218 lines
5.1 KiB
Go
218 lines
5.1 KiB
Go
package security
|
|
|
|
import (
|
|
"sort"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
)
|
|
|
|
type Config struct {
|
|
IPWhitelist string
|
|
AdminIPWhitelist string
|
|
LoginWindowSeconds int64
|
|
LoginMaxAttempts int
|
|
BanSeconds int64
|
|
ScanWindowSeconds int64
|
|
ScanMaxAttempts int
|
|
UploadWindowSeconds int64
|
|
UploadMaxRequests int
|
|
UploadMaxBytes int64
|
|
}
|
|
|
|
type Guard struct {
|
|
mu sync.Mutex
|
|
failedLogins map[string][]time.Time
|
|
scanAttempts map[string][]time.Time
|
|
uploadEvents map[string][]uploadEvent
|
|
bannedUntil map[string]time.Time
|
|
ipWhitelist map[string]bool
|
|
adminWhitelist map[string]bool
|
|
}
|
|
|
|
type uploadEvent struct {
|
|
at time.Time
|
|
bytes int64
|
|
}
|
|
|
|
type BanEntry struct {
|
|
IP string `json:"ip"`
|
|
Until time.Time `json:"until"`
|
|
}
|
|
|
|
func NewGuard() *Guard {
|
|
return &Guard{
|
|
failedLogins: map[string][]time.Time{},
|
|
scanAttempts: map[string][]time.Time{},
|
|
uploadEvents: map[string][]uploadEvent{},
|
|
bannedUntil: map[string]time.Time{},
|
|
ipWhitelist: map[string]bool{},
|
|
adminWhitelist: map[string]bool{},
|
|
}
|
|
}
|
|
|
|
func (g *Guard) Reload(cfg Config) {
|
|
g.mu.Lock()
|
|
defer g.mu.Unlock()
|
|
g.ipWhitelist = parseList(cfg.IPWhitelist)
|
|
g.adminWhitelist = parseList(cfg.AdminIPWhitelist)
|
|
}
|
|
|
|
func (g *Guard) IsWhitelisted(ip string) bool {
|
|
g.mu.Lock()
|
|
defer g.mu.Unlock()
|
|
return g.ipWhitelist[ip]
|
|
}
|
|
|
|
func (g *Guard) IsAdminWhitelisted(ip string) bool {
|
|
g.mu.Lock()
|
|
defer g.mu.Unlock()
|
|
return g.adminWhitelist[ip] || g.ipWhitelist[ip]
|
|
}
|
|
|
|
func (g *Guard) IsBanned(ip string) bool {
|
|
g.mu.Lock()
|
|
defer g.mu.Unlock()
|
|
until, ok := g.bannedUntil[ip]
|
|
if !ok {
|
|
return false
|
|
}
|
|
if time.Now().UTC().After(until) {
|
|
delete(g.bannedUntil, ip)
|
|
return false
|
|
}
|
|
return true
|
|
}
|
|
|
|
func (g *Guard) Ban(ip string, seconds int64) {
|
|
if seconds <= 0 || ip == "" {
|
|
return
|
|
}
|
|
g.mu.Lock()
|
|
defer g.mu.Unlock()
|
|
g.bannedUntil[ip] = time.Now().UTC().Add(time.Duration(seconds) * time.Second)
|
|
}
|
|
|
|
func (g *Guard) BanUntil(ip string, until time.Time) {
|
|
if ip == "" || until.IsZero() {
|
|
return
|
|
}
|
|
g.mu.Lock()
|
|
defer g.mu.Unlock()
|
|
g.bannedUntil[ip] = until.UTC()
|
|
}
|
|
|
|
func (g *Guard) Unban(ip string) {
|
|
if ip == "" {
|
|
return
|
|
}
|
|
g.mu.Lock()
|
|
defer g.mu.Unlock()
|
|
delete(g.bannedUntil, ip)
|
|
}
|
|
|
|
func (g *Guard) BanList() []BanEntry {
|
|
g.mu.Lock()
|
|
defer g.mu.Unlock()
|
|
now := time.Now().UTC()
|
|
out := make([]BanEntry, 0, len(g.bannedUntil))
|
|
for ip, until := range g.bannedUntil {
|
|
if now.After(until) {
|
|
delete(g.bannedUntil, ip)
|
|
continue
|
|
}
|
|
out = append(out, BanEntry{IP: ip, Until: until})
|
|
}
|
|
sort.Slice(out, func(i, j int) bool {
|
|
return out[i].Until.Before(out[j].Until)
|
|
})
|
|
return out
|
|
}
|
|
|
|
func (g *Guard) RegisterFailedLogin(ip string, windowSeconds int64, maxAttempts int, banSeconds int64) (bool, int) {
|
|
if ip == "" || maxAttempts <= 0 || windowSeconds <= 0 {
|
|
return false, 0
|
|
}
|
|
g.mu.Lock()
|
|
defer g.mu.Unlock()
|
|
now := time.Now().UTC()
|
|
cutoff := now.Add(-time.Duration(windowSeconds) * time.Second)
|
|
attempts := pruneTimes(g.failedLogins[ip], cutoff)
|
|
attempts = append(attempts, now)
|
|
g.failedLogins[ip] = attempts
|
|
if len(attempts) >= maxAttempts {
|
|
g.bannedUntil[ip] = now.Add(time.Duration(banSeconds) * time.Second)
|
|
return true, len(attempts)
|
|
}
|
|
return false, len(attempts)
|
|
}
|
|
|
|
func (g *Guard) RegisterScanAttempt(ip string, windowSeconds int64, maxAttempts int, banSeconds int64) (bool, int) {
|
|
if ip == "" || maxAttempts <= 0 || windowSeconds <= 0 {
|
|
return false, 0
|
|
}
|
|
g.mu.Lock()
|
|
defer g.mu.Unlock()
|
|
now := time.Now().UTC()
|
|
cutoff := now.Add(-time.Duration(windowSeconds) * time.Second)
|
|
attempts := pruneTimes(g.scanAttempts[ip], cutoff)
|
|
attempts = append(attempts, now)
|
|
g.scanAttempts[ip] = attempts
|
|
if len(attempts) >= maxAttempts {
|
|
g.bannedUntil[ip] = now.Add(time.Duration(banSeconds) * time.Second)
|
|
return true, len(attempts)
|
|
}
|
|
return false, len(attempts)
|
|
}
|
|
|
|
func (g *Guard) AllowUpload(ip string, size int64, windowSeconds int64, maxRequests int, maxBytes int64) (bool, int, int64) {
|
|
if ip == "" || windowSeconds <= 0 || maxRequests <= 0 {
|
|
return true, 0, 0
|
|
}
|
|
g.mu.Lock()
|
|
defer g.mu.Unlock()
|
|
now := time.Now().UTC()
|
|
cutoff := now.Add(-time.Duration(windowSeconds) * time.Second)
|
|
events := g.uploadEvents[ip]
|
|
kept := make([]uploadEvent, 0, len(events)+1)
|
|
totalBytes := int64(0)
|
|
for _, event := range events {
|
|
if event.at.After(cutoff) {
|
|
kept = append(kept, event)
|
|
totalBytes += event.bytes
|
|
}
|
|
}
|
|
nextCount := len(kept) + 1
|
|
nextBytes := totalBytes + size
|
|
if nextCount > maxRequests {
|
|
return false, nextCount, nextBytes
|
|
}
|
|
if maxBytes > 0 && nextBytes > maxBytes {
|
|
return false, nextCount, nextBytes
|
|
}
|
|
kept = append(kept, uploadEvent{at: now, bytes: size})
|
|
g.uploadEvents[ip] = kept
|
|
return true, nextCount, nextBytes
|
|
}
|
|
|
|
func pruneTimes(values []time.Time, cutoff time.Time) []time.Time {
|
|
kept := make([]time.Time, 0, len(values))
|
|
for _, value := range values {
|
|
if value.After(cutoff) {
|
|
kept = append(kept, value)
|
|
}
|
|
}
|
|
return kept
|
|
}
|
|
|
|
func parseList(raw string) map[string]bool {
|
|
out := map[string]bool{}
|
|
for _, chunk := range strings.Split(raw, ",") {
|
|
value := strings.TrimSpace(chunk)
|
|
if value != "" {
|
|
out[value] = true
|
|
}
|
|
}
|
|
return out
|
|
}
|