diff options
Diffstat (limited to 'src/Wallabag/CoreBundle/Security')
| -rw-r--r-- | src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php | 27 | ||||
| -rw-r--r-- | src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php | 17 |
2 files changed, 34 insertions, 10 deletions
diff --git a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php index 5499f400..7e6a5dfb 100644 --- a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php +++ b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php | |||
| @@ -17,12 +17,21 @@ class WsseProvider implements AuthenticationProviderInterface | |||
| 17 | { | 17 | { |
| 18 | $this->userProvider = $userProvider; | 18 | $this->userProvider = $userProvider; |
| 19 | $this->cacheDir = $cacheDir; | 19 | $this->cacheDir = $cacheDir; |
| 20 | |||
| 21 | // If cache directory does not exist we create it | ||
| 22 | if (!is_dir($this->cacheDir)) { | ||
| 23 | mkdir($this->cacheDir, 0777, true); | ||
| 24 | } | ||
| 20 | } | 25 | } |
| 21 | 26 | ||
| 22 | public function authenticate(TokenInterface $token) | 27 | public function authenticate(TokenInterface $token) |
| 23 | { | 28 | { |
| 24 | $user = $this->userProvider->loadUserByUsername($token->getUsername()); | 29 | $user = $this->userProvider->loadUserByUsername($token->getUsername()); |
| 25 | 30 | ||
| 31 | if (!$user) { | ||
| 32 | throw new AuthenticationException("Bad credentials. Did you forgot your username?"); | ||
| 33 | } | ||
| 34 | |||
| 26 | if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) { | 35 | if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) { |
| 27 | $authenticatedToken = new WsseUserToken($user->getRoles()); | 36 | $authenticatedToken = new WsseUserToken($user->getRoles()); |
| 28 | $authenticatedToken->setUser($user); | 37 | $authenticatedToken->setUser($user); |
| @@ -35,20 +44,30 @@ class WsseProvider implements AuthenticationProviderInterface | |||
| 35 | 44 | ||
| 36 | protected function validateDigest($digest, $nonce, $created, $secret) | 45 | protected function validateDigest($digest, $nonce, $created, $secret) |
| 37 | { | 46 | { |
| 38 | // Expire le timestamp après 5 minutes | 47 | // Check created time is not in the future |
| 48 | if (strtotime($created) > time()) { | ||
| 49 | throw new AuthenticationException("Back to the future..."); | ||
| 50 | } | ||
| 51 | |||
| 52 | // Expire timestamp after 5 minutes | ||
| 39 | if (time() - strtotime($created) > 300) { | 53 | if (time() - strtotime($created) > 300) { |
| 40 | return false; | 54 | throw new AuthenticationException("Too late for this timestamp... Watch your watch."); |
| 41 | } | 55 | } |
| 42 | 56 | ||
| 43 | // Valide que le nonce est unique dans les 5 minutes | 57 | // Validate nonce is unique within 5 minutes |
| 44 | if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) { | 58 | if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) { |
| 45 | throw new NonceExpiredException('Previously used nonce detected'); | 59 | throw new NonceExpiredException('Previously used nonce detected'); |
| 46 | } | 60 | } |
| 61 | |||
| 47 | file_put_contents($this->cacheDir.'/'.$nonce, time()); | 62 | file_put_contents($this->cacheDir.'/'.$nonce, time()); |
| 48 | 63 | ||
| 49 | // Valide le Secret | 64 | // Validate Secret |
| 50 | $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true)); | 65 | $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true)); |
| 51 | 66 | ||
| 67 | if ($digest !== $expected) { | ||
| 68 | throw new AuthenticationException("Bad credentials ! Digest is not as expected."); | ||
| 69 | } | ||
| 70 | |||
| 52 | return $digest === $expected; | 71 | return $digest === $expected; |
| 53 | } | 72 | } |
| 54 | 73 | ||
diff --git a/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php b/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php index 4d4f2145..6ffdfaf0 100644 --- a/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php +++ b/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php | |||
| @@ -9,16 +9,19 @@ use Symfony\Component\Security\Core\Exception\AuthenticationException; | |||
| 9 | use Symfony\Component\Security\Core\SecurityContextInterface; | 9 | use Symfony\Component\Security\Core\SecurityContextInterface; |
| 10 | use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface; | 10 | use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface; |
| 11 | use Wallabag\CoreBundle\Security\Authentication\Token\WsseUserToken; | 11 | use Wallabag\CoreBundle\Security\Authentication\Token\WsseUserToken; |
| 12 | use Psr\Log\LoggerInterface; | ||
| 12 | 13 | ||
| 13 | class WsseListener implements ListenerInterface | 14 | class WsseListener implements ListenerInterface |
| 14 | { | 15 | { |
| 15 | protected $securityContext; | 16 | protected $securityContext; |
| 16 | protected $authenticationManager; | 17 | protected $authenticationManager; |
| 18 | protected $logger; | ||
| 17 | 19 | ||
| 18 | public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager) | 20 | public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, LoggerInterface $logger) |
| 19 | { | 21 | { |
| 20 | $this->securityContext = $securityContext; | 22 | $this->securityContext = $securityContext; |
| 21 | $this->authenticationManager = $authenticationManager; | 23 | $this->authenticationManager = $authenticationManager; |
| 24 | $this->logger = $logger; | ||
| 22 | } | 25 | } |
| 23 | 26 | ||
| 24 | public function handle(GetResponseEvent $event) | 27 | public function handle(GetResponseEvent $event) |
| @@ -41,17 +44,19 @@ class WsseListener implements ListenerInterface | |||
| 41 | $authToken = $this->authenticationManager->authenticate($token); | 44 | $authToken = $this->authenticationManager->authenticate($token); |
| 42 | 45 | ||
| 43 | $this->securityContext->setToken($authToken); | 46 | $this->securityContext->setToken($authToken); |
| 44 | } catch (AuthenticationException $failed) { | ||
| 45 | // ... you might log something here | ||
| 46 | 47 | ||
| 47 | // To deny the authentication clear the token. This will redirect to the login page. | 48 | return; |
| 48 | // $this->securityContext->setToken(null); | 49 | } catch (AuthenticationException $failed) { |
| 49 | // return; | 50 | $failedMessage = 'WSSE Login failed for '.$token->getUsername().'. Why ? '.$failed->getMessage(); |
| 51 | $this->logger->err($failedMessage); | ||
| 50 | 52 | ||
| 51 | // Deny authentication with a '403 Forbidden' HTTP response | 53 | // Deny authentication with a '403 Forbidden' HTTP response |
| 52 | $response = new Response(); | 54 | $response = new Response(); |
| 53 | $response->setStatusCode(403); | 55 | $response->setStatusCode(403); |
| 56 | $response->setContent($failedMessage); | ||
| 54 | $event->setResponse($response); | 57 | $event->setResponse($response); |
| 58 | |||
| 59 | return; | ||
| 55 | } | 60 | } |
| 56 | } | 61 | } |
| 57 | } | 62 | } |