Implemented Symfony reverse proxy support for user context hash.

Ref #26

Added tests for Symfony RP

Author: lolautruche

EventListener/UserContextSubscriber.php

@@ -103,6 +103,7 @@ public function onKernelRequest(GetResponseEvent $event)
         if ($this->ttl > 0) {
             $response->setClientTtl($this->ttl);
             $response->setVary($this->userIdentifierHeaders);
+            $response->setPublic();
         } else {
             $response->setClientTtl(0);
             $response->headers->addCacheControlDirective('no-cache');

HttpCache.php

@@ -0,0 +1,174 @@
+<?php
+
+/*
+ * This file is part of the FOSHttpCacheBundle package.
+ *
+ * (c) FriendsOfSymfony <http://friendsofsymfony.github.com/>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace FOS\HttpCacheBundle;
+
+use Symfony\Bundle\FrameworkBundle\HttpCache\HttpCache as BaseHttpCache;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\HttpKernelInterface;
+
+/**
+ * Base class for enhanced Symfony reverse proxy.
+ *
+ * @author Jérôme Vieilledent <[email protected]>
+ *
+ * {@inheritdoc}
+ */
+abstract class HttpCache extends BaseHttpCache
+{
+    /**
+     * Hash for anonymous user.
+     */
+    const ANONYMOUS_HASH = '38015b703d82206ebc01d17a39c727e5';
+
+    /**
+     * Accept header value to be used to request the user hash to the backend application.
+     * It must match the one defined in FOSHttpCacheBundle's configuration.
+     */
+    const USER_HASH_ACCEPT_HEADER = 'application/vnd.fos.user-context-hash';
+
+    /**
+     * Name of the header the user context hash will be stored into.
+     * It must match the one defined in FOSHttpCacheBundle's configuration.
+     */
+    const USER_HASH_HEADER = 'X-User-Context-Hash';
+
+    /**
+     * URI used with the forwarded request for user context hash generation.
+     */
+    const USER_HASH_URI = '/_fos_user_context_hash';
+
+    /**
+     * HTTP Method used with the forwarded request for user context hash generation.
+     */
+    const USER_HASH_METHOD = 'GET';
+
+    /**
+     * Prefix for session names.
+     * Must match your session configuration.
+     */
+    const SESSION_NAME_PREFIX = 'PHPSESSID';
+
+    /**
+     * Generated user hash.
+     *
+     * @var string
+     */
+    private $userHash;
+
+    public function handle(Request $request, $type = HttpKernelInterface::MASTER_REQUEST, $catch = true)
+    {
+        if (!$this->isInternalRequest($request)) {
+            // Prevent tampering attacks on the hash mechanism
+            if ($request->headers->get('accept') === static::USER_HASH_ACCEPT_HEADER
+                || $request->headers->get(static::USER_HASH_HEADER) !== null) {
+                return new Response('', 400);
+            }
+
+            if ($request->isMethodSafe()) {
+                $request->headers->set(static::USER_HASH_HEADER, $this->getUserHash($request));
+            }
+        }
+
+        return parent::handle($request, $type, $catch);
+    }
+
+    /**
+     * Checks if passed request object is to be considered internal (e.g. for user hash lookup).
+     *
+     * @param Request $request
+     *
+     * @return bool
+     */
+    protected function isInternalRequest(Request $request)
+    {
+        return $request->attributes->get('internalRequest', false) === true;
+    }
+
+    /**
+     * Returns the user context hash for $request.
+     *
+     * @param Request $request
+     *
+     * @return string
+     */
+    protected function getUserHash(Request $request)
+    {
+        if (isset($this->userHash)) {
+            return $this->userHash;
+        }
+
+        if ($this->isAnonymous($request)) {
+            return $this->userHash = static::ANONYMOUS_HASH;
+        }
+
+        // Forward the request to generate the user hash
+        $forwardReq = $this->generateForwardRequest($request);
+        $resp = $this->handle($forwardReq);
+        // Store the user hash in memory for sub-requests (processed in the same thread).
+        return $this->userHash = $resp->headers->get(static::USER_HASH_HEADER);
+    }
+
+    /**
+     * Checks if current request is considered anonymous.
+     *
+     * @param Request $request
+     *
+     * @return bool
+     */
+    protected function isAnonymous(Request $request)
+    {
+        foreach ($request->cookies as $name => $value) {
+            if ($this->isSessionName($name)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Checks if passed string can be considered as a session name, such as would be used in cookies.
+     *
+     * @param string $name
+     *
+     * @return bool
+     */
+    protected function isSessionName($name)
+    {
+        return strpos($name, static::SESSION_NAME_PREFIX) === 0;
+    }
+
+    /**
+     * Generates the request object that will be forwarded to get the user context hash.
+     *
+     * @param Request $request
+     *
+     * @return Request
+     */
+    protected function generateForwardRequest(Request $request)
+    {
+        $forwardReq = Request::create(static::USER_HASH_URI, static::USER_HASH_METHOD, array(), $request->cookies->all(), array(), $request->server->all());
+        $forwardReq->attributes->set('internalRequest', true);
+        $forwardReq->headers->set('Accept', static::USER_HASH_ACCEPT_HEADER);
+        // Clean cookie header to only get proper sessionIds in it. This is to make the hash request cacheable.
+        $sessionIds = array();
+        foreach ($request->cookies as $name => $value) {
+            if ($this->isSessionName($name)) {
+                $sessionIds[] = $value;
+            }
+        }
+        $forwardReq->headers->set('Cookie', implode('|', $sessionIds));
+
+        return $forwardReq;
+    }
+}

Resources/doc/reference/configuration/user-context.rst

@@ -11,9 +11,44 @@ Configuration
 Caching Proxy Configuration
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-First you need to set up your caching proxy as explained in the
+Varnish
+"""""""
+
+Set up Varnish caching proxy as explained in the
 :ref:`user context documentation <foshttpcache:user-context>`.
 
+Symfony reverse proxy
+"""""""""""""""""""""
+
+If you use Symfony reverse proxy (aka ``HttpCache``), you'll need to make your ``AppCache`` class extend
+``\FOS\HttpCacheBundle\HttpCache`` instead of ``\Symfony\Bundle\FrameworkBundle\HttpCache\HttpCache``.
+
+``\FOS\HttpCacheBundle\HttpCache`` defines constants that can be overriden in your ``AppCache`` class:
+
+* ``USER_HASH_ACCEPT_HEADER``: Accept header value to be used to request the user hash to the backend application.
+  It must match the one defined in FOSHttpCacheBundle's configuration (see below).
+
+  **default**: ``application/vnd.fos.user-context-hash``
+
+* ``USER_HASH_HEADER``: Name of the header the user context hash will be stored into.
+  It must match the one defined in FOSHttpCacheBundle's configuration (see below).
+
+  **default**: ``X-User-Context-Hash``
+
+* ``USER_HASH_URI``: URI used with the forwarded request for user context hash generation.
+
+  **default**: ``/_fos_user_context_hash``
+
+* ``USER_HASH_METHOD``: HTTP Method used with the forwarded request for user context hash generation.
+
+  **default**: ``GET``
+
+* ``SESSION_NAME_PREFIX``: Prefix for session names. Must match your session configuration.
+  Needed for caching correctly generated user context hash for each user session.
+
+  **default**: ``PHPSESSID``
+
+
 Context Hash Route
 ~~~~~~~~~~~~~~~~~~
 

Tests/Unit/EventListener/UserContextSubscriberTest.php

@@ -94,7 +94,7 @@ public function testOnKernelRequestCached()
         $this->assertInstanceOf('\Symfony\Component\HttpFoundation\Response', $response);
         $this->assertEquals('hash', $response->headers->get('X-Hash'));
         $this->assertEquals('X-SessionId', $response->headers->get('Vary'));
-        $this->assertEquals('max-age=30, private', $response->headers->get('Cache-Control'));
+        $this->assertEquals('max-age=30, public', $response->headers->get('Cache-Control'));
     }
 
     public function testOnKernelRequestNotMatched()

Tests/Unit/HttpCacheTest.php

@@ -0,0 +1,145 @@
+<?php
+
+/*
+ * This file is part of the FOSHttpCacheBundle package.
+ *
+ * (c) FriendsOfSymfony <http://friendsofsymfony.github.com/>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace FOS\HttpCacheBundle\Tests\Unit;
+
+use FOS\HttpCacheBundle\HttpCache;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\HttpKernelInterface;
+
+class HttpCacheTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @return \FOS\HttpCacheBundle\HttpCache|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected function getHttpCachePartialMock(array $mockedMethods = null)
+    {
+        $mock = $this->getMockBuilder( '\FOS\HttpCacheBundle\HttpCache' )
+                     ->setMethods( $mockedMethods )
+                     ->disableOriginalConstructor()
+                     ->getMock();
+
+        // Force setting options property since we can't use original constructor.
+        $options = array(
+            'debug' => false,
+            'default_ttl' => 0,
+            'private_headers' => array( 'Authorization', 'Cookie' ),
+            'allow_reload' => false,
+            'allow_revalidate' => false,
+            'stale_while_revalidate' => 2,
+            'stale_if_error' => 60,
+        );
+
+        $refMock = new \ReflectionObject($mock);
+        $refHttpCache = $refMock
+            // \FOS\HttpCacheBundle\HttpCache
+            ->getParentClass()
+            // \Symfony\Bundle\FrameworkBundle\HttpCache\HttpCache
+            ->getParentClass()
+            // \Symfony\Component\HttpKernel\HttpCache\HttpCache
+            ->getParentClass();
+        // Workaround for Symfony 2.3 where $options property is not defined.
+        if (!$refHttpCache->hasProperty('options')) {
+            $mock->options = $options;
+        } else {
+            $refOptions = $refHttpCache
+                ->getProperty('options');
+            $refOptions->setAccessible(true);
+            $refOptions->setValue($mock, $options );
+        }
+
+        return $mock;
+    }
+
+    public function testGenerateUserHashNotAllowed()
+    {
+        $request = new Request();
+        $request->headers->set('accept', HttpCache::USER_HASH_ACCEPT_HEADER);
+        $httpCache = $this->getHttpCachePartialMock();
+        $response = $httpCache->handle($request);
+        $this->assertInstanceOf('Symfony\\Component\\HttpFoundation\\Response', $response);
+        $this->assertSame(400, $response->getStatusCode());
+    }
+
+    public function testPassingUserHashNotAllowed()
+    {
+        $request = new Request();
+        $request->headers->set(HttpCache::USER_HASH_HEADER, 'foo');
+        $httpCache = $this->getHttpCachePartialMock();
+        $response = $httpCache->handle($request);
+        $this->assertInstanceOf('Symfony\\Component\\HttpFoundation\\Response', $response);
+        $this->assertSame(400, $response->getStatusCode());
+    }
+
+    public function testUserHashAnonymous()
+    {
+        $request = new Request();
+        $catch = true;
+
+        $httpCache = $this->getHttpCachePartialMock(array('lookup'));
+        $response = new Response();
+        $httpCache
+            ->expects($this->once())
+            ->method('lookup')
+            ->with($request, $catch)
+            ->will($this->returnValue($response));
+
+        $this->assertSame($response, $httpCache->handle($request, HttpKernelInterface::MASTER_REQUEST, $catch));
+        $this->assertTrue($request->headers->has(HttpCache::USER_HASH_HEADER));
+        $this->assertSame(HttpCache::ANONYMOUS_HASH, $request->headers->get(HttpCache::USER_HASH_HEADER));
+    }
+
+    public function testUserHashUserWithSession()
+    {
+        $catch = true;
+        $sessionId = 'my_session_id';
+        $cookies = array(
+            'PHPSESSID' => $sessionId,
+            'foo' => 'bar'
+        );
+        $cookieString = "PHPSESSID=$sessionId; foo=bar";
+        $request = Request::create('/foo', 'GET', array(), $cookies, array(), array('Cookie' => $cookieString));
+        $response = new Response();
+
+        $hashRequest = Request::create(HttpCache::USER_HASH_URI, HttpCache::USER_HASH_METHOD, array(), $request->cookies->all(), array(), $request->server->all());
+        $hashRequest->attributes->set('internalRequest', true);
+        $hashRequest->headers->set('Accept', HttpCache::USER_HASH_ACCEPT_HEADER);
+        $hashRequest->headers->set('Cookie', $sessionId);
+        // Ensure request properties have been filled up.
+        $hashRequest->getPathInfo();
+        $hashRequest->getMethod();
+
+        $expectedContextHash = 'my_generated_hash';
+        // Just avoid the response to modify the request object, otherwise it's impossible to test objects equality.
+        /** @var \Symfony\Component\HttpFoundation\Response|\PHPUnit_Framework_MockObject_MockObject $hashResponse */
+        $hashResponse = $this->getMockBuilder('\Symfony\Component\HttpFoundation\Response')
+            ->setMethods(array('prepare'))
+            ->getMock();
+        $hashResponse->headers->set(HttpCache::USER_HASH_HEADER, $expectedContextHash );
+
+        $httpCache = $this->getHttpCachePartialMock(array('lookup'));
+        $httpCache
+            ->expects($this->at(0))
+            ->method('lookup')
+            ->with($hashRequest, $catch)
+            ->will($this->returnValue($hashResponse));
+        $httpCache
+            ->expects($this->at(1))
+            ->method('lookup')
+            ->with($request)
+            ->will($this->returnValue($response));
+
+        $this->assertSame($response, $httpCache->handle($request, HttpKernelInterface::MASTER_REQUEST, $catch));
+        $this->assertTrue($request->headers->has(HttpCache::USER_HASH_HEADER));
+        $this->assertSame($expectedContextHash, $request->headers->get(HttpCache::USER_HASH_HEADER));
+    }
+}