aboutsummaryrefslogtreecommitdiffstats
path: root/lib/private/Security/RateLimiting/Backend
diff options
context:
space:
mode:
Diffstat (limited to 'lib/private/Security/RateLimiting/Backend')
-rw-r--r--lib/private/Security/RateLimiting/Backend/DatabaseBackend.php84
-rw-r--r--lib/private/Security/RateLimiting/Backend/IBackend.php37
-rw-r--r--lib/private/Security/RateLimiting/Backend/MemoryCacheBackend.php78
3 files changed, 70 insertions, 129 deletions
diff --git a/lib/private/Security/RateLimiting/Backend/DatabaseBackend.php b/lib/private/Security/RateLimiting/Backend/DatabaseBackend.php
index ea4bd87d6cd..9fb237f2f72 100644
--- a/lib/private/Security/RateLimiting/Backend/DatabaseBackend.php
+++ b/lib/private/Security/RateLimiting/Backend/DatabaseBackend.php
@@ -3,77 +3,46 @@
declare(strict_types=1);
/**
- * @copyright Copyright (c) 2021 Lukas Reschke <lukas@statuscode.ch>
- *
- * @author Lukas Reschke <lukas@statuscode.ch>
- *
- * @license GNU AGPL version 3 or any later version
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
+ * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
*/
namespace OC\Security\RateLimiting\Backend;
use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\DB\Exception;
use OCP\DB\QueryBuilder\IQueryBuilder;
+use OCP\IConfig;
use OCP\IDBConnection;
class DatabaseBackend implements IBackend {
private const TABLE_NAME = 'ratelimit_entries';
- /** @var IDBConnection */
- private $dbConnection;
- /** @var ITimeFactory */
- private $timeFactory;
-
- /**
- * @param IDBConnection $dbConnection
- * @param ITimeFactory $timeFactory
- */
public function __construct(
- IDBConnection $dbConnection,
- ITimeFactory $timeFactory
+ private IConfig $config,
+ private IDBConnection $dbConnection,
+ private ITimeFactory $timeFactory,
) {
- $this->dbConnection = $dbConnection;
- $this->timeFactory = $timeFactory;
}
- /**
- * @param string $methodIdentifier
- * @param string $userIdentifier
- * @return string
- */
- private function hash(string $methodIdentifier,
- string $userIdentifier): string {
+ private function hash(
+ string $methodIdentifier,
+ string $userIdentifier,
+ ): string {
return hash('sha512', $methodIdentifier . $userIdentifier);
}
/**
- * @param string $identifier
- * @param int $seconds
- * @return int
- * @throws \OCP\DB\Exception
+ * @throws Exception
*/
private function getExistingAttemptCount(
- string $identifier
+ string $identifier,
): int {
$currentTime = $this->timeFactory->getDateTime();
$qb = $this->dbConnection->getQueryBuilder();
$qb->delete(self::TABLE_NAME)
->where(
- $qb->expr()->lte('delete_after', $qb->createNamedParameter($currentTime, IQueryBuilder::PARAM_DATE))
+ $qb->expr()->lte('delete_after', $qb->createNamedParameter($currentTime, IQueryBuilder::PARAM_DATETIME_MUTABLE))
)
->executeStatement();
@@ -94,8 +63,10 @@ class DatabaseBackend implements IBackend {
/**
* {@inheritDoc}
*/
- public function getAttempts(string $methodIdentifier,
- string $userIdentifier): int {
+ public function getAttempts(
+ string $methodIdentifier,
+ string $userIdentifier,
+ ): int {
$identifier = $this->hash($methodIdentifier, $userIdentifier);
return $this->getExistingAttemptCount($identifier);
}
@@ -103,9 +74,11 @@ class DatabaseBackend implements IBackend {
/**
* {@inheritDoc}
*/
- public function registerAttempt(string $methodIdentifier,
- string $userIdentifier,
- int $period) {
+ public function registerAttempt(
+ string $methodIdentifier,
+ string $userIdentifier,
+ int $period,
+ ): void {
$identifier = $this->hash($methodIdentifier, $userIdentifier);
$deleteAfter = $this->timeFactory->getDateTime()->add(new \DateInterval("PT{$period}S"));
@@ -114,8 +87,13 @@ class DatabaseBackend implements IBackend {
$qb->insert(self::TABLE_NAME)
->values([
'hash' => $qb->createNamedParameter($identifier, IQueryBuilder::PARAM_STR),
- 'delete_after' => $qb->createNamedParameter($deleteAfter, IQueryBuilder::PARAM_DATE),
- ])
- ->executeStatement();
+ 'delete_after' => $qb->createNamedParameter($deleteAfter, IQueryBuilder::PARAM_DATETIME_MUTABLE),
+ ]);
+
+ if (!$this->config->getSystemValueBool('ratelimit.protection.enabled', true)) {
+ return;
+ }
+
+ $qb->executeStatement();
}
}
diff --git a/lib/private/Security/RateLimiting/Backend/IBackend.php b/lib/private/Security/RateLimiting/Backend/IBackend.php
index 960bfd2d159..43eff5dcf02 100644
--- a/lib/private/Security/RateLimiting/Backend/IBackend.php
+++ b/lib/private/Security/RateLimiting/Backend/IBackend.php
@@ -3,26 +3,8 @@
declare(strict_types=1);
/**
- * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
- *
- * @author Lukas Reschke <lukas@statuscode.ch>
- * @author Roeland Jago Douma <roeland@famdouma.nl>
- *
- * @license GNU AGPL version 3 or any later version
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
+ * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
*/
namespace OC\Security\RateLimiting\Backend;
@@ -39,10 +21,11 @@ interface IBackend {
*
* @param string $methodIdentifier Identifier for the method
* @param string $userIdentifier Identifier for the user
- * @return int
*/
- public function getAttempts(string $methodIdentifier,
- string $userIdentifier): int;
+ public function getAttempts(
+ string $methodIdentifier,
+ string $userIdentifier,
+ ): int;
/**
* Registers an attempt
@@ -51,7 +34,9 @@ interface IBackend {
* @param string $userIdentifier Identifier for the user
* @param int $period Period in seconds how long this attempt should be stored
*/
- public function registerAttempt(string $methodIdentifier,
- string $userIdentifier,
- int $period);
+ public function registerAttempt(
+ string $methodIdentifier,
+ string $userIdentifier,
+ int $period,
+ );
}
diff --git a/lib/private/Security/RateLimiting/Backend/MemoryCacheBackend.php b/lib/private/Security/RateLimiting/Backend/MemoryCacheBackend.php
index f4880fb239c..4c33b49d05e 100644
--- a/lib/private/Security/RateLimiting/Backend/MemoryCacheBackend.php
+++ b/lib/private/Security/RateLimiting/Backend/MemoryCacheBackend.php
@@ -3,34 +3,15 @@
declare(strict_types=1);
/**
- * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
- *
- * @author Christoph Wurst <christoph@winzerhof-wurst.at>
- * @author Lukas Reschke <lukas@statuscode.ch>
- * @author Morris Jobke <hey@morrisjobke.de>
- * @author Roeland Jago Douma <roeland@famdouma.nl>
- *
- * @license GNU AGPL version 3 or any later version
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as
- * published by the Free Software Foundation, either version 3 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
+ * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
*/
namespace OC\Security\RateLimiting\Backend;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\ICache;
use OCP\ICacheFactory;
+use OCP\IConfig;
/**
* Class MemoryCacheBackend uses the configured distributed memory cache for storing
@@ -39,35 +20,23 @@ use OCP\ICacheFactory;
* @package OC\Security\RateLimiting\Backend
*/
class MemoryCacheBackend implements IBackend {
- /** @var ICache */
- private $cache;
- /** @var ITimeFactory */
- private $timeFactory;
+ private ICache $cache;
- /**
- * @param ICacheFactory $cacheFactory
- * @param ITimeFactory $timeFactory
- */
- public function __construct(ICacheFactory $cacheFactory,
- ITimeFactory $timeFactory) {
- $this->cache = $cacheFactory->createDistributed(__CLASS__);
- $this->timeFactory = $timeFactory;
+ public function __construct(
+ private IConfig $config,
+ ICacheFactory $cacheFactory,
+ private ITimeFactory $timeFactory,
+ ) {
+ $this->cache = $cacheFactory->createDistributed(self::class);
}
- /**
- * @param string $methodIdentifier
- * @param string $userIdentifier
- * @return string
- */
- private function hash(string $methodIdentifier,
- string $userIdentifier): string {
+ private function hash(
+ string $methodIdentifier,
+ string $userIdentifier,
+ ): string {
return hash('sha512', $methodIdentifier . $userIdentifier);
}
- /**
- * @param string $identifier
- * @return array
- */
private function getExistingAttempts(string $identifier): array {
$cachedAttempts = $this->cache->get($identifier);
if ($cachedAttempts === null) {
@@ -85,8 +54,10 @@ class MemoryCacheBackend implements IBackend {
/**
* {@inheritDoc}
*/
- public function getAttempts(string $methodIdentifier,
- string $userIdentifier): int {
+ public function getAttempts(
+ string $methodIdentifier,
+ string $userIdentifier,
+ ): int {
$identifier = $this->hash($methodIdentifier, $userIdentifier);
$existingAttempts = $this->getExistingAttempts($identifier);
@@ -104,9 +75,11 @@ class MemoryCacheBackend implements IBackend {
/**
* {@inheritDoc}
*/
- public function registerAttempt(string $methodIdentifier,
- string $userIdentifier,
- int $period) {
+ public function registerAttempt(
+ string $methodIdentifier,
+ string $userIdentifier,
+ int $period,
+ ): void {
$identifier = $this->hash($methodIdentifier, $userIdentifier);
$existingAttempts = $this->getExistingAttempts($identifier);
$currentTime = $this->timeFactory->getTime();
@@ -121,6 +94,11 @@ class MemoryCacheBackend implements IBackend {
// Store the new attempt
$existingAttempts[] = (string)($currentTime + $period);
+
+ if (!$this->config->getSystemValueBool('ratelimit.protection.enabled', true)) {
+ return;
+ }
+
$this->cache->set($identifier, json_encode($existingAttempts));
}
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-16 07:14:59 +0000