vendor/pimcore/pimcore/bundles/AdminBundle/Security/Guard/AdminAuthenticator.php line 127

Open in your IDE?
  1. <?php
  3. /**
  4. * Pimcore
  5. *
  6. * This source file is available under two different licenses:
  7. * - GNU General Public License version 3 (GPLv3)
  8. * - Pimcore Commercial License (PCL)
  9. * Full copyright and license information is available in
  10. * LICENSE.md which is distributed with this source code.
  11. *
  12. * @copyright Copyright (c) Pimcore GmbH (http://www.pimcore.org)
  13. * @license http://www.pimcore.org/license GPLv3 and PCL
  14. */
  16. namespace Pimcore\Bundle\AdminBundle\Security\Guard;
  18. use Pimcore\Bundle\AdminBundle\Security\Authentication\Token\TwoFactorRequiredToken;
  19. use Pimcore\Bundle\AdminBundle\Security\BruteforceProtectionHandler;
  20. use Pimcore\Bundle\AdminBundle\Security\User\User;
  21. use Pimcore\Cache\Runtime;
  22. use Pimcore\Event\Admin\Login\LoginCredentialsEvent;
  23. use Pimcore\Event\Admin\Login\LoginFailedEvent;
  24. use Pimcore\Event\Admin\Login\LoginRedirectEvent;
  25. use Pimcore\Event\AdminEvents;
  26. use Pimcore\Model\User as UserModel;
  27. use Pimcore\Tool\Admin;
  28. use Pimcore\Tool\Authentication;
  29. use Pimcore\Tool\Session;
  30. use Psr\Log\LoggerAwareInterface;
  31. use Psr\Log\LoggerAwareTrait;
  32. use Symfony\Component\EventDispatcher\EventDispatcherInterface;
  33. use Symfony\Component\HttpFoundation\Cookie;
  34. use Symfony\Component\HttpFoundation\RedirectResponse;
  35. use Symfony\Component\HttpFoundation\Request;
  36. use Symfony\Component\HttpFoundation\Response;
  37. use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBagInterface;
  38. use Symfony\Component\Routing\RouterInterface;
  39. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  40. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  41. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  42. use Symfony\Component\Security\Core\User\UserInterface;
  43. use Symfony\Component\Security\Core\User\UserProviderInterface;
  44. use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
  45. use Symfony\Component\Security\Http\HttpUtils;
  46. use Symfony\Contracts\Translation\TranslatorInterface;
  48. /**
  49. * @internal
  50. */
  51. class AdminAuthenticator extends AbstractGuardAuthenticator implements LoggerAwareInterface
  52. {
  53. use LoggerAwareTrait;
  55. /**
  56. * @var TokenStorageInterface
  57. */
  58. protected $tokenStorage;
  60. /**
  61. * @var RouterInterface
  62. */
  63. protected $router;
  65. /**
  66. * @var EventDispatcherInterface
  67. */
  68. protected $dispatcher;
  70. /**
  71. * @var TranslatorInterface
  72. */
  73. protected $translator;
  75. /**
  76. * @var HttpUtils
  77. */
  78. protected $httpUtils;
  80. /**
  81. * @var BruteforceProtectionHandler
  82. */
  83. protected $bruteforceProtectionHandler;
  85. /**
  86. * @var bool
  87. */
  88. protected $twoFactorRequired = false;
  90. /**
  91. * @param TokenStorageInterface $tokenStorage
  92. * @param RouterInterface $router
  93. * @param EventDispatcherInterface $dispatcher
  94. * @param TranslatorInterface $translator
  95. * @param HttpUtils $httpUtils
  96. * @param BruteforceProtectionHandler $bruteforceProtectionHandler
  97. */
  98. public function __construct(
  99. TokenStorageInterface $tokenStorage,
  100. RouterInterface $router,
  101. EventDispatcherInterface $dispatcher,
  102. TranslatorInterface $translator,
  103. HttpUtils $httpUtils,
  104. BruteforceProtectionHandler $bruteforceProtectionHandler
  105. ) {
  106. $this->tokenStorage = $tokenStorage;
  107. $this->router = $router;
  108. $this->dispatcher = $dispatcher;
  109. $this->translator = $translator;
  110. $this->httpUtils = $httpUtils;
  112. $this->bruteforceProtectionHandler = $bruteforceProtectionHandler;
  113. }
  115. /**
  116. * {@inheritdoc}
  117. */
  118. public function supports(Request $request)
  119. {
  120. return $request->attributes->get('_route') === 'pimcore_admin_login_check'
  121. || Authentication::authenticateSession($request);
  122. }
  124. /**
  125. * {@inheritdoc}
  126. */
  127. public function start(Request $request, AuthenticationException $authException = null)
  128. {
  129. if ($request->isXmlHttpRequest()) {
  130. // TODO use a JSON formatted error response?
  131. $response = new Response('Session expired or unauthorized request. Please reload and try again!');
  132. $response->setStatusCode(Response::HTTP_FORBIDDEN);
  134. return $response;
  135. }
  137. $event = new LoginRedirectEvent('pimcore_admin_login', ['perspective' => strip_tags($request->get('perspective'))]);
  138. $this->dispatcher->dispatch($event, AdminEvents::LOGIN_REDIRECT);
  140. $url = $this->router->generate($event->getRouteName(), $event->getRouteParams());
  142. return new RedirectResponse($url);
  143. }
  145. /**
  146. * {@inheritdoc}
  147. */
  148. public function getCredentials(Request $request)
  149. {
  150. $credentials = [];
  152. if ($request->attributes->get('_route') === 'pimcore_admin_login_check') {
  153. $username = $request->get('username');
  154. if ($request->getMethod() === 'POST' && $request->get('password') && $username) {
  155. $this->bruteforceProtectionHandler->checkProtection($username);
  156. $credentials = [
  157. 'username' => $username,
  158. 'password' => $request->get('password'),
  159. ];
  160. } elseif ($token = $request->get('token')) {
  161. $this->bruteforceProtectionHandler->checkProtection();
  162. $credentials = [
  163. 'token' => $token,
  164. 'reset' => (bool) $request->get('reset', false),
  165. ];
  166. } else {
  167. $this->bruteforceProtectionHandler->checkProtection();
  169. throw new AuthenticationException('Missing username or token');
  170. }
  172. $event = new LoginCredentialsEvent($request, $credentials);
  173. $this->dispatcher->dispatch($event, AdminEvents::LOGIN_CREDENTIALS);
  175. return $event->getCredentials();
  176. } else {
  177. if ($pimcoreUser = Authentication::authenticateSession($request)) {
  178. return [
  179. 'user' => $pimcoreUser,
  180. ];
  181. }
  182. }
  184. return $credentials;
  185. }
  187. /**
  188. * {@inheritdoc}
  189. */
  190. public function getUser($credentials, UserProviderInterface $userProvider)
  191. {
  192. /** @var User|null $user */
  193. $user = null;
  195. if (!is_array($credentials)) {
  196. throw new AuthenticationException('Invalid credentials');
  197. }
  199. if (isset($credentials['user']) && $credentials['user'] instanceof UserModel) {
  200. $user = new User($credentials['user']);
  201. $session = Session::getReadOnly();
  202. if ($session->has('2fa_required') && $session->get('2fa_required') === true) {
  203. $this->twoFactorRequired = true;
  204. }
  205. } else {
  206. if (!isset($credentials['username']) && !isset($credentials['token'])) {
  207. throw new AuthenticationException('Missing username/token');
  208. }
  210. if (isset($credentials['password'])) {
  211. $pimcoreUser = Authentication::authenticatePlaintext($credentials['username'], $credentials['password']);
  213. if ($pimcoreUser) {
  214. $user = new User($pimcoreUser);
  215. } else {
  216. // trigger LOGIN_FAILED event if user could not be authenticated via username/password
  217. $event = new LoginFailedEvent($credentials);
  218. $this->dispatcher->dispatch($event, AdminEvents::LOGIN_FAILED);
  220. if ($event->hasUser()) {
  221. $user = new User($event->getUser());
  222. } else {
  223. throw new AuthenticationException('Failed to authenticate with username and password');
  224. }
  225. }
  226. } elseif (isset($credentials['token'])) {
  227. $pimcoreUser = Authentication::authenticateToken($credentials['token']);
  229. if ($pimcoreUser) {
  230. //disable two factor authentication for token based credentials e.g. reset password, admin access links
  231. $pimcoreUser->setTwoFactorAuthentication('required', false);
  232. $user = new User($pimcoreUser);
  233. } else {
  234. throw new AuthenticationException('Failed to authenticate with username and token');
  235. }
  237. if ($credentials['reset']) {
  238. // save the information to session when the user want's to reset the password
  239. // this is because otherwise the old password is required => see also PIMCORE-1468
  241. Session::useSession(function (AttributeBagInterface $adminSession) {
  242. $adminSession->set('password_reset', true);
  243. });
  244. }
  245. } else {
  246. throw new AuthenticationException('Invalid authentication method, must be either password or token');
  247. }
  249. if ($user && Authentication::isValidUser($user->getUser())) {
  250. $pimcoreUser = $user->getUser();
  252. Session::useSession(function (AttributeBagInterface $adminSession) use ($pimcoreUser) {
  253. Session::regenerateId();
  254. $adminSession->set('user', $pimcoreUser);
  256. // this flag gets removed after successful authentication in \Pimcore\Bundle\AdminBundle\EventListener\TwoFactorListener
  257. if ($pimcoreUser->getTwoFactorAuthentication('required') && $pimcoreUser->getTwoFactorAuthentication('enabled')) {
  258. $adminSession->set('2fa_required', true);
  259. }
  260. });
  261. }
  262. }
  264. return $user;
  265. }
  267. /**
  268. * {@inheritdoc}
  269. */
  270. public function checkCredentials($credentials, UserInterface $user)
  271. {
  272. // we rely on getUser returning a valid user
  273. if ($user instanceof User) {
  274. return true;
  275. }
  277. return false;
  278. }
  280. /**
  281. * {@inheritdoc}
  282. */
  283. public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
  284. {
  285. $this->bruteforceProtectionHandler->addEntry($request->get('username'), $request);
  287. $url = $this->router->generate('pimcore_admin_login', [
  288. 'auth_failed' => 'true',
  289. ]);
  291. return new RedirectResponse($url);
  292. }
  294. /**
  295. * {@inheritdoc}
  296. */
  297. public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
  298. {
  299. /** @var UserModel $user */
  300. $user = $token->getUser()->getUser();
  302. // set user language
  303. $request->setLocale($user->getLanguage());
  304. $this->translator->setLocale($user->getLanguage());
  306. // set user on runtime cache for legacy compatibility
  307. Runtime::set('pimcore_admin_user', $user);
  309. if ($user->isAdmin()) {
  310. if (Admin::isMaintenanceModeScheduledForLogin()) {
  311. Admin::activateMaintenanceMode(Session::getSessionId());
  312. Admin::unscheduleMaintenanceModeOnLogin();
  313. }
  314. }
  316. // as we authenticate statelessly (short lived sessions) the authentication is called for
  317. // every request. therefore we only redirect if we're on the login page
  318. if (!in_array($request->attributes->get('_route'), [
  319. 'pimcore_admin_login',
  320. 'pimcore_admin_login_check',
  321. ])) {
  322. return null;
  323. }
  325. $url = null;
  326. if ($request->get('deeplink') && $request->get('deeplink') !== 'true') {
  327. $url = $this->router->generate('pimcore_admin_login_deeplink');
  328. $url .= '?' . $request->get('deeplink');
  329. } else {
  330. $url = $this->router->generate('pimcore_admin_index', [
  331. '_dc' => time(),
  332. 'perspective' => strip_tags($request->get('perspective')),
  333. ]);
  334. }
  336. if ($url) {
  337. $response = new RedirectResponse($url);
  338. $response->headers->setCookie(new Cookie('pimcore_admin_sid', true, 0, '/', null, false, true));
  340. return $response;
  341. }
  343. return null;
  344. }
  346. /**
  347. * {@inheritdoc}
  348. */
  349. public function supportsRememberMe()
  350. {
  351. return false;
  352. }
  354. public function createAuthenticatedToken(UserInterface $user, $providerKey)
  355. {
  356. if ($this->twoFactorRequired) {
  357. return new TwoFactorRequiredToken(
  358. $user,
  359. $providerKey,
  360. $user->getRoles()
  361. );
  362. } else {
  363. return parent::createAuthenticatedToken($user, $providerKey);
  364. }
  365. }
  366. }