implements security on recovering password and redis connector

Security/PasswordRecover/PasswordRecoverEvent.php

@@ -0,0 +1,118 @@
+<?php
+/*
+ * Copyright (C) 2018 Champs Libres Cooperative <info@champs-libres.coop>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+namespace Chill\MainBundle\Security\PasswordRecover;
+
+use Chill\MainBundle\Entity\User;
+use Symfony\Component\EventDispatcher\Event;
+
+/**
+ * 
+ *
+ * @author Julien Fastré <julien.fastre@champs-libres.coop>
+ */
+class PasswordRecoverEvent extends Event
+{
+    /**
+     *
+     * @var User
+     */
+    protected $user;
+    
+    /**
+     *
+     * @var string
+     */
+    protected $token;
+    
+    /**
+     *
+     * @var string
+     */
+    protected $ip;
+    
+    /**
+     *
+     * @var boolean
+     */
+    protected $safelyGenerated;
+    
+    const ASK_TOKEN_INVALID_FORM = 'chill_main.ask_token_invalid_form';
+    const INVALID_TOKEN = 'chill_main.password_recover_invalid_token';
+    const ASK_TOKEN_SUCCESS = 'chill_main.ask_token_success';
+    
+    /**
+     * 
+     * @param type $token
+     * @param User $user
+     * @param type $ip
+     * @param bool $safelyGenerated true if generated safely (from console command, etc.)
+     */
+    public function __construct($token = null, User $user = null, $ip = null, bool $safelyGenerated = false)
+    {
+        $this->user = $user;
+        $this->token = $token;
+        $this->ip = $ip;
+        $this->safelyGenerated = $safelyGenerated;
+    }
+    
+    /**
+     * 
+     * @return User|null
+     */
+    public function getUser()
+    {
+        return $this->user;
+    }
+
+    /**
+     * 
+     * @return string
+     */
+    public function getToken()
+    {
+        return $this->token;
+    }
+    
+    public function getIp()
+    {
+        return $this->ip;
+    }
+    
+    /**
+     * 
+     * @return boolean
+     */
+    public function hasIp(): bool
+    {
+        return !empty($this->ip);
+    }
+    
+    /**
+     * 
+     * @return boolean
+     */
+    public function hasUser(): bool
+    {
+        return $this->user instanceof User;
+    }
+    
+    public function isSafelyGenerated(): bool
+    {
+        return $this->safelyGenerated;
+    }
+}

Security/PasswordRecover/PasswordRecoverEventSubscriber.php

@@ -0,0 +1,83 @@
+<?php
+/*
+ * Copyright (C) 2018 Champs Libres Cooperative <info@champs-libres.coop>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+namespace Chill\MainBundle\Security\PasswordRecover;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+
+
+/**
+ * 
+ *
+ * @author Julien Fastré <julien.fastre@champs-libres.coop>
+ */
+class PasswordRecoverEventSubscriber implements EventSubscriberInterface
+{
+    /**
+     *
+     * @var PasswordRecoverLocker
+     */
+    protected $locker;
+    
+    public function __construct(PasswordRecoverLocker $locker)
+    {
+        $this->locker = $locker;
+    }
+
+    
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            PasswordRecoverEvent::INVALID_TOKEN => [
+                [ 'onInvalidToken' ]
+            ],
+            PasswordRecoverEvent::ASK_TOKEN_INVALID_FORM => [
+                [ 'onAskTokenInvalidForm' ]
+            ],
+            PasswordRecoverEvent::ASK_TOKEN_SUCCESS => [
+                [ 'onAskTokenSuccess']
+            ]
+        ];
+    }
+    
+    public function onInvalidToken(PasswordRecoverEvent $event)
+    {
+        // set global lock
+        $this->locker->createLock('invalid_token_global', null);
+        
+        // set ip lock
+        if ($event->hasIp()) {
+            $this->locker->createLock('invalid_token_by_ip', $event->getIp());
+        }
+    }
+    
+    public function onAskTokenInvalidForm(PasswordRecoverEvent $event)
+    {
+        // set global lock
+        $this->locker->createLock('ask_token_invalid_form_global', null);
+        
+        // set ip lock
+        if ($event->hasIp()) {
+            $this->locker->createLock('ask_token_invalid_form_by_ip', $event->getIp());
+        }
+    }
+    
+    public function onAskTokenSuccess(PasswordRecoverEvent $event)
+    {
+        $this->locker->createLock('ask_token_success_by_user', $event->getUser());
+    }
+}

Security/PasswordRecover/PasswordRecoverLocker.php

@@ -0,0 +1,170 @@
+<?php
+/*
+ * Copyright (C) 2018 Champs Libres Cooperative <info@champs-libres.coop>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+namespace Chill\MainBundle\Security\PasswordRecover;
+
+use Chill\MainBundle\Redis\ChillRedis;
+use Psr\Log\LoggerInterface;
+
+/**
+ * 
+ *
+ * @author Julien Fastré <julien.fastre@champs-libres.coop>
+ */
+class PasswordRecoverLocker
+{
+    
+    /**
+     * The maximum of invalid token globally (across all ip)
+     */
+    const MAX_INVALID_TOKEN_GLOBAL = 50;
+    
+    /**
+     * The maximum of invalid token by ip
+     */
+    const MAX_INVALID_TOKEN_BY_IP = 10;
+    
+    /**
+     * TTL to keep invalid token recorded
+     */
+    const INVALID_TOKEN_TTL = 3600;
+    
+    const MAX_ASK_TOKEN_INVALID_FORM_GLOBAL = 50;
+    
+    const MAX_ASK_TOKEN_INVALID_FORM_BY_IP = 10;
+    
+    const MAX_ASK_TOKEN_BY_USER = 10;
+    
+    const ASK_TOKEN_INVALID_FORM_TTL = 3600;
+    
+    /**
+     *
+     * @var ChillRedis
+     */
+    protected $chillRedis;
+    
+    /**
+     *
+     * @var LoggerInterface
+     */
+    protected $logger;
+    
+    public function __construct(ChillRedis $chillRedis, LoggerInterface $logger)
+    {
+        $this->chillRedis = $chillRedis;
+        $this->logger = $logger;
+    }
+
+    
+    public function createLock($usage, $discriminator = null)
+    {
+        $max = $this->getMax($usage);
+        $ttl = $this->getTtl($usage);
+        
+        for ($i = 0; $i < $max; $i++) {
+            $key = self::generateLockKey($usage, $i, $discriminator);
+            
+            if (0 === $this->chillRedis->exists($key)) {
+                $this->chillRedis->set($key, 1);
+                $this->chillRedis->setTimeout($key, $ttl);
+                
+                break;
+            }
+        }
+    }
+    
+    public function isLocked($usage, $discriminator = null) 
+    {
+        $max = $this->getMax($usage);
+        
+        for ($i = 0; $i < $max; $i++) {
+            $key = self::generateLockKey($usage, $i, $discriminator);
+
+            if ($this->chillRedis->exists($key) === 0) {
+                return false;
+            }
+        }
+        
+        $this->logger->warning("locking reaching for password recovery", [
+            'usage' => $usage,
+            'discriminator' => $discriminator
+        ]);
+        
+        return true;
+    }
+    
+    public function getMax($usage)
+    {
+        switch ($usage) {
+            case 'invalid_token_global':
+                return self::MAX_INVALID_TOKEN_GLOBAL;
+            case 'invalid_token_by_ip':
+                return self::MAX_INVALID_TOKEN_BY_IP;
+            case 'ask_token_invalid_form_global':
+                return self::MAX_ASK_TOKEN_INVALID_FORM_GLOBAL;
+            case 'ask_token_invalid_form_by_ip':
+                return self::MAX_ASK_TOKEN_INVALID_FORM_BY_IP;
+            case 'ask_token_success_by_user':
+                return self::MAX_ASK_TOKEN_BY_USER;
+                
+            default:
+                throw new \UnexpectedValueException("this usage '$usage' is not yet implemented");
+        }
+    }
+    
+    public function getTtl($usage)
+    {
+        switch ($usage) {
+            case 'invalid_token_global':
+            case 'invalid_token_by_ip':
+                return self::INVALID_TOKEN_TTL;
+                
+            case 'ask_token_invalid_form_global':
+            case 'ask_token_invalid_form_by_ip':
+                return self::ASK_TOKEN_INVALID_FORM_TTL;
+                
+            case 'ask_token_success_by_user':
+                return self::ASK_TOKEN_INVALID_FORM_TTL * 24;
+                
+            default:
+                throw new \UnexpectedValueException("this usage '$usage' is not yet implemented");
+        }
+    }
+    
+    /**
+     * 
+     * @param string $usage 'invalid_token_global' or ...
+     * @param int $number
+     */
+    public static function generateLockKey($usage, int $number, $discriminator = null)
+    {
+        switch($usage) {
+            case "invalid_token_global":
+                return sprintf('invalid_token_global_%d', $number);
+            case "invalid_token_by_ip":
+                return sprintf('invalid_token_ip_%s_%d', $discriminator, $number);
+            case "ask_token_invalid_form_global":
+                return sprintf('ask_token_invalid_form_global_%d', $number);
+            case "ask_token_invalid_form_by_ip":
+                return sprintf('ask_token_invalid_form_by_ip_%s_%d', $discriminator, $number);
+            case 'ask_token_success_by_user':
+                return sprintf('ask_token_success_by_user_%s_%d', $discriminator->getId(), $number);
+            default:
+                throw new \LogicException("this usage is not implemented");
+        }
+    }
+}

Security/PasswordRecover/PasswordRecoverVoter.php

@@ -20,6 +20,7 @@ namespace Chill\MainBundle\Security\PasswordRecover;
 use Symfony\Component\Security\Core\Authorization\Voter\Voter;
 use Chill\MainBundle\Entity\User;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\HttpFoundation\RequestStack;
 
 /**
  * 
@@ -28,27 +29,74 @@ use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  */
 class PasswordRecoverVoter extends Voter
 {
-    const CHANGE_PASSWORD = 'CHILL_CHANGE_PASSWORD';
+    const TRY_TOKEN = 'CHILL_PASSWORD_TRY_TOKEN';
+    const ASK_TOKEN = 'CHILL_PASSWORD_ASK_TOKEN';
+    
+    protected $supported = [
+        self::TRY_TOKEN,
+        self::ASK_TOKEN
+    ];
+    
+    /**
+     *
+     * @var PasswordRecoverLocker
+     */
+    protected $locker;
+    
+    /**
+     *
+     * @var RequestStack
+     */
+    protected $requestStack;
+    
+    public function __construct(PasswordRecoverLocker $locker, RequestStack $requestStack)
+    {
+        $this->locker = $locker;
+        $this->requestStack = $requestStack;
+    }
+
     
     protected function supports($attribute, $subject): bool
     {
-        if ($attribute !== self::CHANGE_PASSWORD) {
+        if (!in_array($attribute, $this->supported)) {
             return false;
         }
         
-        if (!$subject['user'] instanceof User) {
-            throw new \UnexpectedValueException("The subject must contains an "
-                . "".User::class." under the 'user' key");
-        }
-        
-        if (empty($subject['token'])) {
-            throw new \UnexpectedValueException("The subject must contains a "
-                . "token key");
-        }
+        return true;
     }
 
     protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
     {
-        
+        switch ($attribute) {
+            case self::TRY_TOKEN:
+                if (TRUE === $this->locker->isLocked('invalid_token_global')) {
+                    return false;
+                }
+                
+                $ip = $this->requestStack->getCurrentRequest()->getClientIp();
+                if (TRUE === $this->locker->isLocked('invalid_token_by_ip', $ip)) {
+                    return false;
+                }
+                
+                return true;
+            case self::ASK_TOKEN:
+                if (TRUE === $this->locker->isLocked('ask_token_invalid_form_global')) {
+                    return false;
+                }
+                
+                $ip = $this->requestStack->getCurrentRequest()->getClientIp();
+                if (TRUE === $this->locker->isLocked('ask_token_invalid_form_by_ip', $ip)) {
+                    return false;
+                }
+                
+                if ($subject instanceof User) {
+                    if (TRUE === $this->locker->isLocked('ask_token_success_by_user', $subject)) {
+                        return false;
+                    }
+                }
+                
+                return true;
+                
+        }
     }
 }