aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--app/config/config_prod.yml5
-rw-r--r--src/Wallabag/CoreBundle/Controller/EntryController.php1
-rw-r--r--src/Wallabag/CoreBundle/Repository/EntryRepository.php12
-rw-r--r--src/Wallabag/CoreBundle/Resources/config/services.xml2
-rw-r--r--src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php21
-rw-r--r--src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php20
-rw-r--r--src/Wallabag/CoreBundle/Tests/WallabagTestCase.php2
7 files changed, 44 insertions, 19 deletions
diff --git a/app/config/config_prod.yml b/app/config/config_prod.yml
index 342837a0..c45f0fa6 100644
--- a/app/config/config_prod.yml
+++ b/app/config/config_prod.yml
@@ -17,6 +17,11 @@ monolog:
17 type: fingers_crossed 17 type: fingers_crossed
18 action_level: error 18 action_level: error
19 handler: nested 19 handler: nested
20 wsse:
21 type: stream
22 path: %kernel.logs_dir%/%kernel.environment%.wsse.log
23 level: error
24 channels: [wsse]
20 nested: 25 nested:
21 type: stream 26 type: stream
22 path: "%kernel.logs_dir%/%kernel.environment%.log" 27 path: "%kernel.logs_dir%/%kernel.environment%.log"
diff --git a/src/Wallabag/CoreBundle/Controller/EntryController.php b/src/Wallabag/CoreBundle/Controller/EntryController.php
index e0697ca3..5378486a 100644
--- a/src/Wallabag/CoreBundle/Controller/EntryController.php
+++ b/src/Wallabag/CoreBundle/Controller/EntryController.php
@@ -6,7 +6,6 @@ use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
6use Symfony\Bundle\FrameworkBundle\Controller\Controller; 6use Symfony\Bundle\FrameworkBundle\Controller\Controller;
7use Symfony\Component\HttpFoundation\Request; 7use Symfony\Component\HttpFoundation\Request;
8use Wallabag\CoreBundle\Entity\Entry; 8use Wallabag\CoreBundle\Entity\Entry;
9use Wallabag\CoreBundle\Repository;
10use Wallabag\CoreBundle\Service\Extractor; 9use Wallabag\CoreBundle\Service\Extractor;
11use Wallabag\CoreBundle\Helper\Url; 10use Wallabag\CoreBundle\Helper\Url;
12 11
diff --git a/src/Wallabag/CoreBundle/Repository/EntryRepository.php b/src/Wallabag/CoreBundle/Repository/EntryRepository.php
index 5ae1337a..1805cf3f 100644
--- a/src/Wallabag/CoreBundle/Repository/EntryRepository.php
+++ b/src/Wallabag/CoreBundle/Repository/EntryRepository.php
@@ -91,12 +91,12 @@ class EntryRepository extends EntityRepository
91 /** 91 /**
92 * Find Entries 92 * Find Entries
93 * 93 *
94 * @param int $userId 94 * @param int $userId
95 * @param bool $isArchived 95 * @param bool $isArchived
96 * @param bool $isStarred 96 * @param bool $isStarred
97 * @param bool $isDeleted 97 * @param bool $isDeleted
98 * @param string $sort 98 * @param string $sort
99 * @param string $order 99 * @param string $order
100 * 100 *
101 * @return ArrayCollection 101 * @return ArrayCollection
102 */ 102 */
diff --git a/src/Wallabag/CoreBundle/Resources/config/services.xml b/src/Wallabag/CoreBundle/Resources/config/services.xml
index 859665ca..ca2ba383 100644
--- a/src/Wallabag/CoreBundle/Resources/config/services.xml
+++ b/src/Wallabag/CoreBundle/Resources/config/services.xml
@@ -21,6 +21,8 @@
21 class="Wallabag\CoreBundle\Security\Firewall\WsseListener" public="false"> 21 class="Wallabag\CoreBundle\Security\Firewall\WsseListener" public="false">
22 <argument type="service" id="security.context"/> 22 <argument type="service" id="security.context"/>
23 <argument type="service" id="security.authentication.manager" /> 23 <argument type="service" id="security.authentication.manager" />
24 <argument type="service" id="logger" />
25 <tag name="monolog.logger" channel="wsse" />
24 </service> 26 </service>
25 </services> 27 </services>
26 28
diff --git a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
index eaad9c63..c9b9b692 100644
--- a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
+++ b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
@@ -23,6 +23,10 @@ class WsseProvider implements AuthenticationProviderInterface
23 { 23 {
24 $user = $this->userProvider->loadUserByUsername($token->getUsername()); 24 $user = $this->userProvider->loadUserByUsername($token->getUsername());
25 25
26 if (!$user) {
27 throw new AuthenticationException("Bad credentials. Did you forgot your username?");
28 }
29
26 if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) { 30 if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
27 $authenticatedToken = new WsseUserToken($user->getRoles()); 31 $authenticatedToken = new WsseUserToken($user->getRoles());
28 $authenticatedToken->setUser($user); 32 $authenticatedToken->setUser($user);
@@ -35,12 +39,17 @@ class WsseProvider implements AuthenticationProviderInterface
35 39
36 protected function validateDigest($digest, $nonce, $created, $secret) 40 protected function validateDigest($digest, $nonce, $created, $secret)
37 { 41 {
38 // Expire le timestamp après 5 minutes 42 // Check created time is not in the future
43 if (strtotime($created) > time()) {
44 throw new AuthenticationException("Back to the future...");
45 }
46
47 // Expire timestamp after 5 minutes
39 if (time() - strtotime($created) > 300) { 48 if (time() - strtotime($created) > 300) {
40 return false; 49 throw new AuthenticationException("Too late for this timestamp... Watch your watch.");
41 } 50 }
42 51
43 // Valide que le nonce est unique dans les 5 minutes 52 // Validate nonce is unique within 5 minutes
44 if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) { 53 if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
45 throw new NonceExpiredException('Previously used nonce detected'); 54 throw new NonceExpiredException('Previously used nonce detected');
46 } 55 }
@@ -52,9 +61,13 @@ class WsseProvider implements AuthenticationProviderInterface
52 61
53 file_put_contents($this->cacheDir.'/'.$nonce, time()); 62 file_put_contents($this->cacheDir.'/'.$nonce, time());
54 63
55 // Valide le Secret 64 // Validate Secret
56 $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true)); 65 $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
57 66
67 if ($digest !== $expected) {
68 throw new AuthenticationException("Bad credentials ! Digest is not as expected.");
69 }
70
58 return $digest === $expected; 71 return $digest === $expected;
59 } 72 }
60 73
diff --git a/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php b/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php
index 4d4f2145..d815d536 100644
--- a/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php
+++ b/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php
@@ -9,16 +9,19 @@ use Symfony\Component\Security\Core\Exception\AuthenticationException;
9use Symfony\Component\Security\Core\SecurityContextInterface; 9use Symfony\Component\Security\Core\SecurityContextInterface;
10use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface; 10use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
11use Wallabag\CoreBundle\Security\Authentication\Token\WsseUserToken; 11use Wallabag\CoreBundle\Security\Authentication\Token\WsseUserToken;
12use Symfony\Component\HttpKernel\Log\LoggerInterface;
12 13
13class WsseListener implements ListenerInterface 14class WsseListener implements ListenerInterface
14{ 15{
15 protected $securityContext; 16 protected $securityContext;
16 protected $authenticationManager; 17 protected $authenticationManager;
18 protected $logger;
17 19
18 public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager) 20 public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, LoggerInterface $logger)
19 { 21 {
20 $this->securityContext = $securityContext; 22 $this->securityContext = $securityContext;
21 $this->authenticationManager = $authenticationManager; 23 $this->authenticationManager = $authenticationManager;
24 $this->logger = $logger;
22 } 25 }
23 26
24 public function handle(GetResponseEvent $event) 27 public function handle(GetResponseEvent $event)
@@ -42,16 +45,21 @@ class WsseListener implements ListenerInterface
42 45
43 $this->securityContext->setToken($authToken); 46 $this->securityContext->setToken($authToken);
44 } catch (AuthenticationException $failed) { 47 } catch (AuthenticationException $failed) {
45 // ... you might log something here 48 $failedMessage = 'WSSE Login failed for '.$token->getUsername().'. Why ? '.$failed->getMessage();
46 49 $this->logger->err($failedMessage);
47 // To deny the authentication clear the token. This will redirect to the login page.
48 // $this->securityContext->setToken(null);
49 // return;
50 50
51 // Deny authentication with a '403 Forbidden' HTTP response 51 // Deny authentication with a '403 Forbidden' HTTP response
52 $response = new Response(); 52 $response = new Response();
53 $response->setStatusCode(403); 53 $response->setStatusCode(403);
54 $response->setContent($failedMessage);
54 $event->setResponse($response); 55 $event->setResponse($response);
56
57 return;
55 } 58 }
59
60 // By default deny authorization
61 $response = new Response();
62 $response->setStatusCode(403);
63 $event->setResponse($response);
56 } 64 }
57} 65}
diff --git a/src/Wallabag/CoreBundle/Tests/WallabagTestCase.php b/src/Wallabag/CoreBundle/Tests/WallabagTestCase.php
index 5f092318..edc7d992 100644
--- a/src/Wallabag/CoreBundle/Tests/WallabagTestCase.php
+++ b/src/Wallabag/CoreBundle/Tests/WallabagTestCase.php
@@ -3,8 +3,6 @@
3namespace Wallabag\CoreBundle\Tests; 3namespace Wallabag\CoreBundle\Tests;
4 4
5use Symfony\Bundle\FrameworkBundle\Test\WebTestCase; 5use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
6use Symfony\Component\BrowserKit\Cookie;
7use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
8 6
9class WallabagTestCase extends WebTestCase 7class WallabagTestCase extends WebTestCase
10{ 8{