Merge pull request #4336 from nextcloud/add-ratelimiting

Add support for ratelimiting via annotations
This commit is contained in:
Lukas Reschke 2017-04-13 18:53:56 +02:00 committed by GitHub
commit f3dbfd68a2
26 changed files with 1437 additions and 150 deletions

View File

@ -277,6 +277,18 @@ pipeline:
when:
matrix:
TESTS: integration-maintenance-mode
integration-ratelimiting:
image: nextcloudci/integration-php7.0:integration-php7.0-3
commands:
- ./occ maintenance:install --admin-pass=admin
- ./occ config:system:set --type string --value "\\OC\\Memcache\\Redis" memcache.local
- ./occ config:system:set --type string --value "\\OC\\Memcache\\Redis" memcache.distributed
- ./occ app:enable testing
- cd build/integration
- ./run.sh features/ratelimiting.feature
when:
matrix:
TESTS: integration-ratelimiting
integration-carddav:
image: nextcloudci/integration-php7.0:integration-php7.0-3
commands:
@ -516,6 +528,7 @@ matrix:
- TESTS: integration-capabilities_features
- TESTS: integration-federation_features
- TESTS: integration-maintenance-mode
- TESTS: integration-ratelimiting
- TESTS: integration-auth
- TESTS: integration-carddav
- TESTS: integration-dav-v2

View File

@ -120,7 +120,7 @@ class MountPublicLinkController extends Controller {
*
* @NoCSRFRequired
* @PublicPage
* @BruteForceProtection publicLink2FederatedShare
* @BruteForceProtection(action=publicLink2FederatedShare)
*
* @param string $shareWith
* @param string $token

View File

@ -160,7 +160,7 @@ class ShareController extends Controller {
/**
* @PublicPage
* @UseSession
* @BruteForceProtection publicLinkAuth
* @BruteForceProtection(action=publicLinkAuth)
*
* Authenticates against password-protected shares
* @param string $token

View File

@ -25,12 +25,32 @@ namespace OCA\Testing\AppInfo;
use OCA\Testing\Config;
use OCA\Testing\Locking\Provisioning;
use OCP\API;
use OCP\AppFramework\App;
$config = new Config(
\OC::$server->getConfig(),
\OC::$server->getRequest()
);
$app = new App('testing');
$app->registerRoutes(
$this,
[
'routes' => [
[
'name' => 'RateLimitTest#userAndAnonProtected',
'url' => '/userAndAnonProtected',
'verb' => 'GET',
],
[
'name' => 'RateLimitTest#onlyAnonProtected',
'url' => '/anonProtected',
'verb' => 'GET',
],
]
]
);
API::register(
'post',
'/apps/testing/api/v1/app/{appid}/{configkey}',

View File

@ -0,0 +1,52 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OCA\Testing\Controller;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\JSONResponse;
class RateLimitTestController extends Controller {
/**
* @PublicPage
* @NoCSRFRequired
*
* @UserRateThrottle(limit=5, period=100)
* @AnonRateThrottle(limit=1, period=100)
*
* @return JSONResponse
*/
public function userAndAnonProtected() {
return new JSONResponse();
}
/**
* @PublicPage
* @NoCSRFRequired
*
* @AnonRateThrottle(limit=1, period=10)
*
* @return JSONResponse
*/
public function onlyAnonProtected() {
return new JSONResponse();
}
}

View File

@ -0,0 +1,58 @@
Feature: ratelimiting
Background:
Given user "user0" exists
Given As an "admin"
Given app "testing" is enabled
Scenario: Accessing a page with only an AnonRateThrottle as user
Given user "user0" exists
# First request should work
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
# Second one should fail
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
Then the HTTP status code should be "429"
# After 11 seconds the next request should work
And Sleep for "11" seconds
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
Scenario: Accessing a page with only an AnonRateThrottle as guest
Given Sleep for "11" seconds
# First request should work
When requesting "/index.php/apps/testing/anonProtected" with "GET"
Then the HTTP status code should be "200"
# Second one should fail
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
Then the HTTP status code should be "429"
# After 11 seconds the next request should work
And Sleep for "11" seconds
When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
Scenario: Accessing a page with UserRateThrottle and AnonRateThrottle
# First request should work as guest
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
Then the HTTP status code should be "200"
# Second request should fail as guest
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
Then the HTTP status code should be "429"
# First request should work as user
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
# Second request should work as user
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
# Third request should work as user
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
# Fourth request should work as user
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
# Fifth request should work as user
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
Then the HTTP status code should be "200"
# Sixth request should fail as user
When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
Then the HTTP status code should be "429"

View File

@ -204,7 +204,7 @@ class LostController extends Controller {
/**
* @PublicPage
* @BruteForceProtection passwordResetEmail
* @BruteForceProtection(action=passwordResetEmail)
*
* @param string $user
* @return array

View File

@ -298,6 +298,7 @@ return array(
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/NotLoggedInException.php',
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\SecurityException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/SecurityException.php',
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\StrictCookieMissingException' => $baseDir . '/lib/private/AppFramework/Middleware/Security/Exceptions/StrictCookieMissingException.php',
'OC\\AppFramework\\Middleware\\Security\\RateLimitingMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php',
'OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php',
'OC\\AppFramework\\Middleware\\SessionMiddleware' => $baseDir . '/lib/private/AppFramework/Middleware/SessionMiddleware.php',
'OC\\AppFramework\\OCS\\BaseResponse' => $baseDir . '/lib/private/AppFramework/OCS/BaseResponse.php',
@ -742,6 +743,11 @@ return array(
'OC\\Security\\IdentityProof\\Key' => $baseDir . '/lib/private/Security/IdentityProof/Key.php',
'OC\\Security\\IdentityProof\\Manager' => $baseDir . '/lib/private/Security/IdentityProof/Manager.php',
'OC\\Security\\IdentityProof\\Signer' => $baseDir . '/lib/private/Security/IdentityProof/Signer.php',
'OC\\Security\\Normalizer\\IpAddress' => $baseDir . '/lib/private/Security/Normalizer/IpAddress.php',
'OC\\Security\\RateLimiting\\Backend\\IBackend' => $baseDir . '/lib/private/Security/RateLimiting/Backend/IBackend.php',
'OC\\Security\\RateLimiting\\Backend\\MemoryCache' => $baseDir . '/lib/private/Security/RateLimiting/Backend/MemoryCache.php',
'OC\\Security\\RateLimiting\\Exception\\RateLimitExceededException' => $baseDir . '/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php',
'OC\\Security\\RateLimiting\\Limiter' => $baseDir . '/lib/private/Security/RateLimiting/Limiter.php',
'OC\\Security\\SecureRandom' => $baseDir . '/lib/private/Security/SecureRandom.php',
'OC\\Security\\TrustedDomainHelper' => $baseDir . '/lib/private/Security/TrustedDomainHelper.php',
'OC\\Server' => $baseDir . '/lib/private/Server.php',

View File

@ -328,6 +328,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/NotLoggedInException.php',
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\SecurityException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/SecurityException.php',
'OC\\AppFramework\\Middleware\\Security\\Exceptions\\StrictCookieMissingException' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/Exceptions/StrictCookieMissingException.php',
'OC\\AppFramework\\Middleware\\Security\\RateLimitingMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php',
'OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php',
'OC\\AppFramework\\Middleware\\SessionMiddleware' => __DIR__ . '/../../..' . '/lib/private/AppFramework/Middleware/SessionMiddleware.php',
'OC\\AppFramework\\OCS\\BaseResponse' => __DIR__ . '/../../..' . '/lib/private/AppFramework/OCS/BaseResponse.php',
@ -772,6 +773,11 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
'OC\\Security\\IdentityProof\\Key' => __DIR__ . '/../../..' . '/lib/private/Security/IdentityProof/Key.php',
'OC\\Security\\IdentityProof\\Manager' => __DIR__ . '/../../..' . '/lib/private/Security/IdentityProof/Manager.php',
'OC\\Security\\IdentityProof\\Signer' => __DIR__ . '/../../..' . '/lib/private/Security/IdentityProof/Signer.php',
'OC\\Security\\Normalizer\\IpAddress' => __DIR__ . '/../../..' . '/lib/private/Security/Normalizer/IpAddress.php',
'OC\\Security\\RateLimiting\\Backend\\IBackend' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Backend/IBackend.php',
'OC\\Security\\RateLimiting\\Backend\\MemoryCache' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Backend/MemoryCache.php',
'OC\\Security\\RateLimiting\\Exception\\RateLimitExceededException' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php',
'OC\\Security\\RateLimiting\\Limiter' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Limiter.php',
'OC\\Security\\SecureRandom' => __DIR__ . '/../../..' . '/lib/private/Security/SecureRandom.php',
'OC\\Security\\TrustedDomainHelper' => __DIR__ . '/../../..' . '/lib/private/Security/TrustedDomainHelper.php',
'OC\\Server' => __DIR__ . '/../../..' . '/lib/private/Server.php',

View File

@ -40,6 +40,7 @@ use OC\AppFramework\Http\Output;
use OC\AppFramework\Middleware\MiddlewareDispatcher;
use OC\AppFramework\Middleware\Security\CORSMiddleware;
use OC\AppFramework\Middleware\OCSMiddleware;
use OC\AppFramework\Middleware\Security\RateLimitingMiddleware;
use OC\AppFramework\Middleware\Security\SecurityMiddleware;
use OC\AppFramework\Middleware\SessionMiddleware;
use OC\AppFramework\Utility\SimpleContainer;
@ -169,7 +170,6 @@ class DIContainer extends SimpleContainer implements IAppContainer {
);
});
/**
* App Framework APIs
*/
@ -230,6 +230,18 @@ class DIContainer extends SimpleContainer implements IAppContainer {
});
$this->registerService('RateLimitingMiddleware', function($c) use ($app) {
/** @var \OC\Server $server */
$server = $app->getServer();
return new RateLimitingMiddleware(
$server->getRequest(),
$server->getUserSession(),
$c['ControllerMethodReflector'],
$c->query(OC\Security\RateLimiting\Limiter::class)
);
});
$this->registerService('CORSMiddleware', function($c) {
return new CORSMiddleware(
$c['Request'],
@ -270,6 +282,7 @@ class DIContainer extends SimpleContainer implements IAppContainer {
$dispatcher->registerMiddleware($c['OCSMiddleware']);
$dispatcher->registerMiddleware($c['SecurityMiddleware']);
$dispatcher->registerMiddleWare($c['TwoFactorMiddleware']);
$dispatcher->registerMiddleware($c['RateLimitingMiddleware']);
foreach($middleWares as $middleWare) {
$dispatcher->registerMiddleware($c[$middleWare]);

View File

@ -0,0 +1,134 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Security\RateLimiting\Exception\RateLimitExceededException;
use OC\Security\RateLimiting\Limiter;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Middleware;
use OCP\IRequest;
use OCP\IUserSession;
/**
* Class RateLimitingMiddleware is the middleware responsible for implementing the
* ratelimiting in Nextcloud.
*
* It parses annotations such as:
*
* @UserRateThrottle(limit=5, period=100)
* @AnonRateThrottle(limit=1, period=100)
*
* Those annotations above would mean that logged-in users can access the page 5
* times within 100 seconds, and anonymous users 1 time within 100 seconds. If
* only an AnonRateThrottle is specified that one will also be applied to logged-in
* users.
*
* @package OC\AppFramework\Middleware\Security
*/
class RateLimitingMiddleware extends Middleware {
/** @var IRequest $request */
private $request;
/** @var IUserSession */
private $userSession;
/** @var ControllerMethodReflector */
private $reflector;
/** @var Limiter */
private $limiter;
/**
* @param IRequest $request
* @param IUserSession $userSession
* @param ControllerMethodReflector $reflector
* @param Limiter $limiter
*/
public function __construct(IRequest $request,
IUserSession $userSession,
ControllerMethodReflector $reflector,
Limiter $limiter) {
$this->request = $request;
$this->userSession = $userSession;
$this->reflector = $reflector;
$this->limiter = $limiter;
}
/**
* {@inheritDoc}
* @throws RateLimitExceededException
*/
public function beforeController($controller, $methodName) {
parent::beforeController($controller, $methodName);
$anonLimit = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'limit');
$anonPeriod = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'period');
$userLimit = $this->reflector->getAnnotationParameter('UserRateThrottle', 'limit');
$userPeriod = $this->reflector->getAnnotationParameter('UserRateThrottle', 'period');
$rateLimitIdentifier = get_class($controller) . '::' . $methodName;
if($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) {
$this->limiter->registerUserRequest(
$rateLimitIdentifier,
$userLimit,
$userPeriod,
$this->userSession->getUser()
);
} elseif ($anonLimit !== '' && $anonPeriod !== '') {
$this->limiter->registerAnonRequest(
$rateLimitIdentifier,
$anonLimit,
$anonPeriod,
$this->request->getRemoteAddress()
);
}
}
/**
* {@inheritDoc}
*/
public function afterException($controller, $methodName, \Exception $exception) {
if($exception instanceof RateLimitExceededException) {
if (stripos($this->request->getHeader('Accept'),'html') === false) {
$response = new JSONResponse(
[
'message' => $exception->getMessage(),
],
$exception->getCode()
);
} else {
$response = new TemplateResponse(
'core',
'403',
[
'file' => $exception->getMessage()
],
'guest'
);
$response->setStatus($exception->getCode());
}
return $response;
}
throw $exception;
}
}

View File

@ -192,7 +192,7 @@ class SecurityMiddleware extends Middleware {
}
if($this->reflector->hasAnnotation('BruteForceProtection')) {
$action = $this->reflector->getAnnotationParameter('BruteForceProtection');
$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
$this->throttler->sleepDelay($this->request->getRemoteAddress(), $action);
$this->throttler->registerAttempt($action, $this->request->getRemoteAddress());
}

View File

@ -24,27 +24,17 @@
*
*/
namespace OC\AppFramework\Utility;
use \OCP\AppFramework\Utility\IControllerMethodReflector;
/**
* Reads and parses annotations from doc comments
*/
class ControllerMethodReflector implements IControllerMethodReflector{
private $annotations;
private $types;
private $parameters;
public function __construct() {
$this->types = array();
$this->parameters = array();
$this->annotations = array();
}
class ControllerMethodReflector implements IControllerMethodReflector {
public $annotations = [];
private $types = [];
private $parameters = [];
/**
* @param object $object an object or classname
@ -55,9 +45,21 @@ class ControllerMethodReflector implements IControllerMethodReflector{
$docs = $reflection->getDocComment();
// extract everything prefixed by @ and first letter uppercase
preg_match_all('/^\h+\*\h+@(?P<annotation>[A-Z]\w+)(\h+(?P<parameter>\w+))?$/m', $docs, $matches);
preg_match_all('/^\h+\*\h+@(?P<annotation>[A-Z]\w+)((?P<parameter>.*))?$/m', $docs, $matches);
foreach($matches['annotation'] as $key => $annontation) {
$this->annotations[$annontation] = $matches['parameter'][$key];
$annotationValue = $matches['parameter'][$key];
if(isset($annotationValue[0]) && $annotationValue[0] === '(' && $annotationValue[strlen($annotationValue) - 1] === ')') {
$cutString = substr($annotationValue, 1, -1);
$cutString = str_replace(' ', '', $cutString);
$splittedArray = explode(',', $cutString);
foreach($splittedArray as $annotationValues) {
list($key, $value) = explode('=', $annotationValues);
$this->annotations[$annontation][$key] = $value;
}
continue;
}
$this->annotations[$annontation] = [$annotationValue];
}
// extract type parameter information
@ -83,7 +85,6 @@ class ControllerMethodReflector implements IControllerMethodReflector{
}
}
/**
* Inspects the PHPDoc parameters for types
* @param string $parameter the parameter whose type comments should be
@ -99,7 +100,6 @@ class ControllerMethodReflector implements IControllerMethodReflector{
}
}
/**
* @return array the arguments of the method with key => default value
*/
@ -107,30 +107,27 @@ class ControllerMethodReflector implements IControllerMethodReflector{
return $this->parameters;
}
/**
* Check if a method contains an annotation
* @param string $name the name of the annotation
* @return bool true if the annotation is found
*/
public function hasAnnotation($name){
public function hasAnnotation($name) {
return array_key_exists($name, $this->annotations);
}
/**
* Get optional annotation parameter
* Get optional annotation parameter by key
*
* @param string $name the name of the annotation
* @param string $key the string of the annotation
* @return string
*/
public function getAnnotationParameter($name){
$parameter = '';
if($this->hasAnnotation($name)) {
$parameter = $this->annotations[$name];
public function getAnnotationParameter($name, $key) {
if(isset($this->annotations[$name][$key])) {
return $this->annotations[$name][$key];
}
return $parameter;
return '';
}
}

View File

@ -23,6 +23,7 @@
namespace OC\Security\Bruteforce;
use OC\Security\Normalizer\IpAddress;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IConfig;
use OCP\IDBConnection;
@ -82,67 +83,6 @@ class Throttler {
return $d2->diff($d1);
}
/**
* Return the given subnet for an IPv4 address and mask bits
*
* @param string $ip
* @param int $maskBits
* @return string
*/
private function getIPv4Subnet($ip,
$maskBits = 32) {
$binary = \inet_pton($ip);
for ($i = 32; $i > $maskBits; $i -= 8) {
$j = \intdiv($i, 8) - 1;
$k = (int) \min(8, $i - $maskBits);
$mask = (0xff - ((pow(2, $k)) - 1));
$int = \unpack('C', $binary[$j]);
$binary[$j] = \pack('C', $int[1] & $mask);
}
return \inet_ntop($binary).'/'.$maskBits;
}
/**
* Return the given subnet for an IPv6 address and mask bits
*
* @param string $ip
* @param int $maskBits
* @return string
*/
private function getIPv6Subnet($ip, $maskBits = 48) {
$binary = \inet_pton($ip);
for ($i = 128; $i > $maskBits; $i -= 8) {
$j = \intdiv($i, 8) - 1;
$k = (int) \min(8, $i - $maskBits);
$mask = (0xff - ((pow(2, $k)) - 1));
$int = \unpack('C', $binary[$j]);
$binary[$j] = \pack('C', $int[1] & $mask);
}
return \inet_ntop($binary).'/'.$maskBits;
}
/**
* Return the given subnet for an IP and the configured mask bits
*
* Determine if the IP is an IPv4 or IPv6 address, then pass to the correct
* method for handling that specific type.
*
* @param string $ip
* @return string
*/
private function getSubnet($ip) {
if (\preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $ip)) {
return $this->getIPv4Subnet(
$ip,
32
);
}
return $this->getIPv6Subnet(
$ip,
128
);
}
/**
* Register a failed attempt to bruteforce a security control
*
@ -158,11 +98,12 @@ class Throttler {
return;
}
$ipAddress = new IpAddress($ip);
$values = [
'action' => $action,
'occurred' => $this->timeFactory->getTime(),
'ip' => $ip,
'subnet' => $this->getSubnet($ip),
'ip' => (string)$ipAddress,
'subnet' => $ipAddress->getSubnet(),
'metadata' => json_encode($metadata),
];
@ -254,7 +195,8 @@ class Throttler {
* @return int
*/
public function getDelay($ip, $action = '') {
if ($this->isIPWhitelisted($ip)) {
$ipAddress = new IpAddress($ip);
if ($this->isIPWhitelisted((string)$ipAddress)) {
return 0;
}
@ -266,7 +208,7 @@ class Throttler {
$qb->select('*')
->from('bruteforce_attempts')
->where($qb->expr()->gt('occurred', $qb->createNamedParameter($cutoffTime)))
->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($this->getSubnet($ip))));
->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($ipAddress->getSubnet())));
if ($action !== '') {
$qb->andWhere($qb->expr()->eq('action', $qb->createNamedParameter($action)));

View File

@ -0,0 +1,106 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Security\Normalizer;
/**
* Class IpAddress is used for normalizing IPv4 and IPv6 addresses in security
* relevant contexts in Nextcloud.
*
* @package OC\Security\Normalizer
*/
class IpAddress {
/** @var string */
private $ip;
/**
* @param string $ip IP to normalized
*/
public function __construct($ip) {
$this->ip = $ip;
}
/**
* Return the given subnet for an IPv4 address and mask bits
*
* @param string $ip
* @param int $maskBits
* @return string
*/
private function getIPv4Subnet($ip,
$maskBits = 32) {
$binary = \inet_pton($ip);
for ($i = 32; $i > $maskBits; $i -= 8) {
$j = \intdiv($i, 8) - 1;
$k = (int) \min(8, $i - $maskBits);
$mask = (0xff - ((pow(2, $k)) - 1));
$int = \unpack('C', $binary[$j]);
$binary[$j] = \pack('C', $int[1] & $mask);
}
return \inet_ntop($binary).'/'.$maskBits;
}
/**
* Return the given subnet for an IPv6 address and mask bits
*
* @param string $ip
* @param int $maskBits
* @return string
*/
private function getIPv6Subnet($ip, $maskBits = 48) {
$binary = \inet_pton($ip);
for ($i = 128; $i > $maskBits; $i -= 8) {
$j = \intdiv($i, 8) - 1;
$k = (int) \min(8, $i - $maskBits);
$mask = (0xff - ((pow(2, $k)) - 1));
$int = \unpack('C', $binary[$j]);
$binary[$j] = \pack('C', $int[1] & $mask);
}
return \inet_ntop($binary).'/'.$maskBits;
}
/**
* Gets either the /32 (IPv4) or the /128 (IPv6) subnet of an IP address
*
* @return string
*/
public function getSubnet() {
if (\preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $this->ip)) {
return $this->getIPv4Subnet(
$this->ip,
32
);
}
return $this->getIPv6Subnet(
$this->ip,
128
);
}
/**
* Returns the specified IP address
*
* @return string
*/
public function __toString() {
return $this->ip;
}
}

View File

@ -0,0 +1,54 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Security\RateLimiting\Backend;
/**
* Interface IBackend defines a storage backend for the rate limiting data. It
* should be noted that writing and reading rate limiting data is an expensive
* operation and one should thus make sure to only use sufficient fast backends.
*
* @package OC\Security\RateLimiting\Backend
*/
interface IBackend {
/**
* Gets the amount of attempts within the last specified seconds
*
* @param string $methodIdentifier Identifier for the method
* @param string $userIdentifier Identifier for the user
* @param int $seconds Seconds to look back at
* @return int
*/
public function getAttempts($methodIdentifier,
$userIdentifier,
$seconds);
/**
* Registers an attempt
*
* @param string $methodIdentifier Identifier for the method
* @param string $userIdentifier Identifier for the user
* @param int $period Period in seconds how long this attempt should be stored
*/
public function registerAttempt($methodIdentifier,
$userIdentifier,
$period);
}

View File

@ -0,0 +1,116 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Security\RateLimiting\Backend;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\ICache;
use OCP\ICacheFactory;
/**
* Class MemoryCache uses the configured distributed memory cache for storing
* rate limiting data.
*
* @package OC\Security\RateLimiting\Backend
*/
class MemoryCache implements IBackend {
/** @var ICache */
private $cache;
/** @var ITimeFactory */
private $timeFactory;
/**
* @param ICacheFactory $cacheFactory
* @param ITimeFactory $timeFactory
*/
public function __construct(ICacheFactory $cacheFactory,
ITimeFactory $timeFactory) {
$this->cache = $cacheFactory->create(__CLASS__);
$this->timeFactory = $timeFactory;
}
/**
* @param string $methodIdentifier
* @param string $userIdentifier
* @return string
*/
private function hash($methodIdentifier,
$userIdentifier) {
return hash('sha512', $methodIdentifier . $userIdentifier);
}
/**
* @param string $identifier
* @return array
*/
private function getExistingAttempts($identifier) {
$cachedAttempts = json_decode($this->cache->get($identifier), true);
if(is_array($cachedAttempts)) {
return $cachedAttempts;
}
return [];
}
/**
* {@inheritDoc}
*/
public function getAttempts($methodIdentifier,
$userIdentifier,
$seconds) {
$identifier = $this->hash($methodIdentifier, $userIdentifier);
$existingAttempts = $this->getExistingAttempts($identifier);
$count = 0;
$currentTime = $this->timeFactory->getTime();
/** @var array $existingAttempts */
foreach ($existingAttempts as $attempt) {
if(($attempt + $seconds) > $currentTime) {
$count++;
}
}
return $count;
}
/**
* {@inheritDoc}
*/
public function registerAttempt($methodIdentifier,
$userIdentifier,
$period) {
$identifier = $this->hash($methodIdentifier, $userIdentifier);
$existingAttempts = $this->getExistingAttempts($identifier);
$currentTime = $this->timeFactory->getTime();
// Unset all attempts older than $period
foreach ($existingAttempts as $key => $attempt) {
if(($attempt + $period) < $currentTime) {
unset($existingAttempts[$key]);
}
}
$existingAttempts = array_values($existingAttempts);
// Store the new attempt
$existingAttempts[] = (string)$currentTime;
$this->cache->set($identifier, json_encode($existingAttempts));
}
}

View File

@ -0,0 +1,31 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Security\RateLimiting\Exception;
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
use OCP\AppFramework\Http;
class RateLimitExceededException extends SecurityException {
public function __construct() {
parent::__construct('Rate limit exceeded', Http::STATUS_TOO_MANY_REQUESTS);
}
}

View File

@ -0,0 +1,106 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Security\RateLimiting;
use OC\Security\Normalizer\IpAddress;
use OC\Security\RateLimiting\Backend\IBackend;
use OC\Security\RateLimiting\Exception\RateLimitExceededException;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IRequest;
use OCP\IUser;
use OCP\IUserSession;
class Limiter {
/** @var IBackend */
private $backend;
/** @var ITimeFactory */
private $timeFactory;
/**
* @param IUserSession $userSession
* @param IRequest $request
* @param ITimeFactory $timeFactory
* @param IBackend $backend
*/
public function __construct(IUserSession $userSession,
IRequest $request,
ITimeFactory $timeFactory,
IBackend $backend) {
$this->backend = $backend;
$this->timeFactory = $timeFactory;
}
/**
* @param string $methodIdentifier
* @param string $userIdentifier
* @param int $period
* @param int $limit
* @throws RateLimitExceededException
*/
private function register($methodIdentifier,
$userIdentifier,
$period,
$limit) {
$existingAttempts = $this->backend->getAttempts($methodIdentifier, $userIdentifier, (int)$period);
if ($existingAttempts >= (int)$limit) {
throw new RateLimitExceededException();
}
$this->backend->registerAttempt($methodIdentifier, $userIdentifier, $this->timeFactory->getTime());
}
/**
* Registers attempt for an anonymous request
*
* @param string $identifier
* @param int $anonLimit
* @param int $anonPeriod
* @param string $ip
* @throws RateLimitExceededException
*/
public function registerAnonRequest($identifier,
$anonLimit,
$anonPeriod,
$ip) {
$ipSubnet = (new IpAddress($ip))->getSubnet();
$anonHashIdentifier = hash('sha512', 'anon::' . $identifier . $ipSubnet);
$this->register($identifier, $anonHashIdentifier, $anonPeriod, $anonLimit);
}
/**
* Registers attempt for an authenticated request
*
* @param string $identifier
* @param int $userLimit
* @param int $userPeriod
* @param IUser $user
* @throws RateLimitExceededException
*/
public function registerUserRequest($identifier,
$userLimit,
$userPeriod,
IUser $user) {
$userHashIdentifier = hash('sha512', 'user::' . $identifier . $user->getUID());
$this->register($identifier, $userHashIdentifier, $userPeriod, $userLimit);
}
}

View File

@ -516,6 +516,21 @@ class Server extends ServerContainer implements IServerContainer {
});
$this->registerAlias('Search', \OCP\ISearch::class);
$this->registerService(\OC\Security\RateLimiting\Limiter::class, function($c) {
return new \OC\Security\RateLimiting\Limiter(
$this->getUserSession(),
$this->getRequest(),
new \OC\AppFramework\Utility\TimeFactory(),
$c->query(\OC\Security\RateLimiting\Backend\IBackend::class)
);
});
$this->registerService(\OC\Security\RateLimiting\Backend\IBackend::class, function($c) {
return new \OC\Security\RateLimiting\Backend\MemoryCache(
$this->getMemCacheFactory(),
new \OC\AppFramework\Utility\TimeFactory()
);
});
$this->registerService(\OCP\Security\ISecureRandom::class, function ($c) {
return new SecureRandom();
});

View File

@ -0,0 +1,283 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Test\AppFramework\Middleware\Security;
use OC\AppFramework\Middleware\Security\RateLimitingMiddleware;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Security\RateLimiting\Exception\RateLimitExceededException;
use OC\Security\RateLimiting\Limiter;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\IRequest;
use OCP\IUser;
use OCP\IUserSession;
use Test\TestCase;
class RateLimitingMiddlewareTest extends TestCase {
/** @var IRequest|\PHPUnit_Framework_MockObject_MockObject */
private $request;
/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
private $userSession;
/** @var ControllerMethodReflector|\PHPUnit_Framework_MockObject_MockObject */
private $reflector;
/** @var Limiter|\PHPUnit_Framework_MockObject_MockObject */
private $limiter;
/** @var RateLimitingMiddleware */
private $rateLimitingMiddleware;
public function setUp() {
parent::setUp();
$this->request = $this->createMock(IRequest::class);
$this->userSession = $this->createMock(IUserSession::class);
$this->reflector = $this->createMock(ControllerMethodReflector::class);
$this->limiter = $this->createMock(Limiter::class);
$this->rateLimitingMiddleware = new RateLimitingMiddleware(
$this->request,
$this->userSession,
$this->reflector,
$this->limiter
);
}
public function testBeforeControllerWithoutAnnotation() {
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('');
$this->limiter
->expects($this->never())
->method('registerUserRequest');
$this->limiter
->expects($this->never())
->method('registerAnonRequest');
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
public function testBeforeControllerForAnon() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getRemoteAddress')
->willReturn('127.0.0.1');
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('100');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('10');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('');
$this->limiter
->expects($this->never())
->method('registerUserRequest');
$this->limiter
->expects($this->once())
->method('registerAnonRequest')
->with(get_class($controller) . '::testMethod', '100', '10', '127.0.0.1');
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
public function testBeforeControllerForLoggedIn() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */
$user = $this->createMock(IUser::class);
$this->userSession
->expects($this->once())
->method('isLoggedIn')
->willReturn(true);
$this->userSession
->expects($this->once())
->method('getUser')
->willReturn($user);
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('100');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('10');
$this->limiter
->expects($this->never())
->method('registerAnonRequest');
$this->limiter
->expects($this->once())
->method('registerUserRequest')
->with(get_class($controller) . '::testMethod', '100', '10', $user);
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
public function testBeforeControllerAnonWithFallback() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getRemoteAddress')
->willReturn('127.0.0.1');
$this->userSession
->expects($this->once())
->method('isLoggedIn')
->willReturn(false);
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('200');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('20');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('100');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('10');
$this->limiter
->expects($this->never())
->method('registerUserRequest');
$this->limiter
->expects($this->once())
->method('registerAnonRequest')
->with(get_class($controller) . '::testMethod', '200', '20', '127.0.0.1');
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
/**
* @expectedException \Exception
* @expectedExceptionMessage My test exception
*/
public function testAfterExceptionWithOtherException() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->rateLimitingMiddleware->afterException($controller, 'testMethod', new \Exception('My test exception'));
}
public function testAfterExceptionWithJsonBody() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getHeader')
->with('Accept')
->willReturn('JSON');
$result = $this->rateLimitingMiddleware->afterException($controller, 'testMethod', new RateLimitExceededException());
$expected = new JSONResponse(
[
'message' => 'Rate limit exceeded',
],
429
);
$this->assertEquals($expected, $result);
}
public function testAfterExceptionWithHtmlBody() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getHeader')
->with('Accept')
->willReturn('html');
$result = $this->rateLimitingMiddleware->afterException($controller, 'testMethod', new RateLimitExceededException());
$expected = new TemplateResponse(
'core',
'403',
[
'file' => 'Rate limit exceeded',
],
'guest'
);
$expected->setStatus(429);
$this->assertEquals($expected, $result);
}
}

View File

@ -75,18 +75,32 @@ class ControllerMethodReflectorTest extends \Test\TestCase {
$this->assertTrue($reader->hasAnnotation('Annotation'));
}
/**
* @Annotation parameter
* @Annotation(parameter=value)
*/
public function testGetAnnotationParameter(){
public function testGetAnnotationParameterSingle() {
$reader = new ControllerMethodReflector();
$reader->reflect(
'\Test\AppFramework\Utility\ControllerMethodReflectorTest',
'testGetAnnotationParameter'
__CLASS__,
__FUNCTION__
);
$this->assertSame('parameter', $reader->getAnnotationParameter('Annotation'));
$this->assertSame('value', $reader->getAnnotationParameter('Annotation', 'parameter'));
}
/**
* @Annotation(parameter1=value1, parameter2=value2,parameter3=value3)
*/
public function testGetAnnotationParameterMultiple() {
$reader = new ControllerMethodReflector();
$reader->reflect(
__CLASS__,
__FUNCTION__
);
$this->assertSame('value1', $reader->getAnnotationParameter('Annotation', 'parameter1'));
$this->assertSame('value2', $reader->getAnnotationParameter('Annotation', 'parameter2'));
$this->assertSame('value3', $reader->getAnnotationParameter('Annotation', 'parameter3'));
}
/**

View File

@ -76,51 +76,6 @@ class ThrottlerTest extends TestCase {
$this->assertLessThan(2, $cutoff->s);
}
public function testSubnet() {
// IPv4
$this->assertSame(
'64.233.191.254/32',
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 32])
);
$this->assertSame(
'64.233.191.252/30',
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 30])
);
$this->assertSame(
'64.233.191.240/28',
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 28])
);
$this->assertSame(
'64.233.191.0/24',
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 24])
);
$this->assertSame(
'64.233.188.0/22',
$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 22])
);
// IPv6
$this->assertSame(
'2001:db8:85a3::8a2e:370:7334/127',
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 127])
);
$this->assertSame(
'2001:db8:85a3::8a2e:370:7300/120',
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7300', 120])
);
$this->assertSame(
'2001:db8:85a3::/64',
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 64])
);
$this->assertSame(
'2001:db8:85a3::/48',
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 48])
);
$this->assertSame(
'2001:db8:8500::/40',
$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 40])
);
}
public function dataIsIPWhitelisted() {
return [
[

View File

@ -0,0 +1,59 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Test\Security\Normalizer;
use OC\Security\Normalizer\IpAddress;
use Test\TestCase;
class IpAddressTest extends TestCase {
public function subnetDataProvider() {
return [
[
'64.233.191.254',
'64.233.191.254/32',
],
[
'192.168.0.123',
'192.168.0.123/32',
],
[
'2001:0db8:85a3:0000:0000:8a2e:0370:7334',
'2001:db8:85a3::8a2e:370:7334/128',
],
];
}
/**
* @dataProvider subnetDataProvider
*
* @param string $input
* @param string $expected
*/
public function testGetSubnet($input, $expected) {
$this->assertSame($expected, (new IpAddress($input))->getSubnet());
}
public function testToString() {
$this->assertSame('127.0.0.1', (string)(new IpAddress('127.0.0.1')));
}
}

View File

@ -0,0 +1,146 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Test\Security\RateLimiting\Backend;
use OC\Security\RateLimiting\Backend\MemoryCache;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\ICache;
use OCP\ICacheFactory;
use Test\TestCase;
class MemoryCacheTest extends TestCase {
/** @var ICacheFactory|\PHPUnit_Framework_MockObject_MockObject */
private $cacheFactory;
/** @var ITimeFactory|\PHPUnit_Framework_MockObject_MockObject */
private $timeFactory;
/** @var ICache|\PHPUnit_Framework_MockObject_MockObject */
private $cache;
/** @var MemoryCache */
private $memoryCache;
public function setUp() {
parent::setUp();
$this->cacheFactory = $this->createMock(ICacheFactory::class);
$this->timeFactory = $this->createMock(ITimeFactory::class);
$this->cache = $this->createMock(ICache::class);
$this->cacheFactory
->expects($this->once())
->method('create')
->with('OC\Security\RateLimiting\Backend\MemoryCache')
->willReturn($this->cache);
$this->memoryCache = new MemoryCache(
$this->cacheFactory,
$this->timeFactory
);
}
public function testGetAttemptsWithNoAttemptsBefore() {
$this->cache
->expects($this->once())
->method('get')
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
->willReturn(false);
$this->assertSame(0, $this->memoryCache->getAttempts('Method', 'User', 123));
}
public function testGetAttempts() {
$this->timeFactory
->expects($this->once())
->method('getTime')
->willReturn(210);
$this->cache
->expects($this->once())
->method('get')
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
->willReturn(json_encode([
'1',
'2',
'87',
'123',
'123',
'124',
]));
$this->assertSame(3, $this->memoryCache->getAttempts('Method', 'User', 123));
}
public function testRegisterAttemptWithNoAttemptsBefore() {
$this->timeFactory
->expects($this->once())
->method('getTime')
->willReturn(123);
$this->cache
->expects($this->once())
->method('get')
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
->willReturn(false);
$this->cache
->expects($this->once())
->method('set')
->with(
'eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b',
json_encode(['123'])
);
$this->memoryCache->registerAttempt('Method', 'User', 100);
}
public function testRegisterAttempt() {
$this->timeFactory
->expects($this->once())
->method('getTime')
->willReturn(129);
$this->cache
->expects($this->once())
->method('get')
->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
->willReturn(json_encode([
'1',
'2',
'87',
'123',
'123',
'124',
]));
$this->cache
->expects($this->once())
->method('set')
->with(
'eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b',
json_encode([
'87',
'123',
'123',
'124',
'129',
])
);
$this->memoryCache->registerAttempt('Method', 'User', 100);
}
}

View File

@ -0,0 +1,161 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Test\Security\RateLimiting;
use OC\Security\RateLimiting\Backend\IBackend;
use OC\Security\RateLimiting\Limiter;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\ICacheFactory;
use OCP\IRequest;
use OCP\IUser;
use OCP\IUserSession;
use Test\TestCase;
class LimiterTest extends TestCase {
/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
private $userSession;
/** @var IRequest|\PHPUnit_Framework_MockObject_MockObject */
private $request;
/** @var ITimeFactory|\PHPUnit_Framework_MockObject_MockObject */
private $timeFactory;
/** @var IBackend|\PHPUnit_Framework_MockObject_MockObject */
private $backend;
/** @var Limiter */
private $limiter;
public function setUp() {
parent::setUp();
$this->userSession = $this->createMock(IUserSession::class);
$this->request = $this->createMock(IRequest::class);
$this->timeFactory = $this->createMock(ITimeFactory::class);
$this->backend = $this->createMock(IBackend::class);
$this->limiter = new Limiter(
$this->userSession,
$this->request,
$this->timeFactory,
$this->backend
);
}
/**
* @expectedException \OC\Security\RateLimiting\Exception\RateLimitExceededException
* @expectedExceptionMessage Rate limit exceeded
*/
public function testRegisterAnonRequestExceeded() {
$this->backend
->expects($this->once())
->method('getAttempts')
->with(
'MyIdentifier',
'4664f0d9c88dcb7552be47b37bb52ce35977b2e60e1ac13757cf625f31f87050a41f3da064887fa87d49fd042e4c8eb20de8f10464877d3959677ab011b73a47',
100
)
->willReturn(101);
$this->limiter->registerAnonRequest('MyIdentifier', 100, 100, '127.0.0.1');
}
public function testRegisterAnonRequestSuccess() {
$this->timeFactory
->expects($this->once())
->method('getTime')
->willReturn(2000);
$this->backend
->expects($this->once())
->method('getAttempts')
->with(
'MyIdentifier',
'4664f0d9c88dcb7552be47b37bb52ce35977b2e60e1ac13757cf625f31f87050a41f3da064887fa87d49fd042e4c8eb20de8f10464877d3959677ab011b73a47',
100
)
->willReturn(99);
$this->backend
->expects($this->once())
->method('registerAttempt')
->with(
'MyIdentifier',
'4664f0d9c88dcb7552be47b37bb52ce35977b2e60e1ac13757cf625f31f87050a41f3da064887fa87d49fd042e4c8eb20de8f10464877d3959677ab011b73a47',
2000
);
$this->limiter->registerAnonRequest('MyIdentifier', 100, 100, '127.0.0.1');
}
/**
* @expectedException \OC\Security\RateLimiting\Exception\RateLimitExceededException
* @expectedExceptionMessage Rate limit exceeded
*/
public function testRegisterUserRequestExceeded() {
/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */
$user = $this->createMock(IUser::class);
$user
->expects($this->once())
->method('getUID')
->willReturn('MyUid');
$this->backend
->expects($this->once())
->method('getAttempts')
->with(
'MyIdentifier',
'ddb2ec50fa973fd49ecf3d816f677c8095143e944ad10485f30fb3dac85c13a346dace4dae2d0a15af91867320957bfd38a43d9eefbb74fe6919e15119b6d805',
100
)
->willReturn(101);
$this->limiter->registerUserRequest('MyIdentifier', 100, 100, $user);
}
public function testRegisterUserRequestSuccess() {
/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */
$user = $this->createMock(IUser::class);
$user
->expects($this->once())
->method('getUID')
->willReturn('MyUid');
$this->timeFactory
->expects($this->once())
->method('getTime')
->willReturn(2000);
$this->backend
->expects($this->once())
->method('getAttempts')
->with(
'MyIdentifier',
'ddb2ec50fa973fd49ecf3d816f677c8095143e944ad10485f30fb3dac85c13a346dace4dae2d0a15af91867320957bfd38a43d9eefbb74fe6919e15119b6d805',
100
)
->willReturn(99);
$this->backend
->expects($this->once())
->method('registerAttempt')
->with(
'MyIdentifier',
'ddb2ec50fa973fd49ecf3d816f677c8095143e944ad10485f30fb3dac85c13a346dace4dae2d0a15af91867320957bfd38a43d9eefbb74fe6919e15119b6d805',
2000
);
$this->limiter->registerUserRequest('MyIdentifier', 100, 100, $user);
}
}