/**
  * {@inheritdoc}
  */
 protected function attemptAuthentication(Request $request)
 {
     $method = $request->getMethod();

     // With post_only the listener refuses anything but POST (case-insensitive).
     if ($this->options['post_only'] && strtolower($method) !== 'post') {
         if ($this->logger !== null) {
             $this->logger->debug(sprintf('Authentication method not supported: %s.', $method));
         }

         return null;
     }

     // CSRF validation comes before any credential handling; no provider means no check.
     if ($this->csrfProvider !== null) {
         $submittedToken = $request->get($this->options['csrf_parameter'], null, true);
         if ($this->csrfProvider->isCsrfTokenValid($this->options['intention'], $submittedToken) === false) {
             throw new InvalidCsrfTokenException('Invalid CSRF token.');
         }
     }

     // Captcha verification. Any exception raised while checking (including the
     // InvalidRecaptchaException thrown here) is re-thrown as an
     // AuthenticationException with the original attached as previous.
     if ($this->recaptcha !== null && $this->recaptchaDisabled === false) {
         try {
             // NOTE(review): REMOTE_ADDR is the direct peer; behind a reverse proxy
             // that is the proxy address, not the client — confirm for the deployment.
             $answer = $this->recaptcha->checkAnswer(
                 $request->server->get('REMOTE_ADDR'),
                 $request->get($this->recaptcha->getChallengeField()),
                 $request->get($this->recaptcha->getResponseField())
             );
             if ($answer !== true) {
                 throw new InvalidRecaptchaException('Invalid captcha.');
             }
         } catch (Exception $captchaFailure) {
             throw new AuthenticationException('Invalid captcha.', null, null, $captchaFailure);
         }
     }

     // NOTE(review): Request::get() is not restricted to the POST body, so even with
     // post_only the credentials and CSRF token may come from other request sources
     // — confirm this is intended.
     $submittedUsername = trim($request->get($this->options['username_parameter'], null, true));
     $submittedPassword = $request->get($this->options['password_parameter'], null, true);

     $request->getSession()->set(SecurityContextInterface::LAST_USERNAME, $submittedUsername);

     $token = new UsernamePasswordToken($submittedUsername, $submittedPassword, $this->providerKey);

     return $this->authenticationManager->authenticate($token);
 }
 /**
  * Authenticates SimpleSAMLphp sessions for API calls.
  *
  * Acts only when an auth-token cookie is present, and then requires a valid
  * CSRF token in the `csrf-token` query parameter so that the cookie alone
  * cannot authenticate a cross-site request. Failures are logged and the
  * request is left unauthenticated; no exception reaches the kernel.
  *
  * @param GetResponseEvent $event
  */
 public function handle(GetResponseEvent $event)
 {
     $request = $event->getRequest();

     // Nothing to do unless a SimpleSAML auth-token cookie was sent.
     if (!$request->headers->has('cookie')) {
         return;
     }
     $cookieHeader = $request->headers->get('cookie');
     if (strpos($cookieHeader, 'SimpleSAMLAuthToken') === false) {
         return;
     }

     if (!$request->query->has('csrf-token')) {
         $this->logger->notice('Ssp Firewall: Auth Token cookie but no CSRF Token');
         return;
     }
     // getAlnum() is expected to reduce the value to alphanumerics before validation.
     $submittedToken = $request->query->getAlnum('csrf-token');
     if (!$this->csrfProvider->isCsrfTokenValid('api', $submittedToken)) {
         // NOTE(review): the rejected token value ends up in the log line.
         $this->logger->notice('Ssp Firewall: Invalid CSRF token for api use: ' . $submittedToken);
         return;
     }

     try {
         $authenticated = $this->authenticationManager->authenticate(new SspToken());
         $this->securityContext->setToken($authenticated);
     } catch (AuthenticationException $failed) {
         $this->logger->warning('Ssp Firewall: failed:' . $failed->getMessage());
         // Only clear the context when it still holds one of our own tokens.
         $current = $this->securityContext->getToken();
         if ($current instanceof SspToken) {
             $this->securityContext->setToken(null);
         }
     }
 }
 public function onBindClientData(DataEvent $event)
 {
     $form = $event->getForm();
     $submitted = $event->getData();

     // Validate only when this field hangs directly off the root form (or has no parent).
     $attachedToRoot = !$form->hasParent() || $form->getParent()->isRoot();
     if (!$attachedToRoot) {
         return;
     }
     if ($this->csrfProvider->isCsrfTokenValid($this->intention, $submitted)) {
         return;
     }

     $form->addError(new FormError('The CSRF token is invalid. Please try to resubmit the form'));

     // A stale token (e.g. after a session timeout) is replaced with a fresh one
     // so that a resubmission can succeed.
     $event->setData($this->csrfProvider->generateCsrfToken($this->intention));
 }
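 /**
  * Validates the CSRF token carried in the submitted data of a root form.
  *
  * A missing token is treated the same as an invalid one: previously the
  * check was only performed when the field was present, so a submission that
  * simply omitted the token field skipped validation entirely. The token field
  * is stripped from array data before it reaches the form's children.
  *
  * @param FilterDataEvent $event
  */
 public function onBindClientData(FilterDataEvent $event)
 {
     $form = $event->getForm();
     $data = $event->getData();

     if ($form->isRoot() && $form->hasChildren()) {
         if (!isset($data[$this->fieldName]) || !$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {
             $form->addError(new FormError('The CSRF token is invalid. Please try to resubmit the form'));
         }
         // unset() on a string offset is a fatal error; only strip the field from arrays.
         if (is_array($data)) {
             unset($data[$this->fieldName]);
         }
     }

     $event->setData($data);
 }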
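 /**
  * Validates the CSRF token on a compound root form's submitted data.
  *
  * A missing or invalid token adds a form error. The token field is removed
  * from array data so it is never bound to a child field.
  *
  * @param FormEvent $event
  */
 public function preBind(FormEvent $event)
 {
     $form = $event->getForm();
     $data = $event->getData();

     if ($form->isRoot() && $form->getConfig()->getOption('compound')) {
         if (!isset($data[$this->fieldName]) || !$this->csrfProvider->isCsrfTokenValid($this->intention, $data[$this->fieldName])) {
             $form->addError(new FormError('The CSRF token is invalid. Please try to resubmit the form.'));
         }
         // Submitted data may be a scalar (e.g. an empty string); unset() on a
         // string offset is a fatal error, so only strip the field from arrays.
         if (is_array($data)) {
             unset($data[$this->fieldName]);
         }
     }

     $event->setData($data);
 }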
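 /**
  * Validates the CSRF token on state-changing REST requests when CSRF
  * protection is enabled.
  *
  * The check is skipped when protection is disabled, when no session is
  * started, for non-master requests, for non-REST requests, for GET/HEAD and
  * for the session-creation route (see the TODO below). On success a
  * RestEvents::REST_CSRF_TOKEN_VALIDATED event is dispatched.
  *
  * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event
  *
  * @throws \eZ\Publish\Core\Base\Exceptions\UnauthorizedException when the token header is missing or invalid
  */
 public function onKernelRequest(GetResponseEvent $event)
 {
     if (!$this->container->getParameter('form.type_extension.csrf.enabled')) {
         return;
     }

     $request = $event->getRequest();

     // skip CSRF validation if no session is running
     if (!$request->getSession()->isStarted()) {
         return;
     }
     if ($event->getRequestType() !== HttpKernelInterface::MASTER_REQUEST) {
         return;
     }
     if (!$this->isRestRequest($request)) {
         return;
     }
     // Safe methods are exempt; strict comparison, getMethod() returns a string.
     if (in_array($request->getMethod(), array('GET', 'HEAD'), true)) {
         return;
     }

     // TODO: add CSRF token to protect against force-login attacks
     if ($request->get('_route') === 'ezpublish_rest_createSession') {
         return;
     }

     if (!$request->headers->has(self::CSRF_TOKEN_HEADER)
         || !$this->csrfProvider->isCsrfTokenValid(
             $this->container->getParameter('ezpublish_rest.csrf_token_intention'),
             $request->headers->get(self::CSRF_TOKEN_HEADER)
         )
     ) {
         throw new UnauthorizedException('Missing or invalid CSRF token', $request->getMethod() . ' ' . $request->getPathInfo());
     }

     // Dispatching event so that CSRF token intention can be injected into Legacy Stack
     /** @var \Symfony\Component\EventDispatcher\EventDispatcherInterface $eventDispatcher */
     $eventDispatcher = $this->container->get('event_dispatcher');
     $eventDispatcher->dispatch(RestEvents::REST_CSRF_TOKEN_VALIDATED);
 }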
 /**
  * Checks the CSRF token carried in the request's CSRF_TOKEN_HEADER header.
  *
  * @param Request $request
  *
  * @return bool false when the header is absent, otherwise the provider's verdict
  */
 protected function checkCsrfToken(Request $request)
 {
     $headers = $request->headers;
     if (!$headers->has(self::CSRF_TOKEN_HEADER)) {
         return false;
     }

     $submittedToken = $headers->get(self::CSRF_TOKEN_HEADER);

     return $this->csrfProvider->isCsrfTokenValid($this->csrfTokenIntention, $submittedToken);
 }
 public function preSubmit(FormEvent $event)
 {
     $form = $event->getForm();
     $submitted = $event->getData();

     // Only the root of a compound form carries the token field.
     if ($form->isRoot() && $form->getConfig()->getOption('compound')) {
         $tokenOk = isset($submitted[$this->fieldName])
             && $this->csrfProvider->isCsrfTokenValid($this->intention, $submitted[$this->fieldName]);
         if (!$tokenOk) {
             // Translate the configured message when a translator is available.
             $message = $this->translator === null
                 ? $this->errorMessage
                 : $this->translator->trans($this->errorMessage, array(), $this->translationDomain);
             $form->addError(new FormError($message));
         }
         // Strip the token so it is never bound to a child; only arrays can be unset safely.
         if (is_array($submitted)) {
             unset($submitted[$this->fieldName]);
         }
     }

     $event->setData($submitted);
 }
 /**
  * {@inheritdoc}
  */
 protected function attemptAuthentication(Request $request)
 {
     // NOTE(review): the organization lookup runs before the CSRF token is checked,
     // so it is performed for requests that may still be rejected — confirm this
     // ordering is intended.
     $organization = $this->getOrganization($request->get($this->options['organization_parameter'], null, true));

     if ($this->csrfProvider !== null) {
         $submittedToken = $request->get($this->options['csrf_parameter'], null, true);
         if ($this->csrfProvider->isCsrfTokenValid($this->options['intention'], $submittedToken) === false) {
             throw new InvalidCsrfTokenException('Invalid CSRF token.');
         }
     }

     // post_only reads the credentials from the request body only; otherwise
     // Request::get() is used. NOTE(review): the organization parameter and the
     // CSRF token above are read with Request::get() in both modes — confirm.
     $source = $this->options['post_only'] ? $request->request : $request;
     $submittedUsername = trim($source->get($this->options['username_parameter'], null, true));
     $submittedPassword = $source->get($this->options['password_parameter'], null, true);

     $request->getSession()->set(SecurityContextInterface::LAST_USERNAME, $submittedUsername);

     $token = new UsernamePasswordOrganizationToken($submittedUsername, $submittedPassword, $this->providerKey, $organization, array());

     return $this->authenticationManager->authenticate($token);
 }
 /**
  * Delegates token validation to the wrapped CSRF provider.
  *
  * @param string $intention identifier the token was generated for
  * @param string $token     the value submitted by the client
  *
  * @return bool
  */
 public function isTokenValid($intention, $token)
 {
     $provider = $this->csrfProvider;

     return $provider->isCsrfTokenValid($intention, $token);
 }
 /**
  * {@inheritdoc}
  */
 public function isTokenValid(CsrfToken $token)
 {
     // Adapts the CsrfToken value object to the (id, value) provider API.
     $tokenId = $token->getId();
     $tokenValue = $token->getValue();

     return $this->csrfProvider->isCsrfTokenValid($tokenId, $tokenValue);
 }
 public function validateRequest(Request $req)
 {
     // The state parameter is validated as a CSRF token bound to this class;
     // an absent parameter is validated as an empty string.
     $state = $req->query->get(self::STATE_KEY, '');
     $stateValid = $this->csrf->isCsrfTokenValid(__CLASS__, $state);
     if (!$stateValid) {
         throw new AuthenticationException("Invalid state");
     }
 }
 private function checkCSRFToken()
 {
     $expectedIntention = $this->getConfiguration()->getCSRFIntention();
     $submittedToken = $this->getRequest()->get('_token');

     // Fails closed: a missing or mismatching token aborts the action.
     if (!$this->csrfProvider->isCsrfTokenValid($expectedIntention, $submittedToken)) {
         throw new \Exception('Bad CSRF Token');
     }
 }