vendor/ibexa/rest/src/lib/Server/Security/RestAuthenticator.php line 35

Open in your IDE?
  1. <?php
  3. /**
  4. * @copyright Copyright (C) Ibexa AS. All rights reserved.
  5. * @license For full copyright and license information view LICENSE file distributed with this source code.
  6. */
  7. namespace Ibexa\Rest\Server\Security;
  9. use Ibexa\Contracts\Core\SiteAccess\ConfigResolverInterface;
  10. use Ibexa\Core\MVC\Symfony\Security\Authentication\AuthenticatorInterface;
  11. use Ibexa\Core\MVC\Symfony\Security\UserInterface as IbexaUser;
  12. use Ibexa\Rest\Server\Exceptions\InvalidUserTypeException;
  13. use Ibexa\Rest\Server\Exceptions\UserConflictException;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\EventDispatcher\EventDispatcherInterface;
  16. use Symfony\Component\HttpFoundation\Request;
  17. use Symfony\Component\HttpFoundation\Response;
  18. use Symfony\Component\HttpKernel\Event\RequestEvent;
  19. use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
  20. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  21. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  22. use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
  23. use Symfony\Component\Security\Core\Exception\TokenNotFoundException;
  24. use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
  25. use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;
  26. use Symfony\Component\Security\Http\Logout\SessionLogoutHandler;
  27. use Symfony\Component\Security\Http\SecurityEvents;
  29. /**
  30. * Authenticator for REST API, mainly used for session based authentication (session creation resource).
  31. *
  32. * Implements \Symfony\Component\Security\Http\Firewall\ListenerInterface to be able to receive the provider key
  33. * (firewall identifier from configuration).
  34. */
  35. class RestAuthenticator implements AuthenticatorInterface
  36. {
  37. /**
  38. * @var \Psr\Log\LoggerInterface
  39. */
  40. private $logger;
  42. /**
  43. * @var \Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface
  44. */
  45. private $authenticationManager;
  47. /**
  48. * @var string
  49. */
  50. private $providerKey;
  52. /**
  53. * @var \Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface
  54. */
  55. private $tokenStorage;
  57. /**
  58. * @var \Symfony\Component\EventDispatcher\EventDispatcherInterface
  59. */
  60. private $dispatcher;
  62. /**
  63. * @var \Ibexa\Contracts\Core\SiteAccess\ConfigResolverInterface
  64. */
  65. private $configResolver;
  67. /**
  68. * @var \Symfony\Component\Security\Http\Logout\LogoutHandlerInterface[]
  69. */
  70. private $logoutHandlers = [];
  72. public function __construct(
  73. TokenStorageInterface $tokenStorage,
  74. AuthenticationManagerInterface $authenticationManager,
  75. $providerKey,
  76. EventDispatcherInterface $dispatcher,
  77. ConfigResolverInterface $configResolver,
  78. LoggerInterface $logger = null
  79. ) {
  80. $this->tokenStorage = $tokenStorage;
  81. $this->authenticationManager = $authenticationManager;
  82. $this->providerKey = $providerKey;
  83. $this->dispatcher = $dispatcher;
  84. $this->configResolver = $configResolver;
  85. $this->logger = $logger;
  86. }
  88. /**
  89. * Doesn't do anything as we don't use this service with main Firewall listener.
  90. *
  91. * @param \Symfony\Component\HttpKernel\Event\RequestEvent $event
  92. */
  93. public function __invoke(RequestEvent $event)
  94. {
  95. return;
  96. }
  98. public function authenticate(Request $request)
  99. {
  100. // If a token already exists and username is the same as the one we request authentication for,
  101. // then return it and mark it as coming from session.
  102. $previousToken = $this->tokenStorage->getToken();
  103. if (
  104. $previousToken instanceof TokenInterface
  105. && $previousToken->getUsername() === $request->attributes->get('username')
  106. ) {
  107. $previousToken->setAttribute('isFromSession', true);
  109. return $previousToken;
  110. }
  112. $token = $this->attemptAuthentication($request);
  113. if (!$token instanceof TokenInterface) {
  114. if ($this->logger) {
  115. $this->logger->error('REST: No token could be found in SecurityContext');
  116. }
  118. throw new TokenNotFoundException();
  119. }
  121. $this->tokenStorage->setToken($token);
  122. $this->dispatcher->dispatch(new InteractiveLoginEvent($request, $token), SecurityEvents::INTERACTIVE_LOGIN);
  124. // Re-fetch token from SecurityContext since an INTERACTIVE_LOGIN listener might have changed it
  125. // i.e. when using multiple user providers.
  126. // @see \Ibexa\Core\MVC\Symfony\Security\EventListener\SecurityListener::onInteractiveLogin()
  127. $token = $this->tokenStorage->getToken();
  128. $user = $token->getUser();
  129. if (!$user instanceof IbexaUser) {
  130. if ($this->logger) {
  131. $this->logger->error('REST: Authenticated user must be Ibexa\\Core\\MVC\\Symfony\\Security\\User, got ' . is_string($user) ? $user : get_class($user));
  132. }
  134. $e = new InvalidUserTypeException('Authenticated user is not an Ibexa User.');
  135. $e->setToken($token);
  136. throw $e;
  137. }
  139. // Check if newly logged in user differs from previous one.
  140. if ($this->isUserConflict($user, $previousToken)) {
  141. $this->tokenStorage->setToken($previousToken);
  142. throw new UserConflictException();
  143. }
  145. return $token;
  146. }
  148. /**
  149. * @param \Symfony\Component\HttpFoundation\Request $request
  150. *
  151. * @return \Symfony\Component\Security\Core\Authentication\Token\TokenInterface
  152. */
  153. private function attemptAuthentication(Request $request)
  154. {
  155. return $this->authenticationManager->authenticate(
  156. new UsernamePasswordToken(
  157. $request->attributes->get('username'),
  158. $request->attributes->get('password'),
  159. $this->providerKey
  160. )
  161. );
  162. }
  164. /**
  165. * Checks if newly matched user is conflicting with previously non-anonymous logged in user, if any.
  166. *
  167. * @param \Ibexa\Core\MVC\Symfony\Security\UserInterface $user
  168. * @param \Symfony\Component\Security\Core\Authentication\Token\TokenInterface $previousToken
  169. *
  170. * @return bool
  171. */
  172. private function isUserConflict(IbexaUser $user, TokenInterface $previousToken = null)
  173. {
  174. if ($previousToken === null || !$previousToken instanceof UsernamePasswordToken) {
  175. return false;
  176. }
  178. $previousUser = $previousToken->getUser();
  179. if (!$previousUser instanceof IbexaUser) {
  180. return false;
  181. }
  183. $wasAnonymous = $previousUser->getAPIUser()->getUserId() == $this->configResolver->getParameter('anonymous_user_id');
  184. // TODO: isEqualTo is not on the interface
  185. return !$wasAnonymous && !$user->isEqualTo($previousUser);
  186. }
  188. public function addLogoutHandler(LogoutHandlerInterface $handler)
  189. {
  190. $this->logoutHandlers[] = $handler;
  191. }
  193. public function logout(Request $request)
  194. {
  195. $response = new Response();
  197. // Manually clear the session through session storage.
  198. // Session::invalidate() is not called on purpose, to avoid unwanted session migration that would imply
  199. // generation of a new session id.
  200. // REST logout must indeed clear the session cookie.
  201. // See \Ibexa\Rest\Server\Security\RestLogoutHandler
  202. $request->getSession()->clear();
  204. $token = $this->tokenStorage->getToken();
  205. foreach ($this->logoutHandlers as $handler) {
  206. // Explicitly ignore SessionLogoutHandler as we do session invalidation manually here,
  207. // through the session storage, to avoid unwanted session migration.
  208. if ($handler instanceof SessionLogoutHandler) {
  209. continue;
  210. }
  212. $handler->logout($request, $response, $token);
  213. }
  215. return $response;
  216. }
  217. }
  219. class_alias(RestAuthenticator::class, 'EzSystems\EzPlatformRest\Server\Security\RestAuthenticator');