diff options
| author | Lukas Reschke <lukas@statuscode.ch> | 2017-04-12 20:32:48 +0200 |
|---|---|---|
| committer | Lukas Reschke <lukas@statuscode.ch> | 2017-04-13 12:00:16 +0200 |
| commit | 66835476b59b8be7593d4cfa03a51c4f265d7e26 (patch) | |
| tree | 91770c8fe403da25af50e6336727ab55fe57cd27 /lib | |
| parent | 5505faa3d7b6f5a95f18fe5027355d700d69f396 (diff) | |
| download | nextcloud-server-66835476b59b8be7593d4cfa03a51c4f265d7e26.tar.gz nextcloud-server-66835476b59b8be7593d4cfa03a51c4f265d7e26.zip | |
Add support for ratelimiting via annotations
This allows adding rate limiting via annotations to controllers, as one example:
```
@UserRateThrottle(limit=5, period=100)
@AnonRateThrottle(limit=1, period=100)
```
Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'lib')
9 files changed, 483 insertions, 108 deletions
diff --git a/lib/private/AppFramework/DependencyInjection/DIContainer.php b/lib/private/AppFramework/DependencyInjection/DIContainer.php index 4fb13b09ae0..a414772c4d6 100644 --- a/lib/private/AppFramework/DependencyInjection/DIContainer.php +++ b/lib/private/AppFramework/DependencyInjection/DIContainer.php @@ -53,11 +53,13 @@ use OCP\AppFramework\QueryException; use OCP\Files\Folder; use OCP\Files\IAppData; use OCP\IL10N; +use OCP\IMemcache; use OCP\IRequest; use OCP\IServerContainer; use OCP\IUserSession; use OCP\RichObjectStrings\IValidator; use OCP\Util; +use SearchDAV\XML\Limit; class DIContainer extends SimpleContainer implements IAppContainer { @@ -162,6 +164,22 @@ class DIContainer extends SimpleContainer implements IAppContainer { return $c->query(Validator::class); }); + $this->registerService(OC\Security\RateLimiting\Limiter::class, function($c) { + return new OC\Security\RateLimiting\Limiter( + $this->getServer()->getUserSession(), + $this->getServer()->getRequest(), + new OC\AppFramework\Utility\TimeFactory(), + $c->query(OC\Security\RateLimiting\Backend\IBackend::class) + ); + }); + + $this->registerService(OC\Security\RateLimiting\Backend\IBackend::class, function($c) { + return new OC\Security\RateLimiting\Backend\MemoryCache( + $this->getServer()->getMemCacheFactory(), + new OC\AppFramework\Utility\TimeFactory() + ); + }); + $this->registerService(\OC\Security\IdentityProof\Manager::class, function ($c) { return new \OC\Security\IdentityProof\Manager( $this->getServer()->getAppDataDir('identityproof'), @@ -169,7 +187,6 @@ class DIContainer extends SimpleContainer implements IAppContainer { ); }); - /** * App Framework APIs */ @@ -220,12 +237,13 @@ class DIContainer extends SimpleContainer implements IAppContainer { $server->getLogger(), $server->getSession(), $c['AppName'], - $app->isLoggedIn(), + $server->getUserSession(), $app->isAdminUser(), $server->getContentSecurityPolicyManager(), $server->getCsrfTokenManager(), $server->getContentSecurityPolicyNonceManager(), - $server->getBruteForceThrottler() + $server->getBruteForceThrottler(), + $c->query(OC\Security\RateLimiting\Limiter::class) ); }); diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php index edba6a3e759..d8bbe84c86e 100644 --- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php @@ -26,7 +26,6 @@ * */ - namespace OC\AppFramework\Middleware\Security; use OC\AppFramework\Middleware\Security\Exceptions\AppNotEnabledException; @@ -40,6 +39,7 @@ use OC\Security\Bruteforce\Throttler; use OC\Security\CSP\ContentSecurityPolicyManager; use OC\Security\CSP\ContentSecurityPolicyNonceManager; use OC\Security\CSRF\CsrfTokenManager; +use OC\Security\RateLimiting\Limiter; use OCP\AppFramework\Http\ContentSecurityPolicy; use OCP\AppFramework\Http\EmptyContentSecurityPolicy; use OCP\AppFramework\Http\RedirectResponse; @@ -54,6 +54,7 @@ use OCP\IURLGenerator; use OCP\IRequest; use OCP\ILogger; use OCP\AppFramework\Controller; +use OCP\IUserSession; use OCP\Util; use OC\AppFramework\Middleware\Security\Exceptions\SecurityException; @@ -78,8 +79,8 @@ class SecurityMiddleware extends Middleware { private $logger; /** @var ISession */ private $session; - /** @var bool */ - private $isLoggedIn; + /** @var IUserSession */ + private $userSession; /** @var bool */ private $isAdminUser; /** @var ContentSecurityPolicyManager */ @@ -90,6 +91,8 @@ class SecurityMiddleware extends Middleware { private $cspNonceManager; /** @var Throttler */ private $throttler; + /** @var Limiter */ + private $limiter; /** * @param IRequest $request @@ -99,12 +102,13 @@ class SecurityMiddleware extends Middleware { * @param ILogger $logger * @param ISession $session * @param string $appName - * @param bool $isLoggedIn + * @param IUserSession $userSession * @param bool $isAdminUser * @param ContentSecurityPolicyManager $contentSecurityPolicyManager * @param CSRFTokenManager $csrfTokenManager * @param ContentSecurityPolicyNonceManager $cspNonceManager * @param Throttler $throttler + * @param Limiter $limiter */ public function __construct(IRequest $request, ControllerMethodReflector $reflector, @@ -113,12 +117,13 @@ class SecurityMiddleware extends Middleware { ILogger $logger, ISession $session, $appName, - $isLoggedIn, + IUserSession $userSession, $isAdminUser, ContentSecurityPolicyManager $contentSecurityPolicyManager, CsrfTokenManager $csrfTokenManager, ContentSecurityPolicyNonceManager $cspNonceManager, - Throttler $throttler) { + Throttler $throttler, + Limiter $limiter) { $this->navigationManager = $navigationManager; $this->request = $request; $this->reflector = $reflector; @@ -126,15 +131,15 @@ class SecurityMiddleware extends Middleware { $this->urlGenerator = $urlGenerator; $this->logger = $logger; $this->session = $session; - $this->isLoggedIn = $isLoggedIn; + $this->userSession = $userSession; $this->isAdminUser = $isAdminUser; $this->contentSecurityPolicyManager = $contentSecurityPolicyManager; $this->csrfTokenManager = $csrfTokenManager; $this->cspNonceManager = $cspNonceManager; $this->throttler = $throttler; + $this->limiter = $limiter; } - /** * This runs all the security checks before a method call. The * security checks are determined by inspecting the controller method @@ -152,7 +157,7 @@ class SecurityMiddleware extends Middleware { // security checks $isPublicPage = $this->reflector->hasAnnotation('PublicPage'); if(!$isPublicPage) { - if(!$this->isLoggedIn) { + if(!$this->userSession->isLoggedIn()) { throw new NotLoggedInException(); } @@ -191,8 +196,29 @@ class SecurityMiddleware extends Middleware { } } + $anonLimit = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'limit'); + $anonPeriod = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'period'); + $userLimit = $this->reflector->getAnnotationParameter('UserRateThrottle', 'limit'); + $userPeriod = $this->reflector->getAnnotationParameter('UserRateThrottle', 'period'); + $rateLimitIdentifier = get_class($controller) . '::' . $methodName; + if($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) { + $this->limiter->registerUserRequest( + $rateLimitIdentifier, + $userLimit, + $userPeriod, + $this->userSession->getUser() + ); + } elseif ($anonLimit !== '' && $anonPeriod !== '') { + $this->limiter->registerAnonRequest( + $rateLimitIdentifier, + $anonLimit, + $anonPeriod, + $this->request->getRemoteAddress() + ); + } + if($this->reflector->hasAnnotation('BruteForceProtection')) { - $action = $this->reflector->getAnnotationParameter('BruteForceProtection'); + $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action'); $this->throttler->sleepDelay($this->request->getRemoteAddress(), $action); $this->throttler->registerAttempt($action, $this->request->getRemoteAddress()); } @@ -206,7 +232,6 @@ class SecurityMiddleware extends Middleware { if(\OC_App::getAppPath($this->appName) !== false && !\OC_App::isEnabled($this->appName)) { throw new AppNotEnabledException(); } - } /** diff --git a/lib/private/AppFramework/Utility/ControllerMethodReflector.php b/lib/private/AppFramework/Utility/ControllerMethodReflector.php index 034fc3a1759..19eafdb25ac 100644 --- a/lib/private/AppFramework/Utility/ControllerMethodReflector.php +++ b/lib/private/AppFramework/Utility/ControllerMethodReflector.php @@ -24,27 +24,17 @@ * */ - namespace OC\AppFramework\Utility; use \OCP\AppFramework\Utility\IControllerMethodReflector; - /** * Reads and parses annotations from doc comments */ -class ControllerMethodReflector implements IControllerMethodReflector{ - - private $annotations; - private $types; - private $parameters; - - public function __construct() { - $this->types = array(); - $this->parameters = array(); - $this->annotations = array(); - } - +class ControllerMethodReflector implements IControllerMethodReflector { + public $annotations = []; + private $types = []; + private $parameters = []; /** * @param object $object an object or classname @@ -55,9 +45,21 @@ class ControllerMethodReflector implements IControllerMethodReflector{ $docs = $reflection->getDocComment(); // extract everything prefixed by @ and first letter uppercase - preg_match_all('/^\h+\*\h+@(?P<annotation>[A-Z]\w+)(\h+(?P<parameter>\w+))?$/m', $docs, $matches); + preg_match_all('/^\h+\*\h+@(?P<annotation>[A-Z]\w+)((?P<parameter>.*))?$/m', $docs, $matches); foreach($matches['annotation'] as $key => $annontation) { - $this->annotations[$annontation] = $matches['parameter'][$key]; + $annotationValue = $matches['parameter'][$key]; + if($annotationValue[0] === '(' && $annotationValue[strlen($annotationValue) - 1] === ')') { + $cutString = substr($annotationValue, 1, -1); + $cutString = str_replace(' ', '', $cutString); + $splittedArray = explode(',', $cutString); + foreach($splittedArray as $annotationValues) { + list($key, $value) = explode('=', $annotationValues); + $this->annotations[$annontation][$key] = $value; + } + continue; + } + + $this->annotations[$annontation] = [$annotationValue]; } // extract type parameter information @@ -83,7 +85,6 @@ class ControllerMethodReflector implements IControllerMethodReflector{ } } - /** * Inspects the PHPDoc parameters for types * @param string $parameter the parameter whose type comments should be @@ -99,7 +100,6 @@ class ControllerMethodReflector implements IControllerMethodReflector{ } } - /** * @return array the arguments of the method with key => default value */ @@ -107,30 +107,27 @@ class ControllerMethodReflector implements IControllerMethodReflector{ return $this->parameters; } - /** * Check if a method contains an annotation * @param string $name the name of the annotation * @return bool true if the annotation is found */ - public function hasAnnotation($name){ + public function hasAnnotation($name) { return array_key_exists($name, $this->annotations); } - /** - * Get optional annotation parameter + * Get optional annotation parameter by key + * * @param string $name the name of the annotation + * @param string $key the string of the annotation * @return string */ - public function getAnnotationParameter($name){ - $parameter = ''; - if($this->hasAnnotation($name)) { - $parameter = $this->annotations[$name]; + public function getAnnotationParameter($name, $key) { + if(isset($this->annotations[$name][$key])) { + return $this->annotations[$name][$key]; } - return $parameter; + return ''; } - - } diff --git a/lib/private/Security/Bruteforce/Throttler.php b/lib/private/Security/Bruteforce/Throttler.php index 73a27b677b0..b2524b63c63 100644 --- a/lib/private/Security/Bruteforce/Throttler.php +++ b/lib/private/Security/Bruteforce/Throttler.php @@ -23,6 +23,7 @@ namespace OC\Security\Bruteforce; +use OC\Security\Normalizer\IpAddress; use OCP\AppFramework\Utility\ITimeFactory; use OCP\IConfig; use OCP\IDBConnection; @@ -83,67 +84,6 @@ class Throttler { } /** - * Return the given subnet for an IPv4 address and mask bits - * - * @param string $ip - * @param int $maskBits - * @return string - */ - private function getIPv4Subnet($ip, - $maskBits = 32) { - $binary = \inet_pton($ip); - for ($i = 32; $i > $maskBits; $i -= 8) { - $j = \intdiv($i, 8) - 1; - $k = (int) \min(8, $i - $maskBits); - $mask = (0xff - ((pow(2, $k)) - 1)); - $int = \unpack('C', $binary[$j]); - $binary[$j] = \pack('C', $int[1] & $mask); - } - return \inet_ntop($binary).'/'.$maskBits; - } - - /** - * Return the given subnet for an IPv6 address and mask bits - * - * @param string $ip - * @param int $maskBits - * @return string - */ - private function getIPv6Subnet($ip, $maskBits = 48) { - $binary = \inet_pton($ip); - for ($i = 128; $i > $maskBits; $i -= 8) { - $j = \intdiv($i, 8) - 1; - $k = (int) \min(8, $i - $maskBits); - $mask = (0xff - ((pow(2, $k)) - 1)); - $int = \unpack('C', $binary[$j]); - $binary[$j] = \pack('C', $int[1] & $mask); - } - return \inet_ntop($binary).'/'.$maskBits; - } - - /** - * Return the given subnet for an IP and the configured mask bits - * - * Determine if the IP is an IPv4 or IPv6 address, then pass to the correct - * method for handling that specific type. - * - * @param string $ip - * @return string - */ - private function getSubnet($ip) { - if (\preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $ip)) { - return $this->getIPv4Subnet( - $ip, - 32 - ); - } - return $this->getIPv6Subnet( - $ip, - 128 - ); - } - - /** * Register a failed attempt to bruteforce a security control * * @param string $action @@ -158,11 +98,12 @@ class Throttler { return; } + $ipAddress = new IpAddress($ip); $values = [ 'action' => $action, 'occurred' => $this->timeFactory->getTime(), - 'ip' => $ip, - 'subnet' => $this->getSubnet($ip), + 'ip' => (string)$ipAddress, + 'subnet' => $ipAddress->getSubnet(), 'metadata' => json_encode($metadata), ]; @@ -254,7 +195,8 @@ class Throttler { * @return int */ public function getDelay($ip, $action = '') { - if ($this->isIPWhitelisted($ip)) { + $ipAddress = new IpAddress($ip); + if ($this->isIPWhitelisted((string)$ipAddress)) { return 0; } @@ -266,7 +208,7 @@ class Throttler { $qb->select('*') ->from('bruteforce_attempts') ->where($qb->expr()->gt('occurred', $qb->createNamedParameter($cutoffTime))) - ->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($this->getSubnet($ip)))); + ->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($ipAddress->getSubnet()))); if ($action !== '') { $qb->andWhere($qb->expr()->eq('action', $qb->createNamedParameter($action))); diff --git a/lib/private/Security/Normalizer/IpAddress.php b/lib/private/Security/Normalizer/IpAddress.php new file mode 100644 index 00000000000..c44a5556678 --- /dev/null +++ b/lib/private/Security/Normalizer/IpAddress.php @@ -0,0 +1,106 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OC\Security\Normalizer; + +/** + * Class IpAddress is used for normalizing IPv4 and IPv6 addresses in security + * relevant contexts in Nextcloud. + * + * @package OC\Security\Normalizer + */ +class IpAddress { + /** @var string */ + private $ip; + + /** + * @param string $ip IP to normalized + */ + public function __construct($ip) { + $this->ip = $ip; + } + + /** + * Return the given subnet for an IPv4 address and mask bits + * + * @param string $ip + * @param int $maskBits + * @return string + */ + private function getIPv4Subnet($ip, + $maskBits = 32) { + $binary = \inet_pton($ip); + for ($i = 32; $i > $maskBits; $i -= 8) { + $j = \intdiv($i, 8) - 1; + $k = (int) \min(8, $i - $maskBits); + $mask = (0xff - ((pow(2, $k)) - 1)); + $int = \unpack('C', $binary[$j]); + $binary[$j] = \pack('C', $int[1] & $mask); + } + return \inet_ntop($binary).'/'.$maskBits; + } + + /** + * Return the given subnet for an IPv6 address and mask bits + * + * @param string $ip + * @param int $maskBits + * @return string + */ + private function getIPv6Subnet($ip, $maskBits = 48) { + $binary = \inet_pton($ip); + for ($i = 128; $i > $maskBits; $i -= 8) { + $j = \intdiv($i, 8) - 1; + $k = (int) \min(8, $i - $maskBits); + $mask = (0xff - ((pow(2, $k)) - 1)); + $int = \unpack('C', $binary[$j]); + $binary[$j] = \pack('C', $int[1] & $mask); + } + return \inet_ntop($binary).'/'.$maskBits; + } + + /** + * Gets either the /32 (IPv4) or the /128 (IPv6) subnet of an IP address + * + * @return string + */ + public function getSubnet() { + if (\preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $this->ip)) { + return $this->getIPv4Subnet( + $this->ip, + 32 + ); + } + return $this->getIPv6Subnet( + $this->ip, + 128 + ); + } + + /** + * Returns the specified IP address + * + * @return string + */ + public function __toString() { + return $this->ip; + } +} diff --git a/lib/private/Security/RateLimiting/Backend/IBackend.php b/lib/private/Security/RateLimiting/Backend/IBackend.php new file mode 100644 index 00000000000..092c0e7bb8a --- /dev/null +++ b/lib/private/Security/RateLimiting/Backend/IBackend.php @@ -0,0 +1,50 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OC\Security\RateLimiting\Backend; + +/** + * Interface IBackend defines a storage backend for the rate limiting data. It + * should be noted that writing and reading rate limiting data is an expensive + * operation and one should thus make sure to only use sufficient fast backends. + * + * @package OC\Security\RateLimiting\Backend + */ +interface IBackend { + /** + * Gets the amount of attempts within the last specified seconds + * + * @param string $methodIdentifier + * @param string $userIdentifier + * @param int $seconds + * @return int + */ + public function getAttempts($methodIdentifier, $userIdentifier, $seconds); + + /** + * Registers an attempt + * + * @param string $methodIdentifier + * @param string $userIdentifier + * @param int $timestamp + */ + public function registerAttempt($methodIdentifier, $userIdentifier, $timestamp); +} diff --git a/lib/private/Security/RateLimiting/Backend/MemoryCache.php b/lib/private/Security/RateLimiting/Backend/MemoryCache.php new file mode 100644 index 00000000000..a0c53335bcf --- /dev/null +++ b/lib/private/Security/RateLimiting/Backend/MemoryCache.php @@ -0,0 +1,100 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OC\Security\RateLimiting\Backend; + +use OCP\AppFramework\Utility\ITimeFactory; +use OCP\ICache; +use OCP\ICacheFactory; + +/** + * Class MemoryCache uses the configured distributed memory cache for storing + * rate limiting data. + * + * @package OC\Security\RateLimiting\Backend + */ +class MemoryCache implements IBackend { + /** @var ICache */ + private $cache; + /** @var ITimeFactory */ + private $timeFactory; + + /** + * @param ICacheFactory $cacheFactory + * @param ITimeFactory $timeFactory + */ + public function __construct(ICacheFactory $cacheFactory, + ITimeFactory $timeFactory) { + $this->cache = $cacheFactory->create(__CLASS__); + $this->timeFactory = $timeFactory; + } + + /** + * @param string $methodIdentifier + * @param string $userIdentifier + * @return string + */ + private function hash($methodIdentifier, $userIdentifier) { + return hash('sha512', $methodIdentifier . $userIdentifier); + } + + /** + * @param string $identifier + * @return array + */ + private function getExistingAttempts($identifier) { + $cachedAttempts = json_decode($this->cache->get($identifier), true); + if(is_array($cachedAttempts)) { + return $cachedAttempts; + } + + return []; + } + + /** + * {@inheritDoc} + */ + public function getAttempts($methodIdentifier, $userIdentifier, $seconds) { + $identifier = $this->hash($methodIdentifier, $userIdentifier); + $existingAttempts = $this->getExistingAttempts($identifier); + + $count = 0; + $currentTime = $this->timeFactory->getTime(); + /** @var array $existingAttempts */ + foreach ($existingAttempts as $attempt) { + if(($attempt + $seconds) > $currentTime) { + $count++; + } + } + + return $count; + } + + /** + * {@inheritDoc} + */ + public function registerAttempt($methodIdentifier, $userIdentifier, $timestamp) { + $identifier = $this->hash($methodIdentifier, $userIdentifier); + $existingAttempts = $this->getExistingAttempts($identifier); + $existingAttempts[] = (string)$timestamp; + $this->cache->set($identifier, json_encode($existingAttempts)); + } +} diff --git a/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php b/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php new file mode 100644 index 00000000000..34cbec31c73 --- /dev/null +++ b/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php @@ -0,0 +1,31 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OC\Security\RateLimiting\Exception; + +use OC\AppFramework\Middleware\Security\Exceptions\SecurityException; +use OCP\AppFramework\Http; + +class RateLimitExceededException extends SecurityException { + public function __construct() { + parent::__construct('Rate limit exceeded', Http::STATUS_TOO_MANY_REQUESTS); + } +} diff --git a/lib/private/Security/RateLimiting/Limiter.php b/lib/private/Security/RateLimiting/Limiter.php new file mode 100644 index 00000000000..5c084eb934b --- /dev/null +++ b/lib/private/Security/RateLimiting/Limiter.php @@ -0,0 +1,106 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OC\Security\RateLimiting; + +use OC\Security\Normalizer\IpAddress; +use OC\Security\RateLimiting\Backend\IBackend; +use OC\Security\RateLimiting\Exception\RateLimitExceededException; +use OCP\AppFramework\Utility\ITimeFactory; +use OCP\IRequest; +use OCP\IUser; +use OCP\IUserSession; + +class Limiter { + /** @var IBackend */ + private $backend; + /** @var ITimeFactory */ + private $timeFactory; + + /** + * @param IUserSession $userSession + * @param IRequest $request + * @param ITimeFactory $timeFactory + * @param IBackend $backend + */ + public function __construct(IUserSession $userSession, + IRequest $request, + ITimeFactory $timeFactory, + IBackend $backend) { + $this->backend = $backend; + $this->timeFactory = $timeFactory; + } + + /** + * @param string $methodIdentifier + * @param string $userIdentifier + * @param int $period + * @param int $limit + * @throws RateLimitExceededException + */ + private function register($methodIdentifier, + $userIdentifier, + $period, + $limit) { + $existingAttempts = $this->backend->getAttempts($methodIdentifier, $userIdentifier, (int)$period); + if ($existingAttempts >= (int)$limit) { + throw new RateLimitExceededException(); + } + + $this->backend->registerAttempt($methodIdentifier, $userIdentifier, $this->timeFactory->getTime()); + } + + /** + * Registers attempt for an anonymous request + * + * @param string $identifier + * @param int $anonLimit + * @param int $anonPeriod + * @param string $ip + * @throws RateLimitExceededException + */ + public function registerAnonRequest($identifier, + $anonLimit, + $anonPeriod, + $ip) { + $ipSubnet = (new IpAddress($ip))->getSubnet(); + + $anonHashIdentifier = hash('sha512', 'anon::' . $identifier . $ipSubnet); + $this->register($identifier, $anonHashIdentifier, $anonPeriod, $anonLimit); + } + + /** + * Registers attempt for an authenticated request + * + * @param string $identifier + * @param int $userLimit + * @param int $userPeriod + * @param IUser $user + * @throws RateLimitExceededException + */ + public function registerUserRequest($identifier, + $userLimit, + $userPeriod, + IUser $user) { + $userHashIdentifier = hash('sha512', 'user::' . $identifier . $user->getUID()); + $this->register($identifier, $userHashIdentifier, $userPeriod, $userLimit); + } +} |