vendor/pimcore/pimcore/bundles/AdminBundle/Security/Guard/AdminAuthenticator.php line 365

Open in your IDE?
  1. <?php
  3. /**
  4.  * Pimcore
  5.  *
  6.  * This source file is available under two different licenses:
  7.  * - GNU General Public License version 3 (GPLv3)
  8.  * - Pimcore Commercial License (PCL)
  9.  * Full copyright and license information is available in
  10.  * LICENSE.md which is distributed with this source code.
  11.  *
  12.  *  @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
  13.  *  @license    http://www.pimcore.org/license     GPLv3 and PCL
  14.  */
  16. namespace Pimcore\Bundle\AdminBundle\Security\Guard;
  18. use Pimcore\Bundle\AdminBundle\Security\Authentication\Token\LegacyTwoFactorRequiredToken;
  19. use Pimcore\Bundle\AdminBundle\Security\BruteforceProtectionHandler;
  20. use Pimcore\Bundle\AdminBundle\Security\User\User;
  21. use Pimcore\Cache\RuntimeCache;
  22. use Pimcore\Event\Admin\Login\LoginCredentialsEvent;
  23. use Pimcore\Event\Admin\Login\LoginFailedEvent;
  24. use Pimcore\Event\Admin\Login\LoginRedirectEvent;
  25. use Pimcore\Event\AdminEvents;
  26. use Pimcore\Model\User as UserModel;
  27. use Pimcore\Tool\Admin;
  28. use Pimcore\Tool\Authentication;
  29. use Pimcore\Tool\Session;
  30. use Psr\Log\LoggerAwareInterface;
  31. use Psr\Log\LoggerAwareTrait;
  32. use Symfony\Component\EventDispatcher\EventDispatcherInterface;
  33. use Symfony\Component\HttpFoundation\Cookie;
  34. use Symfony\Component\HttpFoundation\RedirectResponse;
  35. use Symfony\Component\HttpFoundation\Request;
  36. use Symfony\Component\HttpFoundation\Response;
  37. use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBagInterface;
  38. use Symfony\Component\Routing\RouterInterface;
  39. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  40. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  41. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  42. use Symfony\Component\Security\Core\User\UserInterface;
  43. use Symfony\Component\Security\Core\User\UserProviderInterface;
  44. use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
  45. use Symfony\Component\Security\Http\HttpUtils;
  46. use Symfony\Contracts\Translation\TranslatorInterface;
  48. /**
  49.  * @internal
  50.  *
  51.  * @deprecated will be removed in Pimcore 11
  52.  */
  53. class AdminAuthenticator extends AbstractGuardAuthenticator implements LoggerAwareInterface
  54. {
  55.     use LoggerAwareTrait;
  57.     /**
  58.      * @var TokenStorageInterface
  59.      */
  60.     protected $tokenStorage;
  62.     /**
  63.      * @var RouterInterface
  64.      */
  65.     protected $router;
  67.     /**
  68.      * @var EventDispatcherInterface
  69.      */
  70.     protected $dispatcher;
  72.     /**
  73.      * @var TranslatorInterface
  74.      */
  75.     protected $translator;
  77.     /**
  78.      * @var HttpUtils
  79.      */
  80.     protected $httpUtils;
  82.     /**
  83.      * @var BruteforceProtectionHandler
  84.      */
  85.     protected $bruteforceProtectionHandler;
  87.     /**
  88.      * @var bool
  89.      */
  90.     protected $twoFactorRequired false;
  92.     /**
  93.      * @param TokenStorageInterface $tokenStorage
  94.      * @param RouterInterface $router
  95.      * @param EventDispatcherInterface $dispatcher
  96.      * @param TranslatorInterface $translator
  97.      * @param HttpUtils $httpUtils
  98.      * @param BruteforceProtectionHandler $bruteforceProtectionHandler
  99.      */
  100.     public function __construct(
  101.         TokenStorageInterface $tokenStorage,
  102.         RouterInterface $router,
  103.         EventDispatcherInterface $dispatcher,
  104.         TranslatorInterface $translator,
  105.         HttpUtils $httpUtils,
  106.         BruteforceProtectionHandler $bruteforceProtectionHandler
  107.     ) {
  108.         $this->tokenStorage $tokenStorage;
  109.         $this->router $router;
  110.         $this->dispatcher $dispatcher;
  111.         $this->translator $translator;
  112.         $this->httpUtils $httpUtils;
  114.         $this->bruteforceProtectionHandler $bruteforceProtectionHandler;
  115.     }
  117.     /**
  118.      * {@inheritdoc}
  119.      */
  120.     public function supports(Request $request)
  121.     {
  122.         return $request->attributes->get('_route') === 'pimcore_admin_login_check'
  123.             || Authentication::authenticateSession($request);
  124.     }
  126.     /**
  127.      * {@inheritdoc}
  128.      */
  129.     public function start(Request $requestAuthenticationException $authException null)
  130.     {
  131.         if ($request->isXmlHttpRequest()) {
  132.             // TODO use a JSON formatted error response?
  133.             $response = new Response('Session expired or unauthorized request. Please reload and try again!');
  134.             $response->setStatusCode(Response::HTTP_FORBIDDEN);
  136.             return $response;
  137.         }
  139.         $event = new LoginRedirectEvent('pimcore_admin_login', ['perspective' => strip_tags($request->get('perspective'''))]);
  140.         $this->dispatcher->dispatch($eventAdminEvents::LOGIN_REDIRECT);
  142.         $url $this->router->generate($event->getRouteName(), $event->getRouteParams());
  144.         return new RedirectResponse($url);
  145.     }
  147.     /**
  148.      * {@inheritdoc}
  149.      */
  150.     public function getCredentials(Request $request)
  151.     {
  152.         $credentials = [];
  154.         if ($request->attributes->get('_route') === 'pimcore_admin_login_check') {
  155.             $username $request->get('username');
  156.             if ($request->getMethod() === 'POST' && $request->get('password') && $username) {
  157.                 $this->bruteforceProtectionHandler->checkProtection($username);
  158.                 $credentials = [
  159.                     'username' => $username,
  160.                     'password' => $request->get('password'),
  161.                 ];
  162.             } elseif ($token $request->get('token')) {
  163.                 $this->bruteforceProtectionHandler->checkProtection();
  164.                 $credentials = [
  165.                     'token' => $token,
  166.                     'reset' => (bool) $request->get('reset'false),
  167.                 ];
  168.             } else {
  169.                 $this->bruteforceProtectionHandler->checkProtection();
  171.                 throw new AuthenticationException('Missing username or token');
  172.             }
  174.             $event = new LoginCredentialsEvent($request$credentials);
  175.             $this->dispatcher->dispatch($eventAdminEvents::LOGIN_CREDENTIALS);
  177.             return $event->getCredentials();
  178.         } else {
  179.             if ($pimcoreUser Authentication::authenticateSession($request)) {
  180.                 return [
  181.                     'user' => $pimcoreUser,
  182.                 ];
  183.             }
  184.         }
  186.         return $credentials;
  187.     }
  189.     /**
  190.      * {@inheritdoc}
  191.      */
  192.     public function getUser($credentialsUserProviderInterface $userProvider)
  193.     {
  194.         /** @var User|null $user */
  195.         $user null;
  197.         if (!is_array($credentials)) {
  198.             throw new AuthenticationException('Invalid credentials');
  199.         }
  201.         if (isset($credentials['user']) && $credentials['user'] instanceof UserModel) {
  202.             $user = new User($credentials['user']);
  203.             $session Session::getReadOnly();
  204.             if ($session->has('2fa_required') && $session->get('2fa_required') === true) {
  205.                 $this->twoFactorRequired true;
  206.             }
  207.         } else {
  208.             if (!isset($credentials['username']) && !isset($credentials['token'])) {
  209.                 throw new AuthenticationException('Missing username/token');
  210.             }
  212.             if (isset($credentials['password'])) {
  213.                 $pimcoreUser Authentication::authenticatePlaintext($credentials['username'], $credentials['password']);
  215.                 if ($pimcoreUser) {
  216.                     $user = new User($pimcoreUser);
  217.                 } else {
  218.                     // trigger LOGIN_FAILED event if user could not be authenticated via username/password
  219.                     $event = new LoginFailedEvent($credentials);
  220.                     $this->dispatcher->dispatch($eventAdminEvents::LOGIN_FAILED);
  222.                     if ($event->hasUser()) {
  223.                         $user = new User($event->getUser());
  224.                     } else {
  225.                         throw new AuthenticationException('Failed to authenticate with username and password');
  226.                     }
  227.                 }
  228.             } elseif (isset($credentials['token'])) {
  229.                 $pimcoreUser Authentication::authenticateToken($credentials['token']);
  231.                 if ($pimcoreUser) {
  232.                     //disable two factor authentication for token based credentials e.g. reset password, admin access links
  233.                     $pimcoreUser->setTwoFactorAuthentication('required'false);
  234.                     $user = new User($pimcoreUser);
  235.                 } else {
  236.                     throw new AuthenticationException('Failed to authenticate with username and token');
  237.                 }
  239.                 if ($credentials['reset']) {
  240.                     // save the information to session when the user want's to reset the password
  241.                     // this is because otherwise the old password is required => see also PIMCORE-1468
  243.                     Session::useSession(function (AttributeBagInterface $adminSession) {
  244.                         $adminSession->set('password_reset'true);
  245.                     });
  246.                 }
  247.             } else {
  248.                 throw new AuthenticationException('Invalid authentication method, must be either password or token');
  249.             }
  251.             if ($user && Authentication::isValidUser($user->getUser())) {
  252.                 $pimcoreUser $user->getUser();
  254.                 Session::useSession(function (AttributeBagInterface $adminSession) use ($pimcoreUser) {
  255.                     Session::regenerateId();
  256.                     $adminSession->set('user'$pimcoreUser);
  258.                     // this flag gets removed after successful authentication in \Pimcore\Bundle\AdminBundle\EventListener\TwoFactorListener
  259.                     if ($pimcoreUser->getTwoFactorAuthentication('required') && $pimcoreUser->getTwoFactorAuthentication('enabled')) {
  260.                         $adminSession->set('2fa_required'true);
  261.                     }
  262.                 });
  263.             }
  264.         }
  266.         return $user;
  267.     }
  269.     /**
  270.      * {@inheritdoc}
  271.      */
  272.     public function checkCredentials($credentialsUserInterface $user)
  273.     {
  274.         // we rely on getUser returning a valid user
  275.         if ($user instanceof User) {
  276.             return true;
  277.         }
  279.         return false;
  280.     }
  282.     /**
  283.      * {@inheritdoc}
  284.      */
  285.     public function onAuthenticationFailure(Request $requestAuthenticationException $exception)
  286.     {
  287.         $this->bruteforceProtectionHandler->addEntry($request->get('username'), $request);
  289.         $url $this->router->generate('pimcore_admin_login', [
  290.             'auth_failed' => 'true',
  291.         ]);
  293.         return new RedirectResponse($url);
  294.     }
  296.     /**
  297.      * {@inheritdoc}
  298.      */
  299.     public function onAuthenticationSuccess(Request $requestTokenInterface $token$providerKey)
  300.     {
  301.         /** @var UserModel $user */
  302.         $user $token->getUser()->getUser();
  304.         // set user language
  305.         $request->setLocale($user->getLanguage());
  306.         $this->translator->setLocale($user->getLanguage());
  308.         // set user on runtime cache for legacy compatibility
  309.         RuntimeCache::set('pimcore_admin_user'$user);
  311.         if ($user->isAdmin()) {
  312.             if (Admin::isMaintenanceModeScheduledForLogin()) {
  313.                 Admin::activateMaintenanceMode(Session::getSessionId());
  314.                 Admin::unscheduleMaintenanceModeOnLogin();
  315.             }
  316.         }
  318.         // as we authenticate statelessly (short lived sessions) the authentication is called for
  319.         // every request. therefore we only redirect if we're on the login page
  320.         if (!in_array($request->attributes->get('_route'), [
  321.             'pimcore_admin_login',
  322.             'pimcore_admin_login_check',
  323.         ])) {
  324.             return null;
  325.         }
  327.         $url null;
  328.         if ($request->get('deeplink') && $request->get('deeplink') !== 'true') {
  329.             $url $this->router->generate('pimcore_admin_login_deeplink');
  330.             $url .= '?' $request->get('deeplink');
  331.         } else {
  332.             $url $this->router->generate('pimcore_admin_index', [
  333.                 '_dc' => time(),
  334.                 'perspective' => strip_tags($request->get('perspective''')),
  335.             ]);
  336.         }
  338.         if ($url) {
  339.             $response = new RedirectResponse($url);
  340.             $response->headers->setCookie(new Cookie('pimcore_admin_sid'true));
  342.             return $response;
  343.         }
  345.         return null;
  346.     }
  348.     /**
  349.      * {@inheritdoc}
  350.      */
  351.     public function supportsRememberMe()
  352.     {
  353.         return false;
  354.     }
  356.     public function createAuthenticatedToken(UserInterface $user$providerKey)
  357.     {
  358.         if ($this->twoFactorRequired) {
  359.             return new LegacyTwoFactorRequiredToken(
  360.                 $user,
  361.                 $providerKey,
  362.                 $user->getRoles()
  363.             );
  364.         } else {
  365.             return parent::createAuthenticatedToken($user$providerKey);
  366.         }
  367.     }
  368. }