[WIP] Evented implementation for Zend Auth

composer.json

@@ -14,7 +14,8 @@
     },
     "require": {
         "php": ">=5.5",
-        "zendframework/zend-stdlib": "~2.5"
+        "zendframework/zend-stdlib": "~2.5",
+        "zendframework/zend-eventmanager": "^3.0.0"
     },
     "require-dev": {
         "zendframework/zend-db": "~2.5",

cookbook/2fa.php

@@ -0,0 +1,73 @@
+<?php
+
+/**
+ * I've left this in as a demonstration of a possible solution, however I think the complexities of 2fa should be
+ * considered separately - possibly even in it's own (zend-2fa) module.
+ */
+
+
+use Zend\Authentication\AuthenticationService;
+use Zend\EventManager\EventManager;
+
+class TwoFAListener
+{
+    public function onAuthenticate(\Zend\Authentication\Event\Authenticate $event)
+    {
+        $result = $event->getResult();
+        if ($result->isValid()) {
+            $prevResult = $event->getPreviousResult();
+            $identity = $result->getIdentity();
+
+            if ($prevResult !== null) {
+                $identity = $prevResult->getIdentity();
+            }
+
+            if (isset($identity['do2fa']) && $identity['do2fa']) {
+                $twoFactorResponse = $event->getParam('twoFactorResponse');
+
+                if (isset($twoFactorResponse)) {
+                    if (
+                        $prevResult !== null &&
+                        isset($prevResult->twoFactorToken) &&
+                        $twoFactorResponse === $prevResult->twoFactorToken
+                    ) {
+                        $result = new \Zend\Authentication\Result(\Zend\Authentication\Result::SUCCESS, $identity);
+                        $event->setResult($result);
+
+                        return $result;
+                    }
+                }
+
+                $result = new \Zend\Authentication\Result(-4, $identity, 'Requires 2 factor Auth');
+                $result->twoFactorToken = 'efg456'; //generate randomly
+                $event->setResult($result);
+                $event->stopPropagation();
+
+                return $result;
+
+            }
+        }
+
+        return $result;
+    }
+}
+
+$twoFaListener = new TwoFAListener();
+
+$callback = function ($identity, $credential) {
+    if ($identity === $credential) {
+        return new \Zend\Stdlib\ArrayObject(['identity' => $identity, 'credential' => $credential, 'do2fa' => true]);
+    }
+
+    throw new \Exception('Authentication failed');
+};
+
+$adapter = new \Zend\Authentication\Adapter\Callback($callback);
+
+$authService = new AuthenticationService(null, $adapter);
+$authService->addListener('Authenticate', [$TwoFAlistener, 'onAuthenticate'], 20);
+
+$authService->authenticate(['identity' => 'test', 'credential' => 'test']);
+
+//result success with test identity
+$authService->authenticate(['twoFactorResponse' => 'efg456']);

cookbook/AuditLog.php

@@ -0,0 +1,43 @@
+<?php
+
+use Zend\Authentication\AuthenticationService;
+use Zend\EventManager\EventManager;
+
+class AuditLog
+{
+    private $log;
+
+    /**
+     * AuditLog constructor.
+     * @TODO add dependency for a psr logger
+     * @param $log
+     */
+    public function __construct($log)
+    {
+        $this->log = $log;
+    }
+
+    public function onAuthenticationFailed(\Zend\Authentication\Event\Authenticate $event)
+    {
+        $this->log->warn(
+            sprintf('Authenication Failure for (%s) from (%s)', $event->getParam('identity'), $event->getParam('ip'))
+        );
+    }
+}
+
+$auditLog = new AuditLog(new stdClass());
+
+$callback = function ($identity, $credential) {
+    if ($identity === $credential) {
+        return new \Zend\Stdlib\ArrayObject(['identity' => $identity, 'credential' => $credential]);
+    }
+
+    throw new \Exception('Authentication failed');
+};
+
+$adapter = new \Zend\Authentication\Adapter\Callback($callback);
+
+$authService = new AuthenticationService(null, $adapter);
+$authService->addListener('AuthenticationFailed', [$auditLog, 'onAuthenticationFailed'] , -1);
+
+$authService->authenticate(['ip' => '127.0.0.1', 'identity' => 'test', 'credential' => 'failed']);

cookbook/BruteForceProtection.php

@@ -0,0 +1,79 @@
+<?php
+
+use Zend\Authentication\AuthenticationService;
+use Zend\EventManager\EventManager;
+
+class Firewall
+{
+    private $authFails = [];
+
+    public function getFailureCount($identifier)
+    {
+        if (isset($this->authFails[$identifier])) {
+            return $this->authFails[$identifier];
+        }
+
+        return 0;
+    }
+
+    public function onAuthenticate(\Zend\Authentication\Event\Authenticate $event)
+    {
+        $identity = $event->getParam('identity');
+        if ($identity !== null) {
+            if ($this->getFailurecount($identity) > 2) {
+                $result = new \Zend\Authentication\Result(-4, $identity, 'Too many failed attempts');
+                $event->setResult($result);
+                $event->stopPropagation();
+
+                return $result;
+            }
+        }
+
+        $ip = $event->getParam('ip');
+        if ($ip !== null) {
+            if ($this->getFailurecount($ip) > 2) {
+                $result = new \Zend\Authentication\Result(-4, $ip, 'Too many failed attempts');
+                $event->setResult($result);
+                $event->stopPropagation();
+
+                return $result;
+            }
+        }
+    }
+
+    public function onAuthenticationFailed(\Zend\Authentication\Event\Authenticate $event)
+    {
+        $identity = $event->getParam('identity');
+        if ($identity !== null) {
+            $this->authFails[$identity]++;
+        }
+
+        $ip = $event->getParam('ip');
+        if ($ip !== null) {
+            $this->authFails[$ip]++;
+        }
+    }
+}
+
+$firewall = new Firewall();
+
+$callback = function ($identity, $credential) {
+    if ($identity === $credential) {
+        return new \Zend\Stdlib\ArrayObject(['identity' => $identity, 'credential' => $credential]);
+    }
+
+    throw new \Exception('Authentication failed');
+};
+
+$adapter = new \Zend\Authentication\Adapter\Callback($callback);
+
+$authService = new AuthenticationService(null, $adapter, 10);
+$authService->addListener('Authenticate', [$firewall, 'onAuthenticate'] , -1);
+$authService->addListener('AuthenticationFailed', [$firewall, 'onAuthenticationFailed'] , -1);
+
+$authService->authenticate(['ip' => '127.0.0.1', 'identity' => 'test', 'credential' => 'failed']);
+$authService->authenticate(['ip' => '127.0.0.1', 'identity' => 'test', 'credential' => 'failed']);
+$authService->authenticate(['ip' => '127.0.0.1', 'identity' => 'test2', 'credential' => 'failed']);
+
+// result = failure to many attempts
+$authService->authenticate(['ip' => '127.0.0.1', 'identity' => 'test2', 'credential' => 'failed']);

cookbook/ChainedAuthentication.php

@@ -0,0 +1,34 @@
+<?php
+
+use Zend\Authentication\AuthenticationService;
+use Zend\EventManager\EventManager;
+
+$callback = function ($identity, $credential) {
+    if ($identity === $credential) {
+        return new \Zend\Stdlib\ArrayObject(['identity' => $identity, 'credential' => $credential]);
+    }
+
+    throw new \Exception('Authentication failed');
+};
+
+$adapter = new \Zend\Authentication\Adapter\Callback($callback);
+
+$callback2 = function ($identity, $credential) {
+    if ($identity === 'test' && $credential === 'tester') {
+        return new \Zend\Stdlib\ArrayObject(['identity' => $identity, 'credential' => $credential]);
+    }
+
+    throw new \Exception('Authentication failed');
+};
+
+$adapter2 = new \Zend\Authentication\Adapter\Callback($callback2);
+
+$authService = new AuthenticationService(null, $adapter, 10);
+$authService->addAdapter($adapter2, 20);
+
+//auths against adapter 1
+$authService->authenticate(['identity' => 'test', 'credential' => 'test']);
+
+//auths against adapter 2
+$authService->authenticate(['identity' => 'test', 'credential' => 'tester']);
+