Protect public links password page

[karakayasemi]

Fixes #57

• Legacy OC\User hooks changed with EventDispatcher events
• Brute force protection added for public link share authentications.
• Brute force protection settings now common for login and public link share auth.

[codecov]

Codecov Report

Merging #90 into master will increase coverage by 1.87%.
The diff coverage is 76.51%.

@@             Coverage Diff              @@
##             master      #90      +/-   ##
============================================
+ Coverage     70.00%   71.87%   +1.87%     
- Complexity       39       53      +14     
============================================
  Files            11       13       +2     
  Lines           170      256      +86     
============================================
+ Hits            119      184      +65     
- Misses           51       72      +21     

Impacted Files	Coverage Δ	Complexity Δ
appinfo/Migrations/Version20191109111104.php	0.00% <0.00%> (ø)	2.00 <2.00> (?)
lib/BruteForceProtectionConfig.php	100.00% <ø> (ø)	8.00 <0.00> (ø)
templates/settings-admin.php	0.00% <0.00%> (ø)	0.00 <0.00> (ø)
lib/Throttle.php	93.33% <91.30%> (+1.33%)	11.00 <10.00> (+3.00)
lib/Db/FailedLinkAccessMapper.php	100.00% <100.00%> (ø)	6.00 <6.00> (?)
lib/Db/FailedLoginAttemptMapper.php	100.00% <100.00%> (ø)	6.00 <2.00> (ø)
lib/Hooks.php	100.00% <100.00%> (+17.64%)	8.00 <6.00> (+3.00)
lib/Jobs/ExpireOldAttempts.php	100.00% <100.00%> (ø)	2.00 <0.00> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a142614...a56cce2. Read the comment docs.

[karakayasemi]

@DeepDiver1975 when you have time, would you like to review this community request implementation?

[mmattel]

Any update?

[karakayasemi]

@mmattel I need to rebase and resolve conflicts. After that, you can help me with testing the pr. Finally, we can merge this after your approval.

[mmattel]

@karakayasemi ping ?

[karakayasemi]

@mmattel, I rebased the PR and resolved conflicts. The PR is all green again and ready to merge after an approval. You can test the feature now.
Actually, I made quite some changes in codebase. A second eye on the code would be good. Thanks for helping me.

[phil-davis]

It's very good that the existing acceptance tests pass.
We should add some acceptance tests to demonstrate what happens when someone tries to brute-force a public link.

[phil-davis]

I added QA-team label etc. Someone can look at adding acceptance tests tomorrow - maybe @haribhandari07 you were already working in this app this week.

[haribhandari07]

I added QA-team label etc. Someone can look at adding acceptance tests tomorrow - maybe @haribhandari07 you were already working in this app this week.

I am on it @phil-davis

[phil-davis]

@haribhandari07 what is the status?
Please assign yourself if you are working on this, or talk to the scrum-master to get someone else assigned.

[phil-davis]

@haribhandari07 what happened so far?

[VicDeo]

Any reason why brute_force_protection is not in CamelCase?

[karakayasemi]

MigrationService cannot find migration classes that has '_' character in app name, it may indicate a bug on core. Because of that, I have been followed same syntax with previous migration class of this app.

[phil-davis]

Probably we will need to wait overnight until the new daily-master-qa tarball is generated. That will have the core changes in it. (But maybe you get lucky and the changes already work in CI?)

[phil-davis]

https://drone.owncloud.com/owncloud/brute_force_protection/973/17/7

The app now requires core 10.5 or later. So the drone test matrix needs to be adjusted.
.drone.star around in the acceptance webUI` section around line 48 needs:

			'servers': [
				'daily-master-qa'
			],

so that it only tests against daily-master-qa and not against latest (which is 10.4.1)

[phil-davis]

I added a commit to remove testing against latest 10.4.1

[phil-davis]

https://drone.owncloud.com/owncloud/brute_force_protection/975/17/10

  Scenario: access to public link is not blocked after too many invalid requests                                                                                                                               # /var/www/owncloud/testrunner/apps/brute_force_protection/tests/acceptance/features/apiBruteForceProtection/bruteforceprotection.feature:91
    Given user "Alice" has uploaded file with content "user1 file" to "/PARENT/randomfile.txt"                                                                                                                 # FeatureContext::userHasUploadedAFileWithContentTo()
    When user "Alice" creates a public link share using the sharing API with settings                                                                                                                          # FeatureContext::userCreatesAPublicLinkShareWithSettings()
      | path     | PARENT   |
      | password | %public% |
    And the public download of the last publicly shared file using the new public WebDAV API with password "12345" should fail with HTTP status code "401"                                                     # PublicWebDavContext::theLastPublicSharedFileShouldNotBeAbleToBeDownloadedWithPassword()
    And the public download of the last publicly shared file using the new public WebDAV API with password "12345" should fail with HTTP status code "401"                                                     # PublicWebDavContext::theLastPublicSharedFileShouldNotBeAbleToBeDownloadedWithPassword()
    And the public download of the last publicly shared file using the new public WebDAV API with password "123455" should fail with HTTP status code "401"                                                    # PublicWebDavContext::theLastPublicSharedFileShouldNotBeAbleToBeDownloadedWithPassword()
      HTTP status code 500 is not the expected value 401
      Failed asserting that 500 matches expected '401'.
    And the public should be able to download file "/randomfile.txt" from inside the last public shared folder using the new public WebDAV API with password "%public%" and the content should be "user1 file" # PublicWebDavContext::shouldBeAbleToDownloadFileInsidePublicSharedFolderWithPassword()

--- Failed scenarios:

    /var/www/owncloud/testrunner/apps/brute_force_protection/tests/acceptance/features/apiBruteForceProtection/bruteforceprotection.feature:91

34 scenarios (33 passed, 1 failed)
222 steps (220 passed, 1 failed, 1 skipped)

This is failing due to issue #112 - I will adjust the test...

[phil-davis]

I pushed more commits for acceptance test changes. I will see the CI result, and then rebase/squash/cleanup the commits into something more logical.

[phil-davis]

Commits squashed. Works with core 10.5.0. Ready for developer review.

[jvillafanez]

It's questionable to have translated messages in the exception.

• If the exception isn't caught this likely means that any other exception that could happen around here won't be caught neither, with the risk of exposing unneeded info
• If it's caught, it should be the responsibility of whoever caught the exception (probably a controller) to provide a proper response with the translated message.

[karakayasemi]

@jvillafanez I agree with your point, but I do not think we can easily implement consistent exception catching mechanism since an event can be dispatched from multiple places and multiple endpoints.
I followed the same way with login protection here. As far as I know, we have some translated exceptions like HintException in the codebase also. I would suggest keeping this one in that way for now to reduce effort.

[jvillafanez]

ok, you might want to include a comment instead so we know the text will be shown to the users

[jvillafanez]

Just saying there are some new files with copyright of 2019... we should adjust that date

[phil-davis]

drone CI got the "random" issue #98
https://drone.owncloud.com/owncloud/brute_force_protection/989/17/10
I will restart drone.

[karakayasemi]

drone CI got the "random" issue #98
https://drone.owncloud.com/owncloud/brute_force_protection/989/17/10
I will restart drone.

Looks like the random issue is not random anymore. I could not get a green CI with many attempts.

[karakayasemi]

@jvillafanez CI is green, I corrected most of the issues that you mention in your review. Please, review it again. Thank you.