/** * {@inheritDoc} */ public function isAuthentic(ResponseInterface $response) { if (!$response->hasHeader('X-Server-Authorization-HMAC-SHA256')) { throw new MalformedResponseException('Response is missing required X-Server-Authorization-HMAC-SHA256 header.', null, 0, $response); } $responseSigner = new ResponseSigner($this->key, $this->request); $compareResponse = $responseSigner->signResponse($response->withoutHeader('X-Server-Authorization-HMAC-SHA256')); $responseSignature = $response->getHeaderLine('X-Server-Authorization-HMAC-SHA256'); $compareSignature = $compareResponse->getHeaderLine('X-Server-Authorization-HMAC-SHA256'); return hash_equals($compareSignature, $responseSignature); }
/** * @param FilterResponseEvent $event */ public function onKernelResponse(FilterResponseEvent $event) { if (!$event->isMasterRequest()) { return; } $request = $event->getRequest(); $response = $event->getResponse(); if ($request->attributes->has('hmac.key')) { $psr7Factory = new DiactorosFactory(); $foundationFactory = new HttpFoundationFactory(); $psr7Request = $psr7Factory->createRequest($request); $psr7Response = $psr7Factory->createResponse($response); $signer = new ResponseSigner($request->attributes->get('hmac.key'), $psr7Request); $signedResponse = $signer->signResponse($psr7Response); $event->setResponse($foundationFactory->createResponse($signedResponse)); } }
/** * @dataProvider specFixtureProvider */ public function testSpec($input, $expectations) { $key = new Key($input['id'], $input['secret']); $digest = new Digest(); $headers = ['X-Authorization-Timestamp' => $input['timestamp'], 'Content-Type' => $input['content_type']]; foreach ($input['headers'] as $header => $value) { $headers[$header] = $value; } $body = !empty($input['content_body']) ? $input['content_body'] : null; $request = new Request($input['method'], $input['url'], $headers, $body); $authHeaderBuilder = new AuthorizationHeaderBuilder($request, $key); $authHeaderBuilder->setRealm($input['realm']); $authHeaderBuilder->setId($input['id']); $authHeaderBuilder->setNonce($input['nonce']); $authHeaderBuilder->setVersion('2.0'); $authHeaderBuilder->setCustomHeaders($input['signed_headers']); $authHeader = $authHeaderBuilder->getAuthorizationHeader(); $requestSigner = new MockRequestSigner($key, $input['realm'], $digest, $authHeader); $signedRequest = $requestSigner->signRequest($request, $input['signed_headers']); $signedAuthHeader = $signedRequest->getHeaderLine('Authorization'); $this->assertContains('id="' . $input['id'] . '"', $signedAuthHeader); $this->assertContains('nonce="' . $input['nonce'] . '"', $signedAuthHeader); $this->assertContains('realm="' . rawurlencode($input['realm']) . '"', $signedAuthHeader); $this->assertContains('signature="' . $expectations['message_signature'] . '"', $signedAuthHeader); $this->assertContains('version="2.0"', $signedAuthHeader); // Prove that the digest generates the correct signature. $signedMessage = $digest->sign($expectations['signable_message'], $input['secret']); $this->assertEquals($expectations['message_signature'], $signedMessage); // Prove that the authenticator can authenticate the request. $keyLoader = new MockKeyLoader([$input['id'] => $input['secret']] + $this->keys); $authenticator = new MockRequestAuthenticator($keyLoader, null, $input['timestamp']); $compareKey = $authenticator->authenticate($signedRequest); $this->assertEquals($compareKey->getId(), $input['id']); // Prove that the response signer generates the correct signature. $response = new Response(200, [], $expectations['response_body']); $responseSigner = new ResponseSigner($key, $signedRequest); $response = $responseSigner->signResponse($response); $this->assertTrue($response->hasHeader('X-Server-Authorization-HMAC-SHA256')); $this->assertEquals($expectations['response_signature'], $response->getHeaderLine('X-Server-Authorization-HMAC-SHA256')); }
/** * Ensures the correct headers are added when the response is signed. */ public function testSignResponse() { $authId = 'efdde334-fe7b-11e4-a322-1697f925ec7b'; $authSecret = 'W5PeGMxSItNerkNFqQMfYiJvH14WzVJMy54CPoTAYoI='; $realm = 'Pipet service'; $nonce = 'd1954337-5319-4821-8427-115542e08d10'; $timestamp = 1432075982; $signature = 'LusIUHmqt9NOALrQ4N4MtXZEFE03MjcDjziK+vVqhvQ='; $authKey = new Key($authId, $authSecret); $headers = ['X-Authorization-Timestamp' => $timestamp]; $request = new Request('GET', 'http://example.com', $headers); $authHeaderBuilder = new AuthorizationHeaderBuilder($request, $authKey); $authHeaderBuilder->setRealm($realm); $authHeaderBuilder->setId($authKey->getId()); $authHeaderBuilder->setNonce($nonce); $authHeader = $authHeaderBuilder->getAuthorizationHeader(); $requestSigner = new MockRequestSigner($authKey, $realm, new Digest(), $authHeader); $signedRequest = $requestSigner->signRequest($request); $response = new Response(); $responseSigner = new ResponseSigner($authKey, $signedRequest); $signedResponse = $responseSigner->signResponse($response); $this->assertTrue($signedResponse->hasHeader('X-Server-Authorization-HMAC-SHA256')); $this->assertEquals($signature, $signedResponse->getHeaderLine('X-Server-Authorization-HMAC-SHA256')); }