Security.php

Go to the documentation of this file.

<?php

namespace Rsi\Fred;

class Security extends Component{

  public $proxies = []; //!< Proxy white-list (key = proxy IP-address (optionally in CIDR notation), value = header to use
    // (string) or headers (array)).
  public $allowlist = []; //!< IP-addresses (key; CIDR notation; seperate with semi-colon) to exclude from certain checks
    // (value = array of check names).
  public $blocklist = []; //!< IP-addresses to ban anyhow (array of IP-address, optionally in CIDR notation).
  public $ext = '.ban'; //!< Extension for ban registration file.
  public $defaultPurgeDays = 14; //!< Default number of days after which a ban file will be purged.
  public $defaultDelay = 3600; //!< Default time (seconds) a ban reason stays in the registry.
  public $bruteForceDelay = 10; //!< Default time (seconds) a brute force check stays in the registry.
  public $banCount = 5; //!< Number of registrations that will get you banned.
  public $server = []; //!< Server checks configuration (key = name, value = config as assoc.array).

  protected $_path = null; //!< Path to store the ban registration files (temp path if empty).
  protected $_checks = null; //!< Available checks (key = name, value = \\Rsi\\Fred\\Security\\Check).

  protected $_remoteAddr = null; //!< True IP-address of the client client (optionally behind a white-listed proxy).
  protected $_filename = null;
  protected $_banned = null;

  public function clientConfig(){
    $config = [];
    foreach($this->checks as $name => $check) $config[$name] = $check->clientConfig();
    return array_filter($config);
  }

  protected function filename($addr){
    return $this->path . str_replace(['.',':'],'-',$addr) . $this->ext;
  }

  protected function hasBan(){
    return is_file($this->filename);
  }

  protected function countBan(){
    return $this->hasBan() ? count(file($this->filename)) : 0;
  }

  protected function writeBan($reason,$time){
    return \Rsi\File::write($this->filename,"$time:$reason\n",0666,true);
  }
  /**
   * Add a ban reason to the registry.
   * @param string $reason  Name of reason.
   * @param int $delay  Time (seconds) the reason should stay in the registry (empty = use default).
   * @return bool  True when successful (null if the reason was on the allowlist).
   */
  public function addBan($reason,$delay = null){
    if($this->remoteAddr) try{
      foreach($this->allowlist as $subnets => $reasons)
        if(in_array($reason,$reasons) && \Rsi\Http::inSubnet(explode(';',$subnets),$this->remoteAddr)) return null;
      if(($this->countBan() < 10 * $this->banCount) && $this->writeBan($reason,time() + ($delay ?: $this->defaultDelay)))
        $this->session->banned = $this->_banned = null; //determine again on next call
    }
    catch(Exception $e){
      if($this->_fred->debug) throw $e;
      return false;
    }
    return true;
  }
  /**
   * Add a brute force reason to the registry.
   * @param bool $result  Whether the request was OK or not (only negative results get registered; however, positive results
   *   with a non-empty registry will be delayed too - this prevents attackers from interrupting a request after a small amount
   *   of time).
   * @param string $reason  Name of reason.
   * @param int $delay  Time (seconds) the reason should stay in the registry (empty = default).
   */
  public function bruteForceDelay($result,$reason = null,$delay = null){
    if(!$result) $this->addBan($reason ?: 'brute',$delay ?: $this->bruteForceDelay);
    if($this->hasBan()) sleep($this->bruteForceDelay * ($result ? pow(rand(0,100),3) / 1000000 : 1));
  }
  /**
   * Unban a client's IP address.
   * @param string $addr
   * @return bool  True if the ban was successful deleted.
   */
  public function unBan($addr){
    $result = true;
    foreach($this->checks as $name=> $check) if(!$check->unBan($addr)) $result = false;
    return \Rsi\File::unlink($this->filename($addr)) && $result;
  }
  /**
   * Perform a server check.
   * @param string $name  Name of the check.
   * @return mixed  Whatever the check returned
   */
  public function server($name){
    $config = $this->server[$name] ?? [];
    $class_name = \Rsi\Record::get($config,'className',__CLASS__ . '\\Server\\' . ucfirst($name));
    $check = new $class_name($this->_fred,$config);
    return $check->check();
  }
  /**
   * Purge the ban registration files.
   * @param int $days  Number of days after which a file should be purged (defaultPurgeDays when null)
   * @return int  Number of files purged.
   */
  public function purge($days = null){
    $time = time() - 86400 * ($days === null ? $this->defaultPurgeDays : $days);
    $count = 0;
    foreach((new \GlobIterator($this->path . '*' . $this->ext)) as $filename => $file)
      if($file->getMTime() < $time) $count += \Rsi\File::unlink($filename);
    return $count;
  }
  /**
   * Perform all security checks.
   * @param array|bool $ignore  Checks to ignore (true = all).
   * @param bool $expected  True if this is an expected call.
   * @return bool  True if all checks are fine.
   */
  public function check($ignore = null,$expected = false){
    $result = true;
    if(!$this->banned){
      if($blocked = $this->session->blocked) $this->_banned = true;
      elseif($blocked === null) $this->session->blocked = $this->_banned = \Rsi\Http::inSubnet($this->blocklist,$this->remoteAddr);
      if(!$this->_banned && ($ignore !== true)){
        if(($allowed = $this->session->allowed) === null){
          $allowed = [];
          foreach($this->allowlist as $subnets => $checks) if(\Rsi\Http::inSubnet(explode(';',$subnets),$this->remoteAddr))
            $allowed = array_merge($allowed,$checks);
          $this->session->allowed = $allowed;
        }
        $ignore = array_merge($ignore ?: [],$allowed);
        foreach($this->checks as $name => $check)
          if((!is_array($ignore) || !in_array($name,$ignore)) && !($result = $check->check($expected))){
            $this->component('log')->notice("Suspicious $name request");
            if($result !== null) $this->addBan($name,$check->delay);
            break;
          }
      }
      if($this->banned){
        $this->server('config');
        $this->purge();
      }
    }
    if($this->banned){
      usleep(rand(5000000,10000000));
      http_response_code(429); //Too Many Requests
      try{
        $_SERVER['REMOTE_ADDR'] = $this->remoteAddr;
        require($this->_fred->templatePath . 'banned.php');
      }
      catch(Exception $e){
        print('Banned');
      }
      $this->_fred->halt();
    }
    return $result;
  }

  protected function getBanned(){
    if(($this->_banned === null) && !($this->_banned = $this->session->banned)){
      if($this->_banned = is_file($this->filename)) try{ //in case of error: banned (probably file access problems due to brute forcing)
        $reasons = [];
        $purged = false;
        foreach(file($this->filename) as $reason)
          if(substr($reason,0,strpos($reason,':')) >= time()) $reasons[] = $reason;
          else $purged = true;
        if($purged){
          if($reasons) \Rsi\File::write($this->filename,implode($reasons),0666);
          else \Rsi\File::unlink($this->filename);
        }
        $this->_banned = count($reasons) >= $this->banCount;
      }
      catch(Exception $e){
        if($this->_fred->debug) throw $e;
      }
      $this->session->banned = $this->_banned;
    }
    return $this->_banned;
  }

  protected function getChecks(){
    if($this->_checks === null){
      $this->_checks = [];
      foreach($this->config('checks',[]) as $name => $config){
        $class_name = \Rsi\Record::get($config,'className',__CLASS__ . '\\Check\\' . ucfirst($name));
        $this->_checks[$name] = new $class_name($this->_fred,$config);
      }
    }
    return $this->_checks;
  }

  protected function getFilename(){
    if(!$this->_filename) $this->_filename = $this->filename($this->remoteAddr);
    return $this->_filename;
  }

  protected function getPath(){
    if(!$this->_path) $this->_path = $this->config('path') ?: \Rsi\File::tempDir();
    return $this->_path;
  }

  protected function getRemoteAddr(){
    if($this->_remoteAddr === null){
      $this->_remoteAddr = $remote_addr = \Rsi\Http::remoteAddr();
      foreach($this->proxies as $subnets => $headers) if(\Rsi\Http::inSubnet(explode(';',$subnets),$remote_addr)){ //applicable proxy
        $reason = 'missing';
        foreach((array)$headers as $header) if(array_key_exists($header,$_SERVER)) foreach(explode(',',$_SERVER[$header]) as $addr){
          if(filter_var($addr = trim($addr),FILTER_VALIDATE_IP,FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false)
            return $this->_remoteAddr = \Rsi\Http::expandAddr($addr);
          else $reason = 'invalid';
        }
        $this->component('log')->warning(
          "Proxy request from $remote_addr has $reason IP forward header",
          __FILE__,
          __LINE__,
          compact('subnet','headers') + ['remoteAddr' => $remote_addr,'http' => $this->component('request')->server->http->data,'request' => $_REQUEST]
        );
        $this->_remoteAddr = false;
      }
    }
    return $this->_remoteAddr;
  }

}