vendor/symfony/symfony/src/Symfony/Component/Security/Guard/Firewall/GuardAuthenticationListener.php line 38

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Component\Security\Guard\Firewall;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\HttpFoundation\Request;
  16. use Symfony\Component\HttpFoundation\Response;
  17. use Symfony\Component\HttpKernel\Event\GetResponseEvent;
  18. use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
  19. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  20. use Symfony\Component\Security\Core\Exception\AccountStatusException;
  21. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  22. use Symfony\Component\Security\Core\Exception\BadCredentialsException;
  23. use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
  24. use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
  25. use Symfony\Component\Security\Guard\AuthenticatorInterface;
  26. use Symfony\Component\Security\Guard\GuardAuthenticatorHandler;
  27. use Symfony\Component\Security\Guard\GuardAuthenticatorInterface;
  28. use Symfony\Component\Security\Guard\Token\PreAuthenticationGuardToken;
  29. use Symfony\Component\Security\Http\Firewall\ListenerInterface;
  30. use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface;
  32. /**
  33.  * Authentication listener for the "guard" system.
  34.  *
  35.  * @author Ryan Weaver <ryan@knpuniversity.com>
  36.  * @author Amaury Leroux de Lens <amaury@lerouxdelens.com>
  37.  */
  38. class GuardAuthenticationListener implements ListenerInterface
  39. {
  40.     private $guardHandler;
  41.     private $authenticationManager;
  42.     private $providerKey;
  43.     private $guardAuthenticators;
  44.     private $logger;
  45.     private $rememberMeServices;
  46.     private $hideUserNotFoundExceptions;
  48.     /**
  49.      * @param GuardAuthenticatorHandler         $guardHandler          The Guard handler
  50.      * @param AuthenticationManagerInterface    $authenticationManager An AuthenticationManagerInterface instance
  51.      * @param string                            $providerKey           The provider (i.e. firewall) key
  52.      * @param iterable|AuthenticatorInterface[] $guardAuthenticators   The authenticators, with keys that match what's passed to GuardAuthenticationProvider
  53.      * @param LoggerInterface                   $logger                A LoggerInterface instance
  54.      */
  55.     public function __construct(GuardAuthenticatorHandler $guardHandlerAuthenticationManagerInterface $authenticationManager$providerKey$guardAuthenticatorsLoggerInterface $logger null$hideUserNotFoundExceptions true)
  56.     {
  57.         if (empty($providerKey)) {
  58.             throw new \InvalidArgumentException('$providerKey must not be empty.');
  59.         }
  61.         $this->guardHandler $guardHandler;
  62.         $this->authenticationManager $authenticationManager;
  63.         $this->providerKey $providerKey;
  64.         $this->guardAuthenticators $guardAuthenticators;
  65.         $this->logger $logger;
  66.         $this->hideUserNotFoundExceptions $hideUserNotFoundExceptions;
  67.     }
  69.     /**
  70.      * Iterates over each authenticator to see if each wants to authenticate the request.
  71.      */
  72.     public function handle(GetResponseEvent $event)
  73.     {
  74.         if (null !== $this->logger) {
  75.             $context = ['firewall_key' => $this->providerKey];
  77.             if ($this->guardAuthenticators instanceof \Countable || \is_array($this->guardAuthenticators)) {
  78.                 $context['authenticators'] = \count($this->guardAuthenticators);
  79.             }
  81.             $this->logger->debug('Checking for guard authentication credentials.'$context);
  82.         }
  84.         foreach ($this->guardAuthenticators as $key => $guardAuthenticator) {
  85.             // get a key that's unique to *this* guard authenticator
  86.             // this MUST be the same as GuardAuthenticationProvider
  87.             $uniqueGuardKey $this->providerKey.'_'.$key;
  89.             $this->executeGuardAuthenticator($uniqueGuardKey$guardAuthenticator$event);
  91.             if ($event->hasResponse()) {
  92.                 if (null !== $this->logger) {
  93.                     $this->logger->debug('The "{authenticator}" authenticator set the response. Any later authenticator will not be called', ['authenticator' => \get_class($guardAuthenticator)]);
  94.                 }
  96.                 break;
  97.             }
  98.         }
  99.     }
  101.     private function executeGuardAuthenticator($uniqueGuardKeyGuardAuthenticatorInterface $guardAuthenticatorGetResponseEvent $event)
  102.     {
  103.         $request $event->getRequest();
  104.         try {
  105.             // abort the execution of the authenticator if it doesn't support the request
  106.             if ($guardAuthenticator instanceof AuthenticatorInterface) {
  107.                 if (null !== $this->logger) {
  108.                     $this->logger->debug('Checking support on guard authenticator.', ['firewall_key' => $this->providerKey'authenticator' => \get_class($guardAuthenticator)]);
  109.                 }
  111.                 if (!$guardAuthenticator->supports($request)) {
  112.                     if (null !== $this->logger) {
  113.                         $this->logger->debug('Guard authenticator does not support the request.', ['firewall_key' => $this->providerKey'authenticator' => \get_class($guardAuthenticator)]);
  114.                     }
  116.                     return;
  117.                 }
  118.                 // as there was a support for given request,
  119.                 // authenticator is expected to give not-null credentials.
  120.                 $credentialsCanBeNull false;
  121.             } else {
  122.                 // deprecated since version 3.4, to be removed in 4.0
  123.                 $credentialsCanBeNull true;
  124.             }
  126.             if (null !== $this->logger) {
  127.                 $this->logger->debug('Calling getCredentials() on guard authenticator.', ['firewall_key' => $this->providerKey'authenticator' => \get_class($guardAuthenticator)]);
  128.             }
  130.             // allow the authenticator to fetch authentication info from the request
  131.             $credentials $guardAuthenticator->getCredentials($request);
  133.             if (null === $credentials) {
  134.                 // deprecated since version 3.4, to be removed in 4.0
  135.                 if ($credentialsCanBeNull) {
  136.                     return;
  137.                 }
  139.                 if ($guardAuthenticator instanceof AbstractGuardAuthenticator) {
  140.                     @trigger_error(sprintf('Returning null from "%1$s::getCredentials()" is deprecated since Symfony 3.4 and will throw an \UnexpectedValueException in 4.0. Return false from "%1$s::supports()" instead.', \get_class($guardAuthenticator)), \E_USER_DEPRECATED);
  142.                     return;
  143.                 }
  145.                 throw new \UnexpectedValueException(sprintf('The return value of "%1$s::getCredentials()" must not be null. Return false from "%1$s::supports()" instead.', \get_class($guardAuthenticator)));
  146.             }
  148.             // create a token with the unique key, so that the provider knows which authenticator to use
  149.             $token = new PreAuthenticationGuardToken($credentials$uniqueGuardKey);
  151.             if (null !== $this->logger) {
  152.                 $this->logger->debug('Passing guard token information to the GuardAuthenticationProvider', ['firewall_key' => $this->providerKey'authenticator' => \get_class($guardAuthenticator)]);
  153.             }
  154.             // pass the token into the AuthenticationManager system
  155.             // this indirectly calls GuardAuthenticationProvider::authenticate()
  156.             $token $this->authenticationManager->authenticate($token);
  158.             if (null !== $this->logger) {
  159.                 $this->logger->info('Guard authentication successful!', ['token' => $token'authenticator' => \get_class($guardAuthenticator)]);
  160.             }
  162.             // sets the token on the token storage, etc
  163.             $this->guardHandler->authenticateWithToken($token$request$this->providerKey);
  164.         } catch (AuthenticationException $e) {
  165.             // oh no! Authentication failed!
  167.             if (null !== $this->logger) {
  168.                 $this->logger->info('Guard authentication failed.', ['exception' => $e'authenticator' => \get_class($guardAuthenticator)]);
  169.             }
  171.             // Avoid leaking error details in case of invalid user (e.g. user not found or invalid account status)
  172.             // to prevent user enumeration via response content
  173.             if ($this->hideUserNotFoundExceptions && ($e instanceof UsernameNotFoundException || $e instanceof AccountStatusException)) {
  174.                 $e = new BadCredentialsException('Bad credentials.'0$e);
  175.             }
  177.             $response $this->guardHandler->handleAuthenticationFailure($e$request$guardAuthenticator$this->providerKey);
  179.             if ($response instanceof Response) {
  180.                 $event->setResponse($response);
  181.             }
  183.             return;
  184.         }
  186.         // success!
  187.         $response $this->guardHandler->handleAuthenticationSuccess($token$request$guardAuthenticator$this->providerKey);
  188.         if ($response instanceof Response) {
  189.             if (null !== $this->logger) {
  190.                 $this->logger->debug('Guard authenticator set success response.', ['response' => $response'authenticator' => \get_class($guardAuthenticator)]);
  191.             }
  193.             $event->setResponse($response);
  194.         } else {
  195.             if (null !== $this->logger) {
  196.                 $this->logger->debug('Guard authenticator set no success response: request continues.', ['authenticator' => \get_class($guardAuthenticator)]);
  197.             }
  198.         }
  200.         // attempt to trigger the remember me functionality
  201.         $this->triggerRememberMe($guardAuthenticator$request$token$response);
  202.     }
  204.     /**
  205.      * Should be called if this listener will support remember me.
  206.      */
  207.     public function setRememberMeServices(RememberMeServicesInterface $rememberMeServices)
  208.     {
  209.         $this->rememberMeServices $rememberMeServices;
  210.     }
  212.     /**
  213.      * Checks to see if remember me is supported in the authenticator and
  214.      * on the firewall. If it is, the RememberMeServicesInterface is notified.
  215.      */
  216.     private function triggerRememberMe(GuardAuthenticatorInterface $guardAuthenticatorRequest $requestTokenInterface $tokenResponse $response null)
  217.     {
  218.         if (null === $this->rememberMeServices) {
  219.             if (null !== $this->logger) {
  220.                 $this->logger->debug('Remember me skipped: it is not configured for the firewall.', ['authenticator' => \get_class($guardAuthenticator)]);
  221.             }
  223.             return;
  224.         }
  226.         if (!$guardAuthenticator->supportsRememberMe()) {
  227.             if (null !== $this->logger) {
  228.                 $this->logger->debug('Remember me skipped: your authenticator does not support it.', ['authenticator' => \get_class($guardAuthenticator)]);
  229.             }
  231.             return;
  232.         }
  234.         if (!$response instanceof Response) {
  235.             throw new \LogicException(sprintf('"%s::onAuthenticationSuccess()" *must* return a Response if you want to use the remember me functionality. Return a Response, or set remember_me to false under the guard configuration.', \get_class($guardAuthenticator)));
  236.         }
  238.         $this->rememberMeServices->loginSuccess($request$response$token);
  239.     }
  240. }