feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple #36928
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,6 +3,7 @@ | |
| declare(strict_types=1); | ||
|
|
||
| /** | ||
| * @copyright Copyright (c) 2023 Joas Schilling <[email protected]> | ||
| * @copyright Copyright (c) 2017 Lukas Reschke <[email protected]> | ||
| * | ||
| * @author Christoph Wurst <[email protected]> | ||
|
|
@@ -31,13 +32,16 @@ | |
| use OC\Security\Bruteforce\Throttler; | ||
| use OCP\AppFramework\Controller; | ||
| use OCP\AppFramework\Http; | ||
| use OCP\AppFramework\Http\Attribute\BruteForceProtection; | ||
| use OCP\AppFramework\Http\Response; | ||
| use OCP\AppFramework\Http\TooManyRequestsResponse; | ||
| use OCP\AppFramework\Middleware; | ||
| use OCP\AppFramework\OCS\OCSException; | ||
| use OCP\AppFramework\OCSController; | ||
| use OCP\IRequest; | ||
| use OCP\Security\Bruteforce\MaxDelayReached; | ||
| use Psr\Log\LoggerInterface; | ||
| use ReflectionMethod; | ||
|
|
||
| /** | ||
| * Class BruteForceMiddleware performs the bruteforce protection for controllers | ||
|
|
@@ -47,16 +51,12 @@ | |
| * @package OC\AppFramework\Middleware\Security | ||
| */ | ||
| class BruteForceMiddleware extends Middleware { | ||
| public function __construct( | ||
| protected ControllerMethodReflector $reflector, | ||
| protected Throttler $throttler, | ||
| protected IRequest $request, | ||
| protected LoggerInterface $logger, | ||
| ) { | ||
| } | ||
|
|
||
| /** | ||
|
|
@@ -68,18 +68,55 @@ public function beforeController($controller, $methodName) { | |
| if ($this->reflector->hasAnnotation('BruteForceProtection')) { | ||
| $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action'); | ||
| $this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), $action); | ||
| } else { | ||
| $reflectionMethod = new ReflectionMethod($controller, $methodName); | ||
| $attributes = $reflectionMethod->getAttributes(BruteForceProtection::class); | ||
|
|
||
| if (!empty($attributes)) { | ||
| $remoteAddress = $this->request->getRemoteAddress(); | ||
|
|
||
| foreach ($attributes as $attribute) { | ||
| /** @var BruteForceProtection $protection */ | ||
| $protection = $attribute->newInstance(); | ||
| $action = $protection->getAction(); | ||
| $this->throttler->sleepDelayOrThrowOnMax($remoteAddress, $action); | ||
| } | ||
| } | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * {@inheritDoc} | ||
| */ | ||
| public function afterController($controller, $methodName, Response $response) { | ||
| if ($response->isThrottled()) { | ||
| if ($this->reflector->hasAnnotation('BruteForceProtection')) { | ||
| $action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action'); | ||
| $ip = $this->request->getRemoteAddress(); | ||
| $this->throttler->sleepDelay($ip, $action); | ||
| $this->throttler->registerAttempt($action, $ip, $response->getThrottleMetadata()); | ||
| } else { | ||
| $reflectionMethod = new ReflectionMethod($controller, $methodName); | ||
| $attributes = $reflectionMethod->getAttributes(BruteForceProtection::class); | ||
|
|
||
| if (!empty($attributes)) { | ||
| $ip = $this->request->getRemoteAddress(); | ||
| $metaData = $response->getThrottleMetadata(); | ||
|
|
||
| foreach ($attributes as $attribute) { | ||
| /** @var BruteForceProtection $protection */ | ||
| $protection = $attribute->newInstance(); | ||
| $action = $protection->getAction(); | ||
|
|
||
| if (!isset($metaData['action']) || $metaData['action'] === $action) { | ||
| $this->throttler->sleepDelay($ip, $action); | ||
| $this->throttler->registerAttempt($action, $ip, $metaData); | ||
| } | ||
| } | ||
| } else { | ||
| $this->logger->debug('Response for ' . get_class($controller) . '::' . $methodName . ' got bruteforce throttled but has no annotation nor attribute defined.'); | ||
| } | ||
| } | ||
|
Comment on lines
+92
to
+119
There was a problem hiding this comment. Is a good piece of code to refactor and split the responsibility at separated method to make the reading more easy. Maybe anything like: |
||
| } | ||
|
|
||
| return parent::afterController($controller, $methodName, $response); | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| <?php | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| /** | ||
| * @copyright Copyright (c) 2023 Joas Schilling <[email protected]> | ||
| * | ||
| * @author Joas Schilling <[email protected]> | ||
| * | ||
| * @license GNU AGPL version 3 or any later version | ||
| * | ||
| * This program is free software: you can redistribute it and/or modify | ||
| * it under the terms of the GNU Affero General Public License as | ||
| * published by the Free Software Foundation, either version 3 of the | ||
| * License, or (at your option) any later version. | ||
| * | ||
| * This program is distributed in the hope that it will be useful, | ||
| * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| * GNU Affero General Public License for more details. | ||
| * | ||
| * You should have received a copy of the GNU Affero General Public License | ||
| * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
| */ | ||
|
|
||
| namespace OCP\AppFramework\Http\Attribute; | ||
|
|
||
| use Attribute; | ||
|
|
||
| /** | ||
| * Attribute for controller methods that want to protect passwords, keys, tokens | ||
| * or other data against brute force | ||
| * | ||
| * @since 27.0.0 | ||
| */ | ||
| #[Attribute(Attribute::TARGET_METHOD | Attribute::IS_REPEATABLE)] | ||
| class BruteForceProtection { | ||
| /** | ||
| * @since 27.0.0 | ||
| */ | ||
| public function __construct( | ||
| protected string $action | ||
| ) { | ||
| } | ||
|
|
||
| /** | ||
| * @since 27.0.0 | ||
| */ | ||
| public function getAction(): string { | ||
| return $this->action; | ||
| } | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,7 @@ | |
|
|
||
| declare(strict_types=1); | ||
|
|
||
| /** | ||
| * @copyright 2023 Christoph Wurst <[email protected]> | ||
| * | ||
| * @author 2023 Christoph Wurst <[email protected]> | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it make sense to add
hasAttribute/getAttributestoControllerMethodReflector?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
THought about that too. I'm still up for it as a follow up, to combine the logic our for UseSession and this one.
Just thought it's easier to first get this in and then do more rework.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I’m always afraid the follow-up never comes in these cases :-)
We should try to make the new way as easy to use as the previous one if we want the code to get migrated at some point.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess you have a point, at the same time there is the RateLimit annotation waiting for me as a task this and next month, so will come.