vendor/symfony/security-http/Firewall/ContextListener.php line 164

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Component\Security\Http\Firewall;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\EventDispatcher\Event;
  16. use Symfony\Component\EventDispatcher\LegacyEventDispatcherProxy;
  17. use Symfony\Component\HttpFoundation\Request;
  18. use Symfony\Component\HttpFoundation\Session\Session;
  19. use Symfony\Component\HttpKernel\Event\RequestEvent;
  20. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  21. use Symfony\Component\HttpKernel\KernelEvents;
  22. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
  23. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
  24. use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
  25. use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
  26. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  27. use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
  28. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  29. use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
  30. use Symfony\Component\Security\Core\Exception\UserNotFoundException;
  31. use Symfony\Component\Security\Core\User\UserInterface;
  32. use Symfony\Component\Security\Core\User\UserProviderInterface;
  33. use Symfony\Component\Security\Http\Event\DeauthenticatedEvent;
  34. use Symfony\Component\Security\Http\Event\TokenDeauthenticatedEvent;
  35. use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface;
  36. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  38. /**
  39.  * ContextListener manages the SecurityContext persistence through a session.
  40.  *
  41.  * @author Fabien Potencier <fabien@symfony.com>
  42.  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  43.  *
  44.  * @final
  45.  */
  46. class ContextListener extends AbstractListener
  47. {
  48.     private $tokenStorage;
  49.     private $sessionKey;
  50.     private $logger;
  51.     private $userProviders;
  52.     private $dispatcher;
  53.     private $registered;
  54.     private $trustResolver;
  55.     private $rememberMeServices;
  56.     private $sessionTrackerEnabler;
  58.     /**
  59.      * @param iterable|UserProviderInterface[] $userProviders
  60.      */
  61.     public function __construct(TokenStorageInterface $tokenStorageiterable $userProvidersstring $contextKeyLoggerInterface $logger nullEventDispatcherInterface $dispatcher nullAuthenticationTrustResolverInterface $trustResolver null, callable $sessionTrackerEnabler null)
  62.     {
  63.         if (empty($contextKey)) {
  64.             throw new \InvalidArgumentException('$contextKey must not be empty.');
  65.         }
  67.         $this->tokenStorage $tokenStorage;
  68.         $this->userProviders $userProviders;
  69.         $this->sessionKey '_security_'.$contextKey;
  70.         $this->logger $logger;
  71.         $this->dispatcher class_exists(Event::class) ? LegacyEventDispatcherProxy::decorate($dispatcher) : $dispatcher;
  73.         $this->trustResolver $trustResolver ?? new AuthenticationTrustResolver(AnonymousToken::class, RememberMeToken::class);
  74.         $this->sessionTrackerEnabler $sessionTrackerEnabler;
  75.     }
  77.     /**
  78.      * {@inheritdoc}
  79.      */
  80.     public function supports(Request $request): ?bool
  81.     {
  82.         return null// always run authenticate() lazily with lazy firewalls
  83.     }
  85.     /**
  86.      * Reads the Security Token from the session.
  87.      */
  88.     public function authenticate(RequestEvent $event)
  89.     {
  90.         if (!$this->registered && null !== $this->dispatcher && $event->isMainRequest()) {
  91.             $this->dispatcher->addListener(KernelEvents::RESPONSE, [$this'onKernelResponse']);
  92.             $this->registered true;
  93.         }
  95.         $request $event->getRequest();
  96.         $session $request->hasPreviousSession() && $request->hasSession() ? $request->getSession() : null;
  98.         $request->attributes->set('_security_firewall_run'$this->sessionKey);
  100.         if (null !== $session) {
  101.             $usageIndexValue $session instanceof Session $usageIndexReference = &$session->getUsageIndex() : 0;
  102.             $usageIndexReference \PHP_INT_MIN;
  103.             $sessionId $request->cookies->all()[$session->getName()] ?? null;
  104.             $token $session->get($this->sessionKey);
  106.             // sessionId = true is used in the tests
  107.             if ($this->sessionTrackerEnabler && \in_array($sessionId, [true$session->getId()], true)) {
  108.                 $usageIndexReference $usageIndexValue;
  109.             } else {
  110.                 $usageIndexReference $usageIndexReference \PHP_INT_MIN $usageIndexValue;
  111.             }
  112.         }
  114.         if (null === $session || null === $token) {
  115.             if ($this->sessionTrackerEnabler) {
  116.                 ($this->sessionTrackerEnabler)();
  117.             }
  119.             $this->tokenStorage->setToken(null);
  121.             return;
  122.         }
  124.         $token $this->safelyUnserialize($token);
  126.         if (null !== $this->logger) {
  127.             $this->logger->debug('Read existing security token from the session.', [
  128.                 'key' => $this->sessionKey,
  129.                 'token_class' => \is_object($token) ? \get_class($token) : null,
  130.             ]);
  131.         }
  133.         if ($token instanceof TokenInterface) {
  134.             $originalToken $token;
  135.             $token $this->refreshUser($token);
  137.             if (!$token) {
  138.                 if ($this->dispatcher) {
  139.                     $this->dispatcher->dispatch(new TokenDeauthenticatedEvent($originalToken$request));
  140.                 }
  142.                 if ($this->rememberMeServices) {
  143.                     $this->rememberMeServices->loginFail($request);
  144.                 }
  145.             }
  146.         } elseif (null !== $token) {
  147.             if (null !== $this->logger) {
  148.                 $this->logger->warning('Expected a security token from the session, got something else.', ['key' => $this->sessionKey'received' => $token]);
  149.             }
  151.             $token null;
  152.         }
  154.         if ($this->sessionTrackerEnabler) {
  155.             ($this->sessionTrackerEnabler)();
  156.         }
  158.         $this->tokenStorage->setToken($token);
  159.     }
  161.     /**
  162.      * Writes the security token into the session.
  163.      */
  164.     public function onKernelResponse(ResponseEvent $event)
  165.     {
  166.         if (!$event->isMainRequest()) {
  167.             return;
  168.         }
  170.         $request $event->getRequest();
  172.         if (!$request->hasSession() || $request->attributes->get('_security_firewall_run') !== $this->sessionKey) {
  173.             return;
  174.         }
  176.         if ($this->dispatcher) {
  177.             $this->dispatcher->removeListener(KernelEvents::RESPONSE, [$this'onKernelResponse']);
  178.         }
  179.         $this->registered false;
  180.         $session $request->getSession();
  181.         $sessionId $session->getId();
  182.         $usageIndexValue $session instanceof Session $usageIndexReference = &$session->getUsageIndex() : null;
  183.         $token $this->tokenStorage->getToken();
  185.         if (null === $token || $this->trustResolver->isAnonymous($token)) {
  186.             if ($request->hasPreviousSession()) {
  187.                 $session->remove($this->sessionKey);
  188.             }
  189.         } else {
  190.             $session->set($this->sessionKeyserialize($token));
  192.             if (null !== $this->logger) {
  193.                 $this->logger->debug('Stored the security token in the session.', ['key' => $this->sessionKey]);
  194.             }
  195.         }
  197.         if ($this->sessionTrackerEnabler && $session->getId() === $sessionId) {
  198.             $usageIndexReference $usageIndexValue;
  199.         }
  200.     }
  202.     /**
  203.      * Refreshes the user by reloading it from the user provider.
  204.      *
  205.      * @throws \RuntimeException
  206.      */
  207.     protected function refreshUser(TokenInterface $token): ?TokenInterface
  208.     {
  209.         $user $token->getUser();
  210.         if (!$user instanceof UserInterface) {
  211.             return $token;
  212.         }
  214.         $userNotFoundByProvider false;
  215.         $userDeauthenticated false;
  216.         $userClass \get_class($user);
  218.         foreach ($this->userProviders as $provider) {
  219.             if (!$provider instanceof UserProviderInterface) {
  220.                 throw new \InvalidArgumentException(sprintf('User provider "%s" must implement "%s".'get_debug_type($provider), UserProviderInterface::class));
  221.             }
  223.             if (!$provider->supportsClass($userClass)) {
  224.                 continue;
  225.             }
  227.             try {
  228.                 $refreshedUser $provider->refreshUser($user);
  229.                 $newToken = clone $token;
  230.                 $newToken->setUser($refreshedUser);
  232.                 // tokens can be deauthenticated if the user has been changed.
  233.                 if (!$newToken->isAuthenticated()) {
  234.                     $userDeauthenticated true;
  236.                     if (null !== $this->logger) {
  237.                         // @deprecated since 5.3, change to $refreshedUser->getUserIdentifier() in 6.0
  238.                         $this->logger->debug('Cannot refresh token because user has changed.', ['username' => method_exists($refreshedUser'getUserIdentifier') ? $refreshedUser->getUserIdentifier() : $refreshedUser->getUsername(), 'provider' => \get_class($provider)]);
  239.                     }
  241.                     continue;
  242.                 }
  244.                 $token->setUser($refreshedUser);
  246.                 if (null !== $this->logger) {
  247.                     // @deprecated since 5.3, change to $refreshedUser->getUserIdentifier() in 6.0
  248.                     $context = ['provider' => \get_class($provider), 'username' => method_exists($refreshedUser'getUserIdentifier') ? $refreshedUser->getUserIdentifier() : $refreshedUser->getUsername()];
  250.                     if ($token instanceof SwitchUserToken) {
  251.                         // @deprecated since 5.3, change to $token->getUserIdentifier() in 6.0
  252.                         $context['impersonator_username'] = method_exists($token'getUserIdentifier') ? $token->getUserIdentifier() : $token->getOriginalToken()->getUsername();
  253.                     }
  255.                     $this->logger->debug('User was reloaded from a user provider.'$context);
  256.                 }
  258.                 return $token;
  259.             } catch (UnsupportedUserException $e) {
  260.                 // let's try the next user provider
  261.             } catch (UserNotFoundException $e) {
  262.                 if (null !== $this->logger) {
  263.                     $this->logger->warning('Username could not be found in the selected user provider.', ['username' => method_exists($e'getUserIdentifier') ? $e->getUserIdentifier() : $e->getUsername(), 'provider' => \get_class($provider)]);
  264.                 }
  266.                 $userNotFoundByProvider true;
  267.             }
  268.         }
  270.         if ($userDeauthenticated) {
  271.             if (null !== $this->logger) {
  272.                 $this->logger->debug('Token was deauthenticated after trying to refresh it.');
  273.             }
  275.             if ($this->dispatcher) {
  276.                 $this->dispatcher->dispatch(new DeauthenticatedEvent($token$newToken), DeauthenticatedEvent::class);
  277.             }
  279.             return null;
  280.         }
  282.         if ($userNotFoundByProvider) {
  283.             return null;
  284.         }
  286.         throw new \RuntimeException(sprintf('There is no user provider for user "%s". Shouldn\'t the "supportsClass()" method of your user provider return true for this classname?'$userClass));
  287.     }
  289.     private function safelyUnserialize(string $serializedToken)
  290.     {
  291.         $e $token null;
  292.         $prevUnserializeHandler ini_set('unserialize_callback_func'__CLASS__.'::handleUnserializeCallback');
  293.         $prevErrorHandler set_error_handler(function ($type$msg$file$line$context = []) use (&$prevErrorHandler) {
  294.             if (__FILE__ === $file) {
  295.                 throw new \ErrorException($msg0x37313bc$type$file$line);
  296.             }
  298.             return $prevErrorHandler $prevErrorHandler($type$msg$file$line$context) : false;
  299.         });
  301.         try {
  302.             $token unserialize($serializedToken);
  303.         } catch (\Throwable $e) {
  304.         }
  305.         restore_error_handler();
  306.         ini_set('unserialize_callback_func'$prevUnserializeHandler);
  307.         if ($e) {
  308.             if (!$e instanceof \ErrorException || 0x37313bc !== $e->getCode()) {
  309.                 throw $e;
  310.             }
  311.             if ($this->logger) {
  312.                 $this->logger->warning('Failed to unserialize the security token from the session.', ['key' => $this->sessionKey'received' => $serializedToken'exception' => $e]);
  313.             }
  314.         }
  316.         return $token;
  317.     }
  319.     /**
  320.      * @internal
  321.      */
  322.     public static function handleUnserializeCallback($class)
  323.     {
  324.         throw new \ErrorException('Class not found: '.$class0x37313bc);
  325.     }
  327.     public function setRememberMeServices(RememberMeServicesInterface $rememberMeServices)
  328.     {
  329.         $this->rememberMeServices $rememberMeServices;
  330.     }
  331. }