vendor/symfony/security-http/Firewall/ContextListener.php line 195

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Http\Firewall;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\EventDispatcher\Event;
  16. use Symfony\Component\EventDispatcher\LegacyEventDispatcherProxy;
  17. use Symfony\Component\HttpFoundation\Request;
  18. use Symfony\Component\HttpFoundation\Session\Session;
  19. use Symfony\Component\HttpKernel\Event\RequestEvent;
  20. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  21. use Symfony\Component\HttpKernel\KernelEvents;
  22. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
  23. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
  24. use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
  25. use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
  26. use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
  27. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  28. use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
  29. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  30. use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
  31. use Symfony\Component\Security\Core\Exception\UserNotFoundException;
  32. use Symfony\Component\Security\Core\User\EquatableInterface;
  33. use Symfony\Component\Security\Core\User\UserInterface;
  34. use Symfony\Component\Security\Core\User\UserProviderInterface;
  35. use Symfony\Component\Security\Http\Event\DeauthenticatedEvent;
  36. use Symfony\Component\Security\Http\Event\TokenDeauthenticatedEvent;
  37. use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface;
  38. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  40. /**
  41. * ContextListener manages the SecurityContext persistence through a session.
  42. *
  43. * @author Fabien Potencier <fabien@symfony.com>
  44. * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  45. *
  46. * @final
  47. */
  48. class ContextListener extends AbstractListener
  49. {
  50. private $tokenStorage;
  51. private $sessionKey;
  52. private $logger;
  53. private $userProviders;
  54. private $dispatcher;
  55. private $registered;
  56. private $trustResolver;
  57. private $rememberMeServices;
  58. private $sessionTrackerEnabler;
  60. /**
  61. * @param iterable<mixed, UserProviderInterface> $userProviders
  62. */
  63. public function __construct(TokenStorageInterface $tokenStorage, iterable $userProviders, string $contextKey, ?LoggerInterface $logger = null, ?EventDispatcherInterface $dispatcher = null, ?AuthenticationTrustResolverInterface $trustResolver = null, ?callable $sessionTrackerEnabler = null)
  64. {
  65. if (empty($contextKey)) {
  66. throw new \InvalidArgumentException('$contextKey must not be empty.');
  67. }
  69. $this->tokenStorage = $tokenStorage;
  70. $this->userProviders = $userProviders;
  71. $this->sessionKey = '_security_'.$contextKey;
  72. $this->logger = $logger;
  73. $this->dispatcher = class_exists(Event::class) ? LegacyEventDispatcherProxy::decorate($dispatcher) : $dispatcher;
  75. $this->trustResolver = $trustResolver ?? new AuthenticationTrustResolver(AnonymousToken::class, RememberMeToken::class);
  76. $this->sessionTrackerEnabler = $sessionTrackerEnabler;
  77. }
  79. /**
  80. * {@inheritdoc}
  81. */
  82. public function supports(Request $request): ?bool
  83. {
  84. return null; // always run authenticate() lazily with lazy firewalls
  85. }
  87. /**
  88. * Reads the Security Token from the session.
  89. */
  90. public function authenticate(RequestEvent $event)
  91. {
  92. if (!$this->registered && null !== $this->dispatcher && $event->isMainRequest()) {
  93. $this->dispatcher->addListener(KernelEvents::RESPONSE, [$this, 'onKernelResponse']);
  94. $this->registered = true;
  95. }
  97. $request = $event->getRequest();
  98. $session = $request->hasPreviousSession() && $request->hasSession() ? $request->getSession() : null;
  100. $request->attributes->set('_security_firewall_run', $this->sessionKey);
  102. if (null !== $session) {
  103. $usageIndexValue = $session instanceof Session ? $usageIndexReference = &$session->getUsageIndex() : 0;
  104. $usageIndexReference = \PHP_INT_MIN;
  105. $sessionId = $request->cookies->all()[$session->getName()] ?? null;
  106. $token = $session->get($this->sessionKey);
  108. // sessionId = true is used in the tests
  109. if ($this->sessionTrackerEnabler && \in_array($sessionId, [true, $session->getId()], true)) {
  110. $usageIndexReference = $usageIndexValue;
  111. } else {
  112. $usageIndexReference = $usageIndexReference - \PHP_INT_MIN + $usageIndexValue;
  113. }
  114. }
  116. if (null === $session || null === $token) {
  117. if ($this->sessionTrackerEnabler) {
  118. ($this->sessionTrackerEnabler)();
  119. }
  121. $this->tokenStorage->setToken(null);
  123. return;
  124. }
  126. $token = $this->safelyUnserialize($token);
  128. if (null !== $this->logger) {
  129. $this->logger->debug('Read existing security token from the session.', [
  130. 'key' => $this->sessionKey,
  131. 'token_class' => \is_object($token) ? \get_class($token) : null,
  132. ]);
  133. }
  135. if ($token instanceof TokenInterface) {
  136. $originalToken = $token;
  137. $token = $this->refreshUser($token);
  139. if (!$token) {
  140. if ($this->logger) {
  141. $this->logger->debug('Token was deauthenticated after trying to refresh it.');
  142. }
  144. if ($this->dispatcher) {
  145. $this->dispatcher->dispatch(new TokenDeauthenticatedEvent($originalToken, $request));
  146. }
  148. if ($this->rememberMeServices) {
  149. $this->rememberMeServices->loginFail($request);
  150. }
  151. }
  152. } elseif (null !== $token) {
  153. if (null !== $this->logger) {
  154. $this->logger->warning('Expected a security token from the session, got something else.', ['key' => $this->sessionKey, 'received' => $token]);
  155. }
  157. $token = null;
  158. }
  160. if ($this->sessionTrackerEnabler) {
  161. ($this->sessionTrackerEnabler)();
  162. }
  164. $this->tokenStorage->setToken($token);
  165. }
  167. /**
  168. * Writes the security token into the session.
  169. */
  170. public function onKernelResponse(ResponseEvent $event)
  171. {
  172. if (!$event->isMainRequest()) {
  173. return;
  174. }
  176. $request = $event->getRequest();
  178. if (!$request->hasSession() || $request->attributes->get('_security_firewall_run') !== $this->sessionKey) {
  179. return;
  180. }
  182. if ($this->dispatcher) {
  183. $this->dispatcher->removeListener(KernelEvents::RESPONSE, [$this, 'onKernelResponse']);
  184. }
  185. $this->registered = false;
  186. $session = $request->getSession();
  187. $sessionId = $session->getId();
  188. $usageIndexValue = $session instanceof Session ? $usageIndexReference = &$session->getUsageIndex() : null;
  189. $token = $this->tokenStorage->getToken();
  191. // @deprecated always use isAuthenticated() in 6.0
  192. $notAuthenticated = method_exists($this->trustResolver, 'isAuthenticated') ? !$this->trustResolver->isAuthenticated($token) : (null === $token || $this->trustResolver->isAnonymous($token));
  193. if ($notAuthenticated) {
  194. if ($request->hasPreviousSession()) {
  195. $session->remove($this->sessionKey);
  196. }
  197. } else {
  198. $session->set($this->sessionKey, serialize($token));
  200. if (null !== $this->logger) {
  201. $this->logger->debug('Stored the security token in the session.', ['key' => $this->sessionKey]);
  202. }
  203. }
  205. if ($this->sessionTrackerEnabler && $session->getId() === $sessionId) {
  206. $usageIndexReference = $usageIndexValue;
  207. }
  208. }
  210. /**
  211. * Refreshes the user by reloading it from the user provider.
  212. *
  213. * @throws \RuntimeException
  214. */
  215. protected function refreshUser(TokenInterface $token): ?TokenInterface
  216. {
  217. $user = $token->getUser();
  218. if (!$user instanceof UserInterface) {
  219. return $token;
  220. }
  222. $userNotFoundByProvider = false;
  223. $userDeauthenticated = false;
  224. $userClass = \get_class($user);
  226. foreach ($this->userProviders as $provider) {
  227. if (!$provider instanceof UserProviderInterface) {
  228. throw new \InvalidArgumentException(sprintf('User provider "%s" must implement "%s".', get_debug_type($provider), UserProviderInterface::class));
  229. }
  231. if (!$provider->supportsClass($userClass)) {
  232. continue;
  233. }
  235. try {
  236. $refreshedUser = $provider->refreshUser($user);
  237. $newToken = clone $token;
  238. $newToken->setUser($refreshedUser, false);
  240. // tokens can be deauthenticated if the user has been changed.
  241. if ($token instanceof AbstractToken && $this->hasUserChanged($user, $newToken)) {
  242. $userDeauthenticated = true;
  243. // @deprecated since Symfony 5.4
  244. if (method_exists($newToken, 'setAuthenticated')) {
  245. $newToken->setAuthenticated(false, false);
  246. }
  248. if (null !== $this->logger) {
  249. // @deprecated since Symfony 5.3, change to $refreshedUser->getUserIdentifier() in 6.0
  250. $this->logger->debug('Cannot refresh token because user has changed.', ['username' => method_exists($refreshedUser, 'getUserIdentifier') ? $refreshedUser->getUserIdentifier() : $refreshedUser->getUsername(), 'provider' => \get_class($provider)]);
  251. }
  253. continue;
  254. }
  256. $token->setUser($refreshedUser);
  258. if (null !== $this->logger) {
  259. // @deprecated since Symfony 5.3, change to $refreshedUser->getUserIdentifier() in 6.0
  260. $context = ['provider' => \get_class($provider), 'username' => method_exists($refreshedUser, 'getUserIdentifier') ? $refreshedUser->getUserIdentifier() : $refreshedUser->getUsername()];
  262. if ($token instanceof SwitchUserToken) {
  263. $originalToken = $token->getOriginalToken();
  264. // @deprecated since Symfony 5.3, change to $originalToken->getUserIdentifier() in 6.0
  265. $context['impersonator_username'] = method_exists($originalToken, 'getUserIdentifier') ? $originalToken->getUserIdentifier() : $originalToken->getUsername();
  266. }
  268. $this->logger->debug('User was reloaded from a user provider.', $context);
  269. }
  271. return $token;
  272. } catch (UnsupportedUserException $e) {
  273. // let's try the next user provider
  274. } catch (UserNotFoundException $e) {
  275. if (null !== $this->logger) {
  276. $this->logger->warning('Username could not be found in the selected user provider.', ['username' => method_exists($e, 'getUserIdentifier') ? $e->getUserIdentifier() : $e->getUsername(), 'provider' => \get_class($provider)]);
  277. }
  279. $userNotFoundByProvider = true;
  280. }
  281. }
  283. if ($userDeauthenticated) {
  284. // @deprecated since Symfony 5.4
  285. if ($this->dispatcher) {
  286. $this->dispatcher->dispatch(new DeauthenticatedEvent($token, $newToken, false), DeauthenticatedEvent::class);
  287. }
  289. return null;
  290. }
  292. if ($userNotFoundByProvider) {
  293. return null;
  294. }
  296. throw new \RuntimeException(sprintf('There is no user provider for user "%s". Shouldn\'t the "supportsClass()" method of your user provider return true for this classname?', $userClass));
  297. }
  299. private function safelyUnserialize(string $serializedToken)
  300. {
  301. $token = null;
  302. $prevUnserializeHandler = ini_set('unserialize_callback_func', __CLASS__.'::handleUnserializeCallback');
  303. $prevErrorHandler = set_error_handler(function ($type, $msg, $file, $line, $context = []) use (&$prevErrorHandler) {
  304. if (__FILE__ === $file && !\in_array($type, [\E_DEPRECATED, \E_USER_DEPRECATED], true)) {
  305. throw new \ErrorException($msg, 0x37313BC, $type, $file, $line);
  306. }
  308. return $prevErrorHandler ? $prevErrorHandler($type, $msg, $file, $line, $context) : false;
  309. });
  311. try {
  312. $token = unserialize($serializedToken);
  313. } catch (\ErrorException $e) {
  314. if (0x37313BC !== $e->getCode()) {
  315. throw $e;
  316. }
  317. if ($this->logger) {
  318. $this->logger->warning('Failed to unserialize the security token from the session.', ['key' => $this->sessionKey, 'received' => $serializedToken, 'exception' => $e]);
  319. }
  320. } finally {
  321. restore_error_handler();
  322. ini_set('unserialize_callback_func', $prevUnserializeHandler);
  323. }
  325. return $token;
  326. }
  328. /**
  329. * @param string|\Stringable|UserInterface $originalUser
  330. */
  331. private static function hasUserChanged($originalUser, TokenInterface $refreshedToken): bool
  332. {
  333. $refreshedUser = $refreshedToken->getUser();
  335. if ($originalUser instanceof UserInterface) {
  336. if (!$refreshedUser instanceof UserInterface) {
  337. return true;
  338. } else {
  339. // noop
  340. }
  341. } elseif ($refreshedUser instanceof UserInterface) {
  342. return true;
  343. } else {
  344. return (string) $originalUser !== (string) $refreshedUser;
  345. }
  347. if ($originalUser instanceof EquatableInterface) {
  348. return !(bool) $originalUser->isEqualTo($refreshedUser);
  349. }
  351. // @deprecated since Symfony 5.3, check for PasswordAuthenticatedUserInterface on both user objects before comparing passwords
  352. if ($originalUser->getPassword() !== $refreshedUser->getPassword()) {
  353. return true;
  354. }
  356. // @deprecated since Symfony 5.3, check for LegacyPasswordAuthenticatedUserInterface on both user objects before comparing salts
  357. if ($originalUser->getSalt() !== $refreshedUser->getSalt()) {
  358. return true;
  359. }
  361. $userRoles = array_map('strval', (array) $refreshedUser->getRoles());
  363. if ($refreshedToken instanceof SwitchUserToken) {
  364. $userRoles[] = 'ROLE_PREVIOUS_ADMIN';
  365. }
  367. if (
  368. \count($userRoles) !== \count($refreshedToken->getRoleNames()) ||
  369. \count($userRoles) !== \count(array_intersect($userRoles, $refreshedToken->getRoleNames()))
  370. ) {
  371. return true;
  372. }
  374. // @deprecated since Symfony 5.3, drop getUsername() in 6.0
  375. $userIdentifier = function ($refreshedUser) {
  376. return method_exists($refreshedUser, 'getUserIdentifier') ? $refreshedUser->getUserIdentifier() : $refreshedUser->getUsername();
  377. };
  378. if ($userIdentifier($originalUser) !== $userIdentifier($refreshedUser)) {
  379. return true;
  380. }
  382. return false;
  383. }
  385. /**
  386. * @internal
  387. */
  388. public static function handleUnserializeCallback(string $class)
  389. {
  390. throw new \ErrorException('Class not found: '.$class, 0x37313BC);
  391. }
  393. /**
  394. * @deprecated since Symfony 5.4
  395. */
  396. public function setRememberMeServices(RememberMeServicesInterface $rememberMeServices)
  397. {
  398. trigger_deprecation('symfony/security-http', '5.4', 'Method "%s()" is deprecated, use the new remember me handlers instead.', __METHOD__);
  400. $this->rememberMeServices = $rememberMeServices;
  401. }
  402. }