author | Joas Schilling <coding@schilljs.com> | 2023-08-17 08:45:46 +0200 |
---|---|---|
committer | Joas Schilling <coding@schilljs.com> | 2023-08-23 06:44:08 +0200 |
commit | 866a8a236861a5d1dff26458da04637099877e5e (patch) | |
tree | 46d297ea0aab84424fca9ca6d27ab1712eea124b | |
parent | 759fc11f39839801e75a46ea619508b587448727 (diff) | |
download | nextcloud-server-866a8a236861a5d1dff26458da04637099877e5e.tar.gz nextcloud-server-866a8a236861a5d1dff26458da04637099877e5e.zip |
feat(admin): Show an error when the admin is throttled
Signed-off-by: Joas Schilling <coding@schilljs.com>
-rw-r--r-- | apps/settings/lib/Controller/CheckSetupController.php | 7 | ||||
-rw-r--r-- | apps/settings/tests/Controller/CheckSetupControllerTest.php | 8 | ||||
-rw-r--r-- | core/js/setupchecks.js | 8 | ||||
-rw-r--r-- | core/js/tests/specs/setupchecksSpec.js | 61 |
4 files changed, 84 insertions, 0 deletions
diff --git a/apps/settings/lib/Controller/CheckSetupController.php b/apps/settings/lib/Controller/CheckSetupController.php
index a55596358e5..29ef0343399 100644
--- a/apps/settings/lib/Controller/CheckSetupController.php
+++ b/apps/settings/lib/Controller/CheckSetupController.php
@@ -86,6 +86,7 @@ use OCP\ITempManager;
 use OCP\IURLGenerator;
 use OCP\Lock\ILockingProvider;
 use OCP\Notification\IManager;
+use OCP\Security\Bruteforce\IThrottler;
 use OCP\Security\ISecureRandom;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
@@ -122,6 +123,8 @@ class CheckSetupController extends Controller {
 private $iniGetWrapper;
 /** @var IDBConnection */
 private $connection;
+ /** @var IThrottler */
+ private $throttler;
 /** @var ITempManager */
 private $tempManager;
 /** @var IManager */
@@ -148,6 +151,7 @@ class CheckSetupController extends Controller {
 ISecureRandom $secureRandom,
 IniGetWrapper $iniGetWrapper,
 IDBConnection $connection,
+ IThrottler $throttler,
 ITempManager $tempManager,
 IManager $manager,
 IAppManager $appManager,
@@ -163,6 +167,7 @@ class CheckSetupController extends Controller {
 $this->eventDispatcher = $eventDispatcher;
 $this->dispatcher = $dispatcher;
 $this->db = $db;
+ $this->throttler = $throttler;
 $this->lockingProvider = $lockingProvider;
 $this->dateTimeFormatter = $dateTimeFormatter;
 $this->memoryInfo = $memoryInfo;
@@ -909,6 +914,8 @@ Raw output
 'cronInfo' => $this->getLastCronInfo(),
 'cronErrors' => $this->getCronErrors(),
 'isFairUseOfFreePushService' => $this->isFairUseOfFreePushService(),
+ 'isBruteforceThrottled' => $this->throttler->getAttempts($this->request->getRemoteAddress()) !== 0,
+ 'bruteforceRemoteAddress' => $this->request->getRemoteAddress(),
 'serverHasInternetConnectionProblems' => $this->hasInternetConnectivityProblems(),
 'isMemcacheConfigured' => $this->isMemcacheConfigured(),
 'memcacheDocs' => $this->urlGenerator->linkToDocs('admin-performance'),
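Review bot: In the @@ -909 hunk the remote address is read twice and the "throttled" flag is derived from `getAttempts(...) !== 0`; reading the address into a local once and saying why it is echoed back would make the intent clear to the next maintainer. Suggested: `$remoteAddress = $this->request->getRemoteAddress();` before the array, then `'isBruteforceThrottled' => $this->throttler->getAttempts($remoteAddress) !== 0,` and `'bruteforceRemoteAddress' => $remoteAddress,`, with a comment such as `// Echoed to the admin so a misconfigured proxy (all clients sharing one address) is visible`. As far as I recall IThrottler also exposes `getDelay()`, which reflects the backoff actually applied rather than the raw attempt count within the default look-back window; if "currently slowed down" is the intended signal that would be the more direct check, but confirm against the interface before switching. The surrounding check() method starts and ends outside this hunk.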
diff --git a/apps/settings/tests/Controller/CheckSetupControllerTest.php b/apps/settings/tests/Controller/CheckSetupControllerTest.php
index 390166cb947..2d2d43434b1 100644
--- a/apps/settings/tests/Controller/CheckSetupControllerTest.php
+++ b/apps/settings/tests/Controller/CheckSetupControllerTest.php
@@ -59,6 +59,7 @@ use OCP\ITempManager;
 use OCP\IURLGenerator;
 use OCP\Lock\ILockingProvider;
 use OCP\Notification\IManager;
+use OCP\Security\Bruteforce\IThrottler;
 use PHPUnit\Framework\MockObject\MockObject;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Log\LoggerInterface;
@@ -148,6 +149,7 @@ class CheckSetupControllerTest extends TestCase {
 $this->logger = $this->getMockBuilder(LoggerInterface::class)->getMock();
 $this->db = $this->getMockBuilder(Connection::class)
 ->disableOriginalConstructor()->getMock();
+ $this->throttler = $this->createMock(IThrottler::class);
 $this->lockingProvider = $this->getMockBuilder(ILockingProvider::class)->getMock();
 $this->dateTimeFormatter = $this->getMockBuilder(IDateTimeFormatter::class)->getMock();
 $this->memoryInfo = $this->getMockBuilder(MemoryInfo::class)
@@ -180,6 +182,7 @@ class CheckSetupControllerTest extends TestCase {
 $this->secureRandom,
 $this->iniGetWrapper,
 $this->connection,
+ $this->throttler,
 $this->tempManager,
 $this->notificationManager,
 $this->appManager,
@@ -665,6 +668,8 @@ class CheckSetupControllerTest extends TestCase {
 'isFairUseOfFreePushService' => false,
 'temporaryDirectoryWritable' => false,
 \OCA\Settings\SetupChecks\LdapInvalidUuids::class => ['pass' => true, 'description' => 'Invalid UUIDs of LDAP users or groups have been found. Please review your "Override UUID detection" settings in the Expert part of the LDAP configuration and use "occ ldap:update-uuid" to update them.', 'severity' => 'warning'],
+ 'isBruteforceThrottled' => false,
+ 'bruteforceRemoteAddress' => '',
 ]
 );
 $this->assertEquals($expected, $this->checkSetupController->check());
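Review bot: The expectations added in the @@ -665 hunk only cover the unthrottled path: the IThrottler mock created in setUp returns its typed default (0) from getAttempts(), so `isBruteforceThrottled` is never observed as true and an inverted `!== 0` comparison in the controller would still pass this test. A second case configuring `$this->throttler->method('getAttempts')->willReturn(3);` together with a remote address on the request mock, and expecting `'isBruteforceThrottled' => true` plus that address in `'bruteforceRemoteAddress'`, would pin the behaviour the commit is actually adding; this assumes the request collaborator is a mock like the others in setUp, which the hunk does not show. The enclosing test method starts outside this hunk.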
@@ -690,6 +695,7 @@ class CheckSetupControllerTest extends TestCase {
 $this->secureRandom,
 $this->iniGetWrapper,
 $this->connection,
+ $this->throttler,
 $this->tempManager,
 $this->notificationManager,
 $this->appManager,
@@ -1455,6 +1461,7 @@ Array
 $this->secureRandom,
 $this->iniGetWrapper,
 $this->connection,
+ $this->throttler,
 $this->tempManager,
 $this->notificationManager,
 $this->appManager,
@@ -1510,6 +1517,7 @@ Array
 $this->secureRandom,
 $this->iniGetWrapper,
 $this->connection,
+ $this->throttler,
 $this->tempManager,
 $this->notificationManager,
 $this->appManager,
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index 4fb020e44a3..c3e892de294 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -215,6 +215,14 @@
 type: OC.SetupChecks.MESSAGE_TYPE_INFO
 });
 }
+ if (data.isBruteforceThrottled) {
+ messages.push({
+ msg: t('core', 'Your remote address was identified as "{remoteAddress}" and is bruteforce throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly. Further information can be found in the {linkstart}documentation ↗{linkend}.', { remoteAddress: data.bruteforceRemoteAddress })
+ .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="' + data.reverseProxyDocs + '">')
+ .replace('{linkend}', '</a>'),
+ type: OC.SetupChecks.MESSAGE_TYPE_ERROR
+ });
+ }
 if(!data.hasWorkingFileLocking) {
 messages.push({
 msg: t('core', 'Transactional file locking is disabled, this might lead to issues with race conditions. Enable "filelocking.enabled" in config.php to avoid these problems. See the {linkstart}documentation ↗{linkend} for more information.')
diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js
index 43f42d2610e..163a21c46a7 100644
--- a/core/js/tests/specs/setupchecksSpec.js
+++ b/core/js/tests/specs/setupchecksSpec.js
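Review bot: In the setupchecks.js hunk two server values end up inside HTML: `data.bruteforceRemoteAddress` via the `{remoteAddress}` placeholder of `t()`, and `data.reverseProxyDocs` concatenated straight into the `href`. The first is request-derived data echoed back by the controller, so the message is safe only because `t()` HTML-escapes substituted vars by default (as far as I know it does); that dependency deserves a one-line comment such as `// remoteAddress is escaped by t(); only the server-generated docs URL is inserted raw`. The raw `href` concatenation matches the neighbouring messages in this file and is acceptable because reverseProxyDocs comes from the server's URL generator rather than the client, but note that `isBruteforceThrottled` is the only field this commit adds, so the link silently depends on the controller continuing to emit reverseProxyDocs.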
@@ -814,6 +814,67 @@ describe('OC.SetupChecks tests', function() {
 });
 });
 
+ it('should return an error if the admin IP is bruteforce throttled', function(done) {
+ var async = OC.SetupChecks.checkSetup();
+
+ suite.server.requests[0].respond(
+ 200,
+ {
+ 'Content-Type': 'application/json',
+ },
+ JSON.stringify({
+ hasFileinfoInstalled: true,
+ isGetenvServerWorking: true,
+ isReadOnlyConfig: false,
+ wasEmailTestSuccessful: true,
+ hasWorkingFileLocking: true,
+ hasDBFileLocking: false,
+ hasValidTransactionIsolationLevel: true,
+ suggestedOverwriteCliURL: '',
+ isRandomnessSecure: true,
+ isFairUseOfFreePushService: true,
+ isBruteforceThrottled: true,
+ bruteforceRemoteAddress: '::1',
+ serverHasInternetConnectionProblems: false,
+ isMemcacheConfigured: true,
+ forwardedForHeadersWorking: true,
+ reverseProxyDocs: 'https://docs.nextcloud.com/foo/bar.html',
+ isCorrectMemcachedPHPModuleInstalled: true,
+ hasPassedCodeIntegrityCheck: true,
+ OpcacheSetupRecommendations: [],
+ isSettimelimitAvailable: true,
+ hasFreeTypeSupport: true,
+ missingIndexes: [],
+ missingPrimaryKeys: [],
+ missingColumns: [],
+ cronErrors: [],
+ cronInfo: {
+ diffInSeconds: 0
+ },
+ isMemoryLimitSufficient: true,
+ appDirsWithDifferentOwner: [],
+ isImagickEnabled: true,
+ areWebauthnExtensionsEnabled: true,
+ is64bit: true,
+ recommendedPHPModules: [],
+ pendingBigIntConversionColumns: [],
+ isMysqlUsedWithoutUTF8MB4: false,
+ isDefaultPhoneRegionSet: true,
+ isEnoughTempSpaceAvailableIfS3PrimaryStorageIsUsed: true,
+ reverseProxyGeneratedURL: 'https://server',
+ temporaryDirectoryWritable: true,
+ })
+ );
+
+ async.done(function( data, s, x ){
+ expect(data).toEqual([{
+ msg: 'Your remote address was identified as "::1" and is bruteforce throttled at the moment slowing down the performance of various requests. If the remote address is not your address this can be an indication that a proxy is not configured correctly. Further information can be found in the <a target="_blank" rel="noreferrer noopener" class="external" href="https://docs.nextcloud.com/foo/bar.html">documentation ↗</a>.',
+ type: OC.SetupChecks.MESSAGE_TYPE_ERROR
+ }]);
+ done();
+ });
+ });
+
 it('should return an error if set_time_limit is unavailable', function(done) {
 var async = OC.SetupChecks.checkSetup();
 