mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #4336 from nextcloud/add-ratelimiting 

Add support for ratelimiting via annotations
This commit is contained in:
Lukas Reschke 2017-04-13 18:53:56 +02:00 committed by GitHub
parent 9b9ca0b34d e39e6d0605
commit f3dbfd68a2
26 changed files with 1437 additions and 150 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
.drone.yml
View File

@ -277,6 +277,18 @@ pipeline:
when:
matrix:
TESTS: integration-maintenance-mode
integration-ratelimiting:
image: nextcloudci/integration-php7.0:integration-php7.0-3
commands:
- ./occ maintenance:install --admin-pass=admin
- ./occ config:system:set --type string --value "\\OC\\Memcache\\Redis" memcache.local
- ./occ config:system:set --type string --value "\\OC\\Memcache\\Redis" memcache.distributed
- ./occ app:enable testing
- cd build/integration
- ./run.sh features/ratelimiting.feature
when:
matrix:
TESTS: integration-ratelimiting
integration-carddav:
image: nextcloudci/integration-php7.0:integration-php7.0-3
commands:
@ -516,6 +528,7 @@ matrix:
- TESTS: integration-capabilities_features
- TESTS: integration-federation_features
- TESTS: integration-maintenance-mode
- TESTS: integration-ratelimiting
- TESTS: integration-auth
- TESTS: integration-carddav
- TESTS: integration-dav-v2

2
apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php
View File

@ -120,7 +120,7 @@ class MountPublicLinkController extends Controller {
*
* @NoCSRFRequired
* @PublicPage
* @BruteForceProtection publicLink2FederatedShare
* @BruteForceProtection(action=publicLink2FederatedShare)
*
* @param string $shareWith
* @param string $token

2
apps/files_sharing/lib/Controller/ShareController.php
View File

@ -160,7 +160,7 @@ class ShareController extends Controller {
/**
* @PublicPage
* @UseSession
* @BruteForceProtection publicLinkAuth
* @BruteForceProtection(action=publicLinkAuth)
*
* Authenticates against password-protected shares
* @param string $token

20
apps/testing/appinfo/routes.php
View File

@ -25,12 +25,32 @@ namespace OCA\Testing\AppInfo;
use OCA\Testing\Config;
use OCA\Testing\Locking\Provisioning;
use OCP\API;
use OCP\AppFramework\App;
$config = new Config(
\OC::$server->getConfig(),
\OC::$server->getRequest()
);
$app = new App('testing');
$app->registerRoutes(
$this,
[
'routes' => [
[
'name' => 'RateLimitTest#userAndAnonProtected',
'url' => '/userAndAnonProtected',
'verb' => 'GET',
],
[
'name' => 'RateLimitTest#onlyAnonProtected',
'url' => '/anonProtected',
'verb' => 'GET',
],
]
]
);
API::register(
'post',
'/apps/testing/api/v1/app/{appid}/{configkey}',

52
apps/testing/lib/Controller/RateLimitTestController.php Normal file
View File

@ -0,0 +1,52 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OCA\Testing\Controller;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\JSONResponse;
class RateLimitTestController extends Controller {
/**
* @PublicPage
* @NoCSRFRequired
*
* @UserRateThrottle(limit=5, period=100)
* @AnonRateThrottle(limit=1, period=100)
*
* @return JSONResponse
*/
public function userAndAnonProtected() {
return new JSONResponse();
}
/**
* @PublicPage
* @NoCSRFRequired
*
* @AnonRateThrottle(limit=1, period=10)
*
* @return JSONResponse
*/
public function onlyAnonProtected() {
return new JSONResponse();
}
}

58
build/integration/features/ratelimiting.feature Normal file
View File

@ -0,0 +1,58 @@
Feature: ratelimiting
Background:
Given user "user0" exists
Given As an "admin"
Given app "testing" is enabled
Scenario: Accessing a page with only an AnonRateThrottle as user
Given user "user0" exists
# First request should work
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
# Second one should fail
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
Then the HTTP status code should be "429"
# After 11 seconds the next request should work
And Sleep for "11" seconds
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
Scenario: Accessing a page with only an AnonRateThrottle as guest
Given Sleep for "11" seconds
# First request should work
When requesting "/index.php/apps/testing/anonProtected" with "GET"
Then the HTTP status code should be "200"
# Second one should fail
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
Then the HTTP status code should be "429"
# After 11 seconds the next request should work
And Sleep for "11" seconds
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
Scenario: Accessing a page with UserRateThrottle and AnonRateThrottle
# First request should work as guest
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
Then the HTTP status code should be "200"
# Second request should fail as guest
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
Then the HTTP status code should be "429"
# First request should work as user
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
# Second request should work as user
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
# Third request should work as user
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
# Fourth request should work as user
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
# Fifth request should work as user
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
# Sixth request should fail as user
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
Then the HTTP status code should be "429"

2
core/Controller/LostController.php
View File

@ -204,7 +204,7 @@ class LostController extends Controller {
/**
* @PublicPage
* @BruteForceProtection passwordResetEmail
* @BruteForceProtection(action=passwordResetEmail)
*
* @param string $user
* @return array

6
lib/composer/composer/autoload_classmap.php
View File

@ -298,6 +298,7 @@ return array(
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/NotLoggedInException.php',
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\SecurityException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/SecurityException.php',
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\StrictCookieMissingException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/StrictCookieMissingException.php',
'OC\\AppFramework\\Middleware\\Security\\RateLimitingMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php',
'OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php',
'OC\\AppFramework\\Middleware\\SessionMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/SessionMiddleware.php',
'OC\\AppFramework\\OCS\\BaseResponse' => $baseDir . '/lib/private/AppFramework/OCS/BaseResponse.php',
@ -742,6 +743,11 @@ return array(
'OC\\Security\\IdentityProof\\Key' => $baseDir . '/lib/private/Security/IdentityProof/Key.php',
'OC\\Security\\IdentityProof\\Manager' => $baseDir . '/lib/private/Security/IdentityProof/Manager.php',
'OC\\Security\\IdentityProof\\Signer' => $baseDir . '/lib/private/Security/IdentityProof/Signer.php',
'OC\\Security\\Normalizer\\IpAddress' => $baseDir . '/lib/private/Security/Normalizer/IpAddress.php',
'OC\\Security\\RateLimiting\\Backend\\IBackend' => $baseDir . '/lib/private/Security/RateLimiting/Backend/IBackend.php',
'OC\\Security\\RateLimiting\\Backend\\MemoryCache' => $baseDir . '/lib/private/Security/RateLimiting/Backend/MemoryCache.php',
'OC\\Security\\RateLimiting\\Exception\\RateLimitExceededException' => $baseDir . '/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php',
'OC\\Security\\RateLimiting\\Limiter' => $baseDir . '/lib/private/Security/RateLimiting/Limiter.php',
'OC\\Security\\SecureRandom' => $baseDir . '/lib/private/Security/SecureRandom.php',
'OC\\Security\\TrustedDomainHelper' => $baseDir . '/lib/private/Security/TrustedDomainHelper.php',
'OC\\Server' => $baseDir . '/lib/private/Server.php',

6
lib/composer/composer/autoload_static.php
View File

@ -328,6 +328,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/NotLoggedInException.php',
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\SecurityException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/SecurityException.php',
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\StrictCookieMissingException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/StrictCookieMissingException.php',
'OC\\AppFramework\\Middleware\\Security\\RateLimitingMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php',
'OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php',
'OC\\AppFramework\\Middleware\\SessionMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/SessionMiddleware.php',
'OC\\AppFramework\\OCS\\BaseResponse' => __DIR__ . '/../../..' . '/lib/private/AppFramework/OCS/BaseResponse.php',
@ -772,6 +773,11 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
'OC\\Security\\IdentityProof\\Key' => __DIR__ . '/../../..' . '/lib/private/Security/IdentityProof/Key.php',
'OC\\Security\\IdentityProof\\Manager' => __DIR__ . '/../../..' . '/lib/private/Security/IdentityProof/Manager.php',
'OC\\Security\\IdentityProof\\Signer' => __DIR__ . '/../../..' . '/lib/private/Security/IdentityProof/Signer.php',
'OC\\Security\\Normalizer\\IpAddress' => __DIR__ . '/../../..' . '/lib/private/Security/Normalizer/IpAddress.php',
'OC\\Security\\RateLimiting\\Backend\\IBackend' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Backend/IBackend.php',
'OC\\Security\\RateLimiting\\Backend\\MemoryCache' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Backend/MemoryCache.php',
'OC\\Security\\RateLimiting\\Exception\\RateLimitExceededException' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php',
'OC\\Security\\RateLimiting\\Limiter' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Limiter.php',
'OC\\Security\\SecureRandom' => __DIR__ . '/../../..' . '/lib/private/Security/SecureRandom.php',
'OC\\Security\\TrustedDomainHelper' => __DIR__ . '/../../..' . '/lib/private/Security/TrustedDomainHelper.php',
'OC\\Server' => __DIR__ . '/../../..' . '/lib/private/Server.php',

15
lib/private/AppFramework/DependencyInjection/DIContainer.php
View File

@ -40,6 +40,7 @@ use OC\AppFramework\Http\Output;
use OC\AppFramework\Middleware\MiddlewareDispatcher;
use OC\AppFramework\Middleware\Security\CORSMiddleware;
use OC\AppFramework\Middleware\OCSMiddleware;
use OC\AppFramework\Middleware\Security\RateLimitingMiddleware;
use OC\AppFramework\Middleware\Security\SecurityMiddleware;
use OC\AppFramework\Middleware\SessionMiddleware;
use OC\AppFramework\Utility\SimpleContainer;
@ -169,7 +170,6 @@ class DIContainer extends SimpleContainer implements IAppContainer {
);
});
/**
* App Framework APIs
*/
@ -230,6 +230,18 @@ class DIContainer extends SimpleContainer implements IAppContainer {
});
$this->registerService('RateLimitingMiddleware', function($c) use ($app) {
/** @var \OC\Server $server */
$server = $app->getServer();
return new RateLimitingMiddleware(
$server->getRequest(),
$server->getUserSession(),
$c['ControllerMethodReflector'],
$c->query(OC\Security\RateLimiting\Limiter::class)
);
});
$this->registerService('CORSMiddleware', function($c) {
return new CORSMiddleware(
$c['Request'],
@ -270,6 +282,7 @@ class DIContainer extends SimpleContainer implements IAppContainer {
$dispatcher->registerMiddleware($c['OCSMiddleware']);
$dispatcher->registerMiddleware($c['SecurityMiddleware']);
$dispatcher->registerMiddleWare($c['TwoFactorMiddleware']);
$dispatcher->registerMiddleware($c['RateLimitingMiddleware']);
foreach($middleWares as $middleWare) {
$dispatcher->registerMiddleware($c[$middleWare]);

134
lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php Normal file
View File

@ -0,0 +1,134 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Security\RateLimiting\Exception\RateLimitExceededException;
use OC\Security\RateLimiting\Limiter;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Middleware;
use OCP\IRequest;
use OCP\IUserSession;
/**
* Class RateLimitingMiddleware is the middleware responsible for implementing the
* ratelimiting in Nextcloud.
*
* It parses annotations such as:
*
* @UserRateThrottle(limit=5, period=100)
* @AnonRateThrottle(limit=1, period=100)
*
* Those annotations above would mean that logged-in users can access the page 5
* times within 100 seconds, and anonymous users 1 time within 100 seconds. If
* only an AnonRateThrottle is specified that one will also be applied to logged-in
* users.
*
* @package OC\AppFramework\Middleware\Security
*/
class RateLimitingMiddleware extends Middleware {
/** @var IRequest $request */
private $request;
/** @var IUserSession */
private $userSession;
/** @var ControllerMethodReflector */
private $reflector;
/** @var Limiter */
private $limiter;
/**
* @param IRequest $request
* @param IUserSession $userSession
* @param ControllerMethodReflector $reflector
* @param Limiter $limiter
*/
public function __construct(IRequest $request,
IUserSession $userSession,
ControllerMethodReflector $reflector,
Limiter $limiter) {
$this->request = $request;
$this->userSession = $userSession;
$this->reflector = $reflector;
$this->limiter = $limiter;
}
/**
* {@inheritDoc}
* @throws RateLimitExceededException
*/
public function beforeController($controller, $methodName) {
parent::beforeController($controller, $methodName);
$anonLimit = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'limit');
$anonPeriod = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'period');
$userLimit = $this->reflector->getAnnotationParameter('UserRateThrottle', 'limit');
$userPeriod = $this->reflector->getAnnotationParameter('UserRateThrottle', 'period');
$rateLimitIdentifier = get_class($controller) . '::' . $methodName;
if($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) {
$this->limiter->registerUserRequest(
$rateLimitIdentifier,
$userLimit,
$userPeriod,
$this->userSession->getUser()
);
} elseif ($anonLimit !== '' && $anonPeriod !== '') {
$this->limiter->registerAnonRequest(
$rateLimitIdentifier,
$anonLimit,
$anonPeriod,
$this->request->getRemoteAddress()
);
}
}
/**
* {@inheritDoc}
*/
public function afterException($controller, $methodName, \Exception $exception) {
if($exception instanceof RateLimitExceededException) {
if (stripos($this->request->getHeader('Accept'),'html') === false) {
$response = new JSONResponse(
[
'message' => $exception->getMessage(),
],
$exception->getCode()
);
} else {
$response = new TemplateResponse(
'core',
'403',
[
'file' => $exception->getMessage()
],
'guest'
);
$response->setStatus($exception->getCode());
}
return $response;
}
throw $exception;
}
}

2
lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
View File

@ -192,7 +192,7 @@ class SecurityMiddleware extends Middleware {
}
if($this->reflector->hasAnnotation('BruteForceProtection')) {
$action = $this->reflector->getAnnotationParameter('BruteForceProtection');
$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
$this->throttler->sleepDelay($this->request->getRemoteAddress(), $action);
$this->throttler->registerAttempt($action, $this->request->getRemoteAddress());
}

55
lib/private/AppFramework/Utility/ControllerMethodReflector.php
View File

@ -24,27 +24,17 @@
*
*/
namespace OC\AppFramework\Utility;
use \OCP\AppFramework\Utility\IControllerMethodReflector;
/**
* Reads and parses annotations from doc comments
*/
class ControllerMethodReflector implements IControllerMethodReflector{
private $annotations;
private $types;
private $parameters;
public function __construct() {
$this->types = array();
$this->parameters = array();
$this->annotations = array();
}
class ControllerMethodReflector implements IControllerMethodReflector {
public $annotations = [];
private $types = [];
private $parameters = [];
/**
* @param object $object an object or classname
@ -55,9 +45,21 @@ class ControllerMethodReflector implements IControllerMethodReflector{
$docs = $reflection->getDocComment();
// extract everything prefixed by @ and first letter uppercase
preg_match_all('/^\h+\*\h+@(?P<annotation>[A-Z]\w+)(\h+(?P<parameter>\w+))?$/m', $docs, $matches);
preg_match_all('/^\h+\*\h+@(?P<annotation>[A-Z]\w+)((?P<parameter>.*))?$/m', $docs, $matches);
foreach($matches['annotation'] as $key => $annontation) {
$this->annotations[$annontation] = $matches['parameter'][$key];
$annotationValue = $matches['parameter'][$key];
if(isset($annotationValue[0]) && $annotationValue[0] === '(' && $annotationValue[strlen($annotationValue) - 1] === ')') {
$cutString = substr($annotationValue, 1, -1);
$cutString = str_replace(' ', '', $cutString);
$splittedArray = explode(',', $cutString);
foreach($splittedArray as $annotationValues) {
list($key, $value) = explode('=', $annotationValues);
$this->annotations[$annontation][$key] = $value;
}
continue;
}
$this->annotations[$annontation] = [$annotationValue];
}
// extract type parameter information
@ -83,7 +85,6 @@ class ControllerMethodReflector implements IControllerMethodReflector{
}
}
/**
* Inspects the PHPDoc parameters for types
* @param string $parameter the parameter whose type comments should be
@ -99,7 +100,6 @@ class ControllerMethodReflector implements IControllerMethodReflector{
}
}
/**
* @return array the arguments of the method with key => default value
*/
@ -107,30 +107,27 @@ class ControllerMethodReflector implements IControllerMethodReflector{
return $this->parameters;
}
/**
* Check if a method contains an annotation
* @param string $name the name of the annotation
* @return bool true if the annotation is found
*/
public function hasAnnotation($name){
public function hasAnnotation($name) {
return array_key_exists($name, $this->annotations);
}
/**
* Get optional annotation parameter
* Get optional annotation parameter by key
*
* @param string $name the name of the annotation
* @param string $key the string of the annotation
* @return string
*/
public function getAnnotationParameter($name){
$parameter = '';
if($this->hasAnnotation($name)) {
$parameter = $this->annotations[$name];
public function getAnnotationParameter($name, $key) {
if(isset($this->annotations[$name][$key])) {
return $this->annotations[$name][$key];
}
return $parameter;
return '';
}
}

72
lib/private/Security/Bruteforce/Throttler.php
View File

@ -23,6 +23,7 @@
namespace OC\Security\Bruteforce;
use OC\Security\Normalizer\IpAddress;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IConfig;
use OCP\IDBConnection;
@ -82,67 +83,6 @@ class Throttler {
return $d2->diff($d1);
}
/**
* Return the given subnet for an IPv4 address and mask bits
*
* @param string $ip
* @param int $maskBits
* @return string
*/
private function getIPv4Subnet($ip,
$maskBits = 32) {
$binary = \inet_pton($ip);
for ($i = 32; $i > $maskBits; $i -= 8) {
$j = \intdiv($i, 8) - 1;
$k = (int) \min(8, $i - $maskBits);
$mask = (0xff - ((pow(2, $k)) - 1));
$int = \unpack('C', $binary[$j]);
$binary[$j] = \pack('C', $int[1] & $mask);
}
return \inet_ntop($binary).'/'.$maskBits;
}
/**
* Return the given subnet for an IPv6 address and mask bits
*
* @param string $ip
* @param int $maskBits
* @return string
*/
private function getIPv6Subnet($ip, $maskBits = 48) {
$binary = \inet_pton($ip);
for ($i = 128; $i > $maskBits; $i -= 8) {
$j = \intdiv($i, 8) - 1;
$k = (int) \min(8, $i - $maskBits);
$mask = (0xff - ((pow(2, $k)) - 1));
$int = \unpack('C', $binary[$j]);
$binary[$j] = \pack('C', $int[1] & $mask);
}
return \inet_ntop($binary).'/'.$maskBits;
}
/**
* Return the given subnet for an IP and the configured mask bits
*
* Determine if the IP is an IPv4 or IPv6 address, then pass to the correct
* method for handling that specific type.
*
* @param string $ip
* @return string
*/
private function getSubnet($ip) {
if (\preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $ip)) {
return $this->getIPv4Subnet(
$ip,
32
);
}
return $this->getIPv6Subnet(
$ip,
128
);
}
/**
* Register a failed attempt to bruteforce a security control
*
@ -158,11 +98,12 @@ class Throttler {
return;
}
$ipAddress = new IpAddress($ip);
$values = [
'action' => $action,
'occurred' => $this->timeFactory->getTime(),
'ip' => $ip,
'subnet' => $this->getSubnet($ip),
'ip' => (string)$ipAddress,
'subnet' => $ipAddress->getSubnet(),
'metadata' => json_encode($metadata),
];
@ -254,7 +195,8 @@ class Throttler {
* @return int
*/
public function getDelay($ip, $action = '') {
if ($this->isIPWhitelisted($ip)) {
$ipAddress = new IpAddress($ip);
if ($this->isIPWhitelisted((string)$ipAddress)) {
return 0;
}
@ -266,7 +208,7 @@ class Throttler {
$qb->select('*')
->from('bruteforce_attempts')
->where($qb->expr()->gt('occurred', $qb->createNamedParameter($cutoffTime)))
->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($this->getSubnet($ip))));
->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($ipAddress->getSubnet())));
if ($action !== '') {
$qb->andWhere($qb->expr()->eq('action', $qb->createNamedParameter($action)));

106
lib/private/Security/Normalizer/IpAddress.php Normal file
View File

@ -0,0 +1,106 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Security\Normalizer;
/**
* Class IpAddress is used for normalizing IPv4 and IPv6 addresses in security
* relevant contexts in Nextcloud.
*
* @package OC\Security\Normalizer
*/
class IpAddress {
/** @var string */
private $ip;
/**
* @param string $ip IP to normalized
*/
public function __construct($ip) {
$this->ip = $ip;
}
/**
* Return the given subnet for an IPv4 address and mask bits
*
* @param string $ip
* @param int $maskBits
* @return string
*/
private function getIPv4Subnet($ip,
$maskBits = 32) {
$binary = \inet_pton($ip);
for ($i = 32; $i > $maskBits; $i -= 8) {
$j = \intdiv($i, 8) - 1;
$k = (int) \min(8, $i - $maskBits);
$mask = (0xff - ((pow(2, $k)) - 1));
$int = \unpack('C', $binary[$j]);
$binary[$j] = \pack('C', $int[1] & $mask);
}
return \inet_ntop($binary).'/'.$maskBits;
}
/**
* Return the given subnet for an IPv6 address and mask bits
*
* @param string $ip
* @param int $maskBits
* @return string
*/
private function getIPv6Subnet($ip, $maskBits = 48) {
$binary = \inet_pton($ip);
for ($i = 128; $i > $maskBits; $i -= 8) {
$j = \intdiv($i, 8) - 1;
$k = (int) \min(8, $i - $maskBits);
$mask = (0xff - ((pow(2, $k)) - 1));
$int = \unpack('C', $binary[$j]);
$binary[$j] = \pack('C', $int[1] & $mask);
}
return \inet_ntop($binary).'/'.$maskBits;
}
/**
* Gets either the /32 (IPv4) or the /128 (IPv6) subnet of an IP address
*
* @return string
*/
public function getSubnet() {
if (\preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $this->ip)) {
return $this->getIPv4Subnet(
$this->ip,
32
);
}
return $this->getIPv6Subnet(
$this->ip,
128
);
}
/**
* Returns the specified IP address
*
* @return string
*/
public function __toString() {
return $this->ip;
}
}

54
lib/private/Security/RateLimiting/Backend/IBackend.php Normal file
View File

@ -0,0 +1,54 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Security\RateLimiting\Backend;
/**
* Interface IBackend defines a storage backend for the rate limiting data. It
* should be noted that writing and reading rate limiting data is an expensive
* operation and one should thus make sure to only use sufficient fast backends.
*
* @package OC\Security\RateLimiting\Backend
*/
interface IBackend {
/**
* Gets the amount of attempts within the last specified seconds
*
* @param string $methodIdentifier Identifier for the method
* @param string $userIdentifier Identifier for the user
* @param int $seconds Seconds to look back at
* @return int
*/
public function getAttempts($methodIdentifier,
$userIdentifier,
$seconds);
/**
* Registers an attempt
*
* @param string $methodIdentifier Identifier for the method
* @param string $userIdentifier Identifier for the user
* @param int $period Period in seconds how long this attempt should be stored
*/
public function registerAttempt($methodIdentifier,
$userIdentifier,
$period);
}

116
lib/private/Security/RateLimiting/Backend/MemoryCache.php Normal file
View File

@ -0,0 +1,116 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Security\RateLimiting\Backend;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\ICache;
use OCP\ICacheFactory;
/**
* Class MemoryCache uses the configured distributed memory cache for storing
* rate limiting data.
*
* @package OC\Security\RateLimiting\Backend
*/
class MemoryCache implements IBackend {
/** @var ICache */
private $cache;
/** @var ITimeFactory */
private $timeFactory;
/**
* @param ICacheFactory $cacheFactory
* @param ITimeFactory $timeFactory
*/
public function __construct(ICacheFactory $cacheFactory,
ITimeFactory $timeFactory) {
$this->cache = $cacheFactory->create(__CLASS__);
$this->timeFactory = $timeFactory;
}
/**
* @param string $methodIdentifier
* @param string $userIdentifier
* @return string
*/
private function hash($methodIdentifier,
$userIdentifier) {
return hash('sha512', $methodIdentifier . $userIdentifier);
}
/**
* @param string $identifier
* @return array
*/
private function getExistingAttempts($identifier) {
$cachedAttempts = json_decode($this->cache->get($identifier), true);
if(is_array($cachedAttempts)) {
return $cachedAttempts;
}
return [];
}
/**
* {@inheritDoc}
*/
public function getAttempts($methodIdentifier,
$userIdentifier,
$seconds) {
$identifier = $this->hash($methodIdentifier, $userIdentifier);
$existingAttempts = $this->getExistingAttempts($identifier);
$count = 0;
$currentTime = $this->timeFactory->getTime();
/** @var array $existingAttempts */
foreach ($existingAttempts as $attempt) {
if(($attempt + $seconds) > $currentTime) {
$count++;
}
}
return $count;
}
/**
* {@inheritDoc}
*/
public function registerAttempt($methodIdentifier,
$userIdentifier,
$period) {
$identifier = $this->hash($methodIdentifier, $userIdentifier);
$existingAttempts = $this->getExistingAttempts($identifier);
$currentTime = $this->timeFactory->getTime();
// Unset all attempts older than $period
foreach ($existingAttempts as $key => $attempt) {
if(($attempt + $period) < $currentTime) {
unset($existingAttempts[$key]);
}
}
$existingAttempts = array_values($existingAttempts);
// Store the new attempt
$existingAttempts[] = (string)$currentTime;
$this->cache->set($identifier, json_encode($existingAttempts));
}
}

31
lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php Normal file
View File

@ -0,0 +1,31 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Security\RateLimiting\Exception;
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
use OCP\AppFramework\Http;
class RateLimitExceededException extends SecurityException {
public function __construct() {
parent::__construct('Rate limit exceeded', Http::STATUS_TOO_MANY_REQUESTS);
}
}

106
lib/private/Security/RateLimiting/Limiter.php Normal file
View File

@ -0,0 +1,106 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Security\RateLimiting;
use OC\Security\Normalizer\IpAddress;
use OC\Security\RateLimiting\Backend\IBackend;
use OC\Security\RateLimiting\Exception\RateLimitExceededException;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IRequest;
use OCP\IUser;
use OCP\IUserSession;
class Limiter {
/** @var IBackend */
private $backend;
/** @var ITimeFactory */
private $timeFactory;
/**
* @param IUserSession $userSession
* @param IRequest $request
* @param ITimeFactory $timeFactory
* @param IBackend $backend
*/
public function __construct(IUserSession $userSession,
IRequest $request,
ITimeFactory $timeFactory,
IBackend $backend) {
$this->backend = $backend;
$this->timeFactory = $timeFactory;
}
/**
* @param string $methodIdentifier
* @param string $userIdentifier
* @param int $period
* @param int $limit
* @throws RateLimitExceededException
*/
private function register($methodIdentifier,
$userIdentifier,
$period,
$limit) {
$existingAttempts = $this->backend->getAttempts($methodIdentifier, $userIdentifier, (int)$period);
if ($existingAttempts >= (int)$limit) {
throw new RateLimitExceededException();
}
$this->backend->registerAttempt($methodIdentifier, $userIdentifier, $this->timeFactory->getTime());
}
/**
* Registers attempt for an anonymous request
*
* @param string $identifier
* @param int $anonLimit
* @param int $anonPeriod
* @param string $ip
* @throws RateLimitExceededException
*/
public function registerAnonRequest($identifier,
$anonLimit,
$anonPeriod,
$ip) {
$ipSubnet = (new IpAddress($ip))->getSubnet();
$anonHashIdentifier = hash('sha512', 'anon::' . $identifier . $ipSubnet);
$this->register($identifier, $anonHashIdentifier, $anonPeriod, $anonLimit);
}
/**
* Registers attempt for an authenticated request
*
* @param string $identifier
* @param int $userLimit
* @param int $userPeriod
* @param IUser $user
* @throws RateLimitExceededException
*/
public function registerUserRequest($identifier,
$userLimit,
$userPeriod,
IUser $user) {
$userHashIdentifier = hash('sha512', 'user::' . $identifier . $user->getUID());
$this->register($identifier, $userHashIdentifier, $userPeriod, $userLimit);
}
}

15
lib/private/Server.php
View File

@ -516,6 +516,21 @@ class Server extends ServerContainer implements IServerContainer {
});
$this->registerAlias('Search', \OCP\ISearch::class);
$this->registerService(\OC\Security\RateLimiting\Limiter::class, function($c) {
return new \OC\Security\RateLimiting\Limiter(
$this->getUserSession(),
$this->getRequest(),
new \OC\AppFramework\Utility\TimeFactory(),
$c->query(\OC\Security\RateLimiting\Backend\IBackend::class)
);
});
$this->registerService(\OC\Security\RateLimiting\Backend\IBackend::class, function($c) {
return new \OC\Security\RateLimiting\Backend\MemoryCache(
$this->getMemCacheFactory(),
new \OC\AppFramework\Utility\TimeFactory()
);
});
$this->registerService(\OCP\Security\ISecureRandom::class, function ($c) {
return new SecureRandom();
});

283
tests/lib/AppFramework/Middleware/Security/RateLimitingMiddlewareTest.php Normal file
View File

@ -0,0 +1,283 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Test\AppFramework\Middleware\Security;
use OC\AppFramework\Middleware\Security\RateLimitingMiddleware;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Security\RateLimiting\Exception\RateLimitExceededException;
use OC\Security\RateLimiting\Limiter;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\IRequest;
use OCP\IUser;
use OCP\IUserSession;
use Test\TestCase;
class RateLimitingMiddlewareTest extends TestCase {
/** @var IRequest|\PHPUnit_Framework_MockObject_MockObject */
private $request;
/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
private $userSession;
/** @var ControllerMethodReflector|\PHPUnit_Framework_MockObject_MockObject */
private $reflector;
/** @var Limiter|\PHPUnit_Framework_MockObject_MockObject */
private $limiter;
/** @var RateLimitingMiddleware */
private $rateLimitingMiddleware;
public function setUp() {
parent::setUp();
$this->request = $this->createMock(IRequest::class);
$this->userSession = $this->createMock(IUserSession::class);
$this->reflector = $this->createMock(ControllerMethodReflector::class);
$this->limiter = $this->createMock(Limiter::class);
$this->rateLimitingMiddleware = new RateLimitingMiddleware(
$this->request,
$this->userSession,
$this->reflector,
$this->limiter
);
}
public function testBeforeControllerWithoutAnnotation() {
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('');
$this->limiter
->expects($this->never())
->method('registerUserRequest');
$this->limiter
->expects($this->never())
->method('registerAnonRequest');
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
public function testBeforeControllerForAnon() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getRemoteAddress')
->willReturn('127.0.0.1');
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('100');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('10');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('');
$this->limiter
->expects($this->never())
->method('registerUserRequest');
$this->limiter
->expects($this->once())
->method('registerAnonRequest')
->with(get_class($controller) . '::testMethod', '100', '10', '127.0.0.1');
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
public function testBeforeControllerForLoggedIn() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */
$user = $this->createMock(IUser::class);
$this->userSession
->expects($this->once())
->method('isLoggedIn')
->willReturn(true);
$this->userSession
->expects($this->once())
->method('getUser')
->willReturn($user);
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('100');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('10');
$this->limiter
->expects($this->never())
->method('registerAnonRequest');
$this->limiter
->expects($this->once())
->method('registerUserRequest')
->with(get_class($controller) . '::testMethod', '100', '10', $user);
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
public function testBeforeControllerAnonWithFallback() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getRemoteAddress')
->willReturn('127.0.0.1');
$this->userSession
->expects($this->once())
->method('isLoggedIn')
->willReturn(false);
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('200');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('20');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('100');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('10');
$this->limiter
->expects($this->never())
->method('registerUserRequest');
$this->limiter
->expects($this->once())
->method('registerAnonRequest')
->with(get_class($controller) . '::testMethod', '200', '20', '127.0.0.1');
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
/**
* @expectedException \Exception
* @expectedExceptionMessage My test exception
*/
public function testAfterExceptionWithOtherException() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->rateLimitingMiddleware->afterException($controller, 'testMethod', new \Exception('My test exception'));
}
public function testAfterExceptionWithJsonBody() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getHeader')
->with('Accept')
->willReturn('JSON');
$result = $this->rateLimitingMiddleware->afterException($controller, 'testMethod', new RateLimitExceededException());
$expected = new JSONResponse(
[
'message' => 'Rate limit exceeded',
],
429
);
$this->assertEquals($expected, $result);
}
public function testAfterExceptionWithHtmlBody() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getHeader')
->with('Accept')
->willReturn('html');
$result = $this->rateLimitingMiddleware->afterException($controller, 'testMethod', new RateLimitExceededException());
$expected = new TemplateResponse(
'core',
'403',
[
'file' => 'Rate limit exceeded',
],
'guest'
);
$expected->setStatus(429);
$this->assertEquals($expected, $result);
}
}

26
tests/lib/AppFramework/Utility/ControllerMethodReflectorTest.php
View File

@ -75,18 +75,32 @@ class ControllerMethodReflectorTest extends \Test\TestCase {
$this->assertTrue($reader->hasAnnotation('Annotation'));
}
/**
* @Annotation parameter
* @Annotation(parameter=value)
*/
public function testGetAnnotationParameter(){
public function testGetAnnotationParameterSingle() {
$reader = new ControllerMethodReflector();
$reader->reflect(
'\Test\AppFramework\Utility\ControllerMethodReflectorTest',
'testGetAnnotationParameter'
__CLASS__,
__FUNCTION__
);
$this->assertSame('parameter', $reader->getAnnotationParameter('Annotation'));
$this->assertSame('value', $reader->getAnnotationParameter('Annotation', 'parameter'));
}
/**
* @Annotation(parameter1=value1, parameter2=value2,parameter3=value3)
*/
public function testGetAnnotationParameterMultiple() {
$reader = new ControllerMethodReflector();
$reader->reflect(
__CLASS__,
__FUNCTION__
);
$this->assertSame('value1', $reader->getAnnotationParameter('Annotation', 'parameter1'));
$this->assertSame('value2', $reader->getAnnotationParameter('Annotation', 'parameter2'));
$this->assertSame('value3', $reader->getAnnotationParameter('Annotation', 'parameter3'));
}
/**

45
tests/lib/Security/Bruteforce/ThrottlerTest.php
View File

@ -76,51 +76,6 @@ class ThrottlerTest extends TestCase {
$this->assertLessThan(2, $cutoff->s);
}
public function testSubnet() {
// IPv4
$this->assertSame(
'64.233.191.254/32',
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 32])
);
$this->assertSame(
'64.233.191.252/30',
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 30])
);
$this->assertSame(
'64.233.191.240/28',
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 28])
);
$this->assertSame(
'64.233.191.0/24',
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 24])
);
$this->assertSame(
'64.233.188.0/22',
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 22])
);
// IPv6
$this->assertSame(
'2001:db8:85a3::8a2e:370:7334/127',
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 127])
);
$this->assertSame(
'2001:db8:85a3::8a2e:370:7300/120',
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7300', 120])
);
$this->assertSame(
'2001:db8:85a3::/64',
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 64])
);
$this->assertSame(
'2001:db8:85a3::/48',
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 48])
);
$this->assertSame(
'2001:db8:8500::/40',
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 40])
);
}
public function dataIsIPWhitelisted() {
return [
[

59
tests/lib/Security/Normalizer/IpAddressTest.php Normal file
View File

@ -0,0 +1,59 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Test\Security\Normalizer;
use OC\Security\Normalizer\IpAddress;
use Test\TestCase;
class IpAddressTest extends TestCase {
public function subnetDataProvider() {
return [
[
'64.233.191.254',
'64.233.191.254/32',
],
[
'192.168.0.123',
'192.168.0.123/32',
],
[
'2001:0db8:85a3:0000:0000:8a2e:0370:7334',
'2001:db8:85a3::8a2e:370:7334/128',
],
];
}
/**
* @dataProvider subnetDataProvider
*
* @param string $input
* @param string $expected
*/
public function testGetSubnet($input, $expected) {
$this->assertSame($expected, (new IpAddress($input))->getSubnet());
}
public function testToString() {
$this->assertSame('127.0.0.1', (string)(new IpAddress('127.0.0.1')));
}
}

146
tests/lib/Security/RateLimiting/Backend/MemoryCacheTest.php Normal file
View File

@ -0,0 +1,146 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Test\Security\RateLimiting\Backend;
use OC\Security\RateLimiting\Backend\MemoryCache;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\ICache;
use OCP\ICacheFactory;
use Test\TestCase;
class MemoryCacheTest extends TestCase {
/** @var ICacheFactory|\PHPUnit_Framework_MockObject_MockObject */
private $cacheFactory;
/** @var ITimeFactory|\PHPUnit_Framework_MockObject_MockObject */
private $timeFactory;
/** @var ICache|\PHPUnit_Framework_MockObject_MockObject */
private $cache;
/** @var MemoryCache */
private $memoryCache;
public function setUp() {
parent::setUp();
$this->cacheFactory = $this->createMock(ICacheFactory::class);
$this->timeFactory = $this->createMock(ITimeFactory::class);
$this->cache = $this->createMock(ICache::class);
$this->cacheFactory
->expects($this->once())
->method('create')
->with('OC\Security\RateLimiting\Backend\MemoryCache')
->willReturn($this->cache);
$this->memoryCache = new MemoryCache(
$this->cacheFactory,
$this->timeFactory
);
}
public function testGetAttemptsWithNoAttemptsBefore() {
$this->cache
->expects($this->once())
->method('get')
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
->willReturn(false);
$this->assertSame(0, $this->memoryCache->getAttempts('Method', 'User', 123));
}
public function testGetAttempts() {
$this->timeFactory
->expects($this->once())
->method('getTime')
->willReturn(210);
$this->cache
->expects($this->once())
->method('get')
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
->willReturn(json_encode([
'1',
'2',
'87',
'123',
'123',
'124',
]));
$this->assertSame(3, $this->memoryCache->getAttempts('Method', 'User', 123));
}
public function testRegisterAttemptWithNoAttemptsBefore() {
$this->timeFactory
->expects($this->once())
->method('getTime')
->willReturn(123);
$this->cache
->expects($this->once())
->method('get')
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
->willReturn(false);
$this->cache
->expects($this->once())
->method('set')
->with(
'eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b',
json_encode(['123'])
);
$this->memoryCache->registerAttempt('Method', 'User', 100);
}
public function testRegisterAttempt() {
$this->timeFactory
->expects($this->once())
->method('getTime')
->willReturn(129);
$this->cache
->expects($this->once())
->method('get')
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
->willReturn(json_encode([
'1',
'2',
'87',
'123',
'123',
'124',
]));
$this->cache
->expects($this->once())
->method('set')
->with(
'eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b',
json_encode([
'87',
'123',
'123',
'124',
'129',
])
);
$this->memoryCache->registerAttempt('Method', 'User', 100);
}
}

161
tests/lib/Security/RateLimiting/LimiterTest.php Normal file
View File

@ -0,0 +1,161 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Test\Security\RateLimiting;
use OC\Security\RateLimiting\Backend\IBackend;
use OC\Security\RateLimiting\Limiter;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\ICacheFactory;
use OCP\IRequest;
use OCP\IUser;
use OCP\IUserSession;
use Test\TestCase;
class LimiterTest extends TestCase {
/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
private $userSession;
/** @var IRequest|\PHPUnit_Framework_MockObject_MockObject */
private $request;
/** @var ITimeFactory|\PHPUnit_Framework_MockObject_MockObject */
private $timeFactory;
/** @var IBackend|\PHPUnit_Framework_MockObject_MockObject */
private $backend;
/** @var Limiter */
private $limiter;
public function setUp() {
parent::setUp();
$this->userSession = $this->createMock(IUserSession::class);
$this->request = $this->createMock(IRequest::class);
$this->timeFactory = $this->createMock(ITimeFactory::class);
$this->backend = $this->createMock(IBackend::class);
$this->limiter = new Limiter(
$this->userSession,
$this->request,
$this->timeFactory,
$this->backend
);
}
/**
* @expectedException \OC\Security\RateLimiting\Exception\RateLimitExceededException
* @expectedExceptionMessage Rate limit exceeded
*/
public function testRegisterAnonRequestExceeded() {
$this->backend
->expects($this->once())
->method('getAttempts')
->with(
'MyIdentifier',
'4664f0d9c88dcb7552be47b37bb52ce35977b2e60e1ac13757cf625f31f87050a41f3da064887fa87d49fd042e4c8eb20de8f10464877d3959677ab011b73a47',
100
)
->willReturn(101);
$this->limiter->registerAnonRequest('MyIdentifier', 100, 100, '127.0.0.1');
}
public function testRegisterAnonRequestSuccess() {
$this->timeFactory
->expects($this->once())
->method('getTime')
->willReturn(2000);
$this->backend
->expects($this->once())
->method('getAttempts')
->with(
'MyIdentifier',
'4664f0d9c88dcb7552be47b37bb52ce35977b2e60e1ac13757cf625f31f87050a41f3da064887fa87d49fd042e4c8eb20de8f10464877d3959677ab011b73a47',
100
)
->willReturn(99);
$this->backend
->expects($this->once())
->method('registerAttempt')
->with(
'MyIdentifier',
'4664f0d9c88dcb7552be47b37bb52ce35977b2e60e1ac13757cf625f31f87050a41f3da064887fa87d49fd042e4c8eb20de8f10464877d3959677ab011b73a47',
2000
);
$this->limiter->registerAnonRequest('MyIdentifier', 100, 100, '127.0.0.1');
}
/**
* @expectedException \OC\Security\RateLimiting\Exception\RateLimitExceededException
* @expectedExceptionMessage Rate limit exceeded
*/
public function testRegisterUserRequestExceeded() {
/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */
$user = $this->createMock(IUser::class);
$user
->expects($this->once())
->method('getUID')
->willReturn('MyUid');
$this->backend
->expects($this->once())
->method('getAttempts')
->with(
'MyIdentifier',
'ddb2ec50fa973fd49ecf3d816f677c8095143e944ad10485f30fb3dac85c13a346dace4dae2d0a15af91867320957bfd38a43d9eefbb74fe6919e15119b6d805',
100
)
->willReturn(101);
$this->limiter->registerUserRequest('MyIdentifier', 100, 100, $user);
}
public function testRegisterUserRequestSuccess() {
/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */
$user = $this->createMock(IUser::class);
$user
->expects($this->once())
->method('getUID')
->willReturn('MyUid');
$this->timeFactory
->expects($this->once())
->method('getTime')
->willReturn(2000);
$this->backend
->expects($this->once())
->method('getAttempts')
->with(
'MyIdentifier',
'ddb2ec50fa973fd49ecf3d816f677c8095143e944ad10485f30fb3dac85c13a346dace4dae2d0a15af91867320957bfd38a43d9eefbb74fe6919e15119b6d805',
100
)
->willReturn(99);
$this->backend
->expects($this->once())
->method('registerAttempt')
->with(
'MyIdentifier',
'ddb2ec50fa973fd49ecf3d816f677c8095143e944ad10485f30fb3dac85c13a346dace4dae2d0a15af91867320957bfd38a43d9eefbb74fe6919e15119b6d805',
2000
);
$this->limiter->registerUserRequest('MyIdentifier', 100, 100, $user);
}
}