apiBruteForceProtection/bruteforceprotection.feature:76-83 sometimes fail

[individual-it]

e.g https://drone.owncloud.com/owncloud/brute_force_protection/1720/15/11 or https://drone.owncloud.com/owncloud/brute_force_protection/1718 but pass on rerun https://drone.owncloud.com/owncloud/brute_force_protection/1719

[phil-davis]

These failed in a couple of nightly builds last week. For example: https://drone.owncloud.com/owncloud/brute_force_protection/1775/15/11

Scenario Outline: access is still possible from another IP after user/ip combination was blocked # /var/www/owncloud/testrunner/apps/brute_force_protection/tests/acceptance/features/apiBruteForceProtection/bruteforceprotection.feature:67
    When the client accesses the server from IP address "10.4.1.248" using X-Forwarded-For header  # IpContext::theClientAccessesTheServerFromIpAddressUsingXForwardedForHeader()
    And user "Alice" sends HTTP method "<method>" to URL "<endpoint>" with password "notvalid"     # FeatureContext::userSendsHTTPMethodToUrlWithPassword()
    And user "Alice" sends HTTP method "<method>" to URL "<endpoint>" with password "notvalid"     # FeatureContext::userSendsHTTPMethodToUrlWithPassword()
    And the client accesses the server from IP address "192.168.56.1" using X-Forwarded-For header # IpContext::theClientAccessesTheServerFromIpAddressUsingXForwardedForHeader()
    And user "Alice" sends HTTP method "<method>" to URL "<endpoint>"                              # FeatureContext::userSendsHTTPMethodToUrl()
    Then the HTTP status code should be "<http-code>"                                              # FeatureContext::thenTheHTTPStatusCodeShouldBe()

    Examples:
      | method   | endpoint                                | http-code |
      | GET      | /index.php/apps/files                   | 200       |
        HTTP status code 403 is not the expected value 200
        Failed asserting that 403 matches expected '200'.
      | PROPFIND | /remote.php/dav/systemtags              | 207       |
        HTTP status code 401 is not the expected value 207
        Failed asserting that 401 matches expected '207'.
      | PROPFIND | /remote.php/dav/files/Alice/welcome.txt | 207       |
        HTTP status code 401 is not the expected value 207
        Failed asserting that 401 matches expected '207'.
      | GET      | /remote.php/dav/files/Alice/welcome.txt | 200       |
        HTTP status code 401 is not the expected value 200
        Failed asserting that 401 matches expected '200'.
      | PROPFIND | /remote.php/webdav/welcome.txt          | 207       |
        HTTP status code 401 is not the expected value 207
        Failed asserting that 401 matches expected '207'.
      | GET      | /remote.php/webdav/welcome.txt          | 200       |
        HTTP status code 401 is not the expected value 200
        Failed asserting that 401 matches expected '200'.
      | MKCOL    | /remote.php/dav/files/Alice/blocked     | 201       |
        HTTP status code 401 is not the expected value 201
        Failed asserting that 401 matches expected '201'.
      | MKCOL    | /remote.php/webdav/blocked              | 201       |
        HTTP status code 401 is not the expected value 201
        Failed asserting that 401 matches expected '201'.

We should think how to make these reliable in CI - look at what network things the tests depend on and try to minimize the dependency on particular network addresses...

[amrita-shrestha]

In my local setup, apiBruteForceProtection/bruteforceprotection.feature:76-83 doesn't pass in 50-80 test run . on ci https://github.com/owncloud/brute_force_protection/pull/170 , I tried different combinations of passing test scenarios with apiBruteForceProtection/bruteforceprotection.feature:76-83

Through the curl command ,

• I get 303 HTTP status code for the client accessing the server from IP address "10.4.1.248" with incorrect password.

• And HTTP status code 403 ,for the client accessing the server from IP address "192.168.56.1" with correct password

[kiranparajuli589]

latest build failure: https://drone.owncloud.com/owncloud/brute_force_protection/1804/15/11

[saw-jan]

Failed today as well: https://drone.owncloud.com/owncloud/brute_force_protection/1846/14/11

[individual-it]

any progress in investigating why this is happening?

[kiranparajuli589]

This fails every time in my local machine as it is failing intermittently in the CI.

1. When client accesses the server from IP address "10.4.1.248" two times with invalid auth

   More details

   MKCOL /owncloud/core/remote.php/webdav/blocked HTTP/1.1
   Host: localhost
   User-Agent: GuzzleHttp/7
   Authorization: Basic QWxpY2U6bm90dmFsaWQ=
   X-Forwarded-For: 10.4.1.248
   
   HTTP/1.1 401 Unauthorized
   Date: Thu, 31 Mar 2022 09:47:33 GMT
   Server: Apache/2.4.41 (Ubuntu)
   Set-Cookie: oc7epvr9s2gv=kuk26ulhl0bnddh6b8t26040qt; path=/owncloud/core; HttpOnly; SameSite=Strict
   Expires: Thu, 19 Nov 1981 08:52:00 GMT
   Cache-Control: no-store, no-cache, must-revalidate
   Pragma: no-cache
   Set-Cookie: oc_sessionPassphrase=Jfcj6oztUN2uTx9uN6l46sD%2BF%2Fwxm6kUHD0H6zzUXPw7r3rDBpyzqP8nVC932ypv5iQcGA52F%2FHXIBSWrn4IZSMByDBzq7PzadhKopeOLVbUn%2B1j%2B80xbi%2BpusJI75k3; path=/owncloud/core; HttpOnly; SameSite=Strict
   Content-Security-Policy: default-src 'none';
   X-XSS-Protection: 0
   X-Content-Type-Options: nosniff
   X-Frame-Options: SAMEORIGIN
   X-Robots-Tag: none
   X-Download-Options: noopen
   X-Permitted-Cross-Domain-Policies: none
   Set-Cookie: oc7epvr9s2gv=k4gbf07m17nfcpabgmkojgv52i; path=/owncloud/core; HttpOnly; SameSite=Strict
   WWW-Authenticate: Basic realm="ownCloud", charset="UTF-8"
   WWW-Authenticate: Bearer realm="ownCloud"
   Content-Length: 379
   Content-Type: application/xml; charset=utf-8
   
   
   
     Sabre\DAV\Exception\NotAuthenticated
     Username or password was incorrect, Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured
   
   

2. Now the client again accesses the server from IP address "192.168.56.1" using X-Forwarded-For header with valid auth, the request fails with

• 403 for GET /index.php/apps/files

  more info

  GET /owncloud/core/index.php/apps/files HTTP/1.1
  Host: localhost
  User-Agent: GuzzleHttp/7
  Authorization: Basic QWxpY2U6MTIzNDU2
  X-Forwarded-For: 192.168.56.1
  
  HTTP/1.1 403 Forbidden
  Date: Thu, 31 Mar 2022 09:57:24 GMT
  Server: Apache/2.4.41 (Ubuntu)
  Set-Cookie: oc7epvr9s2gv=iosp06m6bsm6apcu0spqk44r9q; path=/owncloud/core; HttpOnly; SameSite=Strict
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Set-Cookie: oc_sessionPassphrase=qTK4oemlgdE76ZzpiOcXmD6bNYD6hU7kFD2k9effEGdReD%2BXuVw0%2Ft65%2BJg3Foin25Z1VPZU8WwVrUnNK45TL47MMywt37%2B6ths9zPfAHpn0rW63iSuay06WfAwf0Fme; path=/owncloud/core; HttpOnly; SameSite=Strict
  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
  X-XSS-Protection: 0
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-Robots-Tag: none
  X-Download-Options: noopen
  X-Permitted-Cross-Domain-Policies: none
  Set-Cookie: oc7epvr9s2gv=sirg4hv9e42h6b9g5s8eb0jl6s; path=/owncloud/core; HttpOnly; SameSite=Strict
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=UTF-8
  

• 401 for every other endpoints mentioned in the scenario examples

  More details

  PROPFIND /owncloud/core/remote.php/dav/systemtags HTTP/1.1
  Host: localhost
  User-Agent: GuzzleHttp/7
  Authorization: Basic QWxpY2U6MTIzNDU2
  X-Forwarded-For: 192.168.56.1
  
  HTTP/1.1 401 Unauthorized
  Date: Thu, 31 Mar 2022 09:45:16 GMT
  Server: Apache/2.4.41 (Ubuntu)
  Set-Cookie: oc7epvr9s2gv=9lbuqkc42tuq59rda102r5b29c; path=/owncloud/core; HttpOnly; SameSite=Strict
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Set-Cookie: oc_sessionPassphrase=77CAlgss2yV6cRHr8%2F8TzamyB2NiqXlxxj%2FAJTJp1euS8wo%2BJVMZVWHRjfO8UapJP%2BPXfSCf1nmBDgnRuPC6EuxxVdw48%2Bxt086gBFvB%2BHVR11%2Ftmavp77PmXI2hRgrQ; path=/owncloud/core; HttpOnly; SameSite=Strict
  Content-Security-Policy: default-src 'none';
  X-XSS-Protection: 0
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-Robots-Tag: none
  X-Download-Options: noopen
  X-Permitted-Cross-Domain-Policies: none
  Set-Cookie: oc7epvr9s2gv=kjj1hn1ejnnt2f2fmh8cupvruk; path=/owncloud/core; HttpOnly; SameSite=Strict
  Content-Length: 256
  Content-Type: application/xml; charset=utf-8
  
  
  
    Sabre\DAV\Exception\NotAuthenticated
    Too many failed login attempts. Try again in  5 minutes.
  
  

I need some help on how to proceed on this.

[phil-davis]

Failed again last night: https://drone.owncloud.com/owncloud/brute_force_protection/1860/14/11

[kiranparajuli589]

The reported tests are now

• passing fine while running with drone locally
• passing fine in the CI while running multiple times https://github.com/owncloud/brute_force_protection/pull/174

closing for now. this can be reopened if the issue appears again.

[phil-davis]

https://drone.owncloud.com/owncloud/brute_force_protection/1903/14/11

runsh: Total unexpected failed scenarios throughout the test run:
apiBruteForceProtection/bruteforceprotection.feature:76
apiBruteForceProtection/bruteforceprotection.feature:77
apiBruteForceProtection/bruteforceprotection.feature:78
apiBruteForceProtection/bruteforceprotection.feature:79
apiBruteForceProtection/bruteforceprotection.feature:80
apiBruteForceProtection/bruteforceprotection.feature:81
apiBruteForceProtection/bruteforceprotection.feature:82
apiBruteForceProtection/bruteforceprotection.feature:83

This is very hard to reproduce. Maybe we need to skip these in nightly runs, and just verify them when there is an app release?

I will think about it next week.

[SwikritiT]

Failing in today's nightly as well: https://drone.owncloud.com/owncloud/brute_force_protection/1908/14/11

apiBruteForceProtection/bruteforceprotection.feature:76
apiBruteForceProtection/bruteforceprotection.feature:77
apiBruteForceProtection/bruteforceprotection.feature:78
apiBruteForceProtection/bruteforceprotection.feature:79
apiBruteForceProtection/bruteforceprotection.feature:80
apiBruteForceProtection/bruteforceprotection.feature:81
apiBruteForceProtection/bruteforceprotection.feature:82
apiBruteForceProtection/bruteforceprotection.feature:83

[SwikritiT]

@phil-davis https://drone.owncloud.com/owncloud/brute_force_protection/1909/14/11 failed in today's nightly as well. What shall we do? Shall we skip the tests?

[phil-davis]

https://drone.owncloud.com/owncloud/brute_force_protection/1939/14/11

  Scenario Outline: access is still possible from another IP after user/ip combination was blocked # /var/www/owncloud/testrunner/apps/brute_force_protection/tests/acceptance/features/apiBruteForceProtection/bruteforceprotection.feature:67
    When the client accesses the server from IP address "10.4.1.248" using X-Forwarded-For header  # IpContext::theClientAccessesTheServerFromIpAddressUsingXForwardedForHeader()
    And user "Alice" sends HTTP method "<method>" to URL "<endpoint>" with password "notvalid"     # FeatureContext::userSendsHTTPMethodToUrlWithPassword()
    And user "Alice" sends HTTP method "<method>" to URL "<endpoint>" with password "notvalid"     # FeatureContext::userSendsHTTPMethodToUrlWithPassword()
    And the client accesses the server from IP address "192.168.56.1" using X-Forwarded-For header # IpContext::theClientAccessesTheServerFromIpAddressUsingXForwardedForHeader()
    And user "Alice" sends HTTP method "<method>" to URL "<endpoint>"                              # FeatureContext::userSendsHTTPMethodToUrl()
    Then the HTTP status code should be "<http-code>"                                              # FeatureContext::thenTheHTTPStatusCodeShouldBe()

    Examples:
      | method   | endpoint                                | http-code |
      | GET      | /index.php/apps/files                   | 200       |
        HTTP status code 403 is not the expected value 200
        Failed asserting that 403 matches expected '200'.
      | PROPFIND | /remote.php/dav/systemtags              | 207       |
        HTTP status code 401 is not the expected value 207
        Failed asserting that 401 matches expected '207'.
      | PROPFIND | /remote.php/dav/files/Alice/welcome.txt | 207       |
        HTTP status code 401 is not the expected value 207
        Failed asserting that 401 matches expected '207'.
      | GET      | /remote.php/dav/files/Alice/welcome.txt | 200       |
        HTTP status code 401 is not the expected value 200
        Failed asserting that 401 matches expected '200'.
      | PROPFIND | /remote.php/webdav/welcome.txt          | 207       |
        HTTP status code 401 is not the expected value 207
        Failed asserting that 401 matches expected '207'.
      | GET      | /remote.php/webdav/welcome.txt          | 200       |
        HTTP status code 401 is not the expected value 200
        Failed asserting that 401 matches expected '200'.
      | MKCOL    | /remote.php/dav/files/Alice/blocked     | 201       |
        HTTP status code 401 is not the expected value 201
        Failed asserting that 401 matches expected '201'.
      | MKCOL    | /remote.php/webdav/blocked              | 201       |
        HTTP status code 401 is not the expected value 201
        Failed asserting that 401 matches expected '201'.

Failed again last night. I will make a PR to skip these.

[phil-davis]

In test PR #178 I checked that the Apache config file was really getting the X-Forwarded-For settings, and that there was not some other Apache running that might have missed the settings. The Apache that is run in the server service is the one that the tests use.

Documentation of RemoteIPHeader X-Forwarded-For and RemoteIPInternalProxy and RemoteIPTrustedProxy indicates that the default is that all IP addresses are trusted if these Proxy settings are not set. So Apache should be always passing through the client IP address specified in X-Forwarded-For

I don't see anything special in the log of the Apache server process when these tests fail. So there is no obvious reason for the problem.

The tests are skipped in PR #179 - but they will still be in the test suite so that they can be run manually or semi-automatically in CI if and when we want to.

[kiranparajuli589]

@phil-davis, after #179 can we close this ticket?

[phil-davis]

We have skipped these tests. Note: they can be run locally by specifically select the filter tag @blockBasedOnClientIpAddress