-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #44664 from nextcloud/fix/dav/rate-limit-create-ad…
…ress-book fix(dav): Rate limit address book creation
- Loading branch information
Showing
6 changed files
with
240 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
87 changes: 87 additions & 0 deletions
87
apps/dav/lib/CardDAV/Security/CardDavRateLimitingPlugin.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,87 @@ | ||
<?php | ||
|
||
declare(strict_types=1); | ||
|
||
/* | ||
* SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors | ||
* SPDX-License-Identifier: AGPL-3.0-or-later | ||
*/ | ||
|
||
namespace OCA\DAV\CardDAV\Security; | ||
|
||
use OC\Security\RateLimiting\Exception\RateLimitExceededException; | ||
use OC\Security\RateLimiting\Limiter; | ||
use OCA\DAV\CardDAV\CardDavBackend; | ||
use OCA\DAV\Connector\Sabre\Exception\TooManyRequests; | ||
use OCP\IAppConfig; | ||
use OCP\IUserManager; | ||
use Psr\Log\LoggerInterface; | ||
use Sabre\DAV; | ||
use Sabre\DAV\Exception\Forbidden; | ||
use Sabre\DAV\ServerPlugin; | ||
use function count; | ||
use function explode; | ||
|
||
class CardDavRateLimitingPlugin extends ServerPlugin { | ||
private ?string $userId; | ||
|
||
public function __construct(private Limiter $limiter, | ||
private IUserManager $userManager, | ||
private CardDavBackend $cardDavBackend, | ||
private LoggerInterface $logger, | ||
private IAppConfig $config, | ||
?string $userId) { | ||
$this->limiter = $limiter; | ||
$this->userManager = $userManager; | ||
$this->cardDavBackend = $cardDavBackend; | ||
$this->config = $config; | ||
$this->logger = $logger; | ||
$this->userId = $userId; | ||
} | ||
|
||
public function initialize(DAV\Server $server): void { | ||
$server->on('beforeBind', [$this, 'beforeBind'], 1); | ||
} | ||
|
||
public function beforeBind(string $path): void { | ||
if ($this->userId === null) { | ||
// We only care about authenticated users here | ||
return; | ||
} | ||
$user = $this->userManager->get($this->userId); | ||
if ($user === null) { | ||
// We only care about authenticated users here | ||
return; | ||
} | ||
|
||
$pathParts = explode('/', $path); | ||
if (count($pathParts) === 4 && $pathParts[0] === 'addressbooks') { | ||
// Path looks like addressbooks/users/username/addressbooksname so a new addressbook is created | ||
try { | ||
$this->limiter->registerUserRequest( | ||
'carddav-create-address-book', | ||
$this->config->getValueInt('dav', 'rateLimitAddressBookCreation', 10), | ||
$this->config->getValueInt('dav', 'rateLimitPeriodAddressBookCreation', 3600), | ||
$user | ||
); | ||
} catch (RateLimitExceededException $e) { | ||
throw new TooManyRequests('Too many addressbooks created', 0, $e); | ||
} | ||
|
||
$addressBookLimit = $this->config->getValueInt('dav', 'maximumAdressbooks', 10); | ||
if ($addressBookLimit === -1) { | ||
return; | ||
} | ||
$numAddressbooks = $this->cardDavBackend->getAddressBooksForUserCount('principals/users/' . $user->getUID()); | ||
|
||
if ($numAddressbooks >= $addressBookLimit) { | ||
$this->logger->warning('Maximum number of address books reached', [ | ||
'addressbooks' => $numAddressbooks, | ||
'addressBookLimit' => $addressBookLimit, | ||
]); | ||
throw new Forbidden('AddressBook limit reached', 0); | ||
} | ||
} | ||
} | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
146 changes: 146 additions & 0 deletions
146
apps/dav/tests/unit/CardDAV/Security/CardDavRateLimitingPluginTest.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,146 @@ | ||
<?php | ||
|
||
declare(strict_types=1); | ||
|
||
/* | ||
* SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors | ||
* SPDX-License-Identifier: AGPL-3.0-or-later | ||
*/ | ||
|
||
namespace OCA\DAV\Tests\unit\CardDAV\Security; | ||
|
||
use OC\Security\RateLimiting\Exception\RateLimitExceededException; | ||
use OC\Security\RateLimiting\Limiter; | ||
use OCA\DAV\CardDAV\CardDavBackend; | ||
use OCA\DAV\CardDAV\Security\CardDavRateLimitingPlugin; | ||
use OCA\DAV\Connector\Sabre\Exception\TooManyRequests; | ||
use OCP\IAppConfig; | ||
use OCP\IUser; | ||
use OCP\IUserManager; | ||
use PHPUnit\Framework\MockObject\MockObject; | ||
use Psr\Log\LoggerInterface; | ||
use Sabre\DAV\Exception\Forbidden; | ||
use Test\TestCase; | ||
|
||
class CardDavRateLimitingPluginTest extends TestCase { | ||
|
||
private Limiter|MockObject $limiter; | ||
private CardDavBackend|MockObject $cardDavBackend; | ||
private IUserManager|MockObject $userManager; | ||
private LoggerInterface|MockObject $logger; | ||
private IAppConfig|MockObject $config; | ||
private string $userId = 'user123'; | ||
private CardDavRateLimitingPlugin $plugin; | ||
|
||
protected function setUp(): void { | ||
parent::setUp(); | ||
|
||
$this->limiter = $this->createMock(Limiter::class); | ||
$this->userManager = $this->createMock(IUserManager::class); | ||
$this->cardDavBackend = $this->createMock(CardDavBackend::class); | ||
$this->logger = $this->createMock(LoggerInterface::class); | ||
$this->config = $this->createMock(IAppConfig::class); | ||
$this->plugin = new CardDavRateLimitingPlugin( | ||
$this->limiter, | ||
$this->userManager, | ||
$this->cardDavBackend, | ||
$this->logger, | ||
$this->config, | ||
$this->userId, | ||
); | ||
} | ||
|
||
public function testNoUserObject(): void { | ||
$this->limiter->expects(self::never()) | ||
->method('registerUserRequest'); | ||
|
||
$this->plugin->beforeBind('addressbooks/users/foo/addressbookname'); | ||
} | ||
|
||
public function testUnrelated(): void { | ||
$user = $this->createMock(IUser::class); | ||
$this->userManager->expects(self::once()) | ||
->method('get') | ||
->with($this->userId) | ||
->willReturn($user); | ||
$this->limiter->expects(self::never()) | ||
->method('registerUserRequest'); | ||
|
||
$this->plugin->beforeBind('foo/bar'); | ||
} | ||
|
||
public function testRegisterAddressBookrCreation(): void { | ||
$user = $this->createMock(IUser::class); | ||
$this->userManager->expects(self::once()) | ||
->method('get') | ||
->with($this->userId) | ||
->willReturn($user); | ||
$this->config | ||
->method('getValueInt') | ||
->with('dav') | ||
->willReturnArgument(2); | ||
$this->limiter->expects(self::once()) | ||
->method('registerUserRequest') | ||
->with( | ||
'carddav-create-address-book', | ||
10, | ||
3600, | ||
$user, | ||
); | ||
|
||
$this->plugin->beforeBind('addressbooks/users/foo/addressbookname'); | ||
} | ||
|
||
public function testAddressBookCreationRateLimitExceeded(): void { | ||
$user = $this->createMock(IUser::class); | ||
$this->userManager->expects(self::once()) | ||
->method('get') | ||
->with($this->userId) | ||
->willReturn($user); | ||
$this->config | ||
->method('getValueInt') | ||
->with('dav') | ||
->willReturnArgument(2); | ||
$this->limiter->expects(self::once()) | ||
->method('registerUserRequest') | ||
->with( | ||
'carddav-create-address-book', | ||
10, | ||
3600, | ||
$user, | ||
) | ||
->willThrowException(new RateLimitExceededException()); | ||
$this->expectException(TooManyRequests::class); | ||
|
||
$this->plugin->beforeBind('addressbooks/users/foo/addressbookname'); | ||
} | ||
|
||
public function testAddressBookLimitReached(): void { | ||
$user = $this->createMock(IUser::class); | ||
$this->userManager->expects(self::once()) | ||
->method('get') | ||
->with($this->userId) | ||
->willReturn($user); | ||
$user->method('getUID')->willReturn('user123'); | ||
$this->config | ||
->method('getValueInt') | ||
->with('dav') | ||
->willReturnArgument(2); | ||
$this->limiter->expects(self::once()) | ||
->method('registerUserRequest') | ||
->with( | ||
'carddav-create-address-book', | ||
10, | ||
3600, | ||
$user, | ||
); | ||
$this->cardDavBackend->expects(self::once()) | ||
->method('getAddressBooksForUserCount') | ||
->with('principals/users/user123') | ||
->willReturn(11); | ||
$this->expectException(Forbidden::class); | ||
|
||
$this->plugin->beforeBind('addressbooks/users/foo/addressbookname'); | ||
} | ||
|
||
} |