/**
* Renders hidden form fields for referrer information about
* the current request.
*
* @return string Hidden fields with referrer information
*/
protected function renderHiddenReferrerFields()
{
$tagBuilder = new TagBuilder('input');
$tagBuilder->addAttribute('type', 'hidden');
$tagBuilder->addAttribute('name', $this->prefixFieldName('__state'));
$serializedFormState = base64_encode(serialize($this->arguments['object']->getFormState()));
$tagBuilder->addAttribute('value', $this->hashService->appendHmac($serializedFormState));
return $tagBuilder->render();
}
/**
* Extracts the WidgetContext from the given $httpRequest.
* If the request contains an argument "__widgetId" the context is fetched from the session (AjaxWidgetContextHolder).
* Otherwise the argument "__widgetContext" is expected to contain the serialized WidgetContext (protected by a HMAC suffix)
*
* @param Request $httpRequest
* @return WidgetContext
*/
protected function extractWidgetContext(Request $httpRequest)
{
if ($httpRequest->hasArgument('__widgetId')) {
return $this->ajaxWidgetContextHolder->get($httpRequest->getArgument('__widgetId'));
} elseif ($httpRequest->hasArgument('__widgetContext')) {
$serializedWidgetContextWithHmac = $httpRequest->getArgument('__widgetContext');
$serializedWidgetContext = $this->hashService->validateAndStripHmac($serializedWidgetContextWithHmac);
return unserialize(base64_decode($serializedWidgetContext));
}
return null;
}
/**
* Creates a new account and sets the given password and roles
*
* @param string $identifier Identifier of the account, must be unique
* @param string $password The clear text password
* @param array $roleIdentifiers Optionally an array of role identifiers to assign to the new account
* @param string $authenticationProviderName Optional name of the authentication provider the account is affiliated with
* @param string $passwordHashingStrategy Optional password hashing strategy to use for the password
* @return Account A new account, not yet added to the account repository
*/
public function createAccountWithPassword($identifier, $password, $roleIdentifiers = [], $authenticationProviderName = 'DefaultProvider', $passwordHashingStrategy = 'default')
{
$account = new Account();
$account->setAccountIdentifier($identifier);
$account->setCredentialsSource($this->hashService->hashPassword($password, $passwordHashingStrategy));
$account->setAuthenticationProviderName($authenticationProviderName);
$roles = [];
foreach ($roleIdentifiers as $roleIdentifier) {
$roles[] = $this->policyService->getRole($roleIdentifier);
}
$account->setRoles($roles);
return $account;
}
/**
* Checks the given token for validity and sets the token authentication status
* accordingly (success, wrong credentials or no credentials given).
*
* @param TokenInterface $authenticationToken The token to be authenticated
* @return void
* @throws UnsupportedAuthenticationTokenException
*/
public function authenticate(TokenInterface $authenticationToken)
{
if (!$authenticationToken instanceof UsernamePassword) {
throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840);
}
/** @var $account Account */
$account = null;
$credentials = $authenticationToken->getCredentials();
if ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
$authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
}
if (!is_array($credentials) || !isset($credentials['username']) || !isset($credentials['password'])) {
return;
}
$providerName = $this->name;
$accountRepository = $this->accountRepository;
$this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, $accountRepository, &$account) {
$account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName);
});
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
if ($account === null) {
$this->hashService->validatePassword($credentials['password'], 'bcrypt=>$2a$14$DummySaltToPreventTim,.ingAttacksOnThisProvider');
return;
}
if ($this->hashService->validatePassword($credentials['password'], $account->getCredentialsSource())) {
$account->authenticationAttempted(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$authenticationToken->setAccount($account);
} else {
$account->authenticationAttempted(TokenInterface::WRONG_CREDENTIALS);
}
$this->accountRepository->update($account);
$this->persistenceManager->whitelistObject($account);
}
/**
* Returns an ActionRequest which referred to this request, if any.
*
* The referring request is not set or determined automatically but must be
* explicitly set through the corresponding internal argument "__referrer".
* This mechanism is used by Flow's form and validation mechanisms.
*
* @return ActionRequest the referring request, or NULL if no referrer found
*/
public function getReferringRequest()
{
if ($this->referringRequest !== null) {
return $this->referringRequest;
}
if (!isset($this->internalArguments['__referrer'])) {
return null;
}
if (is_array($this->internalArguments['__referrer'])) {
$referrerArray = $this->internalArguments['__referrer'];
$referringRequest = new ActionRequest($this->getHttpRequest());
$arguments = [];
if (isset($referrerArray['arguments'])) {
$serializedArgumentsWithHmac = $referrerArray['arguments'];
$serializedArguments = $this->hashService->validateAndStripHmac($serializedArgumentsWithHmac);
$arguments = unserialize(base64_decode($serializedArguments));
unset($referrerArray['arguments']);
}
$referringRequest->setArguments(Arrays::arrayMergeRecursiveOverrule($arguments, $referrerArray));
return $referringRequest;
} else {
$this->referringRequest = $this->internalArguments['__referrer'];
}
return $this->referringRequest;
}
/**
* @test
*/
public function validateAndStripHmacReturnsTheStringWithoutHmac()
{
$string = ' Some arbitrary string with special characters: öäüß!"§$ ';
$hashedString = $this->hashService->appendHmac($string);
$actualResult = $this->hashService->validateAndStripHmac($hashedString);
$this->assertSame($string, $actualResult);
}
/**
* Renders hidden form fields for referrer information about
* the current controller and action.
*
* @return string Hidden fields with referrer information
* @todo filter out referrer information that is equal to the target (e.g. same packageKey)
*/
protected function renderHiddenReferrerFields()
{
$result = chr(10);
$request = $this->controllerContext->getRequest();
$argumentNamespace = null;
if (!$request->isMainRequest()) {
$argumentNamespace = $request->getArgumentNamespace();
$referrer = array('@package' => $request->getControllerPackageKey(), '@subpackage' => $request->getControllerSubpackageKey(), '@controller' => $request->getControllerName(), '@action' => $request->getControllerActionName(), 'arguments' => $this->hashService->appendHmac(base64_encode(serialize($request->getArguments()))));
foreach ($referrer as $referrerKey => $referrerValue) {
$referrerValue = htmlspecialchars($referrerValue);
$result .= '<input type="hidden" name="' . $argumentNamespace . '[__referrer][' . $referrerKey . ']" value="' . $referrerValue . '" />' . chr(10);
}
$request = $request->getParentRequest();
}
$arguments = $request->getArguments();
if ($argumentNamespace !== null && isset($arguments[$argumentNamespace])) {
// A sub request was there; thus we can unset the sub requests arguments,
// as they are transferred separately via the code block shown above.
unset($arguments[$argumentNamespace]);
}
$referrer = array('@package' => $request->getControllerPackageKey(), '@subpackage' => $request->getControllerSubpackageKey(), '@controller' => $request->getControllerName(), '@action' => $request->getControllerActionName(), 'arguments' => $this->hashService->appendHmac(base64_encode(serialize($arguments))));
foreach ($referrer as $referrerKey => $referrerValue) {
$result .= '<input type="hidden" name="__referrer[' . $referrerKey . ']" value="' . htmlspecialchars($referrerValue) . '" />' . chr(10);
}
return $result;
}
public function setUp()
{
$this->mockRole = $this->getMockBuilder(Role::class)->disableOriginalConstructor()->getMock();
$this->mockRole->expects($this->any())->method('getIdentifier')->will($this->returnValue('Neos.Flow:TestRoleIdentifier'));
$this->mockPolicyService = $this->getMockBuilder(PolicyService::class)->disableOriginalConstructor()->getMock();
$this->mockPolicyService->expects($this->any())->method('getRole')->with('Neos.Flow:TestRoleIdentifier')->will($this->returnValue($this->mockRole));
$this->mockHashService = $this->getMockBuilder(HashService::class)->disableOriginalConstructor()->getMock();
$expectedPassword = $this->testKeyClearText;
$expectedHashedPasswordAndSalt = $this->testKeyHashed;
$this->mockHashService->expects($this->any())->method('validatePassword')->will($this->returnCallback(function ($password, $hashedPasswordAndSalt) use($expectedPassword, $expectedHashedPasswordAndSalt) {
return $hashedPasswordAndSalt === $expectedHashedPasswordAndSalt && $password === $expectedPassword;
}));
$this->mockFileBasedSimpleKeyService = $this->getMockBuilder(FileBasedSimpleKeyService::class)->disableOriginalConstructor()->getMock();
$this->mockFileBasedSimpleKeyService->expects($this->any())->method('getKey')->with('testKey')->will($this->returnValue($this->testKeyHashed));
$this->mockToken = $this->getMockBuilder(PasswordToken::class)->disableOriginalConstructor()->getMock();
}
/**
* @test
*/
public function authenticationFailsWithWrongCredentialsInAnUsernamePasswordToken()
{
$this->mockHashService->expects($this->once())->method('validatePassword')->with('wrong password', '8bf0abbb93000e2e47f0e0a80721e834,80f117a78cff75f3f73793fd02aa9086')->will($this->returnValue(false));
$this->mockAccount->expects($this->once())->method('getCredentialsSource')->will($this->returnValue('8bf0abbb93000e2e47f0e0a80721e834,80f117a78cff75f3f73793fd02aa9086'));
$this->mockAccountRepository->expects($this->once())->method('findActiveByAccountIdentifierAndAuthenticationProviderName')->with('admin', 'myProvider')->will($this->returnValue($this->mockAccount));
$this->mockToken->expects($this->once())->method('getCredentials')->will($this->returnValue(['username' => 'admin', 'password' => 'wrong password']));
$this->mockToken->expects($this->at(2))->method('setAuthenticationStatus')->with(\Neos\Flow\Security\Authentication\TokenInterface::NO_CREDENTIALS_GIVEN);
$this->mockToken->expects($this->at(3))->method('setAuthenticationStatus')->with(\Neos\Flow\Security\Authentication\TokenInterface::WRONG_CREDENTIALS);
$this->persistedUsernamePasswordProvider->authenticate($this->mockToken);
}
/**
* Persists a key to the file system
*
* @param string $name
* @param string $password
* @return void
* @throws SecurityException
*/
protected function persistKey($name, $password)
{
$hashedPassword = $this->hashService->hashPassword($password, $this->passwordHashingStrategy);
$keyPathAndFilename = $this->getKeyPathAndFilename($name);
if (!is_dir($this->getPath())) {
Utility\Files::createDirectoryRecursively($this->getPath());
}
$result = file_put_contents($keyPathAndFilename, $hashedPassword);
if ($result === false) {
throw new SecurityException(sprintf('The key could not be stored ("%s").', $keyPathAndFilename), 1305812921);
}
}
/**
* Sets isAuthenticated to TRUE for all tokens.
*
* @param TokenInterface $authenticationToken The token to be authenticated
* @return void
* @throws UnsupportedAuthenticationTokenException
*/
public function authenticate(TokenInterface $authenticationToken)
{
if (!$authenticationToken instanceof PasswordToken) {
throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840);
}
$credentials = $authenticationToken->getCredentials();
if (is_array($credentials) && isset($credentials['password'])) {
if ($this->hashService->validatePassword($credentials['password'], $this->fileBasedSimpleKeyService->getKey($this->options['keyName']))) {
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$account = new Account();
$roles = [];
foreach ($this->options['authenticateRoles'] as $roleIdentifier) {
$roles[] = $this->policyService->getRole($roleIdentifier);
}
$account->setRoles($roles);
$authenticationToken->setAccount($account);
} else {
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
}
} elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
$authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
}
}
/**
* @test
*/
public function extractWidgetContextDecodesSerializedWidgetContextIfPresent()
{
$ajaxWidgetComponent = $this->getAccessibleMock(\Neos\FluidAdaptor\Core\Widget\AjaxWidgetComponent::class, array('dummy'));
$this->inject($ajaxWidgetComponent, 'hashService', $this->mockHashService);
$mockWidgetContext = 'SomeWidgetContext';
$mockSerializedWidgetContext = base64_encode(serialize($mockWidgetContext));
$mockSerializedWidgetContextWithHmac = $mockSerializedWidgetContext . 'HMAC';
$this->mockHttpRequest->expects($this->at(0))->method('hasArgument')->with('__widgetId')->will($this->returnValue(false));
$this->mockHttpRequest->expects($this->at(1))->method('hasArgument')->with('__widgetContext')->will($this->returnValue(true));
$this->mockHttpRequest->expects($this->atLeastOnce())->method('getArgument')->with('__widgetContext')->will($this->returnValue($mockSerializedWidgetContextWithHmac));
$this->mockHashService->expects($this->atLeastOnce())->method('validateAndStripHmac')->with($mockSerializedWidgetContextWithHmac)->will($this->returnValue($mockSerializedWidgetContext));
$actualResult = $ajaxWidgetComponent->_call('extractWidgetContext', $this->mockHttpRequest);
$this->assertEquals($mockWidgetContext, $actualResult);
}
/**
* Initialize the property mapping configuration in $controllerArguments if
* the trusted properties are set inside the request.
*
* @param ActionRequest $request
* @param Arguments $controllerArguments
* @return void
*/
public function initializePropertyMappingConfigurationFromRequest(ActionRequest $request, Arguments $controllerArguments)
{
$trustedPropertiesToken = $request->getInternalArgument('__trustedProperties');
if (!is_string($trustedPropertiesToken)) {
return;
}
$serializedTrustedProperties = $this->hashService->validateAndStripHmac($trustedPropertiesToken);
$trustedProperties = unserialize($serializedTrustedProperties);
foreach ($trustedProperties as $propertyName => $propertyConfiguration) {
if (!$controllerArguments->hasArgument($propertyName)) {
continue;
}
$propertyMappingConfiguration = $controllerArguments->getArgument($propertyName)->getPropertyMappingConfiguration();
$this->modifyPropertyMappingConfiguration($propertyConfiguration, $propertyMappingConfiguration);
}
}
/**
* Get the URI for an AJAX Request.
*
* @return string the AJAX URI
* @throws WidgetContextNotFoundException
*/
protected function getAjaxUri()
{
$action = $this->arguments['action'];
$arguments = $this->arguments['arguments'];
if ($action === null) {
$action = $this->controllerContext->getRequest()->getControllerActionName();
}
$arguments['@action'] = $action;
if (strlen($this->arguments['format']) > 0) {
$arguments['@format'] = $this->arguments['format'];
}
/** @var $widgetContext WidgetContext */
$widgetContext = $this->controllerContext->getRequest()->getInternalArgument('__widgetContext');
if ($widgetContext === null) {
throw new WidgetContextNotFoundException('Widget context not found in <f:widget.link>', 1307450686);
}
if ($this->arguments['includeWidgetContext'] === true) {
$serializedWidgetContext = serialize($widgetContext);
$arguments['__widgetContext'] = $this->hashService->appendHmac($serializedWidgetContext);
} else {
$arguments['__widgetId'] = $widgetContext->getAjaxWidgetIdentifier();
}
return '?' . http_build_query($arguments, null, '&');
}
/**
* @return void
* @internal
*/
protected function initializeFormStateFromRequest()
{
$serializedFormStateWithHmac = $this->request->getInternalArgument('__state');
if ($serializedFormStateWithHmac === null) {
$this->formState = new FormState();
} else {
$serializedFormState = $this->hashService->validateAndStripHmac($serializedFormStateWithHmac);
$this->formState = unserialize(base64_decode($serializedFormState));
}
}
/**
* Sets a new password for the given user
*
* This method will iterate over all accounts owned by the given user and, if the account uses a UsernamePasswordToken,
* sets a new password accordingly.
*
* @param User $user The user to set the password for
* @param string $password A new password
* @return void
* @api
*/
public function setUserPassword(User $user, $password)
{
$tokens = $this->authenticationManager->getTokens();
$indexedTokens = array();
foreach ($tokens as $token) {
/** @var TokenInterface $token */
$indexedTokens[$token->getAuthenticationProviderName()] = $token;
}
foreach ($user->getAccounts() as $account) {
/** @var Account $account */
$authenticationProviderName = $account->getAuthenticationProviderName();
if (isset($indexedTokens[$authenticationProviderName]) && $indexedTokens[$authenticationProviderName] instanceof UsernamePassword) {
$account->setCredentialsSource($this->hashService->hashPassword($password));
$this->accountRepository->update($account);
}
}
}
