Use a listener to catch auth failure

author: Jeremy Benoist <jeremy.benoist@gmail.com> 2017-06-09 09:45:43 +0200
committer: Jeremy Benoist <jeremy.benoist@gmail.com> 2017-06-09 09:45:43 +0200
commit: f81a34e37929a822755d120215d2f18f042ff713 (patch)
tree: 086049b73cf8d547f18c28963a60f36c5679cfcc
parent: fa1c9d7cc7f3c4d2f9167a5b62bbc8cd1f9df59b (diff)
download: wallabag-f81a34e37929a822755d120215d2f18f042ff713.tar.gz
wallabag-f81a34e37929a822755d120215d2f18f042ff713.tar.zst
wallabag-f81a34e37929a822755d120215d2f18f042ff713.zip
5 files changed, 111 insertions, 68 deletions
diff --git a/app/config/security.yml b/app/config/security.yml
index 171a69e2..ffb1d356 100644
--- a/app/config/security.yml
+++ b/app/config/security.yml
@@ -41,7 +41,6 @@ security:
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
-                failure_handler: wallabag_user.security.custom_auth_failure_handler
            anonymous: true
            remember_me:
diff --git a/src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php b/src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php
new file mode 100644
index 00000000..10f13233
--- /dev/null
+++ b/src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php
@@ -0,0 +1,40 @@
+<?php
+namespace Wallabag\UserBundle\EventListener;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\Security\Core\AuthenticationEvents;
+class AuthenticationFailureListener implements EventSubscriberInterface
+{
+    private $requestStack;
+    private $logger;
+    public function __construct(RequestStack $requestStack, LoggerInterface $logger)
+    {
+        $this->requestStack = $requestStack;
+        $this->logger = $logger;
+    }
+    /**
+     * {@inheritdoc}
+     */
+    public static function getSubscribedEvents()
+    {
+        return [
+            AuthenticationEvents::AUTHENTICATION_FAILURE => 'onAuthenticationFailure',
+        ];
+    }
+    /**
+     * On failure, add a custom error in log so server admin can configure fail2ban to block IP from people who try to login too much.
+     */
+    public function onAuthenticationFailure()
+    {
+        $request = $this->requestStack->getMasterRequest();
+        $this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".');
+    }
+}
diff --git a/src/Wallabag/UserBundle/Resources/config/services.yml b/src/Wallabag/UserBundle/Resources/config/services.yml
index 6ab463e3..f2cd6e01 100644
--- a/src/Wallabag/UserBundle/Resources/config/services.yml
+++ b/src/Wallabag/UserBundle/Resources/config/services.yml
@@ -36,10 +36,10 @@ services:
        tags:
            - { name: kernel.event_subscriber }
-    wallabag_user.security.custom_auth_failure_handler:
+    wallabag_user.listener.authentication_failure_event_listener:
-        class: Wallabag\UserBundle\Security\CustomAuthenticationFailureHandler
+        class: Wallabag\UserBundle\EventListener\AuthenticationFailureListener
        arguments:
-            - "@http_kernel"
+            - "@request_stack"
-            - "@security.http_utils"
-            - {  }
            - "@logger"
+        tags:
+            - { name: kernel.event_listener, event: security.authentication.failure, method: onAuthenticationFailure }
diff --git a/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php b/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php
deleted file mode 100644
index 2d4ea0ea..00000000
--- a/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php
+++ /dev/null
@@ -1,62 +0,0 @@
-<?php
-namespace Wallabag\UserBundle\Security;
-use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
-use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Http\ParameterBagUtils;
-use Symfony\Component\HttpKernel\HttpKernelInterface;
-use Symfony\Component\Security\Core\Security;
-/**
- * This is a custom authentication failure.
- * It only aims to add a custom error in log so server admin can configure fail2ban to block IP from people who try to login too much.
- *
- * This only changing thing is the logError() addition
- */
-class CustomAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler
-{
-    /**
-     * {@inheritdoc}
-     */
-    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
-    {
-        if ($failureUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['failure_path_parameter'])) {
-            $this->options['failure_path'] = $failureUrl;
-        }
-        if (null === $this->options['failure_path']) {
-            $this->options['failure_path'] = $this->options['login_path'];
-        }
-        if ($this->options['failure_forward']) {
-            $this->logger->debug('Authentication failure, forward triggered.', ['failure_path' => $this->options['failure_path']]);
-            $this->logError($request);
-            $subRequest = $this->httpUtils->createRequest($request, $this->options['failure_path']);
-            $subRequest->attributes->set(Security::AUTHENTICATION_ERROR, $exception);
-            return $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
-        }
-        $this->logger->debug('Authentication failure, redirect triggered.', ['failure_path' => $this->options['failure_path']]);
-        $this->logError($request);
-        $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
-        return $this->httpUtils->createRedirectResponse($request, $this->options['failure_path']);
-    }
-    /**
-     * Log error information about fialure.
-     *
-     * @param Request $request
-     */
-    private function logError(Request $request)
-    {
-        $this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".');
-    }
-}
diff --git a/tests/Wallabag/UserBundle/EventListener/AuthenticationFailureListenerTest.php b/tests/Wallabag/UserBundle/EventListener/AuthenticationFailureListenerTest.php
new file mode 100644
index 00000000..6191ea13
--- /dev/null
+++ b/tests/Wallabag/UserBundle/EventListener/AuthenticationFailureListenerTest.php
@@ -0,0 +1,66 @@
+<?php
+namespace Tests\Wallabag\UserBundle\EventListener;
+use Symfony\Component\EventDispatcher\EventDispatcher;
+use Symfony\Component\HttpFoundation\Request;
+use Wallabag\UserBundle\EventListener\AuthenticationFailureListener;
+use Monolog\Logger;
+use Monolog\Handler\TestHandler;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\Security\Core\AuthenticationEvents;
+use Symfony\Component\Security\Core\Event\AuthenticationFailureEvent;
+class AuthenticationFailureListenerTest extends \PHPUnit_Framework_TestCase
+{
+    private $requestStack;
+    private $logHandler;
+    private $listener;
+    private $dispatcher;
+    protected function setUp()
+    {
+        $request = Request::create('/');
+        $request->request->set('_username', 'admin');
+        $this->requestStack = new RequestStack();
+        $this->requestStack->push($request);
+        $this->logHandler = new TestHandler();
+        $logger = new Logger('test', [$this->logHandler]);
+        $this->listener = new AuthenticationFailureListener(
+            $this->requestStack,
+            $logger
+        );
+        $this->dispatcher = new EventDispatcher();
+        $this->dispatcher->addSubscriber($this->listener);
+    }
+    public function testOnAuthenticationFailure()
+    {
+        $token = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\TokenInterface')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $exception = $this->getMockBuilder('Symfony\Component\Security\Core\Exception\AuthenticationException')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $event = new AuthenticationFailureEvent(
+            $token,
+            $exception
+        );
+        $this->dispatcher->dispatch(
+            AuthenticationEvents::AUTHENTICATION_FAILURE,
+            $event
+        );
+        $records = $this->logHandler->getRecords();
+        $this->assertCount(1, $records);
+        $this->assertSame('Authentication failure for user "admin", from IP "127.0.0.1", with UA: "Symfony/3.X".', $records[0]['message']);
+    }
+}
author	Jeremy Benoist <jeremy.benoist@gmail.com>	2017-06-09 09:45:43 +0200
committer	Jeremy Benoist <jeremy.benoist@gmail.com>	2017-06-09 09:45:43 +0200
commit	f81a34e37929a822755d120215d2f18f042ff713 (patch)
tree	086049b73cf8d547f18c28963a60f36c5679cfcc
parent	fa1c9d7cc7f3c4d2f9167a5b62bbc8cd1f9df59b (diff)
download	wallabag-f81a34e37929a822755d120215d2f18f042ff713.tar.gz wallabag-f81a34e37929a822755d120215d2f18f042ff713.tar.zst wallabag-f81a34e37929a822755d120215d2f18f042ff713.zip

diff --git a/app/config/security.yml b/app/config/security.yml index 171a69e2..ffb1d356 100644 --- a/app/config/security.yml +++ b/app/config/security.yml
@@ -41,7 +41,6 @@ security:
41	form_login:	41	form_login:
42	provider: fos_userbundle	42	provider: fos_userbundle
43	csrf_token_generator: security.csrf.token_manager	43	csrf_token_generator: security.csrf.token_manager
44	failure_handler: wallabag_user.security.custom_auth_failure_handler
45		44
46	anonymous: true	45	anonymous: true
47	remember_me:	46	remember_me:


diff --git a/src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php b/src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php new file mode 100644 index 00000000..10f13233 --- /dev/null +++ b/src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php
@@ -0,0 +1,40 @@
		1	<?php
		2
		3	namespace Wallabag\UserBundle\EventListener;
		4
		5	use Psr\Log\LoggerInterface;
		6	use Symfony\Component\EventDispatcher\EventSubscriberInterface;
		7	use Symfony\Component\HttpFoundation\RequestStack;
		8	use Symfony\Component\Security\Core\AuthenticationEvents;
		9
		10	class AuthenticationFailureListener implements EventSubscriberInterface
		11	{
		12	private $requestStack;
		13	private $logger;
		14
		15	public function __construct(RequestStack $requestStack, LoggerInterface $logger)
		16	{
		17	$this->requestStack = $requestStack;
		18	$this->logger = $logger;
		19	}
		20
		21	/**
		22	* {@inheritdoc}
		23	*/
		24	public static function getSubscribedEvents()
		25	{
		26	return [
		27	AuthenticationEvents::AUTHENTICATION_FAILURE => 'onAuthenticationFailure',
		28	];
		29	}
		30
		31	/**
		32	* On failure, add a custom error in log so server admin can configure fail2ban to block IP from people who try to login too much.
		33	*/
		34	public function onAuthenticationFailure()
		35	{
		36	$request = $this->requestStack->getMasterRequest();
		37
		38	$this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".');
		39	}
		40	}


diff --git a/src/Wallabag/UserBundle/Resources/config/services.yml b/src/Wallabag/UserBundle/Resources/config/services.yml index 6ab463e3..f2cd6e01 100644 --- a/src/Wallabag/UserBundle/Resources/config/services.yml +++ b/src/Wallabag/UserBundle/Resources/config/services.yml
@@ -36,10 +36,10 @@ services:
36	tags:	36	tags:
37	- { name: kernel.event_subscriber }	37	- { name: kernel.event_subscriber }
38		38
39	wallabag_user.security.custom_auth_failure_handler:	39	wallabag_user.listener.authentication_failure_event_listener:
40	class: Wallabag\UserBundle\Security\CustomAuthenticationFailureHandler	40	class: Wallabag\UserBundle\EventListener\AuthenticationFailureListener
41	arguments:	41	arguments:
42	- "@http_kernel"	42	- "@request_stack"
43	- "@security.http_utils"
44	- { }
45	- "@logger"	43	- "@logger"
		44	tags:
		45	- { name: kernel.event_listener, event: security.authentication.failure, method: onAuthenticationFailure }


diff --git a/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php b/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php deleted file mode 100644 index 2d4ea0ea..00000000 --- a/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php +++ /dev/null
@@ -1,62 +0,0 @@
1	<?php
2
3	namespace Wallabag\UserBundle\Security;
4
5	use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
6	use Symfony\Component\HttpFoundation\Request;
7	use Symfony\Component\Security\Core\Exception\AuthenticationException;
8	use Symfony\Component\Security\Http\ParameterBagUtils;
9	use Symfony\Component\HttpKernel\HttpKernelInterface;
10	use Symfony\Component\Security\Core\Security;
11
12	/**
13	* This is a custom authentication failure.
14	* It only aims to add a custom error in log so server admin can configure fail2ban to block IP from people who try to login too much.
15	*
16	* This only changing thing is the logError() addition
17	*/
18	class CustomAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler
19	{
20	/**
21	* {@inheritdoc}
22	*/
23	public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
24	{
25	if ($failureUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['failure_path_parameter'])) {
26	$this->options['failure_path'] = $failureUrl;
27	}
28
29	if (null === $this->options['failure_path']) {
30	$this->options['failure_path'] = $this->options['login_path'];
31	}
32
33	if ($this->options['failure_forward']) {
34	$this->logger->debug('Authentication failure, forward triggered.', ['failure_path' => $this->options['failure_path']]);
35
36	$this->logError($request);
37
38	$subRequest = $this->httpUtils->createRequest($request, $this->options['failure_path']);
39	$subRequest->attributes->set(Security::AUTHENTICATION_ERROR, $exception);
40
41	return $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
42	}
43
44	$this->logger->debug('Authentication failure, redirect triggered.', ['failure_path' => $this->options['failure_path']]);
45
46	$this->logError($request);
47
48	$request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
49
50	return $this->httpUtils->createRedirectResponse($request, $this->options['failure_path']);
51	}
52
53	/**
54	* Log error information about fialure.
55	*
56	* @param Request $request
57	*/
58	private function logError(Request $request)
59	{
60	$this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".');
61	}
62	}


diff --git a/tests/Wallabag/UserBundle/EventListener/AuthenticationFailureListenerTest.php b/tests/Wallabag/UserBundle/EventListener/AuthenticationFailureListenerTest.php new file mode 100644 index 00000000..6191ea13 --- /dev/null +++ b/tests/Wallabag/UserBundle/EventListener/AuthenticationFailureListenerTest.php
@@ -0,0 +1,66 @@
		1	<?php
		2
		3	namespace Tests\Wallabag\UserBundle\EventListener;
		4
		5	use Symfony\Component\EventDispatcher\EventDispatcher;
		6	use Symfony\Component\HttpFoundation\Request;
		7	use Wallabag\UserBundle\EventListener\AuthenticationFailureListener;
		8	use Monolog\Logger;
		9	use Monolog\Handler\TestHandler;
		10	use Symfony\Component\HttpFoundation\RequestStack;
		11	use Symfony\Component\Security\Core\AuthenticationEvents;
		12	use Symfony\Component\Security\Core\Event\AuthenticationFailureEvent;
		13
		14	class AuthenticationFailureListenerTest extends \PHPUnit_Framework_TestCase
		15	{
		16	private $requestStack;
		17	private $logHandler;
		18	private $listener;
		19	private $dispatcher;
		20
		21	protected function setUp()
		22	{
		23	$request = Request::create('/');
		24	$request->request->set('_username', 'admin');
		25
		26	$this->requestStack = new RequestStack();
		27	$this->requestStack->push($request);
		28
		29	$this->logHandler = new TestHandler();
		30	$logger = new Logger('test', [$this->logHandler]);
		31
		32	$this->listener = new AuthenticationFailureListener(
		33	$this->requestStack,
		34	$logger
		35	);
		36
		37	$this->dispatcher = new EventDispatcher();
		38	$this->dispatcher->addSubscriber($this->listener);
		39	}
		40
		41	public function testOnAuthenticationFailure()
		42	{
		43	$token = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\TokenInterface')
		44	->disableOriginalConstructor()
		45	->getMock();
		46
		47	$exception = $this->getMockBuilder('Symfony\Component\Security\Core\Exception\AuthenticationException')
		48	->disableOriginalConstructor()
		49	->getMock();
		50
		51	$event = new AuthenticationFailureEvent(
		52	$token,
		53	$exception
		54	);
		55
		56	$this->dispatcher->dispatch(
		57	AuthenticationEvents::AUTHENTICATION_FAILURE,
		58	$event
		59	);
		60
		61	$records = $this->logHandler->getRecords();
		62
		63	$this->assertCount(1, $records);
		64	$this->assertSame('Authentication failure for user "admin", from IP "127.0.0.1", with UA: "Symfony/3.X".', $records[0]['message']);
		65	}
		66	}