Merge pull request #479 from nextcloud/add-bruteforce-throttler

Implement brute force protection
This commit is contained in:
Lukas Reschke 2016-07-21 00:31:02 +02:00 committed by GitHub
commit c385423d10
25 changed files with 699 additions and 66 deletions

View File

@ -35,6 +35,7 @@ $authBackend = new Auth(
\OC::$server->getUserSession(), \OC::$server->getUserSession(),
\OC::$server->getRequest(), \OC::$server->getRequest(),
\OC::$server->getTwoFactorAuthManager(), \OC::$server->getTwoFactorAuthManager(),
\OC::$server->getBruteForceThrottler(),
'principals/' 'principals/'
); );
$principalBackend = new Principal( $principalBackend = new Principal(

View File

@ -36,6 +36,7 @@ $authBackend = new Auth(
\OC::$server->getUserSession(), \OC::$server->getUserSession(),
\OC::$server->getRequest(), \OC::$server->getRequest(),
\OC::$server->getTwoFactorAuthManager(), \OC::$server->getTwoFactorAuthManager(),
\OC::$server->getBruteForceThrottler(),
'principals/' 'principals/'
); );
$principalBackend = new Principal( $principalBackend = new Principal(

View File

@ -43,6 +43,7 @@ $authBackend = new \OCA\DAV\Connector\Sabre\Auth(
\OC::$server->getUserSession(), \OC::$server->getUserSession(),
\OC::$server->getRequest(), \OC::$server->getRequest(),
\OC::$server->getTwoFactorAuthManager(), \OC::$server->getTwoFactorAuthManager(),
\OC::$server->getBruteForceThrottler(),
'principals/' 'principals/'
); );
$requestUri = \OC::$server->getRequest()->getRequestUri(); $requestUri = \OC::$server->getRequest()->getRequestUri();

View File

@ -33,6 +33,7 @@ use Exception;
use OC\AppFramework\Http\Request; use OC\AppFramework\Http\Request;
use OC\Authentication\Exceptions\PasswordLoginForbiddenException; use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
use OC\Authentication\TwoFactorAuth\Manager; use OC\Authentication\TwoFactorAuth\Manager;
use OC\Security\Bruteforce\Throttler;
use OC\User\Session; use OC\User\Session;
use OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden; use OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden;
use OCP\IRequest; use OCP\IRequest;
@ -58,23 +59,28 @@ class Auth extends AbstractBasic {
private $currentUser; private $currentUser;
/** @var Manager */ /** @var Manager */
private $twoFactorManager; private $twoFactorManager;
/** @var Throttler */
private $throttler;
/** /**
* @param ISession $session * @param ISession $session
* @param Session $userSession * @param Session $userSession
* @param IRequest $request * @param IRequest $request
* @param Manager $twoFactorManager * @param Manager $twoFactorManager
* @param Throttler $throttler
* @param string $principalPrefix * @param string $principalPrefix
*/ */
public function __construct(ISession $session, public function __construct(ISession $session,
Session $userSession, Session $userSession,
IRequest $request, IRequest $request,
Manager $twoFactorManager, Manager $twoFactorManager,
Throttler $throttler,
$principalPrefix = 'principals/users/') { $principalPrefix = 'principals/users/') {
$this->session = $session; $this->session = $session;
$this->userSession = $userSession; $this->userSession = $userSession;
$this->twoFactorManager = $twoFactorManager; $this->twoFactorManager = $twoFactorManager;
$this->request = $request; $this->request = $request;
$this->throttler = $throttler;
$this->principalPrefix = $principalPrefix; $this->principalPrefix = $principalPrefix;
// setup realm // setup realm
@ -107,6 +113,7 @@ class Auth extends AbstractBasic {
* @param string $username * @param string $username
* @param string $password * @param string $password
* @return bool * @return bool
* @throws PasswordLoginForbidden
*/ */
protected function validateUserPass($username, $password) { protected function validateUserPass($username, $password) {
if ($this->userSession->isLoggedIn() && if ($this->userSession->isLoggedIn() &&
@ -118,7 +125,7 @@ class Auth extends AbstractBasic {
} else { } else {
\OC_Util::setupFS(); //login hooks may need early access to the filesystem \OC_Util::setupFS(); //login hooks may need early access to the filesystem
try { try {
if ($this->userSession->logClientIn($username, $password, $this->request)) { if ($this->userSession->logClientIn($username, $password, $this->request, $this->throttler)) {
\OC_Util::setupFS($this->userSession->getUser()->getUID()); \OC_Util::setupFS($this->userSession->getUser()->getUID());
$this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID()); $this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID());
$this->session->close(); $this->session->close();

View File

@ -64,7 +64,8 @@ class Server {
\OC::$server->getSession(), \OC::$server->getSession(),
\OC::$server->getUserSession(), \OC::$server->getUserSession(),
\OC::$server->getRequest(), \OC::$server->getRequest(),
\OC::$server->getTwoFactorAuthManager() \OC::$server->getTwoFactorAuthManager(),
\OC::$server->getBruteForceThrottler()
); );
// Set URL explicitly due to reverse-proxy situations // Set URL explicitly due to reverse-proxy situations

View File

@ -28,6 +28,7 @@
namespace OCA\DAV\Tests\unit\Connector\Sabre; namespace OCA\DAV\Tests\unit\Connector\Sabre;
use OC\Authentication\TwoFactorAuth\Manager; use OC\Authentication\TwoFactorAuth\Manager;
use OC\Security\Bruteforce\Throttler;
use OC\User\Session; use OC\User\Session;
use OCP\IRequest; use OCP\IRequest;
use OCP\ISession; use OCP\ISession;
@ -51,6 +52,8 @@ class AuthTest extends TestCase {
private $request; private $request;
/** @var Manager */ /** @var Manager */
private $twoFactorManager; private $twoFactorManager;
/** @var Throttler */
private $throttler;
public function setUp() { public function setUp() {
parent::setUp(); parent::setUp();
@ -63,11 +66,15 @@ class AuthTest extends TestCase {
$this->twoFactorManager = $this->getMockBuilder('\OC\Authentication\TwoFactorAuth\Manager') $this->twoFactorManager = $this->getMockBuilder('\OC\Authentication\TwoFactorAuth\Manager')
->disableOriginalConstructor() ->disableOriginalConstructor()
->getMock(); ->getMock();
$this->throttler = $this->getMockBuilder('\OC\Security\Bruteforce\Throttler')
->disableOriginalConstructor()
->getMock();
$this->auth = new \OCA\DAV\Connector\Sabre\Auth( $this->auth = new \OCA\DAV\Connector\Sabre\Auth(
$this->session, $this->session,
$this->userSession, $this->userSession,
$this->request, $this->request,
$this->twoFactorManager $this->twoFactorManager,
$this->throttler
); );
} }

View File

@ -9,6 +9,9 @@ else
exit 1 exit 1
fi fi
# Disable bruteforce protection because the integration tests do trigger them
../../occ config:system:set auth.bruteforce.protection.enabled --value false --type bool
composer install composer install
SCENARIO_TO_RUN=$1 SCENARIO_TO_RUN=$1

View File

@ -207,6 +207,13 @@ $CONFIG = array(
*/ */
'token_auth_enforced' => false, 'token_auth_enforced' => false,
/**
* Whether the bruteforce protection shipped with Nextcloud should be enabled or not.
*
* Disabling this is discouraged for security reasons.
*/
'auth.bruteforce.protection.enabled' => true,
/** /**
* The directory where the skeleton files are located. These files will be * The directory where the skeleton files are located. These files will be
* copied to the data directory of new users. Leave empty to not copy any * copied to the data directory of new users. Leave empty to not copy any

View File

@ -103,7 +103,8 @@ class Application extends App {
$c->query('Session'), $c->query('Session'),
$c->query('UserSession'), $c->query('UserSession'),
$c->query('URLGenerator'), $c->query('URLGenerator'),
$c->query('TwoFactorAuthManager') $c->query('TwoFactorAuthManager'),
$c->query('ServerContainer')->getBruteforceThrottler()
); );
}); });
$container->registerService('TwoFactorChallengeController', function (SimpleContainer $c) { $container->registerService('TwoFactorChallengeController', function (SimpleContainer $c) {

View File

@ -22,7 +22,9 @@
namespace OC\Core\Controller; namespace OC\Core\Controller;
use OC\AppFramework\Utility\TimeFactory;
use OC\Authentication\TwoFactorAuth\Manager; use OC\Authentication\TwoFactorAuth\Manager;
use OC\Security\Bruteforce\Throttler;
use OC\User\Session; use OC\User\Session;
use OC_App; use OC_App;
use OC_Util; use OC_Util;
@ -37,24 +39,20 @@ use OCP\IUser;
use OCP\IUserManager; use OCP\IUserManager;
class LoginController extends Controller { class LoginController extends Controller {
/** @var IUserManager */ /** @var IUserManager */
private $userManager; private $userManager;
/** @var IConfig */ /** @var IConfig */
private $config; private $config;
/** @var ISession */ /** @var ISession */
private $session; private $session;
/** @var Session */ /** @var Session */
private $userSession; private $userSession;
/** @var IURLGenerator */ /** @var IURLGenerator */
private $urlGenerator; private $urlGenerator;
/** @var Manager */ /** @var Manager */
private $twoFactorManager; private $twoFactorManager;
/** @var Throttler */
private $throttler;
/** /**
* @param string $appName * @param string $appName
@ -65,9 +63,17 @@ class LoginController extends Controller {
* @param Session $userSession * @param Session $userSession
* @param IURLGenerator $urlGenerator * @param IURLGenerator $urlGenerator
* @param Manager $twoFactorManager * @param Manager $twoFactorManager
* @param Throttler $throttler
*/ */
function __construct($appName, IRequest $request, IUserManager $userManager, IConfig $config, ISession $session, function __construct($appName,
Session $userSession, IURLGenerator $urlGenerator, Manager $twoFactorManager) { IRequest $request,
IUserManager $userManager,
IConfig $config,
ISession $session,
Session $userSession,
IURLGenerator $urlGenerator,
Manager $twoFactorManager,
Throttler $throttler) {
parent::__construct($appName, $request); parent::__construct($appName, $request);
$this->userManager = $userManager; $this->userManager = $userManager;
$this->config = $config; $this->config = $config;
@ -75,6 +81,7 @@ class LoginController extends Controller {
$this->userSession = $userSession; $this->userSession = $userSession;
$this->urlGenerator = $urlGenerator; $this->urlGenerator = $urlGenerator;
$this->twoFactorManager = $twoFactorManager; $this->twoFactorManager = $twoFactorManager;
$this->throttler = $throttler;
} }
/** /**
@ -171,6 +178,9 @@ class LoginController extends Controller {
* @return RedirectResponse * @return RedirectResponse
*/ */
public function tryLogin($user, $password, $redirect_url) { public function tryLogin($user, $password, $redirect_url) {
$currentDelay = $this->throttler->getDelay($this->request->getRemoteAddress());
$this->throttler->sleepDelay($this->request->getRemoteAddress());
$originalUser = $user; $originalUser = $user;
// TODO: Add all the insane error handling // TODO: Add all the insane error handling
/* @var $loginResult IUser */ /* @var $loginResult IUser */
@ -184,6 +194,10 @@ class LoginController extends Controller {
} }
} }
if ($loginResult === false) { if ($loginResult === false) {
$this->throttler->registerAttempt('login', $this->request->getRemoteAddress(), ['user' => $originalUser]);
if($currentDelay === 0) {
$this->throttler->sleepDelay($this->request->getRemoteAddress());
}
$this->session->set('loginMessages', [ $this->session->set('loginMessages', [
['invalidpassword'] ['invalidpassword']
]); ]);

View File

@ -1,5 +1,4 @@
<?php <?php
/** /**
* @author Christoph Wurst <christoph@owncloud.com> * @author Christoph Wurst <christoph@owncloud.com>
* *
@ -23,6 +22,7 @@
namespace OC\Core\Controller; namespace OC\Core\Controller;
use OC\AppFramework\Http; use OC\AppFramework\Http;
use OC\AppFramework\Utility\TimeFactory;
use OC\Authentication\Token\DefaultTokenProvider; use OC\Authentication\Token\DefaultTokenProvider;
use OC\Authentication\Token\IProvider; use OC\Authentication\Token\IProvider;
use OC\Authentication\Token\IToken; use OC\Authentication\Token\IToken;
@ -35,27 +35,29 @@ use OCP\IRequest;
use OCP\Security\ISecureRandom; use OCP\Security\ISecureRandom;
class TokenController extends Controller { class TokenController extends Controller {
/** @var UserManager */ /** @var UserManager */
private $userManager; private $userManager;
/** @var IProvider */ /** @var IProvider */
private $tokenProvider; private $tokenProvider;
/** @var TwoFactorAuthManager */ /** @var TwoFactorAuthManager */
private $twoFactorAuthManager; private $twoFactorAuthManager;
/** @var ISecureRandom */ /** @var ISecureRandom */
private $secureRandom; private $secureRandom;
/** /**
* @param string $appName * @param string $appName
* @param IRequest $request * @param IRequest $request
* @param Manager $userManager * @param UserManager $userManager
* @param DefaultTokenProvider $tokenProvider * @param IProvider $tokenProvider
* @param TwoFactorAuthManager $twoFactorAuthManager
* @param ISecureRandom $secureRandom * @param ISecureRandom $secureRandom
*/ */
public function __construct($appName, IRequest $request, UserManager $userManager, IProvider $tokenProvider, TwoFactorAuthManager $twoFactorAuthManager, ISecureRandom $secureRandom) { public function __construct($appName,
IRequest $request,
UserManager $userManager,
IProvider $tokenProvider,
TwoFactorAuthManager $twoFactorAuthManager,
ISecureRandom $secureRandom) {
parent::__construct($appName, $request); parent::__construct($appName, $request);
$this->userManager = $userManager; $this->userManager = $userManager;
$this->tokenProvider = $tokenProvider; $this->tokenProvider = $tokenProvider;

View File

@ -1163,6 +1163,84 @@
</declaration> </declaration>
</table> </table>
<table>
<!--
List of usernames, their display name and login password.
-->
<name>*dbprefix*bruteforce_attempts</name>
<declaration>
<field>
<name>id</name>
<type>integer</type>
<default>0</default>
<notnull>true</notnull>
<autoincrement>1</autoincrement>
<unsigned>true</unsigned>
<length>4</length>
</field>
<field>
<name>action</name>
<type>text</type>
<default></default>
<notnull>true</notnull>
<length>64</length>
</field>
<field>
<name>occurred</name>
<type>integer</type>
<default>0</default>
<notnull>true</notnull>
<unsigned>true</unsigned>
<length>4</length>
</field>
<field>
<name>ip</name>
<type>text</type>
<default></default>
<notnull>true</notnull>
<length>255</length>
</field>
<field>
<name>subnet</name>
<type>text</type>
<default></default>
<notnull>true</notnull>
<length>255</length>
</field>
<field>
<name>metadata</name>
<type>text</type>
<default></default>
<notnull>true</notnull>
<length>255</length>
</field>
<index>
<name>bruteforce_attempts_ip</name>
<field>
<name>ip</name>
<sorting>ascending</sorting>
</field>
</index>
<index>
<name>bruteforce_attempts_subnet</name>
<field>
<name>subnet</name>
<sorting>ascending</sorting>
</field>
</index>
</declaration>
</table>
<table> <table>
<!-- <!--

View File

@ -993,7 +993,7 @@ class OC {
if ($userSession->tryTokenLogin($request)) { if ($userSession->tryTokenLogin($request)) {
return true; return true;
} }
if ($userSession->tryBasicAuthLogin($request)) { if ($userSession->tryBasicAuthLogin($request, \OC::$server->getBruteForceThrottler())) {
return true; return true;
} }
return false; return false;

View File

@ -352,7 +352,8 @@ class DIContainer extends SimpleContainer implements IAppContainer {
return new CORSMiddleware( return new CORSMiddleware(
$c['Request'], $c['Request'],
$c['ControllerMethodReflector'], $c['ControllerMethodReflector'],
$c['OCP\IUserSession'] $c['OCP\IUserSession'],
$c->getServer()->getBruteForceThrottler()
); );
}); });

View File

@ -27,6 +27,7 @@ namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException; use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
use OC\AppFramework\Utility\ControllerMethodReflector; use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Authentication\Exceptions\PasswordLoginForbiddenException; use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
use OC\Security\Bruteforce\Throttler;
use OC\User\Session; use OC\User\Session;
use OCP\AppFramework\Controller; use OCP\AppFramework\Controller;
use OCP\AppFramework\Http; use OCP\AppFramework\Http;
@ -42,33 +43,29 @@ use OCP\IRequest;
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS * https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
*/ */
class CORSMiddleware extends Middleware { class CORSMiddleware extends Middleware {
/** @var IRequest */
/**
* @var IRequest
*/
private $request; private $request;
/** @var ControllerMethodReflector */
/**
* @var ControllerMethodReflector
*/
private $reflector; private $reflector;
/** @var Session */
/**
* @var Session
*/
private $session; private $session;
/** @var Throttler */
private $throttler;
/** /**
* @param IRequest $request * @param IRequest $request
* @param ControllerMethodReflector $reflector * @param ControllerMethodReflector $reflector
* @param Session $session * @param Session $session
* @param Throttler $throttler
*/ */
public function __construct(IRequest $request, public function __construct(IRequest $request,
ControllerMethodReflector $reflector, ControllerMethodReflector $reflector,
Session $session) { Session $session,
Throttler $throttler) {
$this->request = $request; $this->request = $request;
$this->reflector = $reflector; $this->reflector = $reflector;
$this->session = $session; $this->session = $session;
$this->throttler = $throttler;
} }
/** /**
@ -91,7 +88,7 @@ class CORSMiddleware extends Middleware {
$this->session->logout(); $this->session->logout();
try { try {
if (!$this->session->logClientIn($user, $pass, $this->request)) { if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED); throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
} }
} catch (PasswordLoginForbiddenException $ex) { } catch (PasswordLoginForbiddenException $ex) {

View File

@ -0,0 +1,230 @@
<?php
/**
* @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Security\Bruteforce;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IConfig;
use OCP\IDBConnection;
use OCP\ILogger;
/**
* Class Throttler implements the bruteforce protection for security actions in
* Nextcloud.
*
* It is working by logging invalid login attempts to the database and slowing
* down all login attempts from the same subnet. The max delay is 30 seconds and
* the starting delay are 200 milliseconds. (after the first failed login)
*
* This is based on Paragonie's AirBrake for Airship CMS. You can find the original
* code at https://github.com/paragonie/airship/blob/7e5bad7e3c0fbbf324c11f963fd1f80e59762606/src/Engine/Security/AirBrake.php
*
* @package OC\Security\Bruteforce
*/
class Throttler {
const LOGIN_ACTION = 'login';
/** @var IDBConnection */
private $db;
/** @var ITimeFactory */
private $timeFactory;
/** @var ILogger */
private $logger;
/** @var IConfig */
private $config;
/**
* @param IDBConnection $db
* @param ITimeFactory $timeFactory
* @param ILogger $logger
* @param IConfig $config
*/
public function __construct(IDBConnection $db,
ITimeFactory $timeFactory,
ILogger $logger,
IConfig $config) {
$this->db = $db;
$this->timeFactory = $timeFactory;
$this->logger = $logger;
$this->config = $config;
}
/**
* Convert a number of seconds into the appropriate DateInterval
*
* @param int $expire
* @return \DateInterval
*/
private function getCutoff($expire) {
$d1 = new \DateTime();
$d2 = clone $d1;
$d2->sub(new \DateInterval('PT' . $expire . 'S'));
return $d2->diff($d1);
}
/**
* Return the given subnet for an IPv4 address and mask bits
*
* @param string $ip
* @param int $maskBits
* @return string
*/
private function getIPv4Subnet($ip,
$maskBits = 32) {
$binary = \inet_pton($ip);
for ($i = 32; $i > $maskBits; $i -= 8) {
$j = \intdiv($i, 8) - 1;
$k = (int) \min(8, $i - $maskBits);
$mask = (0xff - ((pow(2, $k)) - 1));
$int = \unpack('C', $binary[$j]);
$binary[$j] = \pack('C', $int[1] & $mask);
}
return \inet_ntop($binary).'/'.$maskBits;
}
/**
* Return the given subnet for an IPv6 address and mask bits
*
* @param string $ip
* @param int $maskBits
* @return string
*/
private function getIPv6Subnet($ip, $maskBits = 48) {
$binary = \inet_pton($ip);
for ($i = 128; $i > $maskBits; $i -= 8) {
$j = \intdiv($i, 8) - 1;
$k = (int) \min(8, $i - $maskBits);
$mask = (0xff - ((pow(2, $k)) - 1));
$int = \unpack('C', $binary[$j]);
$binary[$j] = \pack('C', $int[1] & $mask);
}
return \inet_ntop($binary).'/'.$maskBits;
}
/**
* Return the given subnet for an IP and the configured mask bits
*
* Determine if the IP is an IPv4 or IPv6 address, then pass to the correct
* method for handling that specific type.
*
* @param string $ip
* @return string
*/
private function getSubnet($ip) {
if (\preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $ip)) {
return $this->getIPv4Subnet(
$ip,
32
);
}
return $this->getIPv6Subnet(
$ip,
128
);
}
/**
* Register a failed attempt to bruteforce a security control
*
* @param string $action
* @param string $ip
* @param array $metadata Optional metadata logged to the database
*/
public function registerAttempt($action,
$ip,
array $metadata = []) {
// No need to log if the bruteforce protection is disabled
if($this->config->getSystemValue('auth.bruteforce.protection.enabled', true) === false) {
return;
}
$values = [
'action' => $action,
'occurred' => $this->timeFactory->getTime(),
'ip' => $ip,
'subnet' => $this->getSubnet($ip),
'metadata' => json_encode($metadata),
];
$this->logger->notice(
sprintf(
'Bruteforce attempt from "%s" detected for action "%s".',
$ip,
$action
),
[
'app' => 'core',
]
);
$qb = $this->db->getQueryBuilder();
$qb->insert('bruteforce_attempts');
foreach($values as $column => $value) {
$qb->setValue($column, $qb->createNamedParameter($value));
}
$qb->execute();
}
/**
* Get the throttling delay (in milliseconds)
*
* @param string $ip
* @return int
*/
public function getDelay($ip) {
$cutoffTime = (new \DateTime())
->sub($this->getCutoff(43200))
->getTimestamp();
$qb = $this->db->getQueryBuilder();
$qb->select('*')
->from('bruteforce_attempts')
->where($qb->expr()->gt('occurred', $qb->createNamedParameter($cutoffTime)))
->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($this->getSubnet($ip))));
$attempts = count($qb->execute()->fetchAll());
if ($attempts === 0) {
return 0;
}
$maxDelay = 30;
$firstDelay = 0.1;
if ($attempts > (8 * PHP_INT_SIZE - 1)) {
// Don't ever overflow. Just assume the maxDelay time:s
$firstDelay = $maxDelay;
} else {
$firstDelay *= pow(2, $attempts);
if ($firstDelay > $maxDelay) {
$firstDelay = $maxDelay;
}
}
return (int) \ceil($firstDelay * 1000);
}
/**
* Will sleep for the defined amount of time
*
* @param string $ip
*/
public function sleepDelay($ip) {
usleep($this->getDelay($ip) * 1000);
}
}

View File

@ -66,6 +66,7 @@ use OC\Lock\NoopLockingProvider;
use OC\Mail\Mailer; use OC\Mail\Mailer;
use OC\Memcache\ArrayCache; use OC\Memcache\ArrayCache;
use OC\Notification\Manager; use OC\Notification\Manager;
use OC\Security\Bruteforce\Throttler;
use OC\Security\CertificateManager; use OC\Security\CertificateManager;
use OC\Security\CSP\ContentSecurityPolicyManager; use OC\Security\CSP\ContentSecurityPolicyManager;
use OC\Security\Crypto; use OC\Security\Crypto;
@ -503,6 +504,14 @@ class Server extends ServerContainer implements IServerContainer {
$this->registerService('TrustedDomainHelper', function ($c) { $this->registerService('TrustedDomainHelper', function ($c) {
return new TrustedDomainHelper($this->getConfig()); return new TrustedDomainHelper($this->getConfig());
}); });
$this->registerService('Throttler', function(Server $c) {
return new Throttler(
$c->getDatabaseConnection(),
new TimeFactory(),
$c->getLogger(),
$c->getConfig()
);
});
$this->registerService('IntegrityCodeChecker', function (Server $c) { $this->registerService('IntegrityCodeChecker', function (Server $c) {
// IConfig and IAppManager requires a working database. This code // IConfig and IAppManager requires a working database. This code
// might however be called when ownCloud is not yet setup. // might however be called when ownCloud is not yet setup.
@ -1330,6 +1339,13 @@ class Server extends ServerContainer implements IServerContainer {
return $this->query('CsrfTokenManager'); return $this->query('CsrfTokenManager');
} }
/**
* @return Throttler
*/
public function getBruteForceThrottler() {
return $this->query('Throttler');
}
/** /**
* @return IContentSecurityPolicyManager * @return IContentSecurityPolicyManager
*/ */

View File

@ -95,7 +95,11 @@ class Session implements IUserSession, Emitter {
* @param IProvider $tokenProvider * @param IProvider $tokenProvider
* @param IConfig $config * @param IConfig $config
*/ */
public function __construct(IUserManager $manager, ISession $session, ITimeFactory $timeFacory, $tokenProvider, IConfig $config) { public function __construct(IUserManager $manager,
ISession $session,
ITimeFactory $timeFacory,
$tokenProvider,
IConfig $config) {
$this->manager = $manager; $this->manager = $manager;
$this->session = $session; $this->session = $session;
$this->timeFacory = $timeFacory; $this->timeFacory = $timeFacory;
@ -280,7 +284,6 @@ class Session implements IUserSession, Emitter {
*/ */
public function login($uid, $password) { public function login($uid, $password) {
$this->session->regenerateId(); $this->session->regenerateId();
if ($this->validateToken($password, $uid)) { if ($this->validateToken($password, $uid)) {
return $this->loginWithToken($password); return $this->loginWithToken($password);
} else { } else {
@ -298,11 +301,18 @@ class Session implements IUserSession, Emitter {
* @param string $user * @param string $user
* @param string $password * @param string $password
* @param IRequest $request * @param IRequest $request
* @param OC\Security\Bruteforce\Throttler $throttler
* @throws LoginException * @throws LoginException
* @throws PasswordLoginForbiddenException * @throws PasswordLoginForbiddenException
* @return boolean * @return boolean
*/ */
public function logClientIn($user, $password, IRequest $request) { public function logClientIn($user,
$password,
IRequest $request,
OC\Security\Bruteforce\Throttler $throttler) {
$currentDelay = $throttler->getDelay($request->getRemoteAddress());
$throttler->sleepDelay($request->getRemoteAddress());
$isTokenPassword = $this->isTokenPassword($password); $isTokenPassword = $this->isTokenPassword($password);
if (!$isTokenPassword && $this->isTokenAuthEnforced()) { if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
throw new PasswordLoginForbiddenException(); throw new PasswordLoginForbiddenException();
@ -315,6 +325,11 @@ class Session implements IUserSession, Emitter {
if (count($users) === 1) { if (count($users) === 1) {
return $this->login($users[0]->getUID(), $password); return $this->login($users[0]->getUID(), $password);
} }
$throttler->registerAttempt('login', $request->getRemoteAddress(), ['uid' => $user]);
if($currentDelay === 0) {
$throttler->sleepDelay($request->getRemoteAddress());
}
return false; return false;
} }
@ -391,10 +406,11 @@ class Session implements IUserSession, Emitter {
* @param IRequest $request * @param IRequest $request
* @return boolean if the login was successful * @return boolean if the login was successful
*/ */
public function tryBasicAuthLogin(IRequest $request) { public function tryBasicAuthLogin(IRequest $request,
OC\Security\Bruteforce\Throttler $throttler) {
if (!empty($request->server['PHP_AUTH_USER']) && !empty($request->server['PHP_AUTH_PW'])) { if (!empty($request->server['PHP_AUTH_USER']) && !empty($request->server['PHP_AUTH_PW'])) {
try { try {
if ($this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW'], $request)) { if ($this->logClientIn($request->server['PHP_AUTH_USER'], $request->server['PHP_AUTH_PW'], $request, $throttler)) {
/** /**
* Add DAV authenticated. This should in an ideal world not be * Add DAV authenticated. This should in an ideal world not be
* necessary but the iOS App reads cookies from anywhere instead * necessary but the iOS App reads cookies from anywhere instead

View File

@ -364,7 +364,7 @@ class OC_API {
try { try {
$loginSuccess = $userSession->tryTokenLogin($request); $loginSuccess = $userSession->tryTokenLogin($request);
if (!$loginSuccess) { if (!$loginSuccess) {
$loginSuccess = $userSession->tryBasicAuthLogin($request); $loginSuccess = $userSession->tryBasicAuthLogin($request, \OC::$server->getBruteForceThrottler());
} }
} catch (\OC\User\LoginException $e) { } catch (\OC\User\LoginException $e) {
return false; return false;

View File

@ -23,6 +23,7 @@ namespace Tests\Core\Controller;
use OC\Authentication\TwoFactorAuth\Manager; use OC\Authentication\TwoFactorAuth\Manager;
use OC\Core\Controller\LoginController; use OC\Core\Controller\LoginController;
use OC\Security\Bruteforce\Throttler;
use OCP\AppFramework\Http\RedirectResponse; use OCP\AppFramework\Http\RedirectResponse;
use OCP\AppFramework\Http\TemplateResponse; use OCP\AppFramework\Http\TemplateResponse;
use OCP\IConfig; use OCP\IConfig;
@ -51,6 +52,8 @@ class LoginControllerTest extends TestCase {
private $urlGenerator; private $urlGenerator;
/** @var Manager | \PHPUnit_Framework_MockObject_MockObject */ /** @var Manager | \PHPUnit_Framework_MockObject_MockObject */
private $twoFactorManager; private $twoFactorManager;
/** @var Throttler */
private $throttler;
public function setUp() { public function setUp() {
parent::setUp(); parent::setUp();
@ -65,6 +68,9 @@ class LoginControllerTest extends TestCase {
$this->twoFactorManager = $this->getMockBuilder('\OC\Authentication\TwoFactorAuth\Manager') $this->twoFactorManager = $this->getMockBuilder('\OC\Authentication\TwoFactorAuth\Manager')
->disableOriginalConstructor() ->disableOriginalConstructor()
->getMock(); ->getMock();
$this->throttler = $this->getMockBuilder('\OC\Security\Bruteforce\Throttler')
->disableOriginalConstructor()
->getMock();
$this->loginController = new LoginController( $this->loginController = new LoginController(
'core', 'core',
@ -74,7 +80,8 @@ class LoginControllerTest extends TestCase {
$this->session, $this->session,
$this->userSession, $this->userSession,
$this->urlGenerator, $this->urlGenerator,
$this->twoFactorManager $this->twoFactorManager,
$this->throttler
); );
} }
@ -277,10 +284,27 @@ class LoginControllerTest extends TestCase {
} }
public function testLoginWithInvalidCredentials() { public function testLoginWithInvalidCredentials() {
$user = $this->getMock('\OCP\IUser'); $user = 'MyUserName';
$password = 'secret'; $password = 'secret';
$loginPageUrl = 'some url'; $loginPageUrl = 'some url';
$this->request
->expects($this->exactly(4))
->method('getRemoteAddress')
->willReturn('192.168.0.1');
$this->throttler
->expects($this->exactly(2))
->method('sleepDelay')
->with('192.168.0.1');
$this->throttler
->expects($this->once())
->method('getDelay')
->with('192.168.0.1')
->willReturn(0);
$this->throttler
->expects($this->once())
->method('registerAttempt')
->with('login', '192.168.0.1', ['user' => 'MyUserName']);
$this->userManager->expects($this->once()) $this->userManager->expects($this->once())
->method('checkPassword') ->method('checkPassword')
->will($this->returnValue(false)); ->will($this->returnValue(false));
@ -302,6 +326,19 @@ class LoginControllerTest extends TestCase {
$password = 'secret'; $password = 'secret';
$indexPageUrl = 'some url'; $indexPageUrl = 'some url';
$this->request
->expects($this->exactly(2))
->method('getRemoteAddress')
->willReturn('192.168.0.1');
$this->throttler
->expects($this->once())
->method('sleepDelay')
->with('192.168.0.1');
$this->throttler
->expects($this->once())
->method('getDelay')
->with('192.168.0.1')
->willReturn(200);
$this->userManager->expects($this->once()) $this->userManager->expects($this->once())
->method('checkPassword') ->method('checkPassword')
->will($this->returnValue($user)); ->will($this->returnValue($user));
@ -334,6 +371,19 @@ class LoginControllerTest extends TestCase {
$originalUrl = 'another%20url'; $originalUrl = 'another%20url';
$redirectUrl = 'http://localhost/another url'; $redirectUrl = 'http://localhost/another url';
$this->request
->expects($this->exactly(2))
->method('getRemoteAddress')
->willReturn('192.168.0.1');
$this->throttler
->expects($this->once())
->method('sleepDelay')
->with('192.168.0.1');
$this->throttler
->expects($this->once())
->method('getDelay')
->with('192.168.0.1')
->willReturn(200);
$this->userManager->expects($this->once()) $this->userManager->expects($this->once())
->method('checkPassword') ->method('checkPassword')
->with('Jane', $password) ->with('Jane', $password)
@ -363,6 +413,19 @@ class LoginControllerTest extends TestCase {
$password = 'secret'; $password = 'secret';
$challengeUrl = 'challenge/url'; $challengeUrl = 'challenge/url';
$this->request
->expects($this->exactly(2))
->method('getRemoteAddress')
->willReturn('192.168.0.1');
$this->throttler
->expects($this->once())
->method('sleepDelay')
->with('192.168.0.1');
$this->throttler
->expects($this->once())
->method('getDelay')
->with('192.168.0.1')
->willReturn(200);
$this->userManager->expects($this->once()) $this->userManager->expects($this->once())
->method('checkPassword') ->method('checkPassword')
->will($this->returnValue($user)); ->will($this->returnValue($user));
@ -412,6 +475,23 @@ class LoginControllerTest extends TestCase {
->method('linkToRoute') ->method('linkToRoute')
->with('core.login.showLoginForm', ['user' => 'john@doe.com']) ->with('core.login.showLoginForm', ['user' => 'john@doe.com'])
->will($this->returnValue('')); ->will($this->returnValue(''));
$this->request
->expects($this->exactly(3))
->method('getRemoteAddress')
->willReturn('192.168.0.1');
$this->throttler
->expects($this->once())
->method('getDelay')
->with('192.168.0.1')
->willReturn(200);
$this->throttler
->expects($this->once())
->method('sleepDelay')
->with('192.168.0.1');
$this->throttler
->expects($this->once())
->method('registerAttempt')
->with('login', '192.168.0.1', ['user' => 'john@doe.com']);
$expected = new RedirectResponse(''); $expected = new RedirectResponse('');
$this->assertEquals($expected, $this->loginController->tryLogin('john@doe.com', 'just wrong', null)); $this->assertEquals($expected, $this->loginController->tryLogin('john@doe.com', 'just wrong', null));

View File

@ -29,6 +29,9 @@ namespace Test\AppFramework\DependencyInjection;
use \OC\AppFramework\Http\Request; use \OC\AppFramework\Http\Request;
/**
* @group DB
*/
class DIContainerTest extends \Test\TestCase { class DIContainerTest extends \Test\TestCase {
private $container; private $container;
@ -74,7 +77,6 @@ class DIContainerTest extends \Test\TestCase {
$this->assertEquals('name', $this->container['AppName']); $this->assertEquals('name', $this->container['AppName']);
} }
public function testMiddlewareDispatcherIncludesSecurityMiddleware(){ public function testMiddlewareDispatcherIncludesSecurityMiddleware(){
$this->container['Request'] = new Request( $this->container['Request'] = new Request(
['method' => 'GET'], ['method' => 'GET'],

View File

@ -16,6 +16,7 @@ use OC\AppFramework\Http\Request;
use OC\AppFramework\Middleware\Security\CORSMiddleware; use OC\AppFramework\Middleware\Security\CORSMiddleware;
use OC\AppFramework\Utility\ControllerMethodReflector; use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException; use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
use OC\Security\Bruteforce\Throttler;
use OCP\AppFramework\Http\JSONResponse; use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\Response; use OCP\AppFramework\Http\Response;
@ -24,6 +25,8 @@ class CORSMiddlewareTest extends \Test\TestCase {
private $reflector; private $reflector;
private $session; private $session;
/** @var Throttler */
private $throttler;
protected function setUp() { protected function setUp() {
parent::setUp(); parent::setUp();
@ -31,6 +34,9 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->session = $this->getMockBuilder('\OC\User\Session') $this->session = $this->getMockBuilder('\OC\User\Session')
->disableOriginalConstructor() ->disableOriginalConstructor()
->getMock(); ->getMock();
$this->throttler = $this->getMockBuilder('\OC\Security\Bruteforce\Throttler')
->disableOriginalConstructor()
->getMock();
} }
/** /**
@ -47,7 +53,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->getMockBuilder('\OCP\IConfig')->getMock() $this->getMockBuilder('\OCP\IConfig')->getMock()
); );
$this->reflector->reflect($this, __FUNCTION__); $this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session); $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$response = $middleware->afterController($this, __FUNCTION__, new Response()); $response = $middleware->afterController($this, __FUNCTION__, new Response());
$headers = $response->getHeaders(); $headers = $response->getHeaders();
@ -65,7 +71,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock(), $this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock(),
$this->getMockBuilder('\OCP\IConfig')->getMock() $this->getMockBuilder('\OCP\IConfig')->getMock()
); );
$middleware = new CORSMiddleware($request, $this->reflector, $this->session); $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$response = $middleware->afterController($this, __FUNCTION__, new Response()); $response = $middleware->afterController($this, __FUNCTION__, new Response());
$headers = $response->getHeaders(); $headers = $response->getHeaders();
@ -83,7 +89,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->getMockBuilder('\OCP\IConfig')->getMock() $this->getMockBuilder('\OCP\IConfig')->getMock()
); );
$this->reflector->reflect($this, __FUNCTION__); $this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session); $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$response = $middleware->afterController($this, __FUNCTION__, new Response()); $response = $middleware->afterController($this, __FUNCTION__, new Response());
$headers = $response->getHeaders(); $headers = $response->getHeaders();
@ -106,7 +112,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->getMockBuilder('\OCP\IConfig')->getMock() $this->getMockBuilder('\OCP\IConfig')->getMock()
); );
$this->reflector->reflect($this, __FUNCTION__); $this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session); $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$response = new Response(); $response = new Response();
$response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE'); $response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');
@ -124,7 +130,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->getMockBuilder('\OCP\IConfig')->getMock() $this->getMockBuilder('\OCP\IConfig')->getMock()
); );
$this->reflector->reflect($this, __FUNCTION__); $this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session); $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$this->session->expects($this->never()) $this->session->expects($this->never())
->method('logout'); ->method('logout');
$this->session->expects($this->never()) $this->session->expects($this->never())
@ -155,7 +161,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
->with($this->equalTo('user'), $this->equalTo('pass')) ->with($this->equalTo('user'), $this->equalTo('pass'))
->will($this->returnValue(true)); ->will($this->returnValue(true));
$this->reflector->reflect($this, __FUNCTION__); $this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session); $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware->beforeController($this, __FUNCTION__, new Response()); $middleware->beforeController($this, __FUNCTION__, new Response());
} }
@ -180,7 +186,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
->with($this->equalTo('user'), $this->equalTo('pass')) ->with($this->equalTo('user'), $this->equalTo('pass'))
->will($this->throwException(new \OC\Authentication\Exceptions\PasswordLoginForbiddenException)); ->will($this->throwException(new \OC\Authentication\Exceptions\PasswordLoginForbiddenException));
$this->reflector->reflect($this, __FUNCTION__); $this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session); $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware->beforeController($this, __FUNCTION__, new Response()); $middleware->beforeController($this, __FUNCTION__, new Response());
} }
@ -205,7 +211,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
->with($this->equalTo('user'), $this->equalTo('pass')) ->with($this->equalTo('user'), $this->equalTo('pass'))
->will($this->returnValue(false)); ->will($this->returnValue(false));
$this->reflector->reflect($this, __FUNCTION__); $this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session); $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware->beforeController($this, __FUNCTION__, new Response()); $middleware->beforeController($this, __FUNCTION__, new Response());
} }
@ -219,7 +225,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock(), $this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock(),
$this->getMockBuilder('\OCP\IConfig')->getMock() $this->getMockBuilder('\OCP\IConfig')->getMock()
); );
$middleware = new CORSMiddleware($request, $this->reflector, $this->session); $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$response = $middleware->afterException($this, __FUNCTION__, new SecurityException('A security exception')); $response = $middleware->afterException($this, __FUNCTION__, new SecurityException('A security exception'));
$expected = new JSONResponse(['message' => 'A security exception'], 500); $expected = new JSONResponse(['message' => 'A security exception'], 500);
@ -235,7 +241,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock(), $this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock(),
$this->getMockBuilder('\OCP\IConfig')->getMock() $this->getMockBuilder('\OCP\IConfig')->getMock()
); );
$middleware = new CORSMiddleware($request, $this->reflector, $this->session); $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$response = $middleware->afterException($this, __FUNCTION__, new SecurityException('A security exception', 501)); $response = $middleware->afterException($this, __FUNCTION__, new SecurityException('A security exception', 501));
$expected = new JSONResponse(['message' => 'A security exception'], 501); $expected = new JSONResponse(['message' => 'A security exception'], 501);
@ -255,7 +261,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock(), $this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock(),
$this->getMockBuilder('\OCP\IConfig')->getMock() $this->getMockBuilder('\OCP\IConfig')->getMock()
); );
$middleware = new CORSMiddleware($request, $this->reflector, $this->session); $middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$middleware->afterException($this, __FUNCTION__, new \Exception('A regular exception')); $middleware->afterException($this, __FUNCTION__, new \Exception('A regular exception'));
} }

View File

@ -0,0 +1,123 @@
<?php
/**
* @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Test\Security\Bruteforce;
use OC\AppFramework\Utility\TimeFactory;
use OC\Security\Bruteforce\Throttler;
use OCP\IConfig;
use OCP\IDBConnection;
use OCP\ILogger;
use Test\TestCase;
/**
* Based on the unit tests from Paragonie's Airship CMS
* Ref: https://github.com/paragonie/airship/blob/7e5bad7e3c0fbbf324c11f963fd1f80e59762606/test/unit/Engine/Security/AirBrakeTest.php
*
* @package Test\Security\Bruteforce
*/
class ThrottlerTest extends TestCase {
/** @var Throttler */
private $throttler;
/** @var IDBConnection */
private $dbConnection;
/** @var ILogger */
private $logger;
/** @var IConfig */
private $config;
public function setUp() {
$this->dbConnection = $this->getMock('\OCP\IDBConnection');
$this->logger = $this->getMock('\OCP\ILogger');
$this->config = $this->getMock('\OCP\IConfig');
$this->throttler = new Throttler(
$this->dbConnection,
new TimeFactory(),
$this->logger,
$this->config
);
return parent::setUp();
}
public function testCutoff() {
// precisely 31 second shy of 12 hours
$cutoff = $this->invokePrivate($this->throttler, 'getCutoff', [43169]);
$this->assertSame(0, $cutoff->y);
$this->assertSame(0, $cutoff->m);
$this->assertSame(0, $cutoff->d);
$this->assertSame(11, $cutoff->h);
$this->assertSame(59, $cutoff->i);
$this->assertSame(29, $cutoff->s);
$cutoff = $this->invokePrivate($this->throttler, 'getCutoff', [86401]);
$this->assertSame(0, $cutoff->y);
$this->assertSame(0, $cutoff->m);
$this->assertSame(1, $cutoff->d);
$this->assertSame(0, $cutoff->h);
$this->assertSame(0, $cutoff->i);
// Leap second tolerance:
$this->assertLessThan(2, $cutoff->s);
}
public function testSubnet() {
// IPv4
$this->assertSame(
'64.233.191.254/32',
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 32])
);
$this->assertSame(
'64.233.191.252/30',
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 30])
);
$this->assertSame(
'64.233.191.240/28',
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 28])
);
$this->assertSame(
'64.233.191.0/24',
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 24])
);
$this->assertSame(
'64.233.188.0/22',
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 22])
);
// IPv6
$this->assertSame(
'2001:db8:85a3::8a2e:370:7334/127',
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 127])
);
$this->assertSame(
'2001:db8:85a3::8a2e:370:7300/120',
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7300', 120])
);
$this->assertSame(
'2001:db8:85a3::/64',
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 64])
);
$this->assertSame(
'2001:db8:85a3::/48',
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 48])
);
$this->assertSame(
'2001:db8:8500::/40',
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 40])
);
}
}

View File

@ -9,6 +9,7 @@
namespace Test\User; namespace Test\User;
use OC\Security\Bruteforce\Throttler;
use OC\Session\Memory; use OC\Session\Memory;
use OC\User\User; use OC\User\User;
@ -17,15 +18,14 @@ use OC\User\User;
* @package Test\User * @package Test\User
*/ */
class SessionTest extends \Test\TestCase { class SessionTest extends \Test\TestCase {
/** @var \OCP\AppFramework\Utility\ITimeFactory */ /** @var \OCP\AppFramework\Utility\ITimeFactory */
private $timeFactory; private $timeFactory;
/** @var \OC\Authentication\Token\DefaultTokenProvider */ /** @var \OC\Authentication\Token\DefaultTokenProvider */
protected $tokenProvider; protected $tokenProvider;
/** @var \OCP\IConfig */ /** @var \OCP\IConfig */
private $config; private $config;
/** @var Throttler */
private $throttler;
protected function setUp() { protected function setUp() {
parent::setUp(); parent::setUp();
@ -36,6 +36,8 @@ class SessionTest extends \Test\TestCase {
->will($this->returnValue(10000)); ->will($this->returnValue(10000));
$this->tokenProvider = $this->getMock('\OC\Authentication\Token\IProvider'); $this->tokenProvider = $this->getMock('\OC\Authentication\Token\IProvider');
$this->config = $this->getMock('\OCP\IConfig'); $this->config = $this->getMock('\OCP\IConfig');
$this->throttler = $this->getMockBuilder('\OC\Security\Bruteforce\Throttler')
->disableOriginalConstructor()->getMock();
} }
public function testGetUser() { public function testGetUser() {
@ -353,7 +355,6 @@ class SessionTest extends \Test\TestCase {
->getMock(); ->getMock();
$session = $this->getMock('\OCP\ISession'); $session = $this->getMock('\OCP\ISession');
$request = $this->getMock('\OCP\IRequest'); $request = $this->getMock('\OCP\IRequest');
$user = $this->getMock('\OCP\IUser');
/** @var \OC\User\Session $userSession */ /** @var \OC\User\Session $userSession */
$userSession = $this->getMockBuilder('\OC\User\Session') $userSession = $this->getMockBuilder('\OC\User\Session')
@ -369,8 +370,21 @@ class SessionTest extends \Test\TestCase {
->method('getSystemValue') ->method('getSystemValue')
->with('token_auth_enforced', false) ->with('token_auth_enforced', false)
->will($this->returnValue(true)); ->will($this->returnValue(true));
$request
->expects($this->exactly(2))
->method('getRemoteAddress')
->willReturn('192.168.0.1');
$this->throttler
->expects($this->once())
->method('sleepDelay')
->with('192.168.0.1');
$this->throttler
->expects($this->once())
->method('getDelay')
->with('192.168.0.1')
->willReturn(0);
$userSession->logClientIn('john', 'doe', $request); $userSession->logClientIn('john', 'doe', $request, $this->throttler);
} }
public function testLogClientInWithTokenPassword() { public function testLogClientInWithTokenPassword() {
@ -379,7 +393,6 @@ class SessionTest extends \Test\TestCase {
->getMock(); ->getMock();
$session = $this->getMock('\OCP\ISession'); $session = $this->getMock('\OCP\ISession');
$request = $this->getMock('\OCP\IRequest'); $request = $this->getMock('\OCP\IRequest');
$user = $this->getMock('\OCP\IUser');
/** @var \OC\User\Session $userSession */ /** @var \OC\User\Session $userSession */
$userSession = $this->getMockBuilder('\OC\User\Session') $userSession = $this->getMockBuilder('\OC\User\Session')
@ -398,8 +411,21 @@ class SessionTest extends \Test\TestCase {
$session->expects($this->once()) $session->expects($this->once())
->method('set') ->method('set')
->with('app_password', 'I-AM-AN-APP-PASSWORD'); ->with('app_password', 'I-AM-AN-APP-PASSWORD');
$request
->expects($this->exactly(2))
->method('getRemoteAddress')
->willReturn('192.168.0.1');
$this->throttler
->expects($this->once())
->method('sleepDelay')
->with('192.168.0.1');
$this->throttler
->expects($this->once())
->method('getDelay')
->with('192.168.0.1')
->willReturn(0);
$this->assertTrue($userSession->logClientIn('john', 'I-AM-AN-APP-PASSWORD', $request)); $this->assertTrue($userSession->logClientIn('john', 'I-AM-AN-APP-PASSWORD', $request, $this->throttler));
} }
/** /**
@ -410,7 +436,6 @@ class SessionTest extends \Test\TestCase {
->disableOriginalConstructor() ->disableOriginalConstructor()
->getMock(); ->getMock();
$session = $this->getMock('\OCP\ISession'); $session = $this->getMock('\OCP\ISession');
$user = $this->getMock('\OCP\IUser');
$request = $this->getMock('\OCP\IRequest'); $request = $this->getMock('\OCP\IRequest');
/** @var \OC\User\Session $userSession */ /** @var \OC\User\Session $userSession */
@ -433,7 +458,21 @@ class SessionTest extends \Test\TestCase {
->with('john') ->with('john')
->will($this->returnValue(true)); ->will($this->returnValue(true));
$userSession->logClientIn('john', 'doe', $request); $request
->expects($this->exactly(2))
->method('getRemoteAddress')
->willReturn('192.168.0.1');
$this->throttler
->expects($this->once())
->method('sleepDelay')
->with('192.168.0.1');
$this->throttler
->expects($this->once())
->method('getDelay')
->with('192.168.0.1')
->willReturn(0);
$userSession->logClientIn('john', 'doe', $request, $this->throttler);
} }
public function testRememberLoginValidToken() { public function testRememberLoginValidToken() {

View File

@ -25,7 +25,7 @@
// We only can count up. The 4. digit is only for the internal patchlevel to trigger DB upgrades // We only can count up. The 4. digit is only for the internal patchlevel to trigger DB upgrades
// between betas, final and RCs. This is _not_ the public version number. Reset minor/patchlevel // between betas, final and RCs. This is _not_ the public version number. Reset minor/patchlevel
// when updating major/minor version number. // when updating major/minor version number.
$OC_Version = array(9, 1, 0, 12); $OC_Version = array(9, 1, 0, 13);
// The human readable string // The human readable string
$OC_VersionString = '9.1.0 RC1'; $OC_VersionString = '9.1.0 RC1';