Merge pull request #4336 from nextcloud/add-ratelimiting
Add support for ratelimiting via annotations
This commit is contained in:
commit
f3dbfd68a2
13
.drone.yml
13
.drone.yml
|
@ -277,6 +277,18 @@ pipeline:
|
|||
when:
|
||||
matrix:
|
||||
TESTS: integration-maintenance-mode
|
||||
integration-ratelimiting:
|
||||
image: nextcloudci/integration-php7.0:integration-php7.0-3
|
||||
commands:
|
||||
- ./occ maintenance:install --admin-pass=admin
|
||||
- ./occ config:system:set --type string --value "\\OC\\Memcache\\Redis" memcache.local
|
||||
- ./occ config:system:set --type string --value "\\OC\\Memcache\\Redis" memcache.distributed
|
||||
- ./occ app:enable testing
|
||||
- cd build/integration
|
||||
- ./run.sh features/ratelimiting.feature
|
||||
when:
|
||||
matrix:
|
||||
TESTS: integration-ratelimiting
|
||||
integration-carddav:
|
||||
image: nextcloudci/integration-php7.0:integration-php7.0-3
|
||||
commands:
|
||||
|
@ -516,6 +528,7 @@ matrix:
|
|||
- TESTS: integration-capabilities_features
|
||||
- TESTS: integration-federation_features
|
||||
- TESTS: integration-maintenance-mode
|
||||
- TESTS: integration-ratelimiting
|
||||
- TESTS: integration-auth
|
||||
- TESTS: integration-carddav
|
||||
- TESTS: integration-dav-v2
|
||||
|
|
|
@ -120,7 +120,7 @@ class MountPublicLinkController extends Controller {
|
|||
*
|
||||
* @NoCSRFRequired
|
||||
* @PublicPage
|
||||
* @BruteForceProtection publicLink2FederatedShare
|
||||
* @BruteForceProtection(action=publicLink2FederatedShare)
|
||||
*
|
||||
* @param string $shareWith
|
||||
* @param string $token
|
||||
|
|
|
@ -160,7 +160,7 @@ class ShareController extends Controller {
|
|||
/**
|
||||
* @PublicPage
|
||||
* @UseSession
|
||||
* @BruteForceProtection publicLinkAuth
|
||||
* @BruteForceProtection(action=publicLinkAuth)
|
||||
*
|
||||
* Authenticates against password-protected shares
|
||||
* @param string $token
|
||||
|
|
|
@ -25,12 +25,32 @@ namespace OCA\Testing\AppInfo;
|
|||
use OCA\Testing\Config;
|
||||
use OCA\Testing\Locking\Provisioning;
|
||||
use OCP\API;
|
||||
use OCP\AppFramework\App;
|
||||
|
||||
$config = new Config(
|
||||
\OC::$server->getConfig(),
|
||||
\OC::$server->getRequest()
|
||||
);
|
||||
|
||||
$app = new App('testing');
|
||||
$app->registerRoutes(
|
||||
$this,
|
||||
[
|
||||
'routes' => [
|
||||
[
|
||||
'name' => 'RateLimitTest#userAndAnonProtected',
|
||||
'url' => '/userAndAnonProtected',
|
||||
'verb' => 'GET',
|
||||
],
|
||||
[
|
||||
'name' => 'RateLimitTest#onlyAnonProtected',
|
||||
'url' => '/anonProtected',
|
||||
'verb' => 'GET',
|
||||
],
|
||||
]
|
||||
]
|
||||
);
|
||||
|
||||
API::register(
|
||||
'post',
|
||||
'/apps/testing/api/v1/app/{appid}/{configkey}',
|
||||
|
|
|
@ -0,0 +1,52 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace OCA\Testing\Controller;
|
||||
|
||||
use OCP\AppFramework\Controller;
|
||||
use OCP\AppFramework\Http\JSONResponse;
|
||||
|
||||
class RateLimitTestController extends Controller {
|
||||
/**
|
||||
* @PublicPage
|
||||
* @NoCSRFRequired
|
||||
*
|
||||
* @UserRateThrottle(limit=5, period=100)
|
||||
* @AnonRateThrottle(limit=1, period=100)
|
||||
*
|
||||
* @return JSONResponse
|
||||
*/
|
||||
public function userAndAnonProtected() {
|
||||
return new JSONResponse();
|
||||
}
|
||||
|
||||
/**
|
||||
* @PublicPage
|
||||
* @NoCSRFRequired
|
||||
*
|
||||
* @AnonRateThrottle(limit=1, period=10)
|
||||
*
|
||||
* @return JSONResponse
|
||||
*/
|
||||
public function onlyAnonProtected() {
|
||||
return new JSONResponse();
|
||||
}
|
||||
}
|
|
@ -0,0 +1,58 @@
|
|||
Feature: ratelimiting
|
||||
|
||||
Background:
|
||||
Given user "user0" exists
|
||||
Given As an "admin"
|
||||
Given app "testing" is enabled
|
||||
|
||||
Scenario: Accessing a page with only an AnonRateThrottle as user
|
||||
Given user "user0" exists
|
||||
# First request should work
|
||||
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
|
||||
Then the HTTP status code should be "200"
|
||||
# Second one should fail
|
||||
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
|
||||
Then the HTTP status code should be "429"
|
||||
# After 11 seconds the next request should work
|
||||
And Sleep for "11" seconds
|
||||
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
|
||||
Then the HTTP status code should be "200"
|
||||
|
||||
Scenario: Accessing a page with only an AnonRateThrottle as guest
|
||||
Given Sleep for "11" seconds
|
||||
# First request should work
|
||||
When requesting "/index.php/apps/testing/anonProtected" with "GET"
|
||||
Then the HTTP status code should be "200"
|
||||
# Second one should fail
|
||||
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
|
||||
Then the HTTP status code should be "429"
|
||||
# After 11 seconds the next request should work
|
||||
And Sleep for "11" seconds
|
||||
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
|
||||
Then the HTTP status code should be "200"
|
||||
|
||||
Scenario: Accessing a page with UserRateThrottle and AnonRateThrottle
|
||||
# First request should work as guest
|
||||
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
|
||||
Then the HTTP status code should be "200"
|
||||
# Second request should fail as guest
|
||||
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
|
||||
Then the HTTP status code should be "429"
|
||||
# First request should work as user
|
||||
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
|
||||
Then the HTTP status code should be "200"
|
||||
# Second request should work as user
|
||||
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
|
||||
Then the HTTP status code should be "200"
|
||||
# Third request should work as user
|
||||
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
|
||||
Then the HTTP status code should be "200"
|
||||
# Fourth request should work as user
|
||||
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
|
||||
Then the HTTP status code should be "200"
|
||||
# Fifth request should work as user
|
||||
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
|
||||
Then the HTTP status code should be "200"
|
||||
# Sixth request should fail as user
|
||||
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
|
||||
Then the HTTP status code should be "429"
|
|
@ -204,7 +204,7 @@ class LostController extends Controller {
|
|||
|
||||
/**
|
||||
* @PublicPage
|
||||
* @BruteForceProtection passwordResetEmail
|
||||
* @BruteForceProtection(action=passwordResetEmail)
|
||||
*
|
||||
* @param string $user
|
||||
* @return array
|
||||
|
|
|
@ -298,6 +298,7 @@ return array(
|
|||
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/NotLoggedInException.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\SecurityException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/SecurityException.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\StrictCookieMissingException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/StrictCookieMissingException.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\RateLimitingMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php',
|
||||
'OC\\AppFramework\\Middleware\\SessionMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/SessionMiddleware.php',
|
||||
'OC\\AppFramework\\OCS\\BaseResponse' => $baseDir . '/lib/private/AppFramework/OCS/BaseResponse.php',
|
||||
|
@ -742,6 +743,11 @@ return array(
|
|||
'OC\\Security\\IdentityProof\\Key' => $baseDir . '/lib/private/Security/IdentityProof/Key.php',
|
||||
'OC\\Security\\IdentityProof\\Manager' => $baseDir . '/lib/private/Security/IdentityProof/Manager.php',
|
||||
'OC\\Security\\IdentityProof\\Signer' => $baseDir . '/lib/private/Security/IdentityProof/Signer.php',
|
||||
'OC\\Security\\Normalizer\\IpAddress' => $baseDir . '/lib/private/Security/Normalizer/IpAddress.php',
|
||||
'OC\\Security\\RateLimiting\\Backend\\IBackend' => $baseDir . '/lib/private/Security/RateLimiting/Backend/IBackend.php',
|
||||
'OC\\Security\\RateLimiting\\Backend\\MemoryCache' => $baseDir . '/lib/private/Security/RateLimiting/Backend/MemoryCache.php',
|
||||
'OC\\Security\\RateLimiting\\Exception\\RateLimitExceededException' => $baseDir . '/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php',
|
||||
'OC\\Security\\RateLimiting\\Limiter' => $baseDir . '/lib/private/Security/RateLimiting/Limiter.php',
|
||||
'OC\\Security\\SecureRandom' => $baseDir . '/lib/private/Security/SecureRandom.php',
|
||||
'OC\\Security\\TrustedDomainHelper' => $baseDir . '/lib/private/Security/TrustedDomainHelper.php',
|
||||
'OC\\Server' => $baseDir . '/lib/private/Server.php',
|
||||
|
|
|
@ -328,6 +328,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
|
|||
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/NotLoggedInException.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\SecurityException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/SecurityException.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\StrictCookieMissingException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/StrictCookieMissingException.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\RateLimitingMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php',
|
||||
'OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php',
|
||||
'OC\\AppFramework\\Middleware\\SessionMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/SessionMiddleware.php',
|
||||
'OC\\AppFramework\\OCS\\BaseResponse' => __DIR__ . '/../../..' . '/lib/private/AppFramework/OCS/BaseResponse.php',
|
||||
|
@ -772,6 +773,11 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
|
|||
'OC\\Security\\IdentityProof\\Key' => __DIR__ . '/../../..' . '/lib/private/Security/IdentityProof/Key.php',
|
||||
'OC\\Security\\IdentityProof\\Manager' => __DIR__ . '/../../..' . '/lib/private/Security/IdentityProof/Manager.php',
|
||||
'OC\\Security\\IdentityProof\\Signer' => __DIR__ . '/../../..' . '/lib/private/Security/IdentityProof/Signer.php',
|
||||
'OC\\Security\\Normalizer\\IpAddress' => __DIR__ . '/../../..' . '/lib/private/Security/Normalizer/IpAddress.php',
|
||||
'OC\\Security\\RateLimiting\\Backend\\IBackend' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Backend/IBackend.php',
|
||||
'OC\\Security\\RateLimiting\\Backend\\MemoryCache' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Backend/MemoryCache.php',
|
||||
'OC\\Security\\RateLimiting\\Exception\\RateLimitExceededException' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php',
|
||||
'OC\\Security\\RateLimiting\\Limiter' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Limiter.php',
|
||||
'OC\\Security\\SecureRandom' => __DIR__ . '/../../..' . '/lib/private/Security/SecureRandom.php',
|
||||
'OC\\Security\\TrustedDomainHelper' => __DIR__ . '/../../..' . '/lib/private/Security/TrustedDomainHelper.php',
|
||||
'OC\\Server' => __DIR__ . '/../../..' . '/lib/private/Server.php',
|
||||
|
|
|
@ -40,6 +40,7 @@ use OC\AppFramework\Http\Output;
|
|||
use OC\AppFramework\Middleware\MiddlewareDispatcher;
|
||||
use OC\AppFramework\Middleware\Security\CORSMiddleware;
|
||||
use OC\AppFramework\Middleware\OCSMiddleware;
|
||||
use OC\AppFramework\Middleware\Security\RateLimitingMiddleware;
|
||||
use OC\AppFramework\Middleware\Security\SecurityMiddleware;
|
||||
use OC\AppFramework\Middleware\SessionMiddleware;
|
||||
use OC\AppFramework\Utility\SimpleContainer;
|
||||
|
@ -169,7 +170,6 @@ class DIContainer extends SimpleContainer implements IAppContainer {
|
|||
);
|
||||
});
|
||||
|
||||
|
||||
/**
|
||||
* App Framework APIs
|
||||
*/
|
||||
|
@ -230,6 +230,18 @@ class DIContainer extends SimpleContainer implements IAppContainer {
|
|||
|
||||
});
|
||||
|
||||
$this->registerService('RateLimitingMiddleware', function($c) use ($app) {
|
||||
/** @var \OC\Server $server */
|
||||
$server = $app->getServer();
|
||||
|
||||
return new RateLimitingMiddleware(
|
||||
$server->getRequest(),
|
||||
$server->getUserSession(),
|
||||
$c['ControllerMethodReflector'],
|
||||
$c->query(OC\Security\RateLimiting\Limiter::class)
|
||||
);
|
||||
});
|
||||
|
||||
$this->registerService('CORSMiddleware', function($c) {
|
||||
return new CORSMiddleware(
|
||||
$c['Request'],
|
||||
|
@ -270,6 +282,7 @@ class DIContainer extends SimpleContainer implements IAppContainer {
|
|||
$dispatcher->registerMiddleware($c['OCSMiddleware']);
|
||||
$dispatcher->registerMiddleware($c['SecurityMiddleware']);
|
||||
$dispatcher->registerMiddleWare($c['TwoFactorMiddleware']);
|
||||
$dispatcher->registerMiddleware($c['RateLimitingMiddleware']);
|
||||
|
||||
foreach($middleWares as $middleWare) {
|
||||
$dispatcher->registerMiddleware($c[$middleWare]);
|
||||
|
|
|
@ -0,0 +1,134 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace OC\AppFramework\Middleware\Security;
|
||||
|
||||
use OC\AppFramework\Utility\ControllerMethodReflector;
|
||||
use OC\Security\RateLimiting\Exception\RateLimitExceededException;
|
||||
use OC\Security\RateLimiting\Limiter;
|
||||
use OCP\AppFramework\Http\JSONResponse;
|
||||
use OCP\AppFramework\Http\Response;
|
||||
use OCP\AppFramework\Http\TemplateResponse;
|
||||
use OCP\AppFramework\Middleware;
|
||||
use OCP\IRequest;
|
||||
use OCP\IUserSession;
|
||||
|
||||
/**
|
||||
* Class RateLimitingMiddleware is the middleware responsible for implementing the
|
||||
* ratelimiting in Nextcloud.
|
||||
*
|
||||
* It parses annotations such as:
|
||||
*
|
||||
* @UserRateThrottle(limit=5, period=100)
|
||||
* @AnonRateThrottle(limit=1, period=100)
|
||||
*
|
||||
* Those annotations above would mean that logged-in users can access the page 5
|
||||
* times within 100 seconds, and anonymous users 1 time within 100 seconds. If
|
||||
* only an AnonRateThrottle is specified that one will also be applied to logged-in
|
||||
* users.
|
||||
*
|
||||
* @package OC\AppFramework\Middleware\Security
|
||||
*/
|
||||
class RateLimitingMiddleware extends Middleware {
|
||||
/** @var IRequest $request */
|
||||
private $request;
|
||||
/** @var IUserSession */
|
||||
private $userSession;
|
||||
/** @var ControllerMethodReflector */
|
||||
private $reflector;
|
||||
/** @var Limiter */
|
||||
private $limiter;
|
||||
|
||||
/**
|
||||
* @param IRequest $request
|
||||
* @param IUserSession $userSession
|
||||
* @param ControllerMethodReflector $reflector
|
||||
* @param Limiter $limiter
|
||||
*/
|
||||
public function __construct(IRequest $request,
|
||||
IUserSession $userSession,
|
||||
ControllerMethodReflector $reflector,
|
||||
Limiter $limiter) {
|
||||
$this->request = $request;
|
||||
$this->userSession = $userSession;
|
||||
$this->reflector = $reflector;
|
||||
$this->limiter = $limiter;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
* @throws RateLimitExceededException
|
||||
*/
|
||||
public function beforeController($controller, $methodName) {
|
||||
parent::beforeController($controller, $methodName);
|
||||
|
||||
$anonLimit = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'limit');
|
||||
$anonPeriod = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'period');
|
||||
$userLimit = $this->reflector->getAnnotationParameter('UserRateThrottle', 'limit');
|
||||
$userPeriod = $this->reflector->getAnnotationParameter('UserRateThrottle', 'period');
|
||||
$rateLimitIdentifier = get_class($controller) . '::' . $methodName;
|
||||
if($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) {
|
||||
$this->limiter->registerUserRequest(
|
||||
$rateLimitIdentifier,
|
||||
$userLimit,
|
||||
$userPeriod,
|
||||
$this->userSession->getUser()
|
||||
);
|
||||
} elseif ($anonLimit !== '' && $anonPeriod !== '') {
|
||||
$this->limiter->registerAnonRequest(
|
||||
$rateLimitIdentifier,
|
||||
$anonLimit,
|
||||
$anonPeriod,
|
||||
$this->request->getRemoteAddress()
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
public function afterException($controller, $methodName, \Exception $exception) {
|
||||
if($exception instanceof RateLimitExceededException) {
|
||||
if (stripos($this->request->getHeader('Accept'),'html') === false) {
|
||||
$response = new JSONResponse(
|
||||
[
|
||||
'message' => $exception->getMessage(),
|
||||
],
|
||||
$exception->getCode()
|
||||
);
|
||||
} else {
|
||||
$response = new TemplateResponse(
|
||||
'core',
|
||||
'403',
|
||||
[
|
||||
'file' => $exception->getMessage()
|
||||
],
|
||||
'guest'
|
||||
);
|
||||
$response->setStatus($exception->getCode());
|
||||
}
|
||||
|
||||
return $response;
|
||||
}
|
||||
|
||||
throw $exception;
|
||||
}
|
||||
}
|
|
@ -192,7 +192,7 @@ class SecurityMiddleware extends Middleware {
|
|||
}
|
||||
|
||||
if($this->reflector->hasAnnotation('BruteForceProtection')) {
|
||||
$action = $this->reflector->getAnnotationParameter('BruteForceProtection');
|
||||
$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
|
||||
$this->throttler->sleepDelay($this->request->getRemoteAddress(), $action);
|
||||
$this->throttler->registerAttempt($action, $this->request->getRemoteAddress());
|
||||
}
|
||||
|
|
|
@ -24,27 +24,17 @@
|
|||
*
|
||||
*/
|
||||
|
||||
|
||||
namespace OC\AppFramework\Utility;
|
||||
|
||||
use \OCP\AppFramework\Utility\IControllerMethodReflector;
|
||||
|
||||
|
||||
/**
|
||||
* Reads and parses annotations from doc comments
|
||||
*/
|
||||
class ControllerMethodReflector implements IControllerMethodReflector{
|
||||
|
||||
private $annotations;
|
||||
private $types;
|
||||
private $parameters;
|
||||
|
||||
public function __construct() {
|
||||
$this->types = array();
|
||||
$this->parameters = array();
|
||||
$this->annotations = array();
|
||||
}
|
||||
|
||||
class ControllerMethodReflector implements IControllerMethodReflector {
|
||||
public $annotations = [];
|
||||
private $types = [];
|
||||
private $parameters = [];
|
||||
|
||||
/**
|
||||
* @param object $object an object or classname
|
||||
|
@ -55,9 +45,21 @@ class ControllerMethodReflector implements IControllerMethodReflector{
|
|||
$docs = $reflection->getDocComment();
|
||||
|
||||
// extract everything prefixed by @ and first letter uppercase
|
||||
preg_match_all('/^\h+\*\h+@(?P<annotation>[A-Z]\w+)(\h+(?P<parameter>\w+))?$/m', $docs, $matches);
|
||||
preg_match_all('/^\h+\*\h+@(?P<annotation>[A-Z]\w+)((?P<parameter>.*))?$/m', $docs, $matches);
|
||||
foreach($matches['annotation'] as $key => $annontation) {
|
||||
$this->annotations[$annontation] = $matches['parameter'][$key];
|
||||
$annotationValue = $matches['parameter'][$key];
|
||||
if(isset($annotationValue[0]) && $annotationValue[0] === '(' && $annotationValue[strlen($annotationValue) - 1] === ')') {
|
||||
$cutString = substr($annotationValue, 1, -1);
|
||||
$cutString = str_replace(' ', '', $cutString);
|
||||
$splittedArray = explode(',', $cutString);
|
||||
foreach($splittedArray as $annotationValues) {
|
||||
list($key, $value) = explode('=', $annotationValues);
|
||||
$this->annotations[$annontation][$key] = $value;
|
||||
}
|
||||
continue;
|
||||
}
|
||||
|
||||
$this->annotations[$annontation] = [$annotationValue];
|
||||
}
|
||||
|
||||
// extract type parameter information
|
||||
|
@ -83,7 +85,6 @@ class ControllerMethodReflector implements IControllerMethodReflector{
|
|||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Inspects the PHPDoc parameters for types
|
||||
* @param string $parameter the parameter whose type comments should be
|
||||
|
@ -99,7 +100,6 @@ class ControllerMethodReflector implements IControllerMethodReflector{
|
|||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @return array the arguments of the method with key => default value
|
||||
*/
|
||||
|
@ -107,30 +107,27 @@ class ControllerMethodReflector implements IControllerMethodReflector{
|
|||
return $this->parameters;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Check if a method contains an annotation
|
||||
* @param string $name the name of the annotation
|
||||
* @return bool true if the annotation is found
|
||||
*/
|
||||
public function hasAnnotation($name){
|
||||
public function hasAnnotation($name) {
|
||||
return array_key_exists($name, $this->annotations);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Get optional annotation parameter
|
||||
* Get optional annotation parameter by key
|
||||
*
|
||||
* @param string $name the name of the annotation
|
||||
* @param string $key the string of the annotation
|
||||
* @return string
|
||||
*/
|
||||
public function getAnnotationParameter($name){
|
||||
$parameter = '';
|
||||
if($this->hasAnnotation($name)) {
|
||||
$parameter = $this->annotations[$name];
|
||||
public function getAnnotationParameter($name, $key) {
|
||||
if(isset($this->annotations[$name][$key])) {
|
||||
return $this->annotations[$name][$key];
|
||||
}
|
||||
|
||||
return $parameter;
|
||||
return '';
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
|
|
@ -23,6 +23,7 @@
|
|||
|
||||
namespace OC\Security\Bruteforce;
|
||||
|
||||
use OC\Security\Normalizer\IpAddress;
|
||||
use OCP\AppFramework\Utility\ITimeFactory;
|
||||
use OCP\IConfig;
|
||||
use OCP\IDBConnection;
|
||||
|
@ -82,67 +83,6 @@ class Throttler {
|
|||
return $d2->diff($d1);
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the given subnet for an IPv4 address and mask bits
|
||||
*
|
||||
* @param string $ip
|
||||
* @param int $maskBits
|
||||
* @return string
|
||||
*/
|
||||
private function getIPv4Subnet($ip,
|
||||
$maskBits = 32) {
|
||||
$binary = \inet_pton($ip);
|
||||
for ($i = 32; $i > $maskBits; $i -= 8) {
|
||||
$j = \intdiv($i, 8) - 1;
|
||||
$k = (int) \min(8, $i - $maskBits);
|
||||
$mask = (0xff - ((pow(2, $k)) - 1));
|
||||
$int = \unpack('C', $binary[$j]);
|
||||
$binary[$j] = \pack('C', $int[1] & $mask);
|
||||
}
|
||||
return \inet_ntop($binary).'/'.$maskBits;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the given subnet for an IPv6 address and mask bits
|
||||
*
|
||||
* @param string $ip
|
||||
* @param int $maskBits
|
||||
* @return string
|
||||
*/
|
||||
private function getIPv6Subnet($ip, $maskBits = 48) {
|
||||
$binary = \inet_pton($ip);
|
||||
for ($i = 128; $i > $maskBits; $i -= 8) {
|
||||
$j = \intdiv($i, 8) - 1;
|
||||
$k = (int) \min(8, $i - $maskBits);
|
||||
$mask = (0xff - ((pow(2, $k)) - 1));
|
||||
$int = \unpack('C', $binary[$j]);
|
||||
$binary[$j] = \pack('C', $int[1] & $mask);
|
||||
}
|
||||
return \inet_ntop($binary).'/'.$maskBits;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the given subnet for an IP and the configured mask bits
|
||||
*
|
||||
* Determine if the IP is an IPv4 or IPv6 address, then pass to the correct
|
||||
* method for handling that specific type.
|
||||
*
|
||||
* @param string $ip
|
||||
* @return string
|
||||
*/
|
||||
private function getSubnet($ip) {
|
||||
if (\preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $ip)) {
|
||||
return $this->getIPv4Subnet(
|
||||
$ip,
|
||||
32
|
||||
);
|
||||
}
|
||||
return $this->getIPv6Subnet(
|
||||
$ip,
|
||||
128
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Register a failed attempt to bruteforce a security control
|
||||
*
|
||||
|
@ -158,11 +98,12 @@ class Throttler {
|
|||
return;
|
||||
}
|
||||
|
||||
$ipAddress = new IpAddress($ip);
|
||||
$values = [
|
||||
'action' => $action,
|
||||
'occurred' => $this->timeFactory->getTime(),
|
||||
'ip' => $ip,
|
||||
'subnet' => $this->getSubnet($ip),
|
||||
'ip' => (string)$ipAddress,
|
||||
'subnet' => $ipAddress->getSubnet(),
|
||||
'metadata' => json_encode($metadata),
|
||||
];
|
||||
|
||||
|
@ -254,7 +195,8 @@ class Throttler {
|
|||
* @return int
|
||||
*/
|
||||
public function getDelay($ip, $action = '') {
|
||||
if ($this->isIPWhitelisted($ip)) {
|
||||
$ipAddress = new IpAddress($ip);
|
||||
if ($this->isIPWhitelisted((string)$ipAddress)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -266,7 +208,7 @@ class Throttler {
|
|||
$qb->select('*')
|
||||
->from('bruteforce_attempts')
|
||||
->where($qb->expr()->gt('occurred', $qb->createNamedParameter($cutoffTime)))
|
||||
->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($this->getSubnet($ip))));
|
||||
->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($ipAddress->getSubnet())));
|
||||
|
||||
if ($action !== '') {
|
||||
$qb->andWhere($qb->expr()->eq('action', $qb->createNamedParameter($action)));
|
||||
|
|
|
@ -0,0 +1,106 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace OC\Security\Normalizer;
|
||||
|
||||
/**
|
||||
* Class IpAddress is used for normalizing IPv4 and IPv6 addresses in security
|
||||
* relevant contexts in Nextcloud.
|
||||
*
|
||||
* @package OC\Security\Normalizer
|
||||
*/
|
||||
class IpAddress {
|
||||
/** @var string */
|
||||
private $ip;
|
||||
|
||||
/**
|
||||
* @param string $ip IP to normalized
|
||||
*/
|
||||
public function __construct($ip) {
|
||||
$this->ip = $ip;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the given subnet for an IPv4 address and mask bits
|
||||
*
|
||||
* @param string $ip
|
||||
* @param int $maskBits
|
||||
* @return string
|
||||
*/
|
||||
private function getIPv4Subnet($ip,
|
||||
$maskBits = 32) {
|
||||
$binary = \inet_pton($ip);
|
||||
for ($i = 32; $i > $maskBits; $i -= 8) {
|
||||
$j = \intdiv($i, 8) - 1;
|
||||
$k = (int) \min(8, $i - $maskBits);
|
||||
$mask = (0xff - ((pow(2, $k)) - 1));
|
||||
$int = \unpack('C', $binary[$j]);
|
||||
$binary[$j] = \pack('C', $int[1] & $mask);
|
||||
}
|
||||
return \inet_ntop($binary).'/'.$maskBits;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the given subnet for an IPv6 address and mask bits
|
||||
*
|
||||
* @param string $ip
|
||||
* @param int $maskBits
|
||||
* @return string
|
||||
*/
|
||||
private function getIPv6Subnet($ip, $maskBits = 48) {
|
||||
$binary = \inet_pton($ip);
|
||||
for ($i = 128; $i > $maskBits; $i -= 8) {
|
||||
$j = \intdiv($i, 8) - 1;
|
||||
$k = (int) \min(8, $i - $maskBits);
|
||||
$mask = (0xff - ((pow(2, $k)) - 1));
|
||||
$int = \unpack('C', $binary[$j]);
|
||||
$binary[$j] = \pack('C', $int[1] & $mask);
|
||||
}
|
||||
return \inet_ntop($binary).'/'.$maskBits;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets either the /32 (IPv4) or the /128 (IPv6) subnet of an IP address
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getSubnet() {
|
||||
if (\preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $this->ip)) {
|
||||
return $this->getIPv4Subnet(
|
||||
$this->ip,
|
||||
32
|
||||
);
|
||||
}
|
||||
return $this->getIPv6Subnet(
|
||||
$this->ip,
|
||||
128
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the specified IP address
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function __toString() {
|
||||
return $this->ip;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,54 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace OC\Security\RateLimiting\Backend;
|
||||
|
||||
/**
|
||||
* Interface IBackend defines a storage backend for the rate limiting data. It
|
||||
* should be noted that writing and reading rate limiting data is an expensive
|
||||
* operation and one should thus make sure to only use sufficient fast backends.
|
||||
*
|
||||
* @package OC\Security\RateLimiting\Backend
|
||||
*/
|
||||
interface IBackend {
|
||||
/**
|
||||
* Gets the amount of attempts within the last specified seconds
|
||||
*
|
||||
* @param string $methodIdentifier Identifier for the method
|
||||
* @param string $userIdentifier Identifier for the user
|
||||
* @param int $seconds Seconds to look back at
|
||||
* @return int
|
||||
*/
|
||||
public function getAttempts($methodIdentifier,
|
||||
$userIdentifier,
|
||||
$seconds);
|
||||
|
||||
/**
|
||||
* Registers an attempt
|
||||
*
|
||||
* @param string $methodIdentifier Identifier for the method
|
||||
* @param string $userIdentifier Identifier for the user
|
||||
* @param int $period Period in seconds how long this attempt should be stored
|
||||
*/
|
||||
public function registerAttempt($methodIdentifier,
|
||||
$userIdentifier,
|
||||
$period);
|
||||
}
|
|
@ -0,0 +1,116 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace OC\Security\RateLimiting\Backend;
|
||||
|
||||
use OCP\AppFramework\Utility\ITimeFactory;
|
||||
use OCP\ICache;
|
||||
use OCP\ICacheFactory;
|
||||
|
||||
/**
|
||||
* Class MemoryCache uses the configured distributed memory cache for storing
|
||||
* rate limiting data.
|
||||
*
|
||||
* @package OC\Security\RateLimiting\Backend
|
||||
*/
|
||||
class MemoryCache implements IBackend {
|
||||
/** @var ICache */
|
||||
private $cache;
|
||||
/** @var ITimeFactory */
|
||||
private $timeFactory;
|
||||
|
||||
/**
|
||||
* @param ICacheFactory $cacheFactory
|
||||
* @param ITimeFactory $timeFactory
|
||||
*/
|
||||
public function __construct(ICacheFactory $cacheFactory,
|
||||
ITimeFactory $timeFactory) {
|
||||
$this->cache = $cacheFactory->create(__CLASS__);
|
||||
$this->timeFactory = $timeFactory;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $methodIdentifier
|
||||
* @param string $userIdentifier
|
||||
* @return string
|
||||
*/
|
||||
private function hash($methodIdentifier,
|
||||
$userIdentifier) {
|
||||
return hash('sha512', $methodIdentifier . $userIdentifier);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $identifier
|
||||
* @return array
|
||||
*/
|
||||
private function getExistingAttempts($identifier) {
|
||||
$cachedAttempts = json_decode($this->cache->get($identifier), true);
|
||||
if(is_array($cachedAttempts)) {
|
||||
return $cachedAttempts;
|
||||
}
|
||||
|
||||
return [];
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
public function getAttempts($methodIdentifier,
|
||||
$userIdentifier,
|
||||
$seconds) {
|
||||
$identifier = $this->hash($methodIdentifier, $userIdentifier);
|
||||
$existingAttempts = $this->getExistingAttempts($identifier);
|
||||
|
||||
$count = 0;
|
||||
$currentTime = $this->timeFactory->getTime();
|
||||
/** @var array $existingAttempts */
|
||||
foreach ($existingAttempts as $attempt) {
|
||||
if(($attempt + $seconds) > $currentTime) {
|
||||
$count++;
|
||||
}
|
||||
}
|
||||
|
||||
return $count;
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
public function registerAttempt($methodIdentifier,
|
||||
$userIdentifier,
|
||||
$period) {
|
||||
$identifier = $this->hash($methodIdentifier, $userIdentifier);
|
||||
$existingAttempts = $this->getExistingAttempts($identifier);
|
||||
$currentTime = $this->timeFactory->getTime();
|
||||
|
||||
// Unset all attempts older than $period
|
||||
foreach ($existingAttempts as $key => $attempt) {
|
||||
if(($attempt + $period) < $currentTime) {
|
||||
unset($existingAttempts[$key]);
|
||||
}
|
||||
}
|
||||
$existingAttempts = array_values($existingAttempts);
|
||||
|
||||
// Store the new attempt
|
||||
$existingAttempts[] = (string)$currentTime;
|
||||
$this->cache->set($identifier, json_encode($existingAttempts));
|
||||
}
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace OC\Security\RateLimiting\Exception;
|
||||
|
||||
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
|
||||
use OCP\AppFramework\Http;
|
||||
|
||||
class RateLimitExceededException extends SecurityException {
|
||||
public function __construct() {
|
||||
parent::__construct('Rate limit exceeded', Http::STATUS_TOO_MANY_REQUESTS);
|
||||
}
|
||||
}
|
|
@ -0,0 +1,106 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace OC\Security\RateLimiting;
|
||||
|
||||
use OC\Security\Normalizer\IpAddress;
|
||||
use OC\Security\RateLimiting\Backend\IBackend;
|
||||
use OC\Security\RateLimiting\Exception\RateLimitExceededException;
|
||||
use OCP\AppFramework\Utility\ITimeFactory;
|
||||
use OCP\IRequest;
|
||||
use OCP\IUser;
|
||||
use OCP\IUserSession;
|
||||
|
||||
class Limiter {
|
||||
/** @var IBackend */
|
||||
private $backend;
|
||||
/** @var ITimeFactory */
|
||||
private $timeFactory;
|
||||
|
||||
/**
|
||||
* @param IUserSession $userSession
|
||||
* @param IRequest $request
|
||||
* @param ITimeFactory $timeFactory
|
||||
* @param IBackend $backend
|
||||
*/
|
||||
public function __construct(IUserSession $userSession,
|
||||
IRequest $request,
|
||||
ITimeFactory $timeFactory,
|
||||
IBackend $backend) {
|
||||
$this->backend = $backend;
|
||||
$this->timeFactory = $timeFactory;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $methodIdentifier
|
||||
* @param string $userIdentifier
|
||||
* @param int $period
|
||||
* @param int $limit
|
||||
* @throws RateLimitExceededException
|
||||
*/
|
||||
private function register($methodIdentifier,
|
||||
$userIdentifier,
|
||||
$period,
|
||||
$limit) {
|
||||
$existingAttempts = $this->backend->getAttempts($methodIdentifier, $userIdentifier, (int)$period);
|
||||
if ($existingAttempts >= (int)$limit) {
|
||||
throw new RateLimitExceededException();
|
||||
}
|
||||
|
||||
$this->backend->registerAttempt($methodIdentifier, $userIdentifier, $this->timeFactory->getTime());
|
||||
}
|
||||
|
||||
/**
|
||||
* Registers attempt for an anonymous request
|
||||
*
|
||||
* @param string $identifier
|
||||
* @param int $anonLimit
|
||||
* @param int $anonPeriod
|
||||
* @param string $ip
|
||||
* @throws RateLimitExceededException
|
||||
*/
|
||||
public function registerAnonRequest($identifier,
|
||||
$anonLimit,
|
||||
$anonPeriod,
|
||||
$ip) {
|
||||
$ipSubnet = (new IpAddress($ip))->getSubnet();
|
||||
|
||||
$anonHashIdentifier = hash('sha512', 'anon::' . $identifier . $ipSubnet);
|
||||
$this->register($identifier, $anonHashIdentifier, $anonPeriod, $anonLimit);
|
||||
}
|
||||
|
||||
/**
|
||||
* Registers attempt for an authenticated request
|
||||
*
|
||||
* @param string $identifier
|
||||
* @param int $userLimit
|
||||
* @param int $userPeriod
|
||||
* @param IUser $user
|
||||
* @throws RateLimitExceededException
|
||||
*/
|
||||
public function registerUserRequest($identifier,
|
||||
$userLimit,
|
||||
$userPeriod,
|
||||
IUser $user) {
|
||||
$userHashIdentifier = hash('sha512', 'user::' . $identifier . $user->getUID());
|
||||
$this->register($identifier, $userHashIdentifier, $userPeriod, $userLimit);
|
||||
}
|
||||
}
|
|
@ -516,6 +516,21 @@ class Server extends ServerContainer implements IServerContainer {
|
|||
});
|
||||
$this->registerAlias('Search', \OCP\ISearch::class);
|
||||
|
||||
$this->registerService(\OC\Security\RateLimiting\Limiter::class, function($c) {
|
||||
return new \OC\Security\RateLimiting\Limiter(
|
||||
$this->getUserSession(),
|
||||
$this->getRequest(),
|
||||
new \OC\AppFramework\Utility\TimeFactory(),
|
||||
$c->query(\OC\Security\RateLimiting\Backend\IBackend::class)
|
||||
);
|
||||
});
|
||||
$this->registerService(\OC\Security\RateLimiting\Backend\IBackend::class, function($c) {
|
||||
return new \OC\Security\RateLimiting\Backend\MemoryCache(
|
||||
$this->getMemCacheFactory(),
|
||||
new \OC\AppFramework\Utility\TimeFactory()
|
||||
);
|
||||
});
|
||||
|
||||
$this->registerService(\OCP\Security\ISecureRandom::class, function ($c) {
|
||||
return new SecureRandom();
|
||||
});
|
||||
|
|
|
@ -0,0 +1,283 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace Test\AppFramework\Middleware\Security;
|
||||
|
||||
use OC\AppFramework\Middleware\Security\RateLimitingMiddleware;
|
||||
use OC\AppFramework\Utility\ControllerMethodReflector;
|
||||
use OC\Security\RateLimiting\Exception\RateLimitExceededException;
|
||||
use OC\Security\RateLimiting\Limiter;
|
||||
use OCP\AppFramework\Controller;
|
||||
use OCP\AppFramework\Http\JSONResponse;
|
||||
use OCP\AppFramework\Http\TemplateResponse;
|
||||
use OCP\IRequest;
|
||||
use OCP\IUser;
|
||||
use OCP\IUserSession;
|
||||
use Test\TestCase;
|
||||
|
||||
class RateLimitingMiddlewareTest extends TestCase {
|
||||
/** @var IRequest|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $request;
|
||||
/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $userSession;
|
||||
/** @var ControllerMethodReflector|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $reflector;
|
||||
/** @var Limiter|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $limiter;
|
||||
/** @var RateLimitingMiddleware */
|
||||
private $rateLimitingMiddleware;
|
||||
|
||||
public function setUp() {
|
||||
parent::setUp();
|
||||
|
||||
$this->request = $this->createMock(IRequest::class);
|
||||
$this->userSession = $this->createMock(IUserSession::class);
|
||||
$this->reflector = $this->createMock(ControllerMethodReflector::class);
|
||||
$this->limiter = $this->createMock(Limiter::class);
|
||||
|
||||
$this->rateLimitingMiddleware = new RateLimitingMiddleware(
|
||||
$this->request,
|
||||
$this->userSession,
|
||||
$this->reflector,
|
||||
$this->limiter
|
||||
);
|
||||
}
|
||||
|
||||
public function testBeforeControllerWithoutAnnotation() {
|
||||
$this->reflector
|
||||
->expects($this->at(0))
|
||||
->method('getAnnotationParameter')
|
||||
->with('AnonRateThrottle', 'limit')
|
||||
->willReturn('');
|
||||
$this->reflector
|
||||
->expects($this->at(1))
|
||||
->method('getAnnotationParameter')
|
||||
->with('AnonRateThrottle', 'period')
|
||||
->willReturn('');
|
||||
$this->reflector
|
||||
->expects($this->at(2))
|
||||
->method('getAnnotationParameter')
|
||||
->with('UserRateThrottle', 'limit')
|
||||
->willReturn('');
|
||||
$this->reflector
|
||||
->expects($this->at(3))
|
||||
->method('getAnnotationParameter')
|
||||
->with('UserRateThrottle', 'period')
|
||||
->willReturn('');
|
||||
|
||||
$this->limiter
|
||||
->expects($this->never())
|
||||
->method('registerUserRequest');
|
||||
$this->limiter
|
||||
->expects($this->never())
|
||||
->method('registerAnonRequest');
|
||||
|
||||
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
|
||||
$controller = $this->createMock(Controller::class);
|
||||
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
|
||||
}
|
||||
|
||||
public function testBeforeControllerForAnon() {
|
||||
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
|
||||
$controller = $this->createMock(Controller::class);
|
||||
$this->request
|
||||
->expects($this->once())
|
||||
->method('getRemoteAddress')
|
||||
->willReturn('127.0.0.1');
|
||||
|
||||
$this->reflector
|
||||
->expects($this->at(0))
|
||||
->method('getAnnotationParameter')
|
||||
->with('AnonRateThrottle', 'limit')
|
||||
->willReturn('100');
|
||||
$this->reflector
|
||||
->expects($this->at(1))
|
||||
->method('getAnnotationParameter')
|
||||
->with('AnonRateThrottle', 'period')
|
||||
->willReturn('10');
|
||||
$this->reflector
|
||||
->expects($this->at(2))
|
||||
->method('getAnnotationParameter')
|
||||
->with('UserRateThrottle', 'limit')
|
||||
->willReturn('');
|
||||
$this->reflector
|
||||
->expects($this->at(3))
|
||||
->method('getAnnotationParameter')
|
||||
->with('UserRateThrottle', 'period')
|
||||
->willReturn('');
|
||||
|
||||
$this->limiter
|
||||
->expects($this->never())
|
||||
->method('registerUserRequest');
|
||||
$this->limiter
|
||||
->expects($this->once())
|
||||
->method('registerAnonRequest')
|
||||
->with(get_class($controller) . '::testMethod', '100', '10', '127.0.0.1');
|
||||
|
||||
|
||||
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
|
||||
}
|
||||
|
||||
public function testBeforeControllerForLoggedIn() {
|
||||
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
|
||||
$controller = $this->createMock(Controller::class);
|
||||
/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */
|
||||
$user = $this->createMock(IUser::class);
|
||||
|
||||
$this->userSession
|
||||
->expects($this->once())
|
||||
->method('isLoggedIn')
|
||||
->willReturn(true);
|
||||
$this->userSession
|
||||
->expects($this->once())
|
||||
->method('getUser')
|
||||
->willReturn($user);
|
||||
|
||||
$this->reflector
|
||||
->expects($this->at(0))
|
||||
->method('getAnnotationParameter')
|
||||
->with('AnonRateThrottle', 'limit')
|
||||
->willReturn('');
|
||||
$this->reflector
|
||||
->expects($this->at(1))
|
||||
->method('getAnnotationParameter')
|
||||
->with('AnonRateThrottle', 'period')
|
||||
->willReturn('');
|
||||
$this->reflector
|
||||
->expects($this->at(2))
|
||||
->method('getAnnotationParameter')
|
||||
->with('UserRateThrottle', 'limit')
|
||||
->willReturn('100');
|
||||
$this->reflector
|
||||
->expects($this->at(3))
|
||||
->method('getAnnotationParameter')
|
||||
->with('UserRateThrottle', 'period')
|
||||
->willReturn('10');
|
||||
|
||||
$this->limiter
|
||||
->expects($this->never())
|
||||
->method('registerAnonRequest');
|
||||
$this->limiter
|
||||
->expects($this->once())
|
||||
->method('registerUserRequest')
|
||||
->with(get_class($controller) . '::testMethod', '100', '10', $user);
|
||||
|
||||
|
||||
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
|
||||
}
|
||||
|
||||
public function testBeforeControllerAnonWithFallback() {
|
||||
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
|
||||
$controller = $this->createMock(Controller::class);
|
||||
$this->request
|
||||
->expects($this->once())
|
||||
->method('getRemoteAddress')
|
||||
->willReturn('127.0.0.1');
|
||||
|
||||
$this->userSession
|
||||
->expects($this->once())
|
||||
->method('isLoggedIn')
|
||||
->willReturn(false);
|
||||
|
||||
$this->reflector
|
||||
->expects($this->at(0))
|
||||
->method('getAnnotationParameter')
|
||||
->with('AnonRateThrottle', 'limit')
|
||||
->willReturn('200');
|
||||
$this->reflector
|
||||
->expects($this->at(1))
|
||||
->method('getAnnotationParameter')
|
||||
->with('AnonRateThrottle', 'period')
|
||||
->willReturn('20');
|
||||
$this->reflector
|
||||
->expects($this->at(2))
|
||||
->method('getAnnotationParameter')
|
||||
->with('UserRateThrottle', 'limit')
|
||||
->willReturn('100');
|
||||
$this->reflector
|
||||
->expects($this->at(3))
|
||||
->method('getAnnotationParameter')
|
||||
->with('UserRateThrottle', 'period')
|
||||
->willReturn('10');
|
||||
|
||||
$this->limiter
|
||||
->expects($this->never())
|
||||
->method('registerUserRequest');
|
||||
$this->limiter
|
||||
->expects($this->once())
|
||||
->method('registerAnonRequest')
|
||||
->with(get_class($controller) . '::testMethod', '200', '20', '127.0.0.1');
|
||||
|
||||
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException \Exception
|
||||
* @expectedExceptionMessage My test exception
|
||||
*/
|
||||
public function testAfterExceptionWithOtherException() {
|
||||
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
|
||||
$controller = $this->createMock(Controller::class);
|
||||
|
||||
$this->rateLimitingMiddleware->afterException($controller, 'testMethod', new \Exception('My test exception'));
|
||||
}
|
||||
|
||||
public function testAfterExceptionWithJsonBody() {
|
||||
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
|
||||
$controller = $this->createMock(Controller::class);
|
||||
$this->request
|
||||
->expects($this->once())
|
||||
->method('getHeader')
|
||||
->with('Accept')
|
||||
->willReturn('JSON');
|
||||
|
||||
$result = $this->rateLimitingMiddleware->afterException($controller, 'testMethod', new RateLimitExceededException());
|
||||
$expected = new JSONResponse(
|
||||
[
|
||||
'message' => 'Rate limit exceeded',
|
||||
],
|
||||
429
|
||||
);
|
||||
$this->assertEquals($expected, $result);
|
||||
}
|
||||
|
||||
public function testAfterExceptionWithHtmlBody() {
|
||||
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
|
||||
$controller = $this->createMock(Controller::class);
|
||||
$this->request
|
||||
->expects($this->once())
|
||||
->method('getHeader')
|
||||
->with('Accept')
|
||||
->willReturn('html');
|
||||
|
||||
$result = $this->rateLimitingMiddleware->afterException($controller, 'testMethod', new RateLimitExceededException());
|
||||
$expected = new TemplateResponse(
|
||||
'core',
|
||||
'403',
|
||||
[
|
||||
'file' => 'Rate limit exceeded',
|
||||
],
|
||||
'guest'
|
||||
);
|
||||
$expected->setStatus(429);
|
||||
$this->assertEquals($expected, $result);
|
||||
}
|
||||
}
|
|
@ -75,18 +75,32 @@ class ControllerMethodReflectorTest extends \Test\TestCase {
|
|||
$this->assertTrue($reader->hasAnnotation('Annotation'));
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @Annotation parameter
|
||||
* @Annotation(parameter=value)
|
||||
*/
|
||||
public function testGetAnnotationParameter(){
|
||||
public function testGetAnnotationParameterSingle() {
|
||||
$reader = new ControllerMethodReflector();
|
||||
$reader->reflect(
|
||||
'\Test\AppFramework\Utility\ControllerMethodReflectorTest',
|
||||
'testGetAnnotationParameter'
|
||||
__CLASS__,
|
||||
__FUNCTION__
|
||||
);
|
||||
|
||||
$this->assertSame('parameter', $reader->getAnnotationParameter('Annotation'));
|
||||
$this->assertSame('value', $reader->getAnnotationParameter('Annotation', 'parameter'));
|
||||
}
|
||||
|
||||
/**
|
||||
* @Annotation(parameter1=value1, parameter2=value2,parameter3=value3)
|
||||
*/
|
||||
public function testGetAnnotationParameterMultiple() {
|
||||
$reader = new ControllerMethodReflector();
|
||||
$reader->reflect(
|
||||
__CLASS__,
|
||||
__FUNCTION__
|
||||
);
|
||||
|
||||
$this->assertSame('value1', $reader->getAnnotationParameter('Annotation', 'parameter1'));
|
||||
$this->assertSame('value2', $reader->getAnnotationParameter('Annotation', 'parameter2'));
|
||||
$this->assertSame('value3', $reader->getAnnotationParameter('Annotation', 'parameter3'));
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -76,51 +76,6 @@ class ThrottlerTest extends TestCase {
|
|||
$this->assertLessThan(2, $cutoff->s);
|
||||
}
|
||||
|
||||
public function testSubnet() {
|
||||
// IPv4
|
||||
$this->assertSame(
|
||||
'64.233.191.254/32',
|
||||
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 32])
|
||||
);
|
||||
$this->assertSame(
|
||||
'64.233.191.252/30',
|
||||
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 30])
|
||||
);
|
||||
$this->assertSame(
|
||||
'64.233.191.240/28',
|
||||
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 28])
|
||||
);
|
||||
$this->assertSame(
|
||||
'64.233.191.0/24',
|
||||
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 24])
|
||||
);
|
||||
$this->assertSame(
|
||||
'64.233.188.0/22',
|
||||
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 22])
|
||||
);
|
||||
// IPv6
|
||||
$this->assertSame(
|
||||
'2001:db8:85a3::8a2e:370:7334/127',
|
||||
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 127])
|
||||
);
|
||||
$this->assertSame(
|
||||
'2001:db8:85a3::8a2e:370:7300/120',
|
||||
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7300', 120])
|
||||
);
|
||||
$this->assertSame(
|
||||
'2001:db8:85a3::/64',
|
||||
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 64])
|
||||
);
|
||||
$this->assertSame(
|
||||
'2001:db8:85a3::/48',
|
||||
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 48])
|
||||
);
|
||||
$this->assertSame(
|
||||
'2001:db8:8500::/40',
|
||||
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 40])
|
||||
);
|
||||
}
|
||||
|
||||
public function dataIsIPWhitelisted() {
|
||||
return [
|
||||
[
|
||||
|
|
|
@ -0,0 +1,59 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace Test\Security\Normalizer;
|
||||
|
||||
use OC\Security\Normalizer\IpAddress;
|
||||
use Test\TestCase;
|
||||
|
||||
class IpAddressTest extends TestCase {
|
||||
|
||||
public function subnetDataProvider() {
|
||||
return [
|
||||
[
|
||||
'64.233.191.254',
|
||||
'64.233.191.254/32',
|
||||
],
|
||||
[
|
||||
'192.168.0.123',
|
||||
'192.168.0.123/32',
|
||||
],
|
||||
[
|
||||
'2001:0db8:85a3:0000:0000:8a2e:0370:7334',
|
||||
'2001:db8:85a3::8a2e:370:7334/128',
|
||||
],
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider subnetDataProvider
|
||||
*
|
||||
* @param string $input
|
||||
* @param string $expected
|
||||
*/
|
||||
public function testGetSubnet($input, $expected) {
|
||||
$this->assertSame($expected, (new IpAddress($input))->getSubnet());
|
||||
}
|
||||
|
||||
public function testToString() {
|
||||
$this->assertSame('127.0.0.1', (string)(new IpAddress('127.0.0.1')));
|
||||
}
|
||||
}
|
|
@ -0,0 +1,146 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace Test\Security\RateLimiting\Backend;
|
||||
|
||||
use OC\Security\RateLimiting\Backend\MemoryCache;
|
||||
use OCP\AppFramework\Utility\ITimeFactory;
|
||||
use OCP\ICache;
|
||||
use OCP\ICacheFactory;
|
||||
use Test\TestCase;
|
||||
|
||||
class MemoryCacheTest extends TestCase {
|
||||
/** @var ICacheFactory|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $cacheFactory;
|
||||
/** @var ITimeFactory|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $timeFactory;
|
||||
/** @var ICache|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $cache;
|
||||
/** @var MemoryCache */
|
||||
private $memoryCache;
|
||||
|
||||
public function setUp() {
|
||||
parent::setUp();
|
||||
|
||||
$this->cacheFactory = $this->createMock(ICacheFactory::class);
|
||||
$this->timeFactory = $this->createMock(ITimeFactory::class);
|
||||
$this->cache = $this->createMock(ICache::class);
|
||||
|
||||
$this->cacheFactory
|
||||
->expects($this->once())
|
||||
->method('create')
|
||||
->with('OC\Security\RateLimiting\Backend\MemoryCache')
|
||||
->willReturn($this->cache);
|
||||
|
||||
$this->memoryCache = new MemoryCache(
|
||||
$this->cacheFactory,
|
||||
$this->timeFactory
|
||||
);
|
||||
}
|
||||
|
||||
public function testGetAttemptsWithNoAttemptsBefore() {
|
||||
$this->cache
|
||||
->expects($this->once())
|
||||
->method('get')
|
||||
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
|
||||
->willReturn(false);
|
||||
|
||||
$this->assertSame(0, $this->memoryCache->getAttempts('Method', 'User', 123));
|
||||
}
|
||||
|
||||
public function testGetAttempts() {
|
||||
$this->timeFactory
|
||||
->expects($this->once())
|
||||
->method('getTime')
|
||||
->willReturn(210);
|
||||
$this->cache
|
||||
->expects($this->once())
|
||||
->method('get')
|
||||
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
|
||||
->willReturn(json_encode([
|
||||
'1',
|
||||
'2',
|
||||
'87',
|
||||
'123',
|
||||
'123',
|
||||
'124',
|
||||
]));
|
||||
|
||||
$this->assertSame(3, $this->memoryCache->getAttempts('Method', 'User', 123));
|
||||
}
|
||||
|
||||
public function testRegisterAttemptWithNoAttemptsBefore() {
|
||||
$this->timeFactory
|
||||
->expects($this->once())
|
||||
->method('getTime')
|
||||
->willReturn(123);
|
||||
|
||||
$this->cache
|
||||
->expects($this->once())
|
||||
->method('get')
|
||||
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
|
||||
->willReturn(false);
|
||||
$this->cache
|
||||
->expects($this->once())
|
||||
->method('set')
|
||||
->with(
|
||||
'eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b',
|
||||
json_encode(['123'])
|
||||
);
|
||||
|
||||
$this->memoryCache->registerAttempt('Method', 'User', 100);
|
||||
}
|
||||
|
||||
public function testRegisterAttempt() {
|
||||
$this->timeFactory
|
||||
->expects($this->once())
|
||||
->method('getTime')
|
||||
->willReturn(129);
|
||||
|
||||
$this->cache
|
||||
->expects($this->once())
|
||||
->method('get')
|
||||
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
|
||||
->willReturn(json_encode([
|
||||
'1',
|
||||
'2',
|
||||
'87',
|
||||
'123',
|
||||
'123',
|
||||
'124',
|
||||
]));
|
||||
$this->cache
|
||||
->expects($this->once())
|
||||
->method('set')
|
||||
->with(
|
||||
'eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b',
|
||||
json_encode([
|
||||
'87',
|
||||
'123',
|
||||
'123',
|
||||
'124',
|
||||
'129',
|
||||
])
|
||||
);
|
||||
|
||||
$this->memoryCache->registerAttempt('Method', 'User', 100);
|
||||
}
|
||||
}
|
|
@ -0,0 +1,161 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace Test\Security\RateLimiting;
|
||||
|
||||
use OC\Security\RateLimiting\Backend\IBackend;
|
||||
use OC\Security\RateLimiting\Limiter;
|
||||
use OCP\AppFramework\Utility\ITimeFactory;
|
||||
use OCP\ICacheFactory;
|
||||
use OCP\IRequest;
|
||||
use OCP\IUser;
|
||||
use OCP\IUserSession;
|
||||
use Test\TestCase;
|
||||
|
||||
class LimiterTest extends TestCase {
|
||||
/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $userSession;
|
||||
/** @var IRequest|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $request;
|
||||
/** @var ITimeFactory|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $timeFactory;
|
||||
/** @var IBackend|\PHPUnit_Framework_MockObject_MockObject */
|
||||
private $backend;
|
||||
/** @var Limiter */
|
||||
private $limiter;
|
||||
|
||||
public function setUp() {
|
||||
parent::setUp();
|
||||
|
||||
$this->userSession = $this->createMock(IUserSession::class);
|
||||
$this->request = $this->createMock(IRequest::class);
|
||||
$this->timeFactory = $this->createMock(ITimeFactory::class);
|
||||
$this->backend = $this->createMock(IBackend::class);
|
||||
|
||||
$this->limiter = new Limiter(
|
||||
$this->userSession,
|
||||
$this->request,
|
||||
$this->timeFactory,
|
||||
$this->backend
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException \OC\Security\RateLimiting\Exception\RateLimitExceededException
|
||||
* @expectedExceptionMessage Rate limit exceeded
|
||||
*/
|
||||
public function testRegisterAnonRequestExceeded() {
|
||||
$this->backend
|
||||
->expects($this->once())
|
||||
->method('getAttempts')
|
||||
->with(
|
||||
'MyIdentifier',
|
||||
'4664f0d9c88dcb7552be47b37bb52ce35977b2e60e1ac13757cf625f31f87050a41f3da064887fa87d49fd042e4c8eb20de8f10464877d3959677ab011b73a47',
|
||||
100
|
||||
)
|
||||
->willReturn(101);
|
||||
|
||||
$this->limiter->registerAnonRequest('MyIdentifier', 100, 100, '127.0.0.1');
|
||||
}
|
||||
|
||||
public function testRegisterAnonRequestSuccess() {
|
||||
$this->timeFactory
|
||||
->expects($this->once())
|
||||
->method('getTime')
|
||||
->willReturn(2000);
|
||||
$this->backend
|
||||
->expects($this->once())
|
||||
->method('getAttempts')
|
||||
->with(
|
||||
'MyIdentifier',
|
||||
'4664f0d9c88dcb7552be47b37bb52ce35977b2e60e1ac13757cf625f31f87050a41f3da064887fa87d49fd042e4c8eb20de8f10464877d3959677ab011b73a47',
|
||||
100
|
||||
)
|
||||
->willReturn(99);
|
||||
$this->backend
|
||||
->expects($this->once())
|
||||
->method('registerAttempt')
|
||||
->with(
|
||||
'MyIdentifier',
|
||||
'4664f0d9c88dcb7552be47b37bb52ce35977b2e60e1ac13757cf625f31f87050a41f3da064887fa87d49fd042e4c8eb20de8f10464877d3959677ab011b73a47',
|
||||
2000
|
||||
);
|
||||
|
||||
$this->limiter->registerAnonRequest('MyIdentifier', 100, 100, '127.0.0.1');
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException \OC\Security\RateLimiting\Exception\RateLimitExceededException
|
||||
* @expectedExceptionMessage Rate limit exceeded
|
||||
*/
|
||||
public function testRegisterUserRequestExceeded() {
|
||||
/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */
|
||||
$user = $this->createMock(IUser::class);
|
||||
$user
|
||||
->expects($this->once())
|
||||
->method('getUID')
|
||||
->willReturn('MyUid');
|
||||
$this->backend
|
||||
->expects($this->once())
|
||||
->method('getAttempts')
|
||||
->with(
|
||||
'MyIdentifier',
|
||||
'ddb2ec50fa973fd49ecf3d816f677c8095143e944ad10485f30fb3dac85c13a346dace4dae2d0a15af91867320957bfd38a43d9eefbb74fe6919e15119b6d805',
|
||||
100
|
||||
)
|
||||
->willReturn(101);
|
||||
|
||||
$this->limiter->registerUserRequest('MyIdentifier', 100, 100, $user);
|
||||
}
|
||||
|
||||
public function testRegisterUserRequestSuccess() {
|
||||
/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */
|
||||
$user = $this->createMock(IUser::class);
|
||||
$user
|
||||
->expects($this->once())
|
||||
->method('getUID')
|
||||
->willReturn('MyUid');
|
||||
|
||||
$this->timeFactory
|
||||
->expects($this->once())
|
||||
->method('getTime')
|
||||
->willReturn(2000);
|
||||
$this->backend
|
||||
->expects($this->once())
|
||||
->method('getAttempts')
|
||||
->with(
|
||||
'MyIdentifier',
|
||||
'ddb2ec50fa973fd49ecf3d816f677c8095143e944ad10485f30fb3dac85c13a346dace4dae2d0a15af91867320957bfd38a43d9eefbb74fe6919e15119b6d805',
|
||||
100
|
||||
)
|
||||
->willReturn(99);
|
||||
$this->backend
|
||||
->expects($this->once())
|
||||
->method('registerAttempt')
|
||||
->with(
|
||||
'MyIdentifier',
|
||||
'ddb2ec50fa973fd49ecf3d816f677c8095143e944ad10485f30fb3dac85c13a346dace4dae2d0a15af91867320957bfd38a43d9eefbb74fe6919e15119b6d805',
|
||||
2000
|
||||
);
|
||||
|
||||
$this->limiter->registerUserRequest('MyIdentifier', 100, 100, $user);
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue