add asset protection

README.md

@@ -6,7 +6,7 @@
 
 | Release | Supported Pimcore Versions | Supported Symfony Versions | Release Date | Maintained     | Branch |
 |---------|----------------------------|----------------------------|--------------|----------------|--------|
-| **1.x** | `^11.2`                    | `6.2`                      | --           | Feature Branch | master |
+| **1.x** | `^11.3`                    | `6.2`                      | --           | Feature Branch | master |
 
 
 ## Installation
@@ -44,6 +44,8 @@ Encrypt/Decrypt assets on the fly!
 
 ## Configuration
 
+### File Encryption
+
 ```yaml
 secure_storage:
     encrypter:
@@ -54,12 +56,8 @@ secure_storage:
     secured_fly_system_storages:
 
         # form builder (if you want to encrypt form builder data)
-        -
-            storage: form_builder.chunk.storage
-            paths: null
-        -
-            storage: form_builder.files.storage
-            paths: null
+        - storage: form_builder.chunk.storage
+        - storage: form_builder.files.storage
 
         # pimcore
         -
@@ -69,11 +67,33 @@ secure_storage:
                 - /formdata
 ```
 
-## Custom Encrypter
+#### Custom Encrypter
 TBD
 
 ***
 
+### Asset Protection
+
+```yaml
+secure_storage:
+
+    pimcore_asset_protection:
+
+        # protects:
+        # - public/var/assets [pimcore.asset.storage]
+        # - public/tmp/asset-cache [pimcore.asset_cache.storage]
+        # - public/tmp/thumbnails [pimcore.thumbnail.storage]
+        htaccess_protection_public_directories:
+            paths:
+                - /secure-storage
+
+        omit_backend_search_indexing:
+            paths:
+                - /secure-storage
+```
+
+***
+
 ## Copyright and license
 Copyright: [DACHCOM.DIGITAL](http://dachcom-digital.ch)  
 For licensing details please visit [LICENSE.md](LICENSE.md)  

composer.json

@@ -31,7 +31,7 @@
         }
     },
     "require": {
-        "pimcore/pimcore": "^11.0"
+        "pimcore/pimcore": "^11.3"
     },
     "require-dev": {
         "codeception/codeception": "^5.0",

config/pimcore/config.yaml

@@ -0,0 +1,6 @@
+framework:
+    messenger:
+        buses:
+            messenger.bus.pimcore-core:
+                middleware:
+                    - SecureStorageBundle\Messenger\Middleware\GuardMiddleware

config/services.yaml

@@ -1,2 +1,2 @@
 imports:
-    - { resource: services/*.yaml }
+    - { resource: services/*.yaml }

config/services/maintenance.yaml

@@ -0,0 +1,14 @@
+services:
+    _defaults:
+        autowire: true
+        autoconfigure: true
+        public: false
+
+    SecureStorageBundle\Maintenance\ProtectPublicDirectoriesTask:
+        autowire: true
+        autoconfigure: true
+        arguments:
+            $secureStorageConfig: '%pimcore.secure_storage.config%'
+            $locator: !tagged_locator { tag: flysystem.storage }
+        tags:
+            - { name: pimcore.maintenance.task, type: secure_storage_protect_public_directories }

config/services/messenger.yaml

@@ -0,0 +1,11 @@
+services:
+    _defaults:
+        autowire: true
+        autoconfigure: true
+        public: false
+
+    SecureStorageBundle\Messenger\Middleware\GuardMiddleware:
+        arguments:
+            $secureStorageConfig: '%pimcore.secure_storage.config%'
+        tags:
+            - { name: messenger.middleware }

src/DependencyInjection/Configuration.php

@@ -22,22 +22,50 @@ public function getConfigTreeBuilder(): TreeBuilder
                         ->variableNode('options')->defaultValue([])->end()
                     ->end()
                 ->end()
+
                 ->arrayNode('secured_fly_system_storages')
                     ->prototype('array')
+                        ->addDefaultsIfNotSet()
+                        ->children()
+                            ->scalarNode('storage')
+                                ->isRequired()
+                                ->validate()
+                                    ->ifNull()
+                                    ->thenInvalid('Invalid storage %s')
+                                ->end()
+                            ->end()
+                            ->arrayNode('paths')
+                                ->prototype('scalar')->end()
+                            ->end()
+                            ->booleanNode('allow_asset_preview_image_generation')->defaultFalse()->end()
+                            ->booleanNode('allow_asset_update_preview_image_generation')->defaultFalse()->end()
+                            ->booleanNode('allow_image_optimizing')->defaultFalse()->end()
+                        ->end()
+                    ->end()
+                ->end()
+
+                ->arrayNode('pimcore_asset_protection')
                     ->addDefaultsIfNotSet()
                     ->children()
-                        ->scalarNode('storage')
-                            ->isRequired()
-                            ->validate()
-                                ->ifNull()
-                                ->thenInvalid('Invalid storage %s')
+                        ->arrayNode('htaccess_protection_public_directories')
+                            ->addDefaultsIfNotSet()
+                            ->children()
+                                ->arrayNode('paths')
+                                    ->prototype('scalar')->end()
+                                ->end()
                             ->end()
                         ->end()
-                        ->arrayNode('paths')
-                            ->prototype('scalar')->end()
+                        ->arrayNode('omit_backend_search_indexing')
+                            ->addDefaultsIfNotSet()
+                            ->children()
+                                ->arrayNode('paths')
+                                    ->prototype('scalar')->end()
+                                ->end()
+                            ->end()
                         ->end()
                     ->end()
                 ->end()
+
             ->end();
 
         return $treeBuilder;

src/Flysystem/Adapter/SecuredAdapter.php

@@ -26,7 +26,7 @@ private function isSecuredPath(string $path): bool
             return true;
         }
 
-        foreach($this->securedPaths as $securedPath) {
+        foreach ($this->securedPaths as $securedPath) {
             if (str_starts_with($path, ltrim($securedPath, '/'))) {
                 return true;
             }
@@ -47,6 +47,12 @@ public function directoryExists(string $path): bool
 
     public function write(string $path, string $contents, Config $config): void
     {
+        if ($config->get('bypass_secured_adapter') === true) {
+            $this->inner->write($path, $contents, $config);
+
+            return;
+        }
+
         if (!$this->isSecuredPath($path)) {
             $this->inner->write($path, $contents, $config);
 
@@ -64,6 +70,12 @@ public function write(string $path, string $contents, Config $config): void
 
     public function writeStream(string $path, $contents, Config $config): void
     {
+        if ($config->get('bypass_secured_adapter') === true) {
+            $this->inner->write($path, $contents, $config);
+
+            return;
+        }
+
         if (!$this->isSecuredPath($path)) {
             $this->inner->writeStream($path, $contents, $config);
 

src/Maintenance/ProtectPublicDirectoriesTask.php

@@ -0,0 +1,77 @@
+<?php
+
+namespace SecureStorageBundle\Maintenance;
+
+use League\Flysystem\FilesystemOperator;
+use Pimcore\Maintenance\TaskInterface;
+use Psr\Container\ContainerInterface;
+
+class ProtectPublicDirectoriesTask implements TaskInterface
+{
+    public function __construct(
+        protected array $secureStorageConfig,
+        protected ContainerInterface $locator
+    ) {
+    }
+
+    public function execute(): void
+    {
+        $assetProtectionConfig = $this->secureStorageConfig['pimcore_asset_protection']['htaccess_protection_public_directories'];
+
+        if (count($assetProtectionConfig['paths']) === 0) {
+            return;
+        }
+
+        foreach ($assetProtectionConfig['paths'] as $protectedPath) {
+            $this->protectPath($protectedPath);
+        }
+    }
+
+    private function protectPath(string $protectedPath): void
+    {
+        $data = implode(PHP_EOL, $this->getProtectionLines());
+
+        $storages = [
+            'pimcore.asset.storage',
+            'pimcore.asset_cache.storage',
+            'pimcore.thumbnail.storage'
+        ];
+
+        foreach ($storages as $storageName) {
+
+            $storage = $this->getStorage($storageName);
+
+            if ($protectedPath === '/') {
+
+                $secureFilePath = '.htaccess';
+                if (!$storage->fileExists($secureFilePath)) {
+                    $storage->write($secureFilePath, $data, ['bypass_secured_adapter' => true]);
+                }
+
+                continue;
+            }
+
+            $secureFilePath = sprintf('%s/.htaccess', $protectedPath);
+            if ($storage->directoryExists($protectedPath) && !$storage->fileExists($secureFilePath)) {
+                $storage->write($secureFilePath, $data, ['bypass_secured_adapter' => true]);
+            }
+        }
+    }
+
+    private function getStorage(string $name): FilesystemOperator
+    {
+        return $this->locator->get($name);
+    }
+
+    private function getProtectionLines(): array
+    {
+        $data = [];
+
+        $data[] = 'RewriteEngine On';
+        $data[] = 'RewriteCond %{HTTP_HOST}==%{HTTP_REFERER} !^(.*?)==https?://\1/admin/ [OR]';
+        $data[] = 'RewriteCond %{HTTP_COOKIE} !^.*pimcore_admin_sid.*$ [NC]';
+        $data[] = 'RewriteRule ^ - [L,F]';
+
+        return $data;
+    }
+}