DatabaseBackend.php 3.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * @copyright Copyright (c) 2023 Joas Schilling <coding@schilljs.com>
  5. * @copyright Copyright (c) 2021 Lukas Reschke <lukas@statuscode.ch>
  6. *
  7. * @author Joas Schilling <coding@schilljs.com>
  8. * @author Lukas Reschke <lukas@statuscode.ch>
  9. *
  10. * @license GNU AGPL version 3 or any later version
  11. *
  12. * This program is free software: you can redistribute it and/or modify
  13. * it under the terms of the GNU Affero General Public License as
  14. * published by the Free Software Foundation, either version 3 of the
  15. * License, or (at your option) any later version.
  16. *
  17. * This program is distributed in the hope that it will be useful,
  18. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. * GNU Affero General Public License for more details.
  21. *
  22. * You should have received a copy of the GNU Affero General Public License
  23. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  24. *
  25. */
  26. namespace OC\Security\RateLimiting\Backend;
  27. use OCP\AppFramework\Utility\ITimeFactory;
  28. use OCP\DB\Exception;
  29. use OCP\DB\QueryBuilder\IQueryBuilder;
  30. use OCP\IConfig;
  31. use OCP\IDBConnection;
  32. class DatabaseBackend implements IBackend {
  33. private const TABLE_NAME = 'ratelimit_entries';
  34. public function __construct(
  35. private IConfig $config,
  36. private IDBConnection $dbConnection,
  37. private ITimeFactory $timeFactory
  38. ) {
  39. }
  40. private function hash(
  41. string $methodIdentifier,
  42. string $userIdentifier,
  43. ): string {
  44. return hash('sha512', $methodIdentifier . $userIdentifier);
  45. }
  46. /**
  47. * @throws Exception
  48. */
  49. private function getExistingAttemptCount(
  50. string $identifier
  51. ): int {
  52. $currentTime = $this->timeFactory->getDateTime();
  53. $qb = $this->dbConnection->getQueryBuilder();
  54. $qb->delete(self::TABLE_NAME)
  55. ->where(
  56. $qb->expr()->lte('delete_after', $qb->createNamedParameter($currentTime, IQueryBuilder::PARAM_DATE))
  57. )
  58. ->executeStatement();
  59. $qb = $this->dbConnection->getQueryBuilder();
  60. $qb->select($qb->func()->count())
  61. ->from(self::TABLE_NAME)
  62. ->where(
  63. $qb->expr()->eq('hash', $qb->createNamedParameter($identifier, IQueryBuilder::PARAM_STR))
  64. );
  65. $cursor = $qb->executeQuery();
  66. $row = $cursor->fetchOne();
  67. $cursor->closeCursor();
  68. return (int)$row;
  69. }
  70. /**
  71. * {@inheritDoc}
  72. */
  73. public function getAttempts(
  74. string $methodIdentifier,
  75. string $userIdentifier,
  76. ): int {
  77. $identifier = $this->hash($methodIdentifier, $userIdentifier);
  78. return $this->getExistingAttemptCount($identifier);
  79. }
  80. /**
  81. * {@inheritDoc}
  82. */
  83. public function registerAttempt(
  84. string $methodIdentifier,
  85. string $userIdentifier,
  86. int $period,
  87. ): void {
  88. $identifier = $this->hash($methodIdentifier, $userIdentifier);
  89. $deleteAfter = $this->timeFactory->getDateTime()->add(new \DateInterval("PT{$period}S"));
  90. $qb = $this->dbConnection->getQueryBuilder();
  91. $qb->insert(self::TABLE_NAME)
  92. ->values([
  93. 'hash' => $qb->createNamedParameter($identifier, IQueryBuilder::PARAM_STR),
  94. 'delete_after' => $qb->createNamedParameter($deleteAfter, IQueryBuilder::PARAM_DATE),
  95. ]);
  96. if (!$this->config->getSystemValueBool('ratelimit.protection.enabled', true)) {
  97. return;
  98. }
  99. $qb->executeStatement();
  100. }
  101. }