log for authentication on API

author: Nicolas Lœuillet <nicolas@loeuillet.org> 2015-02-09 22:07:39 +0100
committer: Nicolas Lœuillet <nicolas@loeuillet.org> 2015-02-09 22:07:39 +0100
commit: 2a94b1d1b74b4e776e76a522621b67b45d115fe7 (patch)
tree: 3f4a99b890bb4ec1a7f84d131e7ead2323cc2438 /src/Wallabag
parent: 0ac38198ab1c00dfb290d5631fa7c1cf5ac2a48a (diff)
download: wallabag-2a94b1d1b74b4e776e76a522621b67b45d115fe7.tar.gz
wallabag-2a94b1d1b74b4e776e76a522621b67b45d115fe7.tar.zst
wallabag-2a94b1d1b74b4e776e76a522621b67b45d115fe7.zip
6 files changed, 39 insertions, 19 deletions
diff --git a/src/Wallabag/CoreBundle/Controller/EntryController.php b/src/Wallabag/CoreBundle/Controller/EntryController.php
index e0697ca3..5378486a 100644
--- a/src/Wallabag/CoreBundle/Controller/EntryController.php
+++ b/src/Wallabag/CoreBundle/Controller/EntryController.php
@@ -6,7 +6,6 @@ use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
 use Symfony\Bundle\FrameworkBundle\Controller\Controller;
 use Symfony\Component\HttpFoundation\Request;
 use Wallabag\CoreBundle\Entity\Entry;
-use Wallabag\CoreBundle\Repository;
 use Wallabag\CoreBundle\Service\Extractor;
 use Wallabag\CoreBundle\Helper\Url;
diff --git a/src/Wallabag/CoreBundle/Repository/EntryRepository.php b/src/Wallabag/CoreBundle/Repository/EntryRepository.php
index 5ae1337a..1805cf3f 100644
--- a/src/Wallabag/CoreBundle/Repository/EntryRepository.php
+++ b/src/Wallabag/CoreBundle/Repository/EntryRepository.php
@@ -91,12 +91,12 @@ class EntryRepository extends EntityRepository
    /**
     * Find Entries
     *
-     * @param  int    $userId
+     * @param int    $userId
-     * @param  bool   $isArchived
+     * @param bool   $isArchived
-     * @param  bool   $isStarred
+     * @param bool   $isStarred
-     * @param  bool   $isDeleted
+     * @param bool   $isDeleted
-     * @param  string $sort
+     * @param string $sort
-     * @param  string $order
+     * @param string $order
     *
     * @return ArrayCollection
     */
diff --git a/src/Wallabag/CoreBundle/Resources/config/services.xml b/src/Wallabag/CoreBundle/Resources/config/services.xml
index 859665ca..ca2ba383 100644
--- a/src/Wallabag/CoreBundle/Resources/config/services.xml
+++ b/src/Wallabag/CoreBundle/Resources/config/services.xml
@@ -21,6 +21,8 @@
                 class="Wallabag\CoreBundle\Security\Firewall\WsseListener" public="false">
            <argument type="service" id="security.context"/>
            <argument type="service" id="security.authentication.manager" />
+            <argument type="service" id="logger" />
+            <tag name="monolog.logger" channel="wsse" />
        </service>
    </services>
diff --git a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
index eaad9c63..c9b9b692 100644
--- a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
+++ b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
@@ -23,6 +23,10 @@ class WsseProvider implements AuthenticationProviderInterface
    {
        $user = $this->userProvider->loadUserByUsername($token->getUsername());
+        if (!$user) {
+            throw new AuthenticationException("Bad credentials. Did you forgot your username?");
+        }
        if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
            $authenticatedToken = new WsseUserToken($user->getRoles());
            $authenticatedToken->setUser($user);
@@ -35,12 +39,17 @@ class WsseProvider implements AuthenticationProviderInterface
    protected function validateDigest($digest, $nonce, $created, $secret)
    {
-        // Expire le timestamp après 5 minutes
+        // Check created time is not in the future
+        if (strtotime($created) > time()) {
+            throw new AuthenticationException("Back to the future...");
+        }
+        // Expire timestamp after 5 minutes
        if (time() - strtotime($created) > 300) {
-            return false;
+            throw new AuthenticationException("Too late for this timestamp... Watch your watch.");
        }
-        // Valide que le nonce est unique dans les 5 minutes
+        // Validate nonce is unique within 5 minutes
        if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
            throw new NonceExpiredException('Previously used nonce detected');
        }
@@ -52,9 +61,13 @@ class WsseProvider implements AuthenticationProviderInterface
        file_put_contents($this->cacheDir.'/'.$nonce, time());
-        // Valide le Secret
+        // Validate Secret
        $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
+        if ($digest !== $expected) {
+            throw new AuthenticationException("Bad credentials ! Digest is not as expected.");
+        }
        return $digest === $expected;
    }
diff --git a/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php b/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php
index 4d4f2145..d815d536 100644
--- a/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php
+++ b/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php
@@ -9,16 +9,19 @@ use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\SecurityContextInterface;
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Wallabag\CoreBundle\Security\Authentication\Token\WsseUserToken;
+use Symfony\Component\HttpKernel\Log\LoggerInterface;
 class WsseListener implements ListenerInterface
 {
    protected $securityContext;
    protected $authenticationManager;
+    protected $logger;
-    public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager)
+    public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, LoggerInterface $logger)
    {
        $this->securityContext = $securityContext;
        $this->authenticationManager = $authenticationManager;
+        $this->logger = $logger;
    }
    public function handle(GetResponseEvent $event)
@@ -42,16 +45,21 @@ class WsseListener implements ListenerInterface
            $this->securityContext->setToken($authToken);
        } catch (AuthenticationException $failed) {
-            // ... you might log something here
+            $failedMessage = 'WSSE Login failed for '.$token->getUsername().'. Why ? '.$failed->getMessage();
+            $this->logger->err($failedMessage);
-            // To deny the authentication clear the token. This will redirect to the login page.
-            // $this->securityContext->setToken(null);
-            // return;
            // Deny authentication with a '403 Forbidden' HTTP response
            $response = new Response();
            $response->setStatusCode(403);
+            $response->setContent($failedMessage);
            $event->setResponse($response);
+            return;
        }
+        // By default deny authorization
+        $response = new Response();
+        $response->setStatusCode(403);
+        $event->setResponse($response);
    }
 }
diff --git a/src/Wallabag/CoreBundle/Tests/WallabagTestCase.php b/src/Wallabag/CoreBundle/Tests/WallabagTestCase.php
index 5f092318..edc7d992 100644
--- a/src/Wallabag/CoreBundle/Tests/WallabagTestCase.php
+++ b/src/Wallabag/CoreBundle/Tests/WallabagTestCase.php
@@ -3,8 +3,6 @@
 namespace Wallabag\CoreBundle\Tests;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
-use Symfony\Component\BrowserKit\Cookie;
-use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 class WallabagTestCase extends WebTestCase
 {
author	Nicolas Lœuillet <nicolas@loeuillet.org>	2015-02-09 22:07:39 +0100
committer	Nicolas Lœuillet <nicolas@loeuillet.org>	2015-02-09 22:07:39 +0100
commit	2a94b1d1b74b4e776e76a522621b67b45d115fe7 (patch)
tree	3f4a99b890bb4ec1a7f84d131e7ead2323cc2438 /src/Wallabag
parent	0ac38198ab1c00dfb290d5631fa7c1cf5ac2a48a (diff)
download	wallabag-2a94b1d1b74b4e776e76a522621b67b45d115fe7.tar.gz wallabag-2a94b1d1b74b4e776e76a522621b67b45d115fe7.tar.zst wallabag-2a94b1d1b74b4e776e76a522621b67b45d115fe7.zip

diff --git a/src/Wallabag/CoreBundle/Controller/EntryController.php b/src/Wallabag/CoreBundle/Controller/EntryController.php index e0697ca3..5378486a 100644 --- a/src/Wallabag/CoreBundle/Controller/EntryController.php +++ b/src/Wallabag/CoreBundle/Controller/EntryController.php
@@ -6,7 +6,6 @@ use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
6	use Symfony\Bundle\FrameworkBundle\Controller\Controller;	6	use Symfony\Bundle\FrameworkBundle\Controller\Controller;
7	use Symfony\Component\HttpFoundation\Request;	7	use Symfony\Component\HttpFoundation\Request;
8	use Wallabag\CoreBundle\Entity\Entry;	8	use Wallabag\CoreBundle\Entity\Entry;
9	use Wallabag\CoreBundle\Repository;
10	use Wallabag\CoreBundle\Service\Extractor;	9	use Wallabag\CoreBundle\Service\Extractor;
11	use Wallabag\CoreBundle\Helper\Url;	10	use Wallabag\CoreBundle\Helper\Url;
12		11


diff --git a/src/Wallabag/CoreBundle/Repository/EntryRepository.php b/src/Wallabag/CoreBundle/Repository/EntryRepository.php index 5ae1337a..1805cf3f 100644 --- a/src/Wallabag/CoreBundle/Repository/EntryRepository.php +++ b/src/Wallabag/CoreBundle/Repository/EntryRepository.php
@@ -91,12 +91,12 @@ class EntryRepository extends EntityRepository
91	/**	91	/**
92	* Find Entries	92	* Find Entries
93	*	93	*
94	* @param int $userId	94	* @param int $userId
95	* @param bool $isArchived	95	* @param bool $isArchived
96	* @param bool $isStarred	96	* @param bool $isStarred
97	* @param bool $isDeleted	97	* @param bool $isDeleted
98	* @param string $sort	98	* @param string $sort
99	* @param string $order	99	* @param string $order
100	*	100	*
101	* @return ArrayCollection	101	* @return ArrayCollection
102	*/	102	*/


diff --git a/src/Wallabag/CoreBundle/Resources/config/services.xml b/src/Wallabag/CoreBundle/Resources/config/services.xml index 859665ca..ca2ba383 100644 --- a/src/Wallabag/CoreBundle/Resources/config/services.xml +++ b/src/Wallabag/CoreBundle/Resources/config/services.xml
@@ -21,6 +21,8 @@
21	class="Wallabag\CoreBundle\Security\Firewall\WsseListener" public="false">	21	class="Wallabag\CoreBundle\Security\Firewall\WsseListener" public="false">
22	<argument type="service" id="security.context"/>	22	<argument type="service" id="security.context"/>
23	<argument type="service" id="security.authentication.manager" />	23	<argument type="service" id="security.authentication.manager" />
		24	<argument type="service" id="logger" />
		25	<tag name="monolog.logger" channel="wsse" />
24	</service>	26	</service>
25	</services>	27	</services>
26		28


diff --git a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php index eaad9c63..c9b9b692 100644 --- a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php +++ b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
@@ -23,6 +23,10 @@ class WsseProvider implements AuthenticationProviderInterface
23	{	23	{
24	$user = $this->userProvider->loadUserByUsername($token->getUsername());	24	$user = $this->userProvider->loadUserByUsername($token->getUsername());
25		25
		26	if (!$user) {
		27	throw new AuthenticationException("Bad credentials. Did you forgot your username?");
		28	}
		29
26	if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {	30	if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
27	$authenticatedToken = new WsseUserToken($user->getRoles());	31	$authenticatedToken = new WsseUserToken($user->getRoles());
28	$authenticatedToken->setUser($user);	32	$authenticatedToken->setUser($user);
@@ -35,12 +39,17 @@ class WsseProvider implements AuthenticationProviderInterface
35		39
36	protected function validateDigest($digest, $nonce, $created, $secret)	40	protected function validateDigest($digest, $nonce, $created, $secret)
37	{	41	{
38	// Expire le timestamp après 5 minutes	42	// Check created time is not in the future
		43	if (strtotime($created) > time()) {
		44	throw new AuthenticationException("Back to the future...");
		45	}
		46
		47	// Expire timestamp after 5 minutes
39	if (time() - strtotime($created) > 300) {	48	if (time() - strtotime($created) > 300) {
40	return false;	49	throw new AuthenticationException("Too late for this timestamp... Watch your watch.");
41	}	50	}
42		51
43	// Valide que le nonce est unique dans les 5 minutes	52	// Validate nonce is unique within 5 minutes
44	if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {	53	if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
45	throw new NonceExpiredException('Previously used nonce detected');	54	throw new NonceExpiredException('Previously used nonce detected');
46	}	55	}
@@ -52,9 +61,13 @@ class WsseProvider implements AuthenticationProviderInterface
52		61
53	file_put_contents($this->cacheDir.'/'.$nonce, time());	62	file_put_contents($this->cacheDir.'/'.$nonce, time());
54		63
55	// Valide le Secret	64	// Validate Secret
56	$expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));	65	$expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
57		66
		67	if ($digest !== $expected) {
		68	throw new AuthenticationException("Bad credentials ! Digest is not as expected.");
		69	}
		70
58	return $digest === $expected;	71	return $digest === $expected;
59	}	72	}
60		73


diff --git a/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php b/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php index 4d4f2145..d815d536 100644 --- a/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php +++ b/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php
@@ -9,16 +9,19 @@ use Symfony\Component\Security\Core\Exception\AuthenticationException;
9	use Symfony\Component\Security\Core\SecurityContextInterface;	9	use Symfony\Component\Security\Core\SecurityContextInterface;
10	use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;	10	use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
11	use Wallabag\CoreBundle\Security\Authentication\Token\WsseUserToken;	11	use Wallabag\CoreBundle\Security\Authentication\Token\WsseUserToken;
		12	use Symfony\Component\HttpKernel\Log\LoggerInterface;
12		13
13	class WsseListener implements ListenerInterface	14	class WsseListener implements ListenerInterface
14	{	15	{
15	protected $securityContext;	16	protected $securityContext;
16	protected $authenticationManager;	17	protected $authenticationManager;
		18	protected $logger;
17		19
18	public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager)	20	public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, LoggerInterface $logger)
19	{	21	{
20	$this->securityContext = $securityContext;	22	$this->securityContext = $securityContext;
21	$this->authenticationManager = $authenticationManager;	23	$this->authenticationManager = $authenticationManager;
		24	$this->logger = $logger;
22	}	25	}
23		26
24	public function handle(GetResponseEvent $event)	27	public function handle(GetResponseEvent $event)
@@ -42,16 +45,21 @@ class WsseListener implements ListenerInterface
42		45
43	$this->securityContext->setToken($authToken);	46	$this->securityContext->setToken($authToken);
44	} catch (AuthenticationException $failed) {	47	} catch (AuthenticationException $failed) {
45	// ... you might log something here	48	$failedMessage = 'WSSE Login failed for '.$token->getUsername().'. Why ? '.$failed->getMessage();
46		49	$this->logger->err($failedMessage);
47	// To deny the authentication clear the token. This will redirect to the login page.
48	// $this->securityContext->setToken(null);
49	// return;
50		50
51	// Deny authentication with a '403 Forbidden' HTTP response	51	// Deny authentication with a '403 Forbidden' HTTP response
52	$response = new Response();	52	$response = new Response();
53	$response->setStatusCode(403);	53	$response->setStatusCode(403);
		54	$response->setContent($failedMessage);
54	$event->setResponse($response);	55	$event->setResponse($response);
		56
		57	return;
55	}	58	}
		59
		60	// By default deny authorization
		61	$response = new Response();
		62	$response->setStatusCode(403);
		63	$event->setResponse($response);
56	}	64	}
57	}	65	}


diff --git a/src/Wallabag/CoreBundle/Tests/WallabagTestCase.php b/src/Wallabag/CoreBundle/Tests/WallabagTestCase.php index 5f092318..edc7d992 100644 --- a/src/Wallabag/CoreBundle/Tests/WallabagTestCase.php +++ b/src/Wallabag/CoreBundle/Tests/WallabagTestCase.php
@@ -3,8 +3,6 @@
3	namespace Wallabag\CoreBundle\Tests;	3	namespace Wallabag\CoreBundle\Tests;
4		4
5	use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;	5	use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
6	use Symfony\Component\BrowserKit\Cookie;
7	use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
8		6
9	class WallabagTestCase extends WebTestCase	7	class WallabagTestCase extends WebTestCase
10	{	8	{