open-dsi
/
nextcloud-server
mirror of https://github.com/nextcloud/server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Move to dedicated MiddleWare

Browse Source 
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
pull/4336/head
Lukas Reschke 8 years ago
parent a05471eb43
commit a1ae5275f9
No known key found for this signature in database
GPG Key ID: B9F6980CF6E759B1
5 changed files with 447 additions and 78 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 19
      lib/private/AppFramework/DependencyInjection/DIContainer.php
  2. 134
      lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php
  3. 45
      lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
  4. 283
      tests/lib/AppFramework/Middleware/Security/RateLimitingMiddlewareTest.php
  5. 44
      tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php

19
lib/private/AppFramework/DependencyInjection/DIContainer.php
Unescape View File

@ -40,6 +40,7 @@ use OC\AppFramework\Http\Output;
use OC\AppFramework\Middleware\MiddlewareDispatcher;
use OC\AppFramework\Middleware\Security\CORSMiddleware;
use OC\AppFramework\Middleware\OCSMiddleware;
use OC\AppFramework\Middleware\Security\RateLimitingMiddleware;
use OC\AppFramework\Middleware\Security\SecurityMiddleware;
use OC\AppFramework\Middleware\SessionMiddleware;
use OC\AppFramework\Utility\SimpleContainer;
@ -219,17 +220,28 @@ class DIContainer extends SimpleContainer implements IAppContainer {
$server->getLogger(),
$server->getSession(),
$c['AppName'],
$server->getUserSession(),
$app->isLoggedIn(),
$app->isAdminUser(),
$server->getContentSecurityPolicyManager(),
$server->getCsrfTokenManager(),
$server->getContentSecurityPolicyNonceManager(),
$server->getBruteForceThrottler(),
$c->query(OC\Security\RateLimiting\Limiter::class)
$server->getBruteForceThrottler()
);
});
$this->registerService('RateLimitingMiddleware', function($c) use ($app) {
/** @var \OC\Server $server */
$server = $app->getServer();
return new RateLimitingMiddleware(
$server->getRequest(),
$server->getUserSession(),
$c['ControllerMethodReflector'],
$c->query(OC\Security\RateLimiting\Limiter::class)
);
});
$this->registerService('CORSMiddleware', function($c) {
return new CORSMiddleware(
$c['Request'],
@ -270,6 +282,7 @@ class DIContainer extends SimpleContainer implements IAppContainer {
$dispatcher->registerMiddleware($c['OCSMiddleware']);
$dispatcher->registerMiddleware($c['SecurityMiddleware']);
$dispatcher->registerMiddleWare($c['TwoFactorMiddleware']);
$dispatcher->registerMiddleware($c['RateLimitingMiddleware']);
foreach($middleWares as $middleWare) {
$dispatcher->registerMiddleware($c[$middleWare]);

134
lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php
Unescape View File

@ -0,0 +1,134 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Security\RateLimiting\Exception\RateLimitExceededException;
use OC\Security\RateLimiting\Limiter;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Middleware;
use OCP\IRequest;
use OCP\IUserSession;
/**
* Class RateLimitingMiddleware is the middleware responsible for implementing the
* ratelimiting in Nextcloud.
*
* It parses annotations such as:
*
* @UserRateThrottle(limit=5, period=100)
* @AnonRateThrottle(limit=1, period=100)
*
* Those annotations above would mean that logged-in users can access the page 5
* times within 100 seconds, and anonymous users 1 time within 100 seconds. If
* only an AnonRateThrottle is specified that one will also be applied to logged-in
* users.
*
* @package OC\AppFramework\Middleware\Security
*/
class RateLimitingMiddleware extends Middleware {
/** @var IRequest $request */
private $request;
/** @var IUserSession */
private $userSession;
/** @var ControllerMethodReflector */
private $reflector;
/** @var Limiter */
private $limiter;
/**
* @param IRequest $request
* @param IUserSession $userSession
* @param ControllerMethodReflector $reflector
* @param Limiter $limiter
*/
public function __construct(IRequest $request,
IUserSession $userSession,
ControllerMethodReflector $reflector,
Limiter $limiter) {
$this->request = $request;
$this->userSession = $userSession;
$this->reflector = $reflector;
$this->limiter = $limiter;
}
/**
* {@inheritDoc}
* @throws RateLimitExceededException
*/
public function beforeController($controller, $methodName) {
parent::beforeController($controller, $methodName);
$anonLimit = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'limit');
$anonPeriod = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'period');
$userLimit = $this->reflector->getAnnotationParameter('UserRateThrottle', 'limit');
$userPeriod = $this->reflector->getAnnotationParameter('UserRateThrottle', 'period');
$rateLimitIdentifier = get_class($controller) . '::' . $methodName;
if($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) {
$this->limiter->registerUserRequest(
$rateLimitIdentifier,
$userLimit,
$userPeriod,
$this->userSession->getUser()
);
} elseif ($anonLimit !== '' && $anonPeriod !== '') {
$this->limiter->registerAnonRequest(
$rateLimitIdentifier,
$anonLimit,
$anonPeriod,
$this->request->getRemoteAddress()
);
}
}
/**
* {@inheritDoc}
*/
public function afterException($controller, $methodName, \Exception $exception) {
if($exception instanceof RateLimitExceededException) {
if (stripos($this->request->getHeader('Accept'),'html') === false) {
$response = new JSONResponse(
[
'message' => $exception->getMessage(),
],
$exception->getCode()
);
} else {
$response = new TemplateResponse(
'core',
'403',
[
'file' => $exception->getMessage()
],
'guest'
);
$response->setStatus($exception->getCode());
}
return $response;
}
throw $exception;
}
}

45
lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
Unescape View File

@ -26,6 +26,7 @@
*
*/
namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Middleware\Security\Exceptions\AppNotEnabledException;
@ -39,7 +40,6 @@ use OC\Security\Bruteforce\Throttler;
use OC\Security\CSP\ContentSecurityPolicyManager;
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
use OC\Security\CSRF\CsrfTokenManager;
use OC\Security\RateLimiting\Limiter;
use OCP\AppFramework\Http\ContentSecurityPolicy;
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
use OCP\AppFramework\Http\RedirectResponse;
@ -54,7 +54,6 @@ use OCP\IURLGenerator;
use OCP\IRequest;
use OCP\ILogger;
use OCP\AppFramework\Controller;
use OCP\IUserSession;
use OCP\Util;
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
@ -79,8 +78,8 @@ class SecurityMiddleware extends Middleware {
private $logger;
/** @var ISession */
private $session;
/** @var IUserSession */
private $userSession;
/** @var bool */
private $isLoggedIn;
/** @var bool */
private $isAdminUser;
/** @var ContentSecurityPolicyManager */
@ -91,8 +90,6 @@ class SecurityMiddleware extends Middleware {
private $cspNonceManager;
/** @var Throttler */
private $throttler;
/** @var Limiter */
private $limiter;
/**
* @param IRequest $request
@ -102,13 +99,12 @@ class SecurityMiddleware extends Middleware {
* @param ILogger $logger
* @param ISession $session
* @param string $appName
* @param IUserSession $userSession
* @param bool $isLoggedIn
* @param bool $isAdminUser
* @param ContentSecurityPolicyManager $contentSecurityPolicyManager
* @param CSRFTokenManager $csrfTokenManager
* @param ContentSecurityPolicyNonceManager $cspNonceManager
* @param Throttler $throttler
* @param Limiter $limiter
*/
public function __construct(IRequest $request,
ControllerMethodReflector $reflector,
@ -117,13 +113,12 @@ class SecurityMiddleware extends Middleware {
ILogger $logger,
ISession $session,
$appName,
IUserSession $userSession,
$isLoggedIn,
$isAdminUser,
ContentSecurityPolicyManager $contentSecurityPolicyManager,
CsrfTokenManager $csrfTokenManager,
ContentSecurityPolicyNonceManager $cspNonceManager,
Throttler $throttler,
Limiter $limiter) {
Throttler $throttler) {
$this->navigationManager = $navigationManager;
$this->request = $request;
$this->reflector = $reflector;
@ -131,15 +126,15 @@ class SecurityMiddleware extends Middleware {
$this->urlGenerator = $urlGenerator;
$this->logger = $logger;
$this->session = $session;
$this->userSession = $userSession;
$this->isLoggedIn = $isLoggedIn;
$this->isAdminUser = $isAdminUser;
$this->contentSecurityPolicyManager = $contentSecurityPolicyManager;
$this->csrfTokenManager = $csrfTokenManager;
$this->cspNonceManager = $cspNonceManager;
$this->throttler = $throttler;
$this->limiter = $limiter;
}
/**
* This runs all the security checks before a method call. The
* security checks are determined by inspecting the controller method
@ -157,7 +152,7 @@ class SecurityMiddleware extends Middleware {
// security checks
$isPublicPage = $this->reflector->hasAnnotation('PublicPage');
if(!$isPublicPage) {
if(!$this->userSession->isLoggedIn()) {
if(!$this->isLoggedIn) {
throw new NotLoggedInException();
}
@ -196,27 +191,6 @@ class SecurityMiddleware extends Middleware {
}
}
$anonLimit = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'limit');
$anonPeriod = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'period');
$userLimit = $this->reflector->getAnnotationParameter('UserRateThrottle', 'limit');
$userPeriod = $this->reflector->getAnnotationParameter('UserRateThrottle', 'period');
$rateLimitIdentifier = get_class($controller) . '::' . $methodName;
if($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) {
$this->limiter->registerUserRequest(
$rateLimitIdentifier,
$userLimit,
$userPeriod,
$this->userSession->getUser()
);
} elseif ($anonLimit !== '' && $anonPeriod !== '') {
$this->limiter->registerAnonRequest(
$rateLimitIdentifier,
$anonLimit,
$anonPeriod,
$this->request->getRemoteAddress()
);
}
if($this->reflector->hasAnnotation('BruteForceProtection')) {
$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
$this->throttler->sleepDelay($this->request->getRemoteAddress(), $action);
@ -232,6 +206,7 @@ class SecurityMiddleware extends Middleware {
if(\OC_App::getAppPath($this->appName) !== false && !\OC_App::isEnabled($this->appName)) {
throw new AppNotEnabledException();
}
}
/**

283
tests/lib/AppFramework/Middleware/Security/RateLimitingMiddlewareTest.php
Unescape View File

@ -0,0 +1,283 @@
<?php
/**
* @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace Test\AppFramework\Middleware\Security;
use OC\AppFramework\Middleware\Security\RateLimitingMiddleware;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Security\RateLimiting\Exception\RateLimitExceededException;
use OC\Security\RateLimiting\Limiter;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\IRequest;
use OCP\IUser;
use OCP\IUserSession;
use Test\TestCase;
class RateLimitingMiddlewareTest extends TestCase {
/** @var IRequest|\PHPUnit_Framework_MockObject_MockObject */
private $request;
/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
private $userSession;
/** @var ControllerMethodReflector|\PHPUnit_Framework_MockObject_MockObject */
private $reflector;
/** @var Limiter|\PHPUnit_Framework_MockObject_MockObject */
private $limiter;
/** @var RateLimitingMiddleware */
private $rateLimitingMiddleware;
public function setUp() {
parent::setUp();
$this->request = $this->createMock(IRequest::class);
$this->userSession = $this->createMock(IUserSession::class);
$this->reflector = $this->createMock(ControllerMethodReflector::class);
$this->limiter = $this->createMock(Limiter::class);
$this->rateLimitingMiddleware = new RateLimitingMiddleware(
$this->request,
$this->userSession,
$this->reflector,
$this->limiter
);
}
public function testBeforeControllerWithoutAnnotation() {
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('');
$this->limiter
->expects($this->never())
->method('registerUserRequest');
$this->limiter
->expects($this->never())
->method('registerAnonRequest');
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
public function testBeforeControllerForAnon() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getRemoteAddress')
->willReturn('127.0.0.1');
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('100');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('10');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('');
$this->limiter
->expects($this->never())
->method('registerUserRequest');
$this->limiter
->expects($this->once())
->method('registerAnonRequest')
->with(get_class($controller) . '::testMethod', '100', '10', '127.0.0.1');
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
public function testBeforeControllerForLoggedIn() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */
$user = $this->createMock(IUser::class);
$this->userSession
->expects($this->once())
->method('isLoggedIn')
->willReturn(true);
$this->userSession
->expects($this->once())
->method('getUser')
->willReturn($user);
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('100');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('10');
$this->limiter
->expects($this->never())
->method('registerAnonRequest');
$this->limiter
->expects($this->once())
->method('registerUserRequest')
->with(get_class($controller) . '::testMethod', '100', '10', $user);
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
public function testBeforeControllerAnonWithFallback() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getRemoteAddress')
->willReturn('127.0.0.1');
$this->userSession
->expects($this->once())
->method('isLoggedIn')
->willReturn(false);
$this->reflector
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('200');
$this->reflector
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('20');
$this->reflector
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('100');
$this->reflector
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('10');
$this->limiter
->expects($this->never())
->method('registerUserRequest');
$this->limiter
->expects($this->once())
->method('registerAnonRequest')
->with(get_class($controller) . '::testMethod', '200', '20', '127.0.0.1');
$this->rateLimitingMiddleware->beforeController($controller, 'testMethod');
}
/**
* @expectedException \Exception
* @expectedExceptionMessage My test exception
*/
public function testAfterExceptionWithOtherException() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->rateLimitingMiddleware->afterException($controller, 'testMethod', new \Exception('My test exception'));
}
public function testAfterExceptionWithJsonBody() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getHeader')
->with('Accept')
->willReturn('JSON');
$result = $this->rateLimitingMiddleware->afterException($controller, 'testMethod', new RateLimitExceededException());
$expected = new JSONResponse(
[
'message' => 'Rate limit exceeded',
],
429
);
$this->assertEquals($expected, $result);
}
public function testAfterExceptionWithHtmlBody() {
/** @var Controller|\PHPUnit_Framework_MockObject_MockObject $controller */
$controller = $this->createMock(Controller::class);
$this->request
->expects($this->once())
->method('getHeader')
->with('Accept')
->willReturn('html');
$result = $this->rateLimitingMiddleware->afterException($controller, 'testMethod', new RateLimitExceededException());
$expected = new TemplateResponse(
'core',
'403',
[
'file' => 'Rate limit exceeded',
],
'guest'
);
$expected->setStatus(429);
$this->assertEquals($expected, $result);
}
}

44
tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
Unescape View File

@ -40,7 +40,6 @@ use OC\Security\CSP\ContentSecurityPolicyManager;
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
use OC\Security\CSRF\CsrfToken;
use OC\Security\CSRF\CsrfTokenManager;
use OC\Security\RateLimiting\Limiter;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
use OCP\AppFramework\Http\RedirectResponse;
@ -53,7 +52,6 @@ use OCP\INavigationManager;
use OCP\IRequest;
use OCP\ISession;
use OCP\IURLGenerator;
use OCP\IUserSession;
use OCP\Security\ISecureRandom;
@ -85,10 +83,6 @@ class SecurityMiddlewareTest extends \Test\TestCase {
private $csrfTokenManager;
/** @var ContentSecurityPolicyNonceManager|\PHPUnit_Framework_MockObject_MockObject */
private $cspNonceManager;
/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
private $userSession;
/** @var Limiter|\PHPUnit_Framework_MockObject_MockObject */
private $limiter;
/** @var Throttler|\PHPUnit_Framework_MockObject_MockObject */
private $bruteForceThrottler;
@ -99,8 +93,6 @@ class SecurityMiddlewareTest extends \Test\TestCase {
$this->reader = new ControllerMethodReflector();
$this->logger = $this->createMock(ILogger::class);
$this->navigationManager = $this->createMock(INavigationManager::class);
$this->userSession = $this->createMock(IUserSession::class);
$this->limiter = $this->createMock(Limiter::class);
$this->urlGenerator = $this->createMock(IURLGenerator::class);
$this->session = $this->createMock(ISession::class);
$this->request = $this->createMock(IRequest::class);
@ -119,11 +111,6 @@ class SecurityMiddlewareTest extends \Test\TestCase {
* @return SecurityMiddleware
*/
private function getMiddleware($isLoggedIn, $isAdminUser) {
$this->userSession
->expects($this->any())
->method('isLoggedIn')
->willReturn($isLoggedIn);
return new SecurityMiddleware(
$this->request,
$this->reader,
@ -132,13 +119,12 @@ class SecurityMiddlewareTest extends \Test\TestCase {
$this->logger,
$this->session,
'files',
$this->userSession,
$isLoggedIn,
$isAdminUser,
$this->contentSecurityPolicyManager,
$this->csrfTokenManager,
$this->cspNonceManager,
$this->bruteForceThrottler,
$this->limiter
$this->bruteForceThrottler
);
}
@ -687,36 +673,14 @@ class SecurityMiddlewareTest extends \Test\TestCase {
$this->logger,
$this->session,
'files',
$this->userSession,
false,
false,
$this->contentSecurityPolicyManager,
$this->csrfTokenManager,
$this->cspNonceManager,
$this->bruteForceThrottler,
$this->limiter
$this->bruteForceThrottler
);
$reader
->expects($this->at(0))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'limit')
->willReturn('');
$reader
->expects($this->at(1))
->method('getAnnotationParameter')
->with('AnonRateThrottle', 'period')
->willReturn('');
$reader
->expects($this->at(2))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'limit')
->willReturn('');
$reader
->expects($this->at(3))
->method('getAnnotationParameter')
->with('UserRateThrottle', 'period')
->willReturn('');
$reader->expects($this->any())->method('hasAnnotation')
->willReturnCallback(
function($annotation) use ($bruteForceProtectionEnabled) {

Write Preview
Loading…
Cancel
Save