feat(rate-limit): Allow overwriting the rate limit

Signed-off-by: Joas Schilling <coding@schilljs.com>

[skip ci]

Author: nickvergessen

lib/private/AppFramework/Middleware/Security/RateLimitingMiddleware.php

@@ -22,9 +22,11 @@
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Middleware;
 use OCP\IAppConfig;
+use OCP\IConfig;
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\IUserSession;
+use Psr\Log\LoggerInterface;
 use ReflectionMethod;
 
 /**
@@ -56,7 +58,9 @@ public function __construct(
 		protected Limiter $limiter,
 		protected ISession $session,
 		protected IAppConfig $appConfig,
+		protected IConfig $serverConfig,
 		protected BruteforceAllowList $bruteForceAllowList,
+		protected LoggerInterface $logger,
 	) {
 	}
 
@@ -74,7 +78,13 @@ public function beforeController(Controller $controller, string $methodName): vo
 		}
 
 		if ($this->userSession->isLoggedIn()) {
-			$rateLimit = $this->readLimitFromAnnotationOrAttribute($controller, $methodName, 'UserRateThrottle', UserRateLimit::class);
+			$rateLimit = $this->readLimitFromAnnotationOrAttribute(
+				$controller,
+				$methodName,
+				'UserRateThrottle',
+				UserRateLimit::class,
+				'user',
+			);
 
 			if ($rateLimit !== null) {
 				if ($this->appConfig->getValueBool('bruteforcesettings', 'apply_allowlist_to_ratelimit')
@@ -94,7 +104,13 @@ public function beforeController(Controller $controller, string $methodName): vo
 			// If not user specific rate limit is found the Anon rate limit applies!
 		}
 
-		$rateLimit = $this->readLimitFromAnnotationOrAttribute($controller, $methodName, 'AnonRateThrottle', AnonRateLimit::class);
+		$rateLimit = $this->readLimitFromAnnotationOrAttribute(
+			$controller,
+			$methodName,
+			'AnonRateThrottle',
+			AnonRateLimit::class,
+			'anon',
+		);
 
 		if ($rateLimit !== null) {
 			$this->limiter->registerAnonRequest(
@@ -115,7 +131,35 @@ public function beforeController(Controller $controller, string $methodName): vo
 	 * @param class-string<T> $attributeClass
 	 * @return ?ARateLimit
 	 */
-	protected function readLimitFromAnnotationOrAttribute(Controller $controller, string $methodName, string $annotationName, string $attributeClass): ?ARateLimit {
+	protected function readLimitFromAnnotationOrAttribute(Controller $controller, string $methodName, string $annotationName, string $attributeClass, string $overwriteKey): ?ARateLimit {
+		$rateLimitOverwrite = $this->serverConfig->getSystemValue('ratelimit_overwrite', []);
+		if (!empty($rateLimitOverwrite)) {
+			$controllerRef = new \ReflectionClass($controller);
+			$appName = $controllerRef->getProperty('appName')->getValue($controller);
+			$controllerName = substr($controller::class, strrpos($controller::class, '\\') + 1);
+			$controllerName = substr($controllerName, 0, 0 - strlen('Controller'));
+
+			$overwriteConfig = strtolower($appName . '.' . $controllerName . '.' . $methodName);
+			$rateLimitOverwriteForActionAndType = $rateLimitOverwrite[$overwriteConfig][$overwriteKey] ?? null;
+			if ($rateLimitOverwriteForActionAndType !== null) {
+				$isValid = isset($rateLimitOverwriteForActionAndType['limit'], $rateLimitOverwriteForActionAndType['period'])
+					&& $rateLimitOverwriteForActionAndType['limit'] > 0
+					&& $rateLimitOverwriteForActionAndType['period'] > 0;
+
+				if ($isValid) {
+					return new $attributeClass(
+						(int)$rateLimitOverwriteForActionAndType['limit'],
+						(int)$rateLimitOverwriteForActionAndType['period'],
+					);
+				}
+
+				$this->logger->warning('Rate limit overwrite on controller "{overwriteConfig}" for "{overwriteKey}" is invalid', [
+					'overwriteConfig' => $overwriteConfig,
+					'overwriteKey' => $overwriteKey,
+				]);
+			}
+		}
+
 		$annotationLimit = $this->reflector->getAnnotationParameter($annotationName, 'limit');
 		$annotationPeriod = $this->reflector->getAnnotationParameter($annotationName, 'period');
 

tests/lib/AppFramework/Middleware/Security/RateLimitingMiddlewareTest.php

@@ -20,6 +20,7 @@
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\IAppConfig;
+use OCP\IConfig;
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\IUser;
@@ -64,7 +65,9 @@ class RateLimitingMiddlewareTest extends TestCase {
 	private Limiter|MockObject $limiter;
 	private ISession|MockObject $session;
 	private IAppConfig|MockObject $appConfig;
+	private IConfig|MockObject $serverConfig;
 	private BruteforceAllowList|MockObject $bruteForceAllowList;
+	private LoggerInterface|MockObject $logger;
 	private RateLimitingMiddleware $rateLimitingMiddleware;
 
 	protected function setUp(): void {
@@ -76,7 +79,9 @@ protected function setUp(): void {
 		$this->limiter = $this->createMock(Limiter::class);
 		$this->session = $this->createMock(ISession::class);
 		$this->appConfig = $this->createMock(IAppConfig::class);
+		$this->serverConfig = $this->createMock(IConfig::class);
 		$this->bruteForceAllowList = $this->createMock(BruteforceAllowList::class);
+		$this->logger = $this->createMock(LoggerInterface::class);
 
 		$this->rateLimitingMiddleware = new RateLimitingMiddleware(
 			$this->request,
@@ -85,7 +90,9 @@ protected function setUp(): void {
 			$this->limiter,
 			$this->session,
 			$this->appConfig,
+			$this->serverConfig,
 			$this->bruteForceAllowList,
+			$this->logger
 		);
 	}