log for authentication on API

This commit is contained in:
Nicolas Lœuillet 2015-02-09 22:07:39 +01:00
parent 0ac38198ab
commit 2a94b1d1b7
7 changed files with 45 additions and 20 deletions

View File

@ -17,6 +17,11 @@ monolog:
type: fingers_crossed
action_level: error
handler: nested
wsse:
type: stream
path: %kernel.logs_dir%/%kernel.environment%.wsse.log
level: error
channels: [wsse]
nested:
type: stream
path: "%kernel.logs_dir%/%kernel.environment%.log"

View File

@ -6,7 +6,6 @@ use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Wallabag\CoreBundle\Entity\Entry;
use Wallabag\CoreBundle\Repository;
use Wallabag\CoreBundle\Service\Extractor;
use Wallabag\CoreBundle\Helper\Url;

View File

@ -91,12 +91,12 @@ class EntryRepository extends EntityRepository
/**
* Find Entries
*
* @param int $userId
* @param bool $isArchived
* @param bool $isStarred
* @param bool $isDeleted
* @param string $sort
* @param string $order
* @param int $userId
* @param bool $isArchived
* @param bool $isStarred
* @param bool $isDeleted
* @param string $sort
* @param string $order
*
* @return ArrayCollection
*/

View File

@ -21,6 +21,8 @@
class="Wallabag\CoreBundle\Security\Firewall\WsseListener" public="false">
<argument type="service" id="security.context"/>
<argument type="service" id="security.authentication.manager" />
<argument type="service" id="logger" />
<tag name="monolog.logger" channel="wsse" />
</service>
</services>

View File

@ -23,6 +23,10 @@ class WsseProvider implements AuthenticationProviderInterface
{
$user = $this->userProvider->loadUserByUsername($token->getUsername());
if (!$user) {
throw new AuthenticationException("Bad credentials. Did you forgot your username?");
}
if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
$authenticatedToken = new WsseUserToken($user->getRoles());
$authenticatedToken->setUser($user);
@ -35,12 +39,17 @@ class WsseProvider implements AuthenticationProviderInterface
protected function validateDigest($digest, $nonce, $created, $secret)
{
// Expire le timestamp après 5 minutes
if (time() - strtotime($created) > 300) {
return false;
// Check created time is not in the future
if (strtotime($created) > time()) {
throw new AuthenticationException("Back to the future...");
}
// Valide que le nonce est unique dans les 5 minutes
// Expire timestamp after 5 minutes
if (time() - strtotime($created) > 300) {
throw new AuthenticationException("Too late for this timestamp... Watch your watch.");
}
// Validate nonce is unique within 5 minutes
if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
throw new NonceExpiredException('Previously used nonce detected');
}
@ -52,9 +61,13 @@ class WsseProvider implements AuthenticationProviderInterface
file_put_contents($this->cacheDir.'/'.$nonce, time());
// Valide le Secret
// Validate Secret
$expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
if ($digest !== $expected) {
throw new AuthenticationException("Bad credentials ! Digest is not as expected.");
}
return $digest === $expected;
}

View File

@ -9,16 +9,19 @@ use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
use Wallabag\CoreBundle\Security\Authentication\Token\WsseUserToken;
use Symfony\Component\HttpKernel\Log\LoggerInterface;
class WsseListener implements ListenerInterface
{
protected $securityContext;
protected $authenticationManager;
protected $logger;
public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager)
public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, LoggerInterface $logger)
{
$this->securityContext = $securityContext;
$this->authenticationManager = $authenticationManager;
$this->logger = $logger;
}
public function handle(GetResponseEvent $event)
@ -42,16 +45,21 @@ class WsseListener implements ListenerInterface
$this->securityContext->setToken($authToken);
} catch (AuthenticationException $failed) {
// ... you might log something here
// To deny the authentication clear the token. This will redirect to the login page.
// $this->securityContext->setToken(null);
// return;
$failedMessage = 'WSSE Login failed for '.$token->getUsername().'. Why ? '.$failed->getMessage();
$this->logger->err($failedMessage);
// Deny authentication with a '403 Forbidden' HTTP response
$response = new Response();
$response->setStatusCode(403);
$response->setContent($failedMessage);
$event->setResponse($response);
return;
}
// By default deny authorization
$response = new Response();
$response->setStatusCode(403);
$event->setResponse($response);
}
}

View File

@ -3,8 +3,6 @@
namespace Wallabag\CoreBundle\Tests;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
use Symfony\Component\BrowserKit\Cookie;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
class WallabagTestCase extends WebTestCase
{