feat: implement brute force protection for public links

[jvillafanez]

Note: https://github.com/cs3org/go-cs3apis/blob/main/cs3/rpc/v1beta1/code.pb.go#L121-L125 has a recommended RPC matching for the "Too Many Requests" error, so we're following along.

Implement brute force protection for public shares. The implementation follows a rate-limit approach. This means that you can access the share while the access failure rate is below certain threshold. If such threshold is surpassed, the public share won't be accessible until the failure rate goes below the threshold.

By default, the failure rate is 5 failures per hour (configurable). This means that you're allowed to fail the password for the share up to 5 times per hour before the share is blocked.
The duration of the blockage will be undefined, but between 0 and the configuration duration:

• If the configuration is 10 failures each 2 hours, and the failures come in a quick burst (10 failures in a couple of seconds), the share will be blocked for 2 hours.
• With the same configuration, but with spaced failures, one every 10 minutes, the share will be blocked for around 30 minutes (20 minute gap for the last failure + 10 minutes until the first failure is out of the time scope)
• The share might be blocked just for a few seconds if the last allowed failure comes right before the 2 hours pass for the first failure.

Note that this is an in-memory implementation, so the data won't be shared with other service replicas. This means that the protection will be effective per-server replica, which might not behave as expected: if there are 3 replicas, requests might block one replica but not others, and you might be allowed additional failures because requests will hit different replicas.

Current implementation will use a reva store to make the related data accessible to all the service's replicas.
The recommended environment for the replicas is below (adjust the values if needed):

      LANG: C.UTF-8
      LC_ALL: C.UTF-8
      MICRO_REGISTRY: "nats-js-kv"
      MICRO_REGISTRY_ADDRESS: "ocis:9233"
      OCIS_RUNTIME_HOST: "ocis"
      OCIS_CONFIG_DIR: /etc/ocis/
      OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      OCIS_INSECURE: true

      STORAGE_PUBLICLINK_GRPC_ADDR: 0.0.0.0:9178
      OCIS_PERSISTENT_STORE: "nats-js-kv"
      OCIS_PERSISTENT_STORE_NODES: "ocis:9233"

TODO:

• It needs a way to disable the feature. Right now, we need to keep timestamps in memory to keep track of the failed attempts. The greater the maximum number of attempts is, the more memory we might need to use; this also applies to the duration we need to store the timestamps.
  Setting the configuration values with zeros will effectively disable the feature
• When writing data into the store, the "check" implementation (areEqualLists) is too strict and could lead to excessive retries and / or failures.
• Need to replace the RWLock for a regular mutex because the RWLock isn't needed any longer.
• Consider to include some logs to know what's going on.
• Consider to include an ID as part of the attempt data. At the moment, if 2 replicas try to write an attempt at the same exact second, it isn't possible to know which replica has written the attempt and both replicas will assume that the written attempt is theirs, so only one attempt will be registered instead of the expected 2 (one per replica).
• Consider to increase the time resolution, currently at seconds. This might not be needed if we use IDs.

[kobergj]

Some questions/remarks.

[kobergj]

Why do we need two methods calls here? Isn't CleanInfo already checking max attempts?

[jvillafanez]

The Verify method is intended to provide a fast response (only read lock needed) while the CleanInfo might take more time (write lock plus more operations).

The expected scenario is that most of the requests will be successful, so only the Verify method is called, allowing better concurrency with just the read lock.

[kobergj]

Makes sense. But couldn't that all be done by the Verify method? It could check with readlock and return if successful, otherwise writelock.

I don't see a scenario where we would only call one of the methods, or am I missing something?

[jvillafanez]

It might be possible, but the code would be more complex. There are a couple of things to notice:

• Current code uses the standard pattern of "lock + defer unlock" to ensure the lock is always released. If we put everything in the same method, this won't be possible because we must release the read lock before obtaining the write lock, and unlocking manually has its drawbacks.
• Since we're dealing with locks, these are usually handled within public methods. Dealing with them in private methods might limit the reusability of those methods. It might cause problems with the previous point too because you might be forced to manually release the lock almost always.

I don't see a scenario where we would only call one of the methods, or am I missing something?

You can use just the CleanInfo method (now I see it's a bad name, maybe AccurateVerify fits better) if you don't really care about performance.
You can also use just the Verify method assuming you also have some background thread cleaning the information so the result is "accurate enough". However, this seems tricky and I'd rather not rely on a background thread that can't be easily controlled.

We can provide a convenience function such as the one below, but since the locks will be handled implicitly inside the Verify and CleanInfo methods it might cause issues if we need to make changes in that code later: you'd either assume the code isn't thread-safe because locks aren't explicitly handled in the method, or forget to handle the locks

func (bfp *BruteForceProtection) MasterVerify(token string) bool {
  if !bfp.Verify(token) && !bfp.CleanInfo(token) {
    return false
  }
  return true
}

[jvillafanez]

Updated info in this regard: the CleanInfo method has been removed because we'd need to read from the store twice. The updated code will use a write lock always and conditionally write into the store if there is obsolete data.

[kobergj]

Unfortunately this won't work so easy. In production we use multiple instances of this service. We need a global counter of this value so we are sure all intances behave the same at the same moment in time.

[jvillafanez]

We'll have to move the counter to natsjs (not sure what alternatives we have inside reva). We need to ensure it's thread-safe too.

[kobergj]

Yes. Or we store it as an additional property on the public link itself. Not sure what is more feasible.

[jvillafanez]

I'll change the plans a bit

Discarded solutions:

• Reva stores don't provide thread-safety. This means that there could be problems when multiple replicas try to store failed attempts over the same share.
• The public link doesn't have a good place to store additional information.
  • Changing the public link definition in the cs3org API doesn't seem a good idea.
  • Adding the information at storage level implies changing all the implementations to prepare them to store random information.

Proposed solution:

We'll keep the current code. However, when a failed attempt happens, the service will emit a "public share password failed" event. The event will be received by all the replicas that will adjust the related information on their side.

The additional benefit is that other services like audit can also receive the event and act accordingly. For example, the audit service might want to log something about the failed attempt.

[2403905]

@jvillafanez Do we need to implement some event based logic if we already have the nats-kv in a reva/pkg/store ?
// Create initializes a new store func Create(opts ...microstore.Option) microstore.Store

[2403905]

Can we just use the existing cache?

[jvillafanez]

The store doesn't provide any thread-safety mechanism, so there is a high risk of race conditions.
If there are 2 or more failures happening at the same time and going to different replicas, all the replicas will try to write the data at the same time. There is a high risk of one replica overwriting the data of any other and messing up with the failure count.
It's the classic "get and set" problem that doesn't have solution without thread-safety mechanisms, either (distributed) locks or atomic operations.

[jvillafanez]

Final implementation will use the store. In order to mitigate (not completely prevent) the risk of overwriting data, we'll check that the data we've just written can be read from the store. If the data isn't there, we'll retry the operation several times (up to 10 at the moment) before failing.

Right now, the algorithm is pretty strict with the check (basically the data must match exactly), which might cause problems: replica A might fail to write despite the retries because replicas B and C keep overwriting the data.
It's probably fine to check if the failed attempt we want to add is present even if the full data isn't exactly the same. This should lead to less retries and faster responses in congested scenarios.

[2403905]

I think this implementation is quite good since we don't need high accuracy.

[kobergj]

I do understand why secret != "". It makes no sense to increase wrong password counter if none was given. But I don't understand

• Why secret != "|"? Why does anyone set the secret to "|"? Why do we need to care about this here?
• What is the purpose of the CheckSkipAttempt functions? Why do we need them at all?

[jvillafanez]

Why secret != "|"? Why does anyone set the secret to "|"? Why do we need to care about this here?

We get | as secret for empty password attempts, which happens when loading the share link in the web. The actual secret we get somewhere on top is publicshare|pass or signed|pass|expiration, so something is likely wrong and it isn't working properly in that scenario.

What is the purpose of the CheckSkipAttempt functions? Why do we need them at all?

That's for the duplicated authentication that happens in the server (owncloud/ocis#11862). There is one authentication happening in the proxy middleware to get a reva access token, plus the one to access the share.
Removing the authentication from the middleware didn't work because we need it if a user access to an office document via the public share.
This solution allows us to tell this code not to count the authentication coming from the middleware as a failed attempt.

[kobergj]

We get | as secret for empty password attempts, which happens when loading the share link in the web. The actual secret we get somewhere on top is publicshare|pass or signed|pass|expiration, so something is likely wrong and it isn't working properly in that scenario.

So this means there is some error before where the publicshare|pass (or signed|pass|expiration) isn't converted properly to pass. The best option would be to fix it there, but I would be fine with a FIXME comment describing the problem if the actual fix is too cumbersome.

There is one authentication happening in the proxy middleware to get a reva access token, plus the one to access the share.

Why don't we just return immediately when the first one fails? This way second authentication would never happen and we don't have a problem with the counter.

[jvillafanez]

Why don't we just return immediately when the first one fails? This way second authentication would never happen and we don't have a problem with the counter.

I don't think it's that easy... I've already tried removing the related code in the middleware, but it failed because we need the returned reva access token for the office integration (collaboration service). Access to office documents with collabora / onlyoffice through a public link wasn't possible with that change.

The only alternative I see is to move the brute force protection code to the middleware, but any internal request that bypasses the proxy would also bypass the brute force protection, and I don't think we want to do that.

[kobergj]

LGTM 👍