nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-05 05:00:19 -05:00
Code

[PM-6141] Remove rate limiting ip blocker (#3754)

Browse Source 
* remove rate limiting ip blocker

* remove using

* fix tests
This commit is contained in:
Kyle Spearrin 2024-02-07 12:23:26 -05:00 committed by GitHub
parent 6e6b50fd86
commit a019355ab4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 2 additions and 643 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/Admin/AdminSettings.cs
View File

@ -3,13 +3,5 @@
public class AdminSettings
{
public virtual string Admins { get; set; }
public virtual CloudflareSettings Cloudflare { get; set; }
public int? DeleteTrashDaysAgo { get; set; }
public class CloudflareSettings
{
public string ZoneId { get; set; }
public string AuthEmail { get; set; }
public string AuthKey { get; set; }
}
}

83
src/Admin/HostedServices/AmazonSqsBlockIpHostedService.cs
View File

@ -1,83 +0,0 @@
using Amazon;
using Amazon.SQS;
using Amazon.SQS.Model;
using Bit.Core.Settings;
using Microsoft.Extensions.Options;
namespace Bit.Admin.HostedServices;
public class AmazonSqsBlockIpHostedService : BlockIpHostedService
{
private AmazonSQSClient _client;
public AmazonSqsBlockIpHostedService(
ILogger<AmazonSqsBlockIpHostedService> logger,
IOptions<AdminSettings> adminSettings,
GlobalSettings globalSettings)
: base(logger, adminSettings, globalSettings)
{ }
public override void Dispose()
{
_client?.Dispose();
}
protected override async Task ExecuteAsync(CancellationToken cancellationToken)
{
_client = new AmazonSQSClient(_globalSettings.Amazon.AccessKeyId,
_globalSettings.Amazon.AccessKeySecret, RegionEndpoint.GetBySystemName(_globalSettings.Amazon.Region));
var blockIpQueue = await _client.GetQueueUrlAsync("block-ip", cancellationToken);
var blockIpQueueUrl = blockIpQueue.QueueUrl;
var unblockIpQueue = await _client.GetQueueUrlAsync("unblock-ip", cancellationToken);
var unblockIpQueueUrl = unblockIpQueue.QueueUrl;
while (!cancellationToken.IsCancellationRequested)
{
var blockMessageResponse = await _client.ReceiveMessageAsync(new ReceiveMessageRequest
{
QueueUrl = blockIpQueueUrl,
MaxNumberOfMessages = 10,
WaitTimeSeconds = 15
}, cancellationToken);
if (blockMessageResponse.Messages.Any())
{
foreach (var message in blockMessageResponse.Messages)
{
try
{
await BlockIpAsync(message.Body, cancellationToken);
}
catch (Exception e)
{
_logger.LogError(e, "Failed to block IP.");
}
await _client.DeleteMessageAsync(blockIpQueueUrl, message.ReceiptHandle, cancellationToken);
}
}
var unblockMessageResponse = await _client.ReceiveMessageAsync(new ReceiveMessageRequest
{
QueueUrl = unblockIpQueueUrl,
MaxNumberOfMessages = 10,
WaitTimeSeconds = 15
}, cancellationToken);
if (unblockMessageResponse.Messages.Any())
{
foreach (var message in unblockMessageResponse.Messages)
{
try
{
await UnblockIpAsync(message.Body, cancellationToken);
}
catch (Exception e)
{
_logger.LogError(e, "Failed to unblock IP.");
}
await _client.DeleteMessageAsync(unblockIpQueueUrl, message.ReceiptHandle, cancellationToken);
}
}
await Task.Delay(TimeSpan.FromSeconds(15));
}
}
}

63
src/Admin/HostedServices/AzureQueueBlockIpHostedService.cs
View File

@ -1,63 +0,0 @@
using Azure.Storage.Queues;
using Bit.Core.Settings;
using Microsoft.Extensions.Options;
namespace Bit.Admin.HostedServices;
public class AzureQueueBlockIpHostedService : BlockIpHostedService
{
private QueueClient _blockIpQueueClient;
private QueueClient _unblockIpQueueClient;
public AzureQueueBlockIpHostedService(
ILogger<AzureQueueBlockIpHostedService> logger,
IOptions<AdminSettings> adminSettings,
GlobalSettings globalSettings)
: base(logger, adminSettings, globalSettings)
{ }
protected override async Task ExecuteAsync(CancellationToken cancellationToken)
{
_blockIpQueueClient = new QueueClient(_globalSettings.Storage.ConnectionString, "blockip");
_unblockIpQueueClient = new QueueClient(_globalSettings.Storage.ConnectionString, "unblockip");
while (!cancellationToken.IsCancellationRequested)
{
var blockMessages = await _blockIpQueueClient.ReceiveMessagesAsync(maxMessages: 32);
if (blockMessages.Value?.Any() ?? false)
{
foreach (var message in blockMessages.Value)
{
try
{
await BlockIpAsync(message.MessageText, cancellationToken);
}
catch (Exception e)
{
_logger.LogError(e, "Failed to block IP.");
}
await _blockIpQueueClient.DeleteMessageAsync(message.MessageId, message.PopReceipt);
}
}
var unblockMessages = await _unblockIpQueueClient.ReceiveMessagesAsync(maxMessages: 32);
if (unblockMessages.Value?.Any() ?? false)
{
foreach (var message in unblockMessages.Value)
{
try
{
await UnblockIpAsync(message.MessageText, cancellationToken);
}
catch (Exception e)
{
_logger.LogError(e, "Failed to unblock IP.");
}
await _unblockIpQueueClient.DeleteMessageAsync(message.MessageId, message.PopReceipt);
}
}
await Task.Delay(TimeSpan.FromSeconds(15));
}
}
}

164
src/Admin/HostedServices/BlockIpHostedService.cs
View File

@ -1,164 +0,0 @@
using Bit.Core.Settings;
using Microsoft.Extensions.Options;
namespace Bit.Admin.HostedServices;
public abstract class BlockIpHostedService : IHostedService, IDisposable
{
protected readonly ILogger<BlockIpHostedService> _logger;
protected readonly GlobalSettings _globalSettings;
private readonly AdminSettings _adminSettings;
private Task _executingTask;
private CancellationTokenSource _cts;
private HttpClient _httpClient = new HttpClient();
public BlockIpHostedService(
ILogger<BlockIpHostedService> logger,
IOptions<AdminSettings> adminSettings,
GlobalSettings globalSettings)
{
_logger = logger;
_globalSettings = globalSettings;
_adminSettings = adminSettings?.Value;
}
public Task StartAsync(CancellationToken cancellationToken)
{
_cts = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
_executingTask = ExecuteAsync(_cts.Token);
return _executingTask.IsCompleted ? _executingTask : Task.CompletedTask;
}
public async Task StopAsync(CancellationToken cancellationToken)
{
if (_executingTask == null)
{
return;
}
_cts.Cancel();
await Task.WhenAny(_executingTask, Task.Delay(-1, cancellationToken));
cancellationToken.ThrowIfCancellationRequested();
}
public virtual void Dispose()
{ }
protected abstract Task ExecuteAsync(CancellationToken cancellationToken);
protected async Task BlockIpAsync(string message, CancellationToken cancellationToken)
{
var request = new HttpRequestMessage();
request.Headers.Accept.Clear();
request.Headers.Add("X-Auth-Email", _adminSettings.Cloudflare.AuthEmail);
request.Headers.Add("X-Auth-Key", _adminSettings.Cloudflare.AuthKey);
request.Method = HttpMethod.Post;
request.RequestUri = new Uri("https://api.cloudflare.com/" +
$"client/v4/zones/{_adminSettings.Cloudflare.ZoneId}/firewall/access_rules/rules");
request.Content = JsonContent.Create(new
{
mode = "block",
configuration = new
{
target = "ip",
value = message
},
notes = $"Rate limit abuse on {DateTime.UtcNow.ToString()}."
});
var response = await _httpClient.SendAsync(request, cancellationToken);
if (!response.IsSuccessStatusCode)
{
return;
}
var accessRuleResponse = await response.Content.ReadFromJsonAsync<AccessRuleResponse>(cancellationToken: cancellationToken);
if (!accessRuleResponse.Success)
{
return;
}
// TODO: Send `accessRuleResponse.Result?.Id` message to unblock queue
}
protected async Task UnblockIpAsync(string message, CancellationToken cancellationToken)
{
if (string.IsNullOrWhiteSpace(message))
{
return;
}
if (message.Contains(".") || message.Contains(":"))
{
// IP address messages
var request = new HttpRequestMessage();
request.Headers.Accept.Clear();
request.Headers.Add("X-Auth-Email", _adminSettings.Cloudflare.AuthEmail);
request.Headers.Add("X-Auth-Key", _adminSettings.Cloudflare.AuthKey);
request.Method = HttpMethod.Get;
request.RequestUri = new Uri("https://api.cloudflare.com/" +
$"client/v4/zones/{_adminSettings.Cloudflare.ZoneId}/firewall/access_rules/rules?" +
$"configuration_target=ip&configuration_value={message}");
var response = await _httpClient.SendAsync(request, cancellationToken);
if (!response.IsSuccessStatusCode)
{
return;
}
var listResponse = await response.Content.ReadFromJsonAsync<ListResponse>(cancellationToken: cancellationToken);
if (!listResponse.Success)
{
return;
}
foreach (var rule in listResponse.Result)
{
await DeleteAccessRuleAsync(rule.Id, cancellationToken);
}
}
else
{
// Rule Id messages
await DeleteAccessRuleAsync(message, cancellationToken);
}
}
protected async Task DeleteAccessRuleAsync(string ruleId, CancellationToken cancellationToken)
{
var request = new HttpRequestMessage();
request.Headers.Accept.Clear();
request.Headers.Add("X-Auth-Email", _adminSettings.Cloudflare.AuthEmail);
request.Headers.Add("X-Auth-Key", _adminSettings.Cloudflare.AuthKey);
request.Method = HttpMethod.Delete;
request.RequestUri = new Uri("https://api.cloudflare.com/" +
$"client/v4/zones/{_adminSettings.Cloudflare.ZoneId}/firewall/access_rules/rules/{ruleId}");
await _httpClient.SendAsync(request, cancellationToken);
}
public class ListResponse
{
public bool Success { get; set; }
public List<AccessRuleResultResponse> Result { get; set; }
}
public class AccessRuleResponse
{
public bool Success { get; set; }
public AccessRuleResultResponse Result { get; set; }
}
public class AccessRuleResultResponse
{
public string Id { get; set; }
public string Notes { get; set; }
public ConfigurationResponse Configuration { get; set; }
public class ConfigurationResponse
{
public string Target { get; set; }
public string Value { get; set; }
}
}
}

8
src/Admin/Startup.cs
View File

@ -118,14 +118,6 @@ public class Startup
}
else
{
if (CoreHelpers.SettingHasValue(globalSettings.Storage.ConnectionString))
{
services.AddHostedService<HostedServices.AzureQueueBlockIpHostedService>();
}
else if (CoreHelpers.SettingHasValue(globalSettings.Amazon?.AccessKeySecret))
{
services.AddHostedService<HostedServices.AmazonSqsBlockIpHostedService>();
}
if (CoreHelpers.SettingHasValue(globalSettings.Mail.ConnectionString))
{
services.AddHostedService<HostedServices.AzureQueueMailHostedService>();

9
src/Admin/appsettings.json
View File

@ -1,4 +1,4 @@
{
{
"globalSettings": {
"selfHosted": false,
"siteName": "Bitwarden",
@ -48,12 +48,7 @@
}
},
"adminSettings": {
"admins": "",
"cloudflare": {
"zoneId": "SECRET",
"authEmail": "SECRET",
"authKey": "SECRET"
}
"admins": ""
},
"braintree": {
"production": false,

6
src/Core/Services/IBlockIpService.cs
View File

@ -1,6 +0,0 @@
namespace Bit.Core.Services;
public interface IBlockIpService
{
Task BlockIpAsync(string ipAddress, bool permanentBlock);
}

81
src/Core/Services/Implementations/AmazonSqsBlockIpService.cs
View File

@ -1,81 +0,0 @@
using Amazon;
using Amazon.SQS;
using Bit.Core.Settings;
namespace Bit.Core.Services;
public class AmazonSqsBlockIpService : IBlockIpService, IDisposable
{
private readonly IAmazonSQS _client;
private string _blockIpQueueUrl;
private string _unblockIpQueueUrl;
private bool _didInit = false;
private Tuple<string, bool, DateTime> _lastBlock;
public AmazonSqsBlockIpService(
GlobalSettings globalSettings)
: this(globalSettings, new AmazonSQSClient(
globalSettings.Amazon.AccessKeyId,
globalSettings.Amazon.AccessKeySecret,
RegionEndpoint.GetBySystemName(globalSettings.Amazon.Region))
)
{
}
public AmazonSqsBlockIpService(
GlobalSettings globalSettings,
IAmazonSQS amazonSqs)
{
if (string.IsNullOrWhiteSpace(globalSettings.Amazon?.AccessKeyId))
{
throw new ArgumentNullException(nameof(globalSettings.Amazon.AccessKeyId));
}
if (string.IsNullOrWhiteSpace(globalSettings.Amazon?.AccessKeySecret))
{
throw new ArgumentNullException(nameof(globalSettings.Amazon.AccessKeySecret));
}
if (string.IsNullOrWhiteSpace(globalSettings.Amazon?.Region))
{
throw new ArgumentNullException(nameof(globalSettings.Amazon.Region));
}
_client = amazonSqs;
}
public void Dispose()
{
_client?.Dispose();
}
public async Task BlockIpAsync(string ipAddress, bool permanentBlock)
{
var now = DateTime.UtcNow;
if (_lastBlock != null && _lastBlock.Item1 == ipAddress && _lastBlock.Item2 == permanentBlock &&
(now - _lastBlock.Item3) < TimeSpan.FromMinutes(1))
{
// Already blocked this IP recently.
return;
}
_lastBlock = new Tuple<string, bool, DateTime>(ipAddress, permanentBlock, now);
await _client.SendMessageAsync(_blockIpQueueUrl, ipAddress);
if (!permanentBlock)
{
await _client.SendMessageAsync(_unblockIpQueueUrl, ipAddress);
}
}
private async Task InitAsync()
{
if (_didInit)
{
return;
}
var blockIpQueue = await _client.GetQueueUrlAsync("block-ip");
_blockIpQueueUrl = blockIpQueue.QueueUrl;
var unblockIpQueue = await _client.GetQueueUrlAsync("unblock-ip");
_unblockIpQueueUrl = unblockIpQueue.QueueUrl;
_didInit = true;
}
}

36
src/Core/Services/Implementations/AzureQueueBlockIpService.cs
View File

@ -1,36 +0,0 @@
using Azure.Storage.Queues;
using Bit.Core.Settings;
namespace Bit.Core.Services;
public class AzureQueueBlockIpService : IBlockIpService
{
private readonly QueueClient _blockIpQueueClient;
private readonly QueueClient _unblockIpQueueClient;
private Tuple<string, bool, DateTime> _lastBlock;
public AzureQueueBlockIpService(
GlobalSettings globalSettings)
{
_blockIpQueueClient = new QueueClient(globalSettings.Storage.ConnectionString, "blockip");
_unblockIpQueueClient = new QueueClient(globalSettings.Storage.ConnectionString, "unblockip");
}
public async Task BlockIpAsync(string ipAddress, bool permanentBlock)
{
var now = DateTime.UtcNow;
if (_lastBlock != null && _lastBlock.Item1 == ipAddress && _lastBlock.Item2 == permanentBlock &&
(now - _lastBlock.Item3) < TimeSpan.FromMinutes(1))
{
// Already blocked this IP recently.
return;
}
_lastBlock = new Tuple<string, bool, DateTime>(ipAddress, permanentBlock, now);
await _blockIpQueueClient.SendMessageAsync(ipAddress);
if (!permanentBlock)
{
await _unblockIpQueueClient.SendMessageAsync(ipAddress, new TimeSpan(0, 15, 0));
}
}
}

10
src/Core/Services/NoopImplementations/NoopBlockIpService.cs
View File

@ -1,10 +0,0 @@
namespace Bit.Core.Services;
public class NoopBlockIpService : IBlockIpService
{
public Task BlockIpAsync(string ipAddress, bool permanentBlock)
{
// Do nothing
return Task.FromResult(0);
}
}

55
src/Core/Utilities/CustomIpRateLimitMiddleware.cs
View File

@ -1,8 +1,6 @@
using AspNetCoreRateLimit;
using Bit.Core.Models.Api;
using Bit.Core.Services;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
@ -10,14 +8,9 @@ namespace Bit.Core.Utilities;
public class CustomIpRateLimitMiddleware : IpRateLimitMiddleware
{
private readonly IBlockIpService _blockIpService;
private readonly ILogger<CustomIpRateLimitMiddleware> _logger;
private readonly IDistributedCache _distributedCache;
private readonly IpRateLimitOptions _options;
public CustomIpRateLimitMiddleware(
IDistributedCache distributedCache,
IBlockIpService blockIpService,
RequestDelegate next,
IProcessingStrategy processingStrategy,
IRateLimitConfiguration rateLimitConfiguration,
@ -26,10 +19,7 @@ public class CustomIpRateLimitMiddleware : IpRateLimitMiddleware
ILogger<CustomIpRateLimitMiddleware> logger)
: base(next, processingStrategy, options, policyStore, rateLimitConfiguration, logger)
{
_distributedCache = distributedCache;
_blockIpService = blockIpService;
_options = options.Value;
_logger = logger;
}
public override Task ReturnQuotaExceededResponse(HttpContext httpContext, RateLimitRule rule, string retryAfter)
@ -42,49 +32,4 @@ public class CustomIpRateLimitMiddleware : IpRateLimitMiddleware
var errorModel = new ErrorResponseModel { Message = message };
return httpContext.Response.WriteAsJsonAsync(errorModel, httpContext.RequestAborted);
}
protected override void LogBlockedRequest(HttpContext httpContext, ClientRequestIdentity identity,
RateLimitCounter counter, RateLimitRule rule)
{
base.LogBlockedRequest(httpContext, identity, counter, rule);
var key = $"blockedIp_{identity.ClientIp}";
_distributedCache.TryGetValue(key, out int blockedCount);
blockedCount++;
if (blockedCount > 10)
{
_blockIpService.BlockIpAsync(identity.ClientIp, false);
_logger.LogInformation(Constants.BypassFiltersEventId, null,
"Banned {0}. \nInfo: \n{1}", identity.ClientIp, GetRequestInfo(httpContext));
}
else
{
_logger.LogInformation(Constants.BypassFiltersEventId, null,
"Request blocked {0}. \nInfo: \n{1}", identity.ClientIp, GetRequestInfo(httpContext));
_distributedCache.Set(key, blockedCount,
new DistributedCacheEntryOptions().SetSlidingExpiration(new TimeSpan(0, 5, 0)));
}
}
private string GetRequestInfo(HttpContext httpContext)
{
if (httpContext == null || httpContext.Request == null)
{
return null;
}
var s = string.Empty;
foreach (var header in httpContext.Request.Headers)
{
s += $"Header \"{header.Key}\": {header.Value} \n";
}
foreach (var query in httpContext.Request.Query)
{
s += $"Query \"{query.Key}\": {query.Value} \n";
}
return s;
}
}

14
src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
View File

@ -272,19 +272,6 @@ public static class ServiceCollectionExtensions
services.AddSingleton<IPushRegistrationService, NoopPushRegistrationService>();
}
if (!globalSettings.SelfHosted && CoreHelpers.SettingHasValue(globalSettings.Storage?.ConnectionString))
{
services.AddSingleton<IBlockIpService, AzureQueueBlockIpService>();
}
else if (!globalSettings.SelfHosted && CoreHelpers.SettingHasValue(globalSettings.Amazon?.AccessKeySecret))
{
services.AddSingleton<IBlockIpService, AmazonSqsBlockIpService>();
}
else
{
services.AddSingleton<IBlockIpService, NoopBlockIpService>();
}
if (!globalSettings.SelfHosted && CoreHelpers.SettingHasValue(globalSettings.Mail.ConnectionString))
{
services.AddSingleton<IMailEnqueuingService, AzureQueueMailService>();
@ -366,7 +353,6 @@ public static class ServiceCollectionExtensions
services.AddSingleton<IMailService, NoopMailService>();
services.AddSingleton<IMailDeliveryService, NoopMailDeliveryService>();
services.AddSingleton<IPushNotificationService, NoopPushNotificationService>();
services.AddSingleton<IBlockIpService, NoopBlockIpService>();
services.AddSingleton<IPushRegistrationService, NoopPushRegistrationService>();
services.AddSingleton<IAttachmentStorageService, NoopAttachmentStorageService>();
services.AddSingleton<ILicensingService, NoopLicensingService>();

76
test/Core.Test/Services/AmazonSqsBlockIpServiceTests.cs
View File

@ -1,76 +0,0 @@
using Amazon.SQS;
using Bit.Core.Services;
using Bit.Core.Settings;
using NSubstitute;
using Xunit;
namespace Bit.Core.Test.Services;
public class AmazonSqsBlockIpServiceTests : IDisposable
{
private readonly AmazonSqsBlockIpService _sut;
private readonly GlobalSettings _globalSettings;
private readonly IAmazonSQS _amazonSqs;
public AmazonSqsBlockIpServiceTests()
{
_globalSettings = new GlobalSettings
{
Amazon =
{
AccessKeyId = "AccessKeyId-AmazonSesMailDeliveryServiceTests",
AccessKeySecret = "AccessKeySecret-AmazonSesMailDeliveryServiceTests",
Region = "Region-AmazonSesMailDeliveryServiceTests"
}
};
_amazonSqs = Substitute.For<IAmazonSQS>();
_sut = new AmazonSqsBlockIpService(_globalSettings, _amazonSqs);
}
public void Dispose()
{
_sut?.Dispose();
}
[Fact]
public async Task BlockIpAsync_UnblockCalled_WhenNotPermanent()
{
const string expectedIp = "ip";
await _sut.BlockIpAsync(expectedIp, false);
await _amazonSqs.Received(2).SendMessageAsync(
Arg.Any<string>(),
Arg.Is(expectedIp));
}
[Fact]
public async Task BlockIpAsync_UnblockNotCalled_WhenPermanent()
{
const string expectedIp = "ip";
await _sut.BlockIpAsync(expectedIp, true);
await _amazonSqs.Received(1).SendMessageAsync(
Arg.Any<string>(),
Arg.Is(expectedIp));
}
[Fact]
public async Task BlockIpAsync_NotBlocked_WhenAlreadyBlockedRecently()
{
const string expectedIp = "ip";
await _sut.BlockIpAsync(expectedIp, true);
// The second call should hit the already blocked guard clause
await _sut.BlockIpAsync(expectedIp, true);
await _amazonSqs.Received(1).SendMessageAsync(
Arg.Any<string>(),
Arg.Is(expectedIp));
}
}

27
test/Core.Test/Services/AzureQueueBlockIpServiceTests.cs
View File

@ -1,27 +0,0 @@
using Bit.Core.Services;
using Bit.Core.Settings;
using Xunit;
namespace Bit.Core.Test.Services;
public class AzureQueueBlockIpServiceTests
{
private readonly AzureQueueBlockIpService _sut;
private readonly GlobalSettings _globalSettings;
public AzureQueueBlockIpServiceTests()
{
_globalSettings = new GlobalSettings();
_sut = new AzureQueueBlockIpService(_globalSettings);
}
// Remove this test when we add actual tests. It only proves that
// we've properly constructed the system under test.
[Fact(Skip = "Needs additional work")]
public void ServiceExists()
{
Assert.NotNull(_sut);
}
}

5
test/IntegrationTestCommon/Factories/WebApplicationFactoryBase.cs
View File

@ -139,11 +139,6 @@ public abstract class WebApplicationFactoryBase<T> : WebApplicationFactory<T>
services.Remove(captchaValidationService);
services.AddSingleton<ICaptchaValidationService, NoopCaptchaValidationService>();
// Disable blocking
var blockingService = services.First(sd => sd.ServiceType == typeof(IBlockIpService));
services.Remove(blockingService);
services.AddSingleton<IBlockIpService, NoopBlockIpService>();
// TODO: Install and use azurite in CI pipeline
var installationDeviceRepository =
services.First(sd => sd.ServiceType == typeof(IInstallationDeviceRepository));