rezzza/security-bundle

Signed requests check

Wednesday, September 6, 2017
by steph_py
Repository
7 Watchers
15 Stars
35,504 Installations

PHP
0 Dependents
0 Suggesters
9 Forks
1 Open issues
12 Versions
5 % Grown

The README.md

SecurityBundle

, _(*1)

Installation

With Composer

    "require": {
        'rezzza/security-bundle': '~2.0',
    }

Enable Bundle

In AppKernel:, _(*2)

    $bundles = array(
        //....
        new Rezzza\SecurityBundle\RezzzaSecurityBundle(),
        //....
    );

On symfony 2.0

Add factory to your security.yml, _(*3)

security:
    factories:
        - "%kernel.root_dir%/../vendor/bundles/Rezzza/SecurityBundle/Resources/config/services/security.xml"

Request signature checker

Validate a signature sent by client in query string, this signature can have a lifetime., _(*4)

Criterias are:, _(*5)

Time send on signature (if replay_protection activated)
RequestMethod
http host
path info
content - RAW_DATA (posted fields)

It'll hash all theses criterias with a secret defined on security.yml, example:, _(*6)

# security.yml
    firewalls:
        api:
            pattern: ^/api/.*
            request_signature:
                algorithm: SHA1
                # you can easily ignore this when use functional tests by example
                ignore:    %request_signature.ignore%
                # secret of symfony application or an other one
                secret:    %secret%
                # http://.............?_signature=....
                parameter: _signature
                # Do you want to add a lifetime criteria ? By this way the signature will be transitory
                replay_protection:
                    enabled:   true
                    lifetime:  600
                    parameter: _signature_ttl

Build the signature:, _(*7)

$signatureConfig = new SignatureConfig(true, 'sha1', 's3cr3t');
$signedRequest = new SignedRequest(
    'GET',
    'subdomain.domain.tld',
    '/path/to/resources',
    'content',
    $signatureTime // if needed
);

$signature = $signedRequest->buildSignature($signatureConfig);

You can define distant firewall on a config:, _(*8)

rezzza_security:
    firewalls:
        my_firewall:
            # algorithm:        'SHA1' default
            secret:            'IseeDeadPeopleEverywhere'
            # replay_protection: true # default

And then:, _(*9)

$signatureConfig = $this->container->get('rezzza.security.signature_config.my_firewall');

$signedRequest = new SignedRequest(
    'GET',
    'subdomain.domain.tld',
    '/path/to/resources',
    'content',
    $signatureTime // if needed
);

$signature = $signedRequest->buildSignature($signatureConfig);

Do you use PSR7 request ?, _(*10)

$signatureConfig = $this->container->get('rezzza.security.signature_config.my_firewall');

$url     = 'http://domain.tld/api/uri.json?foo= bar';
// example with guzzle psr7 implementation.
$request = new \GuzzleHttp\Psr7\Request('GET', $url);

$signer  = new \Rezzza\SecurityBundle\Request\Psr7RequestSigner($signatureConfig);
$request = $signer->sign($request);

$response = (new \GuzzleHttp\Client())->send($request);

Obfuscate request

If you have critical data coming on your application, you may not want to expose them into symfony profiler. You can easily define which data will not appear on this one on each routes., _(*11)

rezzza_security:
    request_obfuscator:
        enabled: 1

In your route:, _(*12)


use \Rezzza\SecurityBundle\Controller\Annotations\ObfuscateRequest;

/**
 * @ObfuscateRequest()
 */
public function indexAction(Request $request)
{
}

Will obfuscate all datas on symfony profiler., _(*13)

@obfuscate("content=*") // obfuscate $request->getContent()
@obfuscate("headers={'foobar'}") // obfuscate $request->headers->get('foobar')
@obfuscate("request_request={"customer[password]"}") // obfuscate $request->request->get('customer')['password']

Keys to obfuscate are:, _(*14)

format
content
content_type
status_text
status_code
request_query ($_GET)
request_request ($_POST)
request_headers ($_HEADER)
request_server ($_SERVER)
request_cookies ($_COOKIES)
request_attributes ($request->attributes)
response_headers
session_metadata
session_attributes
flashes
path_info
controller
locale

WishList

QueryString or HTTP Headers
Unit Tests with atoum

The Versions

06/09 2017

dev-master

9999999-dev https://github.com/rezzza/SecurityBundle

Signed requests check

Sources Download

MIT

The Requires

The Development Requires

by Community contributors

security bundle symfony

06/09 2017

v2.3.2

2.3.2.0 https://github.com/rezzza/SecurityBundle

Signed requests check

Sources Download

MIT

The Requires

The Development Requires

by Community contributors

security bundle symfony

25/04 2017

v2.3.1

2.3.1.0 https://github.com/rezzza/SecurityBundle

Signed requests check

Sources Download

MIT

The Requires

The Development Requires

by Community contributors

security bundle symfony

11/04 2017

v2.3.0

2.3.0.0 https://github.com/rezzza/SecurityBundle

Signed requests check

Sources Download

MIT

The Requires

The Development Requires

by Community contributors

security bundle symfony

13/01 2016

v2.2.0

2.2.0.0 https://github.com/rezzza/SecurityBundle

Signed requests check

Sources Download

MIT

The Requires

The Development Requires

by Community contributors

security bundle symfony

16/12 2015

v2.1.0

2.1.0.0 https://github.com/rezzza/SecurityBundle

Signed requests check

Sources Download

MIT

The Requires

The Development Requires

by Community contributors

security bundle symfony

30/03 2015

v2.0.1

2.0.1.0 https://github.com/rezzza/SecurityBundle

Signed requests check

Sources Download

MIT

The Requires

The Development Requires

by Community contributors

security bundle symfony

11/12 2014

2.0.0

2.0.0.0 https://github.com/rezzza/SecurityBundle

Signed requests check

Sources Download

MIT

The Requires

The Development Requires

by Community contributors

security bundle symfony

04/12 2014

v1.1.2

1.1.2.0 https://github.com/rezzza/SecurityBundle

Signed requests check

Sources Download

MIT

The Requires

The Development Requires

by Community contributors

security bundle symfony

06/09 2014

v1.1.1

1.1.1.0 https://github.com/rezzza/SecurityBundle

Signed requests check

Sources Download

MIT

The Requires

The Development Requires

atoum/atoum *@dev

by Community contributors

security bundle symfony

21/07 2014

v1.1.0

1.1.0.0 https://github.com/rezzza/SecurityBundle

Signed requests check

Sources Download

MIT

The Requires

The Development Requires

atoum/atoum *@dev

by Community contributors

security bundle symfony

21/05 2013

v1.0.0

1.0.0.0 https://github.com/rezzza/SecurityBundle

Signed requests check

Sources Download

MIT

The Requires

php >=5.3.2
symfony/framework-bundle 2.*

by Community contributors

security bundle symfony

symfony-bundle security-bundle

Signed requests check

rezzza/security-bundle

The README.md

SecurityBundle

Installation

With Composer

Enable Bundle

On symfony 2.0

Request signature checker

Obfuscate request

WishList

The Versions

dev-master

The Requires

The Development Requires

by Community contributors

v2.3.2

The Requires

The Development Requires

by Community contributors

v2.3.1

The Requires

The Development Requires

by Community contributors

v2.3.0

The Requires

The Development Requires

by Community contributors

v2.2.0

The Requires

The Development Requires

by Community contributors

v2.1.0

The Requires

The Development Requires

by Community contributors

v2.0.1

The Requires

The Development Requires

by Community contributors

2.0.0

The Requires

The Development Requires

by Community contributors

v1.1.2

The Requires

The Development Requires

by Community contributors

v1.1.1

The Requires

The Development Requires

by Community contributors

v1.1.0

The Requires

The Development Requires

by Community contributors

v1.0.0

The Requires

by Community contributors