feat: Expose if the own IP is allowed to bypass bruteforce protection
authorJoas Schilling <coding@schilljs.com>
Tue, 15 Aug 2023 06:04:32 +0000 (08:04 +0200)
committerJoas Schilling <coding@schilljs.com>
Wed, 23 Aug 2023 04:44:07 +0000 (06:44 +0200)
Signed-off-by: Joas Schilling <coding@schilljs.com>
lib/private/Security/Bruteforce/Capabilities.php
lib/private/Security/Bruteforce/Throttler.php
tests/lib/Security/Bruteforce/CapabilitiesTest.php

index 60cf3086f2db9c30bbcde2e9eba553966f3c1eba..4eada3d05f51c8631806fd62e70f79b223381f2f 100644 (file)
@@ -3,9 +3,11 @@
 declare(strict_types=1);
 
 /**
+ * @copyright Copyright (c) 2023 Joas Schilling <coding@schilljs.com>
  * @copyright Copyright (c) 2017 Roeland Jago Douma <roeland@famdouma.nl>
  *
  * @author J0WI <J0WI@users.noreply.github.com>
+ * @author Joas Schilling <coding@schilljs.com>
  * @author Julius Härtl <jus@bitgrid.net>
  * @author Roeland Jago Douma <roeland@famdouma.nl>
  *
@@ -32,33 +34,21 @@ use OCP\Capabilities\IInitialStateExcludedCapability;
 use OCP\IRequest;
 
 class Capabilities implements IPublicCapability, IInitialStateExcludedCapability {
-       /** @var IRequest */
-       private $request;
-
-       /** @var Throttler */
-       private $throttler;
+       public function __construct(
+               private IRequest $request,
+               private Throttler $throttler,
+       ) {
+       }
 
        /**
-        * Capabilities constructor.
-        *
-        * @param IRequest $request
-        * @param Throttler $throttler
+        * @return array{bruteforce: array{delay: int, allow-listed: bool}}
         */
-       public function __construct(IRequest $request,
-                                                               Throttler $throttler) {
-               $this->request = $request;
-               $this->throttler = $throttler;
-       }
-
        public function getCapabilities(): array {
-               if (version_compare(\OC::$server->getConfig()->getSystemValueString('version', '0.0.0.0'), '12.0.0.0', '<')) {
-                       return [];
-               }
-
                return [
                        'bruteforce' => [
-                               'delay' => $this->throttler->getDelay($this->request->getRemoteAddress())
-                       ]
+                               'delay' => $this->throttler->getDelay($this->request->getRemoteAddress()),
+                               'allow-listed' => $this->throttler->isIPWhitelisted($this->request->getRemoteAddress()),
+                       ],
                ];
        }
 }
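Review bot: `allow-listed` is added to a class that implements `IPublicCapability`, so the allow-list status of whatever address `getRemoteAddress()` returns is presumably readable without authentication. How that address is resolved (for example from forwarding headers behind a trusted proxy) is outside this hunk; on a deployment where the client can influence it, the new field would report allow-list membership for an address that is not the real peer. I would state that dependency in the `getCapabilities()` docblock, e.g. `* Both values describe the resolved remote address and are exposed publicly; they are only meaningful when trusted proxies are configured correctly.` A smaller style point: resolve the address once with `$ip = $this->request->getRemoteAddress();` and pass `$ip` to both `getDelay()` and `isIPWhitelisted()`, so the two fields cannot describe different addresses.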
index 01032c415ff017e9896716b0e89c841afb0e12f9..ce70d091f7c408bbb7980b998eb3b61c9f73ce9a 100644 (file)
@@ -110,7 +110,7 @@ class Throttler implements IThrottler {
         * @param string $ip
         * @return bool
         */
-       private function isIPWhitelisted(string $ip): bool {
+       public function isIPWhitelisted(string $ip): bool {
                if (isset($this->ipIsWhitelisted[$ip])) {
                        return $this->ipIsWhitelisted[$ip];
                }
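Review bot: Widening `isIPWhitelisted()` to `public` makes the allow-list decision callable from outside the class, but the visible docblock lines still say only `@param string $ip` and `@return bool`. The docblock starts above the hunk and the body continues below it, so it may already say more; if not, I would add a sentence such as `Callers must pass the resolved remote address (IRequest::getRemoteAddress()), never a raw request header value.` `Capabilities` type-hints the concrete `Throttler` to reach this method, so it is also worth deciding whether the method belongs on `IThrottler` instead.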
index 1c2bbb6bc53b298e4550355c46d12c6b39a84adf..d3463d307c00eaf936022f592bafc517847cb87f 100644 (file)
@@ -52,18 +52,24 @@ class CapabilitiesTest extends TestCase {
                );
        }
 
-       public function testGetCapabilities() {
+       public function testGetCapabilities(): void {
                $this->throttler->expects($this->atLeastOnce())
                        ->method('getDelay')
                        ->with('10.10.10.10')
                        ->willReturn(42);
 
+               $this->throttler->expects($this->atLeastOnce())
+                       ->method('isIPWhitelisted')
+                       ->with('10.10.10.10')
+                       ->willReturn(true);
+
                $this->request->method('getRemoteAddress')
                        ->willReturn('10.10.10.10');
 
                $expected = [
                        'bruteforce' => [
-                               'delay' => 42
+                               'delay' => 42,
+                               'allow-listed' => true,
                        ]
                ];
                $result = $this->capabilities->getCapabilities();
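Review bot: The expected array now carries a boolean, but the comparison that follows this hunk is `$this->assertEquals($expected, $result);` (visible as context in the next hunk), which compares loosely and would also pass if `allow-listed` came back as `1`. Since the new docblock on `getCapabilities()` promises `allow-listed: bool`, `$this->assertSame($expected, $result);` would pin the type as well as the value. The test method's closing lines are outside this hunk.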
@@ -71,7 +77,7 @@ class CapabilitiesTest extends TestCase {
                $this->assertEquals($expected, $result);
        }
 
-       public function testGetCapabilitiesOnCli() {
+       public function testGetCapabilitiesOnCli(): void {
                $this->throttler->expects($this->atLeastOnce())
                        ->method('getDelay')
                        ->with('')
@@ -82,7 +88,8 @@ class CapabilitiesTest extends TestCase {
 
                $expected = [
                        'bruteforce' => [
-                               'delay' => 0
+                               'delay' => 0,
+                               'allow-listed' => false,
                        ]
                ];
                $result = $this->capabilities->getCapabilities();
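Review bot: `testGetCapabilitiesOnCli` now expects `'allow-listed' => false`, but no `isIPWhitelisted` expectation is added for this test, so the value seems to come from the mock's default return for a `bool` method rather than from anything the test states. An explicit stub would make the intent visible and check the argument: `$this->throttler->expects($this->atLeastOnce())->method('isIPWhitelisted')->with('')->willReturn(false);`. The lines between the `getDelay` expectation and `$expected` are outside the hunk, so this is inferred from the absence of added lines there.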