feat: Expose if the own IP is allowed to bypass bruteforce protection

Signed-off-by: Joas Schilling <coding@schilljs.com>
2 years ago · fd9b2d488e
parent 2f06f2355d
commit fd9b2d488e
3 changed files with 23 additions and 26 deletions
--- a/lib/private/Security/Bruteforce/Capabilities.php
+++ b/lib/private/Security/Bruteforce/Capabilities.php
@ -3,9 +3,11 @@
 declare(strict_types=1);

 /**
+ * @copyright Copyright (c) 2023 Joas Schilling <coding@schilljs.com>
 * @copyright Copyright (c) 2017 Roeland Jago Douma <roeland@famdouma.nl>
 *
 * @author J0WI <J0WI@users.noreply.github.com>
+ * @author Joas Schilling <coding@schilljs.com>
 * @author Julius Härtl <jus@bitgrid.net>
 * @author Roeland Jago Douma <roeland@famdouma.nl>
 *
@ -32,33 +34,21 @@ use OCP\Capabilities\IInitialStateExcludedCapability;
 use OCP\IRequest;

 class Capabilities implements IPublicCapability, IInitialStateExcludedCapability {
-	/** @var IRequest */
-	private $request;
-
-	/** @var Throttler */
-	private $throttler;
+	public function __construct(
+		private IRequest $request,
+		private Throttler $throttler,
+	) {
+	}

 	/**
-	 * Capabilities constructor.
-	 *
-	 * @param IRequest $request
-	 * @param Throttler $throttler
+	 * @return array{bruteforce: array{delay: int, allow-listed: bool}}
 	 */
-	public function __construct(IRequest $request,
-								Throttler $throttler) {
-		$this->request = $request;
-		$this->throttler = $throttler;
-	}
-
 	public function getCapabilities(): array {
-		if (version_compare(\OC::$server->getConfig()->getSystemValueString('version', '0.0.0.0'), '12.0.0.0', '<')) {
-			return [];
-		}
-
 		return [
 			'bruteforce' => [
-				'delay' => $this->throttler->getDelay($this->request->getRemoteAddress())
-			]
+				'delay' => $this->throttler->getDelay($this->request->getRemoteAddress()),
+				'allow-listed' => $this->throttler->isIPWhitelisted($this->request->getRemoteAddress()),
+			],
 		];
 	}
 }
--- a/lib/private/Security/Bruteforce/Throttler.php
+++ b/lib/private/Security/Bruteforce/Throttler.php
@ -110,7 +110,7 @@ class Throttler implements IThrottler {
 	 * @param string $ip
 	 * @return bool
 	 */
-	private function isIPWhitelisted(string $ip): bool {
+	public function isIPWhitelisted(string $ip): bool {
 		if (isset($this->ipIsWhitelisted[$ip])) {
 			return $this->ipIsWhitelisted[$ip];
 		}
--- a/tests/lib/Security/Bruteforce/CapabilitiesTest.php
+++ b/tests/lib/Security/Bruteforce/CapabilitiesTest.php
@ -52,18 +52,24 @@ class CapabilitiesTest extends TestCase {
 		);
 	}

-	public function testGetCapabilities() {
+	public function testGetCapabilities(): void {
 		$this->throttler->expects($this->atLeastOnce())
 			->method('getDelay')
 			->with('10.10.10.10')
 			->willReturn(42);

+		$this->throttler->expects($this->atLeastOnce())
+			->method('isIPWhitelisted')
+			->with('10.10.10.10')
+			->willReturn(true);
+
 		$this->request->method('getRemoteAddress')
 			->willReturn('10.10.10.10');

 		$expected = [
 			'bruteforce' => [
-				'delay' => 42
+				'delay' => 42,
+				'allow-listed' => true,
 			]
 		];
 		$result = $this->capabilities->getCapabilities();
@ -71,7 +77,7 @@ class CapabilitiesTest extends TestCase {
 		$this->assertEquals($expected, $result);
 	}

-	public function testGetCapabilitiesOnCli() {
+	public function testGetCapabilitiesOnCli(): void {
 		$this->throttler->expects($this->atLeastOnce())
 			->method('getDelay')
 			->with('')
@ -82,7 +88,8 @@ class CapabilitiesTest extends TestCase {

 		$expected = [
 			'bruteforce' => [
-				'delay' => 0
+				'delay' => 0,
+				'allow-listed' => false,
 			]
 		];
 		$result = $this->capabilities->getCapabilities();