diff options
5 files changed, 111 insertions, 68 deletions
diff --git a/app/config/security.yml b/app/config/security.yml index 171a69e2..ffb1d356 100644 --- a/app/config/security.yml +++ b/app/config/security.yml | |||
| @@ -41,7 +41,6 @@ security: | |||
| 41 | form_login: | 41 | form_login: |
| 42 | provider: fos_userbundle | 42 | provider: fos_userbundle |
| 43 | csrf_token_generator: security.csrf.token_manager | 43 | csrf_token_generator: security.csrf.token_manager |
| 44 | failure_handler: wallabag_user.security.custom_auth_failure_handler | ||
| 45 | 44 | ||
| 46 | anonymous: true | 45 | anonymous: true |
| 47 | remember_me: | 46 | remember_me: |
diff --git a/src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php b/src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php new file mode 100644 index 00000000..10f13233 --- /dev/null +++ b/src/Wallabag/UserBundle/EventListener/AuthenticationFailureListener.php | |||
| @@ -0,0 +1,40 @@ | |||
| 1 | <?php | ||
| 2 | |||
| 3 | namespace Wallabag\UserBundle\EventListener; | ||
| 4 | |||
| 5 | use Psr\Log\LoggerInterface; | ||
| 6 | use Symfony\Component\EventDispatcher\EventSubscriberInterface; | ||
| 7 | use Symfony\Component\HttpFoundation\RequestStack; | ||
| 8 | use Symfony\Component\Security\Core\AuthenticationEvents; | ||
| 9 | |||
| 10 | class AuthenticationFailureListener implements EventSubscriberInterface | ||
| 11 | { | ||
| 12 | private $requestStack; | ||
| 13 | private $logger; | ||
| 14 | |||
| 15 | public function __construct(RequestStack $requestStack, LoggerInterface $logger) | ||
| 16 | { | ||
| 17 | $this->requestStack = $requestStack; | ||
| 18 | $this->logger = $logger; | ||
| 19 | } | ||
| 20 | |||
| 21 | /** | ||
| 22 | * {@inheritdoc} | ||
| 23 | */ | ||
| 24 | public static function getSubscribedEvents() | ||
| 25 | { | ||
| 26 | return [ | ||
| 27 | AuthenticationEvents::AUTHENTICATION_FAILURE => 'onAuthenticationFailure', | ||
| 28 | ]; | ||
| 29 | } | ||
| 30 | |||
| 31 | /** | ||
| 32 | * On failure, add a custom error in log so server admin can configure fail2ban to block IP from people who try to login too much. | ||
| 33 | */ | ||
| 34 | public function onAuthenticationFailure() | ||
| 35 | { | ||
| 36 | $request = $this->requestStack->getMasterRequest(); | ||
| 37 | |||
| 38 | $this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".'); | ||
| 39 | } | ||
| 40 | } | ||
diff --git a/src/Wallabag/UserBundle/Resources/config/services.yml b/src/Wallabag/UserBundle/Resources/config/services.yml index 6ab463e3..f2cd6e01 100644 --- a/src/Wallabag/UserBundle/Resources/config/services.yml +++ b/src/Wallabag/UserBundle/Resources/config/services.yml | |||
| @@ -36,10 +36,10 @@ services: | |||
| 36 | tags: | 36 | tags: |
| 37 | - { name: kernel.event_subscriber } | 37 | - { name: kernel.event_subscriber } |
| 38 | 38 | ||
| 39 | wallabag_user.security.custom_auth_failure_handler: | 39 | wallabag_user.listener.authentication_failure_event_listener: |
| 40 | class: Wallabag\UserBundle\Security\CustomAuthenticationFailureHandler | 40 | class: Wallabag\UserBundle\EventListener\AuthenticationFailureListener |
| 41 | arguments: | 41 | arguments: |
| 42 | - "@http_kernel" | 42 | - "@request_stack" |
| 43 | - "@security.http_utils" | ||
| 44 | - { } | ||
| 45 | - "@logger" | 43 | - "@logger" |
| 44 | tags: | ||
| 45 | - { name: kernel.event_listener, event: security.authentication.failure, method: onAuthenticationFailure } | ||
diff --git a/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php b/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php deleted file mode 100644 index 2d4ea0ea..00000000 --- a/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php +++ /dev/null | |||
| @@ -1,62 +0,0 @@ | |||
| 1 | <?php | ||
| 2 | |||
| 3 | namespace Wallabag\UserBundle\Security; | ||
| 4 | |||
| 5 | use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler; | ||
| 6 | use Symfony\Component\HttpFoundation\Request; | ||
| 7 | use Symfony\Component\Security\Core\Exception\AuthenticationException; | ||
| 8 | use Symfony\Component\Security\Http\ParameterBagUtils; | ||
| 9 | use Symfony\Component\HttpKernel\HttpKernelInterface; | ||
| 10 | use Symfony\Component\Security\Core\Security; | ||
| 11 | |||
| 12 | /** | ||
| 13 | * This is a custom authentication failure. | ||
| 14 | * It only aims to add a custom error in log so server admin can configure fail2ban to block IP from people who try to login too much. | ||
| 15 | * | ||
| 16 | * This only changing thing is the logError() addition | ||
| 17 | */ | ||
| 18 | class CustomAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler | ||
| 19 | { | ||
| 20 | /** | ||
| 21 | * {@inheritdoc} | ||
| 22 | */ | ||
| 23 | public function onAuthenticationFailure(Request $request, AuthenticationException $exception) | ||
| 24 | { | ||
| 25 | if ($failureUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['failure_path_parameter'])) { | ||
| 26 | $this->options['failure_path'] = $failureUrl; | ||
| 27 | } | ||
| 28 | |||
| 29 | if (null === $this->options['failure_path']) { | ||
| 30 | $this->options['failure_path'] = $this->options['login_path']; | ||
| 31 | } | ||
| 32 | |||
| 33 | if ($this->options['failure_forward']) { | ||
| 34 | $this->logger->debug('Authentication failure, forward triggered.', ['failure_path' => $this->options['failure_path']]); | ||
| 35 | |||
| 36 | $this->logError($request); | ||
| 37 | |||
| 38 | $subRequest = $this->httpUtils->createRequest($request, $this->options['failure_path']); | ||
| 39 | $subRequest->attributes->set(Security::AUTHENTICATION_ERROR, $exception); | ||
| 40 | |||
| 41 | return $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST); | ||
| 42 | } | ||
| 43 | |||
| 44 | $this->logger->debug('Authentication failure, redirect triggered.', ['failure_path' => $this->options['failure_path']]); | ||
| 45 | |||
| 46 | $this->logError($request); | ||
| 47 | |||
| 48 | $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception); | ||
| 49 | |||
| 50 | return $this->httpUtils->createRedirectResponse($request, $this->options['failure_path']); | ||
| 51 | } | ||
| 52 | |||
| 53 | /** | ||
| 54 | * Log error information about fialure. | ||
| 55 | * | ||
| 56 | * @param Request $request | ||
| 57 | */ | ||
| 58 | private function logError(Request $request) | ||
| 59 | { | ||
| 60 | $this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".'); | ||
| 61 | } | ||
| 62 | } | ||
diff --git a/tests/Wallabag/UserBundle/EventListener/AuthenticationFailureListenerTest.php b/tests/Wallabag/UserBundle/EventListener/AuthenticationFailureListenerTest.php new file mode 100644 index 00000000..6191ea13 --- /dev/null +++ b/tests/Wallabag/UserBundle/EventListener/AuthenticationFailureListenerTest.php | |||
| @@ -0,0 +1,66 @@ | |||
| 1 | <?php | ||
| 2 | |||
| 3 | namespace Tests\Wallabag\UserBundle\EventListener; | ||
| 4 | |||
| 5 | use Symfony\Component\EventDispatcher\EventDispatcher; | ||
| 6 | use Symfony\Component\HttpFoundation\Request; | ||
| 7 | use Wallabag\UserBundle\EventListener\AuthenticationFailureListener; | ||
| 8 | use Monolog\Logger; | ||
| 9 | use Monolog\Handler\TestHandler; | ||
| 10 | use Symfony\Component\HttpFoundation\RequestStack; | ||
| 11 | use Symfony\Component\Security\Core\AuthenticationEvents; | ||
| 12 | use Symfony\Component\Security\Core\Event\AuthenticationFailureEvent; | ||
| 13 | |||
| 14 | class AuthenticationFailureListenerTest extends \PHPUnit_Framework_TestCase | ||
| 15 | { | ||
| 16 | private $requestStack; | ||
| 17 | private $logHandler; | ||
| 18 | private $listener; | ||
| 19 | private $dispatcher; | ||
| 20 | |||
| 21 | protected function setUp() | ||
| 22 | { | ||
| 23 | $request = Request::create('/'); | ||
| 24 | $request->request->set('_username', 'admin'); | ||
| 25 | |||
| 26 | $this->requestStack = new RequestStack(); | ||
| 27 | $this->requestStack->push($request); | ||
| 28 | |||
| 29 | $this->logHandler = new TestHandler(); | ||
| 30 | $logger = new Logger('test', [$this->logHandler]); | ||
| 31 | |||
| 32 | $this->listener = new AuthenticationFailureListener( | ||
| 33 | $this->requestStack, | ||
| 34 | $logger | ||
| 35 | ); | ||
| 36 | |||
| 37 | $this->dispatcher = new EventDispatcher(); | ||
| 38 | $this->dispatcher->addSubscriber($this->listener); | ||
| 39 | } | ||
| 40 | |||
| 41 | public function testOnAuthenticationFailure() | ||
| 42 | { | ||
| 43 | $token = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\TokenInterface') | ||
| 44 | ->disableOriginalConstructor() | ||
| 45 | ->getMock(); | ||
| 46 | |||
| 47 | $exception = $this->getMockBuilder('Symfony\Component\Security\Core\Exception\AuthenticationException') | ||
| 48 | ->disableOriginalConstructor() | ||
| 49 | ->getMock(); | ||
| 50 | |||
| 51 | $event = new AuthenticationFailureEvent( | ||
| 52 | $token, | ||
| 53 | $exception | ||
| 54 | ); | ||
| 55 | |||
| 56 | $this->dispatcher->dispatch( | ||
| 57 | AuthenticationEvents::AUTHENTICATION_FAILURE, | ||
| 58 | $event | ||
| 59 | ); | ||
| 60 | |||
| 61 | $records = $this->logHandler->getRecords(); | ||
| 62 | |||
| 63 | $this->assertCount(1, $records); | ||
| 64 | $this->assertSame('Authentication failure for user "admin", from IP "127.0.0.1", with UA: "Symfony/3.X".', $records[0]['message']); | ||
| 65 | } | ||
| 66 | } | ||