vendor/pimcore/pimcore/bundles/AdminBundle/EventListener/AdminAuthenticationDoubleCheckListener.php line 88

Open in your IDE?
  1. <?php
  3. /**
  4.  * Pimcore
  5.  *
  6.  * This source file is available under two different licenses:
  7.  * - GNU General Public License version 3 (GPLv3)
  8.  * - Pimcore Commercial License (PCL)
  9.  * Full copyright and license information is available in
  10.  * LICENSE.md which is distributed with this source code.
  11.  *
  12.  *  @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
  13.  *  @license    http://www.pimcore.org/license     GPLv3 and PCL
  14.  */
  16. namespace Pimcore\Bundle\AdminBundle\EventListener;
  18. use Pimcore\Bundle\AdminBundle\Controller\DoubleAuthenticationControllerInterface;
  19. use Pimcore\Bundle\AdminBundle\EventListener\Traits\ControllerTypeTrait;
  20. use Pimcore\Bundle\AdminBundle\Security\User\TokenStorageUserResolver;
  21. use Pimcore\Bundle\CoreBundle\EventListener\Traits\PimcoreContextAwareTrait;
  22. use Pimcore\Http\Request\Resolver\PimcoreContextResolver;
  23. use Pimcore\Http\RequestMatcherFactory;
  24. use Pimcore\Tool\Authentication;
  25. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  26. use Symfony\Component\HttpFoundation\Request;
  27. use Symfony\Component\HttpFoundation\RequestMatcherInterface;
  28. use Symfony\Component\HttpKernel\Event\ControllerEvent;
  29. use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
  30. use Symfony\Component\HttpKernel\KernelEvents;
  32. /**
  33.  * Handles double authentication check for pimcore controllers after the firewall did to make sure the admin interface is
  34.  * not accessible on configuration errors. Unauthenticated routes are not double-checked (e.g. login).
  35.  *
  36.  * @internal
  37.  */
  38. class AdminAuthenticationDoubleCheckListener implements EventSubscriberInterface
  39. {
  40.     use ControllerTypeTrait;
  41.     use PimcoreContextAwareTrait;
  43.     /**
  44.      * @var RequestMatcherFactory
  45.      */
  46.     protected $requestMatcherFactory;
  48.     /**
  49.      * @var array
  50.      */
  51.     protected $unauthenticatedRoutes;
  53.     /**
  54.      * @var RequestMatcherInterface[]
  55.      */
  56.     protected $unauthenticatedMatchers;
  58.     /**
  59.      * @var TokenStorageUserResolver
  60.      */
  61.     protected $tokenResolver;
  63.     /**
  64.      * @param RequestMatcherFactory $factory
  65.      * @param TokenStorageUserResolver $tokenResolver
  66.      * @param array $unauthenticatedRoutes
  67.      */
  68.     public function __construct(
  69.         RequestMatcherFactory $factory,
  70.         TokenStorageUserResolver $tokenResolver,
  71.         array $unauthenticatedRoutes
  72.     ) {
  73.         $this->requestMatcherFactory $factory;
  74.         $this->tokenResolver $tokenResolver;
  75.         $this->unauthenticatedRoutes $unauthenticatedRoutes;
  76.     }
  78.     /**
  79.      * {@inheritdoc}
  80.      */
  81.     public static function getSubscribedEvents()
  82.     {
  83.         return [
  84.             KernelEvents::CONTROLLER => 'onKernelController',
  85.         ];
  86.     }
  88.     public function onKernelController(ControllerEvent $event)
  89.     {
  90.         if (!$event->isMainRequest()) {
  91.             return;
  92.         }
  94.         $request $event->getRequest();
  96.         $isDoubleAuthController $this->isControllerType($eventDoubleAuthenticationControllerInterface::class);
  97.         $isPimcoreAdminContext $this->matchesPimcoreContext($requestPimcoreContextResolver::CONTEXT_ADMIN);
  99.         if (!$isDoubleAuthController && !$isPimcoreAdminContext) {
  100.             return;
  101.         }
  103.         // double check we have a valid user to make sure there is no invalid security config
  104.         // opening admin interface to the public
  105.         if ($this->requestNeedsAuthentication($request)) {
  106.             if ($isDoubleAuthController) {
  107.                 /** @var DoubleAuthenticationControllerInterface $controller */
  108.                 $controller $this->getControllerType($eventDoubleAuthenticationControllerInterface::class);
  110.                 if ($controller->needsSessionDoubleAuthenticationCheck()) {
  111.                     $this->checkSessionUser();
  112.                 }
  114.                 if ($controller->needsStorageDoubleAuthenticationCheck()) {
  115.                     $this->checkTokenStorageUser();
  116.                 }
  117.             } else {
  118.                 $this->checkSessionUser();
  119.                 $this->checkTokenStorageUser();
  120.             }
  121.         }
  122.     }
  124.     /**
  125.      * Check if the current request needs double authentication
  126.      *
  127.      * @param Request $request
  128.      *
  129.      * @return bool
  130.      */
  131.     protected function requestNeedsAuthentication(Request $request)
  132.     {
  133.         foreach ($this->getUnauthenticatedMatchers() as $matcher) {
  134.             if ($matcher->matches($request)) {
  135.                 return false;
  136.             }
  137.         }
  139.         return true;
  140.     }
  142.     /**
  143.      * Get list of paths which don't need double authentication check
  144.      *
  145.      * @return RequestMatcherInterface[]
  146.      */
  147.     protected function getUnauthenticatedMatchers()
  148.     {
  149.         if (null === $this->unauthenticatedMatchers) {
  150.             $this->unauthenticatedMatchers $this->requestMatcherFactory->buildRequestMatchers($this->unauthenticatedRoutes);
  151.         }
  153.         return $this->unauthenticatedMatchers;
  154.     }
  156.     /**
  157.      * @throws AccessDeniedHttpException
  158.      *      if there's no current user in the session
  159.      */
  160.     protected function checkSessionUser()
  161.     {
  162.         $user Authentication::authenticateSession();
  163.         if (null === $user) {
  164.             throw new AccessDeniedHttpException('User is invalid.');
  165.         }
  166.     }
  168.     /**
  169.      * @throws AccessDeniedHttpException
  170.      *      if there's no current user in the token storage
  171.      */
  172.     protected function checkTokenStorageUser()
  173.     {
  174.         $user $this->tokenResolver->getUser();
  176.         if (null === $user || !Authentication::isValidUser($user)) {
  177.             throw new AccessDeniedHttpException('User is invalid.');
  178.         }
  179.     }
  180. }