vendor/ezsystems/ezpublish-kernel/eZ/Publish/Core/REST/Server/Security/RestAuthenticator.php line 37

Open in your IDE?
  1. <?php
  3. /**
  4.  * @copyright Copyright (C) eZ Systems AS. All rights reserved.
  5.  * @license For full copyright and license information view LICENSE file distributed with this source code.
  6.  */
  7. namespace eZ\Publish\Core\REST\Server\Security;
  9. use eZ\Publish\Core\MVC\ConfigResolverInterface;
  10. use eZ\Publish\Core\MVC\Symfony\Security\Authentication\AuthenticatorInterface;
  11. use eZ\Publish\Core\MVC\Symfony\Security\UserInterface as EzUser;
  12. use eZ\Publish\Core\REST\Server\Exceptions\InvalidUserTypeException;
  13. use eZ\Publish\Core\REST\Server\Exceptions\UserConflictException;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\EventDispatcher\EventDispatcherInterface;
  16. use Symfony\Component\HttpFoundation\Request;
  17. use Symfony\Component\HttpFoundation\Response;
  18. use Symfony\Component\HttpFoundation\Session\Storage\SessionStorageInterface;
  19. use Symfony\Component\HttpKernel\Event\GetResponseEvent;
  20. use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
  21. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  22. use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
  23. use Symfony\Component\Security\Core\Exception\TokenNotFoundException;
  24. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  25. use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
  26. use Symfony\Component\Security\Http\Firewall\ListenerInterface;
  27. use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;
  28. use Symfony\Component\Security\Http\Logout\SessionLogoutHandler;
  29. use Symfony\Component\Security\Http\SecurityEvents;
  31. /**
  32.  * Authenticator for REST API, mainly used for session based authentication (session creation resource).
  33.  *
  34.  * Implements \Symfony\Component\Security\Http\Firewall\ListenerInterface to be able to receive the provider key
  35.  * (firewall identifier from configuration).
  36.  */
  37. class RestAuthenticator implements ListenerInterfaceAuthenticatorInterface
  38. {
  39.     /** @var \Psr\Log\LoggerInterface */
  40.     private $logger;
  42.     /** @var \Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface */
  43.     private $authenticationManager;
  44.     /** @var string */
  45.     private $providerKey;
  47.     /** @var \Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface */
  48.     private $tokenStorage;
  50.     /** @var \Symfony\Component\EventDispatcher\EventDispatcherInterface */
  51.     private $dispatcher;
  53.     /** @var \eZ\Publish\Core\MVC\ConfigResolverInterface */
  54.     private $configResolver;
  56.     /** @var \Symfony\Component\HttpFoundation\Session\Storage\SessionStorageInterface */
  57.     private $sessionStorage;
  59.     /** @var \Symfony\Component\Security\Http\Logout\LogoutHandlerInterface[] */
  60.     private $logoutHandlers = [];
  62.     public function __construct(
  63.         TokenStorageInterface $tokenStorage,
  64.         AuthenticationManagerInterface $authenticationManager,
  65.         $providerKey,
  66.         EventDispatcherInterface $dispatcher,
  67.         ConfigResolverInterface $configResolver,
  68.         SessionStorageInterface $sessionStorage,
  69.         LoggerInterface $logger null
  70.     ) {
  71.         $this->tokenStorage $tokenStorage;
  72.         $this->authenticationManager $authenticationManager;
  73.         $this->providerKey $providerKey;
  74.         $this->dispatcher $dispatcher;
  75.         $this->configResolver $configResolver;
  76.         $this->sessionStorage $sessionStorage;
  77.         $this->logger $logger;
  78.     }
  80.     /**
  81.      * Doesn't do anything as we don't use this service with main Firewall listener.
  82.      *
  83.      * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event
  84.      */
  85.     public function handle(GetResponseEvent $event)
  86.     {
  87.         return;
  88.     }
  90.     public function authenticate(Request $request)
  91.     {
  92.         // If a token already exists and username is the same as the one we request authentication for,
  93.         // then return it and mark it as coming from session.
  94.         $previousToken $this->tokenStorage->getToken();
  95.         if (
  96.             $previousToken instanceof TokenInterface
  97.             && $previousToken->getUsername() === $request->attributes->get('username')
  98.         ) {
  99.             $previousToken->setAttribute('isFromSession'true);
  101.             return $previousToken;
  102.         }
  104.         $token $this->attemptAuthentication($request);
  105.         if (!$token instanceof TokenInterface) {
  106.             if ($this->logger) {
  107.                 $this->logger->error('REST: No token could be found in SecurityContext');
  108.             }
  110.             throw new TokenNotFoundException();
  111.         }
  113.         $this->tokenStorage->setToken($token);
  114.         $this->dispatcher->dispatch(
  115.             SecurityEvents::INTERACTIVE_LOGIN,
  116.             new InteractiveLoginEvent($request$token)
  117.         );
  119.         // Re-fetch token from SecurityContext since an INTERACTIVE_LOGIN listener might have changed it
  120.         // i.e. when using multiple user providers.
  121.         // @see \eZ\Publish\Core\MVC\Symfony\Security\EventListener\SecurityListener::onInteractiveLogin()
  122.         $token $this->tokenStorage->getToken();
  123.         $user $token->getUser();
  124.         if (!$user instanceof EzUser) {
  125.             if ($this->logger) {
  126.                 $this->logger->error('REST: Authenticated user must be eZ\Publish\Core\MVC\Symfony\Security\User, got ' is_string($user) ? $user get_class($user));
  127.             }
  129.             $e = new InvalidUserTypeException('Authenticated user is not an eZ User.');
  130.             $e->setToken($token);
  131.             throw $e;
  132.         }
  134.         // Check if newly logged in user differs from previous one.
  135.         if ($this->isUserConflict($user$previousToken)) {
  136.             $this->tokenStorage->setToken($previousToken);
  137.             throw new UserConflictException();
  138.         }
  140.         return $token;
  141.     }
  143.     /**
  144.      * @param \Symfony\Component\HttpFoundation\Request $request
  145.      *
  146.      * @return \Symfony\Component\Security\Core\Authentication\Token\TokenInterface
  147.      */
  148.     private function attemptAuthentication(Request $request)
  149.     {
  150.         return $this->authenticationManager->authenticate(
  151.             new UsernamePasswordToken(
  152.                 $request->attributes->get('username'),
  153.                 $request->attributes->get('password'),
  154.                 $this->providerKey
  155.             )
  156.         );
  157.     }
  159.     /**
  160.      * Checks if newly matched user is conflicting with previously non-anonymous logged in user, if any.
  161.      *
  162.      * @param EzUser $user
  163.      * @param TokenInterface $previousToken
  164.      *
  165.      * @return bool
  166.      */
  167.     private function isUserConflict(EzUser $userTokenInterface $previousToken null)
  168.     {
  169.         if ($previousToken === null || !$previousToken instanceof UsernamePasswordToken) {
  170.             return false;
  171.         }
  173.         $previousUser $previousToken->getUser();
  174.         if (!$previousUser instanceof EzUser) {
  175.             return false;
  176.         }
  178.         $wasAnonymous $previousUser->getAPIUser()->getUserId() == $this->configResolver->getParameter('anonymous_user_id');
  179.         // TODO: isEqualTo is not on the interface
  180.         return !$wasAnonymous && !$user->isEqualTo($previousUser);
  181.     }
  183.     public function addLogoutHandler(LogoutHandlerInterface $handler)
  184.     {
  185.         $this->logoutHandlers[] = $handler;
  186.     }
  188.     public function logout(Request $request)
  189.     {
  190.         $response = new Response();
  192.         // Manually clear the session through session storage.
  193.         // Session::invalidate() is not called on purpose, to avoid unwanted session migration that would imply
  194.         // generation of a new session id.
  195.         // REST logout must indeed clear the session cookie.
  196.         // See \eZ\Publish\Core\REST\Server\Security\RestLogoutHandler
  197.         $this->sessionStorage->clear();
  199.         $token $this->tokenStorage->getToken();
  200.         foreach ($this->logoutHandlers as $handler) {
  201.             // Explicitly ignore SessionLogoutHandler as we do session invalidation manually here,
  202.             // through the session storage, to avoid unwanted session migration.
  203.             if ($handler instanceof SessionLogoutHandler) {
  204.                 continue;
  205.             }
  207.             $handler->logout($request$response$token);
  208.         }
  210.         return $response;
  211.     }
  212. }