Merge pull request #24 from GoogleChromeLabs/ineffective-config

Ineffective config
GoogleChromeLabs · Sep 1, 2020 · 3c321a1 · 3c321a1
2 parents 0ce6430 + f61a95c
commit 3c321a1
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 2 deletions.
diff --git a/EventSubscriber/ResponseSubscriber.php b/EventSubscriber/ResponseSubscriber.php
@@ -3,18 +3,20 @@
 namespace Ise\WebSecurityBundle\EventSubscriber;
 
 use Ise\WebSecurityBundle\Options\ConfigProviderInterface;
-use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 use Symfony\Component\HttpKernel\Event\ResponseEvent;
 use Symfony\Component\HttpKernel\KernelEvents;
+use Ise\WebSecurityBundle\Options\ContextChecker;
 
 class ResponseSubscriber implements EventSubscriberInterface
 {
     private $configProvider;
+    private $context;
 
-    public function __construct(ConfigProviderInterface $configProvider)
+    public function __construct(ConfigProviderInterface $configProvider, ContextChecker $context)
     {
         $this->configProvider = $configProvider;
+        $this->context = $context;
     }
 
     public static function getSubscribedEvents()
@@ -34,11 +36,14 @@ public function responseEvent(ResponseEvent $event)
 
         $options = $this->configProvider->getPathConfig($request);
 
+
         if ($options['coop']['active']) {
+            $this->context->checkSecure($request, 'COOP');
             $response->headers->set('Cross-Origin-Opener-Policy', $options['coop']['policy']);
         }
 
         if ($options['coep']['active']) {
+            $this->context->checkSecure($request, 'COEP');
             $response->headers->set('Cross-Origin-Embedder-Policy', $options['coep']['policy']);
         }
 

diff --git a/Options/ContextChecker.php b/Options/ContextChecker.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace Ise\WebSecurityBundle\Options;
+
+use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpFoundation\Request;
+
+class ContextChecker
+{
+    private $insecureMessage = "Warning: request from %s is an insecure context. %s policy may not be active as it requires a secure context.";
+    private $logger;
+    public function __construct(LoggerInterface $logger)
+    {
+        $this->logger = $logger;
+    }
+
+    public function checkSecure(Request $request, String $policy)
+    {
+        if (!$request->isSecure()) {
+            $insecureLog = sprintf($this->insecureMessage, $request->getUri(), $policy);
+            $this->logger->error($insecureLog);
+        }
+    }
+}
diff --git a/tests/ContextCheckerTest.php b/tests/ContextCheckerTest.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace Ise\WebSecurityBundle\Tests;
+
+use Ise\WebSecurityBundle\Options\ContextChecker;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Log\Logger;
+
+class IseWebSecurityContextCheckerTest extends TestCase
+{
+    public function testSecureContext()
+    {
+        $logger = $this->getMockBuilder(Logger::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $context = new ContextChecker($logger);
+
+        $request = Request::create('https://127.0.0.1');
+
+        $context->checkSecure($request, 'COOP');
+        $logger->expects($this->never())
+            ->method('error');
+    }
+}