1
|
|
|
<?php |
2
|
|
|
|
3
|
|
|
namespace Kaliop\IdentityManagementBundle\Security\Authentication\Provider; |
4
|
|
|
|
5
|
|
|
use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface; |
6
|
|
|
use Symfony\Component\Security\Core\User\UserProviderInterface; |
7
|
|
|
use Symfony\Component\Security\Core\User\UserInterface; |
8
|
|
|
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken; |
9
|
|
|
use Symfony\Component\Security\Core\Exception\BadCredentialsException; |
10
|
|
|
use Symfony\Component\Security\Core\Exception\AuthenticationException; |
11
|
|
|
use Symfony\Component\Security\Core\Exception\AuthenticationServiceException; |
12
|
|
|
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException; |
13
|
|
|
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; |
14
|
|
|
use Kaliop\IdentityManagementBundle\Adapter\ClientInterface; |
15
|
|
|
use Psr\Log\LoggerInterface; |
16
|
|
|
use Symfony\Component\Security\Core\Role\SwitchUserRole; |
17
|
|
|
|
18
|
|
|
/** |
19
|
|
|
* @todo: |
20
|
|
|
* 4. save locally the wsdl for perfs, as it is downloaded when building the container! |
21
|
|
|
* 5. it seems that this authenticator gets called AFTER the eZ one... try to revert the config in security.yml? |
22
|
|
|
*/ |
23
|
|
|
class RemoteUserAuthenticationProvider implements AuthenticationProviderInterface |
24
|
|
|
{ |
25
|
|
|
/** |
26
|
|
|
* @var bool $hideUserNotFoundExceptions when true, auth exceptions of type UsernameNotFoundException, |
27
|
|
|
* BadCredentialsException and unkown (non-AuthenticationException) will be masked with a standard error message |
28
|
|
|
*/ |
29
|
|
|
protected $hideUserNotFoundExceptions; |
30
|
|
|
//protected $userChecker; |
31
|
|
|
protected $providerKey; |
32
|
|
|
/** @var ClientInterface $client */ |
33
|
|
|
protected $client; |
34
|
|
|
/** @var UserProviderInterface $userProvider */ |
35
|
|
|
protected $userProvider; |
36
|
|
|
/** @var LoggerInterface|null $logger */ |
37
|
|
|
protected $logger; |
38
|
|
|
|
39
|
|
|
public function __construct(ClientInterface $client, UserProviderInterface $userProvider, $providerKey, $hideUserNotFoundExceptions = true) |
40
|
|
|
{ |
41
|
|
|
$this->client = $client; |
42
|
|
|
$this->providerKey = $providerKey; |
43
|
|
|
$this->hideUserNotFoundExceptions = $hideUserNotFoundExceptions; |
44
|
|
|
$this->userProvider = $userProvider; |
45
|
|
|
} |
46
|
|
|
|
47
|
|
|
/** |
48
|
|
|
* @param LoggerInterface $logger |
49
|
|
|
*/ |
50
|
|
|
public function setLogger(LoggerInterface $logger) |
51
|
|
|
{ |
52
|
|
|
$this->logger = $logger; |
53
|
|
|
} |
54
|
|
|
|
55
|
|
|
public function supports(TokenInterface $token) |
56
|
|
|
{ |
57
|
|
|
return $token instanceof UsernamePasswordToken && $this->providerKey === $token->getProviderKey(); |
|
|
|
|
58
|
|
|
} |
59
|
|
|
|
60
|
|
|
/** |
61
|
|
|
* Reimplemented differently from what UserAuthenticationProvider does because we do not have its logic - instead of |
62
|
|
|
* fetch 1st, then check pwd, we do fetch-while-checking-pwd |
63
|
|
|
* |
64
|
|
|
* @param TokenInterface $token |
65
|
|
|
* @return UsernamePasswordToken |
66
|
|
|
* @throws AuthenticationException |
67
|
|
|
* |
68
|
|
|
* @see DaoAuthenticationProvider |
69
|
|
|
*/ |
70
|
|
|
public function authenticate(TokenInterface $token) |
71
|
|
|
{ |
72
|
|
|
if (!$this->supports($token)) { |
73
|
|
|
return; |
74
|
|
|
} |
75
|
|
|
|
76
|
|
|
/* we can not fetch the user 1st based on his login |
|
|
|
|
77
|
|
|
/// @todo throw a BadCredentialsException instead ? |
78
|
|
|
$username = $token->getUsername(); |
79
|
|
|
if ('' === $username || null === $username) { |
80
|
|
|
$username = 'NONE_PROVIDED'; |
81
|
|
|
} |
82
|
|
|
|
83
|
|
|
try { |
84
|
|
|
$user = $this->retrieveUser($username, $token); |
85
|
|
|
} catch (UsernameNotFoundException $e) { |
86
|
|
|
if ($this->hideUserNotFoundExceptions) { |
87
|
|
|
throw new BadCredentialsException('Bad credentials.', 0, $e); |
88
|
|
|
} |
89
|
|
|
$e->setUsername($username); |
90
|
|
|
|
91
|
|
|
throw $e; |
92
|
|
|
} |
93
|
|
|
|
94
|
|
|
if (!$user instanceof UserInterface) { |
95
|
|
|
throw new AuthenticationServiceException('retrieveUser() must return a UserInterface.'); |
96
|
|
|
}*/ |
97
|
|
|
|
98
|
|
|
try { |
99
|
|
|
//$this->userChecker->checkPreAuth($user); |
|
|
|
|
100
|
|
|
$user = $this->retrieveUserAndCheckAuthentication($token); |
101
|
|
|
/// @todo !important reintroduce this check? |
102
|
|
|
//$this->userChecker->checkPostAuth($user); |
|
|
|
|
103
|
|
|
} catch (UsernameNotFoundException $e) { |
|
|
|
|
104
|
|
|
if ($this->hideUserNotFoundExceptions) { |
105
|
|
|
throw new BadCredentialsException('Bad credentials.', 0, $e); |
106
|
|
|
} |
107
|
|
|
|
108
|
|
|
throw $e; |
109
|
|
|
} catch (BadCredentialsException $e) { |
|
|
|
|
110
|
|
|
if ($this->hideUserNotFoundExceptions) { |
111
|
|
|
throw new BadCredentialsException('Bad credentials.', 0, $e); |
112
|
|
|
} |
113
|
|
|
|
114
|
|
|
throw $e; |
115
|
|
|
} |
116
|
|
|
|
117
|
|
|
$authenticatedToken = new UsernamePasswordToken($user, $token->getCredentials(), $this->providerKey, $this->getRoles($user, $token)); |
118
|
|
|
$authenticatedToken->setAttributes($token->getAttributes()); |
119
|
|
|
|
120
|
|
|
return $authenticatedToken; |
121
|
|
|
} |
122
|
|
|
|
123
|
|
|
/** |
124
|
|
|
* @param UsernamePasswordToken $token |
125
|
|
|
* @return mixed|UserInterface |
126
|
|
|
* @throws BadCredentialsException|AuthenticationException |
127
|
|
|
*/ |
128
|
|
|
protected function retrieveUserAndCheckAuthentication(UsernamePasswordToken $token) |
129
|
|
|
{ |
130
|
|
|
$currentUser = $token->getUser(); |
131
|
|
|
if ($currentUser instanceof UserInterface) { |
|
|
|
|
132
|
|
|
|
133
|
|
|
/// @todo check if this is a good idea or not: keeping user password in the token ? Maybe encrypt it! |
134
|
|
|
if ($currentUser->getPassword() !== $token->getCredentials()) { |
135
|
|
|
throw new BadCredentialsException('The credentials were changed from another session.'); |
136
|
|
|
} |
137
|
|
|
|
138
|
|
|
return $currentUser; |
139
|
|
|
|
140
|
|
|
} else { |
141
|
|
|
|
142
|
|
|
/// @todo !important might want to throw AuthenticationCredentialsNotFoundException instead? |
143
|
|
|
if ('' === ($presentedUsername = $token->getUsername())) { |
144
|
|
|
throw new BadCredentialsException('The presented email cannot be empty.'); |
145
|
|
|
} |
146
|
|
|
|
147
|
|
|
if ('' === ($presentedPassword = $token->getCredentials())) { |
148
|
|
|
throw new BadCredentialsException('The presented password cannot be empty.'); |
149
|
|
|
} |
150
|
|
|
|
151
|
|
|
// communication errors and config errors should be logged/handled by the client |
152
|
|
|
try { |
153
|
|
|
|
154
|
|
|
$user = $this->client->AuthenticateUser($presentedUsername, $presentedPassword); |
155
|
|
|
// the client should return a UserInterface, no need for us to use a userProvider |
156
|
|
|
//$user = $this->userProvider->loadUserByUsername($username); |
|
|
|
|
157
|
|
|
return $user; |
158
|
|
|
|
159
|
|
|
} catch(AuthenticationException $e) { |
|
|
|
|
160
|
|
|
// let through any exception of the expected authentication type |
161
|
|
|
throw $e; |
162
|
|
|
} catch(\Exception $e) { |
163
|
|
|
// we mask any internal, unexpected error from the Client |
164
|
|
|
/// @todo we should log a message here: the Client used an unexpected exception type... |
165
|
|
|
/// @tood we should really be using an AuthenticationServiceException here |
166
|
|
|
throw new BadCredentialsException('The presented username or password is invalid.', 0, $e); |
167
|
|
|
} |
168
|
|
|
|
169
|
|
|
// no need to check the password after loading the user: the remote ws does that |
170
|
|
|
/*if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) { |
|
|
|
|
171
|
|
|
throw new BadCredentialsException('The presented password is invalid.'); |
172
|
|
|
}*/ |
173
|
|
|
} |
174
|
|
|
} |
175
|
|
|
|
176
|
|
|
/** |
177
|
|
|
* Copied from UserAuthenticationProvider |
178
|
|
|
*/ |
179
|
|
|
protected function getRoles(UserInterface $user, TokenInterface $token) |
180
|
|
|
{ |
181
|
|
|
$roles = $user->getRoles(); |
182
|
|
|
|
183
|
|
|
foreach ($token->getRoles() as $role) { |
184
|
|
|
if ($role instanceof SwitchUserRole) { |
|
|
|
|
185
|
|
|
$roles[] = $role; |
186
|
|
|
|
187
|
|
|
break; |
188
|
|
|
} |
189
|
|
|
} |
190
|
|
|
|
191
|
|
|
return $roles; |
192
|
|
|
} |
193
|
|
|
} |
194
|
|
|
|
This error could be the result of:
1. Missing dependencies
PHP Analyzer uses your
composer.json
file (if available) to determine the dependencies of your project and to determine all the available classes and functions. It expects thecomposer.json
to be in the root folder of your repository.Are you sure this class is defined by one of your dependencies, or did you maybe not list a dependency in either the
require
orrequire-dev
section?2. Missing use statement
PHP does not complain about undefined classes in
ìnstanceof
checks. For example, the following PHP code will work perfectly fine:If you have not tested against this specific condition, such errors might go unnoticed.