Signed Request checks and obfuscate requests on Symfony profiler.
PHP Gherkin ApacheConf
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
Controller/Annotations
DataCollector
DependencyInjection
Request
Resources/config/services
Security
Tests/Units
features
.atoum.bootstrap.php
.atoum.php
.gitignore
.scrutinizer.yml
.travis.yml
README.md
RezzzaSecurityBundle.php
behat.yml
composer.json

README.md

SecurityBundle

Build Status Scrutinizer Code Quality Code Coverage

Installation

With Composer

    "require": {
        'rezzza/security-bundle': '~2.0',
    }

Enable Bundle

In AppKernel:

    $bundles = array(
        //....
        new Rezzza\SecurityBundle\RezzzaSecurityBundle(),
        //....
    );

On symfony 2.0

Add factory to your security.yml

security:
    factories:
        - "%kernel.root_dir%/../vendor/bundles/Rezzza/SecurityBundle/Resources/config/services/security.xml"

Request signature checker

Validate a signature sent by client in query string, this signature can have a lifetime.

Criterias are:

  • Time send on signature (if replay_protection activated)
  • RequestMethod
  • http host
  • path info
  • content - RAW_DATA (posted fields)

It'll hash all theses criterias with a secret defined on security.yml, example:

# security.yml
    firewalls:
        api:
            pattern: ^/api/.*
            request_signature:
                algorithm: SHA1
                # you can easily ignore this when use functional tests by example
                ignore:    %request_signature.ignore%
                # secret of symfony application or an other one
                secret:    %secret%
                # http://.............?_signature=....
                parameter: _signature
                # Do you want to add a lifetime criteria ? By this way the signature will be transitory
                replay_protection:
                    enabled:   true
                    lifetime:  600
                    parameter: _signature_ttl

Build the signature:

$signatureConfig = new SignatureConfig(true, 'sha1', 's3cr3t');
$signedRequest = new SignedRequest(
    'GET',
    'subdomain.domain.tld',
    '/path/to/resources',
    'content',
    $signatureTime // if needed
);

$signature = $signedRequest->buildSignature($signatureConfig);

You can define distant firewall on a config:

rezzza_security:
    firewalls:
        my_firewall:
            # algorithm:        'SHA1' default
            secret:            'IseeDeadPeopleEverywhere'
            # replay_protection: true # default

And then:

$signatureConfig = $this->container->get('rezzza.security.signature_config.my_firewall');

$signedRequest = new SignedRequest(
    'GET',
    'subdomain.domain.tld',
    '/path/to/resources',
    'content',
    $signatureTime // if needed
);

$signature = $signedRequest->buildSignature($signatureConfig);

Do you use PSR7 request ?

$signatureConfig = $this->container->get('rezzza.security.signature_config.my_firewall');

$url     = 'http://domain.tld/api/uri.json?foo= bar';
// example with guzzle psr7 implementation.
$request = new \GuzzleHttp\Psr7\Request('GET', $url);

$signer  = new \Rezzza\SecurityBundle\Request\Psr7RequestSigner($signatureConfig);
$request = $signer->sign($request);

$response = (new \GuzzleHttp\Client())->send($request);

Obfuscate request

If you have critical data coming on your application, you may not want to expose them into symfony profiler. You can easily define which data will not appear on this one on each routes.

rezzza_security:
    request_obfuscator:
        enabled: 1

In your route:


use \Rezzza\SecurityBundle\Controller\Annotations\ObfuscateRequest;

/**
 * @ObfuscateRequest()
 */
public function indexAction(Request $request)
{
}

Will obfuscate all datas on symfony profiler.

@obfuscate("content=*") // obfuscate $request->getContent()
@obfuscate("headers={'foobar'}") // obfuscate $request->headers->get('foobar')
@obfuscate("request_request={"customer[password]"}") // obfuscate $request->request->get('customer')['password']

Keys to obfuscate are:

  • format
  • content
  • content_type
  • status_text
  • status_code
  • request_query ($_GET)
  • request_request ($_POST)
  • request_headers ($_HEADER)
  • request_server ($_SERVER)
  • request_cookies ($_COOKIES)
  • request_attributes ($request->attributes)
  • response_headers
  • session_metadata
  • session_attributes
  • flashes
  • path_info
  • controller
  • locale

WishList

  • QueryString or HTTP Headers
  • Unit Tests with atoum