Added request rate limiters and improved login throttling

wouterj · wouterj · commit 21e97c25faa4 · 2020-09-27T23:13:29.000+02:00
This allows limiting on different elements of a request. This is usefull to
e.g. prevent breadth-first attacks, by allowing to enforce a limit on both IP
and IP+username.
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php
@@ -17,7 +17,9 @@
 use Symfony\Component\DependencyInjection\ChildDefinition;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Reference;
+use Symfony\Component\RateLimiter\AbstractRequestRateLimiter;
 use Symfony\Component\Security\Http\EventListener\LoginThrottlingListener;
+use Symfony\Component\Security\Http\RateLimiter\DefaultLoginRateLimiter;
 
 /**
  * @author Wouter de Jong <wouter@wouterj.nl>
@@ -49,7 +51,7 @@ public function addConfiguration(NodeDefinition $builder)
     {
         $builder
             ->children()
-                ->scalarNode('limiter')->info('The name of the limiter that you defined under "framework.rate_limiter".')->end()
+                ->scalarNode('limiter')->info(sprintf('A service id extending from "%s".', AbstractRequestRateLimiter::class))->end()
                 ->integerNode('max_attempts')->defaultValue(5)->end()
             ->end();
     }
@@ -65,18 +67,27 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
                 throw new \LogicException('You must either configure a rate limiter for "security.firewalls.'.$firewallName.'.login_throttling" or install symfony/framework-bundle:^5.2');
             }
 
-            FrameworkExtension::registerRateLimiter($container, $config['limiter'] = '_login_'.$firewallName, [
+            $limiterOptions = [
                 'strategy' => 'fixed_window',
                 'limit' => $config['max_attempts'],
                 'interval' => '1 minute',
                 'lock_factory' => 'lock.factory',
                 'cache_pool' => 'cache.app',
-            ]);
+            ];
+            FrameworkExtension::registerRateLimiter($container, $localId = '_login_local_'.$firewallName, $limiterOptions);
+
+            $limiterOptions['limit'] = 5 * $config['max_attempts'];
+            FrameworkExtension::registerRateLimiter($container, $globalId = '_login_global_'.$firewallName, $limiterOptions);
+
+            $container->register($config['limiter'] = 'security.login_throttling.'.$firewallName.'.limiter', DefaultLoginRateLimiter::class)
+                ->addArgument(new Reference('limiter.'.$globalId))
+                ->addArgument(new Reference('limiter.'.$localId))
+            ;
         }
 
         $container
             ->setDefinition('security.listener.login_throttling.'.$firewallName, new ChildDefinition('security.listener.login_throttling'))
-            ->replaceArgument(1, new Reference('limiter.'.$config['limiter']))
+            ->replaceArgument(1, new Reference($config['limiter']))
             ->addTag('kernel.event_subscriber', ['dispatcher' => 'security.event_dispatcher.'.$firewallName]);
 
         return [];
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator.php
@@ -118,7 +118,7 @@
             ->abstract()
             ->args([
                 service('request_stack'),
-                abstract_arg('rate limiter'),
+                abstract_arg('request rate limiter'),
             ])
 
         // Authenticators
diff --git a/src/Symfony/Component/RateLimiter/AbstractRequestRateLimiter.php b/src/Symfony/Component/RateLimiter/AbstractRequestRateLimiter.php
@@ -0,0 +1,42 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\RateLimiter;
+
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * A special type of compound limiter that deals with requests.
+ *
+ * This allows to limit on different types of information
+ * from the requests.
+ *
+ * @author Wouter de Jong <wouter@wouterj.nl>
+ *
+ * @experimental in Symfony 5.2
+ */
+abstract class AbstractRequestRateLimiter
+{
+    public function consume(Request $request): bool
+    {
+        $allow = true;
+        foreach ($this->getLimiters($request) as $limiter) {
+            $allow = $limiter->consume(1) && $allow;
+        }
+
+        return $allow;
+    }
+
+    /**
+     * @return LimiterInterface[]
+     */
+    abstract protected function getLimiters(Request $request): array;
+}
diff --git a/src/Symfony/Component/Security/Http/EventListener/LoginThrottlingListener.php b/src/Symfony/Component/Security/Http/EventListener/LoginThrottlingListener.php
@@ -12,13 +12,12 @@
 namespace Symfony\Component\Security\Http\EventListener;
 
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
-use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
-use Symfony\Component\RateLimiter\Limiter;
+use Symfony\Component\RateLimiter\AbstractRequestRateLimiter;
 use Symfony\Component\Security\Core\Exception\TooManyLoginAttemptsAuthenticationException;
+use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Event\CheckPassportEvent;
-use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
 
 /**
  * @author Wouter de Jong <wouter@wouterj.nl>
@@ -30,7 +29,7 @@ final class LoginThrottlingListener implements EventSubscriberInterface
     private $requestStack;
     private $limiter;
 
-    public function __construct(RequestStack $requestStack, Limiter $limiter)
+    public function __construct(RequestStack $requestStack, AbstractRequestRateLimiter $limiter)
     {
         $this->requestStack = $requestStack;
         $this->limiter = $limiter;
@@ -44,33 +43,17 @@ public function checkPassport(CheckPassportEvent $event): void
         }
 
         $request = $this->requestStack->getMasterRequest();
-        $username = $passport->getBadge(UserBadge::class)->getUserIdentifier();
-        $limiterKey = $this->createLimiterKey($username, $request);
+        $request->attributes->set(Security::LAST_USERNAME, $passport->getBadge(UserBadge::class)->getUserIdentifier());
 
-        $limiter = $this->limiter->create($limiterKey);
-        if (!$limiter->consume()) {
+        if (!$this->limiter->consume($request)) {
             throw new TooManyLoginAttemptsAuthenticationException();
         }
     }
 
-    public function onSuccessfulLogin(LoginSuccessEvent $event): void
-    {
-        $limiterKey = $this->createLimiterKey($event->getAuthenticatedToken()->getUsername(), $event->getRequest());
-        $limiter = $this->limiter->create($limiterKey);
-
-        $limiter->reset();
-    }
-
     public static function getSubscribedEvents(): array
     {
         return [
             CheckPassportEvent::class => ['checkPassport', 64],
-            LoginSuccessEvent::class => 'onSuccessfulLogin',
         ];
     }
-
-    private function createLimiterKey($username, Request $request): string
-    {
-        return $username.$request->getClientIp();
-    }
 }
diff --git a/src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php b/src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\RateLimiter;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\RateLimiter\AbstractRequestRateLimiter;
+use Symfony\Component\RateLimiter\Limiter;
+use Symfony\Component\Security\Core\Security;
+
+/**
+ * A default login throttling limiter.
+ *
+ * This limiter prevents breadth-first attacks by enforcing
+ * a limit on username+IP and a (higher) limit on IP.
+ *
+ * @author Wouter de Jong <wouter@wouterj.nl>
+ *
+ * @experimental in Symfony 5.2
+ */
+final class DefaultLoginRateLimiter extends AbstractRequestRateLimiter
+{
+    private $globalLimiter;
+    private $localLimiter;
+
+    public function __construct(Limiter $globalLimiter, Limiter $localLimiter)
+    {
+        $this->globalLimiter = $globalLimiter;
+        $this->localLimiter = $localLimiter;
+    }
+
+    protected function getLimiters(Request $request): array
+    {
+        return [
+            $this->globalLimiter->create($request->getClientIp()),
+            $this->localLimiter->create($request->attributes->get(Security::LAST_USERNAME).$request->getClientIp()),
+        ];
+    }
+}
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/LoginThrottlingListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/LoginThrottlingListenerTest.php
@@ -24,6 +24,7 @@
 use Symfony\Component\Security\Http\Event\CheckPassportEvent;
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
 use Symfony\Component\Security\Http\EventListener\LoginThrottlingListener;
+use Symfony\Component\Security\Http\RateLimiter\DefaultLoginRateLimiter;
 
 class LoginThrottlingListenerTest extends TestCase
 {
@@ -34,17 +35,24 @@ protected function setUp(): void
     {
         $this->requestStack = new RequestStack();
 
-        $limiter = new Limiter([
+        $localLimiter = new Limiter([
             'id' => 'login',
             'strategy' => 'fixed_window',
             'limit' => 3,
             'interval' => '1 minute',
         ], new InMemoryStorage());
+        $globalLimiter = new Limiter([
+            'id' => 'login',
+            'strategy' => 'fixed_window',
+            'limit' => 6,
+            'interval' => '1 minute',
+        ], new InMemoryStorage());
+        $limiter = new DefaultLoginRateLimiter($globalLimiter, $localLimiter);
 
         $this->listener = new LoginThrottlingListener($this->requestStack, $limiter);
     }
 
-    public function testPreventsLoginWhenOverThreshold()
+    public function testPreventsLoginWhenOverLocalThreshold()
     {
         $request = $this->createRequest();
         $passport = $this->createPassport('wouter');
@@ -59,21 +67,19 @@ public function testPreventsLoginWhenOverThreshold()
         $this->listener->checkPassport($this->createCheckPassportEvent($passport));
     }
 
-    public function testSuccessfulLoginResetsCount()
+    public function testPreventsLoginWhenOverGlobalThreshold()
     {
-        $this->expectNotToPerformAssertions();
-
         $request = $this->createRequest();
-        $passport = $this->createPassport('wouter');
+        $passports = [$this->createPassport('wouter'), $this->createPassport('ryan')];
 
         $this->requestStack->push($request);
 
-        for ($i = 0; $i < 3; ++$i) {
-            $this->listener->checkPassport($this->createCheckPassportEvent($passport));
+        for ($i = 0; $i < 6; ++$i) {
+            $this->listener->checkPassport($this->createCheckPassportEvent($passports[$i % 2]));
         }
 
-        $this->listener->onSuccessfulLogin($this->createLoginSuccessfulEvent($passport));
-        $this->listener->checkPassport($this->createCheckPassportEvent($passport));
+        $this->expectException(TooManyLoginAttemptsAuthenticationException::class);
+        $this->listener->checkPassport($this->createCheckPassportEvent($passports[0]));
     }
 
     private function createPassport($username)
