diff options
Diffstat (limited to 'lib/private/Security/RateLimiting')
5 files changed, 106 insertions, 199 deletions
diff --git a/lib/private/Security/RateLimiting/Backend/DatabaseBackend.php b/lib/private/Security/RateLimiting/Backend/DatabaseBackend.php index ea4bd87d6cd..9fb237f2f72 100644 --- a/lib/private/Security/RateLimiting/Backend/DatabaseBackend.php +++ b/lib/private/Security/RateLimiting/Backend/DatabaseBackend.php @@ -3,77 +3,46 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2021 Lukas Reschke <lukas@statuscode.ch> - * - * @author Lukas Reschke <lukas@statuscode.ch> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OC\Security\RateLimiting\Backend; use OCP\AppFramework\Utility\ITimeFactory; +use OCP\DB\Exception; use OCP\DB\QueryBuilder\IQueryBuilder; +use OCP\IConfig; use OCP\IDBConnection; class DatabaseBackend implements IBackend { private const TABLE_NAME = 'ratelimit_entries'; - /** @var IDBConnection */ - private $dbConnection; - /** @var ITimeFactory */ - private $timeFactory; - - /** - * @param IDBConnection $dbConnection - * @param ITimeFactory $timeFactory - */ public function __construct( - IDBConnection $dbConnection, - ITimeFactory $timeFactory + private IConfig $config, + private IDBConnection $dbConnection, + private ITimeFactory $timeFactory, ) { - $this->dbConnection = $dbConnection; - $this->timeFactory = $timeFactory; } - /** - * @param string $methodIdentifier - * @param string $userIdentifier - * @return string - */ - private function hash(string $methodIdentifier, - string $userIdentifier): string { + private function hash( + string $methodIdentifier, + string $userIdentifier, + ): string { return hash('sha512', $methodIdentifier . $userIdentifier); } /** - * @param string $identifier - * @param int $seconds - * @return int - * @throws \OCP\DB\Exception + * @throws Exception */ private function getExistingAttemptCount( - string $identifier + string $identifier, ): int { $currentTime = $this->timeFactory->getDateTime(); $qb = $this->dbConnection->getQueryBuilder(); $qb->delete(self::TABLE_NAME) ->where( - $qb->expr()->lte('delete_after', $qb->createNamedParameter($currentTime, IQueryBuilder::PARAM_DATE)) + $qb->expr()->lte('delete_after', $qb->createNamedParameter($currentTime, IQueryBuilder::PARAM_DATETIME_MUTABLE)) ) ->executeStatement(); @@ -94,8 +63,10 @@ class DatabaseBackend implements IBackend { /** * {@inheritDoc} */ - public function getAttempts(string $methodIdentifier, - string $userIdentifier): int { + public function getAttempts( + string $methodIdentifier, + string $userIdentifier, + ): int { $identifier = $this->hash($methodIdentifier, $userIdentifier); return $this->getExistingAttemptCount($identifier); } @@ -103,9 +74,11 @@ class DatabaseBackend implements IBackend { /** * {@inheritDoc} */ - public function registerAttempt(string $methodIdentifier, - string $userIdentifier, - int $period) { + public function registerAttempt( + string $methodIdentifier, + string $userIdentifier, + int $period, + ): void { $identifier = $this->hash($methodIdentifier, $userIdentifier); $deleteAfter = $this->timeFactory->getDateTime()->add(new \DateInterval("PT{$period}S")); @@ -114,8 +87,13 @@ class DatabaseBackend implements IBackend { $qb->insert(self::TABLE_NAME) ->values([ 'hash' => $qb->createNamedParameter($identifier, IQueryBuilder::PARAM_STR), - 'delete_after' => $qb->createNamedParameter($deleteAfter, IQueryBuilder::PARAM_DATE), - ]) - ->executeStatement(); + 'delete_after' => $qb->createNamedParameter($deleteAfter, IQueryBuilder::PARAM_DATETIME_MUTABLE), + ]); + + if (!$this->config->getSystemValueBool('ratelimit.protection.enabled', true)) { + return; + } + + $qb->executeStatement(); } } diff --git a/lib/private/Security/RateLimiting/Backend/IBackend.php b/lib/private/Security/RateLimiting/Backend/IBackend.php index 960bfd2d159..43eff5dcf02 100644 --- a/lib/private/Security/RateLimiting/Backend/IBackend.php +++ b/lib/private/Security/RateLimiting/Backend/IBackend.php @@ -3,26 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> - * - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OC\Security\RateLimiting\Backend; @@ -39,10 +21,11 @@ interface IBackend { * * @param string $methodIdentifier Identifier for the method * @param string $userIdentifier Identifier for the user - * @return int */ - public function getAttempts(string $methodIdentifier, - string $userIdentifier): int; + public function getAttempts( + string $methodIdentifier, + string $userIdentifier, + ): int; /** * Registers an attempt @@ -51,7 +34,9 @@ interface IBackend { * @param string $userIdentifier Identifier for the user * @param int $period Period in seconds how long this attempt should be stored */ - public function registerAttempt(string $methodIdentifier, - string $userIdentifier, - int $period); + public function registerAttempt( + string $methodIdentifier, + string $userIdentifier, + int $period, + ); } diff --git a/lib/private/Security/RateLimiting/Backend/MemoryCacheBackend.php b/lib/private/Security/RateLimiting/Backend/MemoryCacheBackend.php index f4880fb239c..4c33b49d05e 100644 --- a/lib/private/Security/RateLimiting/Backend/MemoryCacheBackend.php +++ b/lib/private/Security/RateLimiting/Backend/MemoryCacheBackend.php @@ -3,34 +3,15 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OC\Security\RateLimiting\Backend; use OCP\AppFramework\Utility\ITimeFactory; use OCP\ICache; use OCP\ICacheFactory; +use OCP\IConfig; /** * Class MemoryCacheBackend uses the configured distributed memory cache for storing @@ -39,35 +20,23 @@ use OCP\ICacheFactory; * @package OC\Security\RateLimiting\Backend */ class MemoryCacheBackend implements IBackend { - /** @var ICache */ - private $cache; - /** @var ITimeFactory */ - private $timeFactory; + private ICache $cache; - /** - * @param ICacheFactory $cacheFactory - * @param ITimeFactory $timeFactory - */ - public function __construct(ICacheFactory $cacheFactory, - ITimeFactory $timeFactory) { - $this->cache = $cacheFactory->createDistributed(__CLASS__); - $this->timeFactory = $timeFactory; + public function __construct( + private IConfig $config, + ICacheFactory $cacheFactory, + private ITimeFactory $timeFactory, + ) { + $this->cache = $cacheFactory->createDistributed(self::class); } - /** - * @param string $methodIdentifier - * @param string $userIdentifier - * @return string - */ - private function hash(string $methodIdentifier, - string $userIdentifier): string { + private function hash( + string $methodIdentifier, + string $userIdentifier, + ): string { return hash('sha512', $methodIdentifier . $userIdentifier); } - /** - * @param string $identifier - * @return array - */ private function getExistingAttempts(string $identifier): array { $cachedAttempts = $this->cache->get($identifier); if ($cachedAttempts === null) { @@ -85,8 +54,10 @@ class MemoryCacheBackend implements IBackend { /** * {@inheritDoc} */ - public function getAttempts(string $methodIdentifier, - string $userIdentifier): int { + public function getAttempts( + string $methodIdentifier, + string $userIdentifier, + ): int { $identifier = $this->hash($methodIdentifier, $userIdentifier); $existingAttempts = $this->getExistingAttempts($identifier); @@ -104,9 +75,11 @@ class MemoryCacheBackend implements IBackend { /** * {@inheritDoc} */ - public function registerAttempt(string $methodIdentifier, - string $userIdentifier, - int $period) { + public function registerAttempt( + string $methodIdentifier, + string $userIdentifier, + int $period, + ): void { $identifier = $this->hash($methodIdentifier, $userIdentifier); $existingAttempts = $this->getExistingAttempts($identifier); $currentTime = $this->timeFactory->getTime(); @@ -121,6 +94,11 @@ class MemoryCacheBackend implements IBackend { // Store the new attempt $existingAttempts[] = (string)($currentTime + $period); + + if (!$this->config->getSystemValueBool('ratelimit.protection.enabled', true)) { + return; + } + $this->cache->set($identifier, json_encode($existingAttempts)); } } diff --git a/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php b/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php index 08091e997ca..19defc2d896 100644 --- a/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php +++ b/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php @@ -3,32 +3,16 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> - * - * @author Lukas Reschke <lukas@statuscode.ch> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OC\Security\RateLimiting\Exception; use OC\AppFramework\Middleware\Security\Exceptions\SecurityException; use OCP\AppFramework\Http; +use OCP\Security\RateLimiting\IRateLimitExceededException; -class RateLimitExceededException extends SecurityException { +class RateLimitExceededException extends SecurityException implements IRateLimitExceededException { public function __construct() { parent::__construct('Rate limit exceeded', Http::STATUS_TOO_MANY_REQUESTS); } diff --git a/lib/private/Security/RateLimiting/Limiter.php b/lib/private/Security/RateLimiting/Limiter.php index 7848a5b75a7..316becfa009 100644 --- a/lib/private/Security/RateLimiting/Limiter.php +++ b/lib/private/Security/RateLimiting/Limiter.php @@ -3,26 +3,8 @@ declare(strict_types=1); /** - * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> - * - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ namespace OC\Security\RateLimiting; @@ -30,31 +12,33 @@ use OC\Security\Normalizer\IpAddress; use OC\Security\RateLimiting\Backend\IBackend; use OC\Security\RateLimiting\Exception\RateLimitExceededException; use OCP\IUser; +use OCP\Security\RateLimiting\ILimiter; +use Psr\Log\LoggerInterface; -class Limiter { - /** @var IBackend */ - private $backend; - - /** - * @param IBackend $backend - */ - public function __construct(IBackend $backend) { - $this->backend = $backend; +class Limiter implements ILimiter { + public function __construct( + private IBackend $backend, + private LoggerInterface $logger, + ) { } /** - * @param string $methodIdentifier - * @param string $userIdentifier * @param int $period in seconds - * @param int $limit * @throws RateLimitExceededException */ - private function register(string $methodIdentifier, - string $userIdentifier, - int $period, - int $limit): void { + private function register( + string $methodIdentifier, + string $userIdentifier, + int $period, + int $limit, + ): void { $existingAttempts = $this->backend->getAttempts($methodIdentifier, $userIdentifier); if ($existingAttempts >= $limit) { + $this->logger->info('Request blocked because it exceeds the rate limit [method: {method}, limit: {limit}, period: {period}]', [ + 'method' => $methodIdentifier, + 'limit' => $limit, + 'period' => $period, + ]); throw new RateLimitExceededException(); } @@ -64,16 +48,15 @@ class Limiter { /** * Registers attempt for an anonymous request * - * @param string $identifier - * @param int $anonLimit * @param int $anonPeriod in seconds - * @param string $ip * @throws RateLimitExceededException */ - public function registerAnonRequest(string $identifier, - int $anonLimit, - int $anonPeriod, - string $ip): void { + public function registerAnonRequest( + string $identifier, + int $anonLimit, + int $anonPeriod, + string $ip, + ): void { $ipSubnet = (new IpAddress($ip))->getSubnet(); $anonHashIdentifier = hash('sha512', 'anon::' . $identifier . $ipSubnet); @@ -83,16 +66,15 @@ class Limiter { /** * Registers attempt for an authenticated request * - * @param string $identifier - * @param int $userLimit * @param int $userPeriod in seconds - * @param IUser $user * @throws RateLimitExceededException */ - public function registerUserRequest(string $identifier, - int $userLimit, - int $userPeriod, - IUser $user): void { + public function registerUserRequest( + string $identifier, + int $userLimit, + int $userPeriod, + IUser $user, + ): void { $userHashIdentifier = hash('sha512', 'user::' . $identifier . $user->getUID()); $this->register($identifier, $userHashIdentifier, $userPeriod, $userLimit); } |