pimcore/lib/Pimcore/Bundle/AdminBundle/EventListener/AdminAuthenticationDoubleCheckListener.php line 86

Open in your IDE?
  1. <?php
  2. /**
  3.  * Pimcore
  4.  *
  5.  * This source file is available under two different licenses:
  6.  * - GNU General Public License version 3 (GPLv3)
  7.  * - Pimcore Enterprise License (PEL)
  8.  * Full copyright and license information is available in
  9.  * LICENSE.md which is distributed with this source code.
  10.  *
  11.  * @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
  12.  * @license    http://www.pimcore.org/license     GPLv3 and PEL
  13.  */
  15. namespace Pimcore\Bundle\AdminBundle\EventListener;
  17. use Pimcore\Bundle\AdminBundle\Controller\DoubleAuthenticationControllerInterface;
  18. use Pimcore\Bundle\AdminBundle\EventListener\Traits\ControllerTypeTrait;
  19. use Pimcore\Bundle\AdminBundle\Security\User\TokenStorageUserResolver;
  20. use Pimcore\Http\RequestMatcherFactory;
  21. use Pimcore\Tool\Authentication;
  22. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  23. use Symfony\Component\HttpFoundation\Request;
  24. use Symfony\Component\HttpFoundation\RequestMatcherInterface;
  25. use Symfony\Component\HttpKernel\Event\FilterControllerEvent;
  26. use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
  27. use Symfony\Component\HttpKernel\KernelEvents;
  29. /**
  30.  * Handles double authentication check for pimcore controllers after the firewall did to make sure the admin interface is
  31.  * not accessible on configuration errors. Unauthenticated routes are not double-checked (e.g. login).
  32.  *
  33.  * TODO: the double authentication check is currently running for every DoubleAuthenticationControllerInterface, independent
  34.  * of the request context, to ensure third party bundles using the AdminController handle authentication as well. Should we
  35.  * do this on the pimcore context instead?
  36.  */
  37. class AdminAuthenticationDoubleCheckListener implements EventSubscriberInterface
  38. {
  39.     use ControllerTypeTrait;
  41.     /**
  42.      * @var RequestMatcherFactory
  43.      */
  44.     protected $requestMatcherFactory;
  46.     /**
  47.      * @var array
  48.      */
  49.     protected $unauthenticatedRoutes;
  51.     /**
  52.      * @var RequestMatcherInterface[]
  53.      */
  54.     protected $unauthenticatedMatchers;
  56.     /**
  57.      * @var TokenStorageUserResolver
  58.      */
  59.     protected $tokenResolver;
  61.     /**
  62.      * @param RequestMatcherFactory $factory
  63.      * @param TokenStorageUserResolver $tokenResolver
  64.      * @param array $unauthenticatedRoutes
  65.      */
  66.     public function __construct(
  67.         RequestMatcherFactory $factory,
  68.         TokenStorageUserResolver $tokenResolver,
  69.         array $unauthenticatedRoutes
  70.     ) {
  71.         $this->requestMatcherFactory $factory;
  72.         $this->tokenResolver         $tokenResolver;
  73.         $this->unauthenticatedRoutes $unauthenticatedRoutes;
  74.     }
  76.     /**
  77.      * @inheritDoc
  78.      */
  79.     public static function getSubscribedEvents()
  80.     {
  81.         return [
  82.             KernelEvents::CONTROLLER => 'onKernelController'
  83.         ];
  84.     }
  86.     public function onKernelController(FilterControllerEvent $event)
  87.     {
  88.         if (!$this->isControllerType($eventDoubleAuthenticationControllerInterface::class)) {
  89.             return;
  90.         }
  92.         $request    $event->getRequest();
  94.         /** @var DoubleAuthenticationControllerInterface $controller */
  95.         $controller $this->getControllerType($eventDoubleAuthenticationControllerInterface::class);
  97.         // double check we have a valid user to make sure there is no invalid security config
  98.         // opening admin interface to the public
  99.         if ($this->requestNeedsAuthentication($request)) {
  100.             if ($controller->needsSessionDoubleAuthenticationCheck()) {
  101.                 $this->checkSessionUser();
  102.             }
  104.             if ($controller->needsStorageDoubleAuthenticationCheck()) {
  105.                 $this->checkTokenStorageUser();
  106.             }
  107.         }
  108.     }
  110.     /**
  111.      * Check if the current request needs double authentication
  112.      *
  113.      * @param Request $request
  114.      *
  115.      * @return bool
  116.      */
  117.     protected function requestNeedsAuthentication(Request $request)
  118.     {
  119.         foreach ($this->getUnauthenticatedMatchers() as $matcher) {
  120.             if ($matcher->matches($request)) {
  121.                 return false;
  122.             }
  123.         }
  125.         return true;
  126.     }
  128.     /**
  129.      * Get list of paths which don't need double authentication check
  130.      *
  131.      * @return RequestMatcherInterface[]
  132.      */
  133.     protected function getUnauthenticatedMatchers()
  134.     {
  135.         if (null === $this->unauthenticatedMatchers) {
  136.             $this->unauthenticatedMatchers $this->requestMatcherFactory->buildRequestMatchers($this->unauthenticatedRoutes);
  137.         }
  139.         return $this->unauthenticatedMatchers;
  140.     }
  142.     /**
  143.      * @throws AccessDeniedHttpException
  144.      *      if there's no current user in the session
  145.      */
  146.     protected function checkSessionUser()
  147.     {
  148.         $user Authentication::authenticateSession();
  149.         if (null === $user) {
  150.             throw new AccessDeniedHttpException('User is invalid.');
  151.         }
  152.     }
  154.     /**
  155.      * @throws AccessDeniedHttpException
  156.      *      if there's no current user in the token storage
  157.      */
  158.     protected function checkTokenStorageUser()
  159.     {
  160.         $user $this->tokenResolver->getUser();
  162.         if (null === $user || !Authentication::isValidUser($user)) {
  163.             throw new AccessDeniedHttpException('User is invalid.');
  164.         }
  165.     }
  166. }