type: fingers_crossed
action_level: error
handler: nested
+ wsse:
+ type: stream
+ path: %kernel.logs_dir%/%kernel.environment%.wsse.log
+ level: error
+ channels: [wsse]
nested:
type: stream
path: "%kernel.logs_dir%/%kernel.environment%.log"
# the main part of the security, where you can set up firewalls
# for specific sections of your app
firewalls:
- #wsse_secured:
- # pattern: /api/.*
- # wsse: true
+ wsse_secured:
+ pattern: /api/.*
+ wsse: true
+ stateless: true
+ anonymous: true
login_firewall:
pattern: ^/login$
anonymous: ~
target: /
access_control:
+ - { path: ^/api/salt, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/doc, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: ROLE_USER }
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Wallabag\CoreBundle\Entity\Entry;
-use Wallabag\CoreBundle\Repository;
use Wallabag\CoreBundle\Service\Extractor;
use Wallabag\CoreBundle\Helper\Url;
class WallabagRestController extends Controller
{
+ /**
+ * Retrieve salt for a giver user.
+ *
+ * @ApiDoc(
+ * parameters={
+ * {"name"="username", "dataType"="string", "required"=true, "description"="username"}
+ * }
+ * )
+ * @return string
+ */
+ public function getSaltAction($username)
+ {
+ $user = $this
+ ->getDoctrine()
+ ->getRepository('WallabagCoreBundle:User')
+ ->findOneByUsername($username);
+
+ if (is_null($user)) {
+ throw $this->createNotFoundException();
+ }
+
+ return $user->getSalt();
+ }
/**
* Retrieve all entries. It could be filtered by many options.
*
$entries = $this
->getDoctrine()
->getRepository('WallabagCoreBundle:Entry')
- ->findEntries(1, $isArchived, $isStarred, $isDeleted, $sort, $order);
+ ->findEntries($this->getUser()->getId(), $isArchived, $isStarred, $isDeleted, $sort, $order);
if (!($entries)) {
throw $this->createNotFoundException();
$url = $request->request->get('url');
$content = Extractor::extract($url);
- $entry = new Entry();
- $entry->setUserId(1);
+ $entry = new Entry($this->getUser());
$entry->setUrl($url);
$entry->setTitle($request->request->get('title') ?: $content->getTitle());
$entry->setContent($content->getBody());
namespace Wallabag\CoreBundle\DependencyInjection;
use Symfony\Component\DependencyInjection\ContainerBuilder;
-use Symfony\Component\DependencyInjection\Loader\XmlFileLoader;
+use Symfony\Component\DependencyInjection\Loader\YamlFileLoader;
use Symfony\Component\HttpKernel\DependencyInjection\Extension;
use Symfony\Component\Config\FileLocator;
{
public function load(array $configs, ContainerBuilder $container)
{
- $loader = new XmlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
- $loader->load('services.xml');
+ $loader = new YamlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
+ $loader->load('services.yml');
}
public function getAlias()
/**
* Find Entries
*
- * @param int $userId
- * @param bool $isArchived
- * @param bool $isStarred
- * @param bool $isDeleted
- * @param string $sort
- * @param string $order
+ * @param int $userId
+ * @param bool $isArchived
+ * @param bool $isStarred
+ * @param bool $isDeleted
+ * @param string $sort
+ * @param string $order
*
* @return array
*/
+++ /dev/null
-<?xml version="1.0" ?>
-
-<container xmlns="http://symfony.com/schema/dic/services"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
-
- <services>
- <!-- Twig -->
- <service id="wallabag_core.twig.wallabag" class="Wallabag\CoreBundle\Twig\Extension\WallabagExtension">
- <tag name="twig.extension" />
- </service>
-
- <!-- Security -->
- <service id="wsse.security.authentication.provider"
- class="Wallabag\CoreBundle\Security\Authentication\Provider\WsseProvider" public="false">
- <argument /> <!-- User Provider -->
- <argument>%kernel.cache_dir%/security/nonces</argument>
- </service>
-
- <service id="wsse.security.authentication.listener"
- class="Wallabag\CoreBundle\Security\Firewall\WsseListener" public="false">
- <argument type="service" id="security.context"/>
- <argument type="service" id="security.authentication.manager" />
- </service>
- </services>
-
-</container>
--- /dev/null
+services:
+ wallabag_core.twig.wallabag:
+ class: Wallabag\CoreBundle\Twig\Extension\WallabagExtension
+ tags:
+ - { name: twig.extension }
+ wsse.security.authentication.provider:
+ class: Wallabag\CoreBundle\Security\Authentication\Provider\WsseProvider
+ public: false
+ arguments: ['', '%kernel.cache_dir%/security/nonces']
+ wsse.security.authentication.listener:
+ class: Wallabag\CoreBundle\Security\Firewall\WsseListener
+ public: false
+ tags:
+ - { name: monolog.logger, channel: wsse }
+ arguments: ['@security.context', '@security.authentication.manager', '@logger']
{
$this->userProvider = $userProvider;
$this->cacheDir = $cacheDir;
+
+ // If cache directory does not exist we create it
+ if (!is_dir($this->cacheDir)) {
+ mkdir($this->cacheDir, 0777, true);
+ }
}
public function authenticate(TokenInterface $token)
{
$user = $this->userProvider->loadUserByUsername($token->getUsername());
+ if (!$user) {
+ throw new AuthenticationException("Bad credentials. Did you forgot your username?");
+ }
+
if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
$authenticatedToken = new WsseUserToken($user->getRoles());
$authenticatedToken->setUser($user);
protected function validateDigest($digest, $nonce, $created, $secret)
{
- // Expire le timestamp après 5 minutes
+ // Check created time is not in the future
+ if (strtotime($created) > time()) {
+ throw new AuthenticationException("Back to the future...");
+ }
+
+ // Expire timestamp after 5 minutes
if (time() - strtotime($created) > 300) {
- return false;
+ throw new AuthenticationException("Too late for this timestamp... Watch your watch.");
}
- // Valide que le nonce est unique dans les 5 minutes
+ // Validate nonce is unique within 5 minutes
if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
throw new NonceExpiredException('Previously used nonce detected');
}
+
file_put_contents($this->cacheDir.'/'.$nonce, time());
- // Valide le Secret
+ // Validate Secret
$expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
+ if ($digest !== $expected) {
+ throw new AuthenticationException("Bad credentials ! Digest is not as expected.");
+ }
+
return $digest === $expected;
}
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
use Wallabag\CoreBundle\Security\Authentication\Token\WsseUserToken;
+use Psr\Log\LoggerInterface;
class WsseListener implements ListenerInterface
{
protected $securityContext;
protected $authenticationManager;
+ protected $logger;
- public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager)
+ public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, LoggerInterface $logger)
{
$this->securityContext = $securityContext;
$this->authenticationManager = $authenticationManager;
+ $this->logger = $logger;
}
public function handle(GetResponseEvent $event)
$authToken = $this->authenticationManager->authenticate($token);
$this->securityContext->setToken($authToken);
- } catch (AuthenticationException $failed) {
- // ... you might log something here
- // To deny the authentication clear the token. This will redirect to the login page.
- // $this->securityContext->setToken(null);
- // return;
+ return;
+ } catch (AuthenticationException $failed) {
+ $failedMessage = 'WSSE Login failed for '.$token->getUsername().'. Why ? '.$failed->getMessage();
+ $this->logger->err($failedMessage);
// Deny authentication with a '403 Forbidden' HTTP response
$response = new Response();
$response->setStatusCode(403);
+ $response->setContent($failedMessage);
$event->setResponse($response);
+
+ return;
}
}
}
namespace Wallabag\CoreBundle\Tests;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
-use Symfony\Component\BrowserKit\Cookie;
-use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
class WallabagTestCase extends WebTestCase
{