Move API stuff in ApiBundle

author: Jeremy <jeremy.benoist@gmail.com> 2015-03-29 10:53:10 +0200
committer: Jeremy <jeremy.benoist@gmail.com> 2015-04-01 21:59:12 +0200
commit: 769e19dc4ab1a068e8165a7b237f42a78a6d312f (patch)
tree: 8fcb164704dd75a6108db0792c02f4ef6a7e1722 /src/Wallabag/ApiBundle/Security
parent: e3c34bfc06f3ea266a418d6246560f15d3f73e2a (diff)
download: wallabag-769e19dc4ab1a068e8165a7b237f42a78a6d312f.tar.gz
wallabag-769e19dc4ab1a068e8165a7b237f42a78a6d312f.tar.zst
wallabag-769e19dc4ab1a068e8165a7b237f42a78a6d312f.zip
3 files changed, 163 insertions, 0 deletions
diff --git a/src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php b/src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php
new file mode 100644
index 00000000..8e49167a
--- /dev/null
+++ b/src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php
@@ -0,0 +1,78 @@
+<?php
+namespace Wallabag\ApiBundle\Security\Authentication\Provider;
+use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\NonceExpiredException;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Wallabag\ApiBundle\Security\Authentication\Token\WsseUserToken;
+class WsseProvider implements AuthenticationProviderInterface
+{
+    private $userProvider;
+    private $cacheDir;
+    public function __construct(UserProviderInterface $userProvider, $cacheDir)
+    {
+        $this->userProvider = $userProvider;
+        $this->cacheDir     = $cacheDir;
+        // If cache directory does not exist we create it
+        if (!is_dir($this->cacheDir)) {
+            mkdir($this->cacheDir, 0777, true);
+        }
+    }
+    public function authenticate(TokenInterface $token)
+    {
+        $user = $this->userProvider->loadUserByUsername($token->getUsername());
+        if (!$user) {
+            throw new AuthenticationException("Bad credentials. Did you forgot your username?");
+        }
+        if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
+            $authenticatedToken = new WsseUserToken($user->getRoles());
+            $authenticatedToken->setUser($user);
+            return $authenticatedToken;
+        }
+        throw new AuthenticationException('The WSSE authentication failed.');
+    }
+    protected function validateDigest($digest, $nonce, $created, $secret)
+    {
+        // Check created time is not in the future
+        if (strtotime($created) > time()) {
+            throw new AuthenticationException("Back to the future...");
+        }
+        // Expire timestamp after 5 minutes
+        if (time() - strtotime($created) > 300) {
+            throw new AuthenticationException("Too late for this timestamp... Watch your watch.");
+        }
+        // Validate nonce is unique within 5 minutes
+        if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
+            throw new NonceExpiredException('Previously used nonce detected');
+        }
+        file_put_contents($this->cacheDir.'/'.$nonce, time());
+        // Validate Secret
+        $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
+        if ($digest !== $expected) {
+            throw new AuthenticationException("Bad credentials ! Digest is not as expected.");
+        }
+        return $digest === $expected;
+    }
+    public function supports(TokenInterface $token)
+    {
+        return $token instanceof WsseUserToken;
+    }
+}
diff --git a/src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php b/src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php
new file mode 100644
index 00000000..aa68dbdc
--- /dev/null
+++ b/src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php
@@ -0,0 +1,23 @@
+<?php
+namespace Wallabag\ApiBundle\Security\Authentication\Token;
+use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
+class WsseUserToken extends AbstractToken
+{
+    public $created;
+    public $digest;
+    public $nonce;
+    public function __construct(array $roles = array())
+    {
+        parent::__construct($roles);
+        $this->setAuthenticated(count($roles) > 0);
+    }
+    public function getCredentials()
+    {
+        return '';
+    }
+}
diff --git a/src/Wallabag/ApiBundle/Security/Firewall/WsseListener.php b/src/Wallabag/ApiBundle/Security/Firewall/WsseListener.php
new file mode 100644
index 00000000..50587837
--- /dev/null
+++ b/src/Wallabag/ApiBundle/Security/Firewall/WsseListener.php
@@ -0,0 +1,62 @@
+<?php
+namespace Wallabag\ApiBundle\Security\Firewall;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Event\GetResponseEvent;
+use Symfony\Component\Security\Http\Firewall\ListenerInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\SecurityContextInterface;
+use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
+use Wallabag\ApiBundle\Security\Authentication\Token\WsseUserToken;
+use Psr\Log\LoggerInterface;
+class WsseListener implements ListenerInterface
+{
+    protected $securityContext;
+    protected $authenticationManager;
+    protected $logger;
+    public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, LoggerInterface $logger)
+    {
+        $this->securityContext = $securityContext;
+        $this->authenticationManager = $authenticationManager;
+        $this->logger = $logger;
+    }
+    public function handle(GetResponseEvent $event)
+    {
+        $request = $event->getRequest();
+        $wsseRegex = '/UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", Nonce="([^"]+)", Created="([^"]+)"/';
+        if (!$request->headers->has('x-wsse') || 1 !== preg_match($wsseRegex, $request->headers->get('x-wsse'), $matches)) {
+            return;
+        }
+        $token = new WsseUserToken();
+        $token->setUser($matches[1]);
+        $token->digest   = $matches[2];
+        $token->nonce    = $matches[3];
+        $token->created  = $matches[4];
+        try {
+            $authToken = $this->authenticationManager->authenticate($token);
+            $this->securityContext->setToken($authToken);
+            return;
+        } catch (AuthenticationException $failed) {
+            $failedMessage = 'WSSE Login failed for '.$token->getUsername().'. Why ? '.$failed->getMessage();
+            $this->logger->err($failedMessage);
+            // Deny authentication with a '403 Forbidden' HTTP response
+            $response = new Response();
+            $response->setStatusCode(403);
+            $response->setContent($failedMessage);
+            $event->setResponse($response);
+            return;
+        }
+    }
+}
author	Jeremy <jeremy.benoist@gmail.com>	2015-03-29 10:53:10 +0200
committer	Jeremy <jeremy.benoist@gmail.com>	2015-04-01 21:59:12 +0200
commit	769e19dc4ab1a068e8165a7b237f42a78a6d312f (patch)
tree	8fcb164704dd75a6108db0792c02f4ef6a7e1722 /src/Wallabag/ApiBundle/Security
parent	e3c34bfc06f3ea266a418d6246560f15d3f73e2a (diff)
download	wallabag-769e19dc4ab1a068e8165a7b237f42a78a6d312f.tar.gz wallabag-769e19dc4ab1a068e8165a7b237f42a78a6d312f.tar.zst wallabag-769e19dc4ab1a068e8165a7b237f42a78a6d312f.zip

diff --git a/src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php b/src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php new file mode 100644 index 00000000..8e49167a --- /dev/null +++ b/src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php
@@ -0,0 +1,78 @@
	1	<?php
	2	namespace Wallabag\ApiBundle\Security\Authentication\Provider;
	3
	4	use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
	5	use Symfony\Component\Security\Core\User\UserProviderInterface;
	6	use Symfony\Component\Security\Core\Exception\AuthenticationException;
	7	use Symfony\Component\Security\Core\Exception\NonceExpiredException;
	8	use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
	9	use Wallabag\ApiBundle\Security\Authentication\Token\WsseUserToken;
	10
	11	class WsseProvider implements AuthenticationProviderInterface
	12	{
	13	private $userProvider;
	14	private $cacheDir;
	15
	16	public function __construct(UserProviderInterface $userProvider, $cacheDir)
	17	{
	18	$this->userProvider = $userProvider;
	19	$this->cacheDir = $cacheDir;
	20
	21	// If cache directory does not exist we create it
	22	if (!is_dir($this->cacheDir)) {
	23	mkdir($this->cacheDir, 0777, true);
	24	}
	25	}
	26
	27	public function authenticate(TokenInterface $token)
	28	{
	29	$user = $this->userProvider->loadUserByUsername($token->getUsername());
	30
	31	if (!$user) {
	32	throw new AuthenticationException("Bad credentials. Did you forgot your username?");
	33	}
	34
	35	if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
	36	$authenticatedToken = new WsseUserToken($user->getRoles());
	37	$authenticatedToken->setUser($user);
	38
	39	return $authenticatedToken;
	40	}
	41
	42	throw new AuthenticationException('The WSSE authentication failed.');
	43	}
	44
	45	protected function validateDigest($digest, $nonce, $created, $secret)
	46	{
	47	// Check created time is not in the future
	48	if (strtotime($created) > time()) {
	49	throw new AuthenticationException("Back to the future...");
	50	}
	51
	52	// Expire timestamp after 5 minutes
	53	if (time() - strtotime($created) > 300) {
	54	throw new AuthenticationException("Too late for this timestamp... Watch your watch.");
	55	}
	56
	57	// Validate nonce is unique within 5 minutes
	58	if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
	59	throw new NonceExpiredException('Previously used nonce detected');
	60	}
	61
	62	file_put_contents($this->cacheDir.'/'.$nonce, time());
	63
	64	// Validate Secret
	65	$expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
	66
	67	if ($digest !== $expected) {
	68	throw new AuthenticationException("Bad credentials ! Digest is not as expected.");
	69	}
	70
	71	return $digest === $expected;
	72	}
	73
	74	public function supports(TokenInterface $token)
	75	{
	76	return $token instanceof WsseUserToken;
	77	}
	78	}


diff --git a/src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php b/src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php new file mode 100644 index 00000000..aa68dbdc --- /dev/null +++ b/src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php
@@ -0,0 +1,23 @@
	1	<?php
	2	namespace Wallabag\ApiBundle\Security\Authentication\Token;
	3
	4	use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
	5
	6	class WsseUserToken extends AbstractToken
	7	{
	8	public $created;
	9	public $digest;
	10	public $nonce;
	11
	12	public function __construct(array $roles = array())
	13	{
	14	parent::__construct($roles);
	15
	16	$this->setAuthenticated(count($roles) > 0);
	17	}
	18
	19	public function getCredentials()
	20	{
	21	return '';
	22	}
	23	}


diff --git a/src/Wallabag/ApiBundle/Security/Firewall/WsseListener.php b/src/Wallabag/ApiBundle/Security/Firewall/WsseListener.php new file mode 100644 index 00000000..50587837 --- /dev/null +++ b/src/Wallabag/ApiBundle/Security/Firewall/WsseListener.php
@@ -0,0 +1,62 @@
	1	<?php
	2
	3	namespace Wallabag\ApiBundle\Security\Firewall;
	4
	5	use Symfony\Component\HttpFoundation\Response;
	6	use Symfony\Component\HttpKernel\Event\GetResponseEvent;
	7	use Symfony\Component\Security\Http\Firewall\ListenerInterface;
	8	use Symfony\Component\Security\Core\Exception\AuthenticationException;
	9	use Symfony\Component\Security\Core\SecurityContextInterface;
	10	use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
	11	use Wallabag\ApiBundle\Security\Authentication\Token\WsseUserToken;
	12	use Psr\Log\LoggerInterface;
	13
	14	class WsseListener implements ListenerInterface
	15	{
	16	protected $securityContext;
	17	protected $authenticationManager;
	18	protected $logger;
	19
	20	public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, LoggerInterface $logger)
	21	{
	22	$this->securityContext = $securityContext;
	23	$this->authenticationManager = $authenticationManager;
	24	$this->logger = $logger;
	25	}
	26
	27	public function handle(GetResponseEvent $event)
	28	{
	29	$request = $event->getRequest();
	30
	31	$wsseRegex = '/UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", Nonce="([^"]+)", Created="([^"]+)"/';
	32	if (!$request->headers->has('x-wsse') \|\| 1 !== preg_match($wsseRegex, $request->headers->get('x-wsse'), $matches)) {
	33	return;
	34	}
	35
	36	$token = new WsseUserToken();
	37	$token->setUser($matches[1]);
	38
	39	$token->digest = $matches[2];
	40	$token->nonce = $matches[3];
	41	$token->created = $matches[4];
	42
	43	try {
	44	$authToken = $this->authenticationManager->authenticate($token);
	45
	46	$this->securityContext->setToken($authToken);
	47
	48	return;
	49	} catch (AuthenticationException $failed) {
	50	$failedMessage = 'WSSE Login failed for '.$token->getUsername().'. Why ? '.$failed->getMessage();
	51	$this->logger->err($failedMessage);
	52
	53	// Deny authentication with a '403 Forbidden' HTTP response
	54	$response = new Response();
	55	$response->setStatusCode(403);
	56	$response->setContent($failedMessage);
	57	$event->setResponse($response);
	58
	59	return;
	60	}
	61	}
	62	}