upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-05-28 04:32:30 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 25

Merge pull request #39870 from nextcloud/perf/noid/memcache-bfp-backend

Browse source 
feat(security): Add a bruteforce protection backend base on memcache
This commit is contained in:
Joas Schilling 2023-08-22 08:32:54 +02:00 committed by GitHub
commit 82835eaa46
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
21 changed files with 882 additions and 196 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
apps/settings/lib/Controller/CheckSetupController.php
View file

@ -90,6 +90,7 @@ use OCP\ITempManager;
use OCP\IURLGenerator;
use OCP\Lock\ILockingProvider;
use OCP\Notification\IManager;
use OCP\Security\Bruteforce\IThrottler;
use OCP\Security\ISecureRandom;
use Psr\Log\LoggerInterface;
@ -123,6 +124,8 @@ class CheckSetupController extends Controller {
private $iniGetWrapper;
/** @var IDBConnection */
private $connection;
/** @var IThrottler */
private $throttler;
/** @var ITempManager */
private $tempManager;
/** @var IManager */
@ -148,6 +151,7 @@ class CheckSetupController extends Controller {
ISecureRandom $secureRandom,
IniGetWrapper $iniGetWrapper,
IDBConnection $connection,
IThrottler $throttler,
ITempManager $tempManager,
IManager $manager,
IAppManager $appManager,
@ -162,6 +166,7 @@ class CheckSetupController extends Controller {
$this->logger = $logger;
$this->dispatcher = $dispatcher;
$this->db = $db;
$this->throttler = $throttler;
$this->lockingProvider = $lockingProvider;
$this->dateTimeFormatter = $dateTimeFormatter;
$this->memoryInfo = $memoryInfo;
@ -920,6 +925,8 @@ Raw output
'cronInfo' => $this->getLastCronInfo(),
'cronErrors' => $this->getCronErrors(),
'isFairUseOfFreePushService' => $this->isFairUseOfFreePushService(),
'isBruteforceThrottled' => $this->throttler->getAttempts($this->request->getRemoteAddress()) !== 0,
'bruteforceRemoteAddress' => $this->request->getRemoteAddress(),
'serverHasInternetConnectionProblems' => $this->hasInternetConnectivityProblems(),
'isMemcacheConfigured' => $this->isMemcacheConfigured(),
'memcacheDocs' => $this->urlGenerator->linkToDocs('admin-performance'),

8
apps/settings/tests/Controller/CheckSetupControllerTest.php
View file

@ -59,6 +59,7 @@ use OCP\ITempManager;
use OCP\IURLGenerator;
use OCP\Lock\ILockingProvider;
use OCP\Notification\IManager;
use OCP\Security\Bruteforce\IThrottler;
use PHPUnit\Framework\MockObject\MockObject;
use Psr\Http\Message\ResponseInterface;
use Psr\Log\LoggerInterface;
@ -143,6 +144,7 @@ class CheckSetupControllerTest extends TestCase {
$this->logger = $this->getMockBuilder(LoggerInterface::class)->getMock();
$this->db = $this->getMockBuilder(Connection::class)
->disableOriginalConstructor()->getMock();
$this->throttler = $this->createMock(IThrottler::class);
$this->lockingProvider = $this->getMockBuilder(ILockingProvider::class)->getMock();
$this->dateTimeFormatter = $this->getMockBuilder(IDateTimeFormatter::class)->getMock();
$this->memoryInfo = $this->getMockBuilder(MemoryInfo::class)
@ -174,6 +176,7 @@ class CheckSetupControllerTest extends TestCase {
$this->secureRandom,
$this->iniGetWrapper,
$this->connection,
$this->throttler,
$this->tempManager,
$this->notificationManager,
$this->appManager,
@ -659,6 +662,8 @@ class CheckSetupControllerTest extends TestCase {
'isFairUseOfFreePushService' => false,
'temporaryDirectoryWritable' => false,
\OCA\Settings\SetupChecks\LdapInvalidUuids::class => ['pass' => true, 'description' => 'Invalid UUIDs of LDAP users or groups have been found. Please review your "Override UUID detection" settings in the Expert part of the LDAP configuration and use "occ ldap:update-uuid" to update them.', 'severity' => 'warning'],
'isBruteforceThrottled' => false,
'bruteforceRemoteAddress' => '',
]
);
$this->assertEquals($expected, $this->checkSetupController->check());
@ -683,6 +688,7 @@ class CheckSetupControllerTest extends TestCase {
$this->secureRandom,
$this->iniGetWrapper,
$this->connection,
$this->throttler,
$this->tempManager,
$this->notificationManager,
$this->appManager,
@ -1410,6 +1416,7 @@ Array
$this->secureRandom,
$this->iniGetWrapper,
$this->connection,
$this->throttler,
$this->tempManager,
$this->notificationManager,
$this->appManager,
@ -1464,6 +1471,7 @@ Array
$this->secureRandom,
$this->iniGetWrapper,
$this->connection,
$this->throttler,
$this->tempManager,
$this->notificationManager,
$this->appManager,

13
config/config.sample.php
View file

@ -352,6 +352,19 @@ $CONFIG = [
*/
'auth.bruteforce.protection.enabled' => true,
/**
* Whether the bruteforce protection shipped with Nextcloud should be set to testing mode.
*
* In testing mode bruteforce attempts are still recorded, but the requests do
* not sleep/wait for the specified time. They will still abort with
* "429 Too Many Requests" when the maximum delay is reached.
* Enabling this is discouraged for security reasons
* and should only be done for debugging and on CI when running tests.
*
* Defaults to ``false``
*/
'auth.bruteforce.protection.testing' => false,
/**
* Whether the rate limit protection shipped with Nextcloud should be enabled or not.
*

82
core/Command/Security/BruteforceAttempts.php Normal file
View file

@ -0,0 +1,82 @@
<?php
declare(strict_types=1);
/**
* @copyright Copyright (c) 2023 Joas Schilling <coding@schilljs.com>
*
* @author Joas Schilling <coding@schilljs.com>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Core\Command\Security;
use OC\Core\Command\Base;
use OCP\Security\Bruteforce\IThrottler;
use Symfony\Component\Console\Input\InputArgument;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
class BruteforceAttempts extends Base {
public function __construct(
protected IThrottler $throttler,
) {
parent::__construct();
}
protected function configure(): void {
parent::configure();
$this
->setName('security:bruteforce:attempts')
->setDescription('resets bruteforce attempts for given IP address')
->addArgument(
'ipaddress',
InputArgument::REQUIRED,
'IP address for which the attempts are to be reset',
)
->addArgument(
'action',
InputArgument::OPTIONAL,
'Only count attempts for the given action',
)
;
}
protected function execute(InputInterface $input, OutputInterface $output): int {
$ip = $input->getArgument('ipaddress');
if (!filter_var($ip, FILTER_VALIDATE_IP)) {
$output->writeln('<error>"' . $ip . '" is not a valid IP address</error>');
return 1;
}
$data = [
'bypass-listed' => $this->throttler->isBypassListed($ip),
'attempts' => $this->throttler->getAttempts(
$ip,
(string) $input->getArgument('action'),
),
'delay' => $this->throttler->getDelay(
$ip,
(string) $input->getArgument('action'),
),
];
$this->writeArrayInOutputFormat($input, $output, $data);
return 0;
}
}

12
core/Command/Security/ResetBruteforceAttempts.php → core/Command/Security/BruteforceResetAttempts.php
View file

@ -1,4 +1,6 @@
<?php
declare(strict_types=1);
/**
* @copyright Copyright (c) 2020, Johannes Riedel (johannes@johannes-riedel.de)
*
@ -24,22 +26,22 @@
namespace OC\Core\Command\Security;
use OC\Core\Command\Base;
use OC\Security\Bruteforce\Throttler;
use OCP\Security\Bruteforce\IThrottler;
use Symfony\Component\Console\Input\InputArgument;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
class ResetBruteforceAttempts extends Base {
class BruteforceResetAttempts extends Base {
public function __construct(
protected Throttler $throttler,
protected IThrottler $throttler,
) {
parent::__construct();
}
protected function configure() {
protected function configure(): void {
$this
->setName('security:bruteforce:reset')
->setDescription('resets bruteforce attemps for given IP address')
->setDescription('resets bruteforce attempts for given IP address')
->addArgument(
'ipaddress',
InputArgument::REQUIRED,

8
core/js/setupchecks.js
View file

@ -215,6 +215,14 @@
type: OC.SetupChecks.MESSAGE_TYPE_INFO
});
}
if (data.isBruteforceThrottled) {
messages.push({
msg: t('core', 'Your remote address was identified as "{remoteAddress}" and is bruteforce throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly. Further information can be found in the {linkstart}documentation ↗{linkend}.', { remoteAddress: data.bruteforceRemoteAddress })
.replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + data.reverseProxyDocs + '">')
.replace('{linkend}', '</a>'),
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
});
}
if(!data.hasWorkingFileLocking) {
messages.push({
msg: t('core', 'Transactional file locking is disabled, this might lead to issues with race conditions. Enable "filelocking.enabled" in config.php to avoid these problems. See the {linkstart}documentation ↗{linkend} for more information.')

61
core/js/tests/specs/setupchecksSpec.js
View file

@ -814,6 +814,67 @@ describe('OC.SetupChecks tests', function() {
});
});
it('should return an error if the admin IP is bruteforce throttled', function(done) {
var async = OC.SetupChecks.checkSetup();
suite.server.requests[0].respond(
200,
{
'Content-Type': 'application/json',
},
JSON.stringify({
hasFileinfoInstalled: true,
isGetenvServerWorking: true,
isReadOnlyConfig: false,
wasEmailTestSuccessful: true,
hasWorkingFileLocking: true,
hasDBFileLocking: false,
hasValidTransactionIsolationLevel: true,
suggestedOverwriteCliURL: '',
isRandomnessSecure: true,
isFairUseOfFreePushService: true,
isBruteforceThrottled: true,
bruteforceRemoteAddress: '::1',
serverHasInternetConnectionProblems: false,
isMemcacheConfigured: true,
forwardedForHeadersWorking: true,
reverseProxyDocs: 'https://docs.nextcloud.com/foo/bar.html',
isCorrectMemcachedPHPModuleInstalled: true,
hasPassedCodeIntegrityCheck: true,
OpcacheSetupRecommendations: [],
isSettimelimitAvailable: true,
hasFreeTypeSupport: true,
missingIndexes: [],
missingPrimaryKeys: [],
missingColumns: [],
cronErrors: [],
cronInfo: {
diffInSeconds: 0
},
isMemoryLimitSufficient: true,
appDirsWithDifferentOwner: [],
isImagickEnabled: true,
areWebauthnExtensionsEnabled: true,
is64bit: true,
recommendedPHPModules: [],
pendingBigIntConversionColumns: [],
isMysqlUsedWithoutUTF8MB4: false,
isDefaultPhoneRegionSet: true,
isEnoughTempSpaceAvailableIfS3PrimaryStorageIsUsed: true,
reverseProxyGeneratedURL: 'https://server',
temporaryDirectoryWritable: true,
})
);
async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'Your remote address was identified as "::1" and is bruteforce throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly. Further information can be found in the <a target="_blank" rel="noreferrer noopener" class="external" href="https://docs.nextcloud.com/foo/bar.html">documentation ↗</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
}]);
done();
});
});
it('should return an error if set_time_limit is unavailable', function(done) {
var async = OC.SetupChecks.checkSetup();

3
core/register_command.php
View file

@ -209,7 +209,8 @@ if (\OC::$server->getConfig()->getSystemValue('installed', false)) {
$application->add(new OC\Core\Command\Security\ListCertificates(\OC::$server->getCertificateManager(), \OC::$server->getL10N('core')));
$application->add(new OC\Core\Command\Security\ImportCertificate(\OC::$server->getCertificateManager()));
$application->add(new OC\Core\Command\Security\RemoveCertificate(\OC::$server->getCertificateManager()));
$application->add(new OC\Core\Command\Security\ResetBruteforceAttempts(\OC::$server->getBruteForceThrottler()));
$application->add(\OC::$server->get(\OC\Core\Command\Security\BruteforceAttempts::class));
$application->add(\OC::$server->get(\OC\Core\Command\Security\BruteforceResetAttempts::class));
} else {
$application->add(\OC::$server->get(\OC\Core\Command\Maintenance\Install::class));
}

6
lib/composer/composer/autoload_classmap.php
View file

@ -1021,10 +1021,11 @@ return array(
'OC\\Core\\Command\\Preview\\Generate' => $baseDir . '/core/Command/Preview/Generate.php',
'OC\\Core\\Command\\Preview\\Repair' => $baseDir . '/core/Command/Preview/Repair.php',
'OC\\Core\\Command\\Preview\\ResetRenderedTexts' => $baseDir . '/core/Command/Preview/ResetRenderedTexts.php',
'OC\\Core\\Command\\Security\\BruteforceAttempts' => $baseDir . '/core/Command/Security/BruteforceAttempts.php',
'OC\\Core\\Command\\Security\\BruteforceResetAttempts' => $baseDir . '/core/Command/Security/BruteforceResetAttempts.php',
'OC\\Core\\Command\\Security\\ImportCertificate' => $baseDir . '/core/Command/Security/ImportCertificate.php',
'OC\\Core\\Command\\Security\\ListCertificates' => $baseDir . '/core/Command/Security/ListCertificates.php',
'OC\\Core\\Command\\Security\\RemoveCertificate' => $baseDir . '/core/Command/Security/RemoveCertificate.php',
'OC\\Core\\Command\\Security\\ResetBruteforceAttempts' => $baseDir . '/core/Command/Security/ResetBruteforceAttempts.php',
'OC\\Core\\Command\\Status' => $baseDir . '/core/Command/Status.php',
'OC\\Core\\Command\\SystemTag\\Add' => $baseDir . '/core/Command/SystemTag/Add.php',
'OC\\Core\\Command\\SystemTag\\Delete' => $baseDir . '/core/Command/SystemTag/Delete.php',
@ -1584,6 +1585,9 @@ return array(
'OC\\Search\\Result\\Image' => $baseDir . '/lib/private/Search/Result/Image.php',
'OC\\Search\\SearchComposer' => $baseDir . '/lib/private/Search/SearchComposer.php',
'OC\\Search\\SearchQuery' => $baseDir . '/lib/private/Search/SearchQuery.php',
'OC\\Security\\Bruteforce\\Backend\\DatabaseBackend' => $baseDir . '/lib/private/Security/Bruteforce/Backend/DatabaseBackend.php',
'OC\\Security\\Bruteforce\\Backend\\IBackend' => $baseDir . '/lib/private/Security/Bruteforce/Backend/IBackend.php',
'OC\\Security\\Bruteforce\\Backend\\MemoryCacheBackend' => $baseDir . '/lib/private/Security/Bruteforce/Backend/MemoryCacheBackend.php',
'OC\\Security\\Bruteforce\\Capabilities' => $baseDir . '/lib/private/Security/Bruteforce/Capabilities.php',
'OC\\Security\\Bruteforce\\CleanupJob' => $baseDir . '/lib/private/Security/Bruteforce/CleanupJob.php',
'OC\\Security\\Bruteforce\\Throttler' => $baseDir . '/lib/private/Security/Bruteforce/Throttler.php',

6
lib/composer/composer/autoload_static.php
View file

@ -1054,10 +1054,11 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
'OC\\Core\\Command\\Preview\\Generate' => __DIR__ . '/../../..' . '/core/Command/Preview/Generate.php',
'OC\\Core\\Command\\Preview\\Repair' => __DIR__ . '/../../..' . '/core/Command/Preview/Repair.php',
'OC\\Core\\Command\\Preview\\ResetRenderedTexts' => __DIR__ . '/../../..' . '/core/Command/Preview/ResetRenderedTexts.php',
'OC\\Core\\Command\\Security\\BruteforceAttempts' => __DIR__ . '/../../..' . '/core/Command/Security/BruteforceAttempts.php',
'OC\\Core\\Command\\Security\\BruteforceResetAttempts' => __DIR__ . '/../../..' . '/core/Command/Security/BruteforceResetAttempts.php',
'OC\\Core\\Command\\Security\\ImportCertificate' => __DIR__ . '/../../..' . '/core/Command/Security/ImportCertificate.php',
'OC\\Core\\Command\\Security\\ListCertificates' => __DIR__ . '/../../..' . '/core/Command/Security/ListCertificates.php',
'OC\\Core\\Command\\Security\\RemoveCertificate' => __DIR__ . '/../../..' . '/core/Command/Security/RemoveCertificate.php',
'OC\\Core\\Command\\Security\\ResetBruteforceAttempts' => __DIR__ . '/../../..' . '/core/Command/Security/ResetBruteforceAttempts.php',
'OC\\Core\\Command\\Status' => __DIR__ . '/../../..' . '/core/Command/Status.php',
'OC\\Core\\Command\\SystemTag\\Add' => __DIR__ . '/../../..' . '/core/Command/SystemTag/Add.php',
'OC\\Core\\Command\\SystemTag\\Delete' => __DIR__ . '/../../..' . '/core/Command/SystemTag/Delete.php',
@ -1617,6 +1618,9 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
'OC\\Search\\Result\\Image' => __DIR__ . '/../../..' . '/lib/private/Search/Result/Image.php',
'OC\\Search\\SearchComposer' => __DIR__ . '/../../..' . '/lib/private/Search/SearchComposer.php',
'OC\\Search\\SearchQuery' => __DIR__ . '/../../..' . '/lib/private/Search/SearchQuery.php',
'OC\\Security\\Bruteforce\\Backend\\DatabaseBackend' => __DIR__ . '/../../..' . '/lib/private/Security/Bruteforce/Backend/DatabaseBackend.php',
'OC\\Security\\Bruteforce\\Backend\\IBackend' => __DIR__ . '/../../..' . '/lib/private/Security/Bruteforce/Backend/IBackend.php',
'OC\\Security\\Bruteforce\\Backend\\MemoryCacheBackend' => __DIR__ . '/../../..' . '/lib/private/Security/Bruteforce/Backend/MemoryCacheBackend.php',
'OC\\Security\\Bruteforce\\Capabilities' => __DIR__ . '/../../..' . '/lib/private/Security/Bruteforce/Capabilities.php',
'OC\\Security\\Bruteforce\\CleanupJob' => __DIR__ . '/../../..' . '/lib/private/Security/Bruteforce/CleanupJob.php',
'OC\\Security\\Bruteforce\\Throttler' => __DIR__ . '/../../..' . '/lib/private/Security/Bruteforce/Throttler.php',

18
lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
View file

@ -51,6 +51,8 @@ use ReflectionMethod;
* @package OC\AppFramework\Middleware\Security
*/
class BruteForceMiddleware extends Middleware {
private int $delaySlept = 0;
public function __construct(
protected ControllerMethodReflector $reflector,
protected Throttler $throttler,
@ -67,7 +69,7 @@ class BruteForceMiddleware extends Middleware {
if ($this->reflector->hasAnnotation('BruteForceProtection')) {
$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
$this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), $action);
$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), $action);
} else {
$reflectionMethod = new ReflectionMethod($controller, $methodName);
$attributes = $reflectionMethod->getAttributes(BruteForceProtection::class);
@ -79,7 +81,7 @@ class BruteForceMiddleware extends Middleware {
/** @var BruteForceProtection $protection */
$protection = $attribute->newInstance();
$action = $protection->getAction();
$this->throttler->sleepDelayOrThrowOnMax($remoteAddress, $action);
$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($remoteAddress, $action);
}
}
}
@ -95,7 +97,7 @@ class BruteForceMiddleware extends Middleware {
$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
$ip = $this->request->getRemoteAddress();
$this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata());
$this->throttler->sleepDelayOrThrowOnMax($ip, $action);
$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($ip, $action);
} else {
$reflectionMethod = new ReflectionMethod($controller, $methodName);
$attributes = $reflectionMethod->getAttributes(BruteForceProtection::class);
@ -111,7 +113,7 @@ class BruteForceMiddleware extends Middleware {
if (!isset($metaData['action']) || $metaData['action'] === $action) {
$this->throttler->registerAttempt($action, $ip, $metaData);
$this->throttler->sleepDelayOrThrowOnMax($ip, $action);
$this->delaySlept += $this->throttler->sleepDelayOrThrowOnMax($ip, $action);
}
}
} else {
@ -127,6 +129,14 @@ class BruteForceMiddleware extends Middleware {
}
}
if ($this->delaySlept) {
$headers = $response->getHeaders();
if (!isset($headers['X-Nextcloud-Bruteforce-Throttled'])) {
$headers['X-Nextcloud-Bruteforce-Throttled'] = $this->delaySlept . 'ms';
$response->setHeaders($headers);
}
}
return parent::afterController($controller, $methodName, $response);
}

116
lib/private/Security/Bruteforce/Backend/DatabaseBackend.php Normal file
View file

@ -0,0 +1,116 @@
<?php
declare(strict_types=1);
/**
* @copyright Copyright (c) 2023 Joas Schilling <coding@schilljs.com>
*
* @author Joas Schilling <coding@schilljs.com>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Security\Bruteforce\Backend;
use OCP\IDBConnection;
class DatabaseBackend implements IBackend {
private const TABLE_NAME = 'bruteforce_attempts';
public function __construct(
private IDBConnection $db,
) {
}
/**
* {@inheritDoc}
*/
public function getAttempts(
string $ipSubnet,
int $maxAgeTimestamp,
?string $action = null,
?array $metadata = null,
): int {
$query = $this->db->getQueryBuilder();
$query->select($query->func()->count('*', 'attempts'))
->from(self::TABLE_NAME)
->where($query->expr()->gt('occurred', $query->createNamedParameter($maxAgeTimestamp)))
->andWhere($query->expr()->eq('subnet', $query->createNamedParameter($ipSubnet)));
if ($action !== null) {
$query->andWhere($query->expr()->eq('action', $query->createNamedParameter($action)));
if ($metadata !== null) {
$query->andWhere($query->expr()->eq('metadata', $query->createNamedParameter(json_encode($metadata))));
}
}
$result = $query->executeQuery();
$row = $result->fetch();
$result->closeCursor();
return (int) $row['attempts'];
}
/**
* {@inheritDoc}
*/
public function resetAttempts(
string $ipSubnet,
?string $action = null,
?array $metadata = null,
): void {
$query = $this->db->getQueryBuilder();
$query->delete(self::TABLE_NAME)
->where($query->expr()->eq('subnet', $query->createNamedParameter($ipSubnet)));
if ($action !== null) {
$query->andWhere($query->expr()->eq('action', $query->createNamedParameter($action)));
if ($metadata !== null) {
$query->andWhere($query->expr()->eq('metadata', $query->createNamedParameter(json_encode($metadata))));
}
}
$query->executeStatement();
}
/**
* {@inheritDoc}
*/
public function registerAttempt(
string $ip,
string $ipSubnet,
int $timestamp,
string $action,
array $metadata = [],
): void {
$values = [
'ip' => $ip,
'subnet' => $ipSubnet,
'action' => $action,
'metadata' => json_encode($metadata),
'occurred' => $timestamp,
];
$qb = $this->db->getQueryBuilder();
$qb->insert(self::TABLE_NAME);
foreach ($values as $column => $value) {
$qb->setValue($column, $qb->createNamedParameter($value));
}
$qb->executeStatement();
}
}

82
lib/private/Security/Bruteforce/Backend/IBackend.php Normal file
View file

@ -0,0 +1,82 @@
<?php
declare(strict_types=1);
/**
* @copyright Copyright (c) 2023 Joas Schilling <coding@schilljs.com>
*
* @author Joas Schilling <coding@schilljs.com>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Security\Bruteforce\Backend;
/**
* Interface IBackend defines a storage backend for the bruteforce data. It
* should be noted that writing and reading brute force data is an expensive
* operation and one should thus make sure to only use sufficient fast backends.
*/
interface IBackend {
/**
* Gets the number of attempts for the specified subnet (and further filters)
*
* @param string $ipSubnet
* @param int $maxAgeTimestamp
* @param ?string $action Optional action to further limit attempts
* @param ?array $metadata Optional metadata stored to further limit attempts (Only considered when $action is set)
* @return int
* @since 28.0.0
*/
public function getAttempts(
string $ipSubnet,
int $maxAgeTimestamp,
?string $action = null,
?array $metadata = null,
): int;
/**
* Reset the attempts for the specified subnet (and further filters)
*
* @param string $ipSubnet
* @param ?string $action Optional action to further limit attempts
* @param ?array $metadata Optional metadata stored to further limit attempts(Only considered when $action is set)
* @since 28.0.0
*/
public function resetAttempts(
string $ipSubnet,
?string $action = null,
?array $metadata = null,
): void;
/**
* Register a failed attempt to bruteforce a security control
*
* @param string $ip
* @param string $ipSubnet
* @param int $timestamp
* @param string $action
* @param array $metadata Optional metadata stored to further limit attempts when getting
* @since 28.0.0
*/
public function registerAttempt(
string $ip,
string $ipSubnet,
int $timestamp,
string $action,
array $metadata = [],
): void;
}

161
lib/private/Security/Bruteforce/Backend/MemoryCacheBackend.php Normal file
View file

@ -0,0 +1,161 @@
<?php
declare(strict_types=1);
/**
* @copyright Copyright (c) 2023 Joas Schilling <coding@schilljs.com>
*
* @author Joas Schilling <coding@schilljs.com>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\Security\Bruteforce\Backend;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\ICache;
use OCP\ICacheFactory;
class MemoryCacheBackend implements IBackend {
private ICache $cache;
public function __construct(
ICacheFactory $cacheFactory,
private ITimeFactory $timeFactory,
) {
$this->cache = $cacheFactory->createDistributed(__CLASS__);
}
private function hash(
null|string|array $data,
): ?string {
if ($data === null) {
return null;
}
if (!is_string($data)) {
$data = json_encode($data);
}
return hash('sha1', $data);
}
private function getExistingAttempts(string $identifier): array {
$cachedAttempts = $this->cache->get($identifier);
if ($cachedAttempts === null) {
return [];
}
$cachedAttempts = json_decode($cachedAttempts, true);
if (\is_array($cachedAttempts)) {
return $cachedAttempts;
}
return [];
}
/**
* {@inheritDoc}
*/
public function getAttempts(
string $ipSubnet,
int $maxAgeTimestamp,
?string $action = null,
?array $metadata = null,
): int {
$identifier = $this->hash($ipSubnet);
$actionHash = $this->hash($action);
$metadataHash = $this->hash($metadata);
$existingAttempts = $this->getExistingAttempts($identifier);
$count = 0;
foreach ($existingAttempts as $info) {
[$occurredTime, $attemptAction, $attemptMetadata] = explode('#', $info, 3);
if ($action === null || $attemptAction === $actionHash) {
if ($metadata === null || $attemptMetadata === $metadataHash) {
if ($occurredTime > $maxAgeTimestamp) {
$count++;
}
}
}
}
return $count;
}
/**
* {@inheritDoc}
*/
public function resetAttempts(
string $ipSubnet,
?string $action = null,
?array $metadata = null,
): void {
$identifier = $this->hash($ipSubnet);
if ($action === null) {
$this->cache->remove($identifier);
} else {
$actionHash = $this->hash($action);
$metadataHash = $this->hash($metadata);
$existingAttempts = $this->getExistingAttempts($identifier);
$maxAgeTimestamp = $this->timeFactory->getTime() - 12 * 3600;
foreach ($existingAttempts as $key => $info) {
[$occurredTime, $attemptAction, $attemptMetadata] = explode('#', $info, 3);
if ($attemptAction === $actionHash) {
if ($metadata === null || $attemptMetadata === $metadataHash) {
unset($existingAttempts[$key]);
} elseif ($occurredTime < $maxAgeTimestamp) {
unset($existingAttempts[$key]);
}
}
}
if (!empty($existingAttempts)) {
$this->cache->set($identifier, json_encode($existingAttempts), 12 * 3600);
} else {
$this->cache->remove($identifier);
}
}
}
/**
* {@inheritDoc}
*/
public function registerAttempt(
string $ip,
string $ipSubnet,
int $timestamp,
string $action,
array $metadata = [],
): void {
$identifier = $this->hash($ipSubnet);
$existingAttempts = $this->getExistingAttempts($identifier);
$maxAgeTimestamp = $this->timeFactory->getTime() - 12 * 3600;
// Unset all attempts that are already expired
foreach ($existingAttempts as $key => $info) {
[$occurredTime,] = explode('#', $info, 3);
if ($occurredTime < $maxAgeTimestamp) {
unset($existingAttempts[$key]);
}
}
$existingAttempts = array_values($existingAttempts);
// Store the new attempt
$existingAttempts[] = $timestamp . '#' . $this->hash($action) . '#' . $this->hash($metadata);
$this->cache->set($identifier, json_encode($existingAttempts), 12 * 3600);
}
}

35
lib/private/Security/Bruteforce/Capabilities.php
View file

@ -3,9 +3,11 @@
declare(strict_types=1);
/**
* @copyright Copyright (c) 2023 Joas Schilling <coding@schilljs.com>
* @copyright Copyright (c) 2017 Roeland Jago Douma <roeland@famdouma.nl>
*
* @author J0WI <J0WI@users.noreply.github.com>
* @author Joas Schilling <coding@schilljs.com>
* @author Julius Härtl <jus@bitgrid.net>
* @author Roeland Jago Douma <roeland@famdouma.nl>
*
@ -30,35 +32,24 @@ namespace OC\Security\Bruteforce;
use OCP\Capabilities\IPublicCapability;
use OCP\Capabilities\IInitialStateExcludedCapability;
use OCP\IRequest;
use OCP\Security\Bruteforce\IThrottler;
class Capabilities implements IPublicCapability, IInitialStateExcludedCapability {
/** @var IRequest */
private $request;
/** @var Throttler */
private $throttler;
/**
* Capabilities constructor.
*
* @param IRequest $request
* @param Throttler $throttler
*/
public function __construct(IRequest $request,
Throttler $throttler) {
$this->request = $request;
$this->throttler = $throttler;
public function __construct(
private IRequest $request,
private IThrottler $throttler,
) {
}
/**
* @return array{bruteforce: array{delay: int, allow-listed: bool}}
*/
public function getCapabilities(): array {
if (version_compare(\OC::$server->getConfig()->getSystemValueString('version', '0.0.0.0'), '12.0.0.0', '<')) {
return [];
}
return [
'bruteforce' => [
'delay' => $this->throttler->getDelay($this->request->getRemoteAddress())
]
'delay' => $this->throttler->getDelay($this->request->getRemoteAddress()),
'allow-listed' => $this->throttler->isBypassListed($this->request->getRemoteAddress()),
],
];
}
}

209
lib/private/Security/Bruteforce/Throttler.php
View file

@ -3,6 +3,7 @@
declare(strict_types=1);
/**
* @copyright Copyright (c) 2023 Joas Schilling <coding@schilljs.com>
* @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
*
* @author Bjoern Schiessle <bjoern@schiessle.org>
@ -32,10 +33,10 @@ declare(strict_types=1);
*/
namespace OC\Security\Bruteforce;
use OC\Security\Bruteforce\Backend\IBackend;
use OC\Security\Normalizer\IpAddress;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IConfig;
use OCP\IDBConnection;
use OCP\Security\Bruteforce\IThrottler;
use OCP\Security\Bruteforce\MaxDelayReached;
use Psr\Log\LoggerInterface;
@ -54,59 +55,21 @@ use Psr\Log\LoggerInterface;
* @package OC\Security\Bruteforce
*/
class Throttler implements IThrottler {
public const LOGIN_ACTION = 'login';
/** @var IDBConnection */
private $db;
/** @var ITimeFactory */
private $timeFactory;
private LoggerInterface $logger;
/** @var IConfig */
private $config;
/** @var bool[] */
private $hasAttemptsDeleted = [];
private array $hasAttemptsDeleted = [];
/** @var bool[] */
private array $ipIsWhitelisted = [];
public function __construct(IDBConnection $db,
ITimeFactory $timeFactory,
LoggerInterface $logger,
IConfig $config) {
$this->db = $db;
$this->timeFactory = $timeFactory;
$this->logger = $logger;
$this->config = $config;
public function __construct(
private ITimeFactory $timeFactory,
private LoggerInterface $logger,
private IConfig $config,
private IBackend $backend,
) {
}
/**
* Convert a number of seconds into the appropriate DateInterval
*
* @param int $expire
* @return \DateInterval
*/
private function getCutoff(int $expire): \DateInterval {
$d1 = new \DateTime();
$d2 = clone $d1;
$d2->sub(new \DateInterval('PT' . $expire . 'S'));
return $d2->diff($d1);
}
/**
* Calculate the cut off timestamp
*
* @param float $maxAgeHours
* @return int
*/
private function getCutoffTimestamp(float $maxAgeHours = 12.0): int {
return (new \DateTime())
->sub($this->getCutoff((int) ($maxAgeHours * 3600)))
->getTimestamp();
}
/**
* Register a failed attempt to bruteforce a security control
*
* @param string $action
* @param string $ip
* @param array $metadata Optional metadata logged to the database
* {@inheritDoc}
*/
public function registerAttempt(string $action,
string $ip,
@ -117,13 +80,9 @@ class Throttler implements IThrottler {
}
$ipAddress = new IpAddress($ip);
$values = [
'action' => $action,
'occurred' => $this->timeFactory->getTime(),
'ip' => (string)$ipAddress,
'subnet' => $ipAddress->getSubnet(),
'metadata' => json_encode($metadata),
];
if ($this->isBypassListed((string)$ipAddress)) {
return;
}
$this->logger->notice(
sprintf(
@ -136,12 +95,13 @@ class Throttler implements IThrottler {
]
);
$qb = $this->db->getQueryBuilder();
$qb->insert('bruteforce_attempts');
foreach ($values as $column => $value) {
$qb->setValue($column, $qb->createNamedParameter($value));
}
$qb->execute();
$this->backend->registerAttempt(
(string)$ipAddress,
$ipAddress->getSubnet(),
$this->timeFactory->getTime(),
$action,
$metadata
);
}
/**
@ -150,8 +110,13 @@ class Throttler implements IThrottler {
* @param string $ip
* @return bool
*/
private function isIPWhitelisted(string $ip): bool {
public function isBypassListed(string $ip): bool {
if (isset($this->ipIsWhitelisted[$ip])) {
return $this->ipIsWhitelisted[$ip];
}
if (!$this->config->getSystemValueBool('auth.bruteforce.protection.enabled', true)) {
$this->ipIsWhitelisted[$ip] = true;
return true;
}
@ -165,6 +130,7 @@ class Throttler implements IThrottler {
} elseif (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
$type = 6;
} else {
$this->ipIsWhitelisted[$ip] = false;
return false;
}
@ -202,20 +168,26 @@ class Throttler implements IThrottler {
}
if ($valid === true) {
$this->ipIsWhitelisted[$ip] = true;
return true;
}
}
$this->ipIsWhitelisted[$ip] = false;
return false;
}
/**
* Get the throttling delay (in milliseconds)
*
* @param string $ip
* @param string $action optionally filter by action
* @param float $maxAgeHours
* @return int
* {@inheritDoc}
*/
public function showBruteforceWarning(string $ip, string $action = ''): bool {
$attempts = $this->getAttempts($ip, $action);
// 4 failed attempts is the last delay below 5 seconds
return $attempts >= 4;
}
/**
* {@inheritDoc}
*/
public function getAttempts(string $ip, string $action = '', float $maxAgeHours = 12): int {
if ($maxAgeHours > 48) {
@ -228,35 +200,21 @@ class Throttler implements IThrottler {
}
$ipAddress = new IpAddress($ip);
if ($this->isIPWhitelisted((string)$ipAddress)) {
if ($this->isBypassListed((string)$ipAddress)) {
return 0;
}
$cutoffTime = $this->getCutoffTimestamp($maxAgeHours);
$maxAgeTimestamp = (int) ($this->timeFactory->getTime() - 3600 * $maxAgeHours);
$qb = $this->db->getQueryBuilder();
$qb->select($qb->func()->count('*', 'attempts'))
->from('bruteforce_attempts')
->where($qb->expr()->gt('occurred', $qb->createNamedParameter($cutoffTime)))
->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($ipAddress->getSubnet())));
if ($action !== '') {
$qb->andWhere($qb->expr()->eq('action', $qb->createNamedParameter($action)));
}
$result = $qb->execute();
$row = $result->fetch();
$result->closeCursor();
return (int) $row['attempts'];
return $this->backend->getAttempts(
$ipAddress->getSubnet(),
$maxAgeTimestamp,
$action !== '' ? $action : null,
);
}
/**
* Get the throttling delay (in milliseconds)
*
* @param string $ip
* @param string $action optionally filter by action
* @return int
* {@inheritDoc}
*/
public function getDelay(string $ip, string $action = ''): int {
$attempts = $this->getAttempts($ip, $action);
@ -278,69 +236,58 @@ class Throttler implements IThrottler {
}
/**
* Reset the throttling delay for an IP address, action and metadata
*
* @param string $ip
* @param string $action
* @param array $metadata
* {@inheritDoc}
*/
public function resetDelay(string $ip, string $action, array $metadata): void {
$ipAddress = new IpAddress($ip);
if ($this->isIPWhitelisted((string)$ipAddress)) {
// No need to log if the bruteforce protection is disabled
if (!$this->config->getSystemValueBool('auth.bruteforce.protection.enabled', true)) {
return;
}
$cutoffTime = $this->getCutoffTimestamp();
$ipAddress = new IpAddress($ip);
if ($this->isBypassListed((string)$ipAddress)) {
return;
}
$qb = $this->db->getQueryBuilder();
$qb->delete('bruteforce_attempts')
->where($qb->expr()->gt('occurred', $qb->createNamedParameter($cutoffTime)))
->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($ipAddress->getSubnet())))
->andWhere($qb->expr()->eq('action', $qb->createNamedParameter($action)))
->andWhere($qb->expr()->eq('metadata', $qb->createNamedParameter(json_encode($metadata))));
$qb->executeStatement();
$this->backend->resetAttempts(
$ipAddress->getSubnet(),
$action,
$metadata,
);
$this->hasAttemptsDeleted[$action] = true;
}
/**
* Reset the throttling delay for an IP address
*
* @param string $ip
* {@inheritDoc}
*/
public function resetDelayForIP(string $ip): void {
$cutoffTime = $this->getCutoffTimestamp();
// No need to log if the bruteforce protection is disabled
if (!$this->config->getSystemValueBool('auth.bruteforce.protection.enabled', true)) {
return;
}
$qb = $this->db->getQueryBuilder();
$qb->delete('bruteforce_attempts')
->where($qb->expr()->gt('occurred', $qb->createNamedParameter($cutoffTime)))
->andWhere($qb->expr()->eq('ip', $qb->createNamedParameter($ip)));
$ipAddress = new IpAddress($ip);
if ($this->isBypassListed((string)$ipAddress)) {
return;
}
$qb->execute();
$this->backend->resetAttempts($ipAddress->getSubnet());
}
/**
* Will sleep for the defined amount of time
*
* @param string $ip
* @param string $action optionally filter by action
* @return int the time spent sleeping
* {@inheritDoc}
*/
public function sleepDelay(string $ip, string $action = ''): int {
$delay = $this->getDelay($ip, $action);
usleep($delay * 1000);
if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {
usleep($delay * 1000);
}
return $delay;
}
/**
* Will sleep for the defined amount of time unless maximum was reached in the last 30 minutes
* In this case a "429 Too Many Request" exception is thrown
*
* @param string $ip
* @param string $action optionally filter by action
* @return int the time spent sleeping
* @throws MaxDelayReached when reached the maximum
* {@inheritDoc}
*/
public function sleepDelayOrThrowOnMax(string $ip, string $action = ''): int {
$delay = $this->getDelay($ip, $action);
@ -359,7 +306,9 @@ class Throttler implements IThrottler {
'delay' => $delay,
]);
}
usleep($delay * 1000);
if (!$this->config->getSystemValueBool('auth.bruteforce.protection.testing')) {
usleep($delay * 1000);
}
return $delay;
}
}

12
lib/private/Server.php
View file

@ -950,6 +950,18 @@ class Server extends ServerContainer implements IServerContainer {
/** @deprecated 19.0.0 */
$this->registerDeprecatedAlias('Throttler', Throttler::class);
$this->registerAlias(IThrottler::class, Throttler::class);
$this->registerService(\OC\Security\Bruteforce\Backend\IBackend::class, function ($c) {
$config = $c->get(\OCP\IConfig::class);
if (ltrim($config->getSystemValueString('memcache.distributed', ''), '\\') === \OC\Memcache\Redis::class) {
$backend = $c->get(\OC\Security\Bruteforce\Backend\MemoryCacheBackend::class);
} else {
$backend = $c->get(\OC\Security\Bruteforce\Backend\DatabaseBackend::class);
}
return $backend;
});
$this->registerService('IntegrityCodeChecker', function (ContainerInterface $c) {
// IConfig and IAppManager requires a working database. This code
// might however be called when ownCloud is not yet setup.

29
lib/public/Security/Bruteforce/IThrottler.php
View file

@ -40,16 +40,19 @@ namespace OCP\Security\Bruteforce;
interface IThrottler {
/**
* @since 25.0.0
* @deprecated 28.0.0
*/
public const MAX_DELAY = 25;
/**
* @since 25.0.0
* @deprecated 28.0.0
*/
public const MAX_DELAY_MS = 25000; // in milliseconds
/**
* @since 25.0.0
* @deprecated 28.0.0
*/
public const MAX_ATTEMPTS = 10;
@ -58,11 +61,21 @@ interface IThrottler {
*
* @param string $action
* @param string $ip
* @param array $metadata Optional metadata logged to the database
* @param array $metadata Optional metadata logged with the attempt
* @since 25.0.0
*/
public function registerAttempt(string $action, string $ip, array $metadata = []): void;
/**
* Check if the IP is allowed to bypass the brute force protection
*
* @param string $ip
* @return bool
* @since 28.0.0
*/
public function isBypassListed(string $ip): bool;
/**
* Get the throttling delay (in milliseconds)
*
@ -71,9 +84,20 @@ interface IThrottler {
* @param float $maxAgeHours
* @return int
* @since 25.0.0
* @deprecated 28.0.0 This method is considered internal as of Nextcloud 28. Use {@see showBruteforceWarning()} to decide whether a warning should be shown.
*/
public function getAttempts(string $ip, string $action = '', float $maxAgeHours = 12): int;
/**
* Whether a warning should be shown about the throttle
*
* @param string $ip
* @param string $action optionally filter by action
* @return bool
* @since 28.0.0
*/
public function showBruteforceWarning(string $ip, string $action = ''): bool;
/**
* Get the throttling delay (in milliseconds)
*
@ -81,6 +105,7 @@ interface IThrottler {
* @param string $action optionally filter by action
* @return int
* @since 25.0.0
* @deprecated 28.0.0 This method is considered internal as of Nextcloud 28. Use {@see showBruteforceWarning()} to decide whether a warning should be shown.
*/
public function getDelay(string $ip, string $action = ''): int;
@ -99,6 +124,7 @@ interface IThrottler {
*
* @param string $ip
* @since 25.0.0
* @deprecated 28.0.0 This method is considered internal as of Nextcloud 28. Use {@see resetDelay()} and only reset the entries of your action and metadata
*/
public function resetDelayForIP(string $ip): void;
@ -109,6 +135,7 @@ interface IThrottler {
* @param string $action optionally filter by action
* @return int the time spent sleeping
* @since 25.0.0
* @deprecated 28.0.0 Use {@see sleepDelayOrThrowOnMax()} instead and abort handling the request when it throws
*/
public function sleepDelay(string $ip, string $action = ''): int;

156
tests/lib/Security/Bruteforce/Backend/MemoryCacheBackendTest.php Normal file
View file

@ -0,0 +1,156 @@
<?php
declare(strict_types=1);
/**
* @copyright Copyright (c) 2023 Joas Schilling <coding@schilljs.com>
*
* @author Joas Schilling <coding@schilljs.com>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Test\Security\Bruteforce\Backend;
use OC\Security\Bruteforce\Backend\IBackend;
use OC\Security\Bruteforce\Backend\MemoryCacheBackend;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\ICache;
use OCP\ICacheFactory;
use PHPUnit\Framework\MockObject\MockObject;
use Test\TestCase;
class MemoryCacheBackendTest extends TestCase {
/** @var ICacheFactory|MockObject */
private $cacheFactory;
/** @var ITimeFactory|MockObject */
private $timeFactory;
/** @var ICache|MockObject */
private $cache;
private IBackend $backend;
protected function setUp(): void {
parent::setUp();
$this->cacheFactory = $this->createMock(ICacheFactory::class);
$this->timeFactory = $this->createMock(ITimeFactory::class);
$this->cache = $this->createMock(ICache::class);
$this->cacheFactory
->expects($this->once())
->method('createDistributed')
->with('OC\Security\Bruteforce\Backend\MemoryCacheBackend')
->willReturn($this->cache);
$this->backend = new MemoryCacheBackend(
$this->cacheFactory,
$this->timeFactory
);
}
public function testGetAttemptsWithNoAttemptsBefore(): void {
$this->cache
->expects($this->once())
->method('get')
->with('8b9da631d1f7b022bb2c3c489e16092f82b42fd4')
->willReturn(null);
$this->assertSame(0, $this->backend->getAttempts('10.10.10.10/32', 0));
}
public function dataGetAttempts(): array {
return [
[0, null, null, 4],
[100, null, null, 2],
[0, 'action1', null, 2],
[100, 'action1', null, 1],
[0, 'action1', ['metadata2'], 1],
[100, 'action1', ['metadata2'], 1],
[100, 'action1', ['metadata1'], 0],
];
}
/**
* @dataProvider dataGetAttempts
*/
public function testGetAttempts(int $maxAge, ?string $action, ?array $metadata, int $expected): void {
$this->cache
->expects($this->once())
->method('get')
->with('8b9da631d1f7b022bb2c3c489e16092f82b42fd4')
->willReturn(json_encode([
'1' . '#' . hash('sha1', 'action1') . '#' . hash('sha1', json_encode(['metadata1'])),
'300' . '#' . hash('sha1', 'action1') . '#' . hash('sha1', json_encode(['metadata2'])),
'1' . '#' . hash('sha1', 'action2') . '#' . hash('sha1', json_encode(['metadata1'])),
'300' . '#' . hash('sha1', 'action2') . '#' . hash('sha1', json_encode(['metadata2'])),
]));
$this->assertSame($expected, $this->backend->getAttempts('10.10.10.10/32', $maxAge, $action, $metadata));
}
public function testRegisterAttemptWithNoAttemptsBefore(): void {
$this->cache
->expects($this->once())
->method('get')
->with('8b9da631d1f7b022bb2c3c489e16092f82b42fd4')
->willReturn(null);
$this->cache
->expects($this->once())
->method('set')
->with(
'8b9da631d1f7b022bb2c3c489e16092f82b42fd4',
json_encode(['223#' . hash('sha1', 'action1') . '#' . hash('sha1', json_encode(['metadata1']))])
);
$this->backend->registerAttempt('10.10.10.10', '10.10.10.10/32', 223, 'action1', ['metadata1']);
}
public function testRegisterAttempt(): void {
$this->timeFactory
->expects($this->once())
->method('getTime')
->willReturn(12 * 3600 + 86);
$this->cache
->expects($this->once())
->method('get')
->with('8b9da631d1f7b022bb2c3c489e16092f82b42fd4')
->willReturn(json_encode([
'1#' . hash('sha1', 'action1') . '#' . hash('sha1', json_encode(['metadata1'])),
'2#' . hash('sha1', 'action2') . '#' . hash('sha1', json_encode(['metadata1'])),
'87#' . hash('sha1', 'action3') . '#' . hash('sha1', json_encode(['metadata1'])),
'123#' . hash('sha1', 'action4') . '#' . hash('sha1', json_encode(['metadata1'])),
'123#' . hash('sha1', 'action5') . '#' . hash('sha1', json_encode(['metadata1'])),
'124#' . hash('sha1', 'action6') . '#' . hash('sha1', json_encode(['metadata1'])),
]));
$this->cache
->expects($this->once())
->method('set')
->with(
'8b9da631d1f7b022bb2c3c489e16092f82b42fd4',
json_encode([
'87#' . hash('sha1', 'action3') . '#' . hash('sha1', json_encode(['metadata1'])),
'123#' . hash('sha1', 'action4') . '#' . hash('sha1', json_encode(['metadata1'])),
'123#' . hash('sha1', 'action5') . '#' . hash('sha1', json_encode(['metadata1'])),
'124#' . hash('sha1', 'action6') . '#' . hash('sha1', json_encode(['metadata1'])),
'186#' . hash('sha1', 'action7') . '#' . hash('sha1', json_encode(['metadata2'])),
])
);
$this->backend->registerAttempt('10.10.10.10', '10.10.10.10/32', 186, 'action7', ['metadata2']);
}
}

21
tests/lib/Security/Bruteforce/CapabilitiesTest.php
View file

@ -25,8 +25,8 @@ declare(strict_types=1);
namespace Test\Security\Bruteforce;
use OC\Security\Bruteforce\Capabilities;
use OC\Security\Bruteforce\Throttler;
use OCP\IRequest;
use OCP\Security\Bruteforce\IThrottler;
use Test\TestCase;
class CapabilitiesTest extends TestCase {
@ -36,7 +36,7 @@ class CapabilitiesTest extends TestCase {
/** @var IRequest|\PHPUnit\Framework\MockObject\MockObject */
private $request;
/** @var Throttler|\PHPUnit\Framework\MockObject\MockObject */
/** @var IThrottler|\PHPUnit\Framework\MockObject\MockObject */
private $throttler;
protected function setUp(): void {
@ -44,7 +44,7 @@ class CapabilitiesTest extends TestCase {
$this->request = $this->createMock(IRequest::class);
$this->throttler = $this->createMock(Throttler::class);
$this->throttler = $this->createMock(IThrottler::class);
$this->capabilities = new Capabilities(
$this->request,
@ -52,18 +52,24 @@ class CapabilitiesTest extends TestCase {
);
}
public function testGetCapabilities() {
public function testGetCapabilities(): void {
$this->throttler->expects($this->atLeastOnce())
->method('getDelay')
->with('10.10.10.10')
->willReturn(42);
$this->throttler->expects($this->atLeastOnce())
->method('isBypassListed')
->with('10.10.10.10')
->willReturn(true);
$this->request->method('getRemoteAddress')
->willReturn('10.10.10.10');
$expected = [
'bruteforce' => [
'delay' => 42
'delay' => 42,
'allow-listed' => true,
]
];
$result = $this->capabilities->getCapabilities();
@ -71,7 +77,7 @@ class CapabilitiesTest extends TestCase {
$this->assertEquals($expected, $result);
}
public function testGetCapabilitiesOnCli() {
public function testGetCapabilitiesOnCli(): void {
$this->throttler->expects($this->atLeastOnce())
->method('getDelay')
->with('')
@ -82,7 +88,8 @@ class CapabilitiesTest extends TestCase {
$expected = [
'bruteforce' => [
'delay' => 0
'delay' => 0,
'allow-listed' => false,
]
];
$result = $this->capabilities->getCapabilities();

33
tests/lib/Security/Bruteforce/ThrottlerTest.php
View file

@ -24,8 +24,9 @@ declare(strict_types=1);
namespace Test\Security\Bruteforce;
use OC\AppFramework\Utility\TimeFactory;
use OC\Security\Bruteforce\Backend\DatabaseBackend;
use OC\Security\Bruteforce\Throttler;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IConfig;
use OCP\IDBConnection;
use Psr\Log\LoggerInterface;
@ -42,6 +43,8 @@ class ThrottlerTest extends TestCase {
private $throttler;
/** @var IDBConnection */
private $dbConnection;
/** @var ITimeFactory */
private $timeFactory;
/** @var LoggerInterface */
private $logger;
/** @var IConfig|\PHPUnit\Framework\MockObject\MockObject */
@ -49,37 +52,19 @@ class ThrottlerTest extends TestCase {
protected function setUp(): void {
$this->dbConnection = $this->createMock(IDBConnection::class);
$this->timeFactory = $this->createMock(ITimeFactory::class);
$this->logger = $this->createMock(LoggerInterface::class);
$this->config = $this->createMock(IConfig::class);
$this->throttler = new Throttler(
$this->dbConnection,
new TimeFactory(),
$this->timeFactory,
$this->logger,
$this->config
$this->config,
new DatabaseBackend($this->dbConnection)
);
parent::setUp();
}
public function testCutoff() {
// precisely 31 second shy of 12 hours
$cutoff = self::invokePrivate($this->throttler, 'getCutoff', [43169]);
$this->assertSame(0, $cutoff->y);
$this->assertSame(0, $cutoff->m);
$this->assertSame(0, $cutoff->d);
$this->assertSame(11, $cutoff->h);
$this->assertSame(59, $cutoff->i);
$this->assertSame(29, $cutoff->s);
$cutoff = self::invokePrivate($this->throttler, 'getCutoff', [86401]);
$this->assertSame(0, $cutoff->y);
$this->assertSame(0, $cutoff->m);
$this->assertSame(1, $cutoff->d);
$this->assertSame(0, $cutoff->h);
$this->assertSame(0, $cutoff->i);
// Leap second tolerance:
$this->assertLessThan(2, $cutoff->s);
}
public function dataIsIPWhitelisted() {
return [
[
@ -200,7 +185,7 @@ class ThrottlerTest extends TestCase {
$this->assertSame(
($enabled === false) ? true : $isWhiteListed,
self::invokePrivate($this->throttler, 'isIPWhitelisted', [$ip])
self::invokePrivate($this->throttler, 'isBypassListed', [$ip])
);
}