Merge pull request #1 from fdsis/f_hmac_token

Multiple AuthenticationProvider

Author: bweinzierl

Classes/Authentication/UsernameHmacTimestampProvider.php

@@ -2,14 +2,14 @@
 namespace FormatD\HmacAuthentication\Authentication;
 
 
+use FormatD\HmacAuthentication\Domain\Model\HmacToken;
+use FormatD\HmacAuthentication\Service\HmacService;
 use Neos\Flow\Annotations as Flow;
 use Neos\Flow\Security\Account;
 use Neos\Flow\Security\AccountRepository;
-use Neos\Flow\Security\Authentication\Token\UsernamePassword;
-use Neos\Flow\Security\Authentication\Token\UsernamePasswordHttpBasic;
+use Neos\Flow\Security\Authentication\TokenAndProviderFactoryInterface;
 use Neos\Flow\Security\Authentication\TokenInterface;
 use Neos\Flow\Security\Context;
-use Neos\Flow\Security\Cryptography\HashService;
 use Neos\Flow\Security\Exception\UnsupportedAuthenticationTokenException;
 
 /**
@@ -31,6 +31,12 @@ class UsernameHmacTimestampProvider extends \Neos\Flow\Security\Authentication\P
      */
     protected $hmacService;
 
+    /**
+     * @Flow\Inject
+     * @var TokenAndProviderFactoryInterface
+     */
+    protected $tokenAndProviderFactory;
+
     /**
      * @var Context
      * @Flow\Inject
@@ -43,6 +49,12 @@ class UsernameHmacTimestampProvider extends \Neos\Flow\Security\Authentication\P
      */
     protected $persistenceManager;
 
+    /**
+     * @Flow\InjectConfiguration(package="FormatD.HmacAuthentication.allowedAuthenticationProviders")
+     * @var array
+     */
+    protected $allowedAuthenticationProviders;
+
     /**
      * Returns the class names of the tokens this provider can authenticate.
      *
@@ -53,6 +65,43 @@ public function getTokenClassNames()
         return [UsernameHmacTimestampToken::class];
     }
 
+    /**
+     * @param string $alias
+     * @return false|string
+     */
+    protected function getAuthenticationProviderNameByAlias($alias) {
+        if(!is_array($this->allowedAuthenticationProviders)) {
+            return false;
+        }
+        if(!key_exists($alias, $this->allowedAuthenticationProviders)) {
+            return false;
+        }
+        $name = $this->allowedAuthenticationProviders[$alias];
+        return strlen($name) > 0 ? $name : false;
+    }
+
+    /**
+     * @param HmacToken $hmacToken
+     */
+    protected function getAuthenticationProviderNameWithHmacToken($hmacToken) {
+        if($hmacToken->hasPayloadEntry(HmacService::HTK_Provider)) {
+            $tokenAuthenticationProviderAlias = $hmacToken->getPayloadEntry(HmacService::HTK_Provider);
+            if($authenticationProviderName = $this->getAuthenticationProviderNameByAlias($tokenAuthenticationProviderAlias)) {
+                return $authenticationProviderName;
+            }
+        }
+
+        return $this->options['mainAuthenticationProviderName'] ? $this->options['mainAuthenticationProviderName'] : $this->name;
+    }
+
+    /**
+     * @param HmacToken $hmacToken
+     * @return mixed
+     */
+    protected function getUsernameFromHmacToken($hmacToken) {
+        return $hmacToken->getPayloadEntry(HmacService::HTK_Username);
+    }
+
     /**
      * Checks the given token for validity and sets the token authentication status
      * accordingly (success, wrong credentials or no credentials given).
@@ -76,31 +125,35 @@ public function authenticate(TokenInterface $authenticationToken)
             $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
         }
 
-        if (!is_array($credentials) || !isset($credentials['username']) || !isset($credentials['hmac']) || !isset($credentials['timestamp'])) {
+        if (!is_array($credentials) || !isset($credentials[UsernameHmacTimestampToken::CRED_TOKEN])) {
             return;
         }
 
-        $providerName = $this->options['mainAuthenticationProviderName'] ? $this->options['mainAuthenticationProviderName'] : $this->name;
+        $hmacToken = HmacToken::FromJson($credentials[UsernameHmacTimestampToken::CRED_TOKEN]);
+
+        $providerName = $this->getAuthenticationProviderNameWithHmacToken($hmacToken);
+        $userName = $this->getUsernameFromHmacToken($hmacToken);
+
         $accountRepository = $this->accountRepository;
-        $this->securityContext->withoutAuthorizationChecks(function () use ($credentials, $providerName, $accountRepository, &$account) {
-            $account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName);
+        $this->securityContext->withoutAuthorizationChecks(function () use ($credentials, $userName, $providerName, $accountRepository, &$account) {
+            $account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($userName, $providerName);
         });
 
         $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
 
+        $isHmacTokenValid = $this->hmacService->validateToken($hmacToken);
+
         if ($account === null) {
-        	// validate anyway to prevent timing attacks
-            $this->hmacService->validateHmac($credentials['username'], $credentials['timestamp'], $credentials['hmac']);
+            // Return after token hmac validation to prevent timing attacks
             return;
         }
 
-        if ($this->hmacService->validateHmac($credentials['username'], $credentials['timestamp'], $credentials['hmac'])) {
+        if ($isHmacTokenValid) {
             $account->authenticationAttempted(TokenInterface::AUTHENTICATION_SUCCESSFUL);
             $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
             $authenticationToken->setAccount($account);
-        } else {
-            $account->authenticationAttempted(TokenInterface::WRONG_CREDENTIALS);
         }
+
         $this->accountRepository->update($account);
         $this->persistenceManager->whitelistObject($account);
     }

Classes/Authentication/UsernameHmacTimestampToken.php

@@ -12,12 +12,14 @@
  */
 class UsernameHmacTimestampToken extends \Neos\Flow\Security\Authentication\Token\AbstractToken {
 
+    const CRED_TOKEN = 'token';
+
 	/**
 	 * The password credentials
 	 * @var array
 	 * @Flow\Transient
 	 */
-	protected $credentials = ['username' => '', 'hmac' => '', 'timestamp' => ''];
+	protected $credentials = [self::CRED_TOKEN => ''];
 
 	/**
 	 * @var \Neos\Flow\Utility\Environment
@@ -43,12 +45,10 @@ class UsernameHmacTimestampToken extends \Neos\Flow\Security\Authentication\Toke
 	 */
 	public function updateCredentials(\Neos\Flow\Mvc\ActionRequest $actionRequest)
 	{
-		$credentials = $this->hmacService->getCredentialsFromActionRequest($actionRequest);
+		$token = $this->hmacService->getCredentialsFromActionRequest($actionRequest);
 
-		if ($credentials) {
-			$this->credentials['username'] = $credentials->username;
-			$this->credentials['hmac'] = $credentials->hmac;
-			$this->credentials['timestamp'] = $credentials->timestamp;
+		if ($token) {
+		    $this->credentials[self::CRED_TOKEN] = $token->toJson();
 			$this->setAuthenticationStatus(self::AUTHENTICATION_NEEDED);
 		}
 	}
@@ -60,7 +60,8 @@ public function updateCredentials(\Neos\Flow\Mvc\ActionRequest $actionRequest)
 	 */
 	public function __toString()
 	{
-		return 'Username: "' . $this->credentials['username'] . '", Hmac: "***", Timestamp: "' . $this->credentials['timestamp'] . '" ';
+	    $token = $this->credentials[self::CRED_TOKEN];
+		return 'Token: "' . $token . '"';
 	}
 
 }

Classes/Domain/Model/HmacToken.php

@@ -0,0 +1,112 @@
+<?php
+
+namespace FormatD\HmacAuthentication\Domain\Model;
+
+use Neos\Flow\Annotations as Flow;
+
+/**
+ * @Flow\Scope("prototype")
+ */
+class HmacToken
+{
+    /**
+     * @var array<string,string>
+     */
+    protected $payload;
+
+    /**
+     * @var string
+     */
+    protected $hmac;
+
+    /**
+     * @var int
+     */
+    protected $timestamp;
+
+    public function __construct($payload = [], $hmac = null, $timestamp = null)
+    {
+        $this->payload = $payload;
+        $this->hmac = $hmac;
+        $this->timestamp = $timestamp;
+    }
+
+    /**
+     * @param string $hmac
+     */
+    public function setHmac(string $hmac) {
+        $this->hmac = $hmac;
+    }
+
+    /**
+     * @param int $timestamp
+     */
+    public function setTimestamp(int $timestamp) {
+        $this->timestamp = $timestamp;
+    }
+
+    /**
+     * @param string $key
+     * @param string $value
+     */
+    public function setPayloadEntry(string $key, string $value) {
+        $this->payload[$key] = $value;
+    }
+
+    /**
+     * @param string $key
+     */
+    public function hasPayloadEntry(string $key) {
+        return array_key_exists($key, $this->payload);
+    }
+
+    /**
+     * @param string $key
+     * @return mixed|string
+     */
+    public function getPayloadEntry(string $key) {
+        return $this->payload[$key];
+    }
+
+    /**
+     * @return false|string
+     */
+    public function getHashData() {
+        return json_encode($this->payload);
+    }
+
+    /**
+     * @return int
+     */
+    public function getTimestamp() {
+        return $this->timestamp;
+    }
+
+    /**
+     * @return string
+     */
+    public function getHmac() {
+        return $this->hmac;
+    }
+
+    /**
+     * @return false|string
+     */
+    public function toJson() {
+        return json_encode([
+            'payload' => $this->payload,
+            'hmac' => $this->hmac,
+            'timestamp' => $this->timestamp
+        ]);
+    }
+
+    /**
+     * @param string $json
+     * @return HmacToken
+     */
+    public static function FromJson(string $json) {
+        $data = json_decode($json, true);
+        $token = new HmacToken($data['payload'], $data['hmac'], $data['timestamp']);
+        return $token;
+    }
+}