From 0d8f38eab35fb21d7609b33ab206d8b191eec48a Mon Sep 17 00:00:00 2001
From: Ere Maijala <ere.maijala@helsinki.fi>
Date: Fri, 6 Apr 2018 09:11:16 -0400
Subject: [PATCH] Refactor CSRF validator to service.

---
 module/VuFind/config/module.config.php | 1 +
 module/VuFind/src/VuFind/Auth/Manager.php | 13 +---
 .../VuFind/src/VuFind/Auth/ManagerFactory.php | 3 +-
 .../VuFind/Service/CsrfValidatorFactory.php | 78 +++++++++++++++++++
 .../src/VuFindTest/Auth/ManagerTest.php | 10 ++-
 5 files changed, 93 insertions(+), 12 deletions(-)
 create mode 100644 module/VuFind/src/VuFind/Service/CsrfValidatorFactory.php

diff --git a/module/VuFind/config/module.config.php b/module/VuFind/config/module.config.php
index d5b271c12e6..6f7b4c26168 100644
--- a/module/VuFind/config/module.config.php
+++ b/module/VuFind/config/module.config.php
@@ -353,6 +353,7 @@ $config = [
 'Zend\Db\Adapter\Adapter' => 'VuFind\Service\Factory::getDbAdapter',
 'Zend\Mvc\I18n\Translator' => 'VuFind\Service\Factory::getTranslator',
 'Zend\Session\SessionManager' => 'VuFind\Session\ManagerFactory',
+ 'Zend\Validator\Csrf' => 'VuFind\Service\CsrfValidatorFactory',
 ],
 'initializers' => [
 'VuFind\ServiceManager\ServiceInitializer',
diff --git a/module/VuFind/src/VuFind/Auth/Manager.php b/module/VuFind/src/VuFind/Auth/Manager.php
index 396d27cc1a5..4618d6da29d 100644
--- a/module/VuFind/src/VuFind/Auth/Manager.php
+++ b/module/VuFind/src/VuFind/Auth/Manager.php
@@ -124,10 +124,11 @@ class Manager implements \ZfcRbac\Identity\IdentityProviderInterface
 * @param SessionManager $sessionManager Session manager
 * @param PluginManager $pm Authentication plugin manager
 * @param CookieManager $cookieManager Cookie manager
+ * @param Csrf $csrf CSRF validator
 */
 public function __construct(Config $config, UserTable $userTable,
 SessionManager $sessionManager, PluginManager $pm,
- CookieManager $cookieManager
+ CookieManager $cookieManager, Csrf $csrf
 ) {
 // Store dependencies:
 $this->config = $config;
@@ -135,19 +136,11 @@ class Manager implements \ZfcRbac\Identity\IdentityProviderInterface
 $this->sessionManager = $sessionManager;
 $this->pluginManager = $pm;
 $this->cookieManager = $cookieManager;
+ $this->csrf = $csrf;

 // Set up session:
 $this->session = new \Zend\Session\Container('Account', $sessionManager);

- // Set up CSRF:
- $this->csrf = new Csrf(
- [
- 'session' => new \Zend\Session\Container('csrf', $sessionManager),
- 'salt' => isset($this->config->Security->HMACkey)
- ? $this->config->Security->HMACkey : 'VuFindCsrfSalt',
- ]
- );
-
 // Initialize active authentication setting (defaulting to Database
 // if no setting passed in):
 $method = isset($config->Authentication->method)
diff --git a/module/VuFind/src/VuFind/Auth/ManagerFactory.php b/module/VuFind/src/VuFind/Auth/ManagerFactory.php
index 771b698bdb0..5d19dc29706 100644
--- a/module/VuFind/src/VuFind/Auth/ManagerFactory.php
+++ b/module/VuFind/src/VuFind/Auth/ManagerFactory.php
@@ -84,10 +84,11 @@ class ManagerFactory implements FactoryInterface
 $sessionManager = $container->get('Zend\Session\SessionManager');
 $pm = $container->get('VuFind\Auth\PluginManager');
 $cookies = $container->get('VuFind\Cookie\CookieManager');
+ $csrf = $container->get('Zend\Validator\Csrf');

 // Build the object and make sure account credentials haven't expired:
 $manager = new $requestedName(
- $config, $userTable, $sessionManager, $pm, $cookies
+ $config, $userTable, $sessionManager, $pm, $cookies, $csrf
 );
 $manager->checkForExpiredCredentials();
 return $manager;
diff --git a/module/VuFind/src/VuFind/Service/CsrfValidatorFactory.php b/module/VuFind/src/VuFind/Service/CsrfValidatorFactory.php
new file mode 100644
index 00000000000..d998b399b00
--- /dev/null
+++ b/module/VuFind/src/VuFind/Service/CsrfValidatorFactory.php
@@ -0,0 +1,78 @@
+<?php
+/**
+ * CSRF Validator factory.
+ *
+ * PHP version 5
+ *
+ * Copyright (C) Villanova University 2014.
+ * Copyright (C) The National Library of Finland 2018.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ * @category VuFind
+ * @package Service
+ * @author Demian Katz <demian.katz@villanova.edu>
+ * @author Ere Maijala <ere.maijala@helsinki.fi>
+ * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link https://vufind.org/wiki/development Wiki
+ */
+namespace VuFind\Service;
+
+use Interop\Container\ContainerInterface;
+use Zend\ServiceManager\Factory\FactoryInterface;
+
+/**
+ * CSRF Validator factory.
+ *
+ * @category VuFind
+ * @package Service
+ * @author Demian Katz <demian.katz@villanova.edu>
+ * @author Ere Maijala <ere.maijala@helsinki.fi>
+ * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link https://vufind.org/wiki/development Wiki
+ *
+ * @codeCoverageIgnore
+ */
+class CsrfValidatorFactory implements FactoryInterface
+{
+ /**
+ * Create an object
+ *
+ * @param ContainerInterface $container Service manager
+ * @param string $requestedName Service being created
+ * @param null|array $options Extra options (optional)
+ *
+ * @return object
+ *
+ * @throws ServiceNotFoundException if unable to resolve the service.
+ * @throws ServiceNotCreatedException if an exception is raised when
+ * creating a service.
+ * @throws ContainerException if any other error occurs
+ */
+ public function __invoke(ContainerInterface $container, $requestedName,
+ array $options = null
+ ) {
+ if (!empty($options)) {
+ throw new \Exception('Unexpected options passed to factory.');
+ }
+ $config = $container->get('VuFind\Config\PluginManager')->get('config');
+ $sessionManager = $container->get('Zend\Session\SessionManager');
+ return new $requestedName(
+ [
+ 'session' => new \Zend\Session\Container('csrf', $sessionManager),
+ 'salt' => $config->Security->HMACkey ?? 'VuFindCsrfSalt'
+ ]
+ );
+ }
+}
diff --git a/module/VuFind/tests/unit-tests/src/VuFindTest/Auth/ManagerTest.php b/module/VuFind/tests/unit-tests/src/VuFindTest/Auth/ManagerTest.php
index fda3e408b90..5eba35bc793 100644
--- a/module/VuFind/tests/unit-tests/src/VuFindTest/Auth/ManagerTest.php
+++ b/module/VuFind/tests/unit-tests/src/VuFindTest/Auth/ManagerTest.php
@@ -514,7 +514,15 @@ class ManagerTest extends \VuFindTest\Unit\TestCase
 $pm = $this->getMockPluginManager();
 }
 $cookies = new \VuFind\Cookie\CookieManager([]);
- return new Manager($config, $userTable, $sessionManager, $pm, $cookies);
+ $csrf = new \Zend\Validator\Csrf(
+ [
+ 'session' => new \Zend\Session\Container('csrf', $sessionManager),
+ 'salt' => 'csrftest'
+ ]
+ );
+ return new Manager(
+ $config, $userTable, $sessionManager, $pm, $cookies, $csrf
+ );
 }

 /**
--
GitLab
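Review bot: The `'salt' => $config->Security->HMACkey ?? 'VuFindCsrfSalt'` line in `__invoke` silently falls back to a fixed, publicly known string when `[Security] HMACkey` is not configured, and nothing in the factory records that the fallback was taken. In the zend-validator releases I know, the salt is only mixed with random bytes before the resulting token is stored in the session, so the fallback should not by itself make tokens forgeable — confirm against the vendored `Zend\Validator\Csrf` — but a comment such as `// Fallback salt is a public constant; deployments should set Security->HMACkey in config.ini` would make the expectation explicit for operators reading this factory. The file header still says `PHP version 5` although the `??` operator on that same line requires PHP 7.0+, so the header should read `PHP version 7`. `array $options = null` relies on implicit nullability; `?array $options = null` states the contract explicitly and stays compatible with `FactoryInterface`.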
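Review bot: The helper now builds a real `\Zend\Validator\Csrf` bound to a live `\Zend\Session\Container('csrf', $sessionManager)`, so every test routed through it touches Zend session state via the validator even when the test asserts nothing about CSRF. Since the validator is now constructor-injected, a stub would keep the unit under test isolated, e.g. `$csrf = $this->createMock(\Zend\Validator\Csrf::class);` in place of the six-line construction — unless other tests in this class depend on the validator's real hash/isValid behaviour, in which case the real instance is the right choice and a one-line comment saying so would prevent the next reader from "simplifying" it. The enclosing helper method starts outside the hunk.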