aboutsummaryrefslogtreecommitdiffhomepage
path: root/src/Wallabag/ApiBundle
diff options
context:
space:
mode:
Diffstat (limited to 'src/Wallabag/ApiBundle')
-rw-r--r--src/Wallabag/ApiBundle/Controller/WallabagRestController.php376
-rw-r--r--src/Wallabag/ApiBundle/DependencyInjection/Configuration.php29
-rw-r--r--src/Wallabag/ApiBundle/DependencyInjection/Security/Factory/WsseFactory.php40
-rw-r--r--src/Wallabag/ApiBundle/DependencyInjection/WallabagApiExtension.php25
-rw-r--r--src/Wallabag/ApiBundle/Resources/config/routing.yml0
-rw-r--r--src/Wallabag/ApiBundle/Resources/config/routing_rest.yml4
-rw-r--r--src/Wallabag/ApiBundle/Resources/config/services.yml12
-rw-r--r--src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php79
-rw-r--r--src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php24
-rw-r--r--src/Wallabag/ApiBundle/Security/Firewall/WsseListener.php62
-rw-r--r--src/Wallabag/ApiBundle/Tests/Controller/WallabagRestControllerTest.php410
-rw-r--r--src/Wallabag/ApiBundle/WallabagApiBundle.php18
12 files changed, 1079 insertions, 0 deletions
diff --git a/src/Wallabag/ApiBundle/Controller/WallabagRestController.php b/src/Wallabag/ApiBundle/Controller/WallabagRestController.php
new file mode 100644
index 00000000..2f5923c8
--- /dev/null
+++ b/src/Wallabag/ApiBundle/Controller/WallabagRestController.php
@@ -0,0 +1,376 @@
1<?php
2
3namespace Wallabag\ApiBundle\Controller;
4
5use Nelmio\ApiDocBundle\Annotation\ApiDoc;
6use Symfony\Bundle\FrameworkBundle\Controller\Controller;
7use Symfony\Component\HttpFoundation\Request;
8use Symfony\Component\HttpFoundation\Response;
9use Wallabag\CoreBundle\Entity\Entry;
10use Wallabag\CoreBundle\Entity\Tag;
11use Wallabag\CoreBundle\Service\Extractor;
12use Hateoas\Configuration\Route;
13use Hateoas\Representation\Factory\PagerfantaFactory;
14
15class WallabagRestController extends Controller
16{
17 /**
18 * @param Entry $entry
19 * @param string $tags
20 */
21 private function assignTagsToEntry(Entry $entry, $tags)
22 {
23 foreach (explode(',', $tags) as $label) {
24 $label = trim($label);
25 $tagEntity = $this
26 ->getDoctrine()
27 ->getRepository('WallabagCoreBundle:Tag')
28 ->findOneByLabel($label);
29
30 if (is_null($tagEntity)) {
31 $tagEntity = new Tag($this->getUser());
32 $tagEntity->setLabel($label);
33 }
34
35 // only add the tag on the entry if the relation doesn't exist
36 if (!$entry->getTags()->contains($tagEntity)) {
37 $entry->addTag($tagEntity);
38 }
39 }
40 }
41
42 /**
43 * Retrieve salt for a giver user.
44 *
45 * @ApiDoc(
46 * parameters={
47 * {"name"="username", "dataType"="string", "required"=true, "description"="username"}
48 * }
49 * )
50 *
51 * @return array
52 */
53 public function getSaltAction($username)
54 {
55 $user = $this
56 ->getDoctrine()
57 ->getRepository('WallabagCoreBundle:User')
58 ->findOneByUsername($username);
59
60 if (is_null($user)) {
61 throw $this->createNotFoundException();
62 }
63
64 return array($user->getSalt() ?: null);
65 }
66
67 /**
68 * Retrieve all entries. It could be filtered by many options.
69 *
70 * @ApiDoc(
71 * parameters={
72 * {"name"="archive", "dataType"="boolean", "required"=false, "format"="true or false, all entries by default", "description"="filter by archived status."},
73 * {"name"="star", "dataType"="boolean", "required"=false, "format"="true or false, all entries by default", "description"="filter by starred status."},
74 * {"name"="sort", "dataType"="string", "required"=false, "format"="'created' or 'updated', default 'created'", "description"="sort entries by date."},
75 * {"name"="order", "dataType"="string", "required"=false, "format"="'asc' or 'desc', default 'desc'", "description"="order of sort."},
76 * {"name"="page", "dataType"="integer", "required"=false, "format"="default '1'", "description"="what page you want."},
77 * {"name"="perPage", "dataType"="integer", "required"=false, "format"="default'30'", "description"="results per page."},
78 * {"name"="tags", "dataType"="string", "required"=false, "format"="api%2Crest", "description"="a list of tags url encoded. Will returns entries that matches ALL tags."},
79 * }
80 * )
81 *
82 * @return Entry
83 */
84 public function getEntriesAction(Request $request)
85 {
86 $isArchived = $request->query->get('archive');
87 $isStarred = $request->query->get('star');
88 $sort = $request->query->get('sort', 'created');
89 $order = $request->query->get('order', 'desc');
90 $page = (int) $request->query->get('page', 1);
91 $perPage = (int) $request->query->get('perPage', 30);
92 $tags = $request->query->get('tags', []);
93
94 $pager = $this
95 ->getDoctrine()
96 ->getRepository('WallabagCoreBundle:Entry')
97 ->findEntries($this->getUser()->getId(), $isArchived, $isStarred, $sort, $order);
98
99 $pager->setCurrentPage($page);
100 $pager->setMaxPerPage($perPage);
101
102 $pagerfantaFactory = new PagerfantaFactory('page', 'perPage');
103 $paginatedCollection = $pagerfantaFactory->createRepresentation(
104 $pager,
105 new Route('api_get_entries', [], $absolute = true)
106 );
107
108 $json = $this->get('serializer')->serialize($paginatedCollection, 'json');
109
110 return $this->renderJsonResponse($json);
111 }
112
113 /**
114 * Retrieve a single entry.
115 *
116 * @ApiDoc(
117 * requirements={
118 * {"name"="entry", "dataType"="integer", "requirement"="\w+", "description"="The entry ID"}
119 * }
120 * )
121 *
122 * @return Entry
123 */
124 public function getEntryAction(Entry $entry)
125 {
126 $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId());
127
128 $json = $this->get('serializer')->serialize($entry, 'json');
129
130 return $this->renderJsonResponse($json);
131 }
132
133 /**
134 * Create an entry.
135 *
136 * @ApiDoc(
137 * parameters={
138 * {"name"="url", "dataType"="string", "required"=true, "format"="http://www.test.com/article.html", "description"="Url for the entry."},
139 * {"name"="title", "dataType"="string", "required"=false, "description"="Optional, we'll get the title from the page."},
140 * {"name"="tags", "dataType"="string", "required"=false, "format"="tag1,tag2,tag3", "description"="a comma-separated list of tags."},
141 * }
142 * )
143 *
144 * @return Entry
145 */
146 public function postEntriesAction(Request $request)
147 {
148 $url = $request->request->get('url');
149
150 $content = Extractor::extract($url);
151 $entry = new Entry($this->getUser());
152 $entry->setUrl($url);
153 $entry->setTitle($request->request->get('title') ?: $content->getTitle());
154 $entry->setContent($content->getBody());
155
156 $tags = $request->request->get('tags', '');
157 if (!empty($tags)) {
158 $this->assignTagsToEntry($entry, $tags);
159 }
160
161 $em = $this->getDoctrine()->getManager();
162 $em->persist($entry);
163 $em->flush();
164
165 $json = $this->get('serializer')->serialize($entry, 'json');
166
167 return $this->renderJsonResponse($json);
168 }
169
170 /**
171 * Change several properties of an entry.
172 *
173 * @ApiDoc(
174 * requirements={
175 * {"name"="entry", "dataType"="integer", "requirement"="\w+", "description"="The entry ID"}
176 * },
177 * parameters={
178 * {"name"="title", "dataType"="string", "required"=false},
179 * {"name"="tags", "dataType"="string", "required"=false, "format"="tag1,tag2,tag3", "description"="a comma-separated list of tags."},
180 * {"name"="archive", "dataType"="boolean", "required"=false, "format"="true or false", "description"="archived the entry."},
181 * {"name"="star", "dataType"="boolean", "required"=false, "format"="true or false", "description"="starred the entry."},
182 * }
183 * )
184 *
185 * @return Entry
186 */
187 public function patchEntriesAction(Entry $entry, Request $request)
188 {
189 $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId());
190
191 $title = $request->request->get('title');
192 $isArchived = $request->request->get('archive');
193 $isStarred = $request->request->get('star');
194
195 if (!is_null($title)) {
196 $entry->setTitle($title);
197 }
198
199 if (!is_null($isArchived)) {
200 $entry->setArchived($isArchived);
201 }
202
203 if (!is_null($isStarred)) {
204 $entry->setStarred($isStarred);
205 }
206
207 $tags = $request->request->get('tags', '');
208 if (!empty($tags)) {
209 $this->assignTagsToEntry($entry, $tags);
210 }
211
212 $em = $this->getDoctrine()->getManager();
213 $em->flush();
214
215 $json = $this->get('serializer')->serialize($entry, 'json');
216
217 return $this->renderJsonResponse($json);
218 }
219
220 /**
221 * Delete **permanently** an entry.
222 *
223 * @ApiDoc(
224 * requirements={
225 * {"name"="entry", "dataType"="integer", "requirement"="\w+", "description"="The entry ID"}
226 * }
227 * )
228 *
229 * @return Entry
230 */
231 public function deleteEntriesAction(Entry $entry)
232 {
233 $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId());
234
235 $em = $this->getDoctrine()->getManager();
236 $em->remove($entry);
237 $em->flush();
238
239 $json = $this->get('serializer')->serialize($entry, 'json');
240
241 return $this->renderJsonResponse($json);
242 }
243
244 /**
245 * Retrieve all tags for an entry.
246 *
247 * @ApiDoc(
248 * requirements={
249 * {"name"="entry", "dataType"="integer", "requirement"="\w+", "description"="The entry ID"}
250 * }
251 * )
252 */
253 public function getEntriesTagsAction(Entry $entry)
254 {
255 $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId());
256
257 $json = $this->get('serializer')->serialize($entry->getTags(), 'json');
258
259 return $this->renderJsonResponse($json);
260 }
261
262 /**
263 * Add one or more tags to an entry.
264 *
265 * @ApiDoc(
266 * requirements={
267 * {"name"="entry", "dataType"="integer", "requirement"="\w+", "description"="The entry ID"}
268 * },
269 * parameters={
270 * {"name"="tags", "dataType"="string", "required"=false, "format"="tag1,tag2,tag3", "description"="a comma-separated list of tags."},
271 * }
272 * )
273 */
274 public function postEntriesTagsAction(Request $request, Entry $entry)
275 {
276 $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId());
277
278 $tags = $request->request->get('tags', '');
279 if (!empty($tags)) {
280 $this->assignTagsToEntry($entry, $tags);
281 }
282
283 $em = $this->getDoctrine()->getManager();
284 $em->persist($entry);
285 $em->flush();
286
287 $json = $this->get('serializer')->serialize($entry, 'json');
288
289 return $this->renderJsonResponse($json);
290 }
291
292 /**
293 * Permanently remove one tag for an entry.
294 *
295 * @ApiDoc(
296 * requirements={
297 * {"name"="tag", "dataType"="integer", "requirement"="\w+", "description"="The tag ID"},
298 * {"name"="entry", "dataType"="integer", "requirement"="\w+", "description"="The entry ID"}
299 * }
300 * )
301 */
302 public function deleteEntriesTagsAction(Entry $entry, Tag $tag)
303 {
304 $this->validateUserAccess($entry->getUser()->getId(), $this->getUser()->getId());
305
306 $entry->removeTag($tag);
307 $em = $this->getDoctrine()->getManager();
308 $em->persist($entry);
309 $em->flush();
310
311 $json = $this->get('serializer')->serialize($entry, 'json');
312
313 return $this->renderJsonResponse($json);
314 }
315
316 /**
317 * Retrieve all tags.
318 *
319 * @ApiDoc()
320 */
321 public function getTagsAction()
322 {
323 $json = $this->get('serializer')->serialize($this->getUser()->getTags(), 'json');
324
325 return $this->renderJsonResponse($json);
326 }
327
328 /**
329 * Permanently remove one tag from **every** entry.
330 *
331 * @ApiDoc(
332 * requirements={
333 * {"name"="tag", "dataType"="integer", "requirement"="\w+", "description"="The tag"}
334 * }
335 * )
336 */
337 public function deleteTagAction(Tag $tag)
338 {
339 $this->validateUserAccess($tag->getUser()->getId(), $this->getUser()->getId());
340
341 $em = $this->getDoctrine()->getManager();
342 $em->remove($tag);
343 $em->flush();
344
345 $json = $this->get('serializer')->serialize($tag, 'json');
346
347 return $this->renderJsonResponse($json);
348 }
349
350 /**
351 * Validate that the first id is equal to the second one.
352 * If not, throw exception. It means a user try to access information from an other user.
353 *
354 * @param int $requestUserId User id from the requested source
355 * @param int $currentUserId User id from the retrieved source
356 */
357 private function validateUserAccess($requestUserId, $currentUserId)
358 {
359 if ($requestUserId != $currentUserId) {
360 throw $this->createAccessDeniedException('Access forbidden. Entry user id: '.$requestUserId.', logged user id: '.$currentUserId);
361 }
362 }
363
364 /**
365 * Send a JSON Response.
366 * We don't use the Symfony JsonRespone, because it takes an array as parameter instead of a JSON string.
367 *
368 * @param string $json
369 *
370 * @return Response
371 */
372 private function renderJsonResponse($json)
373 {
374 return new Response($json, 200, array('application/json'));
375 }
376}
diff --git a/src/Wallabag/ApiBundle/DependencyInjection/Configuration.php b/src/Wallabag/ApiBundle/DependencyInjection/Configuration.php
new file mode 100644
index 00000000..cec45412
--- /dev/null
+++ b/src/Wallabag/ApiBundle/DependencyInjection/Configuration.php
@@ -0,0 +1,29 @@
1<?php
2
3namespace Wallabag\ApiBundle\DependencyInjection;
4
5use Symfony\Component\Config\Definition\Builder\TreeBuilder;
6use Symfony\Component\Config\Definition\ConfigurationInterface;
7
8/**
9 * This is the class that validates and merges configuration from your app/config files.
10 *
11 * To learn more see {@link http://symfony.com/doc/current/cookbook/bundles/extension.html#cookbook-bundles-extension-config-class}
12 */
13class Configuration implements ConfigurationInterface
14{
15 /**
16 * {@inheritdoc}
17 */
18 public function getConfigTreeBuilder()
19 {
20 $treeBuilder = new TreeBuilder();
21 $rootNode = $treeBuilder->root('wallabag_api');
22
23 // Here you should define the parameters that are allowed to
24 // configure your bundle. See the documentation linked above for
25 // more information on that topic.
26
27 return $treeBuilder;
28 }
29}
diff --git a/src/Wallabag/ApiBundle/DependencyInjection/Security/Factory/WsseFactory.php b/src/Wallabag/ApiBundle/DependencyInjection/Security/Factory/WsseFactory.php
new file mode 100644
index 00000000..402eb869
--- /dev/null
+++ b/src/Wallabag/ApiBundle/DependencyInjection/Security/Factory/WsseFactory.php
@@ -0,0 +1,40 @@
1<?php
2
3namespace Wallabag\ApiBundle\DependencyInjection\Security\Factory;
4
5use Symfony\Component\DependencyInjection\ContainerBuilder;
6use Symfony\Component\DependencyInjection\Reference;
7use Symfony\Component\DependencyInjection\DefinitionDecorator;
8use Symfony\Component\Config\Definition\Builder\NodeDefinition;
9use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
10
11class WsseFactory implements SecurityFactoryInterface
12{
13 public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)
14 {
15 $providerId = 'security.authentication.provider.wsse.'.$id;
16 $container
17 ->setDefinition($providerId, new DefinitionDecorator('wsse.security.authentication.provider'))
18 ->replaceArgument(0, new Reference($userProvider))
19 ;
20
21 $listenerId = 'security.authentication.listener.wsse.'.$id;
22 $listener = $container->setDefinition($listenerId, new DefinitionDecorator('wsse.security.authentication.listener'));
23
24 return array($providerId, $listenerId, $defaultEntryPoint);
25 }
26
27 public function getPosition()
28 {
29 return 'pre_auth';
30 }
31
32 public function getKey()
33 {
34 return 'wsse';
35 }
36
37 public function addConfiguration(NodeDefinition $node)
38 {
39 }
40}
diff --git a/src/Wallabag/ApiBundle/DependencyInjection/WallabagApiExtension.php b/src/Wallabag/ApiBundle/DependencyInjection/WallabagApiExtension.php
new file mode 100644
index 00000000..c5cc204e
--- /dev/null
+++ b/src/Wallabag/ApiBundle/DependencyInjection/WallabagApiExtension.php
@@ -0,0 +1,25 @@
1<?php
2
3namespace Wallabag\ApiBundle\DependencyInjection;
4
5use Symfony\Component\DependencyInjection\ContainerBuilder;
6use Symfony\Component\Config\FileLocator;
7use Symfony\Component\HttpKernel\DependencyInjection\Extension;
8use Symfony\Component\DependencyInjection\Loader;
9
10class WallabagApiExtension extends Extension
11{
12 public function load(array $configs, ContainerBuilder $container)
13 {
14 $configuration = new Configuration();
15 $config = $this->processConfiguration($configuration, $configs);
16
17 $loader = new Loader\YamlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
18 $loader->load('services.yml');
19 }
20
21 public function getAlias()
22 {
23 return 'wallabag_api';
24 }
25}
diff --git a/src/Wallabag/ApiBundle/Resources/config/routing.yml b/src/Wallabag/ApiBundle/Resources/config/routing.yml
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/src/Wallabag/ApiBundle/Resources/config/routing.yml
diff --git a/src/Wallabag/ApiBundle/Resources/config/routing_rest.yml b/src/Wallabag/ApiBundle/Resources/config/routing_rest.yml
new file mode 100644
index 00000000..5f43f971
--- /dev/null
+++ b/src/Wallabag/ApiBundle/Resources/config/routing_rest.yml
@@ -0,0 +1,4 @@
1entries:
2 type: rest
3 resource: "WallabagApiBundle:WallabagRest"
4 name_prefix: api_
diff --git a/src/Wallabag/ApiBundle/Resources/config/services.yml b/src/Wallabag/ApiBundle/Resources/config/services.yml
new file mode 100644
index 00000000..6854a444
--- /dev/null
+++ b/src/Wallabag/ApiBundle/Resources/config/services.yml
@@ -0,0 +1,12 @@
1services:
2 wsse.security.authentication.provider:
3 class: Wallabag\ApiBundle\Security\Authentication\Provider\WsseProvider
4 public: false
5 arguments: ['', '%kernel.cache_dir%/security/nonces']
6
7 wsse.security.authentication.listener:
8 class: Wallabag\ApiBundle\Security\Firewall\WsseListener
9 public: false
10 tags:
11 - { name: monolog.logger, channel: wsse }
12 arguments: ['@security.context', '@security.authentication.manager', '@logger']
diff --git a/src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php b/src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php
new file mode 100644
index 00000000..db73ae2a
--- /dev/null
+++ b/src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php
@@ -0,0 +1,79 @@
1<?php
2
3namespace Wallabag\ApiBundle\Security\Authentication\Provider;
4
5use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
6use Symfony\Component\Security\Core\User\UserProviderInterface;
7use Symfony\Component\Security\Core\Exception\AuthenticationException;
8use Symfony\Component\Security\Core\Exception\NonceExpiredException;
9use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
10use Wallabag\ApiBundle\Security\Authentication\Token\WsseUserToken;
11
12class WsseProvider implements AuthenticationProviderInterface
13{
14 private $userProvider;
15 private $cacheDir;
16
17 public function __construct(UserProviderInterface $userProvider, $cacheDir)
18 {
19 $this->userProvider = $userProvider;
20 $this->cacheDir = $cacheDir;
21
22 // If cache directory does not exist we create it
23 if (!is_dir($this->cacheDir)) {
24 mkdir($this->cacheDir, 0777, true);
25 }
26 }
27
28 public function authenticate(TokenInterface $token)
29 {
30 $user = $this->userProvider->loadUserByUsername($token->getUsername());
31
32 if (!$user) {
33 throw new AuthenticationException('Bad credentials. Did you forgot your username?');
34 }
35
36 if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
37 $authenticatedToken = new WsseUserToken($user->getRoles());
38 $authenticatedToken->setUser($user);
39
40 return $authenticatedToken;
41 }
42
43 throw new AuthenticationException('The WSSE authentication failed.');
44 }
45
46 protected function validateDigest($digest, $nonce, $created, $secret)
47 {
48 // Check created time is not in the future
49 if (strtotime($created) > time()) {
50 throw new AuthenticationException('Back to the future...');
51 }
52
53 // Expire timestamp after 5 minutes
54 if (time() - strtotime($created) > 300) {
55 throw new AuthenticationException('Too late for this timestamp... Watch your watch.');
56 }
57
58 // Validate nonce is unique within 5 minutes
59 if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
60 throw new NonceExpiredException('Previously used nonce detected');
61 }
62
63 file_put_contents($this->cacheDir.'/'.$nonce, time());
64
65 // Validate Secret
66 $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
67
68 if ($digest !== $expected) {
69 throw new AuthenticationException('Bad credentials ! Digest is not as expected.');
70 }
71
72 return $digest === $expected;
73 }
74
75 public function supports(TokenInterface $token)
76 {
77 return $token instanceof WsseUserToken;
78 }
79}
diff --git a/src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php b/src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php
new file mode 100644
index 00000000..e6d30224
--- /dev/null
+++ b/src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php
@@ -0,0 +1,24 @@
1<?php
2
3namespace Wallabag\ApiBundle\Security\Authentication\Token;
4
5use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
6
7class WsseUserToken extends AbstractToken
8{
9 public $created;
10 public $digest;
11 public $nonce;
12
13 public function __construct(array $roles = array())
14 {
15 parent::__construct($roles);
16
17 $this->setAuthenticated(count($roles) > 0);
18 }
19
20 public function getCredentials()
21 {
22 return '';
23 }
24}
diff --git a/src/Wallabag/ApiBundle/Security/Firewall/WsseListener.php b/src/Wallabag/ApiBundle/Security/Firewall/WsseListener.php
new file mode 100644
index 00000000..50587837
--- /dev/null
+++ b/src/Wallabag/ApiBundle/Security/Firewall/WsseListener.php
@@ -0,0 +1,62 @@
1<?php
2
3namespace Wallabag\ApiBundle\Security\Firewall;
4
5use Symfony\Component\HttpFoundation\Response;
6use Symfony\Component\HttpKernel\Event\GetResponseEvent;
7use Symfony\Component\Security\Http\Firewall\ListenerInterface;
8use Symfony\Component\Security\Core\Exception\AuthenticationException;
9use Symfony\Component\Security\Core\SecurityContextInterface;
10use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
11use Wallabag\ApiBundle\Security\Authentication\Token\WsseUserToken;
12use Psr\Log\LoggerInterface;
13
14class WsseListener implements ListenerInterface
15{
16 protected $securityContext;
17 protected $authenticationManager;
18 protected $logger;
19
20 public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, LoggerInterface $logger)
21 {
22 $this->securityContext = $securityContext;
23 $this->authenticationManager = $authenticationManager;
24 $this->logger = $logger;
25 }
26
27 public function handle(GetResponseEvent $event)
28 {
29 $request = $event->getRequest();
30
31 $wsseRegex = '/UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", Nonce="([^"]+)", Created="([^"]+)"/';
32 if (!$request->headers->has('x-wsse') || 1 !== preg_match($wsseRegex, $request->headers->get('x-wsse'), $matches)) {
33 return;
34 }
35
36 $token = new WsseUserToken();
37 $token->setUser($matches[1]);
38
39 $token->digest = $matches[2];
40 $token->nonce = $matches[3];
41 $token->created = $matches[4];
42
43 try {
44 $authToken = $this->authenticationManager->authenticate($token);
45
46 $this->securityContext->setToken($authToken);
47
48 return;
49 } catch (AuthenticationException $failed) {
50 $failedMessage = 'WSSE Login failed for '.$token->getUsername().'. Why ? '.$failed->getMessage();
51 $this->logger->err($failedMessage);
52
53 // Deny authentication with a '403 Forbidden' HTTP response
54 $response = new Response();
55 $response->setStatusCode(403);
56 $response->setContent($failedMessage);
57 $event->setResponse($response);
58
59 return;
60 }
61 }
62}
diff --git a/src/Wallabag/ApiBundle/Tests/Controller/WallabagRestControllerTest.php b/src/Wallabag/ApiBundle/Tests/Controller/WallabagRestControllerTest.php
new file mode 100644
index 00000000..86c8de1e
--- /dev/null
+++ b/src/Wallabag/ApiBundle/Tests/Controller/WallabagRestControllerTest.php
@@ -0,0 +1,410 @@
1<?php
2
3namespace Wallabag\ApiBundle\Tests\Controller;
4
5use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
6
7class WallabagRestControllerTest extends WebTestCase
8{
9 protected static $salt;
10
11 /**
12 * Grab the salt once and store it to be available for all tests.
13 */
14 public static function setUpBeforeClass()
15 {
16 $client = self::createClient();
17
18 $user = $client->getContainer()
19 ->get('doctrine.orm.entity_manager')
20 ->getRepository('WallabagCoreBundle:User')
21 ->findOneByUsername('admin');
22
23 self::$salt = $user->getSalt();
24 }
25
26 /**
27 * Generate HTTP headers for authenticate user on API.
28 *
29 * @param string $username
30 * @param string $password
31 *
32 * @return array
33 */
34 private function generateHeaders($username, $password)
35 {
36 $encryptedPassword = sha1($password.$username.self::$salt);
37 $nonce = substr(md5(uniqid('nonce_', true)), 0, 16);
38
39 $now = new \DateTime('now', new \DateTimeZone('UTC'));
40 $created = (string) $now->format('Y-m-d\TH:i:s\Z');
41 $digest = base64_encode(sha1(base64_decode($nonce).$created.$encryptedPassword, true));
42
43 return array(
44 'HTTP_AUTHORIZATION' => 'Authorization profile="UsernameToken"',
45 'HTTP_x-wsse' => 'X-WSSE: UsernameToken Username="'.$username.'", PasswordDigest="'.$digest.'", Nonce="'.$nonce.'", Created="'.$created.'"',
46 );
47 }
48
49 public function testGetSalt()
50 {
51 $client = $this->createClient();
52 $client->request('GET', '/api/salts/admin.json');
53
54 $user = $client->getContainer()
55 ->get('doctrine.orm.entity_manager')
56 ->getRepository('WallabagCoreBundle:User')
57 ->findOneByUsername('admin');
58
59 $this->assertEquals(200, $client->getResponse()->getStatusCode());
60
61 $content = json_decode($client->getResponse()->getContent(), true);
62
63 $this->assertArrayHasKey(0, $content);
64 $this->assertEquals($user->getSalt(), $content[0]);
65
66 $client->request('GET', '/api/salts/notfound.json');
67 $this->assertEquals(404, $client->getResponse()->getStatusCode());
68 }
69
70 public function testWithBadHeaders()
71 {
72 $client = $this->createClient();
73
74 $entry = $client->getContainer()
75 ->get('doctrine.orm.entity_manager')
76 ->getRepository('WallabagCoreBundle:Entry')
77 ->findOneByIsArchived(false);
78
79 if (!$entry) {
80 $this->markTestSkipped('No content found in db.');
81 }
82
83 $badHeaders = array(
84 'HTTP_AUTHORIZATION' => 'Authorization profile="UsernameToken"',
85 'HTTP_x-wsse' => 'X-WSSE: UsernameToken Username="admin", PasswordDigest="Wr0ngDig3st", Nonce="n0Nc3", Created="2015-01-01T13:37:00Z"',
86 );
87
88 $client->request('GET', '/api/entries/'.$entry->getId().'.json', array(), array(), $badHeaders);
89 $this->assertEquals(403, $client->getResponse()->getStatusCode());
90 }
91
92 public function testGetOneEntry()
93 {
94 $client = $this->createClient();
95 $headers = $this->generateHeaders('admin', 'mypassword');
96
97 $entry = $client->getContainer()
98 ->get('doctrine.orm.entity_manager')
99 ->getRepository('WallabagCoreBundle:Entry')
100 ->findOneBy(array('user' => 1, 'isArchived' => false));
101
102 if (!$entry) {
103 $this->markTestSkipped('No content found in db.');
104 }
105
106 $client->request('GET', '/api/entries/'.$entry->getId().'.json', array(), array(), $headers);
107
108 $this->assertEquals(200, $client->getResponse()->getStatusCode());
109
110 $content = json_decode($client->getResponse()->getContent(), true);
111
112 $this->assertEquals($entry->getTitle(), $content['title']);
113 $this->assertEquals($entry->getUrl(), $content['url']);
114 $this->assertCount(count($entry->getTags()), $content['tags']);
115
116 $this->assertTrue(
117 $client->getResponse()->headers->contains(
118 'Content-Type',
119 'application/json'
120 )
121 );
122 }
123
124 public function testGetOneEntryWrongUser()
125 {
126 $client = $this->createClient();
127 $headers = $this->generateHeaders('admin', 'mypassword');
128
129 $entry = $client->getContainer()
130 ->get('doctrine.orm.entity_manager')
131 ->getRepository('WallabagCoreBundle:Entry')
132 ->findOneBy(array('user' => 2, 'isArchived' => false));
133
134 if (!$entry) {
135 $this->markTestSkipped('No content found in db.');
136 }
137
138 $client->request('GET', '/api/entries/'.$entry->getId().'.json', array(), array(), $headers);
139
140 $this->assertEquals(403, $client->getResponse()->getStatusCode());
141 }
142
143 public function testGetEntries()
144 {
145 $client = $this->createClient();
146 $headers = $this->generateHeaders('admin', 'mypassword');
147
148 $client->request('GET', '/api/entries', array(), array(), $headers);
149
150 $this->assertEquals(200, $client->getResponse()->getStatusCode());
151
152 $content = json_decode($client->getResponse()->getContent(), true);
153
154 $this->assertGreaterThanOrEqual(1, count($content));
155 $this->assertNotEmpty($content['_embedded']['items']);
156 $this->assertGreaterThanOrEqual(1, $content['total']);
157 $this->assertEquals(1, $content['page']);
158 $this->assertGreaterThanOrEqual(1, $content['pages']);
159
160 $this->assertTrue(
161 $client->getResponse()->headers->contains(
162 'Content-Type',
163 'application/json'
164 )
165 );
166 }
167
168 public function testGetStarredEntries()
169 {
170 $client = $this->createClient();
171 $headers = $this->generateHeaders('admin', 'mypassword');
172
173 $client->request('GET', '/api/entries', array('archive' => 1), array(), $headers);
174
175 $this->assertEquals(200, $client->getResponse()->getStatusCode());
176
177 $content = json_decode($client->getResponse()->getContent(), true);
178
179 $this->assertGreaterThanOrEqual(1, count($content));
180 $this->assertNotEmpty($content['_embedded']['items']);
181 $this->assertGreaterThanOrEqual(1, $content['total']);
182 $this->assertEquals(1, $content['page']);
183 $this->assertGreaterThanOrEqual(1, $content['pages']);
184
185 $this->assertTrue(
186 $client->getResponse()->headers->contains(
187 'Content-Type',
188 'application/json'
189 )
190 );
191 }
192
193 public function testDeleteEntry()
194 {
195 $client = $this->createClient();
196 $headers = $this->generateHeaders('admin', 'mypassword');
197
198 $entry = $client->getContainer()
199 ->get('doctrine.orm.entity_manager')
200 ->getRepository('WallabagCoreBundle:Entry')
201 ->findOneByUser(1);
202
203 if (!$entry) {
204 $this->markTestSkipped('No content found in db.');
205 }
206
207 $client->request('DELETE', '/api/entries/'.$entry->getId().'.json', array(), array(), $headers);
208
209 $this->assertEquals(200, $client->getResponse()->getStatusCode());
210
211 $content = json_decode($client->getResponse()->getContent(), true);
212
213 $this->assertEquals($entry->getTitle(), $content['title']);
214 $this->assertEquals($entry->getUrl(), $content['url']);
215
216 // We'll try to delete this entry again
217 $headers = $this->generateHeaders('admin', 'mypassword');
218
219 $client->request('DELETE', '/api/entries/'.$entry->getId().'.json', array(), array(), $headers);
220
221 $this->assertEquals(404, $client->getResponse()->getStatusCode());
222 }
223
224 public function testPostEntry()
225 {
226 $client = $this->createClient();
227 $headers = $this->generateHeaders('admin', 'mypassword');
228
229 $client->request('POST', '/api/entries.json', array(
230 'url' => 'http://www.lemonde.fr/pixels/article/2015/03/28/plongee-dans-l-univers-d-ingress-le-jeu-de-google-aux-frontieres-du-reel_4601155_4408996.html',
231 'tags' => 'google',
232 ), array(), $headers);
233
234 $this->assertEquals(200, $client->getResponse()->getStatusCode());
235
236 $content = json_decode($client->getResponse()->getContent(), true);
237
238 $this->assertGreaterThan(0, $content['id']);
239 $this->assertEquals('http://www.lemonde.fr/pixels/article/2015/03/28/plongee-dans-l-univers-d-ingress-le-jeu-de-google-aux-frontieres-du-reel_4601155_4408996.html', $content['url']);
240 $this->assertEquals(false, $content['is_archived']);
241 $this->assertEquals(false, $content['is_starred']);
242 $this->assertCount(1, $content['tags']);
243 }
244
245 public function testPatchEntry()
246 {
247 $client = $this->createClient();
248 $headers = $this->generateHeaders('admin', 'mypassword');
249
250 $entry = $client->getContainer()
251 ->get('doctrine.orm.entity_manager')
252 ->getRepository('WallabagCoreBundle:Entry')
253 ->findOneByUser(1);
254
255 if (!$entry) {
256 $this->markTestSkipped('No content found in db.');
257 }
258
259 // hydrate the tags relations
260 $nbTags = count($entry->getTags());
261
262 $client->request('PATCH', '/api/entries/'.$entry->getId().'.json', array(
263 'title' => 'New awesome title',
264 'tags' => 'new tag '.uniqid(),
265 'star' => true,
266 'archive' => false,
267 ), array(), $headers);
268
269 $this->assertEquals(200, $client->getResponse()->getStatusCode());
270
271 $content = json_decode($client->getResponse()->getContent(), true);
272
273 $this->assertEquals($entry->getId(), $content['id']);
274 $this->assertEquals($entry->getUrl(), $content['url']);
275 $this->assertEquals('New awesome title', $content['title']);
276 $this->assertGreaterThan($nbTags, count($content['tags']));
277 }
278
279 public function testGetTagsEntry()
280 {
281 $client = $this->createClient();
282 $headers = $this->generateHeaders('admin', 'mypassword');
283
284 $entry = $client->getContainer()
285 ->get('doctrine.orm.entity_manager')
286 ->getRepository('WallabagCoreBundle:Entry')
287 ->findOneWithTags(1);
288
289 $entry = $entry[0];
290
291 if (!$entry) {
292 $this->markTestSkipped('No content found in db.');
293 }
294
295 $tags = array();
296 foreach ($entry->getTags() as $tag) {
297 $tags[] = array('id' => $tag->getId(), 'label' => $tag->getLabel());
298 }
299
300 $client->request('GET', '/api/entries/'.$entry->getId().'/tags', array(), array(), $headers);
301
302 $this->assertEquals(json_encode($tags, JSON_HEX_QUOT), $client->getResponse()->getContent());
303 }
304
305 public function testPostTagsOnEntry()
306 {
307 $client = $this->createClient();
308 $headers = $this->generateHeaders('admin', 'mypassword');
309
310 $entry = $client->getContainer()
311 ->get('doctrine.orm.entity_manager')
312 ->getRepository('WallabagCoreBundle:Entry')
313 ->findOneByUser(1);
314
315 if (!$entry) {
316 $this->markTestSkipped('No content found in db.');
317 }
318
319 $nbTags = count($entry->getTags());
320
321 $newTags = 'tag1,tag2,tag3';
322
323 $client->request('POST', '/api/entries/'.$entry->getId().'/tags', array('tags' => $newTags), array(), $headers);
324
325 $this->assertEquals(200, $client->getResponse()->getStatusCode());
326
327 $content = json_decode($client->getResponse()->getContent(), true);
328
329 $this->assertArrayHasKey('tags', $content);
330 $this->assertEquals($nbTags + 3, count($content['tags']));
331
332 $entryDB = $client->getContainer()
333 ->get('doctrine.orm.entity_manager')
334 ->getRepository('WallabagCoreBundle:Entry')
335 ->find($entry->getId());
336
337 $tagsInDB = array();
338 foreach ($entryDB->getTags()->toArray() as $tag) {
339 $tagsInDB[$tag->getId()] = $tag->getLabel();
340 }
341
342 foreach (explode(',', $newTags) as $tag) {
343 $this->assertContains($tag, $tagsInDB);
344 }
345 }
346
347 public function testDeleteOneTagEntrie()
348 {
349 $client = $this->createClient();
350 $headers = $this->generateHeaders('admin', 'mypassword');
351
352 $entry = $client->getContainer()
353 ->get('doctrine.orm.entity_manager')
354 ->getRepository('WallabagCoreBundle:Entry')
355 ->findOneByUser(1);
356
357 if (!$entry) {
358 $this->markTestSkipped('No content found in db.');
359 }
360
361 // hydrate the tags relations
362 $nbTags = count($entry->getTags());
363 $tag = $entry->getTags()[0];
364
365 $client->request('DELETE', '/api/entries/'.$entry->getId().'/tags/'.$tag->getId().'.json', array(), array(), $headers);
366
367 $this->assertEquals(200, $client->getResponse()->getStatusCode());
368
369 $content = json_decode($client->getResponse()->getContent(), true);
370
371 $this->assertArrayHasKey('tags', $content);
372 $this->assertEquals($nbTags - 1, count($content['tags']));
373 }
374
375 public function testGetUserTags()
376 {
377 $client = $this->createClient();
378 $headers = $this->generateHeaders('admin', 'mypassword');
379
380 $client->request('GET', '/api/tags.json', array(), array(), $headers);
381
382 $this->assertEquals(200, $client->getResponse()->getStatusCode());
383
384 $content = json_decode($client->getResponse()->getContent(), true);
385
386 $this->assertGreaterThan(0, $content);
387 $this->assertArrayHasKey('id', $content[0]);
388 $this->assertArrayHasKey('label', $content[0]);
389
390 return end($content);
391 }
392
393 /**
394 * @depends testGetUserTags
395 */
396 public function testDeleteUserTag($tag)
397 {
398 $client = $this->createClient();
399 $headers = $this->generateHeaders('admin', 'mypassword');
400
401 $client->request('DELETE', '/api/tags/'.$tag['id'].'.json', array(), array(), $headers);
402
403 $this->assertEquals(200, $client->getResponse()->getStatusCode());
404
405 $content = json_decode($client->getResponse()->getContent(), true);
406
407 $this->assertArrayHasKey('label', $content);
408 $this->assertEquals($tag['label'], $content['label']);
409 }
410}
diff --git a/src/Wallabag/ApiBundle/WallabagApiBundle.php b/src/Wallabag/ApiBundle/WallabagApiBundle.php
new file mode 100644
index 00000000..2484f277
--- /dev/null
+++ b/src/Wallabag/ApiBundle/WallabagApiBundle.php
@@ -0,0 +1,18 @@
1<?php
2
3namespace Wallabag\ApiBundle;
4
5use Symfony\Component\HttpKernel\Bundle\Bundle;
6use Wallabag\ApiBundle\DependencyInjection\Security\Factory\WsseFactory;
7use Symfony\Component\DependencyInjection\ContainerBuilder;
8
9class WallabagApiBundle extends Bundle
10{
11 public function build(ContainerBuilder $container)
12 {
13 parent::build($container);
14
15 $extension = $container->getExtension('security');
16 $extension->addSecurityListenerFactory(new WsseFactory());
17 }
18}