vendor/symfony/security-http/Firewall/ContextListener.php line 161

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Component\Security\Http\Firewall;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\HttpFoundation\Request;
  16. use Symfony\Component\HttpFoundation\Session\Session;
  17. use Symfony\Component\HttpKernel\Event\RequestEvent;
  18. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  19. use Symfony\Component\HttpKernel\KernelEvents;
  20. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
  21. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
  22. use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
  23. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  24. use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
  25. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  26. use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
  27. use Symfony\Component\Security\Core\Exception\UserNotFoundException;
  28. use Symfony\Component\Security\Core\User\EquatableInterface;
  29. use Symfony\Component\Security\Core\User\LegacyPasswordAuthenticatedUserInterface;
  30. use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
  31. use Symfony\Component\Security\Core\User\UserInterface;
  32. use Symfony\Component\Security\Core\User\UserProviderInterface;
  33. use Symfony\Component\Security\Http\Event\TokenDeauthenticatedEvent;
  34. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  36. /**
  37.  * ContextListener manages the SecurityContext persistence through a session.
  38.  *
  39.  * @author Fabien Potencier <fabien@symfony.com>
  40.  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  41.  *
  42.  * @final
  43.  */
  44. class ContextListener extends AbstractListener
  45. {
  46.     private $tokenStorage;
  47.     private string $sessionKey;
  48.     private $logger;
  49.     private iterable $userProviders;
  50.     private $dispatcher;
  51.     private bool $registered false;
  52.     private $trustResolver;
  53.     private ?\Closure $sessionTrackerEnabler;
  55.     /**
  56.      * @param iterable<mixed, UserProviderInterface> $userProviders
  57.      */
  58.     public function __construct(TokenStorageInterface $tokenStorageiterable $userProvidersstring $contextKeyLoggerInterface $logger nullEventDispatcherInterface $dispatcher nullAuthenticationTrustResolverInterface $trustResolver null, callable $sessionTrackerEnabler null)
  59.     {
  60.         if (empty($contextKey)) {
  61.             throw new \InvalidArgumentException('$contextKey must not be empty.');
  62.         }
  64.         $this->tokenStorage $tokenStorage;
  65.         $this->userProviders $userProviders;
  66.         $this->sessionKey '_security_'.$contextKey;
  67.         $this->logger $logger;
  68.         $this->dispatcher $dispatcher;
  70.         $this->trustResolver $trustResolver ?? new AuthenticationTrustResolver();
  71.         $this->sessionTrackerEnabler null === $sessionTrackerEnabler || $sessionTrackerEnabler instanceof \Closure $sessionTrackerEnabler \Closure::fromCallable($sessionTrackerEnabler);
  72.     }
  74.     /**
  75.      * {@inheritdoc}
  76.      */
  77.     public function supports(Request $request): ?bool
  78.     {
  79.         return null// always run authenticate() lazily with lazy firewalls
  80.     }
  82.     /**
  83.      * Reads the Security Token from the session.
  84.      */
  85.     public function authenticate(RequestEvent $event)
  86.     {
  87.         if (!$this->registered && null !== $this->dispatcher && $event->isMainRequest()) {
  88.             $this->dispatcher->addListener(KernelEvents::RESPONSE, [$this'onKernelResponse']);
  89.             $this->registered true;
  90.         }
  92.         $request $event->getRequest();
  93.         $session $request->hasPreviousSession() && $request->hasSession() ? $request->getSession() : null;
  95.         $request->attributes->set('_security_firewall_run'$this->sessionKey);
  97.         if (null !== $session) {
  98.             $usageIndexValue $session instanceof Session $usageIndexReference = &$session->getUsageIndex() : 0;
  99.             $usageIndexReference \PHP_INT_MIN;
  100.             $sessionId $request->cookies->all()[$session->getName()] ?? null;
  101.             $token $session->get($this->sessionKey);
  103.             // sessionId = true is used in the tests
  104.             if ($this->sessionTrackerEnabler && \in_array($sessionId, [true$session->getId()], true)) {
  105.                 $usageIndexReference $usageIndexValue;
  106.             } else {
  107.                 $usageIndexReference $usageIndexReference \PHP_INT_MIN $usageIndexValue;
  108.             }
  109.         }
  111.         if (null === $session || null === $token) {
  112.             if ($this->sessionTrackerEnabler) {
  113.                 ($this->sessionTrackerEnabler)();
  114.             }
  116.             $this->tokenStorage->setToken(null);
  118.             return;
  119.         }
  121.         $token $this->safelyUnserialize($token);
  123.         if (null !== $this->logger) {
  124.             $this->logger->debug('Read existing security token from the session.', [
  125.                 'key' => $this->sessionKey,
  126.                 'token_class' => \is_object($token) ? \get_class($token) : null,
  127.             ]);
  128.         }
  130.         if ($token instanceof TokenInterface) {
  131.             $originalToken $token;
  132.             $token $this->refreshUser($token);
  134.             if (!$token) {
  135.                 if ($this->logger) {
  136.                     $this->logger->debug('Token was deauthenticated after trying to refresh it.');
  137.                 }
  139.                 if ($this->dispatcher) {
  140.                     $this->dispatcher->dispatch(new TokenDeauthenticatedEvent($originalToken$request));
  141.                 }
  142.             }
  143.         } elseif (null !== $token) {
  144.             if (null !== $this->logger) {
  145.                 $this->logger->warning('Expected a security token from the session, got something else.', ['key' => $this->sessionKey'received' => $token]);
  146.             }
  148.             $token null;
  149.         }
  151.         if ($this->sessionTrackerEnabler) {
  152.             ($this->sessionTrackerEnabler)();
  153.         }
  155.         $this->tokenStorage->setToken($token);
  156.     }
  158.     /**
  159.      * Writes the security token into the session.
  160.      */
  161.     public function onKernelResponse(ResponseEvent $event)
  162.     {
  163.         if (!$event->isMainRequest()) {
  164.             return;
  165.         }
  167.         $request $event->getRequest();
  169.         if (!$request->hasSession() || $request->attributes->get('_security_firewall_run') !== $this->sessionKey) {
  170.             return;
  171.         }
  173.         if ($this->dispatcher) {
  174.             $this->dispatcher->removeListener(KernelEvents::RESPONSE, [$this'onKernelResponse']);
  175.         }
  176.         $this->registered false;
  177.         $session $request->getSession();
  178.         $sessionId $session->getId();
  179.         $usageIndexValue $session instanceof Session $usageIndexReference = &$session->getUsageIndex() : null;
  180.         $token $this->tokenStorage->getToken();
  182.         if (!$this->trustResolver->isAuthenticated($token)) {
  183.             if ($request->hasPreviousSession()) {
  184.                 $session->remove($this->sessionKey);
  185.             }
  186.         } else {
  187.             $session->set($this->sessionKeyserialize($token));
  189.             if (null !== $this->logger) {
  190.                 $this->logger->debug('Stored the security token in the session.', ['key' => $this->sessionKey]);
  191.             }
  192.         }
  194.         if ($this->sessionTrackerEnabler && $session->getId() === $sessionId) {
  195.             $usageIndexReference $usageIndexValue;
  196.         }
  197.     }
  199.     /**
  200.      * Refreshes the user by reloading it from the user provider.
  201.      *
  202.      * @throws \RuntimeException
  203.      */
  204.     protected function refreshUser(TokenInterface $token): ?TokenInterface
  205.     {
  206.         $user $token->getUser();
  208.         $userNotFoundByProvider false;
  209.         $userDeauthenticated false;
  210.         $userClass \get_class($user);
  212.         foreach ($this->userProviders as $provider) {
  213.             if (!$provider instanceof UserProviderInterface) {
  214.                 throw new \InvalidArgumentException(sprintf('User provider "%s" must implement "%s".'get_debug_type($provider), UserProviderInterface::class));
  215.             }
  217.             if (!$provider->supportsClass($userClass)) {
  218.                 continue;
  219.             }
  221.             try {
  222.                 $refreshedUser $provider->refreshUser($user);
  223.                 $newToken = clone $token;
  224.                 $newToken->setUser($refreshedUserfalse);
  226.                 // tokens can be deauthenticated if the user has been changed.
  227.                 if ($token instanceof AbstractToken && $this->hasUserChanged($user$newToken)) {
  228.                     $userDeauthenticated true;
  230.                     if (null !== $this->logger) {
  231.                         $this->logger->debug('Cannot refresh token because user has changed.', ['username' => $refreshedUser->getUserIdentifier(), 'provider' => \get_class($provider)]);
  232.                     }
  234.                     continue;
  235.                 }
  237.                 $token->setUser($refreshedUser);
  239.                 if (null !== $this->logger) {
  240.                     $context = ['provider' => \get_class($provider), 'username' => $refreshedUser->getUserIdentifier()];
  242.                     if ($token instanceof SwitchUserToken) {
  243.                         $originalToken $token->getOriginalToken();
  244.                         $context['impersonator_username'] = $originalToken->getUserIdentifier();
  245.                     }
  247.                     $this->logger->debug('User was reloaded from a user provider.'$context);
  248.                 }
  250.                 return $token;
  251.             } catch (UnsupportedUserException $e) {
  252.                 // let's try the next user provider
  253.             } catch (UserNotFoundException $e) {
  254.                 if (null !== $this->logger) {
  255.                     $this->logger->warning('Username could not be found in the selected user provider.', ['username' => $e->getUserIdentifier(), 'provider' => \get_class($provider)]);
  256.                 }
  258.                 $userNotFoundByProvider true;
  259.             }
  260.         }
  262.         if ($userDeauthenticated) {
  263.             return null;
  264.         }
  266.         if ($userNotFoundByProvider) {
  267.             return null;
  268.         }
  270.         throw new \RuntimeException(sprintf('There is no user provider for user "%s". Shouldn\'t the "supportsClass()" method of your user provider return true for this classname?'$userClass));
  271.     }
  273.     private function safelyUnserialize(string $serializedToken)
  274.     {
  275.         $token null;
  276.         $prevUnserializeHandler ini_set('unserialize_callback_func'__CLASS__.'::handleUnserializeCallback');
  277.         $prevErrorHandler set_error_handler(function ($type$msg$file$line$context = []) use (&$prevErrorHandler) {
  278.             if (__FILE__ === $file) {
  279.                 throw new \ErrorException($msg0x37313BC$type$file$line);
  280.             }
  282.             return $prevErrorHandler $prevErrorHandler($type$msg$file$line$context) : false;
  283.         });
  285.         try {
  286.             $token unserialize($serializedToken);
  287.         } catch (\ErrorException $e) {
  288.             if (0x37313BC !== $e->getCode()) {
  289.                 throw $e;
  290.             }
  291.             if ($this->logger) {
  292.                 $this->logger->warning('Failed to unserialize the security token from the session.', ['key' => $this->sessionKey'received' => $serializedToken'exception' => $e]);
  293.             }
  294.         } finally {
  295.             restore_error_handler();
  296.             ini_set('unserialize_callback_func'$prevUnserializeHandler);
  297.         }
  299.         return $token;
  300.     }
  302.     private static function hasUserChanged(UserInterface $originalUserTokenInterface $refreshedToken): bool
  303.     {
  304.         $refreshedUser $refreshedToken->getUser();
  306.         if ($originalUser instanceof EquatableInterface) {
  307.             return !(bool) $originalUser->isEqualTo($refreshedUser);
  308.         }
  310.         if ($originalUser instanceof PasswordAuthenticatedUserInterface || $refreshedUser instanceof PasswordAuthenticatedUserInterface) {
  311.             if (!$originalUser instanceof PasswordAuthenticatedUserInterface || !$refreshedUser instanceof PasswordAuthenticatedUserInterface || $originalUser->getPassword() !== $refreshedUser->getPassword()) {
  312.                 return true;
  313.             }
  315.             if ($originalUser instanceof LegacyPasswordAuthenticatedUserInterface xor $refreshedUser instanceof LegacyPasswordAuthenticatedUserInterface) {
  316.                 return true;
  317.             }
  319.             if ($originalUser instanceof LegacyPasswordAuthenticatedUserInterface && $refreshedUser instanceof LegacyPasswordAuthenticatedUserInterface && $originalUser->getSalt() !== $refreshedUser->getSalt()) {
  320.                 return true;
  321.             }
  322.         }
  324.         $userRoles array_map('strval', (array) $refreshedUser->getRoles());
  326.         if ($refreshedToken instanceof SwitchUserToken) {
  327.             $userRoles[] = 'ROLE_PREVIOUS_ADMIN';
  328.         }
  330.         if (
  331.             \count($userRoles) !== \count($refreshedToken->getRoleNames()) ||
  332.             \count($userRoles) !== \count(array_intersect($userRoles$refreshedToken->getRoleNames()))
  333.         ) {
  334.             return true;
  335.         }
  337.         if ($originalUser->getUserIdentifier() !== $refreshedUser->getUserIdentifier()) {
  338.             return true;
  339.         }
  341.         return false;
  342.     }
  344.     /**
  345.      * @internal
  346.      */
  347.     public static function handleUnserializeCallback(string $class)
  348.     {
  349.         throw new \ErrorException('Class not found: '.$class0x37313BC);
  350.     }
  351. }