<?php
namespace LiteDesk\CoreBundle\Security;
use LiteDesk\CoreBundle\Util\AADAuthUtils;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\SimpleAuthenticatorInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\AdvancedUserInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
use Symfony\Component\Security\Guard\GuardAuthenticatorInterface;
use Symfony\Component\Security\Http\Authentication\SimpleFormAuthenticatorInterface;
use JMS\DiExtraBundle\Annotation\Service;
use JMS\DiExtraBundle\Annotation\InjectParams;
use JMS\DiExtraBundle\Annotation\Inject;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
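/**
 * Guard authenticator for Azure App Service ("EasyAuth") Azure AD sign-ins.
 *
 * The platform completes the login and forwards the user's AAD ID token in the
 * X-MS-TOKEN-AAD-ID-TOKEN request header; this class only reads claims out of
 * that header. No signature, issuer, audience or expiry check happens here and
 * checkCredentials() accepts every user, so the authenticator is only sound when
 * that header can be set exclusively by the App Service authentication layer
 * (i.e. the application is not reachable on a path that bypasses it).
 *
 * @Service("security.app_service_aad_authenticator")
 */
class AppServiceAADAuthenticator extends AbstractGuardAuthenticator
{
    /** ID-token claim carrying the personnel number; preferred over the e-mail claim. */
    const U_NUMBER_TOKEN_FIELD = 'governorTKID';

    /** ID-token claim used as the fallback credential when no personnel number is present. */
    const EMAIL_TOKEN_FIELD = 'email';

    /** Personnel number ("Max Mustermann") that dev-only aliases resolve to. */
    const DEV_FALLBACK_PERSONNEL_NUMBER = 999999;

    /** @var UserPasswordEncoderInterface injected for DI parity; not used by this authenticator */
    private $encoder;

    /** @var ContainerInterface */
    private $container;

    /**
     * @InjectParams({
     * "encoder" = @Inject("security.password_encoder"),
     * "container" = @Inject("service_container"),
     * })
     */
    public function __construct(UserPasswordEncoderInterface $encoder, ContainerInterface $container)
    {
        $this->encoder = $encoder;
        $this->container = $container;
    }

    /**
     * @return ContainerInterface
     */
    protected function getContainer()
    {
        return $this->container;
    }

    /**
     * Entry point invoked when an unauthenticated request reaches a protected resource.
     *
     * NOTE(review): when mustRedirectToAuthentication() is false this method returns
     * nothing, although an entry point is expected to return a Response; confirm that
     * branch is unreachable before relying on it.
     *
     * @throws AuthenticationException when AADAuthUtils reports the request must be redirected
     */
    public function start(Request $request, AuthenticationException $authException = null)
    {
        if (AADAuthUtils::mustRedirectToAuthentication($request)) {
            throw new AuthenticationException('NO_AUTHENTICATION_FOUND');
        }
    }

    /**
     * Extracts the credential from the App Service ID-token header.
     *
     * Returns the personnel-number claim when present, otherwise the e-mail claim,
     * otherwise null. Only the payload segment of the JWT is decoded; nothing about
     * the token is verified here (see the class description).
     *
     * @return mixed|null the raw claim value, or null when no usable claim exists
     * @throws AuthenticationException when AADAuthUtils reports the request must be redirected
     */
    public function getCredentials(Request $request)
    {
        if (AADAuthUtils::mustRedirectToAuthentication($request)) {
            throw new AuthenticationException('NO_AUTHENTICATION_FOUND');
        }

        $idToken = $request->server->get('HTTP_X_MS_TOKEN_AAD_ID_TOKEN', null);
        if (!$idToken) {
            return null;
        }

        $claims = $this->decodeIdTokenPayload($idToken);
        if ($claims === null) {
            return null;
        }

        // empty() == "not set or falsy": an absent, null, '' or '0' claim is skipped.
        if (!empty($claims[self::U_NUMBER_TOKEN_FIELD])) {
            return $claims[self::U_NUMBER_TOKEN_FIELD];
        }
        if (!empty($claims[self::EMAIL_TOKEN_FIELD])) {
            return $claims[self::EMAIL_TOKEN_FIELD];
        }

        return null;
    }

    /**
     * Decodes the payload (second) segment of a compact JWT without verifying it.
     *
     * JWT segments are base64url-encoded (RFC 7515): '-' and '_' stand in for '+'
     * and '/', and '=' padding is stripped. Passing such a segment straight to
     * base64_decode() silently drops the url-safe characters and yields corrupted
     * JSON, so the alphabet is translated and the padding restored first.
     *
     * @param string $idToken raw compact-serialised JWT
     * @return array|null decoded claims, or null when the token is malformed
     */
    private function decodeIdTokenPayload($idToken)
    {
        $segments = explode('.', (string) $idToken);
        if (count($segments) < 2) {
            return null;
        }

        $encoded = strtr($segments[1], '-_', '+/');
        $remainder = strlen($encoded) % 4;
        if ($remainder !== 0) {
            $encoded .= str_repeat('=', 4 - $remainder);
        }

        // strict mode: reject anything outside the base64 alphabet instead of guessing
        $json = base64_decode($encoded, true);
        if ($json === false) {
            return null;
        }

        $claims = json_decode($json, true);

        return is_array($claims) ? $claims : null;
    }

    /**
     * Test users and the HR-colleague mapping are only available in the dev environment.
     *
     * @return bool
     */
    protected function isTestUserPossible()
    {
        // isset() first so a missing SYMFONY_ENV yields false rather than a notice
        return isset($_ENV['SYMFONY_ENV']) && $_ENV['SYMFONY_ENV'] === 'dev';
    }

    /**
     * Resolves a dev-only test account for a known e-mail credential.
     *
     * @param mixed $credentials value returned by getCredentials()
     * @return UserInterface|null the mapped user, or null outside dev / for unknown e-mails
     */
    protected function getTestUser($credentials, UserProviderInterface $userProvider)
    {
        if (!$this->isTestUserPossible()) {
            return null;
        }

        // Dev-only aliases: lower-cased login e-mail => personnel number known to the provider.
        $testUserMap = [
            'marc-severin-manfred.burgstaller.sp@dlh.de' => self::DEV_FALLBACK_PERSONNEL_NUMBER,
            'manuela.remus-woelffling@dlh.de' => 212884,
            'cihan.simsek@dlh.de' => 733143,
            'robert.barbieri@dlh.de' => 201230,
        ];

        $email = strtolower($credentials);
        if (!isset($testUserMap[$email])) {
            return null;
        }

        return $userProvider->loadUserByUsername($testUserMap[$email]);
    }

    /**
     * Loads the user for the extracted credential.
     *
     * The credential must contain a six-digit personnel number. The pattern is
     * unanchored, so the first run of six digits anywhere in the value is used,
     * including digits inside an e-mail address returned by the e-mail fallback.
     *
     * @param mixed $credentials value returned by getCredentials()
     * @return UserInterface
     * @throws AuthenticationException when no six-digit number is present
     * @throws UsernameNotFoundException propagated from the user provider when the number is unknown
     */
    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        $testUser = $this->getTestUser($credentials, $userProvider);
        if ($testUser) {
            return $testUser;
        }

        if (!preg_match('/([0-9]{6})/', $credentials, $matches)) {
            throw new AuthenticationException('Wrong username');
        }
        $personalNumber = $matches[1];

        // We map HR colleagues to Max Mustermann in the dev environment.
        $hrColleagues = ['266845', '541546', '760449'];
        if ($this->isTestUserPossible() && in_array($personalNumber, $hrColleagues, true)) {
            $personalNumber = self::DEV_FALLBACK_PERSONNEL_NUMBER;
        }

        return $userProvider->loadUserByUsername($personalNumber);
    }

    /**
     * Deliberately always succeeds: the identity is taken on trust from the
     * App Service header, so there is no password or token to check here.
     *
     * @return bool
     */
    public function checkCredentials($credentials, UserInterface $user)
    {
        return true;
    }

    /**
     * @return Response redirect to the login flow built by AADAuthUtils
     */
    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
    {
        return AADAuthUtils::getLoginRedirectResponse($request);
    }

    /**
     * Returns null so the original request continues instead of being redirected.
     *
     * @return null
     */
    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
    {
        return null;
    }

    /**
     * @return bool
     */
    public function supportsRememberMe()
    {
        return false;
    }
}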