Diffstat (limited to 'apps')
-rw-r--r-- | apps/dav/appinfo/v1/publicwebdav.php | 3 | ||||
-rw-r--r-- | apps/dav/lib/Connector/PublicAuth.php | 16 | ||||
-rw-r--r-- | apps/dav/tests/unit/Connector/PublicAuthTest.php | 9 |
3 files changed, 25 insertions, 3 deletions
diff --git a/apps/dav/appinfo/v1/publicwebdav.php b/apps/dav/appinfo/v1/publicwebdav.php
index 556dd35de58..32451e02af6 100644
--- a/apps/dav/appinfo/v1/publicwebdav.php
+++ b/apps/dav/appinfo/v1/publicwebdav.php
@@ -42,7 +42,8 @@ OC_Util::obEnd();
 $authBackend = new OCA\DAV\Connector\PublicAuth(
 	\OC::$server->getRequest(),
 	\OC::$server->getShareManager(),
-	\OC::$server->getSession()
+	\OC::$server->getSession(),
+	\OC::$server->getBruteForceThrottler()
 );
 
 $authPlugin = new \Sabre\DAV\Auth\Plugin($authBackend);
diff --git a/apps/dav/lib/Connector/PublicAuth.php b/apps/dav/lib/Connector/PublicAuth.php
index 45021772293..9d4ef8ba9b2 100644
--- a/apps/dav/lib/Connector/PublicAuth.php
+++ b/apps/dav/lib/Connector/PublicAuth.php
@@ -31,6 +31,7 @@ namespace OCA\DAV\Connector;
+use OC\Security\Bruteforce\Throttler;
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\Share\Exceptions\ShareNotFound;
@@ -44,6 +45,7 @@ use Sabre\DAV\Auth\Backend\AbstractBasic;
  * @package OCA\DAV\Connector
  */
 class PublicAuth extends AbstractBasic {
+	private const BRUTEFORCE_ACTION = 'public_webdav_auth';
 
 	/** @var \OCP\Share\IShare */
 	private $share;
@@ -57,17 +59,23 @@ class PublicAuth extends AbstractBasic {
 	/** @var IRequest */
 	private $request;
 
+	/** @var Throttler */
+	private $throttler;
+
 	/**
 	 * @param IRequest $request
 	 * @param IManager $shareManager
 	 * @param ISession $session
+	 * @param Throttler $throttler
 	 */
 	public function __construct(IRequest $request,
 								IManager $shareManager,
-								ISession $session) {
+								ISession $session,
+								Throttler $throttler) {
 		$this->request = $request;
 		$this->shareManager = $shareManager;
 		$this->session = $session;
+		$this->throttler = $throttler;
 
 		// setup realm
 		$defaults = new \OCP\Defaults();
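Review bot: The dependency added to the constructor in the `@@ -57,17 +59,23 @@` hunk is the concrete class `OC\Security\Bruteforce\Throttler` (imported in the `@@ -31,6 +31,7 @@` hunk), which sits in the server-private `OC\` namespace while every other constructor argument is a public `OCP\` type (`IRequest`, `IManager`, `ISession`). That couples the app to server internals and is why the test file has to build the mock with `disableOriginalConstructor()`. If this codebase already offers a public interface for the throttler, type-hint that instead; if it does not, record the deliberate exception on the property, e.g. `/** @var Throttler server-internal class; no public OCP interface available for the throttler yet */`.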
@@ -87,9 +95,12 @@ class PublicAuth extends AbstractBasic {
 	 * @throws \Sabre\DAV\Exception\NotAuthenticated
 	 */
 	protected function validateUserPass($username, $password) {
+		$this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), self::BRUTEFORCE_ACTION);
+
 		try {
 			$share = $this->shareManager->getShareByToken($username);
 		} catch (ShareNotFound $e) {
+			$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
 			return false;
 		}
 
@@ -114,11 +125,14 @@ class PublicAuth extends AbstractBasic {
 					header('WWW-Authenticate: DummyBasic realm="' . $this->realm . '"');
 					throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
 				}
+
+				$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
 				return false;
 			}
 		} elseif ($share->getShareType() === IShare::TYPE_REMOTE) {
 			return true;
 		} else {
+			$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
 			return false;
 		}
 	} else {
diff --git a/apps/dav/tests/unit/Connector/PublicAuthTest.php b/apps/dav/tests/unit/Connector/PublicAuthTest.php
index bcec84d414c..0ac41295cb0 100644
--- a/apps/dav/tests/unit/Connector/PublicAuthTest.php
+++ b/apps/dav/tests/unit/Connector/PublicAuthTest.php
@@ -27,6 +27,7 @@ namespace OCA\DAV\Tests\unit\Connector;
+use OC\Security\Bruteforce\Throttler;
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\Share\Exceptions\ShareNotFound;
@@ -50,6 +51,8 @@ class PublicAuthTest extends \Test\TestCase {
 	private $shareManager;
 	/** @var \OCA\DAV\Connector\PublicAuth */
 	private $auth;
+	/** @var Throttler|\PHPUnit\Framework\MockObject\MockObject */
+	private $throttler;
 
 	/** @var string */
 	private $oldUser;
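Review bot: In the `@@ -114,11 +125,14 @@` hunk the wrong-password path that throws `NotAuthenticated('Cannot authenticate over ajax calls')` leaves `validateUserPass()` before the new `registerAttempt()` line is reached, so failed password guesses arriving on that path are never counted, and the `sleepDelayOrThrowOnMax()` added at the top of the function (the `@@ -87,9 +95,12 @@` hunk) only delays what was counted. The condition that selects the ajax branch is above the hunk and cannot be checked here, but a rejected password is a failed attempt regardless of how the client asked, so the registration should precede the ajax check: move `$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());` to just before the `header(...)`/`throw` pair, leaving the existing call before `return false;` in place or dropping it as redundant. While there, the four call sites each fetch `$this->request->getRemoteAddress()` separately; a single `$ip = $this->request->getRemoteAddress();` next to the `sleepDelayOrThrowOnMax()` call shortens them and makes the opposite argument order of the two throttler methods (`($ip, $action)` versus `($action, $ip)`) easier to see and keep right. `validateUserPass()` starts inside the first hunk and continues past both.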
@@ -66,11 +69,15 @@ class PublicAuthTest extends \Test\TestCase {
 		$this->shareManager = $this->getMockBuilder(IManager::class)
 			->disableOriginalConstructor()
 			->getMock();
+		$this->throttler = $this->getMockBuilder(Throttler::class)
+			->disableOriginalConstructor()
+			->getMock();
 
 		$this->auth = new \OCA\DAV\Connector\PublicAuth(
 			$this->request,
 			$this->shareManager,
-			$this->session
+			$this->session,
+			$this->throttler
 		);
 
 		// Store current user
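Review bot: The test changes end at wiring the throttler mock into `setUp()`; the diffstat shows all nine changed test lines, and none of them sets an expectation, so neither the delay on entry nor the attempt registered on each failure path of `validateUserPass()` is covered. The existing failure cases (unknown token, wrong password, non-link share type) can pin the new behaviour with `$this->throttler->expects($this->once())->method('registerAttempt')->with('public_webdav_auth', $this->anything());`, and the success cases with `$this->throttler->expects($this->never())->method('registerAttempt');`. A regression test for the ajax wrong-password path, which currently throws before any registration, is the one most worth adding. `setUp()` continues below the hunk.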