vendor/symfony/security-http/Firewall/ContextListener.php line 90

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Component\Security\Http\Firewall;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\EventDispatcher\Event;
  16. use Symfony\Component\EventDispatcher\LegacyEventDispatcherProxy;
  17. use Symfony\Component\HttpFoundation\Request;
  18. use Symfony\Component\HttpFoundation\Session\Session;
  19. use Symfony\Component\HttpKernel\Event\RequestEvent;
  20. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  21. use Symfony\Component\HttpKernel\KernelEvents;
  22. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
  23. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
  24. use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
  25. use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
  26. use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
  27. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  28. use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
  29. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  30. use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
  31. use Symfony\Component\Security\Core\Exception\UserNotFoundException;
  32. use Symfony\Component\Security\Core\User\EquatableInterface;
  33. use Symfony\Component\Security\Core\User\UserInterface;
  34. use Symfony\Component\Security\Core\User\UserProviderInterface;
  35. use Symfony\Component\Security\Http\Event\DeauthenticatedEvent;
  36. use Symfony\Component\Security\Http\Event\TokenDeauthenticatedEvent;
  37. use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface;
  38. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  40. /**
  41.  * ContextListener manages the SecurityContext persistence through a session.
  42.  *
  43.  * @author Fabien Potencier <fabien@symfony.com>
  44.  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  45.  *
  46.  * @final
  47.  */
  48. class ContextListener extends AbstractListener
  49. {
  50.     private $tokenStorage;
  51.     private $sessionKey;
  52.     private $logger;
  53.     private $userProviders;
  54.     private $dispatcher;
  55.     private $registered;
  56.     private $trustResolver;
  57.     private $rememberMeServices;
  58.     private $sessionTrackerEnabler;
  60.     /**
  61.      * @param iterable<mixed, UserProviderInterface> $userProviders
  62.      */
  63.     public function __construct(TokenStorageInterface $tokenStorageiterable $userProvidersstring $contextKey, ?LoggerInterface $logger null, ?EventDispatcherInterface $dispatcher null, ?AuthenticationTrustResolverInterface $trustResolver null, ?callable $sessionTrackerEnabler null)
  64.     {
  65.         if (empty($contextKey)) {
  66.             throw new \InvalidArgumentException('$contextKey must not be empty.');
  67.         }
  69.         $this->tokenStorage $tokenStorage;
  70.         $this->userProviders $userProviders;
  71.         $this->sessionKey '_security_'.$contextKey;
  72.         $this->logger $logger;
  73.         $this->dispatcher class_exists(Event::class) ? LegacyEventDispatcherProxy::decorate($dispatcher) : $dispatcher;
  75.         $this->trustResolver $trustResolver ?? new AuthenticationTrustResolver(AnonymousToken::class, RememberMeToken::class);
  76.         $this->sessionTrackerEnabler $sessionTrackerEnabler;
  77.     }
  79.     /**
  80.      * {@inheritdoc}
  81.      */
  82.     public function supports(Request $request): ?bool
  83.     {
  84.         return null// always run authenticate() lazily with lazy firewalls
  85.     }
  87.     /**
  88.      * Reads the Security Token from the session.
  89.      */
  90.     public function authenticate(RequestEvent $event)
  91.     {
  92.         if (!$this->registered && null !== $this->dispatcher && $event->isMainRequest()) {
  93.             $this->dispatcher->addListener(KernelEvents::RESPONSE, [$this'onKernelResponse']);
  94.             $this->registered true;
  95.         }
  97.         $request $event->getRequest();
  98.         $session $request->hasPreviousSession() && $request->hasSession() ? $request->getSession() : null;
  100.         $request->attributes->set('_security_firewall_run'$this->sessionKey);
  102.         if (null !== $session) {
  103.             $usageIndexValue $session instanceof Session $usageIndexReference = &$session->getUsageIndex() : 0;
  104.             $usageIndexReference \PHP_INT_MIN;
  105.             $sessionId $request->cookies->all()[$session->getName()] ?? null;
  106.             $token $session->get($this->sessionKey);
  108.             // sessionId = true is used in the tests
  109.             if ($this->sessionTrackerEnabler && \in_array($sessionId, [true$session->getId()], true)) {
  110.                 $usageIndexReference $usageIndexValue;
  111.             } else {
  112.                 $usageIndexReference $usageIndexReference \PHP_INT_MIN $usageIndexValue;
  113.             }
  114.         }
  116.         if (null === $session || null === $token) {
  117.             if ($this->sessionTrackerEnabler) {
  118.                 ($this->sessionTrackerEnabler)();
  119.             }
  121.             $this->tokenStorage->setToken(null);
  123.             return;
  124.         }
  126.         $token $this->safelyUnserialize($token);
  128.         if (null !== $this->logger) {
  129.             $this->logger->debug('Read existing security token from the session.', [
  130.                 'key' => $this->sessionKey,
  131.                 'token_class' => \is_object($token) ? \get_class($token) : null,
  132.             ]);
  133.         }
  135.         if ($token instanceof TokenInterface) {
  136.             $originalToken $token;
  137.             $token $this->refreshUser($token);
  139.             if (!$token) {
  140.                 if ($this->logger) {
  141.                     $this->logger->debug('Token was deauthenticated after trying to refresh it.');
  142.                 }
  144.                 if ($this->dispatcher) {
  145.                     $this->dispatcher->dispatch(new TokenDeauthenticatedEvent($originalToken$request));
  146.                 }
  148.                 if ($this->rememberMeServices) {
  149.                     $this->rememberMeServices->loginFail($request);
  150.                 }
  151.             }
  152.         } elseif (null !== $token) {
  153.             if (null !== $this->logger) {
  154.                 $this->logger->warning('Expected a security token from the session, got something else.', ['key' => $this->sessionKey'received' => $token]);
  155.             }
  157.             $token null;
  158.         }
  160.         if ($this->sessionTrackerEnabler) {
  161.             ($this->sessionTrackerEnabler)();
  162.         }
  164.         $this->tokenStorage->setToken($token);
  165.     }
  167.     /**
  168.      * Writes the security token into the session.
  169.      */
  170.     public function onKernelResponse(ResponseEvent $event)
  171.     {
  172.         if (!$event->isMainRequest()) {
  173.             return;
  174.         }
  176.         $request $event->getRequest();
  178.         if (!$request->hasSession() || $request->attributes->get('_security_firewall_run') !== $this->sessionKey) {
  179.             return;
  180.         }
  182.         if ($this->dispatcher) {
  183.             $this->dispatcher->removeListener(KernelEvents::RESPONSE, [$this'onKernelResponse']);
  184.         }
  185.         $this->registered false;
  186.         $session $request->getSession();
  187.         $sessionId $session->getId();
  188.         $usageIndexValue $session instanceof Session $usageIndexReference = &$session->getUsageIndex() : null;
  189.         $token $this->tokenStorage->getToken();
  191.         // @deprecated always use isAuthenticated() in 6.0
  192.         $notAuthenticated method_exists($this->trustResolver'isAuthenticated') ? !$this->trustResolver->isAuthenticated($token) : (null === $token || $this->trustResolver->isAnonymous($token));
  193.         if ($notAuthenticated) {
  194.             if ($request->hasPreviousSession()) {
  195.                 $session->remove($this->sessionKey);
  196.             }
  197.         } else {
  198.             $session->set($this->sessionKeyserialize($token));
  200.             if (null !== $this->logger) {
  201.                 $this->logger->debug('Stored the security token in the session.', ['key' => $this->sessionKey]);
  202.             }
  203.         }
  205.         if ($this->sessionTrackerEnabler && $session->getId() === $sessionId) {
  206.             $usageIndexReference $usageIndexValue;
  207.         }
  208.     }
  210.     /**
  211.      * Refreshes the user by reloading it from the user provider.
  212.      *
  213.      * @throws \RuntimeException
  214.      */
  215.     protected function refreshUser(TokenInterface $token): ?TokenInterface
  216.     {
  217.         $user $token->getUser();
  218.         if (!$user instanceof UserInterface) {
  219.             return $token;
  220.         }
  222.         $userNotFoundByProvider false;
  223.         $userDeauthenticated false;
  224.         $userClass \get_class($user);
  226.         foreach ($this->userProviders as $provider) {
  227.             if (!$provider instanceof UserProviderInterface) {
  228.                 throw new \InvalidArgumentException(sprintf('User provider "%s" must implement "%s".'get_debug_type($provider), UserProviderInterface::class));
  229.             }
  231.             if (!$provider->supportsClass($userClass)) {
  232.                 continue;
  233.             }
  235.             try {
  236.                 $refreshedUser $provider->refreshUser($user);
  237.                 $newToken = clone $token;
  238.                 $newToken->setUser($refreshedUserfalse);
  240.                 // tokens can be deauthenticated if the user has been changed.
  241.                 if ($token instanceof AbstractToken && $this->hasUserChanged($user$newToken)) {
  242.                     $userDeauthenticated true;
  243.                     // @deprecated since Symfony 5.4
  244.                     if (method_exists($newToken'setAuthenticated')) {
  245.                         $newToken->setAuthenticated(falsefalse);
  246.                     }
  248.                     if (null !== $this->logger) {
  249.                         // @deprecated since Symfony 5.3, change to $refreshedUser->getUserIdentifier() in 6.0
  250.                         $this->logger->debug('Cannot refresh token because user has changed.', ['username' => method_exists($refreshedUser'getUserIdentifier') ? $refreshedUser->getUserIdentifier() : $refreshedUser->getUsername(), 'provider' => \get_class($provider)]);
  251.                     }
  253.                     continue;
  254.                 }
  256.                 $token->setUser($refreshedUser);
  258.                 if (null !== $this->logger) {
  259.                     // @deprecated since Symfony 5.3, change to $refreshedUser->getUserIdentifier() in 6.0
  260.                     $context = ['provider' => \get_class($provider), 'username' => method_exists($refreshedUser'getUserIdentifier') ? $refreshedUser->getUserIdentifier() : $refreshedUser->getUsername()];
  262.                     if ($token instanceof SwitchUserToken) {
  263.                         $originalToken $token->getOriginalToken();
  264.                         // @deprecated since Symfony 5.3, change to $originalToken->getUserIdentifier() in 6.0
  265.                         $context['impersonator_username'] = method_exists($originalToken'getUserIdentifier') ? $originalToken->getUserIdentifier() : $originalToken->getUsername();
  266.                     }
  268.                     $this->logger->debug('User was reloaded from a user provider.'$context);
  269.                 }
  271.                 return $token;
  272.             } catch (UnsupportedUserException $e) {
  273.                 // let's try the next user provider
  274.             } catch (UserNotFoundException $e) {
  275.                 if (null !== $this->logger) {
  276.                     $this->logger->warning('Username could not be found in the selected user provider.', ['username' => method_exists($e'getUserIdentifier') ? $e->getUserIdentifier() : $e->getUsername(), 'provider' => \get_class($provider)]);
  277.                 }
  279.                 $userNotFoundByProvider true;
  280.             }
  281.         }
  283.         if ($userDeauthenticated) {
  284.             // @deprecated since Symfony 5.4
  285.             if ($this->dispatcher) {
  286.                 $this->dispatcher->dispatch(new DeauthenticatedEvent($token$newTokenfalse), DeauthenticatedEvent::class);
  287.             }
  289.             return null;
  290.         }
  292.         if ($userNotFoundByProvider) {
  293.             return null;
  294.         }
  296.         throw new \RuntimeException(sprintf('There is no user provider for user "%s". Shouldn\'t the "supportsClass()" method of your user provider return true for this classname?'$userClass));
  297.     }
  299.     private function safelyUnserialize(string $serializedToken)
  300.     {
  301.         $token null;
  302.         $prevUnserializeHandler ini_set('unserialize_callback_func'__CLASS__.'::handleUnserializeCallback');
  303.         $prevErrorHandler set_error_handler(function ($type$msg$file$line$context = []) use (&$prevErrorHandler) {
  304.             if (__FILE__ === $file && !\in_array($type, [\E_DEPRECATED\E_USER_DEPRECATED], true)) {
  305.                 throw new \ErrorException($msg0x37313BC$type$file$line);
  306.             }
  308.             return $prevErrorHandler $prevErrorHandler($type$msg$file$line$context) : false;
  309.         });
  311.         try {
  312.             $token unserialize($serializedToken);
  313.         } catch (\ErrorException $e) {
  314.             if (0x37313BC !== $e->getCode()) {
  315.                 throw $e;
  316.             }
  317.             if ($this->logger) {
  318.                 $this->logger->warning('Failed to unserialize the security token from the session.', ['key' => $this->sessionKey'received' => $serializedToken'exception' => $e]);
  319.             }
  320.         } finally {
  321.             restore_error_handler();
  322.             ini_set('unserialize_callback_func'$prevUnserializeHandler);
  323.         }
  325.         return $token;
  326.     }
  328.     /**
  329.      * @param string|\Stringable|UserInterface $originalUser
  330.      */
  331.     private static function hasUserChanged($originalUserTokenInterface $refreshedToken): bool
  332.     {
  333.         $refreshedUser $refreshedToken->getUser();
  335.         if ($originalUser instanceof UserInterface) {
  336.             if (!$refreshedUser instanceof UserInterface) {
  337.                 return true;
  338.             } else {
  339.                 // noop
  340.             }
  341.         } elseif ($refreshedUser instanceof UserInterface) {
  342.             return true;
  343.         } else {
  344.             return (string) $originalUser !== (string) $refreshedUser;
  345.         }
  347.         if ($originalUser instanceof EquatableInterface) {
  348.             return !(bool) $originalUser->isEqualTo($refreshedUser);
  349.         }
  351.         // @deprecated since Symfony 5.3, check for PasswordAuthenticatedUserInterface on both user objects before comparing passwords
  352.         if ($originalUser->getPassword() !== $refreshedUser->getPassword()) {
  353.             return true;
  354.         }
  356.         // @deprecated since Symfony 5.3, check for LegacyPasswordAuthenticatedUserInterface on both user objects before comparing salts
  357.         if ($originalUser->getSalt() !== $refreshedUser->getSalt()) {
  358.             return true;
  359.         }
  361.         $userRoles array_map('strval', (array) $refreshedUser->getRoles());
  363.         if ($refreshedToken instanceof SwitchUserToken) {
  364.             $userRoles[] = 'ROLE_PREVIOUS_ADMIN';
  365.         }
  367.         if (
  368.             \count($userRoles) !== \count($refreshedToken->getRoleNames()) ||
  369.             \count($userRoles) !== \count(array_intersect($userRoles$refreshedToken->getRoleNames()))
  370.         ) {
  371.             return true;
  372.         }
  374.         // @deprecated since Symfony 5.3, drop getUsername() in 6.0
  375.         $userIdentifier = function ($refreshedUser) {
  376.             return method_exists($refreshedUser'getUserIdentifier') ? $refreshedUser->getUserIdentifier() : $refreshedUser->getUsername();
  377.         };
  378.         if ($userIdentifier($originalUser) !== $userIdentifier($refreshedUser)) {
  379.             return true;
  380.         }
  382.         return false;
  383.     }
  385.     /**
  386.      * @internal
  387.      */
  388.     public static function handleUnserializeCallback(string $class)
  389.     {
  390.         throw new \ErrorException('Class not found: '.$class0x37313BC);
  391.     }
  393.     /**
  394.      * @deprecated since Symfony 5.4
  395.      */
  396.     public function setRememberMeServices(RememberMeServicesInterface $rememberMeServices)
  397.     {
  398.         trigger_deprecation('symfony/security-http''5.4''Method "%s()" is deprecated, use the new remember me handlers instead.'__METHOD__);
  400.         $this->rememberMeServices $rememberMeServices;
  401.     }
  402. }