mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Mark IP as whitelisted if brute force protection is disabled 

Currently, when disabling the brute force protection no new brute force attempts are logged. However, the ones logged within the last 24 hours will still be used for throttling.

This is quite an unexpected behaviour and caused some support issues. With this change when the brute force protection is disabled also the existing attempts within the last 24 hours will be disregarded.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
This commit is contained in:
Lukas Reschke 2017-05-01 18:31:45 +02:00
parent a2f6fea408
commit a5ccb31e85
No known key found for this signature in database
GPG Key ID: B9F6980CF6E759B1
2 changed files with 55 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/private/Security/Bruteforce/Throttler.php
View File

@ -133,6 +133,10 @@ class Throttler {
* @return bool
*/
private function isIPWhitelisted($ip) {
if($this->config->getSystemValue('auth.bruteforce.protection.enabled', true) === false) {
return true;
}
$keys = $this->config->getAppKeys('bruteForce');
$keys = array_filter($keys, function($key) {
$regex = '/^whitelist_/S';

59
tests/lib/Security/Bruteforce/ThrottlerTest.php
View File

@ -54,19 +54,19 @@ class ThrottlerTest extends TestCase {
$this->logger,
$this->config
);
return parent::setUp();
parent::setUp();
}
public function testCutoff() {
// precisely 31 second shy of 12 hours
$cutoff = $this->invokePrivate($this->throttler, 'getCutoff', [43169]);
$cutoff = self::invokePrivate($this->throttler, 'getCutoff', [43169]);
$this->assertSame(0, $cutoff->y);
$this->assertSame(0, $cutoff->m);
$this->assertSame(0, $cutoff->d);
$this->assertSame(11, $cutoff->h);
$this->assertSame(59, $cutoff->i);
$this->assertSame(29, $cutoff->s);
$cutoff = $this->invokePrivate($this->throttler, 'getCutoff', [86401]);
$cutoff = self::invokePrivate($this->throttler, 'getCutoff', [86401]);
$this->assertSame(0, $cutoff->y);
$this->assertSame(0, $cutoff->m);
$this->assertSame(1, $cutoff->d);
@ -136,16 +136,23 @@ class ThrottlerTest extends TestCase {
}
/**
* @dataProvider dataIsIPWhitelisted
*
* @param string $ip
* @param string[] $whitelists
* @param string[]$whitelists
* @param bool $isWhiteListed
* @param bool $enabled
*/
public function testIsIPWhitelisted($ip, $whitelists, $isWhiteListed) {
private function isIpWhiteListedHelper($ip,
$whitelists,
$isWhiteListed,
$enabled) {
$this->config->method('getAppKeys')
->with($this->equalTo('bruteForce'))
->willReturn(array_keys($whitelists));
$this->config
->expects($this->once())
->method('getSystemValue')
->with('auth.bruteforce.protection.enabled', true)
->willReturn($enabled);
$this->config->method('getAppValue')
->will($this->returnCallback(function($app, $key, $default) use ($whitelists) {
@ -159,8 +166,44 @@ class ThrottlerTest extends TestCase {
}));
$this->assertSame(
($enabled === false) ? true : $isWhiteListed,
self::invokePrivate($this->throttler, 'isIPWhitelisted', [$ip])
);
}
/**
* @dataProvider dataIsIPWhitelisted
*
* @param string $ip
* @param string[] $whitelists
* @param bool $isWhiteListed
*/
public function testIsIpWhiteListedWithEnabledProtection($ip,
$whitelists,
$isWhiteListed) {
$this->isIpWhiteListedHelper(
$ip,
$whitelists,
$isWhiteListed,
$this->invokePrivate($this->throttler, 'isIPWhitelisted', [$ip])
true
);
}
/**
* @dataProvider dataIsIPWhitelisted
*
* @param string $ip
* @param string[] $whitelists
* @param bool $isWhiteListed
*/
public function testIsIpWhiteListedWithDisabledProtection($ip,
$whitelists,
$isWhiteListed) {
$this->isIpWhiteListedHelper(
$ip,
$whitelists,
$isWhiteListed,
false
);
}
}