feat: Expose if the own IP is allowed to bypass bruteforce protection

Signed-off-by: Joas Schilling <[email protected]>
nextcloud · Aug 15, 2023 · a326817 · a326817
1 parent 754afda
commit a326817
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 26 deletions.
diff --git a/lib/private/Security/Bruteforce/Capabilities.php b/lib/private/Security/Bruteforce/Capabilities.php
@@ -3,9 +3,11 @@
 declare(strict_types=1);
 
 /**
+ * @copyright Copyright (c) 2023 Joas Schilling <[email protected]>
  * @copyright Copyright (c) 2017 Roeland Jago Douma <[email protected]>
  *
  * @author J0WI <[email protected]>
+ * @author Joas Schilling <[email protected]>
  * @author Julius Härtl <[email protected]>
  * @author Roeland Jago Douma <[email protected]>
  *
@@ -32,33 +34,21 @@
 use OCP\IRequest;
 
 class Capabilities implements IPublicCapability, IInitialStateExcludedCapability {
-	/** @var IRequest */
-	private $request;
-
-	/** @var Throttler */
-	private $throttler;
+	public function __construct(
+		private IRequest $request,
+		private Throttler $throttler,
+	) {
+	}
 
 	/**
-	 * Capabilities constructor.
-	 *
-	 * @param IRequest $request
-	 * @param Throttler $throttler
+	 * @return array{bruteforce: array{delay: int, allow-listed: bool}}
 	 */
-	public function __construct(IRequest $request,
-								Throttler $throttler) {
-		$this->request = $request;
-		$this->throttler = $throttler;
-	}
-
 	public function getCapabilities(): array {
-		if (version_compare(\OC::$server->getConfig()->getSystemValueString('version', '0.0.0.0'), '12.0.0.0', '<')) {
-			return [];
-		}
-
 		return [
 			'bruteforce' => [
-				'delay' => $this->throttler->getDelay($this->request->getRemoteAddress())
-			]
+				'delay' => $this->throttler->getDelay($this->request->getRemoteAddress()),
+				'allow-listed' => $this->throttler->isIPWhitelisted($this->request->getRemoteAddress()),
+			],
 		];
 	}
 }
diff --git a/lib/private/Security/Bruteforce/Throttler.php b/lib/private/Security/Bruteforce/Throttler.php
@@ -110,7 +110,7 @@ public function registerAttempt(string $action,
 	 * @param string $ip
 	 * @return bool
 	 */
-	private function isIPWhitelisted(string $ip): bool {
+	public function isIPWhitelisted(string $ip): bool {
 		if (isset($this->ipIsWhitelisted[$ip])) {
 			return $this->ipIsWhitelisted[$ip];
 		}

diff --git a/tests/lib/Security/Bruteforce/CapabilitiesTest.php b/tests/lib/Security/Bruteforce/CapabilitiesTest.php
@@ -52,26 +52,32 @@ protected function setUp(): void {
 		);
 	}
 
-	public function testGetCapabilities() {
+	public function testGetCapabilities(): void {
 		$this->throttler->expects($this->atLeastOnce())
 			->method('getDelay')
 			->with('10.10.10.10')
 			->willReturn(42);
 
+		$this->throttler->expects($this->atLeastOnce())
+			->method('isIPWhitelisted')
+			->with('10.10.10.10')
+			->willReturn(true);
+
 		$this->request->method('getRemoteAddress')
 			->willReturn('10.10.10.10');
 
 		$expected = [
 			'bruteforce' => [
-				'delay' => 42
+				'delay' => 42,
+				'allow-listed' => true,
 			]
 		];
 		$result = $this->capabilities->getCapabilities();
 
 		$this->assertEquals($expected, $result);
 	}
 
-	public function testGetCapabilitiesOnCli() {
+	public function testGetCapabilitiesOnCli(): void {
 		$this->throttler->expects($this->atLeastOnce())
 			->method('getDelay')
 			->with('')
@@ -82,7 +88,8 @@ public function testGetCapabilitiesOnCli() {
 
 		$expected = [
 			'bruteforce' => [
-				'delay' => 0
+				'delay' => 0,
+				'allow-listed' => false,
 			]
 		];
 		$result = $this->capabilities->getCapabilities();