search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Localisation updates from https://translatewiki.net.
[mediawiki.git] / includes / auth / Throttler.php
blob85ea051b7e6d8b3ffa9f32e0172ead37b507fa6f
1 <?php
2 /**
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 *
13 * You should have received a copy of the GNU General Public License along
14 * with this program; if not, write to the Free Software Foundation, Inc.,
15 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 * http://www.gnu.org/copyleft/gpl.html
17 *
18 * @file
19 * @ingroup Auth
20 */
21
22 namespace MediaWiki\Auth;
23
24 use InvalidArgumentException;
25 use MediaWiki\HookContainer\HookRunner;
26 use MediaWiki\Logger\LoggerFactory;
27 use MediaWiki\MainConfigNames;
28 use MediaWiki\MediaWikiServices;
29 use Psr\Log\LoggerAwareInterface;
30 use Psr\Log\LoggerInterface;
31 use Psr\Log\LogLevel;
32 use Wikimedia\ObjectCache\BagOStuff;
33
34 /**
35 * A helper class for throttling authentication attempts.
36 * @package MediaWiki\Auth
37 * @ingroup Auth
38 * @since 1.27
39 */
40 class Throttler implements LoggerAwareInterface {
41
42 /** @var string */
43 protected $type;
44
45 /**
46 * See documentation of $wgPasswordAttemptThrottle for format. Old (pre-1.27) format is not
47 * allowed here.
48 * @var array[]
49 * @see https://www.mediawiki.org/wiki/Manual:$wgPasswordAttemptThrottle
50 */
51 protected $conditions;
52
53 /** @var int|float */
54 protected $warningLimit;
55
56 protected BagOStuff $cache;
57 protected LoggerInterface $logger;
58 private HookRunner $hookRunner;
59
60 /**
61 * @param array|null $conditions An array of arrays describing throttling conditions.
62 * Defaults to $wgPasswordAttemptThrottle. See documentation of that variable for format.
63 * @param array $params Parameters (all optional):
64 * - type: throttle type, used as a namespace for counters,
65 * - cache: a BagOStuff object where throttle counters are stored.
66 * - warningLimit: the log level will be raised to warning when rejecting an attempt after
67 * no less than this many failures.
68 */
69 public function __construct( ?array $conditions = null, array $params = [] ) {
70 $invalidParams = array_diff_key( $params,
71 array_fill_keys( [ 'type', 'cache', 'warningLimit' ], true ) );
72 if ( $invalidParams ) {
73 throw new InvalidArgumentException( 'unrecognized parameters: '
74 . implode( ', ', array_keys( $invalidParams ) ) );
75 }
76
77 $services = MediaWikiServices::getInstance();
78 $this->hookRunner = new HookRunner( $services->getHookContainer() );
79
80 $objectCacheFactory = $services->getObjectCacheFactory();
81
82 if ( $conditions === null ) {
83 $config = $services->getMainConfig();
84 $conditions = $config->get( MainConfigNames::PasswordAttemptThrottle );
85 $params += [
86 'type' => 'password',
87 'cache' => $objectCacheFactory->getLocalClusterInstance(),
88 'warningLimit' => 50,
89 ];
90 } else {
91 $params += [
92 'type' => 'custom',
93 'cache' => $objectCacheFactory->getLocalClusterInstance(),
94 'warningLimit' => INF,
95 ];
96 }
97
98 $this->type = $params['type'];
99 $this->conditions = static::normalizeThrottleConditions( $conditions );
100 $this->cache = $params['cache'];
101 $this->warningLimit = $params['warningLimit'];
102
103 $this->setLogger( LoggerFactory::getInstance( 'throttler' ) );
104 }
105
106 public function setLogger( LoggerInterface $logger ) {
107 $this->logger = $logger;
108 }
109
110 /**
111 * Increase the throttle counter and return whether the attempt should be throttled.
112 *
113 * Should be called before an authentication attempt.
114 *
115 * @param string|null $username
116 * @param string|null $ip
117 * @param string|null $caller The authentication method from which we were called.
118 * @return array|false False if the attempt should not be throttled, an associative array
119 * with three keys otherwise:
120 * - throttleIndex: which throttle condition was met (a key of the conditions array)
121 * - count: throttle count (ie. number of failed attempts)
122 * - wait: time in seconds until authentication can be attempted
123 */
124 public function increase( $username = null, $ip = null, $caller = null ) {
125 if ( $username === null && $ip === null ) {
126 throw new InvalidArgumentException( 'Either username or IP must be set for throttling' );
127 }
128
129 $userKey = $username ? md5( $username ) : null;
130 foreach ( $this->conditions as $index => $throttleCondition ) {
131 $ipKey = isset( $throttleCondition['allIPs'] ) ? null : $ip;
132 $count = $throttleCondition['count'];
133 $expiry = $throttleCondition['seconds'];
134
135 // a limit of 0 is used as a disable flag in some throttling configuration settings
136 // throttling the whole world is probably a bad idea
137 if ( !$count || ( $userKey === null && $ipKey === null ) ) {
138 continue;
139 }
140
141 $throttleKey = $this->getThrottleKey( $this->type, $index, $ipKey, $userKey );
142 $throttleCount = $this->cache->get( $throttleKey );
143 if ( $throttleCount && $throttleCount >= $count ) {
144 // Throttle limited reached
145 $this->logRejection( [
146 'throttle' => $this->type,
147 'index' => $index,
148 'ipKey' => $ipKey,
149 'username' => $username,
150 'count' => $count,
151 'expiry' => $expiry,
152 // @codeCoverageIgnoreStart
153 'method' => $caller ?: __METHOD__,
154 // @codeCoverageIgnoreEnd
155 ] );
156
157 // Allow extensions to perform actions when a throttle causes throttling.
158 $this->hookRunner->onAuthenticationAttemptThrottled( $this->type, $username, $ip );
159
160 return [ 'throttleIndex' => $index, 'count' => $count, 'wait' => $expiry ];
161 } else {
162 $this->cache->incrWithInit( $throttleKey, $expiry, 1 );
163 }
164 }
165
166 return false;
167 }
168
169 /**
170 * Clear the throttle counter.
171 *
172 * Should be called after a successful authentication attempt.
173 *
174 * @param string|null $username
175 * @param string|null $ip
176 */
177 public function clear( $username = null, $ip = null ) {
178 $userKey = $username ? md5( $username ) : null;
179 foreach ( $this->conditions as $index => $specificThrottle ) {
180 $ipKey = isset( $specificThrottle['allIPs'] ) ? null : $ip;
181 $throttleKey = $this->getThrottleKey( $this->type, $index, $ipKey, $userKey );
182 $this->cache->delete( $throttleKey );
183 }
184 }
185
186 /**
187 * Construct a cache key for the throttle counter
188 * @param string $type
189 * @param int $index
190 * @param string|null $ipKey
191 * @param string|null $userKey
192 * @return string
193 */
194 private function getThrottleKey( string $type, int $index, ?string $ipKey, ?string $userKey ): string {
195 return $this->cache->makeGlobalKey(
196 'throttler',
197 $type,
198 $index,
199 $ipKey ?? '',
200 $userKey ?? ''
201 );
202 }
203
204 /**
205 * Handles B/C for $wgPasswordAttemptThrottle.
206 * @param array $throttleConditions
207 * @return array[]
208 * @see $wgPasswordAttemptThrottle for structure
209 */
210 protected static function normalizeThrottleConditions( $throttleConditions ) {
211 if ( !is_array( $throttleConditions ) ) {
212 return [];
213 }
214 if ( isset( $throttleConditions['count'] ) ) { // old style
215 $throttleConditions = [ $throttleConditions ];
216 }
217 return $throttleConditions;
218 }
219
220 protected function logRejection( array $context ) {
221 $logMsg = 'Throttle {throttle} hit, throttled for {expiry} seconds due to {count} attempts '
222 . 'from username {username} and IP {ipKey}';
223
224 // If we are hitting a throttle for >= warningLimit attempts, it is much more likely to be
225 // an attack than someone simply forgetting their password, so log it at a higher level.
226 $level = $context['count'] >= $this->warningLimit ? LogLevel::WARNING : LogLevel::INFO;
227
228 // It should be noted that once the throttle is hit, every attempt to login will
229 // generate the log message until the throttle expires, not just the attempt that
230 // puts the throttle over the top.
231 $this->logger->log( $level, $logMsg, $context );
232 }
233
234 }
MediaWiki Core