/**
  * {@inheritDoc}
  *
  * Recomputes the X-Server-Authorization-HMAC-SHA256 header for the given
  * response using the key and request this object was constructed with, and
  * compares it with the header the response actually carries. The signer is
  * handed the response without its signature header, and the comparison goes
  * through hash_equals() with the locally computed value as the known string,
  * so it is a timing-safe comparison against the externally supplied header.
  *
  * @throws MalformedResponseException when the response has no signature header
  */
 public function isAuthentic(ResponseInterface $response)
 {
     $headerName = 'X-Server-Authorization-HMAC-SHA256';
     if (!$response->hasHeader($headerName)) {
         throw new MalformedResponseException('Response is missing required X-Server-Authorization-HMAC-SHA256 header.', null, 0, $response);
     }

     $unsigned = $response->withoutHeader($headerName);
     $expected = (new ResponseSigner($this->key, $this->request))
         ->signResponse($unsigned)
         ->getHeaderLine($headerName);
     $presented = $response->getHeaderLine($headerName);

     // Known-good value first, untrusted value second.
     return hash_equals($expected, $presented);
 }
 /**
  * Signs the outgoing response when the request carries an HMAC key.
  *
  * Only master requests are handled. When the request has an `hmac.key`
  * attribute, the HttpFoundation request and response are bridged to PSR-7,
  * the response is signed with ResponseSigner using that key and the PSR-7
  * request, and the signed response is converted back and set on the event.
  * Requests without the attribute pass through untouched.
  *
  * @param FilterResponseEvent $event
  */
 public function onKernelResponse(FilterResponseEvent $event)
 {
     if (!$event->isMasterRequest()) {
         return;
     }

     $foundationRequest = $event->getRequest();
     if (!$foundationRequest->attributes->has('hmac.key')) {
         return;
     }

     $toPsr7 = new DiactorosFactory();
     $toFoundation = new HttpFoundationFactory();

     $signer = new ResponseSigner(
         $foundationRequest->attributes->get('hmac.key'),
         $toPsr7->createRequest($foundationRequest)
     );
     $signedPsr7Response = $signer->signResponse($toPsr7->createResponse($event->getResponse()));

     $event->setResponse($toFoundation->createResponse($signedPsr7Response));
 }
 /**
  * Runs one spec fixture end to end: builds and signs the request, checks the
  * components and signature of the Authorization header, checks the digest on
  * its own, authenticates the signed request, then signs a response and checks
  * its X-Server-Authorization-HMAC-SHA256 header against the fixture.
  *
  * @dataProvider specFixtureProvider
  *
  * @param array $input        Fixture request data; keys read here: id, secret,
  *                            timestamp, content_type, headers, content_body,
  *                            method, url, realm, nonce, signed_headers
  * @param array $expectations Fixture expected values; keys read here:
  *                            message_signature, signable_message,
  *                            response_body, response_signature
  */
 public function testSpec($input, $expectations)
 {
     $key = new Key($input['id'], $input['secret']);
     $digest = new Digest();

     // Fixture-specific headers are layered over the two mandatory ones.
     $requestHeaders = [
         'X-Authorization-Timestamp' => $input['timestamp'],
         'Content-Type' => $input['content_type'],
     ];
     foreach ($input['headers'] as $name => $value) {
         $requestHeaders[$name] = $value;
     }
     $requestBody = empty($input['content_body']) ? null : $input['content_body'];
     $request = new Request($input['method'], $input['url'], $requestHeaders, $requestBody);

     $builder = new AuthorizationHeaderBuilder($request, $key);
     $builder->setRealm($input['realm']);
     $builder->setId($input['id']);
     $builder->setNonce($input['nonce']);
     $builder->setVersion('2.0');
     $builder->setCustomHeaders($input['signed_headers']);

     $signer = new MockRequestSigner($key, $input['realm'], $digest, $builder->getAuthorizationHeader());
     $signedRequest = $signer->signRequest($request, $input['signed_headers']);
     $authorization = $signedRequest->getHeaderLine('Authorization');

     $expectedParts = [
         'id="' . $input['id'] . '"',
         'nonce="' . $input['nonce'] . '"',
         'realm="' . rawurlencode($input['realm']) . '"',
         'signature="' . $expectations['message_signature'] . '"',
         'version="2.0"',
     ];
     foreach ($expectedParts as $part) {
         $this->assertContains($part, $authorization);
     }

     // The digest on its own must reproduce the fixture signature.
     $this->assertEquals($expectations['message_signature'], $digest->sign($expectations['signable_message'], $input['secret']));

     // The authenticator must resolve the signed request back to the fixture key.
     $keyLoader = new MockKeyLoader([$input['id'] => $input['secret']] + $this->keys);
     $authenticator = new MockRequestAuthenticator($keyLoader, null, $input['timestamp']);
     $this->assertEquals($authenticator->authenticate($signedRequest)->getId(), $input['id']);

     // The response signer must reproduce the fixture response signature.
     $responseSigner = new ResponseSigner($key, $signedRequest);
     $signedResponse = $responseSigner->signResponse(new Response(200, [], $expectations['response_body']));
     $this->assertTrue($signedResponse->hasHeader('X-Server-Authorization-HMAC-SHA256'));
     $this->assertEquals($expectations['response_signature'], $signedResponse->getHeaderLine('X-Server-Authorization-HMAC-SHA256'));
 }
 /**
  * Ensures the correct headers are added when the response is signed.
  *
  * Builds a signed GET request from fixed id, secret, nonce and timestamp
  * values, signs an empty response against it, and checks that the
  * X-Server-Authorization-HMAC-SHA256 header is present and equals the
  * known-good signature for exactly these inputs.
  */
 public function testSignResponse()
 {
     $expectedSignature = 'LusIUHmqt9NOALrQ4N4MtXZEFE03MjcDjziK+vVqhvQ=';
     $realm = 'Pipet service';
     $key = new Key(
         'efdde334-fe7b-11e4-a322-1697f925ec7b',
         'W5PeGMxSItNerkNFqQMfYiJvH14WzVJMy54CPoTAYoI='
     );

     $request = new Request('GET', 'http://example.com', ['X-Authorization-Timestamp' => 1432075982]);

     $builder = new AuthorizationHeaderBuilder($request, $key);
     $builder->setRealm($realm);
     $builder->setId($key->getId());
     $builder->setNonce('d1954337-5319-4821-8427-115542e08d10');

     $signedRequest = (new MockRequestSigner($key, $realm, new Digest(), $builder->getAuthorizationHeader()))
         ->signRequest($request);

     $signedResponse = (new ResponseSigner($key, $signedRequest))->signResponse(new Response());

     $this->assertTrue($signedResponse->hasHeader('X-Server-Authorization-HMAC-SHA256'));
     $this->assertEquals($expectedSignature, $signedResponse->getHeaderLine('X-Server-Authorization-HMAC-SHA256'));
 }