diff options
author | Jeremy Benoist <jeremy.benoist@gmail.com> | 2017-06-09 09:45:43 +0200 |
---|---|---|
committer | Jeremy Benoist <jeremy.benoist@gmail.com> | 2017-06-09 09:45:43 +0200 |
commit | f81a34e37929a822755d120215d2f18f042ff713 (patch) | |
tree | 086049b73cf8d547f18c28963a60f36c5679cfcc /src | |
parent | fa1c9d7cc7f3c4d2f9167a5b62bbc8cd1f9df59b (diff) | |
download | wallabag-f81a34e37929a822755d120215d2f18f042ff713.tar.gz wallabag-f81a34e37929a822755d120215d2f18f042ff713.tar.zst wallabag-f81a34e37929a822755d120215d2f18f042ff713.zip |
Use a listener to catch auth failure
Diffstat (limited to 'src')
3 files changed, 45 insertions, 67 deletions
diff --git a/src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php b/src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php new file mode 100644 index 00000000..10f13233 --- /dev/null +++ b/src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php | |||
@@ -0,0 +1,40 @@ | |||
1 | <?php | ||
2 | |||
3 | namespace Wallabag\UserBundle\EventListener; | ||
4 | |||
5 | use Psr\Log\LoggerInterface; | ||
6 | use Symfony\Component\EventDispatcher\EventSubscriberInterface; | ||
7 | use Symfony\Component\HttpFoundation\RequestStack; | ||
8 | use Symfony\Component\Security\Core\AuthenticationEvents; | ||
9 | |||
10 | class AuthenticationFailureListener implements EventSubscriberInterface | ||
11 | { | ||
12 | private $requestStack; | ||
13 | private $logger; | ||
14 | |||
15 | public function __construct(RequestStack $requestStack, LoggerInterface $logger) | ||
16 | { | ||
17 | $this->requestStack = $requestStack; | ||
18 | $this->logger = $logger; | ||
19 | } | ||
20 | |||
21 | /** | ||
22 | * {@inheritdoc} | ||
23 | */ | ||
24 | public static function getSubscribedEvents() | ||
25 | { | ||
26 | return [ | ||
27 | AuthenticationEvents::AUTHENTICATION_FAILURE => 'onAuthenticationFailure', | ||
28 | ]; | ||
29 | } | ||
30 | |||
31 | /** | ||
32 | * On failure, add a custom error in log so server admin can configure fail2ban to block IP from people who try to login too much. | ||
33 | */ | ||
34 | public function onAuthenticationFailure() | ||
35 | { | ||
36 | $request = $this->requestStack->getMasterRequest(); | ||
37 | |||
38 | $this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".'); | ||
39 | } | ||
40 | } | ||
diff --git a/src/Wallabag/UserBundle/Resources/config/services.yml b/src/Wallabag/UserBundle/Resources/config/services.yml index 6ab463e3..f2cd6e01 100644 --- a/src/Wallabag/UserBundle/Resources/config/services.yml +++ b/src/Wallabag/UserBundle/Resources/config/services.yml | |||
@@ -36,10 +36,10 @@ services: | |||
36 | tags: | 36 | tags: |
37 | - { name: kernel.event_subscriber } | 37 | - { name: kernel.event_subscriber } |
38 | 38 | ||
39 | wallabag_user.security.custom_auth_failure_handler: | 39 | wallabag_user.listener.authentication_failure_event_listener: |
40 | class: Wallabag\UserBundle\Security\CustomAuthenticationFailureHandler | 40 | class: Wallabag\UserBundle\EventListener\AuthenticationFailureListener |
41 | arguments: | 41 | arguments: |
42 | - "@http_kernel" | 42 | - "@request_stack" |
43 | - "@security.http_utils" | ||
44 | - { } | ||
45 | - "@logger" | 43 | - "@logger" |
44 | tags: | ||
45 | - { name: kernel.event_listener, event: security.authentication.failure, method: onAuthenticationFailure } | ||
diff --git a/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php b/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php deleted file mode 100644 index 2d4ea0ea..00000000 --- a/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php +++ /dev/null | |||
@@ -1,62 +0,0 @@ | |||
1 | <?php | ||
2 | |||
3 | namespace Wallabag\UserBundle\Security; | ||
4 | |||
5 | use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler; | ||
6 | use Symfony\Component\HttpFoundation\Request; | ||
7 | use Symfony\Component\Security\Core\Exception\AuthenticationException; | ||
8 | use Symfony\Component\Security\Http\ParameterBagUtils; | ||
9 | use Symfony\Component\HttpKernel\HttpKernelInterface; | ||
10 | use Symfony\Component\Security\Core\Security; | ||
11 | |||
12 | /** | ||
13 | * This is a custom authentication failure. | ||
14 | * It only aims to add a custom error in log so server admin can configure fail2ban to block IP from people who try to login too much. | ||
15 | * | ||
16 | * This only changing thing is the logError() addition | ||
17 | */ | ||
18 | class CustomAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler | ||
19 | { | ||
20 | /** | ||
21 | * {@inheritdoc} | ||
22 | */ | ||
23 | public function onAuthenticationFailure(Request $request, AuthenticationException $exception) | ||
24 | { | ||
25 | if ($failureUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['failure_path_parameter'])) { | ||
26 | $this->options['failure_path'] = $failureUrl; | ||
27 | } | ||
28 | |||
29 | if (null === $this->options['failure_path']) { | ||
30 | $this->options['failure_path'] = $this->options['login_path']; | ||
31 | } | ||
32 | |||
33 | if ($this->options['failure_forward']) { | ||
34 | $this->logger->debug('Authentication failure, forward triggered.', ['failure_path' => $this->options['failure_path']]); | ||
35 | |||
36 | $this->logError($request); | ||
37 | |||
38 | $subRequest = $this->httpUtils->createRequest($request, $this->options['failure_path']); | ||
39 | $subRequest->attributes->set(Security::AUTHENTICATION_ERROR, $exception); | ||
40 | |||
41 | return $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST); | ||
42 | } | ||
43 | |||
44 | $this->logger->debug('Authentication failure, redirect triggered.', ['failure_path' => $this->options['failure_path']]); | ||
45 | |||
46 | $this->logError($request); | ||
47 | |||
48 | $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception); | ||
49 | |||
50 | return $this->httpUtils->createRedirectResponse($request, $this->options['failure_path']); | ||
51 | } | ||
52 | |||
53 | /** | ||
54 | * Log error information about fialure. | ||
55 | * | ||
56 | * @param Request $request | ||
57 | */ | ||
58 | private function logError(Request $request) | ||
59 | { | ||
60 | $this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".'); | ||
61 | } | ||
62 | } | ||