| Total Complexity | 166 |
| Total Lines | 1602 |
| Duplicated Lines | 0 % |
| Changes | 5 | ||
| Bugs | 0 | Features | 0 |
Complex classes like Kernel often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes.
Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.
While breaking up the class, it is a good idea to analyze how other classes use Kernel, and based on these observations, apply Extract Interface, too.
| 1 | <?php |
||
| 81 | class Kernel |
||
| 82 | { |
||
| 83 | use IpTrait; |
||
| 84 | use FilterTrait; |
||
| 85 | |||
| 86 | // Reason codes (allow) |
||
| 87 | const REASON_IS_SEARCH_ENGINE = 100; |
||
| 88 | const REASON_IS_GOOGLE = 101; |
||
| 89 | const REASON_IS_BING = 102; |
||
| 90 | const REASON_IS_YAHOO = 103; |
||
| 91 | const REASON_IS_SOCIAL_NETWORK = 110; |
||
| 92 | const REASON_IS_FACEBOOK = 111; |
||
| 93 | const REASON_IS_TWITTER = 112; |
||
| 94 | |||
| 95 | // Reason codes (deny) |
||
| 96 | const REASON_TOO_MANY_SESSIONS = 1; |
||
| 97 | const REASON_TOO_MANY_ACCESSES = 2; // (not used) |
||
| 98 | const REASON_EMPTY_JS_COOKIE = 3; |
||
| 99 | const REASON_EMPTY_REFERER = 4; |
||
| 100 | |||
| 101 | const REASON_REACHED_LIMIT_DAY = 11; |
||
| 102 | const REASON_REACHED_LIMIT_HOUR = 12; |
||
| 103 | const REASON_REACHED_LIMIT_MINUTE = 13; |
||
| 104 | const REASON_REACHED_LIMIT_SECOND = 14; |
||
| 105 | |||
| 106 | const REASON_INVALID_IP = 40; |
||
| 107 | const REASON_DENY_IP = 41; |
||
| 108 | const REASON_ALLOW_IP = 42; |
||
| 109 | |||
| 110 | const REASON_COMPONENT_IP = 81; |
||
| 111 | const REASON_COMPONENT_RDNS = 82; |
||
| 112 | const REASON_COMPONENT_HEADER = 83; |
||
| 113 | const REASON_COMPONENT_USERAGENT = 84; |
||
| 114 | const REASON_COMPONENT_TRUSTED_ROBOT = 85; |
||
| 115 | |||
| 116 | const REASON_MANUAL_BAN = 99; |
||
| 117 | |||
| 118 | // Action codes |
||
| 119 | const ACTION_DENY = 0; |
||
| 120 | const ACTION_ALLOW = 1; |
||
| 121 | const ACTION_TEMPORARILY_DENY = 2; |
||
| 122 | const ACTION_UNBAN = 9; |
||
| 123 | |||
| 124 | // Result codes |
||
| 125 | const RESPONSE_DENY = 0; |
||
| 126 | const RESPONSE_ALLOW = 1; |
||
| 127 | const RESPONSE_TEMPORARILY_DENY = 2; |
||
| 128 | const RESPONSE_LIMIT_SESSION = 3; |
||
| 129 | |||
| 130 | const LOG_LIMIT = 3; |
||
| 131 | const LOG_PAGEVIEW = 11; |
||
| 132 | const LOG_BLACKLIST = 98; |
||
| 133 | const LOG_CAPTCHA = 99; |
||
| 134 | |||
| 135 | const KERNEL_DIR = __DIR__; |
||
| 136 | |||
| 137 | /** |
||
| 138 | * Driver for storing data. |
||
| 139 | * |
||
| 140 | * @var \Shieldon\Firewall\Driver\DriverProvider |
||
| 141 | */ |
||
| 142 | public $driver; |
||
| 143 | |||
| 144 | /** |
||
| 145 | * Container for Shieldon components. |
||
| 146 | * |
||
| 147 | * @var array |
||
| 148 | */ |
||
| 149 | public $component = []; |
||
| 150 | |||
| 151 | /** |
||
| 152 | * Logger instance. |
||
| 153 | * |
||
| 154 | * @var ActionLogger |
||
| 155 | */ |
||
| 156 | public $logger; |
||
| 157 | |||
| 158 | /** |
||
| 159 | * The closure functions that will be executed in this->run() |
||
| 160 | * |
||
| 161 | * @var array |
||
| 162 | */ |
||
| 163 | protected $closures = []; |
||
| 164 | |||
| 165 | /** |
||
| 166 | * default settings |
||
| 167 | * |
||
| 168 | * @var array |
||
| 169 | */ |
||
| 170 | protected $properties = []; |
||
| 171 | |||
| 172 | /** |
||
| 173 | * This is for creating data tables automatically |
||
| 174 | * Turn it off, if you don't want to check data tables every connection. |
||
| 175 | * |
||
| 176 | * @var bool |
||
| 177 | */ |
||
| 178 | protected $autoCreateDatabase = true; |
||
| 179 | |||
| 180 | /** |
||
| 181 | * Container for captcha addons. |
||
| 182 | * The collection of \Shieldon\Firewall\Captcha\CaptchaInterface |
||
| 183 | * |
||
| 184 | * @var array |
||
| 185 | */ |
||
| 186 | protected $captcha = []; |
||
| 187 | |||
| 188 | /** |
||
| 189 | * The ways Shieldon send a message to when someone has been blocked. |
||
| 190 | * The collection of \Shieldon\Messenger\Messenger\MessengerInterface |
||
| 191 | * |
||
| 192 | * @var array |
||
| 193 | */ |
||
| 194 | protected $messenger = []; |
||
| 195 | |||
| 196 | /** |
||
| 197 | * Is to limit traffic? |
||
| 198 | * |
||
| 199 | * @var array |
||
| 200 | */ |
||
| 201 | protected $sessionLimit = [ |
||
| 202 | |||
| 203 | // How many sessions will be available? |
||
| 204 | // 0 = no limit. |
||
| 205 | 'count' => 0, |
||
| 206 | |||
| 207 | // How many minutes will a session be availe to visit? |
||
| 208 | // 0 = no limit. |
||
| 209 | 'period' => 0, |
||
| 210 | ]; |
||
| 211 | |||
| 212 | /** |
||
| 213 | * Record the online session status. |
||
| 214 | * This will be enabled when $sessionLimit[count] > 0 |
||
| 215 | * |
||
| 216 | * @var array |
||
| 217 | */ |
||
| 218 | protected $sessionStatus = [ |
||
| 219 | |||
| 220 | // Online session count. |
||
| 221 | 'count' => 0, |
||
| 222 | |||
| 223 | // Current session order. |
||
| 224 | 'order' => 0, |
||
| 225 | |||
| 226 | // Current waiting queue. |
||
| 227 | 'queue' => 0, |
||
| 228 | ]; |
||
| 229 | |||
| 230 | /** |
||
| 231 | * The events. |
||
| 232 | * |
||
| 233 | * @var array |
||
| 234 | */ |
||
| 235 | protected $event = [ |
||
| 236 | |||
| 237 | // Update rule table when this value true. |
||
| 238 | 'update_rule_table' => false, |
||
| 239 | |||
| 240 | // Send notifications when this value true. |
||
| 241 | 'trigger_messengers' => false, |
||
| 242 | ]; |
||
| 243 | |||
| 244 | /** |
||
| 245 | * Result. |
||
| 246 | * |
||
| 247 | * @var int |
||
| 248 | */ |
||
| 249 | protected $result = 1; |
||
| 250 | |||
| 251 | /** |
||
| 252 | * URLs that are excluded from Shieldon's protection. |
||
| 253 | * |
||
| 254 | * @var array |
||
| 255 | */ |
||
| 256 | protected $excludedUrls = []; |
||
| 257 | |||
| 258 | /** |
||
| 259 | * Which type of configuration source that Shieldon firewall managed? |
||
| 260 | * |
||
| 261 | * @var string |
||
| 262 | */ |
||
| 263 | protected $firewallType = 'self'; // managed | config | self | demo |
||
| 264 | |||
| 265 | /** |
||
| 266 | * Custom dialog UI settings. |
||
| 267 | * |
||
| 268 | * @var array |
||
| 269 | */ |
||
| 270 | protected $dialogUI = []; |
||
| 271 | |||
| 272 | /** |
||
| 273 | * Store the class information used in Shieldon. |
||
| 274 | * |
||
| 275 | * @var array |
||
| 276 | */ |
||
| 277 | protected $registrar = []; |
||
| 278 | |||
| 279 | /** |
||
| 280 | * Strict mode. |
||
| 281 | * |
||
| 282 | * Set by `strictMode()` only. The default value of this propertry is undefined. |
||
| 283 | * |
||
| 284 | * @var bool |
||
| 285 | */ |
||
| 286 | protected $strictMode; |
||
| 287 | |||
| 288 | /** |
||
| 289 | * The directory in where the frontend template files are placed. |
||
| 290 | * |
||
| 291 | * @var string |
||
| 292 | */ |
||
| 293 | protected $templateDirectory = ''; |
||
| 294 | |||
| 295 | /** |
||
| 296 | * The message that will be sent to the third-party API. |
||
| 297 | * |
||
| 298 | * @var string |
||
| 299 | */ |
||
| 300 | protected $msgBody = ''; |
||
| 301 | |||
| 302 | /** |
||
| 303 | * Shieldon constructor. |
||
| 304 | * |
||
| 305 | * @param ServerRequestInterface|null $request A PSR-7 server request. |
||
| 306 | * |
||
| 307 | * @return void |
||
| 308 | */ |
||
| 309 | public function __construct(?ServerRequestInterface $request = null, ?ResponseInterface $response = null) |
||
| 310 | { |
||
| 311 | // Load helper functions. This is the must. |
||
| 312 | new Helpers(); |
||
| 313 | |||
| 314 | if (is_null($request)) { |
||
| 315 | $request = HttpFactory::createRequest(); |
||
| 316 | } |
||
| 317 | |||
| 318 | if (is_null($response)) { |
||
| 319 | $response = HttpFactory::createResponse(); |
||
| 320 | } |
||
| 321 | |||
| 322 | $session = HttpFactory::createSession(); |
||
| 323 | |||
| 324 | $this->properties = get_default_properties(); |
||
| 325 | $this->add(new Foundation()); |
||
| 326 | |||
| 327 | Container::set('request', $request); |
||
| 328 | Container::set('response', $response); |
||
| 329 | Container::set('session', $session); |
||
| 330 | Container::set('shieldon', $this); |
||
| 331 | } |
||
| 332 | |||
| 333 | /** |
||
| 334 | * Log actions. |
||
| 335 | * |
||
| 336 | * @param int $actionCode The code number of the action. |
||
| 337 | * |
||
| 338 | * @return void |
||
| 339 | */ |
||
| 340 | protected function log(int $actionCode): void |
||
| 341 | { |
||
| 342 | if (null !== $this->logger) { |
||
| 343 | $logData = []; |
||
| 344 | $logData['ip'] = $this->getIp(); |
||
| 345 | $logData['session_id'] = get_session()->get('id'); |
||
| 346 | $logData['action_code'] = $actionCode; |
||
| 347 | $logData['timesamp'] = time(); |
||
| 348 | |||
| 349 | $this->logger->add($logData); |
||
| 350 | } |
||
| 351 | } |
||
| 352 | |||
| 353 | /** |
||
| 354 | * Initialize components. |
||
| 355 | * |
||
| 356 | * @return void |
||
| 357 | */ |
||
| 358 | private function initComponents() |
||
| 359 | { |
||
| 360 | foreach (array_keys($this->component) as $name) { |
||
| 361 | $this->component[$name]->setIp($this->ip); |
||
| 362 | $this->component[$name]->setRdns($this->rdns); |
||
| 363 | |||
| 364 | // Apply global strict mode to all components by `strictMode()` if nesscessary. |
||
| 365 | if (isset($this->strictMode)) { |
||
| 366 | $this->component[$name]->setStrict($this->strictMode); |
||
| 367 | } |
||
| 368 | } |
||
| 369 | } |
||
| 370 | |||
| 371 | /** |
||
| 372 | * Look up the rule table. |
||
| 373 | * |
||
| 374 | * If a specific IP address doesn't exist, return false. |
||
| 375 | * Otherwise, return true. |
||
| 376 | * |
||
| 377 | * @return bool |
||
| 378 | */ |
||
| 379 | private function isRuleTable() |
||
| 380 | { |
||
| 381 | $ipRule = $this->driver->get($this->ip, 'rule'); |
||
| 382 | |||
| 383 | if (empty($ipRule)) { |
||
| 384 | return false; |
||
| 385 | } |
||
| 386 | |||
| 387 | $ruleType = (int) $ipRule['type']; |
||
| 388 | |||
| 389 | // Apply the status code. |
||
| 390 | $this->result = $ruleType; |
||
| 391 | |||
| 392 | if ($ruleType === self::ACTION_ALLOW) { |
||
| 393 | return true; |
||
| 394 | } |
||
| 395 | |||
| 396 | // Current visitor has been blocked. If he still attempts accessing the site, |
||
| 397 | // then we can drop him into the permanent block list. |
||
| 398 | $attempts = $ipRule['attempts'] ?? 0; |
||
| 399 | $attempts = (int) $attempts; |
||
| 400 | $now = time(); |
||
| 401 | $logData = []; |
||
| 402 | $handleType = 0; |
||
| 403 | |||
| 404 | $logData['log_ip'] = $ipRule['log_ip']; |
||
| 405 | $logData['ip_resolve'] = $ipRule['ip_resolve']; |
||
| 406 | $logData['time'] = $now; |
||
| 407 | $logData['type'] = $ipRule['type']; |
||
| 408 | $logData['reason'] = $ipRule['reason']; |
||
| 409 | $logData['attempts'] = $attempts; |
||
| 410 | |||
| 411 | // @since 0.2.0 |
||
| 412 | $attemptPeriod = $this->properties['record_attempt_detection_period']; |
||
| 413 | $attemptReset = $this->properties['reset_attempt_counter']; |
||
| 414 | |||
| 415 | $lastTimeDiff = $now - $ipRule['time']; |
||
| 416 | |||
| 417 | if ($lastTimeDiff <= $attemptPeriod) { |
||
| 418 | $logData['attempts'] = ++$attempts; |
||
| 419 | } |
||
| 420 | |||
| 421 | if ($lastTimeDiff > $attemptReset) { |
||
| 422 | $logData['attempts'] = 0; |
||
| 423 | } |
||
| 424 | |||
| 425 | if ($ruleType === self::ACTION_TEMPORARILY_DENY) { |
||
| 426 | $ratd = $this->determineAttemptsTemporaryDeny($logData, $handleType, $attempts); |
||
| 427 | $logData = $ratd['log_data']; |
||
| 428 | $handleType = $ratd['handle_type']; |
||
| 429 | } |
||
| 430 | |||
| 431 | if ($ruleType === self::ACTION_DENY) { |
||
| 432 | $rapd = $this->determineAttemptsPermanentDeny($logData, $handleType, $attempts); |
||
| 433 | $logData = $rapd['log_data']; |
||
| 434 | $handleType = $rapd['handle_type']; |
||
| 435 | } |
||
| 436 | |||
| 437 | // We only update data when `deny_attempt_enable` is enable. |
||
| 438 | // Because we want to get the last visited time and attempt counter. |
||
| 439 | // Otherwise, we don't update it everytime to avoid wasting CPU resource. |
||
| 440 | if ($this->event['update_rule_table']) { |
||
| 441 | $this->driver->save($this->ip, $logData, 'rule'); |
||
| 442 | } |
||
| 443 | |||
| 444 | // Notify this event to messenger. |
||
| 445 | if ($this->event['trigger_messengers']) { |
||
| 446 | $this->prepareMessengerBody($logData, $handleType); |
||
| 447 | } |
||
| 448 | |||
| 449 | return true; |
||
| 450 | } |
||
| 451 | |||
| 452 | /** |
||
| 453 | * Record the attempts when the user is temporarily denied by rule table. |
||
| 454 | * |
||
| 455 | * @param array $logData |
||
| 456 | * @param int $handleType |
||
| 457 | * @param int $attempts |
||
| 458 | * |
||
| 459 | * @return array |
||
| 460 | */ |
||
| 461 | private function determineAttemptsTemporaryDeny(array $logData, int $handleType, int $attempts): array |
||
| 462 | { |
||
| 463 | if ($this->properties['deny_attempt_enable']['data_circle']) { |
||
| 464 | $this->event['update_rule_table'] = true; |
||
| 465 | |||
| 466 | $buffer = $this->properties['deny_attempt_buffer']['data_circle']; |
||
| 467 | |||
| 468 | if ($attempts >= $buffer) { |
||
| 469 | |||
| 470 | if ($this->properties['deny_attempt_notify']['data_circle']) { |
||
| 471 | $this->event['trigger_messengers'] = true; |
||
| 472 | } |
||
| 473 | |||
| 474 | $logData['type'] = self::ACTION_DENY; |
||
| 475 | |||
| 476 | // Reset this value for next checking process - iptables. |
||
| 477 | $logData['attempts'] = 0; |
||
| 478 | $handleType = 1; |
||
| 479 | } |
||
| 480 | } |
||
| 481 | |||
| 482 | return [ |
||
| 483 | 'log_data' => $logData, |
||
| 484 | 'handle_type' => $handleType, |
||
| 485 | ]; |
||
| 486 | } |
||
| 487 | |||
| 488 | /** |
||
| 489 | * Record the attempts when the user is permanently denied by rule table. |
||
| 490 | * |
||
| 491 | * @param array $logData |
||
| 492 | * @param int $handleType |
||
| 493 | * @param int $attempts |
||
| 494 | * |
||
| 495 | * @return array |
||
| 496 | */ |
||
| 497 | private function determineAttemptsPermanentDeny(array $logData, int $handleType, int $attempts): array |
||
| 498 | { |
||
| 499 | if ($this->properties['deny_attempt_enable']['system_firewall']) { |
||
| 500 | $this->event['update_rule_table'] = true; |
||
| 501 | |||
| 502 | // For the requests that are already banned, but they are still attempting access, that means |
||
| 503 | // that they are programmably accessing your website. Consider put them in the system-layer fireall |
||
| 504 | // such as IPTABLE. |
||
| 505 | $bufferIptable = $this->properties['deny_attempt_buffer']['system_firewall']; |
||
| 506 | |||
| 507 | if ($attempts >= $bufferIptable) { |
||
| 508 | |||
| 509 | if ($this->properties['deny_attempt_notify']['system_firewall']) { |
||
| 510 | $this->event['trigger_messengers'] = true; |
||
| 511 | } |
||
| 512 | |||
| 513 | $folder = rtrim($this->properties['iptables_watching_folder'], '/'); |
||
| 514 | |||
| 515 | if (file_exists($folder) && is_writable($folder)) { |
||
| 516 | $filePath = $folder . '/iptables_queue.log'; |
||
| 517 | |||
| 518 | // command, ipv4/6, ip, subnet, port, protocol, action |
||
| 519 | // add,4,127.0.0.1,null,all,all,drop (example) |
||
| 520 | // add,4,127.0.0.1,null,80,tcp,drop (example) |
||
| 521 | $command = 'add,4,' . $this->ip . ',null,all,all,deny'; |
||
| 522 | |||
| 523 | if (filter_var($this->ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) { |
||
| 524 | $command = 'add,6,' . $this->ip . ',null,all,allow'; |
||
| 525 | } |
||
| 526 | |||
| 527 | // Add this IP address to itables_queue.log |
||
| 528 | // Use `bin/iptables.sh` for adding it into IPTABLES. See document for more information. |
||
| 529 | file_put_contents($filePath, $command . "\n", FILE_APPEND | LOCK_EX); |
||
| 530 | |||
| 531 | $logData['attempts'] = 0; |
||
| 532 | $handleType = 2; |
||
| 533 | } |
||
| 534 | } |
||
| 535 | } |
||
| 536 | |||
| 537 | return [ |
||
| 538 | 'log_data' => $logData, |
||
| 539 | 'handle_type' => $handleType, |
||
| 540 | ]; |
||
| 541 | } |
||
| 542 | |||
| 543 | /** |
||
| 544 | * Prepare the message body for messenger modules to sent. |
||
| 545 | * |
||
| 546 | * @param array $logData |
||
| 547 | * @param int $handleType |
||
| 548 | * |
||
| 549 | * @return void |
||
| 550 | */ |
||
| 551 | private function prepareMessengerBody(array $logData, int $handleType): void |
||
| 552 | { |
||
| 553 | // The data strings that will be appended to message body. |
||
| 554 | $prepareMessageData = [ |
||
| 555 | __('core', 'messenger_text_ip') => $logData['log_ip'], |
||
| 556 | __('core', 'messenger_text_rdns') => $logData['ip_resolve'], |
||
| 557 | __('core', 'messenger_text_reason') => __('core', 'messenger_text_reason_code_' . $logData['reason']), |
||
| 558 | __('core', 'messenger_text_handle') => __('core', 'messenger_text_handle_type_' . $handleType), |
||
| 559 | __('core', 'messenger_text_system') => '', |
||
| 560 | __('core', 'messenger_text_cpu') => get_cpu_usage(), |
||
| 561 | __('core', 'messenger_text_memory') => get_memory_usage(), |
||
| 562 | __('core', 'messenger_text_time') => date('Y-m-d H:i:s', $logData['time']), |
||
| 563 | __('core', 'messenger_text_timezone') => date_default_timezone_get(), |
||
| 564 | ]; |
||
| 565 | |||
| 566 | $message = __('core', 'messenger_notification_subject', 'Notification for {0}', [$this->ip]) . "\n\n"; |
||
| 567 | |||
| 568 | foreach ($prepareMessageData as $key => $value) { |
||
| 569 | $message .= $key . ': ' . $value . "\n"; |
||
| 570 | } |
||
| 571 | |||
| 572 | $this->msgBody = $message; |
||
| 573 | } |
||
| 574 | |||
| 575 | /** |
||
| 576 | * Check if current IP is trusted or not. |
||
| 577 | * |
||
| 578 | * @return bool |
||
| 579 | */ |
||
| 580 | private function isTrustedBot() |
||
| 581 | { |
||
| 582 | if ($this->getComponent('TrustedBot')) { |
||
| 583 | |||
| 584 | // We want to put all the allowed robot into the rule list, so that the checking of IP's resolved hostname |
||
| 585 | // is no more needed for that IP. |
||
| 586 | if ($this->getComponent('TrustedBot')->isAllowed()) { |
||
|
|
|||
| 587 | |||
| 588 | if ($this->getComponent('TrustedBot')->isGoogle()) { |
||
| 589 | // Add current IP into allowed list, because it is from real Google domain. |
||
| 590 | $this->action( |
||
| 591 | self::ACTION_ALLOW, |
||
| 592 | self::REASON_IS_GOOGLE |
||
| 593 | ); |
||
| 594 | |||
| 595 | } elseif ($this->getComponent('TrustedBot')->isBing()) { |
||
| 596 | // Add current IP into allowed list, because it is from real Bing domain. |
||
| 597 | $this->action( |
||
| 598 | self::ACTION_ALLOW, |
||
| 599 | self::REASON_IS_BING |
||
| 600 | ); |
||
| 601 | |||
| 602 | } elseif ($this->getComponent('TrustedBot')->isYahoo()) { |
||
| 603 | // Add current IP into allowed list, because it is from real Yahoo domain. |
||
| 604 | $this->action( |
||
| 605 | self::ACTION_ALLOW, |
||
| 606 | self::REASON_IS_YAHOO |
||
| 607 | ); |
||
| 608 | |||
| 609 | } else { |
||
| 610 | // Add current IP into allowed list, because you trust it. |
||
| 611 | // You have already defined it in the settings. |
||
| 612 | $this->action( |
||
| 613 | self::ACTION_ALLOW, |
||
| 614 | self::REASON_IS_SEARCH_ENGINE |
||
| 615 | ); |
||
| 616 | } |
||
| 617 | // Allowed robots not join to our traffic handler. |
||
| 618 | $this->result = self::RESPONSE_ALLOW; |
||
| 619 | return true; |
||
| 620 | } |
||
| 621 | } |
||
| 622 | return false; |
||
| 623 | } |
||
| 624 | |||
| 625 | /** |
||
| 626 | * Check whether the IP is fake search engine or not. |
||
| 627 | * The method "isTrustedBot()" must be executed before this method. |
||
| 628 | * |
||
| 629 | * @return bool |
||
| 630 | */ |
||
| 631 | private function isFakeRobot(): bool |
||
| 632 | { |
||
| 633 | if ($this->getComponent('TrustedBot')) { |
||
| 634 | if ($this->getComponent('TrustedBot')->isFakeRobot()) { |
||
| 635 | $this->action( |
||
| 636 | self::ACTION_DENY, |
||
| 637 | self::REASON_COMPONENT_TRUSTED_ROBOT |
||
| 638 | ); |
||
| 639 | $this->result = self::RESPONSE_DENY; |
||
| 640 | return true; |
||
| 641 | } |
||
| 642 | } |
||
| 643 | return false; |
||
| 644 | } |
||
| 645 | |||
| 646 | /** |
||
| 647 | * Run, run, run! |
||
| 648 | * |
||
| 649 | * Check the rule tables first, if an IP address has been listed. |
||
| 650 | * Call function filter() if an IP address is not listed in rule tables. |
||
| 651 | * |
||
| 652 | * @return int The response code. |
||
| 653 | */ |
||
| 654 | protected function process(): int |
||
| 655 | { |
||
| 656 | $this->driver->init($this->autoCreateDatabase); |
||
| 657 | |||
| 658 | $this->initComponents(); |
||
| 659 | |||
| 660 | /* |
||
| 661 | |-------------------------------------------------------------------------- |
||
| 662 | | Stage - Looking for rule table. |
||
| 663 | |-------------------------------------------------------------------------- |
||
| 664 | */ |
||
| 665 | |||
| 666 | if ($this->isRuleTable()) { |
||
| 667 | return $this->result; |
||
| 668 | } |
||
| 669 | |||
| 670 | /* |
||
| 671 | |-------------------------------------------------------------------------- |
||
| 672 | | Statge - Detect popular search engine. |
||
| 673 | |-------------------------------------------------------------------------- |
||
| 674 | */ |
||
| 675 | |||
| 676 | if ($this->isTrustedBot()) { |
||
| 677 | return $this->result; |
||
| 678 | } |
||
| 679 | |||
| 680 | if ($this->isFakeRobot()) { |
||
| 681 | return $this->result; |
||
| 682 | } |
||
| 683 | |||
| 684 | /* |
||
| 685 | |-------------------------------------------------------------------------- |
||
| 686 | | Stage - IP component. |
||
| 687 | |-------------------------------------------------------------------------- |
||
| 688 | */ |
||
| 689 | |||
| 690 | if ($this->getComponent('Ip')) { |
||
| 691 | |||
| 692 | $result = $this->getComponent('Ip')->check(); |
||
| 693 | $actionCode = self::ACTION_DENY; |
||
| 694 | |||
| 695 | if (!empty($result)) { |
||
| 696 | |||
| 697 | switch ($result['status']) { |
||
| 698 | |||
| 699 | case 'allow': |
||
| 700 | $actionCode = self::ACTION_ALLOW; |
||
| 701 | $reasonCode = $result['code']; |
||
| 702 | break; |
||
| 703 | |||
| 704 | case 'deny': |
||
| 705 | $actionCode = self::ACTION_DENY; |
||
| 706 | $reasonCode = $result['code']; |
||
| 707 | break; |
||
| 708 | } |
||
| 709 | |||
| 710 | $this->action($actionCode, $reasonCode); |
||
| 711 | |||
| 712 | // $resultCode = $actionCode |
||
| 713 | return $this->result = $this->sessionHandler($actionCode); |
||
| 714 | } |
||
| 715 | } |
||
| 716 | |||
| 717 | /* |
||
| 718 | |-------------------------------------------------------------------------- |
||
| 719 | | Stage - Check all other components. |
||
| 720 | |-------------------------------------------------------------------------- |
||
| 721 | */ |
||
| 722 | |||
| 723 | foreach ($this->component as $component) { |
||
| 724 | |||
| 725 | // check if is a a bad robot already defined in settings. |
||
| 726 | if ($component->isDenied()) { |
||
| 727 | |||
| 728 | // @since 0.1.8 |
||
| 729 | $this->action( |
||
| 730 | self::ACTION_DENY, |
||
| 731 | $component->getDenyStatusCode() |
||
| 732 | ); |
||
| 733 | |||
| 734 | return $this->result = self::RESPONSE_DENY; |
||
| 735 | } |
||
| 736 | } |
||
| 737 | |||
| 738 | |||
| 739 | /* |
||
| 740 | |-------------------------------------------------------------------------- |
||
| 741 | | Stage - Filters |
||
| 742 | |-------------------------------------------------------------------------- |
||
| 743 | | This IP address is not listed in rule table, let's detect it. |
||
| 744 | | |
||
| 745 | */ |
||
| 746 | |||
| 747 | if ( |
||
| 748 | $this->filterStatus['frequency'] || |
||
| 749 | $this->filterStatus['referer'] || |
||
| 750 | $this->filterStatus['session'] || |
||
| 751 | $this->filterStatus['cookie'] |
||
| 752 | ) { |
||
| 753 | return $this->result = $this->sessionHandler($this->filter()); |
||
| 754 | } |
||
| 755 | |||
| 756 | return $this->result = $this->sessionHandler(self::RESPONSE_ALLOW); |
||
| 757 | } |
||
| 758 | |||
| 759 | /** |
||
| 760 | * Detect and analyze an user's behavior. |
||
| 761 | * |
||
| 762 | * @return int The response code. |
||
| 763 | */ |
||
| 764 | protected function filter(): int |
||
| 765 | { |
||
| 766 | $now = time(); |
||
| 767 | $isFlagged = false; |
||
| 768 | |||
| 769 | // Fetch an IP data from Shieldon log table. |
||
| 770 | $ipDetail = $this->driver->get($this->ip, 'filter'); |
||
| 771 | |||
| 772 | $ipDetail = $this->driver->parseData($ipDetail, 'filter'); |
||
| 773 | $logData = $ipDetail; |
||
| 774 | |||
| 775 | // Counting user pageviews. |
||
| 776 | foreach (array_keys($this->filterResetStatus) as $unit) { |
||
| 777 | |||
| 778 | // Each time unit will increase by 1. |
||
| 779 | $logData['pageviews_' . $unit] = $ipDetail['pageviews_' . $unit] + 1; |
||
| 780 | $logData['first_time_' . $unit] = $ipDetail['first_time_' . $unit]; |
||
| 781 | } |
||
| 782 | |||
| 783 | $logData['first_time_flag'] = $ipDetail['first_time_flag']; |
||
| 784 | |||
| 785 | if (!empty($ipDetail['ip'])) { |
||
| 786 | $logData['ip'] = $this->ip; |
||
| 787 | $logData['session'] = get_session()->get('id'); |
||
| 788 | $logData['hostname'] = $this->rdns; |
||
| 789 | $logData['last_time'] = $now; |
||
| 790 | |||
| 791 | // Filter: HTTP referrer information. |
||
| 792 | $filterReferer = $this->filterReferer($logData, $ipDetail, $isFlagged); |
||
| 793 | $isFlagged = $filterReferer['is_flagged']; |
||
| 794 | $logData = $filterReferer['log_data']; |
||
| 795 | |||
| 796 | if ($filterReferer['is_reject']) { |
||
| 797 | return self::RESPONSE_TEMPORARILY_DENY; |
||
| 798 | } |
||
| 799 | |||
| 800 | // Filter: Session. |
||
| 801 | $filterSession = $this->filterSession($logData, $ipDetail, $isFlagged); |
||
| 802 | $isFlagged = $filterSession['is_flagged']; |
||
| 803 | $logData = $filterSession['log_data']; |
||
| 804 | |||
| 805 | if ($filterSession['is_reject']) { |
||
| 806 | return self::RESPONSE_TEMPORARILY_DENY; |
||
| 807 | } |
||
| 808 | |||
| 809 | // Filter: JavaScript produced cookie. |
||
| 810 | $filterCookie = $this->filterCookie($logData, $ipDetail, $isFlagged); |
||
| 811 | $isFlagged = $filterCookie['is_flagged']; |
||
| 812 | $logData = $filterCookie['log_data']; |
||
| 813 | |||
| 814 | if ($filterCookie['is_reject']) { |
||
| 815 | return self::RESPONSE_TEMPORARILY_DENY; |
||
| 816 | } |
||
| 817 | |||
| 818 | // Filter: frequency. |
||
| 819 | $filterFrequency = $this->filterFrequency($logData, $ipDetail, $isFlagged); |
||
| 820 | $isFlagged = $filterFrequency['is_flagged']; |
||
| 821 | $logData = $filterFrequency['log_data']; |
||
| 822 | |||
| 823 | if ($filterFrequency['is_reject']) { |
||
| 824 | return self::RESPONSE_TEMPORARILY_DENY; |
||
| 825 | } |
||
| 826 | |||
| 827 | // Is fagged as unusual beavior? Count the first time. |
||
| 828 | if ($isFlagged) { |
||
| 829 | $logData['first_time_flag'] = (!empty($logData['first_time_flag'])) ? $logData['first_time_flag'] : $now; |
||
| 830 | } |
||
| 831 | |||
| 832 | // Reset the flagged factor check. |
||
| 833 | if (!empty($ipDetail['first_time_flag'])) { |
||
| 834 | if ($now - $ipDetail['first_time_flag'] >= $this->properties['time_reset_limit']) { |
||
| 835 | $logData['flag_multi_session'] = 0; |
||
| 836 | $logData['flag_empty_referer'] = 0; |
||
| 837 | $logData['flag_js_cookie'] = 0; |
||
| 838 | } |
||
| 839 | } |
||
| 840 | |||
| 841 | $this->driver->save($this->ip, $logData, 'filter'); |
||
| 842 | |||
| 843 | } else { |
||
| 844 | |||
| 845 | // If $ipDetail[ip] is empty. |
||
| 846 | // It means that the user is first time visiting our webiste. |
||
| 847 | $this->initializeFilterLogData($logData); |
||
| 848 | } |
||
| 849 | |||
| 850 | return self::RESPONSE_ALLOW; |
||
| 851 | } |
||
| 852 | |||
| 853 | /** |
||
| 854 | * Start an action for this IP address, allow or deny, and give a reason for it. |
||
| 855 | * |
||
| 856 | * @param int $actionCode - 0: deny, 1: allow, 9: unban. |
||
| 857 | * @param string $reasonCode |
||
| 858 | * @param string $assignIp |
||
| 859 | * |
||
| 860 | * @return void |
||
| 861 | */ |
||
| 862 | protected function action(int $actionCode, int $reasonCode, string $assignIp = ''): void |
||
| 863 | { |
||
| 864 | $ip = $this->ip; |
||
| 865 | $rdns = $this->rdns; |
||
| 866 | $now = time(); |
||
| 867 | $logData = []; |
||
| 868 | |||
| 869 | if ('' !== $assignIp) { |
||
| 870 | $ip = $assignIp; |
||
| 871 | $rdns = gethostbyaddr($ip); |
||
| 872 | } |
||
| 873 | |||
| 874 | switch ($actionCode) { |
||
| 875 | case self::ACTION_ALLOW: // acutally not used. |
||
| 876 | case self::ACTION_DENY: // actually not used. |
||
| 877 | case self::ACTION_TEMPORARILY_DENY: |
||
| 878 | $logData['log_ip'] = $ip; |
||
| 879 | $logData['ip_resolve'] = $rdns; |
||
| 880 | $logData['time'] = $now; |
||
| 881 | $logData['type'] = $actionCode; |
||
| 882 | $logData['reason'] = $reasonCode; |
||
| 883 | $logData['attempts'] = 0; |
||
| 884 | |||
| 885 | $this->driver->save($ip, $logData, 'rule'); |
||
| 886 | break; |
||
| 887 | |||
| 888 | case self::ACTION_UNBAN: |
||
| 889 | $this->driver->delete($ip, 'rule'); |
||
| 890 | break; |
||
| 891 | } |
||
| 892 | |||
| 893 | // Remove logs for this IP address because It already has it's own rule on system. |
||
| 894 | // No need to count it anymore. |
||
| 895 | $this->driver->delete($ip, 'filter'); |
||
| 896 | |||
| 897 | if (null !== $this->logger) { |
||
| 898 | $log['ip'] = $ip; |
||
| 899 | $log['session_id'] = get_session()->get('id'); |
||
| 900 | $log['action_code'] = $actionCode; |
||
| 901 | $log['timesamp'] = $now; |
||
| 902 | |||
| 903 | $this->logger->add($log); |
||
| 904 | } |
||
| 905 | } |
||
| 906 | |||
| 907 | /** |
||
| 908 | * Deal with online sessions. |
||
| 909 | * |
||
| 910 | * @param int $statusCode The response code. |
||
| 911 | * |
||
| 912 | * @return int The response code. |
||
| 913 | */ |
||
| 914 | protected function sessionHandler($statusCode): int |
||
| 915 | { |
||
| 916 | if (self::RESPONSE_ALLOW !== $statusCode) { |
||
| 917 | return $statusCode; |
||
| 918 | } |
||
| 919 | |||
| 920 | // If you don't enable `limit traffic`, ignore the following steps. |
||
| 921 | if (empty($this->sessionLimit['count'])) { |
||
| 922 | return self::RESPONSE_ALLOW; |
||
| 923 | |||
| 924 | } else { |
||
| 925 | |||
| 926 | // Get the proerties. |
||
| 927 | $limit = (int) ($this->sessionLimit['count'] ?? 0); |
||
| 928 | $period = (int) ($this->sessionLimit['period'] ?? 300); |
||
| 929 | $now = time(); |
||
| 930 | |||
| 931 | $sessionData = $this->driver->getAll('session'); |
||
| 932 | $sessionPools = []; |
||
| 933 | |||
| 934 | $i = 1; |
||
| 935 | $sessionOrder = 0; |
||
| 936 | |||
| 937 | if (!empty($sessionData)) { |
||
| 938 | foreach ($sessionData as $v) { |
||
| 939 | $sessionPools[] = $v['id']; |
||
| 940 | $lasttime = (int) $v['time']; |
||
| 941 | |||
| 942 | if (get_session()->get('id') === $v['id']) { |
||
| 943 | $sessionOrder = $i; |
||
| 944 | } |
||
| 945 | |||
| 946 | // Remove session if it expires. |
||
| 947 | if ($now - $lasttime > $period) { |
||
| 948 | $this->driver->delete($v['id'], 'session'); |
||
| 949 | } |
||
| 950 | $i++; |
||
| 951 | } |
||
| 952 | |||
| 953 | if (0 === $sessionOrder) { |
||
| 954 | $sessionOrder = $i; |
||
| 955 | } |
||
| 956 | } else { |
||
| 957 | $sessionOrder = 0; |
||
| 958 | } |
||
| 959 | |||
| 960 | // Count the online sessions. |
||
| 961 | $this->sessionStatus['count'] = count($sessionPools); |
||
| 962 | $this->sessionStatus['order'] = $sessionOrder; |
||
| 963 | $this->sessionStatus['queue'] = $sessionOrder - $limit; |
||
| 964 | |||
| 965 | if (!in_array(get_session()->get('id'), $sessionPools)) { |
||
| 966 | $this->sessionStatus['count']++; |
||
| 967 | |||
| 968 | // New session, record this data. |
||
| 969 | $data['id'] = get_session()->get('id'); |
||
| 970 | $data['ip'] = $this->ip; |
||
| 971 | $data['time'] = $now; |
||
| 972 | |||
| 973 | $microtimesamp = explode(' ', microtime()); |
||
| 974 | $microtimesamp = $microtimesamp[1] . str_replace('0.', '', $microtimesamp[0]); |
||
| 975 | $data['microtimesamp'] = $microtimesamp; |
||
| 976 | |||
| 977 | $this->driver->save(get_session()->get('id'), $data, 'session'); |
||
| 978 | } |
||
| 979 | |||
| 980 | // Online session count reached the limit. So return RESPONSE_LIMIT_SESSION response code. |
||
| 981 | if ($sessionOrder >= $limit) { |
||
| 982 | return self::RESPONSE_LIMIT_SESSION; |
||
| 983 | } |
||
| 984 | } |
||
| 985 | |||
| 986 | return self::RESPONSE_ALLOW; |
||
| 987 | } |
||
| 988 | |||
| 989 | /** |
||
| 990 | * When the user is first time visiting our webiste. |
||
| 991 | * Initialize the log data. |
||
| 992 | * |
||
| 993 | * @param array $logData The user's log data. |
||
| 994 | * |
||
| 995 | * @return void |
||
| 996 | */ |
||
| 997 | protected function initializeFilterLogData($logData) |
||
| 998 | { |
||
| 999 | $now = time(); |
||
| 1000 | |||
| 1001 | $logData['ip'] = $this->ip; |
||
| 1002 | $logData['session'] = get_session()->get('id'); |
||
| 1003 | $logData['hostname'] = $this->rdns; |
||
| 1004 | $logData['last_time'] = $now; |
||
| 1005 | |||
| 1006 | foreach (array_keys($this->filterResetStatus) as $unit) { |
||
| 1007 | $logData['first_time_' . $unit] = $now; |
||
| 1008 | } |
||
| 1009 | |||
| 1010 | $this->driver->save($this->ip, $logData, 'filter'); |
||
| 1011 | } |
||
| 1012 | |||
| 1013 | |||
| 1014 | |||
| 1015 | // @codeCoverageIgnoreStart |
||
| 1016 | |||
| 1017 | /** |
||
| 1018 | * For testing propose. |
||
| 1019 | * |
||
| 1020 | * @param string $sessionId |
||
| 1021 | * |
||
| 1022 | * @return void |
||
| 1023 | */ |
||
| 1024 | protected function setSessionId(string $sessionId = ''): void |
||
| 1025 | { |
||
| 1026 | if ('' !== $sessionId) { |
||
| 1027 | get_session()->set('id', $sessionId); |
||
| 1028 | } |
||
| 1029 | } |
||
| 1030 | |||
| 1031 | // @codeCoverageIgnoreEnd |
||
| 1032 | |||
| 1033 | /* |
||
| 1034 | | ------------------------------------------------------------------- |
||
| 1035 | | Public APIs |
||
| 1036 | | ------------------------------------------------------------------- |
||
| 1037 | */ |
||
| 1038 | |||
| 1039 | /** |
||
| 1040 | * Register classes to Shieldon core. |
||
| 1041 | * setDriver, setLogger, setComponent and setCaptcha are deprecated methods |
||
| 1042 | * and no more used. |
||
| 1043 | * |
||
| 1044 | * @param object $instance Component classes that used on Shieldon. |
||
| 1045 | * |
||
| 1046 | * @return void |
||
| 1047 | */ |
||
| 1048 | public function add($instance) |
||
| 1049 | { |
||
| 1050 | static $i = 2; |
||
| 1051 | |||
| 1052 | $class = $this->getClassName($instance); |
||
| 1053 | |||
| 1054 | if ($instance instanceof DriverProvider) { |
||
| 1055 | $this->driver = $instance; |
||
| 1056 | $this->registrar[0] = [ |
||
| 1057 | 'category' => 'driver', |
||
| 1058 | 'class' => $class, |
||
| 1059 | ]; |
||
| 1060 | } |
||
| 1061 | |||
| 1062 | if ($instance instanceof ActionLogger) { |
||
| 1063 | $this->logger = $instance; |
||
| 1064 | $this->registrar[1] = [ |
||
| 1065 | 'category' => 'logger', |
||
| 1066 | 'class' => $class, |
||
| 1067 | ]; |
||
| 1068 | } |
||
| 1069 | |||
| 1070 | if ($instance instanceof CaptchaInterface) { |
||
| 1071 | $this->captcha[$class] = $instance; |
||
| 1072 | $this->registrar[$i] = [ |
||
| 1073 | 'category' => 'captcha', |
||
| 1074 | 'class' => $class, |
||
| 1075 | ]; |
||
| 1076 | $i++; |
||
| 1077 | } |
||
| 1078 | |||
| 1079 | if ($instance instanceof ComponentProvider) { |
||
| 1080 | $this->component[$class] = $instance; |
||
| 1081 | $this->registrar[$i] = [ |
||
| 1082 | 'category' => 'component', |
||
| 1083 | 'class' => $class, |
||
| 1084 | ]; |
||
| 1085 | $i++; |
||
| 1086 | } |
||
| 1087 | |||
| 1088 | if ($instance instanceof MessengerInterface) { |
||
| 1089 | $this->messenger[] = $instance; |
||
| 1090 | $this->registrar[$i] = [ |
||
| 1091 | 'category' => 'messenger', |
||
| 1092 | 'class' => $class, |
||
| 1093 | ]; |
||
| 1094 | $i++; |
||
| 1095 | } |
||
| 1096 | } |
||
| 1097 | |||
| 1098 | /** |
||
| 1099 | * Remove registered classes from the Kernel. |
||
| 1100 | * |
||
| 1101 | * @param string $category The class category. |
||
| 1102 | * @param string $className The class name. |
||
| 1103 | * |
||
| 1104 | * @return void |
||
| 1105 | */ |
||
| 1106 | public function remove(string $category, string $className = '') |
||
| 1107 | { |
||
| 1108 | if ($className !== '') { |
||
| 1109 | foreach ($this->getRegistrar() as $k => $v) { |
||
| 1110 | if ($category === $v['category'] && $className === $v['class']) { |
||
| 1111 | if (is_array($this->{$category})) { |
||
| 1112 | foreach ($this->{$category} as $k2 => $instance) { |
||
| 1113 | if ($this->getClassName($instance) === $className) { |
||
| 1114 | unset($this->{$category}[$k2]); |
||
| 1115 | } |
||
| 1116 | } |
||
| 1117 | } else { |
||
| 1118 | $this->{$category} = null; |
||
| 1119 | } |
||
| 1120 | unset($this->registrar[$k]); |
||
| 1121 | } |
||
| 1122 | } |
||
| 1123 | } else { |
||
| 1124 | foreach ($this->getRegistrar() as $k => $v) { |
||
| 1125 | if ($category === $v['category']) { |
||
| 1126 | if (is_array($this->{$category})) { |
||
| 1127 | $this->{$category} = []; |
||
| 1128 | } else { |
||
| 1129 | $this->{$category} = null; |
||
| 1130 | } |
||
| 1131 | unset($this->registrar[$k]); |
||
| 1132 | } |
||
| 1133 | } |
||
| 1134 | } |
||
| 1135 | } |
||
| 1136 | |||
| 1137 | /** |
||
| 1138 | * Fetch the class list from registrar. |
||
| 1139 | * |
||
| 1140 | * @return array |
||
| 1141 | */ |
||
| 1142 | public function getRegistrar(): array |
||
| 1143 | { |
||
| 1144 | return $this->registrar; |
||
| 1145 | } |
||
| 1146 | |||
| 1147 | /** |
||
| 1148 | * Get a component instance from component's container. |
||
| 1149 | * |
||
| 1150 | * @param string $name The component's class name. |
||
| 1151 | * |
||
| 1152 | * @return ComponentInterface|null |
||
| 1153 | */ |
||
| 1154 | public function getComponent(string $name) |
||
| 1155 | { |
||
| 1156 | if (isset($this->component[$name])) { |
||
| 1157 | return $this->component[$name]; |
||
| 1158 | } |
||
| 1159 | |||
| 1160 | return null; |
||
| 1161 | } |
||
| 1162 | |||
| 1163 | /** |
||
| 1164 | * Strict mode. |
||
| 1165 | * This option will take effects to all components. |
||
| 1166 | * |
||
| 1167 | * @param bool $bool Set true to enble strict mode, false to disable it overwise. |
||
| 1168 | * |
||
| 1169 | * @return void |
||
| 1170 | */ |
||
| 1171 | public function setStrict(bool $bool) |
||
| 1172 | { |
||
| 1173 | $this->strictMode = $bool; |
||
| 1174 | } |
||
| 1175 | |||
| 1176 | /** |
||
| 1177 | * Disable filters. |
||
| 1178 | */ |
||
| 1179 | public function disableFilters(): void |
||
| 1180 | { |
||
| 1181 | $this->setFilters([ |
||
| 1182 | 'session' => false, |
||
| 1183 | 'cookie' => false, |
||
| 1184 | 'referer' => false, |
||
| 1185 | 'frequency' => false, |
||
| 1186 | ]); |
||
| 1187 | } |
||
| 1188 | |||
| 1189 | /** |
||
| 1190 | * For first time installation only. This is for creating data tables automatically. |
||
| 1191 | * Turning it on will check the data tables exist or not at every single pageview, |
||
| 1192 | * it's not good for high traffic websites. |
||
| 1193 | * |
||
| 1194 | * @param bool $bool |
||
| 1195 | * |
||
| 1196 | * @return void |
||
| 1197 | */ |
||
| 1198 | public function createDatabase(bool $bool) |
||
| 1199 | { |
||
| 1200 | $this->autoCreateDatabase = $bool; |
||
| 1201 | } |
||
| 1202 | |||
| 1203 | /** |
||
| 1204 | * Set a data channel. |
||
| 1205 | * |
||
| 1206 | * This will create databases for the channel. |
||
| 1207 | * |
||
| 1208 | * @param string $channel Specify a channel. |
||
| 1209 | * |
||
| 1210 | * @return void |
||
| 1211 | */ |
||
| 1212 | public function setChannel(string $channel) |
||
| 1213 | { |
||
| 1214 | if (!$this->driver instanceof DriverProvider) { |
||
| 1215 | throw new LogicException('setChannel method requires setDriver set first.'); |
||
| 1216 | } else { |
||
| 1217 | $this->driver->setChannel($channel); |
||
| 1218 | } |
||
| 1219 | } |
||
| 1220 | |||
| 1221 | /** |
||
| 1222 | * Return the result from Captchas. |
||
| 1223 | * |
||
| 1224 | * @return bool |
||
| 1225 | */ |
||
| 1226 | public function captchaResponse(): bool |
||
| 1227 | { |
||
| 1228 | foreach ($this->captcha as $captcha) { |
||
| 1229 | |||
| 1230 | if (!$captcha->response()) { |
||
| 1231 | return false; |
||
| 1232 | } |
||
| 1233 | } |
||
| 1234 | |||
| 1235 | if (!empty($this->sessionLimit['count'])) { |
||
| 1236 | $this->result = $this->sessionHandler(self::RESPONSE_ALLOW); |
||
| 1237 | } |
||
| 1238 | |||
| 1239 | return true; |
||
| 1240 | } |
||
| 1241 | |||
| 1242 | /** |
||
| 1243 | * Ban an IP. |
||
| 1244 | * |
||
| 1245 | * @param string $ip A valid IP address. |
||
| 1246 | * |
||
| 1247 | * @return void |
||
| 1248 | */ |
||
| 1249 | public function ban(string $ip = ''): void |
||
| 1258 | ); |
||
| 1259 | } |
||
| 1260 | |||
| 1261 | /** |
||
| 1262 | * Unban an IP. |
||
| 1263 | * |
||
| 1264 | * @param string $ip A valid IP address. |
||
| 1265 | * |
||
| 1266 | * @return void |
||
| 1267 | */ |
||
| 1268 | public function unban(string $ip = ''): void |
||
| 1269 | { |
||
| 1270 | if ('' === $ip) { |
||
| 1271 | $ip = $this->ip; |
||
| 1272 | } |
||
| 1273 | |||
| 1274 | $this->action( |
||
| 1275 | self::ACTION_UNBAN, |
||
| 1276 | self::REASON_MANUAL_BAN, $ip |
||
| 1277 | ); |
||
| 1278 | $this->log(self::ACTION_UNBAN); |
||
| 1279 | |||
| 1280 | $this->result = self::RESPONSE_ALLOW; |
||
| 1281 | } |
||
| 1282 | |||
| 1283 | /** |
||
| 1284 | * Set a property setting. |
||
| 1285 | * |
||
| 1286 | * @param string $key The key of a property setting. |
||
| 1287 | * @param mixed $value The value of a property setting. |
||
| 1288 | * |
||
| 1289 | * @return void |
||
| 1290 | */ |
||
| 1291 | public function setProperty(string $key = '', $value = '') |
||
| 1292 | { |
||
| 1293 | if (isset($this->properties[$key])) { |
||
| 1294 | $this->properties[$key] = $value; |
||
| 1295 | } |
||
| 1296 | } |
||
| 1297 | |||
| 1298 | /** |
||
| 1299 | * Set the property settings. |
||
| 1300 | * |
||
| 1301 | * @param array $settings The settings. |
||
| 1302 | * |
||
| 1303 | * @return void |
||
| 1304 | */ |
||
| 1305 | public function setProperties(array $settings): void |
||
| 1306 | { |
||
| 1307 | foreach (array_keys($this->properties) as $k) { |
||
| 1308 | if (isset($settings[$k])) { |
||
| 1309 | $this->properties[$k] = $settings[$k]; |
||
| 1310 | } |
||
| 1311 | } |
||
| 1312 | } |
||
| 1313 | |||
| 1314 | /** |
||
| 1315 | * Limt online sessions. |
||
| 1316 | * |
||
| 1317 | * @param int $count |
||
| 1318 | * @param int $period |
||
| 1319 | * |
||
| 1320 | * @return void |
||
| 1321 | */ |
||
| 1322 | public function limitSession(int $count = 1000, int $period = 300): void |
||
| 1323 | { |
||
| 1324 | $this->sessionLimit = [ |
||
| 1325 | 'count' => $count, |
||
| 1326 | 'period' => $period |
||
| 1327 | ]; |
||
| 1328 | } |
||
| 1329 | |||
| 1330 | /** |
||
| 1331 | * Customize the dialog UI. |
||
| 1332 | * |
||
| 1333 | * @return void |
||
| 1334 | */ |
||
| 1335 | public function setDialogUI(array $settings): void |
||
| 1338 | } |
||
| 1339 | |||
| 1340 | /** |
||
| 1341 | * Set the frontend template directory. |
||
| 1342 | * |
||
| 1343 | * @param string $directory |
||
| 1344 | * |
||
| 1345 | * @return void |
||
| 1346 | */ |
||
| 1347 | public function setTemplateDirectory(string $directory) |
||
| 1348 | { |
||
| 1349 | if (!is_dir($directory)) { |
||
| 1350 | throw new InvalidArgumentException('The template directory does not exist.'); |
||
| 1351 | } |
||
| 1352 | $this->templateDirectory = $directory; |
||
| 1353 | } |
||
| 1354 | |||
| 1355 | /** |
||
| 1356 | * Get a template PHP file. |
||
| 1357 | * |
||
| 1358 | * @param string $type The template type. |
||
| 1359 | * |
||
| 1360 | * @return string |
||
| 1361 | */ |
||
| 1362 | protected function getTemplate(string $type): string |
||
| 1363 | { |
||
| 1364 | $directory = self::KERNEL_DIR . '/../../templates/frontend'; |
||
| 1365 | |||
| 1366 | if (!empty($this->templateDirectory)) { |
||
| 1367 | $directory = $this->templateDirectory; |
||
| 1368 | } |
||
| 1369 | |||
| 1370 | $path = $directory . '/' . $type . '.php'; |
||
| 1371 | |||
| 1372 | if (!file_exists($path)) { |
||
| 1373 | throw new RuntimeException( |
||
| 1374 | sprintf( |
||
| 1375 | 'The templeate file is missing. (%s)', |
||
| 1376 | $path |
||
| 1377 | ) |
||
| 1378 | ); |
||
| 1379 | } |
||
| 1380 | |||
| 1381 | return $path; |
||
| 1382 | } |
||
| 1383 | |||
| 1384 | /** |
||
| 1385 | * Get a class name without namespace string. |
||
| 1386 | * |
||
| 1387 | * @param object $instance Class |
||
| 1388 | * |
||
| 1389 | * @return void |
||
| 1390 | */ |
||
| 1391 | protected function getClassName($instance): string |
||
| 1392 | { |
||
| 1393 | $class = get_class($instance); |
||
| 1394 | return substr($class, strrpos($class, '\\') + 1); |
||
| 1395 | } |
||
| 1396 | |||
| 1397 | /** |
||
| 1398 | * Respond the result. |
||
| 1399 | * |
||
| 1400 | * @return ResponseInterface |
||
| 1401 | */ |
||
| 1402 | public function respond(): ResponseInterface |
||
| 1403 | { |
||
| 1404 | $response = get_response(); |
||
| 1405 | $type = ''; |
||
| 1406 | |||
| 1407 | if (self::RESPONSE_TEMPORARILY_DENY === $this->result) { |
||
| 1408 | $type = 'captcha'; |
||
| 1409 | $statusCode = 403; // Forbidden. |
||
| 1410 | |||
| 1411 | } elseif (self::RESPONSE_LIMIT_SESSION === $this->result) { |
||
| 1412 | $type = 'session_limitation'; |
||
| 1413 | $statusCode = 429; // Too Many Requests. |
||
| 1414 | |||
| 1415 | } elseif (self::RESPONSE_DENY === $this->result) { |
||
| 1416 | $type = 'rejection'; |
||
| 1417 | $statusCode = 400; // Bad request. |
||
| 1418 | } |
||
| 1419 | |||
| 1420 | // Nothing happened. Return. |
||
| 1421 | if (empty($type)) { |
||
| 1422 | // @codeCoverageIgnoreStart |
||
| 1423 | return $response; |
||
| 1424 | // @codeCoverageIgnoreEnd |
||
| 1425 | } |
||
| 1426 | |||
| 1427 | $viewPath = $this->getTemplate($type); |
||
| 1428 | |||
| 1429 | // The language of output UI. It is used on views. |
||
| 1430 | $langCode = get_session()->get('shieldon_ui_lang') ?? 'en'; |
||
| 1431 | // Show online session count. It is used on views. |
||
| 1432 | $showOnlineInformation = true; |
||
| 1433 | // Show user information such as IP, user-agent, device name. |
||
| 1434 | $showUserInformation = true; |
||
| 1435 | |||
| 1436 | if (empty($this->properties['display_online_info'])) { |
||
| 1437 | $showOnlineInformation = false; |
||
| 1438 | } |
||
| 1439 | |||
| 1440 | if (empty($this->properties['display_user_info'])) { |
||
| 1441 | $showUserInformation = false; |
||
| 1442 | } |
||
| 1443 | |||
| 1444 | if ($showUserInformation) { |
||
| 1445 | $dialoguserinfo['ip'] = $this->ip; |
||
| 1446 | $dialoguserinfo['rdns'] = $this->rdns; |
||
| 1447 | $dialoguserinfo['user_agent'] = get_request()->getHeaderLine('user-agent'); |
||
| 1448 | } |
||
| 1449 | |||
| 1450 | $ui = [ |
||
| 1451 | 'background_image' => $this->dialogUI['background_image'] ?? '', |
||
| 1452 | 'bg_color' => $this->dialogUI['bg_color'] ?? '#ffffff', |
||
| 1453 | 'header_bg_color' => $this->dialogUI['header_bg_color'] ?? '#212531', |
||
| 1454 | 'header_color' => $this->dialogUI['header_color'] ?? '#ffffff', |
||
| 1455 | 'shadow_opacity' => $this->dialogUI['shadow_opacity'] ?? '0.2', |
||
| 1456 | ]; |
||
| 1457 | |||
| 1458 | if (!defined('SHIELDON_VIEW')) { |
||
| 1459 | define('SHIELDON_VIEW', true); |
||
| 1460 | } |
||
| 1461 | |||
| 1462 | $css = require $this->getTemplate('css/default'); |
||
| 1463 | |||
| 1464 | ob_start(); |
||
| 1465 | require $viewPath; |
||
| 1466 | $output = ob_get_contents(); |
||
| 1467 | ob_end_clean(); |
||
| 1468 | |||
| 1469 | // Remove unused variable notices generated from PHP intelephense. |
||
| 1470 | unset( |
||
| 1471 | $css, |
||
| 1472 | $ui, |
||
| 1473 | $langCode, |
||
| 1474 | $showOnlineInformation, |
||
| 1475 | $showLineupInformation, |
||
| 1476 | $showUserInformation |
||
| 1477 | ); |
||
| 1478 | |||
| 1479 | $stream = $response->getBody(); |
||
| 1480 | $stream->write($output); |
||
| 1481 | $stream->rewind(); |
||
| 1482 | |||
| 1483 | return $response-> |
||
| 1484 | withHeader('X-Protected-By', 'shieldon.io')-> |
||
| 1485 | withBody($stream)-> |
||
| 1486 | withStatus($statusCode); |
||
| 1487 | } |
||
| 1488 | |||
| 1489 | /** |
||
| 1490 | * Run, run, run! |
||
| 1491 | * |
||
| 1492 | * Check the rule tables first, if an IP address has been listed. |
||
| 1493 | * Call function filter() if an IP address is not listed in rule tables. |
||
| 1494 | * |
||
| 1495 | * @return |
||
| 1496 | */ |
||
| 1497 | public function run(): int |
||
| 1498 | { |
||
| 1499 | if (!isset($this->registrar[0])) { |
||
| 1500 | throw new RuntimeException( |
||
| 1501 | 'Must register at least one data driver.' |
||
| 1502 | ); |
||
| 1503 | } |
||
| 1504 | |||
| 1505 | // Ignore the excluded urls. |
||
| 1506 | if (!empty($this->excludedUrls)) { |
||
| 1507 | foreach ($this->excludedUrls as $url) { |
||
| 1508 | if (0 === strpos(get_request()->getUri()->getPath(), $url)) { |
||
| 1509 | return $this->result = self::RESPONSE_ALLOW; |
||
| 1510 | } |
||
| 1511 | } |
||
| 1512 | } |
||
| 1513 | |||
| 1514 | // Execute closure functions. |
||
| 1515 | foreach ($this->closures as $closure) { |
||
| 1516 | $closure(); |
||
| 1517 | } |
||
| 1518 | |||
| 1519 | $result = $this->process(); |
||
| 1520 | |||
| 1521 | if ($result !== self::RESPONSE_ALLOW) { |
||
| 1522 | |||
| 1523 | // Current session did not pass the CAPTCHA, it is still stuck in CAPTCHA page. |
||
| 1524 | $actionCode = self::LOG_CAPTCHA; |
||
| 1525 | |||
| 1526 | // If current session's respone code is RESPONSE_DENY, record it as `blacklist_count` in our logs. |
||
| 1527 | // It is stuck in warning page, not CAPTCHA. |
||
| 1528 | if ($result === self::RESPONSE_DENY) { |
||
| 1529 | $actionCode = self::LOG_BLACKLIST; |
||
| 1530 | } |
||
| 1531 | |||
| 1532 | if ($result === self::RESPONSE_LIMIT_SESSION) { |
||
| 1533 | $actionCode = self::LOG_LIMIT; |
||
| 1534 | } |
||
| 1535 | |||
| 1536 | $this->log($actionCode); |
||
| 1537 | |||
| 1538 | } else { |
||
| 1539 | |||
| 1540 | $this->log(self::LOG_PAGEVIEW); |
||
| 1541 | } |
||
| 1542 | |||
| 1543 | |||
| 1544 | if (!empty($this->msgBody)) { |
||
| 1545 | |||
| 1546 | // @codeCoverageIgnoreStart |
||
| 1547 | |||
| 1548 | try { |
||
| 1549 | foreach ($this->messenger as $messenger) { |
||
| 1550 | $messenger->setTimeout(2); |
||
| 1551 | $messenger->send($this->msgBody); |
||
| 1552 | } |
||
| 1553 | } catch (RuntimeException $e) { |
||
| 1554 | // Do not throw error, becasue the third-party services might be unavailable. |
||
| 1555 | } |
||
| 1556 | |||
| 1557 | // @codeCoverageIgnoreEnd |
||
| 1558 | } |
||
| 1559 | |||
| 1560 | |||
| 1561 | return $result; |
||
| 1562 | } |
||
| 1563 | |||
| 1564 | /** |
||
| 1565 | * Set the filters. |
||
| 1566 | * |
||
| 1567 | * @param array $settings filter settings. |
||
| 1568 | * |
||
| 1569 | * @return void |
||
| 1570 | */ |
||
| 1571 | public function setFilters(array $settings) |
||
| 1572 | { |
||
| 1573 | foreach (array_keys($this->filterStatus) as $k) { |
||
| 1574 | if (isset($settings[$k])) { |
||
| 1575 | $this->filterStatus[$k] = $settings[$k] ?? false; |
||
| 1576 | } |
||
| 1577 | } |
||
| 1578 | } |
||
| 1579 | |||
| 1580 | /** |
||
| 1581 | * Set a filter. |
||
| 1582 | * |
||
| 1583 | * @param string $filterName The filter's name. |
||
| 1584 | * @param bool $value True for enabling the filter, overwise. |
||
| 1585 | * |
||
| 1586 | * @return void |
||
| 1587 | */ |
||
| 1588 | public function setFilter(string $filterName, bool $value): void |
||
| 1589 | { |
||
| 1590 | if (isset($this->filterStatus[$filterName])) { |
||
| 1591 | $this->filterStatus[$filterName] = $value; |
||
| 1592 | } |
||
| 1593 | } |
||
| 1594 | |||
| 1595 | /** |
||
| 1596 | * Get online people count. If enable limitSession. |
||
| 1597 | * |
||
| 1598 | * @return int |
||
| 1599 | */ |
||
| 1600 | public function getSessionCount(): int |
||
| 1603 | } |
||
| 1604 | |||
| 1605 | /** |
||
| 1606 | * Set the URLs you want them to be excluded them from protection. |
||
| 1607 | * |
||
| 1608 | * @param array $urls The list of URL want to be excluded. |
||
| 1609 | * |
||
| 1610 | * @return void |
||
| 1611 | */ |
||
| 1612 | public function setExcludedUrls(array $urls = []): void |
||
| 1613 | { |
||
| 1614 | $this->excludedUrls = $urls; |
||
| 1615 | } |
||
| 1616 | |||
| 1617 | /** |
||
| 1618 | * Set a closure function. |
||
| 1619 | * |
||
| 1620 | * @param string $key The name for the closure class. |
||
| 1621 | * @param Closure $closure An instance will be later called. |
||
| 1622 | * |
||
| 1623 | * @return void |
||
| 1624 | */ |
||
| 1625 | public function setClosure(string $key, Closure $closure): void |
||
| 1626 | { |
||
| 1627 | $this->closures[$key] = $closure; |
||
| 1628 | } |
||
| 1629 | |||
| 1630 | /** |
||
| 1631 | * Print a JavasSript snippet in your webpages. |
||
| 1632 | * |
||
| 1633 | * This snippet generate cookie on client's browser,then we check the |
||
| 1634 | * cookie to identify the client is a rebot or not. |
||
| 1635 | * |
||
| 1636 | * @return string |
||
| 1637 | */ |
||
| 1638 | public function outputJsSnippet(): string |
||
| 1658 | } |
||
| 1659 | |||
| 1660 | /** |
||
| 1661 | * Get current visior's path. |
||
| 1662 | * |
||
| 1663 | * @return string |
||
| 1664 | */ |
||
| 1665 | public function getCurrentUrl(): string |
||
| 1666 | { |
||
| 1667 | return get_request()->getUri()->getPath(); |
||
| 1668 | } |
||
| 1669 | |||
| 1670 | /** |
||
| 1671 | * Displayed on Firewall Panel, tell you current what type of current |
||
| 1672 | * configuration is used for. |
||
| 1673 | * |
||
| 1674 | * @param string $type The type of configuration. |
||
| 1675 | * demo | managed | config |
||
| 1676 | * |
||
| 1677 | * @return void |
||
| 1678 | */ |
||
| 1679 | public function managedBy(string $type = ''): void |
||
| 1683 | } |
||
| 1684 | } |
||
| 1685 | } |
||
| 1686 |