Merge branch 'release-1.x'

OpenConext · Jul 15, 2015 · c988ce7 · c988ce7
2 parents e8eb093 + 55a2e43
commit c988ce7
Show file tree

Hide file tree

Showing 17 changed files with 226 additions and 117 deletions.
diff --git a/app/Resources/SurfnetStepupBundle/views/Exception/error.html.twig b/app/Resources/SurfnetStepupBundle/views/Exception/error.html.twig
@@ -9,6 +9,7 @@
     <a class="btn btn-primary" href="{{ path('ss_entry_point') }}">{{ 'ss.error.button.go_home'|trans }}</a>
 
     <hr>
+    <p><i class="fa fa-clock-o"></i> {{ "now"|date('Y-m-d H:i:s') }}</p>
     <p>{{ 'ss.error.text.your_art_code'|trans }}: <span class="art">#{{ art }}</span></p>
     <p>{{ 'ss.error.text.what_were_you_doing_well_fix_it'|trans }}</p>
 {% endblock %}
diff --git a/app/Resources/SurfnetStepupBundle/views/Exception/error404.html.twig b/app/Resources/SurfnetStepupBundle/views/Exception/error404.html.twig
@@ -9,6 +9,7 @@
     <a class="btn btn-primary" href="{{ path('ss_entry_point') }}">{{ 'ss.error.button.go_home'|trans }}</a>
 
     <hr>
+    <p><i class="fa fa-clock-o"></i> {{ "now"|date('Y-m-d H:i:s') }}</p>
     <p>{{ 'ss.error.text.your_art_code'|trans }}: <span class="art">#{{ art }}</span></p>
     <p>{{ 'ss.error.text.if_you_think_this_is_incorrect_report'|trans }}</p>
 {% endblock %}
diff --git a/app/Resources/views/base.html.twig b/app/Resources/views/base.html.twig
@@ -27,7 +27,7 @@
             </div>
         {% if app.user %}
             <div class="clearfix">
-                <form method="post" action="{{ path('logout') }}" class="pull-right">
+                <form method="post" action="{{ logout_url('saml_based') }}" class="pull-right">
                     <button type="submit" class="btn btn-link">
                         <i class="fa fa-sign-out"></i>
                         {{ 'button.logout'|trans }}

diff --git a/app/config/config.yml b/app/config/config.yml
@@ -61,6 +61,9 @@ swiftmailer:
     spool:     { type: memory }
 
 nelmio_security:
+    clickjacking:
+        paths:
+            '^/.*': DENY
     # Content Security Policy
     csp:
         report_uri: /csp/report

diff --git a/app/config/security.yml b/app/config/security.yml
@@ -18,7 +18,10 @@ security:
                 path: /logout
                 target: %logout_redirect_url%
                 invalidate_session: true
+                csrf_token_generator: form.csrf_provider
+                csrf_parameter: 't'
+                csrf_token_id: 'self_service_logout_token'
 
     access_control:
-        - { path: ^/authentication, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel:https }
+        - { path: ^/authentication, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
         - { path: ^/, roles: ROLE_USER, requires_channel: https }
diff --git a/composer.json b/composer.json
@@ -25,9 +25,8 @@
         "jms/di-extra-bundle": "~1.4.0",
         "surfnet/stepup-middleware-client-bundle": "^1.0",
         "guzzlehttp/guzzle": "~4",
-        "simplesamlphp/saml2": "dev-master",
-        "surfnet/stepup-saml-bundle": "^1.0",
-        "surfnet/stepup-bundle": "^1.0",
+        "surfnet/stepup-saml-bundle": "^1.3.0",
+        "surfnet/stepup-bundle": "^1.1.0",
         "symfony/swiftmailer-bundle": "~2.3"
     },
     "require-dev": {

diff --git a/composer.lock b/composer.lock
diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/Controller.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/Controller.php
@@ -21,7 +21,7 @@
 use Surfnet\StepupMiddlewareClientBundle\Identity\Dto\Identity;
 use Symfony\Bundle\FrameworkBundle\Controller\Controller as FrameworkController;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
-use Symfony\Component\Security\Core\SecurityContextInterface;
+use UnexpectedValueException;
 
 class Controller extends FrameworkController
 {
@@ -31,16 +31,13 @@ class Controller extends FrameworkController
      */
     protected function getIdentity()
     {
-        /** @var SecurityContextInterface $tokenStorage */
-        $tokenStorage = $this->get('security.context');
-        $token = $tokenStorage->getToken();
-
-        $user = $token->getUser();
+        $token = $this->get('security.token_storage')->getToken();
+        $user  = $token->getUser();
 
         if (!$user instanceof Identity) {
             $actualType = is_object($token) ? get_class($token) : gettype($token);
 
-            throw new \UnexpectedValueException(
+            throw new UnexpectedValueException(
                 sprintf(
                     "Token did not contain user of type '%s', but one of type '%s'",
                     'Surfnet\StepupMiddlewareClientBundle\Identity\Dto\Identity',

diff --git a/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/LocaleController.php b/src/Surfnet/StepupSelfService/SelfServiceBundle/Controller/LocaleController.php
@@ -22,13 +22,24 @@
 use Surfnet\StepupBundle\Command\SwitchLocaleCommand;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
 final class LocaleController extends Controller
 {
     public function switchLocaleAction(Request $request)
     {
         $returnUrl = $request->query->get('return-url');
 
+        $domain = $request->getSchemeAndHttpHost();
+        if (strpos($returnUrl, $domain) !== 0) {
+            $this->get('logger')->error(sprintf(
+                'Identity "%s" used illegal return-url for redirection after changing locale, aborting request',
+                $this->getIdentity()->id
+            ));
+
+            throw new BadRequestHttpException('Invalid return-url given');
+        }
+
         /** @var LoggerInterface $logger */
         $logger = $this->get('logger');
         $logger->info('Switching locale...');