
||||||
|
matrix:
|
||||||
|
TESTS: integration-ratelimiting
|
||||||
integration-carddav:
|
integration-carddav:
|
||||||
image: nextcloudci/integration-php7.0:integration-php7.0-3
|
image: nextcloudci/integration-php7.0:integration-php7.0-3
|
||||||
commands:
|
commands:
|
||||||
|
@ -516,6 +527,7 @@ matrix:
|
||||||
- TESTS: integration-capabilities_features
|
- TESTS: integration-capabilities_features
|
||||||
- TESTS: integration-federation_features
|
- TESTS: integration-federation_features
|
||||||
- TESTS: integration-maintenance-mode
|
- TESTS: integration-maintenance-mode
|
||||||
|
- TESTS: integration-ratelimiting
|
||||||
- TESTS: integration-auth
|
- TESTS: integration-auth
|
||||||
- TESTS: integration-carddav
|
- TESTS: integration-carddav
|
||||||
- TESTS: integration-dav-v2
|
- TESTS: integration-dav-v2
|
||||||
|
|
|
@ -120,7 +120,7 @@ class MountPublicLinkController extends Controller {
|
||||||
*
|
*
|
||||||
* @NoCSRFRequired
|
* @NoCSRFRequired
|
||||||
* @PublicPage
|
* @PublicPage
|
||||||
* @BruteForceProtection publicLink2FederatedShare
|
* @BruteForceProtection(action=publicLink2FederatedShare)
|
||||||
*
|
*
|
||||||
* @param string $shareWith
|
* @param string $shareWith
|
||||||
* @param string $token
|
* @param string $token
|
||||||
|
|
|
@ -160,7 +160,7 @@ class ShareController extends Controller {
|
||||||
/**
|
/**
|
||||||
* @PublicPage
|
* @PublicPage
|
||||||
* @UseSession
|
* @UseSession
|
||||||
* @BruteForceProtection publicLinkAuth
|
* @BruteForceProtection(action=publicLinkAuth)
|
||||||
*
|
*
|
||||||
* Authenticates against password-protected shares
|
* Authenticates against password-protected shares
|
||||||
* @param string $token
|
* @param string $token
|
||||||
|
|
|
@ -25,12 +25,32 @@ namespace OCA\Testing\AppInfo;
|
||||||
use OCA\Testing\Config;
|
use OCA\Testing\Config;
|
||||||
use OCA\Testing\Locking\Provisioning;
|
use OCA\Testing\Locking\Provisioning;
|
||||||
use OCP\API;
|
use OCP\API;
|
||||||
|
use OCP\AppFramework\App;
|
||||||
|
|
||||||
$config = new Config(
|
$config = new Config(
|
||||||
\OC::$server->getConfig(),
|
\OC::$server->getConfig(),
|
||||||
\OC::$server->getRequest()
|
\OC::$server->getRequest()
|
||||||
);
|
);
|
||||||
|
|
||||||
|
$app = new App('testing');
|
||||||
|
$app->registerRoutes(
|
||||||
|
$this,
|
||||||
|
[
|
||||||
|
'routes' => [
|
||||||
|
[
|
||||||
|
'name' => 'RateLimitTest#userAndAnonProtected',
|
||||||
|
'url' => '/userAndAnonProtected',
|
||||||
|
'verb' => 'GET',
|
||||||
|
],
|
||||||
|
[
|
||||||
|
'name' => 'RateLimitTest#onlyAnonProtected',
|
||||||
|
'url' => '/anonProtected',
|
||||||
|
'verb' => 'GET',
|
||||||
|
],
|
||||||
|
]
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
API::register(
|
API::register(
|
||||||
'post',
|
'post',
|
||||||
'/apps/testing/api/v1/app/{appid}/{configkey}',
|
'/apps/testing/api/v1/app/{appid}/{configkey}',
|
||||||
|
|
|
@ -0,0 +1,52 @@
|
||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||||
|
*
|
||||||
|
* @license GNU AGPL version 3 or any later version
|
||||||
|
*
|
||||||
|
* This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License as
|
||||||
|
* published by the Free Software Foundation, either version 3 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Affero General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace OCA\Testing\Controller;
|
||||||
|
|
||||||
|
use OCP\AppFramework\Controller;
|
||||||
|
use OCP\AppFramework\Http\JSONResponse;
|
||||||
|
|
||||||
|
class RateLimitTestController extends Controller {
|
||||||
|
/**
|
||||||
|
* @PublicPage
|
||||||
|
* @NoCSRFRequired
|
||||||
|
*
|
||||||
|
* @UserRateThrottle(limit=5, period=100)
|
||||||
|
* @AnonRateThrottle(limit=1, period=100)
|
||||||
|
*
|
||||||
|
* @return JSONResponse
|
||||||
|
*/
|
||||||
|
public function userAndAnonProtected() {
|
||||||
|
return new JSONResponse();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @PublicPage
|
||||||
|
* @NoCSRFRequired
|
||||||
|
*
|
||||||
|
* @AnonRateThrottle(limit=1, period=10)
|
||||||
|
*
|
||||||
|
* @return JSONResponse
|
||||||
|
*/
|
||||||
|
public function onlyAnonProtected() {
|
||||||
|
return new JSONResponse();
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,58 @@
|
||||||
|
Feature: ratelimiting
|
||||||
|
|
||||||
|
Background:
|
||||||
|
Given user "user0" exists
|
||||||
|
Given As an "admin"
|
||||||
|
Given app "testing" is enabled
|
||||||
|
|
||||||
|
Scenario: Accessing a page with only an AnonRateThrottle as user
|
||||||
|
Given user "user0" exists
|
||||||
|
# First request should work
|
||||||
|
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
|
||||||
|
Then the HTTP status code should be "200"
|
||||||
|
# Second one should fail
|
||||||
|
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
|
||||||
|
Then the HTTP status code should be "429"
|
||||||
|
# After 11 seconds the next request should work
|
||||||
|
And Sleep for "11" seconds
|
||||||
|
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
|
||||||
|
Then the HTTP status code should be "200"
|
||||||
|
|
||||||
|
Scenario: Accessing a page with only an AnonRateThrottle as guest
|
||||||
|
Given Sleep for "11" seconds
|
||||||
|
# First request should work
|
||||||
|
When requesting "/index.php/apps/testing/anonProtected" with "GET"
|
||||||
|
Then the HTTP status code should be "200"
|
||||||
|
# Second one should fail
|
||||||
|
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
|
||||||
|
Then the HTTP status code should be "429"
|
||||||
|
# After 11 seconds the next request should work
|
||||||
|
And Sleep for "11" seconds
|
||||||
|
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
|
||||||
|
Then the HTTP status code should be "200"
|
||||||
|
|
||||||
|
Scenario: Accessing a page with UserRateThrottle and AnonRateThrottle
|
||||||
|
# First request should work as guest
|
||||||
|
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
|
||||||
|
Then the HTTP status code should be "200"
|
||||||
|
# Second request should fail as guest
|
||||||
|
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
|
||||||
|
Then the HTTP status code should be "429"
|
||||||
|
# First request should work as user
|
||||||
|
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
|
||||||
|
Then the HTTP status code should be "200"
|
||||||
|
# Second request should work as user
|
||||||
|
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
|
||||||
|
Then the HTTP status code should be "200"
|
||||||
|
# Third request should work as user
|
||||||
|
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
|
||||||
|
Then the HTTP status code should be "200"
|
||||||
|
# Fourth request should work as user
|
||||||
|
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
|
||||||
|
Then the HTTP status code should be "200"
|
||||||
|
# Fifth request should work as user
|
||||||
|
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
|
||||||
|
Then the HTTP status code should be "200"
|
||||||
|
# Sixth request should fail as user
|
||||||
|
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
|
||||||
|
Then the HTTP status code should be "429"
|
|
@ -204,7 +204,7 @@ class LostController extends Controller {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @PublicPage
|
* @PublicPage
|
||||||
* @BruteForceProtection passwordResetEmail
|
* @BruteForceProtection(action=passwordResetEmail)
|
||||||
*
|
*
|
||||||
* @param string $user
|
* @param string $user
|
||||||
* @return array
|
* @return array
|
||||||
|
|
|
@ -53,11 +53,13 @@ use OCP\AppFramework\QueryException;
|
||||||
use OCP\Files\Folder;
|
use OCP\Files\Folder;
|
||||||
use OCP\Files\IAppData;
|
use OCP\Files\IAppData;
|
||||||
use OCP\IL10N;
|
use OCP\IL10N;
|
||||||
|
use OCP\IMemcache;
|
||||||
use OCP\IRequest;
|
use OCP\IRequest;
|
||||||
use OCP\IServerContainer;
|
use OCP\IServerContainer;
|
||||||
use OCP\IUserSession;
|
use OCP\IUserSession;
|
||||||
use OCP\RichObjectStrings\IValidator;
|
use OCP\RichObjectStrings\IValidator;
|
||||||
use OCP\Util;
|
use OCP\Util;
|
||||||
|
use SearchDAV\XML\Limit;
|
||||||
|
|
||||||
class DIContainer extends SimpleContainer implements IAppContainer {
|
class DIContainer extends SimpleContainer implements IAppContainer {
|
||||||
|
|
||||||
|
@ -162,6 +164,22 @@ class DIContainer extends SimpleContainer implements IAppContainer {
|
||||||
return $c->query(Validator::class);
|
return $c->query(Validator::class);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
$this->registerService(OC\Security\RateLimiting\Limiter::class, function($c) {
|
||||||
|
return new OC\Security\RateLimiting\Limiter(
|
||||||
|
$this->getServer()->getUserSession(),
|
||||||
|
$this->getServer()->getRequest(),
|
||||||
|
new OC\AppFramework\Utility\TimeFactory(),
|
||||||
|
$c->query(OC\Security\RateLimiting\Backend\IBackend::class)
|
||||||
|
);
|
||||||
|
});
|
||||||
|
|
||||||
|
$this->registerService(OC\Security\RateLimiting\Backend\IBackend::class, function($c) {
|
||||||
|
return new OC\Security\RateLimiting\Backend\MemoryCache(
|
||||||
|
$this->getServer()->getMemCacheFactory(),
|
||||||
|
new OC\AppFramework\Utility\TimeFactory()
|
||||||
|
);
|
||||||
|
});
|
||||||
|
|
||||||
$this->registerService(\OC\Security\IdentityProof\Manager::class, function ($c) {
|
$this->registerService(\OC\Security\IdentityProof\Manager::class, function ($c) {
|
||||||
return new \OC\Security\IdentityProof\Manager(
|
return new \OC\Security\IdentityProof\Manager(
|
||||||
$this->getServer()->getAppDataDir('identityproof'),
|
$this->getServer()->getAppDataDir('identityproof'),
|
||||||
|
@ -169,7 +187,6 @@ class DIContainer extends SimpleContainer implements IAppContainer {
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* App Framework APIs
|
* App Framework APIs
|
||||||
*/
|
*/
|
||||||
|
@ -220,12 +237,13 @@ class DIContainer extends SimpleContainer implements IAppContainer {
|
||||||
$server->getLogger(),
|
$server->getLogger(),
|
||||||
$server->getSession(),
|
$server->getSession(),
|
||||||
$c['AppName'],
|
$c['AppName'],
|
||||||
$app->isLoggedIn(),
|
$server->getUserSession(),
|
||||||
$app->isAdminUser(),
|
$app->isAdminUser(),
|
||||||
$server->getContentSecurityPolicyManager(),
|
$server->getContentSecurityPolicyManager(),
|
||||||
$server->getCsrfTokenManager(),
|
$server->getCsrfTokenManager(),
|
||||||
$server->getContentSecurityPolicyNonceManager(),
|
$server->getContentSecurityPolicyNonceManager(),
|
||||||
$server->getBruteForceThrottler()
|
$server->getBruteForceThrottler(),
|
||||||
|
$c->query(OC\Security\RateLimiting\Limiter::class)
|
||||||
);
|
);
|
||||||
|
|
||||||
});
|
});
|
||||||
|
|
|
@ -26,7 +26,6 @@
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|
||||||
namespace OC\AppFramework\Middleware\Security;
|
namespace OC\AppFramework\Middleware\Security;
|
||||||
|
|
||||||
use OC\AppFramework\Middleware\Security\Exceptions\AppNotEnabledException;
|
use OC\AppFramework\Middleware\Security\Exceptions\AppNotEnabledException;
|
||||||
|
@ -40,6 +39,7 @@ use OC\Security\Bruteforce\Throttler;
|
||||||
use OC\Security\CSP\ContentSecurityPolicyManager;
|
use OC\Security\CSP\ContentSecurityPolicyManager;
|
||||||
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
|
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
|
||||||
use OC\Security\CSRF\CsrfTokenManager;
|
use OC\Security\CSRF\CsrfTokenManager;
|
||||||
|
use OC\Security\RateLimiting\Limiter;
|
||||||
use OCP\AppFramework\Http\ContentSecurityPolicy;
|
use OCP\AppFramework\Http\ContentSecurityPolicy;
|
||||||
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
|
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
|
||||||
use OCP\AppFramework\Http\RedirectResponse;
|
use OCP\AppFramework\Http\RedirectResponse;
|
||||||
|
@ -54,6 +54,7 @@ use OCP\IURLGenerator;
|
||||||
use OCP\IRequest;
|
use OCP\IRequest;
|
||||||
use OCP\ILogger;
|
use OCP\ILogger;
|
||||||
use OCP\AppFramework\Controller;
|
use OCP\AppFramework\Controller;
|
||||||
|
use OCP\IUserSession;
|
||||||
use OCP\Util;
|
use OCP\Util;
|
||||||
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
|
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
|
||||||
|
|
||||||
|
@ -78,8 +79,8 @@ class SecurityMiddleware extends Middleware {
|
||||||
private $logger;
|
private $logger;
|
||||||
/** @var ISession */
|
/** @var ISession */
|
||||||
private $session;
|
private $session;
|
||||||
/** @var bool */
|
/** @var IUserSession */
|
||||||
private $isLoggedIn;
|
private $userSession;
|
||||||
/** @var bool */
|
/** @var bool */
|
||||||
private $isAdminUser;
|
private $isAdminUser;
|
||||||
/** @var ContentSecurityPolicyManager */
|
/** @var ContentSecurityPolicyManager */
|
||||||
|
@ -90,6 +91,8 @@ class SecurityMiddleware extends Middleware {
|
||||||
private $cspNonceManager;
|
private $cspNonceManager;
|
||||||
/** @var Throttler */
|
/** @var Throttler */
|
||||||
private $throttler;
|
private $throttler;
|
||||||
|
/** @var Limiter */
|
||||||
|
private $limiter;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param IRequest $request
|
* @param IRequest $request
|
||||||
|
@ -99,12 +102,13 @@ class SecurityMiddleware extends Middleware {
|
||||||
* @param ILogger $logger
|
* @param ILogger $logger
|
||||||
* @param ISession $session
|
* @param ISession $session
|
||||||
* @param string $appName
|
* @param string $appName
|
||||||
* @param bool $isLoggedIn
|
* @param IUserSession $userSession
|
||||||
* @param bool $isAdminUser
|
* @param bool $isAdminUser
|
||||||
* @param ContentSecurityPolicyManager $contentSecurityPolicyManager
|
* @param ContentSecurityPolicyManager $contentSecurityPolicyManager
|
||||||
* @param CSRFTokenManager $csrfTokenManager
|
* @param CSRFTokenManager $csrfTokenManager
|
||||||
* @param ContentSecurityPolicyNonceManager $cspNonceManager
|
* @param ContentSecurityPolicyNonceManager $cspNonceManager
|
||||||
* @param Throttler $throttler
|
* @param Throttler $throttler
|
||||||
|
* @param Limiter $limiter
|
||||||
*/
|
*/
|
||||||
public function __construct(IRequest $request,
|
public function __construct(IRequest $request,
|
||||||
ControllerMethodReflector $reflector,
|
ControllerMethodReflector $reflector,
|
||||||
|
@ -113,12 +117,13 @@ class SecurityMiddleware extends Middleware {
|
||||||
ILogger $logger,
|
ILogger $logger,
|
||||||
ISession $session,
|
ISession $session,
|
||||||
$appName,
|
$appName,
|
||||||
$isLoggedIn,
|
IUserSession $userSession,
|
||||||
$isAdminUser,
|
$isAdminUser,
|
||||||
ContentSecurityPolicyManager $contentSecurityPolicyManager,
|
ContentSecurityPolicyManager $contentSecurityPolicyManager,
|
||||||
CsrfTokenManager $csrfTokenManager,
|
CsrfTokenManager $csrfTokenManager,
|
||||||
ContentSecurityPolicyNonceManager $cspNonceManager,
|
ContentSecurityPolicyNonceManager $cspNonceManager,
|
||||||
Throttler $throttler) {
|
Throttler $throttler,
|
||||||
|
Limiter $limiter) {
|
||||||
$this->navigationManager = $navigationManager;
|
$this->navigationManager = $navigationManager;
|
||||||
$this->request = $request;
|
$this->request = $request;
|
||||||
$this->reflector = $reflector;
|
$this->reflector = $reflector;
|
||||||
|
@ -126,15 +131,15 @@ class SecurityMiddleware extends Middleware {
|
||||||
$this->urlGenerator = $urlGenerator;
|
$this->urlGenerator = $urlGenerator;
|
||||||
$this->logger = $logger;
|
$this->logger = $logger;
|
||||||
$this->session = $session;
|
$this->session = $session;
|
||||||
$this->isLoggedIn = $isLoggedIn;
|
$this->userSession = $userSession;
|
||||||
$this->isAdminUser = $isAdminUser;
|
$this->isAdminUser = $isAdminUser;
|
||||||
$this->contentSecurityPolicyManager = $contentSecurityPolicyManager;
|
$this->contentSecurityPolicyManager = $contentSecurityPolicyManager;
|
||||||
$this->csrfTokenManager = $csrfTokenManager;
|
$this->csrfTokenManager = $csrfTokenManager;
|
||||||
$this->cspNonceManager = $cspNonceManager;
|
$this->cspNonceManager = $cspNonceManager;
|
||||||
$this->throttler = $throttler;
|
$this->throttler = $throttler;
|
||||||
|
$this->limiter = $limiter;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This runs all the security checks before a method call. The
|
* This runs all the security checks before a method call. The
|
||||||
* security checks are determined by inspecting the controller method
|
* security checks are determined by inspecting the controller method
|
||||||
|
@ -152,7 +157,7 @@ class SecurityMiddleware extends Middleware {
|
||||||
// security checks
|
// security checks
|
||||||
$isPublicPage = $this->reflector->hasAnnotation('PublicPage');
|
$isPublicPage = $this->reflector->hasAnnotation('PublicPage');
|
||||||
if(!$isPublicPage) {
|
if(!$isPublicPage) {
|
||||||
if(!$this->isLoggedIn) {
|
if(!$this->userSession->isLoggedIn()) {
|
||||||
throw new NotLoggedInException();
|
throw new NotLoggedInException();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -191,8 +196,29 @@ class SecurityMiddleware extends Middleware {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$anonLimit = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'limit');
|
||||||
|
$anonPeriod = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'period');
|
||||||
|
$userLimit = $this->reflector->getAnnotationParameter('UserRateThrottle', 'limit');
|
||||||
|
$userPeriod = $this->reflector->getAnnotationParameter('UserRateThrottle', 'period');
|
||||||
|
$rateLimitIdentifier = get_class($controller) . '::' . $methodName;
|
||||||
|
if($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) {
|
||||||
|
$this->limiter->registerUserRequest(
|
||||||
|
$rateLimitIdentifier,
|
||||||
|
$userLimit,
|
||||||
|
$userPeriod,
|
||||||
|
$this->userSession->getUser()
|
||||||
|
);
|
||||||
|
} elseif ($anonLimit !== '' && $anonPeriod !== '') {
|
||||||
|
$this->limiter->registerAnonRequest(
|
||||||
|
$rateLimitIdentifier,
|
||||||
|
$anonLimit,
|
||||||
|
$anonPeriod,
|
||||||
|
$this->request->getRemoteAddress()
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
if($this->reflector->hasAnnotation('BruteForceProtection')) {
|
if($this->reflector->hasAnnotation('BruteForceProtection')) {
|
||||||
$action = $this->reflector->getAnnotationParameter('BruteForceProtection');
|
$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
|
||||||
$this->throttler->sleepDelay($this->request->getRemoteAddress(), $action);
|
$this->throttler->sleepDelay($this->request->getRemoteAddress(), $action);
|
||||||
$this->throttler->registerAttempt($action, $this->request->getRemoteAddress());
|
$this->throttler->registerAttempt($action, $this->request->getRemoteAddress());
|
||||||
}
|
}
|
||||||
|
@ -206,7 +232,6 @@ class SecurityMiddleware extends Middleware {
|
||||||
if(\OC_App::getAppPath($this->appName) !== false && !\OC_App::isEnabled($this->appName)) {
|
if(\OC_App::getAppPath($this->appName) !== false && !\OC_App::isEnabled($this->appName)) {
|
||||||
throw new AppNotEnabledException();
|
throw new AppNotEnabledException();
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -24,27 +24,17 @@
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|
||||||
namespace OC\AppFramework\Utility;
|
namespace OC\AppFramework\Utility;
|
||||||
|
|
||||||
use \OCP\AppFramework\Utility\IControllerMethodReflector;
|
use \OCP\AppFramework\Utility\IControllerMethodReflector;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Reads and parses annotations from doc comments
|
* Reads and parses annotations from doc comments
|
||||||
*/
|
*/
|
||||||
class ControllerMethodReflector implements IControllerMethodReflector{
|
class ControllerMethodReflector implements IControllerMethodReflector {
|
||||||
|
public $annotations = [];
|
||||||
private $annotations;
|
private $types = [];
|
||||||
private $types;
|
private $parameters = [];
|
||||||
private $parameters;
|
|
||||||
|
|
||||||
public function __construct() {
|
|
||||||
$this->types = array();
|
|
||||||
$this->parameters = array();
|
|
||||||
$this->annotations = array();
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param object $object an object or classname
|
* @param object $object an object or classname
|
||||||
|
@ -55,9 +45,21 @@ class ControllerMethodReflector implements IControllerMethodReflector{
|
||||||
$docs = $reflection->getDocComment();
|
$docs = $reflection->getDocComment();
|
||||||
|
|
||||||
// extract everything prefixed by @ and first letter uppercase
|
// extract everything prefixed by @ and first letter uppercase
|
||||||
preg_match_all('/^\h+\*\h+@(?P<annotation>[A-Z]\w+)(\h+(?P<parameter>\w+))?$/m', $docs, $matches);
|
preg_match_all('/^\h+\*\h+@(?P<annotation>[A-Z]\w+)((?P<parameter>.*))?$/m', $docs, $matches);
|
||||||
foreach($matches['annotation'] as $key => $annontation) {
|
foreach($matches['annotation'] as $key => $annontation) {
|
||||||
$this->annotations[$annontation] = $matches['parameter'][$key];
|
$annotationValue = $matches['parameter'][$key];
|
||||||
|
if($annotationValue[0] === '(' && $annotationValue[strlen($annotationValue) - 1] === ')') {
|
||||||
|
$cutString = substr($annotationValue, 1, -1);
|
||||||
|
$cutString = str_replace(' ', '', $cutString);
|
||||||
|
$splittedArray = explode(',', $cutString);
|
||||||
|
foreach($splittedArray as $annotationValues) {
|
||||||
|
list($key, $value) = explode('=', $annotationValues);
|
||||||
|
$this->annotations[$annontation][$key] = $value;
|
||||||
|
}
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
$this->annotations[$annontation] = [$annotationValue];
|
||||||
}
|
}
|
||||||
|
|
||||||
// extract type parameter information
|
// extract type parameter information
|
||||||
|
@ -83,7 +85,6 @@ class ControllerMethodReflector implements IControllerMethodReflector{
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Inspects the PHPDoc parameters for types
|
* Inspects the PHPDoc parameters for types
|
||||||
* @param string $parameter the parameter whose type comments should be
|
* @param string $parameter the parameter whose type comments should be
|
||||||
|
@ -99,7 +100,6 @@ class ControllerMethodReflector implements IControllerMethodReflector{
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return array the arguments of the method with key => default value
|
* @return array the arguments of the method with key => default value
|
||||||
*/
|
*/
|
||||||
|
@ -107,30 +107,27 @@ class ControllerMethodReflector implements IControllerMethodReflector{
|
||||||
return $this->parameters;
|
return $this->parameters;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check if a method contains an annotation
|
* Check if a method contains an annotation
|
||||||
* @param string $name the name of the annotation
|
* @param string $name the name of the annotation
|
||||||
* @return bool true if the annotation is found
|
* @return bool true if the annotation is found
|
||||||
*/
|
*/
|
||||||
public function hasAnnotation($name){
|
public function hasAnnotation($name) {
|
||||||
return array_key_exists($name, $this->annotations);
|
return array_key_exists($name, $this->annotations);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get optional annotation parameter
|
* Get optional annotation parameter by key
|
||||||
|
*
|
||||||
* @param string $name the name of the annotation
|
* @param string $name the name of the annotation
|
||||||
|
* @param string $key the string of the annotation
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
public function getAnnotationParameter($name){
|
public function getAnnotationParameter($name, $key) {
|
||||||
$parameter = '';
|
if(isset($this->annotations[$name][$key])) {
|
||||||
if($this->hasAnnotation($name)) {
|
return $this->annotations[$name][$key];
|
||||||
$parameter = $this->annotations[$name];
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return $parameter;
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -23,6 +23,7 @@
|
||||||
|
|
||||||
namespace OC\Security\Bruteforce;
|
namespace OC\Security\Bruteforce;
|
||||||
|
|
||||||
|
use OC\Security\Normalizer\IpAddress;
|
||||||
use OCP\AppFramework\Utility\ITimeFactory;
|
use OCP\AppFramework\Utility\ITimeFactory;
|
||||||
use OCP\IConfig;
|
use OCP\IConfig;
|
||||||
use OCP\IDBConnection;
|
use OCP\IDBConnection;
|
||||||
|
@ -82,67 +83,6 @@ class Throttler {
|
||||||
return $d2->diff($d1);
|
return $d2->diff($d1);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Return the given subnet for an IPv4 address and mask bits
|
|
||||||
*
|
|
||||||
* @param string $ip
|
|
||||||
* @param int $maskBits
|
|
||||||
* @return string
|
|
||||||
*/
|
|
||||||
private function getIPv4Subnet($ip,
|
|
||||||
$maskBits = 32) {
|
|
||||||
$binary = \inet_pton($ip);
|
|
||||||
for ($i = 32; $i > $maskBits; $i -= 8) {
|
|
||||||
$j = \intdiv($i, 8) - 1;
|
|
||||||
$k = (int) \min(8, $i - $maskBits);
|
|
||||||
$mask = (0xff - ((pow(2, $k)) - 1));
|
|
||||||
$int = \unpack('C', $binary[$j]);
|
|
||||||
$binary[$j] = \pack('C', $int[1] & $mask);
|
|
||||||
}
|
|
||||||
return \inet_ntop($binary).'/'.$maskBits;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Return the given subnet for an IPv6 address and mask bits
|
|
||||||
*
|
|
||||||
* @param string $ip
|
|
||||||
* @param int $maskBits
|
|
||||||
* @return string
|
|
||||||
*/
|
|
||||||
private function getIPv6Subnet($ip, $maskBits = 48) {
|
|
||||||
$binary = \inet_pton($ip);
|
|
||||||
for ($i = 128; $i > $maskBits; $i -= 8) {
|
|
||||||
$j = \intdiv($i, 8) - 1;
|
|
||||||
$k = (int) \min(8, $i - $maskBits);
|
|
||||||
$mask = (0xff - ((pow(2, $k)) - 1));
|
|
||||||
$int = \unpack('C', $binary[$j]);
|
|
||||||
$binary[$j] = \pack('C', $int[1] & $mask);
|
|
||||||
}
|
|
||||||
return \inet_ntop($binary).'/'.$maskBits;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Return the given subnet for an IP and the configured mask bits
|
|
||||||
*
|
|
||||||
* Determine if the IP is an IPv4 or IPv6 address, then pass to the correct
|
|
||||||
* method for handling that specific type.
|
|
||||||
*
|
|
||||||
* @param string $ip
|
|
||||||
* @return string
|
|
||||||
*/
|
|
||||||
private function getSubnet($ip) {
|
|
||||||
if (\preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $ip)) {
|
|
||||||
return $this->getIPv4Subnet(
|
|
||||||
$ip,
|
|
||||||
32
|
|
||||||
);
|
|
||||||
}
|
|
||||||
return $this->getIPv6Subnet(
|
|
||||||
$ip,
|
|
||||||
128
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Register a failed attempt to bruteforce a security control
|
* Register a failed attempt to bruteforce a security control
|
||||||
*
|
*
|
||||||
|
@ -158,11 +98,12 @@ class Throttler {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$ipAddress = new IpAddress($ip);
|
||||||
$values = [
|
$values = [
|
||||||
'action' => $action,
|
'action' => $action,
|
||||||
'occurred' => $this->timeFactory->getTime(),
|
'occurred' => $this->timeFactory->getTime(),
|
||||||
'ip' => $ip,
|
'ip' => (string)$ipAddress,
|
||||||
'subnet' => $this->getSubnet($ip),
|
'subnet' => $ipAddress->getSubnet(),
|
||||||
'metadata' => json_encode($metadata),
|
'metadata' => json_encode($metadata),
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -254,7 +195,8 @@ class Throttler {
|
||||||
* @return int
|
* @return int
|
||||||
*/
|
*/
|
||||||
public function getDelay($ip, $action = '') {
|
public function getDelay($ip, $action = '') {
|
||||||
if ($this->isIPWhitelisted($ip)) {
|
$ipAddress = new IpAddress($ip);
|
||||||
|
if ($this->isIPWhitelisted((string)$ipAddress)) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -266,7 +208,7 @@ class Throttler {
|
||||||
$qb->select('*')
|
$qb->select('*')
|
||||||
->from('bruteforce_attempts')
|
->from('bruteforce_attempts')
|
||||||
->where($qb->expr()->gt('occurred', $qb->createNamedParameter($cutoffTime)))
|
->where($qb->expr()->gt('occurred', $qb->createNamedParameter($cutoffTime)))
|
||||||
->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($this->getSubnet($ip))));
|
->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($ipAddress->getSubnet())));
|
||||||
|
|
||||||
if ($action !== '') {
|
if ($action !== '') {
|
||||||
$qb->andWhere($qb->expr()->eq('action', $qb->createNamedParameter($action)));
|
$qb->andWhere($qb->expr()->eq('action', $qb->createNamedParameter($action)));
|
||||||
|
|
|
@ -0,0 +1,106 @@
|
||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||||
|
*
|
||||||
|
* @license GNU AGPL version 3 or any later version
|
||||||
|
*
|
||||||
|
* This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License as
|
||||||
|
* published by the Free Software Foundation, either version 3 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Affero General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace OC\Security\Normalizer;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class IpAddress is used for normalizing IPv4 and IPv6 addresses in security
|
||||||
|
* relevant contexts in Nextcloud.
|
||||||
|
*
|
||||||
|
* @package OC\Security\Normalizer
|
||||||
|
*/
|
||||||
|
class IpAddress {
|
||||||
|
/** @var string */
|
||||||
|
private $ip;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $ip IP to normalized
|
||||||
|
*/
|
||||||
|
public function __construct($ip) {
|
||||||
|
$this->ip = $ip;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return the given subnet for an IPv4 address and mask bits
|
||||||
|
*
|
||||||
|
* @param string $ip
|
||||||
|
* @param int $maskBits
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
private function getIPv4Subnet($ip,
|
||||||
|
$maskBits = 32) {
|
||||||
|
$binary = \inet_pton($ip);
|
||||||
|
for ($i = 32; $i > $maskBits; $i -= 8) {
|
||||||
|
$j = \intdiv($i, 8) - 1;
|
||||||
|
$k = (int) \min(8, $i - $maskBits);
|
||||||
|
$mask = (0xff - ((pow(2, $k)) - 1));
|
||||||
|
$int = \unpack('C', $binary[$j]);
|
||||||
|
$binary[$j] = \pack('C', $int[1] & $mask);
|
||||||
|
}
|
||||||
|
return \inet_ntop($binary).'/'.$maskBits;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return the given subnet for an IPv6 address and mask bits
|
||||||
|
*
|
||||||
|
* @param string $ip
|
||||||
|
* @param int $maskBits
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
private function getIPv6Subnet($ip, $maskBits = 48) {
|
||||||
|
$binary = \inet_pton($ip);
|
||||||
|
for ($i = 128; $i > $maskBits; $i -= 8) {
|
||||||
|
$j = \intdiv($i, 8) - 1;
|
||||||
|
$k = (int) \min(8, $i - $maskBits);
|
||||||
|
$mask = (0xff - ((pow(2, $k)) - 1));
|
||||||
|
$int = \unpack('C', $binary[$j]);
|
||||||
|
$binary[$j] = \pack('C', $int[1] & $mask);
|
||||||
|
}
|
||||||
|
return \inet_ntop($binary).'/'.$maskBits;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets either the /32 (IPv4) or the /128 (IPv6) subnet of an IP address
|
||||||
|
*
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getSubnet() {
|
||||||
|
if (\preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $this->ip)) {
|
||||||
|
return $this->getIPv4Subnet(
|
||||||
|
$this->ip,
|
||||||
|
32
|
||||||
|
);
|
||||||
|
}
|
||||||
|
return $this->getIPv6Subnet(
|
||||||
|
$this->ip,
|
||||||
|
128
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the specified IP address
|
||||||
|
*
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function __toString() {
|
||||||
|
return $this->ip;
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,50 @@
|
||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||||
|
*
|
||||||
|
* @license GNU AGPL version 3 or any later version
|
||||||
|
*
|
||||||
|
* This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License as
|
||||||
|
* published by the Free Software Foundation, either version 3 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Affero General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace OC\Security\RateLimiting\Backend;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Interface IBackend defines a storage backend for the rate limiting data. It
|
||||||
|
* should be noted that writing and reading rate limiting data is an expensive
|
||||||
|
* operation and one should thus make sure to only use sufficient fast backends.
|
||||||
|
*
|
||||||
|
* @package OC\Security\RateLimiting\Backend
|
||||||
|
*/
|
||||||
|
interface IBackend {
|
||||||
|
/**
|
||||||
|
* Gets the amount of attempts within the last specified seconds
|
||||||
|
*
|
||||||
|
* @param string $methodIdentifier
|
||||||
|
* @param string $userIdentifier
|
||||||
|
* @param int $seconds
|
||||||
|
* @return int
|
||||||
|
*/
|
||||||
|
public function getAttempts($methodIdentifier, $userIdentifier, $seconds);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Registers an attempt
|
||||||
|
*
|
||||||
|
* @param string $methodIdentifier
|
||||||
|
* @param string $userIdentifier
|
||||||
|
* @param int $timestamp
|
||||||
|
*/
|
||||||
|
public function registerAttempt($methodIdentifier, $userIdentifier, $timestamp);
|
||||||
|
}
|
|
@ -0,0 +1,100 @@
|
||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||||
|
*
|
||||||
|
* @license GNU AGPL version 3 or any later version
|
||||||
|
*
|
||||||
|
* This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License as
|
||||||
|
* published by the Free Software Foundation, either version 3 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Affero General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace OC\Security\RateLimiting\Backend;
|
||||||
|
|
||||||
|
use OCP\AppFramework\Utility\ITimeFactory;
|
||||||
|
use OCP\ICache;
|
||||||
|
use OCP\ICacheFactory;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class MemoryCache uses the configured distributed memory cache for storing
|
||||||
|
* rate limiting data.
|
||||||
|
*
|
||||||
|
* @package OC\Security\RateLimiting\Backend
|
||||||
|
*/
|
||||||
|
class MemoryCache implements IBackend {
|
||||||
|
/** @var ICache */
|
||||||
|
private $cache;
|
||||||
|
/** @var ITimeFactory */
|
||||||
|
private $timeFactory;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param ICacheFactory $cacheFactory
|
||||||
|
* @param ITimeFactory $timeFactory
|
||||||
|
*/
|
||||||
|
public function __construct(ICacheFactory $cacheFactory,
|
||||||
|
ITimeFactory $timeFactory) {
|
||||||
|
$this->cache = $cacheFactory->create(__CLASS__);
|
||||||
|
$this->timeFactory = $timeFactory;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $methodIdentifier
|
||||||
|
* @param string $userIdentifier
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
private function hash($methodIdentifier, $userIdentifier) {
|
||||||
|
return hash('sha512', $methodIdentifier . $userIdentifier);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $identifier
|
||||||
|
* @return array
|
||||||
|
*/
|
||||||
|
private function getExistingAttempts($identifier) {
|
||||||
|
$cachedAttempts = json_decode($this->cache->get($identifier), true);
|
||||||
|
if(is_array($cachedAttempts)) {
|
||||||
|
return $cachedAttempts;
|
||||||
|
}
|
||||||
|
|
||||||
|
return [];
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* {@inheritDoc}
|
||||||
|
*/
|
||||||
|
public function getAttempts($methodIdentifier, $userIdentifier, $seconds) {
|
||||||
|
$identifier = $this->hash($methodIdentifier, $userIdentifier);
|
||||||
|
$existingAttempts = $this->getExistingAttempts($identifier);
|
||||||
|
|
||||||
|
$count = 0;
|
||||||
|
$currentTime = $this->timeFactory->getTime();
|
||||||
|
/** @var array $existingAttempts */
|
||||||
|
foreach ($existingAttempts as $attempt) {
|
||||||
|
if(($attempt + $seconds) > $currentTime) {
|
||||||
|
$count++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return $count;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* {@inheritDoc}
|
||||||
|
*/
|
||||||
|
public function registerAttempt($methodIdentifier, $userIdentifier, $timestamp) {
|
||||||
|
$identifier = $this->hash($methodIdentifier, $userIdentifier);
|
||||||
|
$existingAttempts = $this->getExistingAttempts($identifier);
|
||||||
|
$existingAttempts[] = (string)$timestamp;
|
||||||
|
$this->cache->set($identifier, json_encode($existingAttempts));
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,31 @@
|
||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||||
|
*
|
||||||
|
* @license GNU AGPL version 3 or any later version
|
||||||
|
*
|
||||||
|
* This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License as
|
||||||
|
* published by the Free Software Foundation, either version 3 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Affero General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace OC\Security\RateLimiting\Exception;
|
||||||
|
|
||||||
|
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
|
||||||
|
use OCP\AppFramework\Http;
|
||||||
|
|
||||||
|
class RateLimitExceededException extends SecurityException {
|
||||||
|
public function __construct() {
|
||||||
|
parent::__construct('Rate limit exceeded', Http::STATUS_TOO_MANY_REQUESTS);
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,106 @@
|
||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||||
|
*
|
||||||
|
* @license GNU AGPL version 3 or any later version
|
||||||
|
*
|
||||||
|
* This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License as
|
||||||
|
* published by the Free Software Foundation, either version 3 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Affero General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace OC\Security\RateLimiting;
|
||||||
|
|
||||||
|
use OC\Security\Normalizer\IpAddress;
|
||||||
|
use OC\Security\RateLimiting\Backend\IBackend;
|
||||||
|
use OC\Security\RateLimiting\Exception\RateLimitExceededException;
|
||||||
|
use OCP\AppFramework\Utility\ITimeFactory;
|
||||||
|
use OCP\IRequest;
|
||||||
|
use OCP\IUser;
|
||||||
|
use OCP\IUserSession;
|
||||||
|
|
||||||
|
class Limiter {
|
||||||
|
/** @var IBackend */
|
||||||
|
private $backend;
|
||||||
|
/** @var ITimeFactory */
|
||||||
|
private $timeFactory;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param IUserSession $userSession
|
||||||
|
* @param IRequest $request
|
||||||
|
* @param ITimeFactory $timeFactory
|
||||||
|
* @param IBackend $backend
|
||||||
|
*/
|
||||||
|
public function __construct(IUserSession $userSession,
|
||||||
|
IRequest $request,
|
||||||
|
ITimeFactory $timeFactory,
|
||||||
|
IBackend $backend) {
|
||||||
|
$this->backend = $backend;
|
||||||
|
$this->timeFactory = $timeFactory;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $methodIdentifier
|
||||||
|
* @param string $userIdentifier
|
||||||
|
* @param int $period
|
||||||
|
* @param int $limit
|
||||||
|
* @throws RateLimitExceededException
|
||||||
|
*/
|
||||||
|
private function register($methodIdentifier,
|
||||||
|
$userIdentifier,
|
||||||
|
$period,
|
||||||
|
$limit) {
|
||||||
|
$existingAttempts = $this->backend->getAttempts($methodIdentifier, $userIdentifier, (int)$period);
|
||||||
|
if ($existingAttempts >= (int)$limit) {
|
||||||
|
throw new RateLimitExceededException();
|
||||||
|
}
|
||||||
|
|
||||||
|
$this->backend->registerAttempt($methodIdentifier, $userIdentifier, $this->timeFactory->getTime());
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Registers attempt for an anonymous request
|
||||||
|
*
|
||||||
|
* @param string $identifier
|
||||||
|
* @param int $anonLimit
|
||||||
|
* @param int $anonPeriod
|
||||||
|
* @param string $ip
|
||||||
|
* @throws RateLimitExceededException
|
||||||
|
*/
|
||||||
|
public function registerAnonRequest($identifier,
|
||||||
|
$anonLimit,
|
||||||
|
$anonPeriod,
|
||||||
|
$ip) {
|
||||||
|
$ipSubnet = (new IpAddress($ip))->getSubnet();
|
||||||
|
|
||||||
|
$anonHashIdentifier = hash('sha512', 'anon::' . $identifier . $ipSubnet);
|
||||||
|
$this->register($identifier, $anonHashIdentifier, $anonPeriod, $anonLimit);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Registers attempt for an authenticated request
|
||||||
|
*
|
||||||
|
* @param string $identifier
|
||||||
|
* @param int $userLimit
|
||||||
|
* @param int $userPeriod
|
||||||
|
* @param IUser $user
|
||||||
|
* @throws RateLimitExceededException
|
||||||
|
*/
|
||||||
|
public function registerUserRequest($identifier,
|
||||||
|
$userLimit,
|
||||||
|
$userPeriod,
|
||||||
|
IUser $user) {
|
||||||
|
$userHashIdentifier = hash('sha512', 'user::' . $identifier . $user->getUID());
|
||||||
|
$this->register($identifier, $userHashIdentifier, $userPeriod, $userLimit);
|
||||||
|
}
|
||||||
|
}
|
|
@ -40,6 +40,7 @@ use OC\Security\CSP\ContentSecurityPolicyManager;
|
||||||
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
|
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
|
||||||
use OC\Security\CSRF\CsrfToken;
|
use OC\Security\CSRF\CsrfToken;
|
||||||
use OC\Security\CSRF\CsrfTokenManager;
|
use OC\Security\CSRF\CsrfTokenManager;
|
||||||
|
use OC\Security\RateLimiting\Limiter;
|
||||||
use OCP\AppFramework\Controller;
|
use OCP\AppFramework\Controller;
|
||||||
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
|
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
|
||||||
use OCP\AppFramework\Http\RedirectResponse;
|
use OCP\AppFramework\Http\RedirectResponse;
|
||||||
|
@ -52,6 +53,7 @@ use OCP\INavigationManager;
|
||||||
use OCP\IRequest;
|
use OCP\IRequest;
|
||||||
use OCP\ISession;
|
use OCP\ISession;
|
||||||
use OCP\IURLGenerator;
|
use OCP\IURLGenerator;
|
||||||
|
use OCP\IUserSession;
|
||||||
use OCP\Security\ISecureRandom;
|
use OCP\Security\ISecureRandom;
|
||||||
|
|
||||||
|
|
||||||
|
@ -83,6 +85,10 @@ class SecurityMiddlewareTest extends \Test\TestCase {
|
||||||
private $csrfTokenManager;
|
private $csrfTokenManager;
|
||||||
/** @var ContentSecurityPolicyNonceManager|\PHPUnit_Framework_MockObject_MockObject */
|
/** @var ContentSecurityPolicyNonceManager|\PHPUnit_Framework_MockObject_MockObject */
|
||||||
private $cspNonceManager;
|
private $cspNonceManager;
|
||||||
|
/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
|
||||||
|
private $userSession;
|
||||||
|
/** @var Limiter|\PHPUnit_Framework_MockObject_MockObject */
|
||||||
|
private $limiter;
|
||||||
/** @var Throttler|\PHPUnit_Framework_MockObject_MockObject */
|
/** @var Throttler|\PHPUnit_Framework_MockObject_MockObject */
|
||||||
private $bruteForceThrottler;
|
private $bruteForceThrottler;
|
||||||
|
|
||||||
|
@ -93,6 +99,8 @@ class SecurityMiddlewareTest extends \Test\TestCase {
|
||||||
$this->reader = new ControllerMethodReflector();
|
$this->reader = new ControllerMethodReflector();
|
||||||
$this->logger = $this->createMock(ILogger::class);
|
$this->logger = $this->createMock(ILogger::class);
|
||||||
$this->navigationManager = $this->createMock(INavigationManager::class);
|
$this->navigationManager = $this->createMock(INavigationManager::class);
|
||||||
|
$this->userSession = $this->createMock(IUserSession::class);
|
||||||
|
$this->limiter = $this->createMock(Limiter::class);
|
||||||
$this->urlGenerator = $this->createMock(IURLGenerator::class);
|
$this->urlGenerator = $this->createMock(IURLGenerator::class);
|
||||||
$this->session = $this->createMock(ISession::class);
|
$this->session = $this->createMock(ISession::class);
|
||||||
$this->request = $this->createMock(IRequest::class);
|
$this->request = $this->createMock(IRequest::class);
|
||||||
|
@ -111,6 +119,11 @@ class SecurityMiddlewareTest extends \Test\TestCase {
|
||||||
* @return SecurityMiddleware
|
* @return SecurityMiddleware
|
||||||
*/
|
*/
|
||||||
private function getMiddleware($isLoggedIn, $isAdminUser) {
|
private function getMiddleware($isLoggedIn, $isAdminUser) {
|
||||||
|
$this->userSession
|
||||||
|
->expects($this->any())
|
||||||
|
->method('isLoggedIn')
|
||||||
|
->willReturn($isLoggedIn);
|
||||||
|
|
||||||
return new SecurityMiddleware(
|
return new SecurityMiddleware(
|
||||||
$this->request,
|
$this->request,
|
||||||
$this->reader,
|
$this->reader,
|
||||||
|
@ -119,12 +132,13 @@ class SecurityMiddlewareTest extends \Test\TestCase {
|
||||||
$this->logger,
|
$this->logger,
|
||||||
$this->session,
|
$this->session,
|
||||||
'files',
|
'files',
|
||||||
$isLoggedIn,
|
$this->userSession,
|
||||||
$isAdminUser,
|
$isAdminUser,
|
||||||
$this->contentSecurityPolicyManager,
|
$this->contentSecurityPolicyManager,
|
||||||
$this->csrfTokenManager,
|
$this->csrfTokenManager,
|
||||||
$this->cspNonceManager,
|
$this->cspNonceManager,
|
||||||
$this->bruteForceThrottler
|
$this->bruteForceThrottler,
|
||||||
|
$this->limiter
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -673,14 +687,36 @@ class SecurityMiddlewareTest extends \Test\TestCase {
|
||||||
$this->logger,
|
$this->logger,
|
||||||
$this->session,
|
$this->session,
|
||||||
'files',
|
'files',
|
||||||
false,
|
$this->userSession,
|
||||||
false,
|
false,
|
||||||
$this->contentSecurityPolicyManager,
|
$this->contentSecurityPolicyManager,
|
||||||
$this->csrfTokenManager,
|
$this->csrfTokenManager,
|
||||||
$this->cspNonceManager,
|
$this->cspNonceManager,
|
||||||
$this->bruteForceThrottler
|
$this->bruteForceThrottler,
|
||||||
|
$this->limiter
|
||||||
);
|
);
|
||||||
|
|
||||||
|
$reader
|
||||||
|
->expects($this->at(0))
|
||||||
|
->method('getAnnotationParameter')
|
||||||
|
->with('AnonRateThrottle', 'limit')
|
||||||
|
->willReturn('');
|
||||||
|
$reader
|
||||||
|
->expects($this->at(1))
|
||||||
|
->method('getAnnotationParameter')
|
||||||
|
->with('AnonRateThrottle', 'period')
|
||||||
|
->willReturn('');
|
||||||
|
$reader
|
||||||
|
->expects($this->at(2))
|
||||||
|
->method('getAnnotationParameter')
|
||||||
|
->with('UserRateThrottle', 'limit')
|
||||||
|
->willReturn('');
|
||||||
|
$reader
|
||||||
|
->expects($this->at(3))
|
||||||
|
->method('getAnnotationParameter')
|
||||||
|
->with('UserRateThrottle', 'period')
|
||||||
|
->willReturn('');
|
||||||
|
|
||||||
$reader->expects($this->any())->method('hasAnnotation')
|
$reader->expects($this->any())->method('hasAnnotation')
|
||||||
->willReturnCallback(
|
->willReturnCallback(
|
||||||
function($annotation) use ($bruteForceProtectionEnabled) {
|
function($annotation) use ($bruteForceProtectionEnabled) {
|
||||||
|
|
|
@ -76,51 +76,6 @@ class ThrottlerTest extends TestCase {
|
||||||
$this->assertLessThan(2, $cutoff->s);
|
$this->assertLessThan(2, $cutoff->s);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testSubnet() {
|
|
||||||
// IPv4
|
|
||||||
$this->assertSame(
|
|
||||||
'64.233.191.254/32',
|
|
||||||
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 32])
|
|
||||||
);
|
|
||||||
$this->assertSame(
|
|
||||||
'64.233.191.252/30',
|
|
||||||
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 30])
|
|
||||||
);
|
|
||||||
$this->assertSame(
|
|
||||||
'64.233.191.240/28',
|
|
||||||
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 28])
|
|
||||||
);
|
|
||||||
$this->assertSame(
|
|
||||||
'64.233.191.0/24',
|
|
||||||
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 24])
|
|
||||||
);
|
|
||||||
$this->assertSame(
|
|
||||||
'64.233.188.0/22',
|
|
||||||
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 22])
|
|
||||||
);
|
|
||||||
// IPv6
|
|
||||||
$this->assertSame(
|
|
||||||
'2001:db8:85a3::8a2e:370:7334/127',
|
|
||||||
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 127])
|
|
||||||
);
|
|
||||||
$this->assertSame(
|
|
||||||
'2001:db8:85a3::8a2e:370:7300/120',
|
|
||||||
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7300', 120])
|
|
||||||
);
|
|
||||||
$this->assertSame(
|
|
||||||
'2001:db8:85a3::/64',
|
|
||||||
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 64])
|
|
||||||
);
|
|
||||||
$this->assertSame(
|
|
||||||
'2001:db8:85a3::/48',
|
|
||||||
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 48])
|
|
||||||
);
|
|
||||||
$this->assertSame(
|
|
||||||
'2001:db8:8500::/40',
|
|
||||||
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 40])
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
public function dataIsIPWhitelisted() {
|
public function dataIsIPWhitelisted() {
|
||||||
return [
|
return [
|
||||||
[
|
[
|
||||||
|
|
|
@ -0,0 +1,59 @@
|
||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||||
|
*
|
||||||
|
* @license GNU AGPL version 3 or any later version
|
||||||
|
*
|
||||||
|
* This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License as
|
||||||
|
* published by the Free Software Foundation, either version 3 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Affero General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace Test\Security\Normalizer;
|
||||||
|
|
||||||
|
use OC\Security\Normalizer\IpAddress;
|
||||||
|
use Test\TestCase;
|
||||||
|
|
||||||
|
class IpAddressTest extends TestCase {
|
||||||
|
|
||||||
|
public function subnetDataProvider() {
|
||||||
|
return [
|
||||||
|
[
|
||||||
|
'64.233.191.254',
|
||||||
|
'64.233.191.254/32',
|
||||||
|
],
|
||||||
|
[
|
||||||
|
'192.168.0.123',
|
||||||
|
'192.168.0.123/32',
|
||||||
|
],
|
||||||
|
[
|
||||||
|
'2001:0db8:85a3:0000:0000:8a2e:0370:7334',
|
||||||
|
'2001:db8:85a3::8a2e:370:7334/128',
|
||||||
|
],
|
||||||
|
];
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @dataProvider subnetDataProvider
|
||||||
|
*
|
||||||
|
* @param string $input
|
||||||
|
* @param string $expected
|
||||||
|
*/
|
||||||
|
public function testGetSubnet($input, $expected) {
|
||||||
|
$this->assertSame($expected, (new IpAddress($input))->getSubnet());
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testToString() {
|
||||||
|
$this->assertSame('127.0.0.1', (string)(new IpAddress('127.0.0.1')));
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,138 @@
|
||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||||
|
*
|
||||||
|
* @license GNU AGPL version 3 or any later version
|
||||||
|
*
|
||||||
|
* This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License as
|
||||||
|
* published by the Free Software Foundation, either version 3 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Affero General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace Test\Security\RateLimiting\Backend;
|
||||||
|
|
||||||
|
use OC\Security\RateLimiting\Backend\MemoryCache;
|
||||||
|
use OCP\AppFramework\Utility\ITimeFactory;
|
||||||
|
use OCP\ICache;
|
||||||
|
use OCP\ICacheFactory;
|
||||||
|
use Test\TestCase;
|
||||||
|
|
||||||
|
class MemoryCacheTest extends TestCase {
|
||||||
|
/** @var ICacheFactory|\PHPUnit_Framework_MockObject_MockObject */
|
||||||
|
private $cacheFactory;
|
||||||
|
/** @var ITimeFactory|\PHPUnit_Framework_MockObject_MockObject */
|
||||||
|
private $timeFactory;
|
||||||
|
/** @var ICache|\PHPUnit_Framework_MockObject_MockObject */
|
||||||
|
private $cache;
|
||||||
|
/** @var MemoryCache */
|
||||||
|
private $memoryCache;
|
||||||
|
|
||||||
|
public function setUp() {
|
||||||
|
parent::setUp();
|
||||||
|
|
||||||
|
$this->cacheFactory = $this->createMock(ICacheFactory::class);
|
||||||
|
$this->timeFactory = $this->createMock(ITimeFactory::class);
|
||||||
|
$this->cache = $this->createMock(ICache::class);
|
||||||
|
|
||||||
|
$this->cacheFactory
|
||||||
|
->expects($this->once())
|
||||||
|
->method('create')
|
||||||
|
->with('OC\Security\RateLimiting\Backend\MemoryCache')
|
||||||
|
->willReturn($this->cache);
|
||||||
|
|
||||||
|
$this->memoryCache = new MemoryCache(
|
||||||
|
$this->cacheFactory,
|
||||||
|
$this->timeFactory
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testGetAttemptsWithNoAttemptsBefore() {
|
||||||
|
$this->cache
|
||||||
|
->expects($this->once())
|
||||||
|
->method('get')
|
||||||
|
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
|
||||||
|
->willReturn(false);
|
||||||
|
|
||||||
|
$this->assertSame(0, $this->memoryCache->getAttempts('Method', 'User', 123));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testGetAttempts() {
|
||||||
|
$this->timeFactory
|
||||||
|
->expects($this->once())
|
||||||
|
->method('getTime')
|
||||||
|
->willReturn(210);
|
||||||
|
$this->cache
|
||||||
|
->expects($this->once())
|
||||||
|
->method('get')
|
||||||
|
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
|
||||||
|
->willReturn(json_encode([
|
||||||
|
'1',
|
||||||
|
'2',
|
||||||
|
'87',
|
||||||
|
'123',
|
||||||
|
'123',
|
||||||
|
'124',
|
||||||
|
]));
|
||||||
|
|
||||||
|
$this->assertSame(3, $this->memoryCache->getAttempts('Method', 'User', 123));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testRegisterAttemptWithNoAttemptsBefore() {
|
||||||
|
$this->cache
|
||||||
|
->expects($this->once())
|
||||||
|
->method('get')
|
||||||
|
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
|
||||||
|
->willReturn(false);
|
||||||
|
$this->cache
|
||||||
|
->expects($this->once())
|
||||||
|
->method('set')
|
||||||
|
->with(
|
||||||
|
'eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b',
|
||||||
|
json_encode(['123'])
|
||||||
|
);
|
||||||
|
|
||||||
|
$this->memoryCache->registerAttempt('Method', 'User', 123);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testRegisterAttempts() {
|
||||||
|
$this->cache
|
||||||
|
->expects($this->once())
|
||||||
|
->method('get')
|
||||||
|
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
|
||||||
|
->willReturn(json_encode([
|
||||||
|
'1',
|
||||||
|
'2',
|
||||||
|
'87',
|
||||||
|
'123',
|
||||||
|
'123',
|
||||||
|
'124',
|
||||||
|
]));
|
||||||
|
$this->cache
|
||||||
|
->expects($this->once())
|
||||||
|
->method('set')
|
||||||
|
->with(
|
||||||
|
'eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b',
|
||||||
|
json_encode([
|
||||||
|
'1',
|
||||||
|
'2',
|
||||||
|
'87',
|
||||||
|
'123',
|
||||||
|
'123',
|
||||||
|
'124',
|
||||||
|
'129',
|
||||||
|
])
|
||||||
|
);
|
||||||
|
|
||||||
|
$this->memoryCache->registerAttempt('Method', 'User', 129);
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,161 @@
|
||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||||
|
*
|
||||||
|
* @license GNU AGPL version 3 or any later version
|
||||||
|
*
|
||||||
|
* This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License as
|
||||||
|
* published by the Free Software Foundation, either version 3 of the
|
||||||
|
* License, or (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Affero General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace Test\Security\RateLimiting;
|
||||||
|
|
||||||
|
use OC\Security\RateLimiting\Backend\IBackend;
|
||||||
|
use OC\Security\RateLimiting\Limiter;
|
||||||
|
use OCP\AppFramework\Utility\ITimeFactory;
|
||||||
|
use OCP\ICacheFactory;
|
||||||
|
use OCP\IRequest;
|
||||||
|
use OCP\IUser;
|
||||||
|
use OCP\IUserSession;
|
||||||
|
use Test\TestCase;
|
||||||
|
|
||||||
|
class LimiterTest extends TestCase {
|
||||||
|
/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
|
||||||
|
private $userSession;
|
||||||
|
/** @var IRequest|\PHPUnit_Framework_MockObject_MockObject */
|
||||||
|
private $request;
|
||||||
|
/** @var ITimeFactory|\PHPUnit_Framework_MockObject_MockObject */
|
||||||
|
private $timeFactory;
|
||||||
|
/** @var IBackend|\PHPUnit_Framework_MockObject_MockObject */
|
||||||
|
private $backend;
|
||||||
|
/** @var Limiter */
|
||||||
|
private $limiter;
|
||||||
|
|
||||||
|
public function setUp() {
|
||||||
|
parent::setUp();
|
||||||
|
|
||||||
|
$this->userSession = $this->createMock(IUserSession::class);
|
||||||
|
$this->request = $this->createMock(IRequest::class);
|
||||||
|
$this->timeFactory = $this->createMock(ITimeFactory::class);
|
||||||
|
$this->backend = $this->createMock(IBackend::class);
|
||||||
|
|
||||||
|
$this->limiter = new Limiter(
|
||||||
|
$this->userSession,
|
||||||
|
$this->request,
|
||||||
|
$this->timeFactory,
|
||||||
|
$this->backend
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @expectedException \OC\Security\RateLimiting\Exception\RateLimitExceededException
|
||||||
|
* @expectedExceptionMessage Rate limit exceeded
|
||||||
|
*/
|
||||||
|
public function testRegisterAnonRequestExceeded() {
|
||||||
|
$this->backend
|
||||||
|
->expects($this->once())
|
||||||
|
->method('getAttempts')
|
||||||
|
->with(
|
||||||
|
'MyIdentifier',
|
||||||
|
'4664f0d9c88dcb7552be47b37bb52ce35977b2e60e1ac13757cf625f31f87050a41f3da064887fa87d49fd042e4c8eb20de8f10464877d3959677ab011b73a47',
|
||||||
|
100
|
||||||
|
)
|
||||||
|
->willReturn(101);
|
||||||
|
|
||||||
|
$this->limiter->registerAnonRequest('MyIdentifier', 100, 100, '127.0.0.1');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testRegisterAnonRequestSuccess() {
|
||||||
|
$this->timeFactory
|
||||||
|
->expects($this->once())
|
||||||
|
->method('getTime')
|
||||||
|
->willReturn(2000);
|
||||||
|
$this->backend
|
||||||
|
->expects($this->once())
|
||||||
|
->method('getAttempts')
|
||||||
|
->with(
|
||||||
|
'MyIdentifier',
|
||||||
|
'4664f0d9c88dcb7552be47b37bb52ce35977b2e60e1ac13757cf625f31f87050a41f3da064887fa87d49fd042e4c8eb20de8f10464877d3959677ab011b73a47',
|
||||||
|
100
|
||||||
|
)
|
||||||
|
->willReturn(99);
|
||||||
|
$this->backend
|
||||||
|
->expects($this->once())
|
||||||
|
->method('registerAttempt')
|
||||||
|
->with(
|
||||||
|
'MyIdentifier',
|
||||||
|
'4664f0d9c88dcb7552be47b37bb52ce35977b2e60e1ac13757cf625f31f87050a41f3da064887fa87d49fd042e4c8eb20de8f10464877d3959677ab011b73a47',
|
||||||
|
2000
|
||||||
|
);
|
||||||
|
|
||||||
|
$this->limiter->registerAnonRequest('MyIdentifier', 100, 100, '127.0.0.1');
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @expectedException \OC\Security\RateLimiting\Exception\RateLimitExceededException
|
||||||
|
* @expectedExceptionMessage Rate limit exceeded
|
||||||
|
*/
|
||||||
|
public function testRegisterUserRequestExceeded() {
|
||||||
|
/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */
|
||||||
|
$user = $this->createMock(IUser::class);
|
||||||
|
$user
|
||||||
|
->expects($this->once())
|
||||||
|
->method('getUID')
|
||||||
|
->willReturn('MyUid');
|
||||||
|
$this->backend
|
||||||
|
->expects($this->once())
|
||||||
|
->method('getAttempts')
|
||||||
|
->with(
|
||||||
|
'MyIdentifier',
|
||||||
|
'ddb2ec50fa973fd49ecf3d816f677c8095143e944ad10485f30fb3dac85c13a346dace4dae2d0a15af91867320957bfd38a43d9eefbb74fe6919e15119b6d805',
|
||||||
|
100
|
||||||
|
)
|
||||||
|
->willReturn(101);
|
||||||
|
|
||||||
|
$this->limiter->registerUserRequest('MyIdentifier', 100, 100, $user);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testRegisterUserRequestSuccess() {
|
||||||
|
/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */
|
||||||
|
$user = $this->createMock(IUser::class);
|
||||||
|
$user
|
||||||
|
->expects($this->once())
|
||||||
|
->method('getUID')
|
||||||
|
->willReturn('MyUid');
|
||||||
|
|
||||||
|
$this->timeFactory
|
||||||
|
->expects($this->once())
|
||||||
|
->method('getTime')
|
||||||
|
->willReturn(2000);
|
||||||
|
$this->backend
|
||||||
|
->expects($this->once())
|
||||||
|
->method('getAttempts')
|
||||||
|
->with(
|
||||||
|
'MyIdentifier',
|
||||||
|
'ddb2ec50fa973fd49ecf3d816f677c8095143e944ad10485f30fb3dac85c13a346dace4dae2d0a15af91867320957bfd38a43d9eefbb74fe6919e15119b6d805',
|
||||||
|
100
|
||||||
|
)
|
||||||
|
->willReturn(99);
|
||||||
|
$this->backend
|
||||||
|
->expects($this->once())
|
||||||
|
->method('registerAttempt')
|
||||||
|
->with(
|
||||||
|
'MyIdentifier',
|
||||||
|
'ddb2ec50fa973fd49ecf3d816f677c8095143e944ad10485f30fb3dac85c13a346dace4dae2d0a15af91867320957bfd38a43d9eefbb74fe6919e15119b6d805',
|
||||||
|
2000
|
||||||
|
);
|
||||||
|
|
||||||
|
$this->limiter->registerUserRequest('MyIdentifier', 100, 100, $user);
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue