mirror of https://github.com/nextcloud/server.git
Add database ratelimiting backend
In case no distributed memory cache is specified this adds a database backend for ratelimit purposes. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>pull/28818/head
parent
0cfbc41ab7
commit
201bf52c04
@ -0,0 +1,43 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace OC\Core\Migrations;
|
||||
|
||||
use Closure;
|
||||
use OCP\DB\ISchemaWrapper;
|
||||
use OCP\Migration\IOutput;
|
||||
use OCP\Migration\SimpleMigrationStep;
|
||||
|
||||
class Version23000Date20210906132259 extends SimpleMigrationStep {
|
||||
private const TABLE_NAME = 'ratelimit_entries';
|
||||
|
||||
/**
|
||||
* @param IOutput $output
|
||||
* @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper`
|
||||
* @param array $options
|
||||
* @return null|ISchemaWrapper
|
||||
*/
|
||||
public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {
|
||||
/** @var ISchemaWrapper $schema */
|
||||
$schema = $schemaClosure();
|
||||
|
||||
$hasTable = $schema->hasTable(self::TABLE_NAME);
|
||||
|
||||
if (!$hasTable) {
|
||||
$table = $schema->createTable(self::TABLE_NAME);
|
||||
$table->addColumn('hash', 'string', [
|
||||
'notnull' => true,
|
||||
'length' => 128,
|
||||
]);
|
||||
$table->addColumn('delete_after', 'datetime', [
|
||||
'notnull' => true,
|
||||
]);
|
||||
$table->addIndex(['hash'], 'ratelimit_hash');
|
||||
$table->addIndex(['delete_after'], 'ratelimit_delete_after');
|
||||
return $schema;
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
}
|
@ -0,0 +1,122 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
/**
|
||||
* @copyright Copyright (c) 2021 Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @author Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
namespace OC\Security\RateLimiting\Backend;
|
||||
|
||||
use OCP\AppFramework\Utility\ITimeFactory;
|
||||
use OCP\DB\QueryBuilder\IQueryBuilder;
|
||||
use OCP\IDBConnection;
|
||||
|
||||
class DatabaseBackend implements IBackend {
|
||||
private const TABLE_NAME = 'ratelimit_entries';
|
||||
|
||||
/** @var IDBConnection */
|
||||
private $dbConnection;
|
||||
/** @var ITimeFactory */
|
||||
private $timeFactory;
|
||||
|
||||
/**
|
||||
* @param IDBConnection $dbConnection
|
||||
* @param ITimeFactory $timeFactory
|
||||
*/
|
||||
public function __construct(
|
||||
IDBConnection $dbConnection,
|
||||
ITimeFactory $timeFactory
|
||||
) {
|
||||
$this->dbConnection = $dbConnection;
|
||||
$this->timeFactory = $timeFactory;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $methodIdentifier
|
||||
* @param string $userIdentifier
|
||||
* @return string
|
||||
*/
|
||||
private function hash(string $methodIdentifier,
|
||||
string $userIdentifier): string {
|
||||
return hash('sha512', $methodIdentifier . $userIdentifier);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $identifier
|
||||
* @return int
|
||||
*/
|
||||
private function getExistingAttemptCount(
|
||||
string $identifier
|
||||
): int {
|
||||
$currentTime = $this->timeFactory->getDateTime();
|
||||
|
||||
$qb = $this->dbConnection->getQueryBuilder();
|
||||
$qb->delete(self::TABLE_NAME)
|
||||
->where(
|
||||
$qb->expr()->lte('delete_after', $qb->createNamedParameter($currentTime, IQueryBuilder::PARAM_DATE))
|
||||
)
|
||||
->execute();
|
||||
|
||||
$qb = $this->dbConnection->getQueryBuilder();
|
||||
$qb->select($qb->func()->count('*', 'attempts'))
|
||||
->from(self::TABLE_NAME)
|
||||
->where(
|
||||
$qb->expr()->eq('hash', $qb->createNamedParameter($identifier, IQueryBuilder::PARAM_STR))
|
||||
)
|
||||
->andWhere(
|
||||
$qb->expr()->gte('delete_after', $qb->createNamedParameter($currentTime, IQueryBuilder::PARAM_DATE))
|
||||
);
|
||||
|
||||
$cursor = $qb->execute();
|
||||
$row = $cursor->fetch();
|
||||
$cursor->closeCursor();
|
||||
|
||||
return (int)$row['attempts'];
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
public function getAttempts(string $methodIdentifier,
|
||||
string $userIdentifier): int {
|
||||
$identifier = $this->hash($methodIdentifier, $userIdentifier);
|
||||
return $this->getExistingAttemptCount($identifier);
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
public function registerAttempt(string $methodIdentifier,
|
||||
string $userIdentifier,
|
||||
int $period) {
|
||||
$identifier = $this->hash($methodIdentifier, $userIdentifier);
|
||||
$deleteAfter = $this->timeFactory->getDateTime()->add(new \DateInterval("PT{$period}S"));
|
||||
|
||||
$qb = $this->dbConnection->getQueryBuilder();
|
||||
|
||||
$qb->insert(self::TABLE_NAME)
|
||||
->values([
|
||||
'hash' => $qb->createNamedParameter($identifier, IQueryBuilder::PARAM_STR),
|
||||
'delete_after' => $qb->createNamedParameter($deleteAfter, IQueryBuilder::PARAM_DATE),
|
||||
])
|
||||
->execute();
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue