Passed
Branch master (ecb760)
by Antonio Carlos
05:12
created

AttackBlocker::isBeingAttacked()   A

Complexity

Conditions 2
Paths 2

Size

Total Lines 10
Code Lines 5

Duplication

Lines 0
Ratio 0 %

Code Coverage

Tests 4
CRAP Score 2.032

Importance

Changes 0
Metric Value
dl 0
loc 10
ccs 4
cts 5
cp 0.8
rs 9.4285
c 0
b 0
f 0
cc 2
eloc 5
nc 2
nop 1
crap 2.032
1
<?php
2
3
namespace PragmaRX\Firewall\Support;
4
5
use Carbon\Carbon;
6
use PragmaRX\Firewall\Events\AttackDetected;
7
use PragmaRX\Firewall\Firewall;
8
use PragmaRX\Firewall\Repositories\Cache\Cache;
9
use PragmaRX\Support\Config;
10
11
class AttackBlocker
12
{
13
    use ServiceInstances;
14
15
    /**
16
     * The request record.
17
     *
18
     * @var array
19
     */
20
    protected $record = [
21
        'ip' => null,
22
23
        'country' => null,
24
    ];
25
26
    /**
27
     * The ip address.
28
     *
29
     * @var string
30
     */
31
    protected $ipAddress;
32
33
    /**
34
     * The cache key.
35
     *
36
     * @var string
37
     */
38
    protected $key;
39
40
    /**
41
     * The max request count.
42
     *
43
     * @var int
44
     */
45
    protected $maxRequestCount;
46
47
    /**
48
     * The max request count.
49
     *
50
     * @var int
51
     */
52
    protected $maxSeconds;
53
54
    /**
55
     * The firewall instance.
56
     *
57
     * @var Firewall
58
     */
59
    protected $firewall;
60
61
    /**
62
     * The country.
63
     *
64
     * @var string
65
     */
66
    protected $country;
67
68
    /**
69
     * The enabled items.
70
     *
71
     * @var \Illuminate\Support\Collection
72
     */
73
    protected $enabledItems;
74
75
    /**
76
     * AttackBlocker constructor.
77
     */
78 37
    public function __construct()
79
    {
80 37
        $this->loadConfig();
81 37
    }
82
83
    /**
84
     * Blacklist the IP address.
85
     *
86
     * @param $record
87
     *
88
     * @return bool
89
     */
90 2
    protected function blacklist($record)
91
    {
92 2
        if ($record['isBlacklisted']) {
93 2
            return false;
94
        }
95
96 2
        $blacklistUnknown = $this->config()->get("attack_blocker.action.{$record['type']}.blacklist_unknown");
97
98 2
        $blackWhitelisted = $this->config()->get("attack_blocker.action.{$record['type']}.blacklist_whitelisted");
99
100 2
        if ($blacklistUnknown || $blackWhitelisted) {
101 2
            $record['isBlacklisted'] = true;
102
103 2
            $ipAddress = $record['type'] == 'country'
104
                        ? 'country:'.$record['country_code']
105 2
                        : $record['ipAddress'];
106
107 2
            $this->firewall->blacklist($ipAddress, $blackWhitelisted);
108
109 2
            $this->save($record);
110
111 2
            return true;
112
        }
113
114
        return false;
115
    }
116
117
    /**
118
     * Check for expiration.
119
     *
120
     * @return void
121
     */
122
    protected function checkExpiration()
123
    {
124 2
        $this->enabledItems->each(function ($index, $type) {
125 2
            if (($this->record[$type]['lastRequestAt']->diffInSeconds(Carbon::now())) <= ($this->getMaxSecondsForType($type))) {
126 2
                return $this->record;
127
            }
128
129
            return $this->getEmptyRecord($this->record[$type]['key'], $type);
130 2
        });
131 2
    }
132
133
    /**
134
     * Get an empty record.
135
     *
136
     * @return array
137
     */
138 2
    protected function getEmptyRecord($key, $type)
139
    {
140 2
        return $this->makeRecord($key, $type);
141
    }
142
143
    /**
144
     * Get a timestamp for the time the cache should expire.
145
     *
146
     * @param $type
147
     *
148
     * @return \Carbon\Carbon
149
     */
150 2
    protected function getExpirationTimestamp($type)
151
    {
152 2
        return Carbon::now()->addSeconds($this->getMaxSecondsForType($type));
153
    }
154
155
    /**
156
     * Get firewall.
157
     *
158
     * @return Firewall
159
     */
160
    public function getFirewall()
161
    {
162
        return $this->firewall;
163
    }
164
165
    /**
166
     * Search geo localization by ip.
167
     *
168
     * @param $ipAddress
169
     *
170
     * @return array|null
171
     */
172 2
    protected function getGeo($ipAddress)
173
    {
174 2
        return $this->firewall->getGeoIp()->searchAddr($ipAddress);
175
    }
176
177
    /**
178
     * Get the cache key.
179
     *
180
     * @return string
181
     */
182
    public function getKey()
183
    {
184
        return $this->key;
185
    }
186
187
    /**
188
     * Get max request count from config.
189
     *
190
     * @param string $type
191
     *
192
     * @return int
193
     */
194 2
    protected function getMaxRequestCountForType($type = 'ip')
195
    {
196 2
        return !is_null($this->maxRequestCount)
197 2
            ? $this->maxRequestCount
198 2
            : ($this->maxRequestCount = $this->config()->get("attack_blocker.allowed_frequency.{$type}.requests"));
199
    }
200
201
    /**
202
     * Get max seconds from config.
203
     *
204
     * @param $type
205
     *
206
     * @return int
207
     */
208 2
    protected function getMaxSecondsForType($type)
209
    {
210 2
        return !is_null($this->maxSeconds)
211 2
            ? $this->maxSeconds
212 2
            : ($this->maxSeconds = $this->config()->get("attack_blocker.allowed_frequency.{$type}.seconds"));
213
    }
214
215
    /**
216
     * Get attack records.
217
     *
218
     * @return array
219
     */
220
    public function getRecord()
221
    {
222
        return $this->record;
223
    }
224
225
    /**
226
     * Get the response configuration.
227
     *
228
     * @return array
229
     */
230 2
    protected function getResponseConfig()
231
    {
232 2
        return $this->config()->get('attack_blocker.response');
233
    }
234
235
    /**
236
     * Increment request count.
237
     *
238
     * @return void
239
     */
240
    protected function increment()
241
    {
242 2
        $this->enabledItems->each(function ($index, $type) {
243 2
            $this->save($type, ['requestCount' => $this->record[$type]['requestCount'] + 1]);
244 2
        });
245 2
    }
246
247
    /**
248
     * Check if this is an attack.
249
     *
250
     * @return bool
251
     */
252
    protected function isAttack()
253
    {
254 2
        return $this->enabledItems->filter(function ($index, $type) {
255 2
            if (!$this->isWhitelisted($type) && $this->record[$type]['requestCount'] > $this->getMaxRequestCountForType($type)) {
256 2
                $this->takeAction($this->record[$type]);
257
258 2
                return true;
259
            }
260 2
        })->count() > 0;
261
    }
262
263
    /**
264
     * Check for attacks.
265
     *
266
     * @param $ipAddress
267
     *
268
     * @return bool
269
     */
270 2
    public function isBeingAttacked($ipAddress)
271
    {
272 2
        if (!$this->isEnabled()) {
273
            return false;
274
        }
275
276 2
        $this->loadRecord($ipAddress);
277
278 2
        return $this->isAttack();
279
    }
280
281
    /**
282
     * Get enabled state.
283
     *
284
     * @return bool
285
     */
286 2
    protected function isEnabled()
287
    {
288 2
        return count($this->enabledItems) > 0;
289
    }
290
291
    /**
292
     * Is the current user whitelisted?
293
     *
294
     * @param $type
295
     *
296
     * @return bool
297
     */
298 2
    private function isWhitelisted($type)
299
    {
300 2
        return $this->firewall->whichList($this->record[$type]['ipAddress']) == 'whitelist' &&
301 2
                $this->config()->get("attack_blocker.action.{$this->record[$type]['type']}.blacklist_whitelisted");
302
    }
303
304
    /**
305
     * Load the configuration.
306
     *
307
     * @return void
308
     */
309
    private function loadConfig()
310
    {
311 37
        $this->enabledItems = collect($this->config()->get('attack_blocker.enabled'))->filter(function ($item) {
312 37
            return $item === true;
313 37
        });
314 37
    }
315
316
    /**
317
     * Load a record.
318
     *
319
     * @param $ipAddress
320
     *
321
     * @return void
322
     */
323 2
    protected function loadRecord($ipAddress)
324
    {
325 2
        $this->ipAddress = $ipAddress;
326
327 2
        $this->loadRecordItems();
328
329 2
        $this->checkExpiration();
330
331 2
        $this->increment();
332 2
    }
333
334
    /**
335
     * Load all record items.
336
     *
337
     * @return void
338
     */
339
    protected function loadRecordItems()
340
    {
341 2
        $this->enabledItems->each(function ($index, $type) {
342 2
            if (is_null($this->record[$type] = $this->cache()->get($key = $this->makeKeyForType($type, $this->ipAddress)))) {
343 2
                $this->record[$type] = $this->getEmptyRecord($key, $type);
344
            }
345 2
        });
346 2
    }
347
348
    /**
349
     * Write to the log.
350
     *
351
     * @param $string
352
     *
353
     * @return void
354
     */
355 2
    protected function log($string)
356
    {
357 2
        $this->firewall->log($string);
358 2
    }
359
360
    /**
361
     * Send attack the the log.
362
     *
363
     * @param $record
364
     *
365
     * @return void
366
     */
367 2
    protected function logAttack($record)
368
    {
369 2
        $this->log("Attacker detected - IP: {$record['ipAddress']} - Request count: {$record['requestCount']}");
370 2
    }
371
372
    /**
373
     * Make a response.
374
     *
375
     * @return null|\Illuminate\Http\Response
376
     */
377 2
    public function responseToAttack()
378
    {
379 2
        if ($this->isAttack()) {
380 2
            return (new Responder())->respond($this->getResponseConfig(), $this->record);
381
        }
382 2
    }
383
384
    /**
385
     * Make a hashed key.
386
     *
387
     * @param $field
388
     *
389
     * @return string
390
     */
391 2
    public function makeHashedKey($field)
392
    {
393 2
        return hash(
394 2
            'sha256',
395 2
            $this->config()->get('attack_blocker.cache_key_prefix').'-'.$field
396
        );
397
    }
398
399
    /**
400
     * Make the cache key to record countries.
401
     *
402
     * @param $ipAddress
403
     *
404
     * @return string|null
405
     */
406 2
    protected function makeKeyForType($type, $ipAddress)
407
    {
408 2
        if ($type == 'country') {
409
            $geo = $this->getGeo($ipAddress);
410
411
            if (is_null($geo)) {
412
                $this->log("No GeoIp info for {$ipAddress}, is it installed?");
413
            }
414
415
            if (!is_null($geo) && $this->country = $geo['country_code']) {
416
                return $this->makeHashedKey($this->country);
417
            }
418
419
            unset($this->enabledItems['country']);
420
421
            return;
422
        }
423
424 2
        return $this->makeHashedKey($this->ipAddress = $ipAddress);
425
    }
426
427
    /**
428
     * Make a record.
429
     *
430
     * @param $key
431
     * @param $type
432
     *
433
     * @return array
434
     */
435 2
    protected function makeRecord($key, $type)
436
    {
437 2
        $geo = $this->getGeo($this->ipAddress);
438
439
        return [
440 2
            'type' => $type,
441
442 2
            'key' => $key,
443
444 2
            'ipAddress' => $this->ipAddress,
445
446 2
            'requestCount' => 0,
447
448 2
            'firstRequestAt' => Carbon::now(),
449
450 2
            'lastRequestAt' => Carbon::now(),
451
452
            'isBlacklisted' => false,
453
454
            'wasNotified' => false,
455
456 2
            'userAgent' => request()->server('HTTP_USER_AGENT'),
457
458 2
            'server' => request()->server(),
459
460 2
            'geoIp' => $geo,
461
462 2
            'country_name' => $geo ? $geo['country_name'] : null,
463
464 2
            'country_code' => $geo ? $geo['country_code'] : null,
465
466 2
            'host' => gethostbyaddr($this->ipAddress),
467
        ];
468
    }
469
470
    /**
471
     * Send notifications.
472
     *
473
     * @param $record
474
     *
475
     * @return void
476
     */
477 2
    protected function notify($record)
478
    {
479 2
        if (!$record['wasNotified'] && $this->config()->get('notifications.enabled')) {
480
            $this->save($record['type'], ['wasNotified' => true]);
481
482
            collect($this->config()->get('notifications.channels'))->filter(function ($value, $channel) use ($record) {
483
                try {
484
                    event(new AttackDetected($record, $channel));
485
                } catch (\Exception $exception) {
486
                    info($exception);
487
                }
488
            });
489
        }
490 2
    }
491
492
    /**
493
     * Renew first request timestamp, to keep the offender blocked.
494
     *
495
     * @param $record
496
     *
497
     * @return void
498
     */
499 2
    protected function renew($record)
500
    {
501 2
        $this->save($record['type'], ['lastRequestAt' => Carbon::now()]);
502 2
    }
503
504
    /**
505
     * Set firewall.
506
     *
507
     * @param Firewall $firewall
508
     *
509
     * @return void
510
     */
511 37
    public function setFirewall($firewall)
512
    {
513 37
        $this->firewall = $firewall;
514 37
    }
515
516
    /**
517
     * Store record on cache.
518
     *
519
     * @param $type
520
     * @param array $items
521
     *
522
     * @return array
523
     */
524 2
    protected function save($type, $items = [])
525
    {
526 2
        if (is_array($type)) {
527 2
            $items = $type;
528
529 2
            $type = $type['type'];
530
        }
531
532 2
        $this->record[$type] = array_merge($this->record[$type], $items);
533
534 2
        $this->cache()->put($this->record[$type]['key'], $this->record[$type], $this->getExpirationTimestamp($type));
0 ignored issues
show
Documentation introduced by
$this->getExpirationTimestamp($type) is of type object<Carbon\Carbon>, but the function expects a integer|null|boolean.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
535
536 2
        return $this->record[$type];
537
    }
538
539
    /**
540
     * Take the necessary action to keep the offender blocked.
541
     *
542
     * @return void
543
     */
544 2
    protected function takeAction($record)
545
    {
546 2
        $this->renew($record);
547
548 2
        $this->blacklist($record);
549
550 2
        $this->notify($record);
551
552 2
        $this->logAttack($record);
553 2
    }
554
}
555