Add support for ratelimiting via annotations

This allows adding rate limiting via annotations to controllers, as one example: ``` @UserRateThrottle(limit=5, period=100) @AnonRateThrottle(limit=1, period=100) ``` Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago · 66835476b5
21 changed files with 1026 additions and 160 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -277,6 +277,17 @@ pipeline:
    when:
      matrix:
        TESTS: integration-maintenance-mode
+  integration-ratelimiting:
+  image: nextcloudci/integration-php7.0:integration-php7.0-3
+    commands:
+      - ./occ maintenance:install --admin-pass=admin
+      - ./occ config:system:set --type string --value "\\OC\\Memcache\\Redis" memcache.local
+      - ./occ config:system:set --type string --value "\\OC\\Memcache\\Redis" memcache.distributed
+      - cd build/integration
+      - ./run.sh features/ratelimiting.feature
+    when:
+      matrix:
+        TESTS: integration-ratelimiting
  integration-carddav:
    image: nextcloudci/integration-php7.0:integration-php7.0-3
    commands:
@ -516,6 +527,7 @@ matrix:
    - TESTS: integration-capabilities_features
    - TESTS: integration-federation_features
    - TESTS: integration-maintenance-mode
+    - TESTS: integration-ratelimiting
    - TESTS: integration-auth
    - TESTS: integration-carddav
    - TESTS: integration-dav-v2
--- a/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php
+++ b/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php
@ -120,7 +120,7 @@ class MountPublicLinkController extends Controller {
 	 *
 	 * @NoCSRFRequired
 	 * @PublicPage
-	 * @BruteForceProtection publicLink2FederatedShare
+	 * @BruteForceProtection(action=publicLink2FederatedShare)
 	 *
 	 * @param string $shareWith
 	 * @param string $token
--- a/apps/files_sharing/lib/Controller/ShareController.php
+++ b/apps/files_sharing/lib/Controller/ShareController.php
@ -160,7 +160,7 @@ class ShareController extends Controller {
 	/**
 	 * @PublicPage
 	 * @UseSession
-	 * @BruteForceProtection publicLinkAuth
+	 * @BruteForceProtection(action=publicLinkAuth)
 	 *
 	 * Authenticates against password-protected shares
 	 * @param string $token
--- a/apps/testing/appinfo/routes.php
+++ b/apps/testing/appinfo/routes.php
@ -25,12 +25,32 @@ namespace OCA\Testing\AppInfo;
 use OCA\Testing\Config;
 use OCA\Testing\Locking\Provisioning;
 use OCP\API;
+use OCP\AppFramework\App;

 $config = new Config(
 	\OC::$server->getConfig(),
 	\OC::$server->getRequest()
 );

+$app = new App('testing');
+$app->registerRoutes(
+	$this,
+	[
+		'routes' => [
+			[
+				'name' => 'RateLimitTest#userAndAnonProtected',
+				'url' => '/userAndAnonProtected',
+				'verb' => 'GET',
+			],
+			[
+				'name' => 'RateLimitTest#onlyAnonProtected',
+				'url' => '/anonProtected',
+				'verb' => 'GET',
+			],
+		]
+	]
+);
+
 API::register(
 	'post',
 	'/apps/testing/api/v1/app/{appid}/{configkey}',
--- a/apps/testing/lib/Controller/RateLimitTestController.php
+++ b/apps/testing/lib/Controller/RateLimitTestController.php
@ -0,0 +1,52 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Testing\Controller;
+
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\JSONResponse;
+
+class RateLimitTestController extends Controller {
+	/**
+	 * @PublicPage
+	 * @NoCSRFRequired
+	 *
+	 * @UserRateThrottle(limit=5, period=100)
+	 * @AnonRateThrottle(limit=1, period=100)
+	 *
+	 * @return JSONResponse
+	 */
+	public function userAndAnonProtected() {
+		return new JSONResponse();
+	}
+
+	/**
+	 * @PublicPage
+	 * @NoCSRFRequired
+	 *
+	 * @AnonRateThrottle(limit=1, period=10)
+	 *
+	 * @return JSONResponse
+	 */
+	public function onlyAnonProtected() {
+		return new JSONResponse();
+	}
+}
--- a/build/integration/features/ratelimiting.feature
+++ b/build/integration/features/ratelimiting.feature
@ -0,0 +1,58 @@
+Feature: ratelimiting
+  
+  Background:
+    Given user "user0" exists
+    Given As an "admin"
+    Given app "testing" is enabled
+
+  Scenario: Accessing a page with only an AnonRateThrottle as user
+    Given user "user0" exists
+    # First request should work
+    When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+    # Second one should fail
+    When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "429"
+    # After 11 seconds the next request should work
+    And Sleep for "11" seconds
+    When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+
+  Scenario: Accessing a page with only an AnonRateThrottle as guest
+    Given Sleep for "11" seconds
+    # First request should work
+    When requesting "/index.php/apps/testing/anonProtected" with "GET"
+    Then the HTTP status code should be "200"
+    # Second one should fail
+    When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "429"
+    # After 11 seconds the next request should work
+    And Sleep for "11" seconds
+    When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+
+  Scenario: Accessing a page with UserRateThrottle and AnonRateThrottle
+    # First request should work as guest
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
+    Then the HTTP status code should be "200"
+    # Second request should fail as guest
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
+    Then the HTTP status code should be "429"
+    # First request should work as user
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+    # Second request should work as user
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+    # Third request should work as user
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+    # Fourth request should work as user
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+    # Fifth request should work as user
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
+    Then the HTTP status code should be "200"
+    # Sixth request should fail as user
+    When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
+    Then the HTTP status code should be "429"
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@ -204,7 +204,7 @@ class LostController extends Controller {

 	/**
 	 * @PublicPage
-	 * @BruteForceProtection passwordResetEmail
+	 * @BruteForceProtection(action=passwordResetEmail)
 	 *
 	 * @param string $user
 	 * @return array
--- a/lib/private/AppFramework/DependencyInjection/DIContainer.php
+++ b/lib/private/AppFramework/DependencyInjection/DIContainer.php
@ -53,11 +53,13 @@ use OCP\AppFramework\QueryException;
 use OCP\Files\Folder;
 use OCP\Files\IAppData;
 use OCP\IL10N;
+use OCP\IMemcache;
 use OCP\IRequest;
 use OCP\IServerContainer;
 use OCP\IUserSession;
 use OCP\RichObjectStrings\IValidator;
 use OCP\Util;
+use SearchDAV\XML\Limit;

 class DIContainer extends SimpleContainer implements IAppContainer {

@ -162,6 +164,22 @@ class DIContainer extends SimpleContainer implements IAppContainer {
 			return $c->query(Validator::class);
 		});

+		$this->registerService(OC\Security\RateLimiting\Limiter::class, function($c) {
+			return new OC\Security\RateLimiting\Limiter(
+				$this->getServer()->getUserSession(),
+				$this->getServer()->getRequest(),
+				new OC\AppFramework\Utility\TimeFactory(),
+				$c->query(OC\Security\RateLimiting\Backend\IBackend::class)
+			);
+		});
+
+		$this->registerService(OC\Security\RateLimiting\Backend\IBackend::class, function($c) {
+			return new OC\Security\RateLimiting\Backend\MemoryCache(
+				$this->getServer()->getMemCacheFactory(),
+				new OC\AppFramework\Utility\TimeFactory()
+			);
+		});
+
 		$this->registerService(\OC\Security\IdentityProof\Manager::class, function ($c) {
 			return new \OC\Security\IdentityProof\Manager(
 				$this->getServer()->getAppDataDir('identityproof'),
@ -169,7 +187,6 @@ class DIContainer extends SimpleContainer implements IAppContainer {
 			);
 		});

-
 		/**
 		 * App Framework APIs
 		 */
@ -220,12 +237,13 @@ class DIContainer extends SimpleContainer implements IAppContainer {
 				$server->getLogger(),
 				$server->getSession(),
 				$c['AppName'],
-				$app->isLoggedIn(),
+				$server->getUserSession(),
 				$app->isAdminUser(),
 				$server->getContentSecurityPolicyManager(),
 				$server->getCsrfTokenManager(),
 				$server->getContentSecurityPolicyNonceManager(),
-				$server->getBruteForceThrottler()
+				$server->getBruteForceThrottler(),
+				$c->query(OC\Security\RateLimiting\Limiter::class)
 			);

 		});
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@ -26,7 +26,6 @@
 *
 */

-
 namespace OC\AppFramework\Middleware\Security;

 use OC\AppFramework\Middleware\Security\Exceptions\AppNotEnabledException;
@ -40,6 +39,7 @@ use OC\Security\Bruteforce\Throttler;
 use OC\Security\CSP\ContentSecurityPolicyManager;
 use OC\Security\CSP\ContentSecurityPolicyNonceManager;
 use OC\Security\CSRF\CsrfTokenManager;
+use OC\Security\RateLimiting\Limiter;
 use OCP\AppFramework\Http\ContentSecurityPolicy;
 use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
 use OCP\AppFramework\Http\RedirectResponse;
@ -54,6 +54,7 @@ use OCP\IURLGenerator;
 use OCP\IRequest;
 use OCP\ILogger;
 use OCP\AppFramework\Controller;
+use OCP\IUserSession;
 use OCP\Util;
 use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;

@ -78,8 +79,8 @@ class SecurityMiddleware extends Middleware {
 	private $logger;
 	/** @var ISession */
 	private $session;
-	/** @var bool */
-	private $isLoggedIn;
+	/** @var IUserSession */
+	private $userSession;
 	/** @var bool */
 	private $isAdminUser;
 	/** @var ContentSecurityPolicyManager */
@ -90,6 +91,8 @@ class SecurityMiddleware extends Middleware {
 	private $cspNonceManager;
 	/** @var Throttler */
 	private $throttler;
+	/** @var Limiter */
+	private $limiter;

 	/**
 	 * @param IRequest $request
@ -99,12 +102,13 @@ class SecurityMiddleware extends Middleware {
 	 * @param ILogger $logger
 	 * @param ISession $session
 	 * @param string $appName
-	 * @param bool $isLoggedIn
+	 * @param IUserSession $userSession
 	 * @param bool $isAdminUser
 	 * @param ContentSecurityPolicyManager $contentSecurityPolicyManager
 	 * @param CSRFTokenManager $csrfTokenManager
 	 * @param ContentSecurityPolicyNonceManager $cspNonceManager
 	 * @param Throttler $throttler
+	 * @param Limiter $limiter
 	 */
 	public function __construct(IRequest $request,
 								ControllerMethodReflector $reflector,
@ -113,12 +117,13 @@ class SecurityMiddleware extends Middleware {
 								ILogger $logger,
 								ISession $session,
 								$appName,
-								$isLoggedIn,
+								IUserSession $userSession,
 								$isAdminUser,
 								ContentSecurityPolicyManager $contentSecurityPolicyManager,
 								CsrfTokenManager $csrfTokenManager,
 								ContentSecurityPolicyNonceManager $cspNonceManager,
-								Throttler $throttler) {
+								Throttler $throttler,
+								Limiter $limiter) {
 		$this->navigationManager = $navigationManager;
 		$this->request = $request;
 		$this->reflector = $reflector;
@ -126,15 +131,15 @@ class SecurityMiddleware extends Middleware {
 		$this->urlGenerator = $urlGenerator;
 		$this->logger = $logger;
 		$this->session = $session;
-		$this->isLoggedIn = $isLoggedIn;
+		$this->userSession = $userSession;
 		$this->isAdminUser = $isAdminUser;
 		$this->contentSecurityPolicyManager = $contentSecurityPolicyManager;
 		$this->csrfTokenManager = $csrfTokenManager;
 		$this->cspNonceManager = $cspNonceManager;
 		$this->throttler = $throttler;
+		$this->limiter = $limiter;
 	}

-
 	/**
 	 * This runs all the security checks before a method call. The
 	 * security checks are determined by inspecting the controller method
@ -152,7 +157,7 @@ class SecurityMiddleware extends Middleware {
 		// security checks
 		$isPublicPage = $this->reflector->hasAnnotation('PublicPage');
 		if(!$isPublicPage) {
-			if(!$this->isLoggedIn) {
+			if(!$this->userSession->isLoggedIn()) {
 				throw new NotLoggedInException();
 			}

@ -191,8 +196,29 @@ class SecurityMiddleware extends Middleware {
 			}
 		}

+		$anonLimit = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'limit');
+		$anonPeriod = $this->reflector->getAnnotationParameter('AnonRateThrottle', 'period');
+		$userLimit = $this->reflector->getAnnotationParameter('UserRateThrottle', 'limit');
+		$userPeriod = $this->reflector->getAnnotationParameter('UserRateThrottle', 'period');
+		$rateLimitIdentifier = get_class($controller) . '::' . $methodName;
+		if($userLimit !== '' && $userPeriod !== '' && $this->userSession->isLoggedIn()) {
+			$this->limiter->registerUserRequest(
+				$rateLimitIdentifier,
+				$userLimit,
+				$userPeriod,
+				$this->userSession->getUser()
+			);
+		} elseif ($anonLimit !== '' && $anonPeriod !== '') {
+			$this->limiter->registerAnonRequest(
+				$rateLimitIdentifier,
+				$anonLimit,
+				$anonPeriod,
+				$this->request->getRemoteAddress()
+			);
+		}
+
 		if($this->reflector->hasAnnotation('BruteForceProtection')) {
-			$action = $this->reflector->getAnnotationParameter('BruteForceProtection');
+			$action = $this->reflector->getAnnotationParameter('BruteForceProtection', 'action');
 			$this->throttler->sleepDelay($this->request->getRemoteAddress(), $action);
 			$this->throttler->registerAttempt($action, $this->request->getRemoteAddress());
 		}
@ -206,7 +232,6 @@ class SecurityMiddleware extends Middleware {
 		if(\OC_App::getAppPath($this->appName) !== false && !\OC_App::isEnabled($this->appName)) {
 			throw new AppNotEnabledException();
 		}
-
 	}

 	/**
--- a/lib/private/AppFramework/Utility/ControllerMethodReflector.php
+++ b/lib/private/AppFramework/Utility/ControllerMethodReflector.php
@ -24,27 +24,17 @@
 *
 */

-
 namespace OC\AppFramework\Utility;

 use \OCP\AppFramework\Utility\IControllerMethodReflector;

-
 /**
 * Reads and parses annotations from doc comments
 */
-class ControllerMethodReflector implements IControllerMethodReflector{
-
-	private $annotations;
-	private $types;
-	private $parameters;
-
-	public function __construct() {
-		$this->types = array();
-		$this->parameters = array();
-		$this->annotations = array();
-	}
-
+class ControllerMethodReflector implements IControllerMethodReflector {
+	public $annotations = [];
+	private $types = [];
+	private $parameters = [];

 	/**
 	 * @param object $object an object or classname
@ -55,9 +45,21 @@ class ControllerMethodReflector implements IControllerMethodReflector{
 		$docs = $reflection->getDocComment();

 		// extract everything prefixed by @ and first letter uppercase
-		preg_match_all('/^\h+\*\h+@(?P<annotation>[A-Z]\w+)(\h+(?P<parameter>\w+))?$/m', $docs, $matches);
+		preg_match_all('/^\h+\*\h+@(?P<annotation>[A-Z]\w+)((?P<parameter>.*))?$/m', $docs, $matches);
 		foreach($matches['annotation'] as $key => $annontation) {
-			$this->annotations[$annontation] = $matches['parameter'][$key];
+			$annotationValue = $matches['parameter'][$key];
+			if($annotationValue[0] === '(' && $annotationValue[strlen($annotationValue) - 1] === ')') {
+				$cutString = substr($annotationValue, 1, -1);
+				$cutString = str_replace(' ', '', $cutString);
+				$splittedArray = explode(',', $cutString);
+				foreach($splittedArray as $annotationValues) {
+					list($key, $value) = explode('=', $annotationValues);
+					$this->annotations[$annontation][$key] = $value;
+				}
+				continue;
+			}
+
+			$this->annotations[$annontation] = [$annotationValue];
 		}

 		// extract type parameter information
@ -83,7 +85,6 @@ class ControllerMethodReflector implements IControllerMethodReflector{
 		}
 	}

-
 	/**
 	 * Inspects the PHPDoc parameters for types
 	 * @param string $parameter the parameter whose type comments should be
@ -99,7 +100,6 @@ class ControllerMethodReflector implements IControllerMethodReflector{
 		}
 	}

-
 	/**
 	 * @return array the arguments of the method with key => default value
 	 */
@ -107,30 +107,27 @@ class ControllerMethodReflector implements IControllerMethodReflector{
 		return $this->parameters;
 	}

-
 	/**
 	 * Check if a method contains an annotation
 	 * @param string $name the name of the annotation
 	 * @return bool true if the annotation is found
 	 */
-	public function hasAnnotation($name){
+	public function hasAnnotation($name) {
 		return array_key_exists($name, $this->annotations);
 	}

-
 	/**
-	 * Get optional annotation parameter
+	 * Get optional annotation parameter by key
+	 *
 	 * @param string $name the name of the annotation
+	 * @param string $key the string of the annotation
 	 * @return string
 	 */
-	public function getAnnotationParameter($name){
-		$parameter = '';
-		if($this->hasAnnotation($name)) {
-			$parameter = $this->annotations[$name];
+	public function getAnnotationParameter($name, $key) {
+		if(isset($this->annotations[$name][$key])) {
+			return $this->annotations[$name][$key];
 		}

-		return $parameter;
+		return '';
 	}
-
-
 }
--- a/lib/private/Security/Bruteforce/Throttler.php
+++ b/lib/private/Security/Bruteforce/Throttler.php
@ -23,6 +23,7 @@

 namespace OC\Security\Bruteforce;

+use OC\Security\Normalizer\IpAddress;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\IConfig;
 use OCP\IDBConnection;
@ -82,67 +83,6 @@ class Throttler {
 		return $d2->diff($d1);
 	}

-	/**
-	 * Return the given subnet for an IPv4 address and mask bits
-	 *
-	 * @param string $ip
-	 * @param int $maskBits
-	 * @return string
-	 */
-	private function getIPv4Subnet($ip,
-								  $maskBits = 32) {
-		$binary = \inet_pton($ip);
-		for ($i = 32; $i > $maskBits; $i -= 8) {
-			$j = \intdiv($i, 8) - 1;
-			$k = (int) \min(8, $i - $maskBits);
-			$mask = (0xff - ((pow(2, $k)) - 1));
-			$int = \unpack('C', $binary[$j]);
-			$binary[$j] = \pack('C', $int[1] & $mask);
-		}
-		return \inet_ntop($binary).'/'.$maskBits;
-	}
-
-	/**
-	 * Return the given subnet for an IPv6 address and mask bits
-	 *
-	 * @param string $ip
-	 * @param int $maskBits
-	 * @return string
-	 */
-	private function getIPv6Subnet($ip, $maskBits = 48) {
-		$binary = \inet_pton($ip);
-		for ($i = 128; $i > $maskBits; $i -= 8) {
-			$j = \intdiv($i, 8) - 1;
-			$k = (int) \min(8, $i - $maskBits);
-			$mask = (0xff - ((pow(2, $k)) - 1));
-			$int = \unpack('C', $binary[$j]);
-			$binary[$j] = \pack('C', $int[1] & $mask);
-		}
-		return \inet_ntop($binary).'/'.$maskBits;
-	}
-
-	/**
-	 * Return the given subnet for an IP and the configured mask bits
-	 *
-	 * Determine if the IP is an IPv4 or IPv6 address, then pass to the correct
-	 * method for handling that specific type.
-	 *
-	 * @param string $ip
-	 * @return string
-	 */
-	private function getSubnet($ip) {
-		if (\preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $ip)) {
-			return $this->getIPv4Subnet(
-				$ip,
-				32
-			);
-		}
-		return $this->getIPv6Subnet(
-			$ip,
-			128
-		);
-	}
-
 	/**
 	 * Register a failed attempt to bruteforce a security control
 	 *
@ -158,11 +98,12 @@ class Throttler {
 			return;
 		}

+		$ipAddress = new IpAddress($ip);
 		$values = [
 			'action' => $action,
 			'occurred' => $this->timeFactory->getTime(),
-			'ip' => $ip,
-			'subnet' => $this->getSubnet($ip),
+			'ip' => (string)$ipAddress,
+			'subnet' => $ipAddress->getSubnet(),
 			'metadata' => json_encode($metadata),
 		];

@ -254,7 +195,8 @@ class Throttler {
 	 * @return int
 	 */
 	public function getDelay($ip, $action = '') {
-		if ($this->isIPWhitelisted($ip)) {
+		$ipAddress = new IpAddress($ip);
+		if ($this->isIPWhitelisted((string)$ipAddress)) {
 			return 0;
 		}

@ -266,7 +208,7 @@ class Throttler {
 		$qb->select('*')
 			->from('bruteforce_attempts')
 			->where($qb->expr()->gt('occurred', $qb->createNamedParameter($cutoffTime)))
-			->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($this->getSubnet($ip))));
+			->andWhere($qb->expr()->eq('subnet', $qb->createNamedParameter($ipAddress->getSubnet())));

 		if ($action !== '') {
 			$qb->andWhere($qb->expr()->eq('action', $qb->createNamedParameter($action)));
--- a/lib/private/Security/Normalizer/IpAddress.php
+++ b/lib/private/Security/Normalizer/IpAddress.php
@ -0,0 +1,106 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\Security\Normalizer;
+
+/**
+ * Class IpAddress is used for normalizing IPv4 and IPv6 addresses in security
+ * relevant contexts in Nextcloud.
+ *
+ * @package OC\Security\Normalizer
+ */
+class IpAddress {
+	/** @var string */
+	private $ip;
+
+	/**
+	 * @param string $ip IP to normalized
+	 */
+	public function __construct($ip) {
+		$this->ip = $ip;
+	}
+
+	/**
+	 * Return the given subnet for an IPv4 address and mask bits
+	 *
+	 * @param string $ip
+	 * @param int $maskBits
+	 * @return string
+	 */
+	private function getIPv4Subnet($ip,
+								   $maskBits = 32) {
+		$binary = \inet_pton($ip);
+		for ($i = 32; $i > $maskBits; $i -= 8) {
+			$j = \intdiv($i, 8) - 1;
+			$k = (int) \min(8, $i - $maskBits);
+			$mask = (0xff - ((pow(2, $k)) - 1));
+			$int = \unpack('C', $binary[$j]);
+			$binary[$j] = \pack('C', $int[1] & $mask);
+		}
+		return \inet_ntop($binary).'/'.$maskBits;
+	}
+
+	/**
+	 * Return the given subnet for an IPv6 address and mask bits
+	 *
+	 * @param string $ip
+	 * @param int $maskBits
+	 * @return string
+	 */
+	private function getIPv6Subnet($ip, $maskBits = 48) {
+		$binary = \inet_pton($ip);
+		for ($i = 128; $i > $maskBits; $i -= 8) {
+			$j = \intdiv($i, 8) - 1;
+			$k = (int) \min(8, $i - $maskBits);
+			$mask = (0xff - ((pow(2, $k)) - 1));
+			$int = \unpack('C', $binary[$j]);
+			$binary[$j] = \pack('C', $int[1] & $mask);
+		}
+		return \inet_ntop($binary).'/'.$maskBits;
+	}
+
+	/**
+	 * Gets either the /32 (IPv4) or the /128 (IPv6) subnet of an IP address
+	 *
+	 * @return string
+	 */
+	public function getSubnet() {
+		if (\preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/', $this->ip)) {
+			return $this->getIPv4Subnet(
+				$this->ip,
+				32
+			);
+		}
+		return $this->getIPv6Subnet(
+			$this->ip,
+			128
+		);
+	}
+
+	/**
+	 * Returns the specified IP address
+	 *
+	 * @return string
+	 */
+	public function __toString() {
+		return $this->ip;
+	}
+}
--- a/lib/private/Security/RateLimiting/Backend/IBackend.php
+++ b/lib/private/Security/RateLimiting/Backend/IBackend.php
@ -0,0 +1,50 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\Security\RateLimiting\Backend;
+
+/**
+ * Interface IBackend defines a storage backend for the rate limiting data. It
+ * should be noted that writing and reading rate limiting data is an expensive
+ * operation and one should thus make sure to only use sufficient fast backends.
+ *
+ * @package OC\Security\RateLimiting\Backend
+ */
+interface IBackend {
+	/**
+	 * Gets the amount of attempts within the last specified seconds
+	 *
+	 * @param string $methodIdentifier
+	 * @param string $userIdentifier
+	 * @param int $seconds
+	 * @return int
+	 */
+	public function getAttempts($methodIdentifier, $userIdentifier, $seconds);
+
+	/**
+	 * Registers an attempt
+	 *
+	 * @param string $methodIdentifier
+	 * @param string $userIdentifier
+	 * @param int $timestamp
+	 */
+	public function registerAttempt($methodIdentifier, $userIdentifier, $timestamp);
+}
--- a/lib/private/Security/RateLimiting/Backend/MemoryCache.php
+++ b/lib/private/Security/RateLimiting/Backend/MemoryCache.php
@ -0,0 +1,100 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\Security\RateLimiting\Backend;
+
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\ICache;
+use OCP\ICacheFactory;
+
+/**
+ * Class MemoryCache uses the configured distributed memory cache for storing
+ * rate limiting data.
+ *
+ * @package OC\Security\RateLimiting\Backend
+ */
+class MemoryCache implements IBackend {
+	/** @var ICache */
+	private $cache;
+	/** @var ITimeFactory */
+	private $timeFactory;
+
+	/**
+	 * @param ICacheFactory $cacheFactory
+	 * @param ITimeFactory $timeFactory
+	 */
+	public function __construct(ICacheFactory $cacheFactory,
+								ITimeFactory $timeFactory) {
+		$this->cache = $cacheFactory->create(__CLASS__);
+		$this->timeFactory = $timeFactory;
+	}
+
+	/**
+	 * @param string $methodIdentifier
+	 * @param string $userIdentifier
+	 * @return string
+	 */
+	private function hash($methodIdentifier, $userIdentifier) {
+		return hash('sha512', $methodIdentifier . $userIdentifier);
+	}
+
+	/**
+	 * @param string $identifier
+	 * @return array
+	 */
+	private function getExistingAttempts($identifier) {
+		$cachedAttempts = json_decode($this->cache->get($identifier), true);
+		if(is_array($cachedAttempts)) {
+			return $cachedAttempts;
+		}
+
+		return [];
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	public function getAttempts($methodIdentifier, $userIdentifier, $seconds) {
+		$identifier = $this->hash($methodIdentifier, $userIdentifier);
+		$existingAttempts = $this->getExistingAttempts($identifier);
+
+		$count = 0;
+		$currentTime = $this->timeFactory->getTime();
+		/** @var array $existingAttempts */
+		foreach ($existingAttempts as $attempt) {
+			if(($attempt + $seconds) > $currentTime) {
+				$count++;
+			}
+		}
+
+		return $count;
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	public function registerAttempt($methodIdentifier, $userIdentifier, $timestamp) {
+		$identifier = $this->hash($methodIdentifier, $userIdentifier);
+		$existingAttempts = $this->getExistingAttempts($identifier);
+		$existingAttempts[] = (string)$timestamp;
+		$this->cache->set($identifier, json_encode($existingAttempts));
+	}
+}
--- a/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php
+++ b/lib/private/Security/RateLimiting/Exception/RateLimitExceededException.php
@ -0,0 +1,31 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\Security\RateLimiting\Exception;
+
+use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
+use OCP\AppFramework\Http;
+
+class RateLimitExceededException extends SecurityException {
+	public function __construct() {
+		parent::__construct('Rate limit exceeded', Http::STATUS_TOO_MANY_REQUESTS);
+	}
+}
--- a/lib/private/Security/RateLimiting/Limiter.php
+++ b/lib/private/Security/RateLimiting/Limiter.php
@ -0,0 +1,106 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\Security\RateLimiting;
+
+use OC\Security\Normalizer\IpAddress;
+use OC\Security\RateLimiting\Backend\IBackend;
+use OC\Security\RateLimiting\Exception\RateLimitExceededException;
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\IRequest;
+use OCP\IUser;
+use OCP\IUserSession;
+
+class Limiter {
+	/** @var IBackend */
+	private $backend;
+	/** @var ITimeFactory */
+	private $timeFactory;
+
+	/**
+	 * @param IUserSession $userSession
+	 * @param IRequest $request
+	 * @param ITimeFactory $timeFactory
+	 * @param IBackend $backend
+	 */
+	public function __construct(IUserSession $userSession,
+								IRequest $request,
+								ITimeFactory $timeFactory,
+								IBackend $backend) {
+		$this->backend = $backend;
+		$this->timeFactory = $timeFactory;
+	}
+
+	/**
+	 * @param string $methodIdentifier
+	 * @param string $userIdentifier
+	 * @param int $period
+	 * @param int $limit
+	 * @throws RateLimitExceededException
+	 */
+	private function register($methodIdentifier,
+							  $userIdentifier,
+							  $period,
+							  $limit) {
+		$existingAttempts = $this->backend->getAttempts($methodIdentifier, $userIdentifier, (int)$period);
+		if ($existingAttempts >= (int)$limit) {
+			throw new RateLimitExceededException();
+		}
+
+		$this->backend->registerAttempt($methodIdentifier, $userIdentifier, $this->timeFactory->getTime());
+	}
+
+	/**
+	 * Registers attempt for an anonymous request
+	 *
+	 * @param string $identifier
+	 * @param int $anonLimit
+	 * @param int $anonPeriod
+	 * @param string $ip
+	 * @throws RateLimitExceededException
+	 */
+	public function registerAnonRequest($identifier,
+										$anonLimit,
+										$anonPeriod,
+										$ip) {
+		$ipSubnet = (new IpAddress($ip))->getSubnet();
+
+		$anonHashIdentifier = hash('sha512', 'anon::' . $identifier . $ipSubnet);
+		$this->register($identifier, $anonHashIdentifier, $anonPeriod, $anonLimit);
+	}
+
+	/**
+	 * Registers attempt for an authenticated request
+	 *
+	 * @param string $identifier
+	 * @param int $userLimit
+	 * @param int $userPeriod
+	 * @param IUser $user
+	 * @throws RateLimitExceededException
+	 */
+	public function registerUserRequest($identifier,
+										$userLimit,
+										$userPeriod,
+										IUser $user) {
+		$userHashIdentifier = hash('sha512', 'user::' . $identifier . $user->getUID());
+		$this->register($identifier, $userHashIdentifier, $userPeriod, $userLimit);
+	}
+}
--- a/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
+++ b/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
@ -40,6 +40,7 @@ use OC\Security\CSP\ContentSecurityPolicyManager;
 use OC\Security\CSP\ContentSecurityPolicyNonceManager;
 use OC\Security\CSRF\CsrfToken;
 use OC\Security\CSRF\CsrfTokenManager;
+use OC\Security\RateLimiting\Limiter;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\EmptyContentSecurityPolicy;
 use OCP\AppFramework\Http\RedirectResponse;
@ -52,6 +53,7 @@ use OCP\INavigationManager;
 use OCP\IRequest;
 use OCP\ISession;
 use OCP\IURLGenerator;
+use OCP\IUserSession;
 use OCP\Security\ISecureRandom;


@ -83,6 +85,10 @@ class SecurityMiddlewareTest extends \Test\TestCase {
 	private $csrfTokenManager;
 	/** @var ContentSecurityPolicyNonceManager|\PHPUnit_Framework_MockObject_MockObject */
 	private $cspNonceManager;
+	/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
+	private $userSession;
+	/** @var Limiter|\PHPUnit_Framework_MockObject_MockObject */
+	private $limiter;
 	/** @var  Throttler|\PHPUnit_Framework_MockObject_MockObject */
 	private $bruteForceThrottler;

@ -93,6 +99,8 @@ class SecurityMiddlewareTest extends \Test\TestCase {
 		$this->reader = new ControllerMethodReflector();
 		$this->logger = $this->createMock(ILogger::class);
 		$this->navigationManager = $this->createMock(INavigationManager::class);
+		$this->userSession = $this->createMock(IUserSession::class);
+		$this->limiter = $this->createMock(Limiter::class);
 		$this->urlGenerator = $this->createMock(IURLGenerator::class);
 		$this->session = $this->createMock(ISession::class);
 		$this->request = $this->createMock(IRequest::class);
@ -111,6 +119,11 @@ class SecurityMiddlewareTest extends \Test\TestCase {
 	 * @return SecurityMiddleware
 	 */
 	private function getMiddleware($isLoggedIn, $isAdminUser) {
+		$this->userSession
+			->expects($this->any())
+			->method('isLoggedIn')
+			->willReturn($isLoggedIn);
+
 		return new SecurityMiddleware(
 			$this->request,
 			$this->reader,
@ -119,12 +132,13 @@ class SecurityMiddlewareTest extends \Test\TestCase {
 			$this->logger,
 			$this->session,
 			'files',
-			$isLoggedIn,
+			$this->userSession,
 			$isAdminUser,
 			$this->contentSecurityPolicyManager,
 			$this->csrfTokenManager,
 			$this->cspNonceManager,
-			$this->bruteForceThrottler
+			$this->bruteForceThrottler,
+			$this->limiter
 		);
 	}

@ -673,14 +687,36 @@ class SecurityMiddlewareTest extends \Test\TestCase {
 			$this->logger,
 			$this->session,
 			'files',
-			false,
+			$this->userSession,
 			false,
 			$this->contentSecurityPolicyManager,
 			$this->csrfTokenManager,
 			$this->cspNonceManager,
-			$this->bruteForceThrottler
+			$this->bruteForceThrottler,
+			$this->limiter
 		);

+		$reader
+			->expects($this->at(0))
+			->method('getAnnotationParameter')
+			->with('AnonRateThrottle', 'limit')
+			->willReturn('');
+		$reader
+			->expects($this->at(1))
+			->method('getAnnotationParameter')
+			->with('AnonRateThrottle', 'period')
+			->willReturn('');
+		$reader
+			->expects($this->at(2))
+			->method('getAnnotationParameter')
+			->with('UserRateThrottle', 'limit')
+			->willReturn('');
+		$reader
+			->expects($this->at(3))
+			->method('getAnnotationParameter')
+			->with('UserRateThrottle', 'period')
+			->willReturn('');
+
 		$reader->expects($this->any())->method('hasAnnotation')
 			->willReturnCallback(
 				function($annotation) use ($bruteForceProtectionEnabled) {
--- a/tests/lib/Security/Bruteforce/ThrottlerTest.php
+++ b/tests/lib/Security/Bruteforce/ThrottlerTest.php
@ -76,51 +76,6 @@ class ThrottlerTest extends TestCase {
 		$this->assertLessThan(2, $cutoff->s);
 	}

-	public function testSubnet() {
-		// IPv4
-		$this->assertSame(
-			'64.233.191.254/32',
-			$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 32])
-		);
-		$this->assertSame(
-			'64.233.191.252/30',
-			$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 30])
-		);
-		$this->assertSame(
-			'64.233.191.240/28',
-			$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 28])
-		);
-		$this->assertSame(
-			'64.233.191.0/24',
-			$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 24])
-		);
-		$this->assertSame(
-			'64.233.188.0/22',
-			$this->invokePrivate($this->throttler, 'getIPv4Subnet', ['64.233.191.254', 22])
-		);
-		// IPv6
-		$this->assertSame(
-			'2001:db8:85a3::8a2e:370:7334/127',
-			$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 127])
-		);
-		$this->assertSame(
-			'2001:db8:85a3::8a2e:370:7300/120',
-			$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7300', 120])
-		);
-		$this->assertSame(
-			'2001:db8:85a3::/64',
-			$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 64])
-		);
-		$this->assertSame(
-			'2001:db8:85a3::/48',
-			$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 48])
-		);
-		$this->assertSame(
-			'2001:db8:8500::/40',
-			$this->invokePrivate($this->throttler, 'getIPv6Subnet', ['2001:0db8:85a3:0000:0000:8a2e:0370:7334', 40])
-		);
-	}
-
 	public function dataIsIPWhitelisted() {
 		return [
 			[
--- a/tests/lib/Security/Normalizer/IpAddressTest.php
+++ b/tests/lib/Security/Normalizer/IpAddressTest.php
@ -0,0 +1,59 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace Test\Security\Normalizer;
+
+use OC\Security\Normalizer\IpAddress;
+use Test\TestCase;
+
+class IpAddressTest extends TestCase {
+
+	public function subnetDataProvider() {
+		return [
+			[
+				'64.233.191.254',
+				'64.233.191.254/32',
+			],
+			[
+				'192.168.0.123',
+				'192.168.0.123/32',
+			],
+			[
+				'2001:0db8:85a3:0000:0000:8a2e:0370:7334',
+				'2001:db8:85a3::8a2e:370:7334/128',
+			],
+		];
+	}
+
+	/**
+	 * @dataProvider subnetDataProvider
+	 *
+	 * @param string $input
+	 * @param string $expected
+	 */
+	public function testGetSubnet($input, $expected) {
+		$this->assertSame($expected, (new IpAddress($input))->getSubnet());
+	}
+
+	public function testToString() {
+		$this->assertSame('127.0.0.1', (string)(new IpAddress('127.0.0.1')));
+	}
+}
--- a/tests/lib/Security/RateLimiting/Backend/MemoryCacheTest.php
+++ b/tests/lib/Security/RateLimiting/Backend/MemoryCacheTest.php
@ -0,0 +1,138 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace Test\Security\RateLimiting\Backend;
+
+use OC\Security\RateLimiting\Backend\MemoryCache;
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\ICache;
+use OCP\ICacheFactory;
+use Test\TestCase;
+
+class MemoryCacheTest extends TestCase {
+	/** @var ICacheFactory|\PHPUnit_Framework_MockObject_MockObject */
+	private $cacheFactory;
+	/** @var ITimeFactory|\PHPUnit_Framework_MockObject_MockObject */
+	private $timeFactory;
+	/** @var ICache|\PHPUnit_Framework_MockObject_MockObject */
+	private $cache;
+	/** @var MemoryCache */
+	private $memoryCache;
+
+	public function setUp() {
+		parent::setUp();
+
+		$this->cacheFactory = $this->createMock(ICacheFactory::class);
+		$this->timeFactory = $this->createMock(ITimeFactory::class);
+		$this->cache = $this->createMock(ICache::class);
+
+		$this->cacheFactory
+			->expects($this->once())
+			->method('create')
+			->with('OC\Security\RateLimiting\Backend\MemoryCache')
+			->willReturn($this->cache);
+
+		$this->memoryCache = new MemoryCache(
+			$this->cacheFactory,
+			$this->timeFactory
+		);
+	}
+
+	public function testGetAttemptsWithNoAttemptsBefore() {
+		$this->cache
+			->expects($this->once())
+			->method('get')
+			->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
+			->willReturn(false);
+
+		$this->assertSame(0, $this->memoryCache->getAttempts('Method', 'User', 123));
+	}
+
+	public function testGetAttempts() {
+		$this->timeFactory
+			->expects($this->once())
+			->method('getTime')
+			->willReturn(210);
+		$this->cache
+			->expects($this->once())
+			->method('get')
+			->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
+			->willReturn(json_encode([
+				'1',
+				'2',
+				'87',
+				'123',
+				'123',
+				'124',
+			]));
+
+		$this->assertSame(3, $this->memoryCache->getAttempts('Method', 'User', 123));
+	}
+
+	public function testRegisterAttemptWithNoAttemptsBefore() {
+		$this->cache
+			->expects($this->once())
+			->method('get')
+			->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
+			->willReturn(false);
+		$this->cache
+			->expects($this->once())
+			->method('set')
+			->with(
+				'eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b',
+				json_encode(['123'])
+			);
+
+		$this->memoryCache->registerAttempt('Method', 'User', 123);
+	}
+
+	public function testRegisterAttempts() {
+		$this->cache
+			->expects($this->once())
+			->method('get')
+			->with('eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b')
+			->willReturn(json_encode([
+				'1',
+				'2',
+				'87',
+				'123',
+				'123',
+				'124',
+			]));
+		$this->cache
+			->expects($this->once())
+			->method('set')
+			->with(
+				'eea460b8d756885099c7f0a4c083bf6a745069ee4a301984e726df58fd4510bffa2dac4b7fd5d835726a6753ffa8343ba31c7e902bbef78fc68c2e743667cb4b',
+				json_encode([
+					'1',
+					'2',
+					'87',
+					'123',
+					'123',
+					'124',
+					'129',
+				])
+			);
+
+		$this->memoryCache->registerAttempt('Method', 'User', 129);
+	}
+}
--- a/tests/lib/Security/RateLimiting/LimiterTest.php
+++ b/tests/lib/Security/RateLimiting/LimiterTest.php
@ -0,0 +1,161 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace Test\Security\RateLimiting;
+
+use OC\Security\RateLimiting\Backend\IBackend;
+use OC\Security\RateLimiting\Limiter;
+use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\ICacheFactory;
+use OCP\IRequest;
+use OCP\IUser;
+use OCP\IUserSession;
+use Test\TestCase;
+
+class LimiterTest extends TestCase {
+	/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
+	private $userSession;
+	/** @var IRequest|\PHPUnit_Framework_MockObject_MockObject */
+	private $request;
+	/** @var ITimeFactory|\PHPUnit_Framework_MockObject_MockObject */
+	private $timeFactory;
+	/** @var IBackend|\PHPUnit_Framework_MockObject_MockObject */
+	private $backend;
+	/** @var Limiter */
+	private $limiter;
+
+	public function setUp() {
+		parent::setUp();
+
+		$this->userSession = $this->createMock(IUserSession::class);
+		$this->request = $this->createMock(IRequest::class);
+		$this->timeFactory = $this->createMock(ITimeFactory::class);
+		$this->backend = $this->createMock(IBackend::class);
+
+		$this->limiter = new Limiter(
+			$this->userSession,
+			$this->request,
+			$this->timeFactory,
+			$this->backend
+		);
+	}
+
+	/**
+	 * @expectedException \OC\Security\RateLimiting\Exception\RateLimitExceededException
+	 * @expectedExceptionMessage Rate limit exceeded
+	 */
+	public function testRegisterAnonRequestExceeded() {
+		$this->backend
+			->expects($this->once())
+			->method('getAttempts')
+			->with(
+				'MyIdentifier',
+				'4664f0d9c88dcb7552be47b37bb52ce35977b2e60e1ac13757cf625f31f87050a41f3da064887fa87d49fd042e4c8eb20de8f10464877d3959677ab011b73a47',
+				100
+			)
+			->willReturn(101);
+
+		$this->limiter->registerAnonRequest('MyIdentifier', 100, 100, '127.0.0.1');
+	}
+
+	public function testRegisterAnonRequestSuccess() {
+		$this->timeFactory
+			->expects($this->once())
+			->method('getTime')
+			->willReturn(2000);
+		$this->backend
+			->expects($this->once())
+			->method('getAttempts')
+			->with(
+				'MyIdentifier',
+				'4664f0d9c88dcb7552be47b37bb52ce35977b2e60e1ac13757cf625f31f87050a41f3da064887fa87d49fd042e4c8eb20de8f10464877d3959677ab011b73a47',
+				100
+			)
+			->willReturn(99);
+		$this->backend
+			->expects($this->once())
+			->method('registerAttempt')
+			->with(
+				'MyIdentifier',
+				'4664f0d9c88dcb7552be47b37bb52ce35977b2e60e1ac13757cf625f31f87050a41f3da064887fa87d49fd042e4c8eb20de8f10464877d3959677ab011b73a47',
+				2000
+			);
+
+		$this->limiter->registerAnonRequest('MyIdentifier', 100, 100, '127.0.0.1');
+	}
+
+	/**
+	 * @expectedException \OC\Security\RateLimiting\Exception\RateLimitExceededException
+	 * @expectedExceptionMessage Rate limit exceeded
+	 */
+	public function testRegisterUserRequestExceeded() {
+		/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */
+		$user = $this->createMock(IUser::class);
+		$user
+			->expects($this->once())
+			->method('getUID')
+			->willReturn('MyUid');
+		$this->backend
+			->expects($this->once())
+			->method('getAttempts')
+			->with(
+				'MyIdentifier',
+				'ddb2ec50fa973fd49ecf3d816f677c8095143e944ad10485f30fb3dac85c13a346dace4dae2d0a15af91867320957bfd38a43d9eefbb74fe6919e15119b6d805',
+				100
+			)
+			->willReturn(101);
+
+		$this->limiter->registerUserRequest('MyIdentifier', 100, 100, $user);
+	}
+
+	public function testRegisterUserRequestSuccess() {
+		/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */
+		$user = $this->createMock(IUser::class);
+		$user
+			->expects($this->once())
+			->method('getUID')
+			->willReturn('MyUid');
+
+		$this->timeFactory
+			->expects($this->once())
+			->method('getTime')
+			->willReturn(2000);
+		$this->backend
+			->expects($this->once())
+			->method('getAttempts')
+			->with(
+				'MyIdentifier',
+				'ddb2ec50fa973fd49ecf3d816f677c8095143e944ad10485f30fb3dac85c13a346dace4dae2d0a15af91867320957bfd38a43d9eefbb74fe6919e15119b6d805',
+				100
+			)
+			->willReturn(99);
+		$this->backend
+			->expects($this->once())
+			->method('registerAttempt')
+			->with(
+				'MyIdentifier',
+				'ddb2ec50fa973fd49ecf3d816f677c8095143e944ad10485f30fb3dac85c13a346dace4dae2d0a15af91867320957bfd38a43d9eefbb74fe6919e15119b6d805',
+				2000
+			);
+
+		$this->limiter->registerUserRequest('MyIdentifier', 100, 100, $user);
+	}
+}