[Security] Added login throttling feature

wouterj · fabpot · commit cf58b547a098 · 2020-09-17T07:36:46.000+02:00
diff --git a/DependencyInjection/Configuration.php b/DependencyInjection/Configuration.php
@@ -1736,15 +1736,37 @@ private function addRateLimiterSection(ArrayNodeDefinition $rootNode)
                             ->useAttributeAsKey('name')
                             ->arrayPrototype()
                                 ->children()
-                                    ->scalarNode('lock')->defaultValue('lock.factory')->end()
-                                    ->scalarNode('storage')->defaultValue('cache.app')->end()
-                                    ->scalarNode('strategy')->isRequired()->end()
-                                    ->integerNode('limit')->isRequired()->end()
-                                    ->scalarNode('interval')->end()
+                                    ->scalarNode('lock_factory')
+                                        ->info('The service ID of the lock factory used by this limiter')
+                                        ->defaultValue('lock.factory')
+                                    ->end()
+                                    ->scalarNode('cache_pool')
+                                        ->info('The cache pool to use for storing the current limiter state')
+                                        ->defaultValue('cache.app')
+                                    ->end()
+                                    ->scalarNode('storage_service')
+                                        ->info('The service ID of a custom storage implementation, this precedes any configured "cache_pool"')
+                                        ->defaultNull()
+                                    ->end()
+                                    ->enumNode('strategy')
+                                        ->info('The rate limiting algorithm to use for this rate')
+                                        ->isRequired()
+                                        ->values(['fixed_window', 'token_bucket'])
+                                    ->end()
+                                    ->integerNode('limit')
+                                        ->info('The maximum allowed hits in a fixed interval or burst')
+                                        ->isRequired()
+                                    ->end()
+                                    ->scalarNode('interval')
+                                        ->info('Configures the fixed interval if "strategy" is set to "fixed_window". The value must be a number followed by "second", "minute", "hour", "day", "week" or "month" (or their plural equivalent).')
+                                    ->end()
                                     ->arrayNode('rate')
+                                        ->info('Configures the fill rate if "strategy" is set to "token_bucket"')
                                         ->children()
-                                            ->scalarNode('interval')->isRequired()->end()
-                                            ->integerNode('amount')->defaultValue(1)->end()
+                                            ->scalarNode('interval')
+                                                ->info('Configures the rate interval. The value must be a number followed by "second", "minute", "hour", "day", "week" or "month" (or their plural equivalent).')
+                                            ->end()
+                                            ->integerNode('amount')->info('Amount of tokens to add each interval')->defaultValue(1)->end()
                                         ->end()
                                     ->end()
                                 ->end()
diff --git a/DependencyInjection/FrameworkExtension.php b/DependencyInjection/FrameworkExtension.php
@@ -2190,38 +2190,31 @@ private function registerRateLimiterConfiguration(array $config, ContainerBuilde
 
         $loader->load('rate_limiter.php');
 
-        $locks = [];
-        $storages = [];
         foreach ($config['limiters'] as $name => $limiterConfig) {
-            $limiter = $container->setDefinition($limiterId = 'limiter.'.$name, new ChildDefinition('limiter'));
-
-            if (!isset($locks[$limiterConfig['lock']])) {
-                $locks[$limiterConfig['lock']] = new Reference($limiterConfig['lock']);
-            }
-            $limiter->addArgument($locks[$limiterConfig['lock']]);
-            unset($limiterConfig['lock']);
-
-            if (!isset($storages[$limiterConfig['storage']])) {
-                $storageId = $limiterConfig['storage'];
-                // cache pools are configured by the FrameworkBundle, so they
-                // exists in the scoped ContainerBuilder provided to this method
-                if ($container->has($storageId)) {
-                    if ($container->findDefinition($storageId)->hasTag('cache.pool')) {
-                        $container->register('limiter.storage.'.$storageId, CacheStorage::class)->addArgument(new Reference($storageId));
-                        $storageId = 'limiter.storage.'.$storageId;
-                    }
-                }
+            self::registerRateLimiter($container, $name, $limiterConfig);
+        }
+    }
 
-                $storages[$limiterConfig['storage']] = new Reference($storageId);
-            }
-            $limiter->replaceArgument(1, $storages[$limiterConfig['storage']]);
-            unset($limiterConfig['storage']);
+    public static function registerRateLimiter(ContainerBuilder $container, string $name, array $limiterConfig)
+    {
+        $limiter = $container->setDefinition($limiterId = 'limiter.'.$name, new ChildDefinition('limiter'));
 
-            $limiterConfig['id'] = $name;
-            $limiter->replaceArgument(0, $limiterConfig);
+        $limiter->addArgument(new Reference($limiterConfig['lock_factory']));
+        unset($limiterConfig['lock_factory']);
 
-            $container->registerAliasForArgument($limiterId, Limiter::class, $name.'.limiter');
+        $storageId = $limiterConfig['storage_service'] ?? null;
+        if (null === $storageId) {
+            $container->register($storageId = 'limiter.storage.'.$name, CacheStorage::class)->addArgument(new Reference($limiterConfig['cache_pool']));
         }
+
+        $limiter->replaceArgument(1, new Reference($storageId));
+        unset($limiterConfig['storage']);
+        unset($limiterConfig['cache_pool']);
+
+        $limiterConfig['id'] = $name;
+        $limiter->replaceArgument(0, $limiterConfig);
+
+        $container->registerAliasForArgument($limiterId, Limiter::class, $name.'.limiter');
     }
 
     private function resolveTrustedHeaders(array $headers): int
diff --git a/Resources/config/schema/symfony-1.0.xsd b/Resources/config/schema/symfony-1.0.xsd
@@ -650,8 +650,9 @@
             <xsd:element name="rate" type="rate_limiter_rate" minOccurs="0" />
         </xsd:sequence>
         <xsd:attribute name="name" type="xsd:string" />
-        <xsd:attribute name="lock" type="xsd:string" />
-        <xsd:attribute name="storage" type="xsd:string" />
+        <xsd:attribute name="lock-factory" type="xsd:string" />
+        <xsd:attribute name="storage-service" type="xsd:string" />
+        <xsd:attribute name="cache-pool" type="xsd:string" />
         <xsd:attribute name="strategy" type="xsd:string" />
         <xsd:attribute name="limit" type="xsd:int" />
         <xsd:attribute name="interval" type="xsd:string" />
