a5ccb31e85
Currently, when disabling the brute force protection no new brute force attempts are logged. However, the ones logged within the last 24 hours will still be used for throttling. This is quite an unexpected behaviour and caused some support issues. With this change when the brute force protection is disabled also the existing attempts within the last 24 hours will be disregarded. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
209 lines
5 KiB
PHP
209 lines
5 KiB
PHP
<?php
|
|
/**
|
|
* @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
|
|
*
|
|
* @license GNU AGPL version 3 or any later version
|
|
*
|
|
* This program is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Affero General Public License as
|
|
* published by the Free Software Foundation, either version 3 of the
|
|
* License, or (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Affero General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Affero General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*
|
|
*/
|
|
namespace Test\Security\Bruteforce;
|
|
|
|
use OC\AppFramework\Utility\TimeFactory;
|
|
use OC\Security\Bruteforce\Throttler;
|
|
use OCP\IConfig;
|
|
use OCP\IDBConnection;
|
|
use OCP\ILogger;
|
|
use Test\TestCase;
|
|
|
|
/**
|
|
* Based on the unit tests from Paragonie's Airship CMS
|
|
* Ref: https://github.com/paragonie/airship/blob/7e5bad7e3c0fbbf324c11f963fd1f80e59762606/test/unit/Engine/Security/AirBrakeTest.php
|
|
*
|
|
* @package Test\Security\Bruteforce
|
|
*/
|
|
class ThrottlerTest extends TestCase {
|
|
/** @var Throttler */
|
|
private $throttler;
|
|
/** @var IDBConnection */
|
|
private $dbConnection;
|
|
/** @var ILogger */
|
|
private $logger;
|
|
/** @var IConfig|\PHPUnit_Framework_MockObject_MockObject */
|
|
private $config;
|
|
|
|
public function setUp() {
|
|
$this->dbConnection = $this->createMock(IDBConnection::class);
|
|
$this->logger = $this->createMock(ILogger::class);
|
|
$this->config = $this->createMock(IConfig::class);
|
|
|
|
$this->throttler = new Throttler(
|
|
$this->dbConnection,
|
|
new TimeFactory(),
|
|
$this->logger,
|
|
$this->config
|
|
);
|
|
parent::setUp();
|
|
}
|
|
|
|
public function testCutoff() {
|
|
// precisely 31 second shy of 12 hours
|
|
$cutoff = self::invokePrivate($this->throttler, 'getCutoff', [43169]);
|
|
$this->assertSame(0, $cutoff->y);
|
|
$this->assertSame(0, $cutoff->m);
|
|
$this->assertSame(0, $cutoff->d);
|
|
$this->assertSame(11, $cutoff->h);
|
|
$this->assertSame(59, $cutoff->i);
|
|
$this->assertSame(29, $cutoff->s);
|
|
$cutoff = self::invokePrivate($this->throttler, 'getCutoff', [86401]);
|
|
$this->assertSame(0, $cutoff->y);
|
|
$this->assertSame(0, $cutoff->m);
|
|
$this->assertSame(1, $cutoff->d);
|
|
$this->assertSame(0, $cutoff->h);
|
|
$this->assertSame(0, $cutoff->i);
|
|
// Leap second tolerance:
|
|
$this->assertLessThan(2, $cutoff->s);
|
|
}
|
|
|
|
public function dataIsIPWhitelisted() {
|
|
return [
|
|
[
|
|
'10.10.10.10',
|
|
[
|
|
'whitelist_0' => '10.10.10.0/24',
|
|
],
|
|
true,
|
|
],
|
|
[
|
|
'10.10.10.10',
|
|
[
|
|
'whitelist_0' => '192.168.0.0/16',
|
|
],
|
|
false,
|
|
],
|
|
[
|
|
'10.10.10.10',
|
|
[
|
|
'whitelist_0' => '192.168.0.0/16',
|
|
'whitelist_1' => '10.10.10.0/24',
|
|
],
|
|
true,
|
|
],
|
|
[
|
|
'dead:beef:cafe::1',
|
|
[
|
|
'whitelist_0' => '192.168.0.0/16',
|
|
'whitelist_1' => '10.10.10.0/24',
|
|
'whitelist_2' => 'deaf:beef:cafe:1234::/64'
|
|
],
|
|
false,
|
|
],
|
|
[
|
|
'dead:beef:cafe::1',
|
|
[
|
|
'whitelist_0' => '192.168.0.0/16',
|
|
'whitelist_1' => '10.10.10.0/24',
|
|
'whitelist_2' => 'deaf:beef::/64'
|
|
],
|
|
false,
|
|
],
|
|
[
|
|
'dead:beef:cafe::1',
|
|
[
|
|
'whitelist_0' => '192.168.0.0/16',
|
|
'whitelist_1' => '10.10.10.0/24',
|
|
'whitelist_2' => 'deaf:cafe::/8'
|
|
],
|
|
true,
|
|
],
|
|
[
|
|
'invalid',
|
|
[],
|
|
false,
|
|
],
|
|
];
|
|
}
|
|
|
|
/**
|
|
* @param string $ip
|
|
* @param string[]$whitelists
|
|
* @param bool $isWhiteListed
|
|
* @param bool $enabled
|
|
*/
|
|
private function isIpWhiteListedHelper($ip,
|
|
$whitelists,
|
|
$isWhiteListed,
|
|
$enabled) {
|
|
$this->config->method('getAppKeys')
|
|
->with($this->equalTo('bruteForce'))
|
|
->willReturn(array_keys($whitelists));
|
|
$this->config
|
|
->expects($this->once())
|
|
->method('getSystemValue')
|
|
->with('auth.bruteforce.protection.enabled', true)
|
|
->willReturn($enabled);
|
|
|
|
$this->config->method('getAppValue')
|
|
->will($this->returnCallback(function($app, $key, $default) use ($whitelists) {
|
|
if ($app !== 'bruteForce') {
|
|
return $default;
|
|
}
|
|
if (isset($whitelists[$key])) {
|
|
return $whitelists[$key];
|
|
}
|
|
return $default;
|
|
}));
|
|
|
|
$this->assertSame(
|
|
($enabled === false) ? true : $isWhiteListed,
|
|
self::invokePrivate($this->throttler, 'isIPWhitelisted', [$ip])
|
|
);
|
|
}
|
|
|
|
/**
|
|
* @dataProvider dataIsIPWhitelisted
|
|
*
|
|
* @param string $ip
|
|
* @param string[] $whitelists
|
|
* @param bool $isWhiteListed
|
|
*/
|
|
public function testIsIpWhiteListedWithEnabledProtection($ip,
|
|
$whitelists,
|
|
$isWhiteListed) {
|
|
$this->isIpWhiteListedHelper(
|
|
$ip,
|
|
$whitelists,
|
|
$isWhiteListed,
|
|
true
|
|
);
|
|
}
|
|
|
|
/**
|
|
* @dataProvider dataIsIPWhitelisted
|
|
*
|
|
* @param string $ip
|
|
* @param string[] $whitelists
|
|
* @param bool $isWhiteListed
|
|
*/
|
|
public function testIsIpWhiteListedWithDisabledProtection($ip,
|
|
$whitelists,
|
|
$isWhiteListed) {
|
|
$this->isIpWhiteListedHelper(
|
|
$ip,
|
|
$whitelists,
|
|
$isWhiteListed,
|
|
false
|
|
);
|
|
}
|
|
}
|