mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Move to dedicated MiddleWare 

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
This commit is contained in:
Lukas Reschke 2017-04-12 22:14:11 +02:00
parent a05471eb43
commit a1ae5275f9
No known key found for this signature in database
GPG Key ID: B9F6980CF6E759B1
5 changed files with 447 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
lib/private/AppFramework/DependencyInjection/DIContainer.php
View File

@ -40,6 +40,7 @@ use OC\AppFramework\Http\Output;
use OC\AppFramework\Middleware\MiddlewareDispatcher;
use OC\AppFramework\Middleware\Security\CORSMiddleware;
use OC\AppFramework\Middleware\OCSMiddleware;
use OC\AppFramework\Middleware\Security\RateLimitingMiddleware;
use OC\AppFramework\Middleware\Security\SecurityMiddleware;
use OC\AppFramework\Middleware\SessionMiddleware;
use OC\AppFramework\Utility\SimpleContainer;
@ -219,17 +220,28 @@ class DIContainer extends SimpleContainer implements IAppContainer {
$server->getLogger(),
$server->getSession(),
$c['AppName'],
$server->getUserSession(),
$app->isLoggedIn(),
$app->isAdminUser(),
$server->getContentSecurityPolicyManager(),
$server->getCsrfTokenManager(),
$server->getContentSecurityPolicyNonceManager(),
$server->getBruteForceThrottler(),
$c->query(OC\Security\RateLimiting\Limiter::class)
$server->getBruteForceThrottler()
);
});
$this->registerService('RateLimitingMiddleware', function($c) use ($app) {
/** @var \OC\Server $server */
$server = $app->getServer();
return new RateLimitingMiddleware(
$server->getRequest(),
$server->getUserSession(),
$c['ControllerMethodReflector'],
$c->query(OC\Security\RateLimiting\Limiter::class)
);
});
$this->registerService('CORSMiddleware', function($c) {
return new CORSMiddleware(
$c['Request'],
@ -270,6 +282,7 @@ class DIContainer extends SimpleContainer implements IAppContainer {
$dispatcher->registerMiddleware($c['OCSMiddleware']);
$dispatcher->registerMiddleware($c['SecurityMiddleware']);
$dispatcher->registerMiddleWare($c['TwoFactorMiddleware']);
$dispatcher->registerMiddleware($c['RateLimitingMiddleware']);
foreach($middleWares as $middleWare) {
$dispatcher->registerMiddleware($c[$middleWare]);

134
lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php Normal file
View File

@ -0,0 +1,134 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Security\RateLimiting\Exception\RateLimitExceededException;
use OC\Security\RateLimiting\Limiter;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Middleware;
use OCP\IRequest;
use OCP\IUserSession;
/**
* Class RateLimitingMiddleware is the middleware responsible for implementing the
* ratelimiting in Nextcloud.
*
* It parses annotations such as:
*
* @UserRateThrottle(limit=5, period=100)
* @AnonRateThrottle(limit=1, period=100)
*
* Those annotations above would mean that logged-in users can access the page 5
* times within 100 seconds, and anonymous users 1 time within 100 seconds. If
* only an AnonRateThrottle is specified that one will also be applied to logged-in
* users.
*
* @package OC\AppFramework\Middleware\Security
*/
class RateLimitingMiddleware extends Middleware {
/** @var IRequest $request */
private $request;
/** @var IUserSession */
private $userSession;
/** @var ControllerMethodReflector */
private $reflector;
/** @var Limiter */
private $limiter;
/**
* @param IRequest $request
* @param IUserSession $userSession
* @param ControllerMethodReflector $reflector
* @param Limiter $limiter
*/
public function __construct(IRequest $request,
IUserSession $userSession,
ControllerMethodReflector $reflector,
Limiter $limiter) {
$this->request = $request;
$this->userSession = $userSession;
$this->reflector = $reflector;
$this->limiter = $limiter;
}
/**
* {@inheritDoc}
* @throws RateLimitExceededException
*/
public function beforeController($controller, $methodName) {
parent::beforeController($controller, $methodName);
$anonLimit = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'limit');
$anonPeriod = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'period');
$userLimit = $this->reflector->getAnnotationParameter('UserRateThrottle', 'limit');
$userPeriod = $this->reflector->getAnnotationParameter('UserRateThrottle', 'period');
$rateLimitIdentifier = get_class($controller) . '::' . $methodName;
if($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) {
$this->limiter->registerUserRequest(
$rateLimitIdentifier,
$userLimit,
$userPeriod,
$this->userSession->getUser()
);
} elseif ($anonLimit !== '' && $anonPeriod !== '') {
$this->limiter->registerAnonRequest(
$rateLimitIdentifier,
$anonLimit,
$anonPeriod,
$this->request->getRemoteAddress()
);
}
}
/**
* {@inheritDoc}
*/
public function afterException($controller, $methodName, \Exception $exception) {
if($exception instanceof RateLimitExceededException) {
if (stripos($this->request->getHeader('Accept'),'html') === false) {
$response = new JSONResponse(
[
'message' => $exception->getMessage(),
],
$exception->getCode()
);
} else {
$response = new TemplateResponse(
'core',
'403',
[
'file' => $exception->getMessage()
],
'guest'
);
$response->setStatus($exception->getCode());
}
return $response;
}
throw $exception;
}
}

45
lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
View File

@ -26,6 +26,7 @@
*
*/
namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Middleware\Security\Exceptions\AppNotEnabledException;
@ -39,7 +40,6 @@ use OC\Security\Bruteforce\Throttler;
use OC\Security\CSP\ContentSecurityPolicyManager;
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
use OC\Security\CSRF\CsrfTokenManager;
use OC\Security\RateLimiting\Limiter;
use OCP\AppFramework\Http\ContentSecurityPolicy;
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
use OCP\AppFramework\Http\RedirectResponse;
@ -54,7 +54,6 @@ use OCP\IURLGenerator;
use OCP\IRequest;
use OCP\ILogger;
use OCP\AppFramework\Controller;
use OCP\IUserSession;
use OCP\Util;
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
@ -79,8 +78,8 @@ class SecurityMiddleware extends Middleware {
private $logger;
/** @var ISession */
private $session;
/** @var IUserSession */
private $userSession;
/** @var bool */
private $isLoggedIn;
/** @var bool */
private $isAdminUser;
/** @var ContentSecurityPolicyManager */
@ -91,8 +90,6 @@ class SecurityMiddleware extends Middleware {
private $cspNonceManager;
/** @var Throttler */
private $throttler;
/** @var Limiter */
private $limiter;
/**
* @param IRequest $request
@ -102,13 +99,12 @@ class SecurityMiddleware extends Middleware {
* @param ILogger $logger
* @param ISession $session
* @param string $appName
* @param IUserSession $userSession
* @param bool $isLoggedIn
* @param bool $isAdminUser
* @param ContentSecurityPolicyManager $contentSecurityPolicyManager
* @param CSRFTokenManager $csrfTokenManager
* @param ContentSecurityPolicyNonceManager $cspNonceManager
* @param Throttler $throttler
* @param Limiter $limiter
*/
public function __construct(IRequest $request,
ControllerMethodReflector $reflector,
@ -117,13 +113,12 @@ class SecurityMiddleware extends Middleware {
ILogger $logger,
ISession $session,
$appName,
IUserSession $userSession,
$isLoggedIn,
$isAdminUser,
ContentSecurityPolicyManager $contentSecurityPolicyManager,
CsrfTokenManager $csrfTokenManager,
ContentSecurityPolicyNonceManager $cspNonceManager,
Throttler $throttler,
Limiter $limiter) {
Throttler $throttler) {
$this->navigationManager = $navigationManager;
$this->request = $request;
$this->reflector = $reflector;
@ -131,15 +126,15 @@ class SecurityMiddleware extends Middleware {
$this->urlGenerator = $urlGenerator;
$this->logger = $logger;
$this->session = $session;
$this->userSession = $userSession;
$this->isLoggedIn = $isLoggedIn;
$this->isAdminUser = $isAdminUser;
$this->contentSecurityPolicyManager = $contentSecurityPolicyManager;
$this->csrfTokenManager = $csrfTokenManager;
$this->cspNonceManager = $cspNonceManager;
$this->throttler = $throttler;
$this->limiter = $limiter;
}
/**
* This runs all the security checks before a method call. The
* security checks are determined by inspecting the controller method
@ -157,7 +152,7 @@ class SecurityMiddleware extends Middleware {
// security checks
$isPublicPage = $this->reflector->hasAnnotation('PublicPage');
if(!$isPublicPage) {
if(!$this->userSession->isLoggedIn()) {
if(!$this->isLoggedIn) {
throw new NotLoggedInException();
}
@ -196,27 +191,6 @@ class SecurityMiddleware extends Middleware {
}
}
$anonLimit = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'limit');
$anonPeriod = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'period');
$userLimit = $this->reflector->getAnnotationParameter('UserRateThrottle', 'limit');
$userPeriod = $this->reflector->getAnnotationParameter('UserRateThrottle', 'period');
$rateLimitIdentifier = get_class($controller) . '::' . $methodName;
if($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) {
$this->limiter->registerUserRequest(
$rateLimitIdentifier,
$userLimit,
$userPeriod,
$this->userSession->getUser()
);
} elseif ($anonLimit !== '' && $anonPeriod !== '') {
$this->limiter->registerAnonRequest(
$rateLimitIdentifier,
$anonLimit,
$anonPeriod,
$this->request->getRemoteAddress()
);
}
if($this->reflector->hasAnnotation('BruteForceProtection')) {
$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
$this->throttler->sleepDelay($this->request->getRemoteAddress(), $action);
@ -232,6 +206,7 @@ class SecurityMiddleware extends Middleware {
if(\OC_App::getAppPath($this->appName) !== false && !\OC_App::isEnabled($this->appName)) {
throw new AppNotEnabledException();
}
}
/**

283
tests/lib/AppFramework/Middleware/Security/RateLimitingMiddlewareTest.php Normal file
View File

@ -0,0 +1,283 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Test\AppFramework\Middleware\Security;
use OC\AppFramework\Middleware\Security\RateLimitingMiddleware;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Security\RateLimiting\Exception\RateLimitExceededException;
use OC\Security\RateLimiting\Limiter;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\IRequest;
use OCP\IUser;
use OCP\IUserSession;
use Test\TestCase;
class RateLimitingMiddlewareTest extends TestCase {
/** @var IRequest|\PHPUnit_Framework_MockObject_MockObject */
private $request;
/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
private $userSession;
/** @var ControllerMethodReflector|\PHPUnit_Framework_MockObject_MockObject */
private $reflector;
/** @var Limiter|\PHPUnit_Framework_MockObject_MockObject */
private $limiter;
/** @var RateLimitingMiddleware */
private $rateLimitingMiddleware;
public function setUp() {
parent::setUp();
$this->request = $this->createMock(IRequest::class);
$this->userSession = $this->createMock(IUserSession::class);
$this->reflector = $this->createMock(ControllerMethodReflector::class);
$this->limiter = $this->createMock(Limiter::class);
$this->rateLimitingMiddleware = new RateLimitingMiddleware(
$this->request,
$this->userSession,
$this->reflector,
$this->limiter
);
}
public function testBeforeControllerWithoutAnnotation() {
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('');
$this->limiter
->expects($this->never())
->method('registerUserRequest');
$this->limiter
->expects($this->never())
->method('registerAnonRequest');
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
public function testBeforeControllerForAnon() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getRemoteAddress')
->willReturn('127.0.0.1');
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('100');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('10');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('');
$this->limiter
->expects($this->never())
->method('registerUserRequest');
$this->limiter
->expects($this->once())
->method('registerAnonRequest')
->with(get_class($controller) . '::testMethod', '100', '10', '127.0.0.1');
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
public function testBeforeControllerForLoggedIn() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */
$user = $this->createMock(IUser::class);
$this->userSession
->expects($this->once())
->method('isLoggedIn')
->willReturn(true);
$this->userSession
->expects($this->once())
->method('getUser')
->willReturn($user);
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('100');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('10');
$this->limiter
->expects($this->never())
->method('registerAnonRequest');
$this->limiter
->expects($this->once())
->method('registerUserRequest')
->with(get_class($controller) . '::testMethod', '100', '10', $user);
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
public function testBeforeControllerAnonWithFallback() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getRemoteAddress')
->willReturn('127.0.0.1');
$this->userSession
->expects($this->once())
->method('isLoggedIn')
->willReturn(false);
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('200');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('20');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('100');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('10');
$this->limiter
->expects($this->never())
->method('registerUserRequest');
$this->limiter
->expects($this->once())
->method('registerAnonRequest')
->with(get_class($controller) . '::testMethod', '200', '20', '127.0.0.1');
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
/**
* @expectedException \Exception
* @expectedExceptionMessage My test exception
*/
public function testAfterExceptionWithOtherException() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->rateLimitingMiddleware->afterException($controller, 'testMethod', new \Exception('My test exception'));
}
public function testAfterExceptionWithJsonBody() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getHeader')
->with('Accept')
->willReturn('JSON');
$result = $this->rateLimitingMiddleware->afterException($controller, 'testMethod', new RateLimitExceededException());
$expected = new JSONResponse(
[
'message' => 'Rate limit exceeded',
],
429
);
$this->assertEquals($expected, $result);
}
public function testAfterExceptionWithHtmlBody() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getHeader')
->with('Accept')
->willReturn('html');
$result = $this->rateLimitingMiddleware->afterException($controller, 'testMethod', new RateLimitExceededException());
$expected = new TemplateResponse(
'core',
'403',
[
'file' => 'Rate limit exceeded',
],
'guest'
);
$expected->setStatus(429);
$this->assertEquals($expected, $result);
}
}

44
tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
View File

@ -40,7 +40,6 @@ use OC\Security\CSP\ContentSecurityPolicyManager;
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
use OC\Security\CSRF\CsrfToken;
use OC\Security\CSRF\CsrfTokenManager;
use OC\Security\RateLimiting\Limiter;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
use OCP\AppFramework\Http\RedirectResponse;
@ -53,7 +52,6 @@ use OCP\INavigationManager;
use OCP\IRequest;
use OCP\ISession;
use OCP\IURLGenerator;
use OCP\IUserSession;
use OCP\Security\ISecureRandom;
@ -85,10 +83,6 @@ class SecurityMiddlewareTest extends \Test\TestCase {
private $csrfTokenManager;
/** @var ContentSecurityPolicyNonceManager|\PHPUnit_Framework_MockObject_MockObject */
private $cspNonceManager;
/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
private $userSession;
/** @var Limiter|\PHPUnit_Framework_MockObject_MockObject */
private $limiter;
/** @var Throttler|\PHPUnit_Framework_MockObject_MockObject */
private $bruteForceThrottler;
@ -99,8 +93,6 @@ class SecurityMiddlewareTest extends \Test\TestCase {
$this->reader = new ControllerMethodReflector();
$this->logger = $this->createMock(ILogger::class);
$this->navigationManager = $this->createMock(INavigationManager::class);
$this->userSession = $this->createMock(IUserSession::class);
$this->limiter = $this->createMock(Limiter::class);
$this->urlGenerator = $this->createMock(IURLGenerator::class);
$this->session = $this->createMock(ISession::class);
$this->request = $this->createMock(IRequest::class);
@ -119,11 +111,6 @@ class SecurityMiddlewareTest extends \Test\TestCase {
* @return SecurityMiddleware
*/
private function getMiddleware($isLoggedIn, $isAdminUser) {
$this->userSession
->expects($this->any())
->method('isLoggedIn')
->willReturn($isLoggedIn);
return new SecurityMiddleware(
$this->request,
$this->reader,
@ -132,13 +119,12 @@ class SecurityMiddlewareTest extends \Test\TestCase {
$this->logger,
$this->session,
'files',
$this->userSession,
$isLoggedIn,
$isAdminUser,
$this->contentSecurityPolicyManager,
$this->csrfTokenManager,
$this->cspNonceManager,
$this->bruteForceThrottler,
$this->limiter
$this->bruteForceThrottler
);
}
@ -687,36 +673,14 @@ class SecurityMiddlewareTest extends \Test\TestCase {
$this->logger,
$this->session,
'files',
$this->userSession,
false,
false,
$this->contentSecurityPolicyManager,
$this->csrfTokenManager,
$this->cspNonceManager,
$this->bruteForceThrottler,
$this->limiter
$this->bruteForceThrottler
);
$reader
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('');
$reader
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('');
$reader
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('');
$reader
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('');
$reader->expects($this->any())->method('hasAnnotation')
->willReturnCallback(
function($annotation) use ($bruteForceProtectionEnabled) {