vendor/symfony/security/Http/Firewall/ContextListener.php line 45

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Component\Security\Http\Firewall;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\EventDispatcher\EventDispatcherInterface;
  16. use Symfony\Component\EventDispatcher\LegacyEventDispatcherProxy;
  17. use Symfony\Component\HttpFoundation\Request;
  18. use Symfony\Component\HttpFoundation\Session\Session;
  19. use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
  20. use Symfony\Component\HttpKernel\Event\RequestEvent;
  21. use Symfony\Component\HttpKernel\KernelEvents;
  22. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
  23. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
  24. use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
  25. use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
  26. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  27. use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
  28. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  29. use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
  30. use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
  31. use Symfony\Component\Security\Core\Role\SwitchUserRole;
  32. use Symfony\Component\Security\Core\User\UserInterface;
  33. use Symfony\Component\Security\Core\User\UserProviderInterface;
  34. use Symfony\Component\Security\Http\Event\DeauthenticatedEvent;
  35. use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface;
  37. /**
  38.  * ContextListener manages the SecurityContext persistence through a session.
  39.  *
  40.  * @author Fabien Potencier <fabien@symfony.com>
  41.  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  42.  *
  43.  * @final since Symfony 4.3
  44.  */
  45. class ContextListener extends AbstractListener implements ListenerInterface
  46. {
  47.     use LegacyListenerTrait;
  49.     private $tokenStorage;
  50.     private $sessionKey;
  51.     private $logger;
  52.     private $userProviders;
  53.     private $dispatcher;
  54.     private $registered;
  55.     private $trustResolver;
  56.     private $rememberMeServices;
  57.     private $sessionTrackerEnabler;
  59.     /**
  60.      * @param iterable|UserProviderInterface[] $userProviders
  61.      */
  62.     public function __construct(TokenStorageInterface $tokenStorageiterable $userProvidersstring $contextKeyLoggerInterface $logger nullEventDispatcherInterface $dispatcher nullAuthenticationTrustResolverInterface $trustResolver null, callable $sessionTrackerEnabler null)
  63.     {
  64.         if (empty($contextKey)) {
  65.             throw new \InvalidArgumentException('$contextKey must not be empty.');
  66.         }
  68.         $this->tokenStorage $tokenStorage;
  69.         $this->userProviders $userProviders;
  70.         $this->sessionKey '_security_'.$contextKey;
  71.         $this->logger $logger;
  73.         if (null !== $dispatcher && class_exists(LegacyEventDispatcherProxy::class)) {
  74.             $this->dispatcher LegacyEventDispatcherProxy::decorate($dispatcher);
  75.         } else {
  76.             $this->dispatcher $dispatcher;
  77.         }
  79.         $this->trustResolver $trustResolver ?? new AuthenticationTrustResolver(AnonymousToken::class, RememberMeToken::class);
  80.         $this->sessionTrackerEnabler $sessionTrackerEnabler;
  81.     }
  83.     /**
  84.      * Enables deauthentication during refreshUser when the user has changed.
  85.      *
  86.      * @param bool $logoutOnUserChange
  87.      *
  88.      * @deprecated since Symfony 4.1
  89.      */
  90.     public function setLogoutOnUserChange($logoutOnUserChange)
  91.     {
  92.         @trigger_error(sprintf('The "%s()" method is deprecated since Symfony 4.1.'__METHOD__), \E_USER_DEPRECATED);
  93.     }
  95.     /**
  96.      * {@inheritdoc}
  97.      */
  98.     public function supports(Request $request): ?bool
  99.     {
  100.         return null// always run authenticate() lazily with lazy firewalls
  101.     }
  103.     /**
  104.      * Reads the Security Token from the session.
  105.      */
  106.     public function authenticate(RequestEvent $event)
  107.     {
  108.         if (!$this->registered && null !== $this->dispatcher && $event->isMasterRequest()) {
  109.             $this->dispatcher->addListener(KernelEvents::RESPONSE, [$this'onKernelResponse']);
  110.             $this->registered true;
  111.         }
  113.         $request $event->getRequest();
  114.         $session $request->hasPreviousSession() && $request->hasSession() ? $request->getSession() : null;
  116.         if (null !== $session) {
  117.             $usageIndexValue method_exists(Request::class, 'getPreferredFormat') && $session instanceof Session $usageIndexReference = &$session->getUsageIndex() : 0;
  118.             $sessionId $request->cookies->get($session->getName());
  119.             $token $session->get($this->sessionKey);
  121.             if ($this->sessionTrackerEnabler && \in_array($sessionId, [true$session->getId()], true)) {
  122.                 $usageIndexReference $usageIndexValue;
  123.             }
  124.         }
  126.         if (null === $session || null === $token) {
  127.             if ($this->sessionTrackerEnabler) {
  128.                 ($this->sessionTrackerEnabler)();
  129.             }
  131.             $this->tokenStorage->setToken(null);
  133.             return;
  134.         }
  136.         $token $this->safelyUnserialize($token);
  138.         if (null !== $this->logger) {
  139.             $this->logger->debug('Read existing security token from the session.', [
  140.                 'key' => $this->sessionKey,
  141.                 'token_class' => \is_object($token) ? \get_class($token) : null,
  142.             ]);
  143.         }
  145.         if ($token instanceof TokenInterface) {
  146.             $token $this->refreshUser($token);
  148.             if (!$token && $this->rememberMeServices) {
  149.                 $this->rememberMeServices->loginFail($request);
  150.             }
  151.         } elseif (null !== $token) {
  152.             if (null !== $this->logger) {
  153.                 $this->logger->warning('Expected a security token from the session, got something else.', ['key' => $this->sessionKey'received' => $token]);
  154.             }
  156.             $token null;
  157.         }
  159.         if ($this->sessionTrackerEnabler) {
  160.             ($this->sessionTrackerEnabler)();
  161.         }
  163.         $this->tokenStorage->setToken($token);
  164.     }
  166.     /**
  167.      * Writes the security token into the session.
  168.      */
  169.     public function onKernelResponse(FilterResponseEvent $event)
  170.     {
  171.         if (!$event->isMasterRequest()) {
  172.             return;
  173.         }
  175.         $request $event->getRequest();
  177.         if (!$request->hasSession()) {
  178.             return;
  179.         }
  181.         $this->dispatcher->removeListener(KernelEvents::RESPONSE, [$this'onKernelResponse']);
  182.         $this->registered false;
  183.         $session $request->getSession();
  184.         $sessionId $session->getId();
  185.         $usageIndexValue method_exists(Request::class, 'getPreferredFormat') && $session instanceof Session $usageIndexReference = &$session->getUsageIndex() : null;
  186.         $token $this->tokenStorage->getToken();
  188.         if (null === $token || $this->trustResolver->isAnonymous($token)) {
  189.             if ($request->hasPreviousSession()) {
  190.                 $session->remove($this->sessionKey);
  191.             }
  192.         } else {
  193.             $session->set($this->sessionKeyserialize($token));
  195.             if (null !== $this->logger) {
  196.                 $this->logger->debug('Stored the security token in the session.', ['key' => $this->sessionKey]);
  197.             }
  198.         }
  200.         if ($this->sessionTrackerEnabler && $session->getId() === $sessionId) {
  201.             $usageIndexReference $usageIndexValue;
  202.         }
  203.     }
  205.     /**
  206.      * Refreshes the user by reloading it from the user provider.
  207.      *
  208.      * @return TokenInterface|null
  209.      *
  210.      * @throws \RuntimeException
  211.      */
  212.     protected function refreshUser(TokenInterface $token)
  213.     {
  214.         $user $token->getUser();
  215.         if (!$user instanceof UserInterface) {
  216.             return $token;
  217.         }
  219.         $userNotFoundByProvider false;
  220.         $userDeauthenticated false;
  221.         $userClass = \get_class($user);
  223.         foreach ($this->userProviders as $provider) {
  224.             if (!$provider instanceof UserProviderInterface) {
  225.                 throw new \InvalidArgumentException(sprintf('User provider "%s" must implement "%s".', \get_class($provider), UserProviderInterface::class));
  226.             }
  228.             if (!$provider->supportsClass($userClass)) {
  229.                 continue;
  230.             }
  232.             try {
  233.                 $refreshedUser $provider->refreshUser($user);
  234.                 $newToken = clone $token;
  235.                 $newToken->setUser($refreshedUser);
  237.                 // tokens can be deauthenticated if the user has been changed.
  238.                 if (!$newToken->isAuthenticated()) {
  239.                     $userDeauthenticated true;
  241.                     if (null !== $this->logger) {
  242.                         $this->logger->debug('Cannot refresh token because user has changed.', ['username' => $refreshedUser->getUsername(), 'provider' => \get_class($provider)]);
  243.                     }
  245.                     continue;
  246.                 }
  248.                 $token->setUser($refreshedUser);
  250.                 if (null !== $this->logger) {
  251.                     $context = ['provider' => \get_class($provider), 'username' => $refreshedUser->getUsername()];
  253.                     if ($token instanceof SwitchUserToken) {
  254.                         $context['impersonator_username'] = $token->getOriginalToken()->getUsername();
  255.                     } else {
  256.                         foreach ($token->getRoles(false) as $role) {
  257.                             if ($role instanceof SwitchUserRole) {
  258.                                 $context['impersonator_username'] = $role->getSource(false)->getUsername();
  259.                                 break;
  260.                             }
  261.                         }
  262.                     }
  264.                     $this->logger->debug('User was reloaded from a user provider.'$context);
  265.                 }
  267.                 return $token;
  268.             } catch (UnsupportedUserException $e) {
  269.                 // let's try the next user provider
  270.             } catch (UsernameNotFoundException $e) {
  271.                 if (null !== $this->logger) {
  272.                     $this->logger->warning('Username could not be found in the selected user provider.', ['username' => $e->getUsername(), 'provider' => \get_class($provider)]);
  273.                 }
  275.                 $userNotFoundByProvider true;
  276.             }
  277.         }
  279.         if ($userDeauthenticated) {
  280.             if (null !== $this->logger) {
  281.                 $this->logger->debug('Token was deauthenticated after trying to refresh it.');
  282.             }
  284.             if (null !== $this->dispatcher) {
  285.                 $this->dispatcher->dispatch(new DeauthenticatedEvent($token$newToken), DeauthenticatedEvent::class);
  286.             }
  288.             return null;
  289.         }
  291.         if ($userNotFoundByProvider) {
  292.             return null;
  293.         }
  295.         throw new \RuntimeException(sprintf('There is no user provider for user "%s". Shouldn\'t the "supportsClass()" method of your user provider return true for this classname?'$userClass));
  296.     }
  298.     private function safelyUnserialize(string $serializedToken)
  299.     {
  300.         $e $token null;
  301.         $prevUnserializeHandler ini_set('unserialize_callback_func'__CLASS__.'::handleUnserializeCallback');
  302.         $prevErrorHandler set_error_handler(function ($type$msg$file$line$context = []) use (&$prevErrorHandler) {
  303.             if (__FILE__ === $file) {
  304.                 throw new \ErrorException($msg0x37313BC$type$file$line);
  305.             }
  307.             return $prevErrorHandler $prevErrorHandler($type$msg$file$line$context) : false;
  308.         });
  310.         try {
  311.             $token unserialize($serializedToken);
  312.         } catch (\Throwable $e) {
  313.         }
  314.         restore_error_handler();
  315.         ini_set('unserialize_callback_func'$prevUnserializeHandler);
  316.         if ($e) {
  317.             if (!$e instanceof \ErrorException || 0x37313BC !== $e->getCode()) {
  318.                 throw $e;
  319.             }
  320.             if ($this->logger) {
  321.                 $this->logger->warning('Failed to unserialize the security token from the session.', ['key' => $this->sessionKey'received' => $serializedToken'exception' => $e]);
  322.             }
  323.         }
  325.         return $token;
  326.     }
  328.     /**
  329.      * @internal
  330.      */
  331.     public static function handleUnserializeCallback(string $class)
  332.     {
  333.         throw new \ErrorException('Class not found: '.$class0x37313BC);
  334.     }
  336.     public function setRememberMeServices(RememberMeServicesInterface $rememberMeServices)
  337.     {
  338.         $this->rememberMeServices $rememberMeServices;
  339.     }
  340. }