ThrottlerTest.php 4.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors
  5. * SPDX-License-Identifier: AGPL-3.0-or-later
  6. */
  7. namespace Test\Security\Bruteforce;
  8. use OC\Security\Bruteforce\Backend\DatabaseBackend;
  9. use OC\Security\Bruteforce\Throttler;
  10. use OCP\AppFramework\Utility\ITimeFactory;
  11. use OCP\IConfig;
  12. use OCP\IDBConnection;
  13. use Psr\Log\LoggerInterface;
  14. use Test\TestCase;
  15. /**
  16. * Based on the unit tests from Paragonie's Airship CMS
  17. * Ref: https://github.com/paragonie/airship/blob/7e5bad7e3c0fbbf324c11f963fd1f80e59762606/test/unit/Engine/Security/AirBrakeTest.php
  18. *
  19. * @package Test\Security\Bruteforce
  20. */
  21. class ThrottlerTest extends TestCase {
  22. /** @var Throttler */
  23. private $throttler;
  24. /** @var IDBConnection */
  25. private $dbConnection;
  26. /** @var ITimeFactory */
  27. private $timeFactory;
  28. /** @var LoggerInterface */
  29. private $logger;
  30. /** @var IConfig|\PHPUnit\Framework\MockObject\MockObject */
  31. private $config;
  32. protected function setUp(): void {
  33. $this->dbConnection = $this->createMock(IDBConnection::class);
  34. $this->timeFactory = $this->createMock(ITimeFactory::class);
  35. $this->logger = $this->createMock(LoggerInterface::class);
  36. $this->config = $this->createMock(IConfig::class);
  37. $this->throttler = new Throttler(
  38. $this->timeFactory,
  39. $this->logger,
  40. $this->config,
  41. new DatabaseBackend($this->dbConnection)
  42. );
  43. parent::setUp();
  44. }
  45. public function dataIsIPWhitelisted() {
  46. return [
  47. [
  48. '10.10.10.10',
  49. [
  50. 'whitelist_0' => '10.10.10.0/24',
  51. ],
  52. true,
  53. ],
  54. [
  55. '10.10.10.10',
  56. [
  57. 'whitelist_0' => '192.168.0.0/16',
  58. ],
  59. false,
  60. ],
  61. [
  62. '10.10.10.10',
  63. [
  64. 'whitelist_0' => '192.168.0.0/16',
  65. 'whitelist_1' => '10.10.10.0/24',
  66. ],
  67. true,
  68. ],
  69. [
  70. '10.10.10.10',
  71. [
  72. 'whitelist_0' => '10.10.10.11/31',
  73. ],
  74. true,
  75. ],
  76. [
  77. '10.10.10.10',
  78. [
  79. 'whitelist_0' => '10.10.10.9/31',
  80. ],
  81. false,
  82. ],
  83. [
  84. '10.10.10.10',
  85. [
  86. 'whitelist_0' => '10.10.10.15/29',
  87. ],
  88. true,
  89. ],
  90. [
  91. 'dead:beef:cafe::1',
  92. [
  93. 'whitelist_0' => '192.168.0.0/16',
  94. 'whitelist_1' => '10.10.10.0/24',
  95. 'whitelist_2' => 'deaf:beef:cafe:1234::/64'
  96. ],
  97. false,
  98. ],
  99. [
  100. 'dead:beef:cafe::1',
  101. [
  102. 'whitelist_0' => '192.168.0.0/16',
  103. 'whitelist_1' => '10.10.10.0/24',
  104. 'whitelist_2' => 'deaf:beef::/64'
  105. ],
  106. false,
  107. ],
  108. [
  109. 'dead:beef:cafe::1',
  110. [
  111. 'whitelist_0' => '192.168.0.0/16',
  112. 'whitelist_1' => '10.10.10.0/24',
  113. 'whitelist_2' => 'deaf:cafe::/8'
  114. ],
  115. true,
  116. ],
  117. [
  118. 'dead:beef:cafe::1111',
  119. [
  120. 'whitelist_0' => 'dead:beef:cafe::1100/123',
  121. ],
  122. true,
  123. ],
  124. [
  125. 'invalid',
  126. [],
  127. false,
  128. ],
  129. ];
  130. }
  131. /**
  132. * @param string $ip
  133. * @param string[] $whitelists
  134. * @param bool $isWhiteListed
  135. * @param bool $enabled
  136. */
  137. private function isIpWhiteListedHelper($ip,
  138. $whitelists,
  139. $isWhiteListed,
  140. $enabled) {
  141. $this->config->method('getAppKeys')
  142. ->with($this->equalTo('bruteForce'))
  143. ->willReturn(array_keys($whitelists));
  144. $this->config
  145. ->expects($this->once())
  146. ->method('getSystemValueBool')
  147. ->with('auth.bruteforce.protection.enabled', true)
  148. ->willReturn($enabled);
  149. $this->config->method('getAppValue')
  150. ->willReturnCallback(function ($app, $key, $default) use ($whitelists) {
  151. if ($app !== 'bruteForce') {
  152. return $default;
  153. }
  154. if (isset($whitelists[$key])) {
  155. return $whitelists[$key];
  156. }
  157. return $default;
  158. });
  159. $this->assertSame(
  160. ($enabled === false) ? true : $isWhiteListed,
  161. self::invokePrivate($this->throttler, 'isBypassListed', [$ip])
  162. );
  163. }
  164. /**
  165. * @dataProvider dataIsIPWhitelisted
  166. *
  167. * @param string $ip
  168. * @param string[] $whitelists
  169. * @param bool $isWhiteListed
  170. */
  171. public function testIsIpWhiteListedWithEnabledProtection($ip,
  172. $whitelists,
  173. $isWhiteListed): void {
  174. $this->isIpWhiteListedHelper(
  175. $ip,
  176. $whitelists,
  177. $isWhiteListed,
  178. true
  179. );
  180. }
  181. /**
  182. * @dataProvider dataIsIPWhitelisted
  183. *
  184. * @param string $ip
  185. * @param string[] $whitelists
  186. * @param bool $isWhiteListed
  187. */
  188. public function testIsIpWhiteListedWithDisabledProtection($ip,
  189. $whitelists,
  190. $isWhiteListed): void {
  191. $this->isIpWhiteListedHelper(
  192. $ip,
  193. $whitelists,
  194. $isWhiteListed,
  195. false
  196. );
  197. }
  198. }