authorJeremy Benoist <jeremy.benoist@gmail.com>2017-06-09 09:45:43 +0200
committerJeremy Benoist <jeremy.benoist@gmail.com>2017-06-09 09:45:43 +0200
commitf81a34e37929a822755d120215d2f18f042ff713 (patch)
tree086049b73cf8d547f18c28963a60f36c5679cfcc
parentfa1c9d7cc7f3c4d2f9167a5b62bbc8cd1f9df59b (diff)
Use a listener to catch auth failure
-rw-r--r--app/config/security.yml1
-rw-r--r--src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php40
-rw-r--r--src/Wallabag/UserBundle/Resources/config/services.yml10
-rw-r--r--src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php62
-rw-r--r--tests/Wallabag/UserBundle/EventListener/AuthenticationFailureListenerTest.php66
5 files changed, 111 insertions, 68 deletions
diff --git a/app/config/security.yml b/app/config/security.yml
index 171a69e2..ffb1d356 100644
--- a/app/config/security.yml
+++ b/app/config/security.yml
@@ -41,7 +41,6 @@ security:
41 form_login: 41 form_login:
42 provider: fos_userbundle 42 provider: fos_userbundle
43 csrf_token_generator: security.csrf.token_manager 43 csrf_token_generator: security.csrf.token_manager
44 failure_handler: wallabag_user.security.custom_auth_failure_handler
45 44
46 anonymous: true 45 anonymous: true
47 remember_me: 46 remember_me:
diff --git a/src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php b/src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php
new file mode 100644
index 00000000..10f13233
--- /dev/null
+++ b/src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php
@@ -0,0 +1,40 @@
1<?php
2
3namespace Wallabag\UserBundle\EventListener;
4
5use Psr\Log\LoggerInterface;
6use Symfony\Component\EventDispatcher\EventSubscriberInterface;
7use Symfony\Component\HttpFoundation\RequestStack;
8use Symfony\Component\Security\Core\AuthenticationEvents;
9
10class AuthenticationFailureListener implements EventSubscriberInterface
11{
12 private $requestStack;
13 private $logger;
14
15 public function __construct(RequestStack $requestStack, LoggerInterface $logger)
16 {
17 $this->requestStack = $requestStack;
18 $this->logger = $logger;
19 }
20
21 /**
22 * {@inheritdoc}
23 */
24 public static function getSubscribedEvents()
25 {
26 return [
27 AuthenticationEvents::AUTHENTICATION_FAILURE => 'onAuthenticationFailure',
28 ];
29 }
30
31 /**
32 * On failure, add a custom error in log so server admin can configure fail2ban to block IP from people who try to login too much.
33 */
34 public function onAuthenticationFailure()
35 {
36 $request = $this->requestStack->getMasterRequest();
37
38 $this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".');
39 }
40}
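Review bot: `getMasterRequest()` on line 36 of the new file returns null when the failure event is dispatched outside an HTTP request (a console command or a test without a pushed request), and line 38 then fatals on `$request->request`; guard it with `if (null === $request) { return; }` before logging. The message on line 38 also concatenates the attacker-controlled `_username` and User-Agent values raw, so a value containing a line break or quote can split the entry or forge the `from IP` field that a fail2ban filter keys on; neutralise CR/LF and pass the fields as Monolog context so the filter can anchor on a stable layout. Note as well that `getClientIp()` only yields the real client address when Symfony's trusted proxies are configured, so behind a reverse proxy the logged, and banned, address is presumably the proxy's.

```php
    public function onAuthenticationFailure()
    {
        $request = $this->requestStack->getMasterRequest();
        if (null === $request) {
            // no HTTP request to describe (console, async); nothing useful to log for fail2ban
            return;
        }

        // both values are attacker-controlled: keep one failure on exactly one log line
        $username = str_replace(["\r", "\n"], ' ', (string) $request->request->get('_username'));
        $userAgent = str_replace(["\r", "\n"], ' ', (string) $request->server->get('HTTP_USER_AGENT'));
        $clientIp = $request->getClientIp();

        $this->logger->error(
            'Authentication failure for user "'.$username.'", from IP "'.$clientIp.'", with UA: "'.$userAgent.'".',
            ['username' => $username, 'ip' => $clientIp, 'user_agent' => $userAgent]
        );
    }
```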
diff --git a/src/Wallabag/UserBundle/Resources/config/services.yml b/src/Wallabag/UserBundle/Resources/config/services.yml
index 6ab463e3..f2cd6e01 100644
--- a/src/Wallabag/UserBundle/Resources/config/services.yml
+++ b/src/Wallabag/UserBundle/Resources/config/services.yml
@@ -36,10 +36,10 @@ services:
36 tags: 36 tags:
37 - { name: kernel.event_subscriber } 37 - { name: kernel.event_subscriber }
38 38
39 wallabag_user.security.custom_auth_failure_handler: 39 wallabag_user.listener.authentication_failure_event_listener:
40 class: Wallabag\UserBundle\Security\CustomAuthenticationFailureHandler 40 class: Wallabag\UserBundle\EventListener\AuthenticationFailureListener
41 arguments: 41 arguments:
42 - "@http_kernel" 42 - "@request_stack"
43 - "@security.http_utils"
44 - { }
45 - "@logger" 43 - "@logger"
44 tags:
45 - { name: kernel.event_listener, event: security.authentication.failure, method: onAuthenticationFailure }
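Review bot: The new service is tagged `kernel.event_listener` with an explicit `event`/`method` pair, while the class it points to implements `EventSubscriberInterface` and the sibling service a few lines above (line 37 of this file) is tagged `kernel.event_subscriber`. Keeping both registration mechanisms means the event name lives in two places that can drift; either tag this service `- { name: kernel.event_subscriber }` and let `getSubscribedEvents()` own the mapping, or drop the interface from the class. The test in this commit wires the class through `addSubscriber()`, so the subscriber path is the one actually exercised.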
diff --git a/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php b/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php
deleted file mode 100644
index 2d4ea0ea..00000000
--- a/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php
+++ /dev/null
@@ -1,62 +0,0 @@
1<?php
2
3namespace Wallabag\UserBundle\Security;
4
5use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
6use Symfony\Component\HttpFoundation\Request;
7use Symfony\Component\Security\Core\Exception\AuthenticationException;
8use Symfony\Component\Security\Http\ParameterBagUtils;
9use Symfony\Component\HttpKernel\HttpKernelInterface;
10use Symfony\Component\Security\Core\Security;
11
12/**
13 * This is a custom authentication failure.
14 * It only aims to add a custom error in log so server admin can configure fail2ban to block IP from people who try to login too much.
15 *
16 * This only changing thing is the logError() addition
17 */
18class CustomAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler
19{
20 /**
21 * {@inheritdoc}
22 */
23 public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
24 {
25 if ($failureUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['failure_path_parameter'])) {
26 $this->options['failure_path'] = $failureUrl;
27 }
28
29 if (null === $this->options['failure_path']) {
30 $this->options['failure_path'] = $this->options['login_path'];
31 }
32
33 if ($this->options['failure_forward']) {
34 $this->logger->debug('Authentication failure, forward triggered.', ['failure_path' => $this->options['failure_path']]);
35
36 $this->logError($request);
37
38 $subRequest = $this->httpUtils->createRequest($request, $this->options['failure_path']);
39 $subRequest->attributes->set(Security::AUTHENTICATION_ERROR, $exception);
40
41 return $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
42 }
43
44 $this->logger->debug('Authentication failure, redirect triggered.', ['failure_path' => $this->options['failure_path']]);
45
46 $this->logError($request);
47
48 $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
49
50 return $this->httpUtils->createRedirectResponse($request, $this->options['failure_path']);
51 }
52
53 /**
54 * Log error information about fialure.
55 *
56 * @param Request $request
57 */
58 private function logError(Request $request)
59 {
60 $this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".');
61 }
62}
diff --git a/tests/Wallabag/UserBundle/EventListener/AuthenticationFailureListenerTest.php b/tests/Wallabag/UserBundle/EventListener/AuthenticationFailureListenerTest.php
new file mode 100644
index 00000000..6191ea13
--- /dev/null
+++ b/tests/Wallabag/UserBundle/EventListener/AuthenticationFailureListenerTest.php
@@ -0,0 +1,66 @@
1<?php
2
3namespace Tests\Wallabag\UserBundle\EventListener;
4
5use Symfony\Component\EventDispatcher\EventDispatcher;
6use Symfony\Component\HttpFoundation\Request;
7use Wallabag\UserBundle\EventListener\AuthenticationFailureListener;
8use Monolog\Logger;
9use Monolog\Handler\TestHandler;
10use Symfony\Component\HttpFoundation\RequestStack;
11use Symfony\Component\Security\Core\AuthenticationEvents;
12use Symfony\Component\Security\Core\Event\AuthenticationFailureEvent;
13
14class AuthenticationFailureListenerTest extends \PHPUnit_Framework_TestCase
15{
16 private $requestStack;
17 private $logHandler;
18 private $listener;
19 private $dispatcher;
20
21 protected function setUp()
22 {
23 $request = Request::create('/');
24 $request->request->set('_username', 'admin');
25
26 $this->requestStack = new RequestStack();
27 $this->requestStack->push($request);
28
29 $this->logHandler = new TestHandler();
30 $logger = new Logger('test', [$this->logHandler]);
31
32 $this->listener = new AuthenticationFailureListener(
33 $this->requestStack,
34 $logger
35 );
36
37 $this->dispatcher = new EventDispatcher();
38 $this->dispatcher->addSubscriber($this->listener);
39 }
40
41 public function testOnAuthenticationFailure()
42 {
43 $token = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\TokenInterface')
44 ->disableOriginalConstructor()
45 ->getMock();
46
47 $exception = $this->getMockBuilder('Symfony\Component\Security\Core\Exception\AuthenticationException')
48 ->disableOriginalConstructor()
49 ->getMock();
50
51 $event = new AuthenticationFailureEvent(
52 $token,
53 $exception
54 );
55
56 $this->dispatcher->dispatch(
57 AuthenticationEvents::AUTHENTICATION_FAILURE,
58 $event
59 );
60
61 $records = $this->logHandler->getRecords();
62
63 $this->assertCount(1, $records);
64 $this->assertSame('Authentication failure for user "admin", from IP "127.0.0.1", with UA: "Symfony/3.X".', $records[0]['message']);
65 }
66}
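Review bot: `testOnAuthenticationFailure` pins the exact message text on line 64 but never checks the record's level, which is what a fail2ban-oriented log configuration would filter on; add `$this->assertSame(Logger::ERROR, $records[0]['level']);` next to the message assertion. The listener's behaviour with an empty `RequestStack`, and with a `_username` containing a line break, is not covered either, so the two inputs most relevant to the fail2ban use case are untested. The `disableOriginalConstructor()` calls on lines 44 and 48 are harmless but redundant for the interface mock on line 43.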