vendor/pimcore/pimcore/bundles/AdminBundle/EventListener/AdminAuthenticationDoubleCheckListener.php line 90

Open in your IDE?
  1. <?php
  3. /**
  4.  * Pimcore
  5.  *
  6.  * This source file is available under two different licenses:
  7.  * - GNU General Public License version 3 (GPLv3)
  8.  * - Pimcore Commercial License (PCL)
  9.  * Full copyright and license information is available in
  10.  * LICENSE.md which is distributed with this source code.
  11.  *
  12.  *  @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
  13.  *  @license    http://www.pimcore.org/license     GPLv3 and PCL
  14.  */
  16. namespace Pimcore\Bundle\AdminBundle\EventListener;
  18. use Pimcore\Bundle\AdminBundle\Controller\DoubleAuthenticationControllerInterface;
  19. use Pimcore\Bundle\AdminBundle\EventListener\Traits\ControllerTypeTrait;
  20. use Pimcore\Bundle\CoreBundle\EventListener\Traits\PimcoreContextAwareTrait;
  21. use Pimcore\Http\Request\Resolver\PimcoreContextResolver;
  22. use Pimcore\Http\RequestMatcherFactory;
  23. use Pimcore\Security\User\TokenStorageUserResolver;
  24. use Pimcore\Tool\Authentication;
  25. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  26. use Symfony\Component\HttpFoundation\Request;
  27. use Symfony\Component\HttpFoundation\RequestMatcherInterface;
  28. use Symfony\Component\HttpKernel\Event\ControllerEvent;
  29. use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
  30. use Symfony\Component\HttpKernel\KernelEvents;
  32. /**
  33.  * Handles double authentication check for pimcore controllers after the firewall did to make sure the admin interface is
  34.  * not accessible on configuration errors. Unauthenticated routes are not double-checked (e.g. login).
  35.  *
  36.  * @internal
  37.  *
  38.  * @deprecated and will be removed in Pimcore 11.
  39.  */
  40. class AdminAuthenticationDoubleCheckListener implements EventSubscriberInterface
  41. {
  42.     use ControllerTypeTrait;
  43.     use PimcoreContextAwareTrait;
  45.     /**
  46.      * @var RequestMatcherFactory
  47.      */
  48.     protected $requestMatcherFactory;
  50.     /**
  51.      * @var array
  52.      */
  53.     protected $unauthenticatedRoutes;
  55.     /**
  56.      * @var RequestMatcherInterface[]
  57.      */
  58.     protected $unauthenticatedMatchers;
  60.     /**
  61.      * @var TokenStorageUserResolver
  62.      */
  63.     protected $tokenResolver;
  65.     /**
  66.      * @param RequestMatcherFactory $factory
  67.      * @param TokenStorageUserResolver $tokenResolver
  68.      * @param array $unauthenticatedRoutes
  69.      */
  70.     public function __construct(
  71.         RequestMatcherFactory $factory,
  72.         TokenStorageUserResolver $tokenResolver,
  73.         array $unauthenticatedRoutes
  74.     ) {
  75.         $this->requestMatcherFactory $factory;
  76.         $this->tokenResolver $tokenResolver;
  77.         $this->unauthenticatedRoutes $unauthenticatedRoutes;
  78.     }
  80.     /**
  81.      * {@inheritdoc}
  82.      */
  83.     public static function getSubscribedEvents(): array
  84.     {
  85.         return [
  86.             KernelEvents::CONTROLLER => 'onKernelController',
  87.         ];
  88.     }
  90.     public function onKernelController(ControllerEvent $event)
  91.     {
  92.         if (!$event->isMainRequest()) {
  93.             return;
  94.         }
  96.         $request $event->getRequest();
  98.         $isDoubleAuthController $this->isControllerType($eventDoubleAuthenticationControllerInterface::class);
  99.         $isPimcoreAdminContext $this->matchesPimcoreContext($requestPimcoreContextResolver::CONTEXT_ADMIN);
  101.         if (!$isDoubleAuthController && !$isPimcoreAdminContext) {
  102.             return;
  103.         }
  105.         // double check we have a valid user to make sure there is no invalid security config
  106.         // opening admin interface to the public
  107.         if ($this->requestNeedsAuthentication($request)) {
  108.             if ($isDoubleAuthController) {
  109.                 /** @var DoubleAuthenticationControllerInterface $controller */
  110.                 $controller $this->getControllerType($eventDoubleAuthenticationControllerInterface::class);
  112.                 if ($controller->needsSessionDoubleAuthenticationCheck()) {
  113.                     $this->checkSessionUser();
  114.                 }
  116.                 if ($controller->needsStorageDoubleAuthenticationCheck()) {
  117.                     $this->checkTokenStorageUser();
  118.                 }
  119.             } else {
  120.                 $this->checkSessionUser();
  121.                 $this->checkTokenStorageUser();
  122.             }
  123.         }
  124.     }
  126.     /**
  127.      * Check if the current request needs double authentication
  128.      *
  129.      * @param Request $request
  130.      *
  131.      * @return bool
  132.      */
  133.     protected function requestNeedsAuthentication(Request $request)
  134.     {
  135.         foreach ($this->getUnauthenticatedMatchers() as $matcher) {
  136.             if ($matcher->matches($request)) {
  137.                 return false;
  138.             }
  139.         }
  141.         return true;
  142.     }
  144.     /**
  145.      * Get list of paths which don't need double authentication check
  146.      *
  147.      * @return RequestMatcherInterface[]
  148.      */
  149.     protected function getUnauthenticatedMatchers()
  150.     {
  151.         if (null === $this->unauthenticatedMatchers) {
  152.             $this->unauthenticatedMatchers $this->requestMatcherFactory->buildRequestMatchers($this->unauthenticatedRoutes);
  153.         }
  155.         return $this->unauthenticatedMatchers;
  156.     }
  158.     /**
  159.      * @throws AccessDeniedHttpException
  160.      *      if there's no current user in the session
  161.      */
  162.     protected function checkSessionUser()
  163.     {
  164.         $user Authentication::authenticateSession();
  165.         if (null === $user) {
  166.             throw new AccessDeniedHttpException('User is invalid.');
  167.         }
  168.     }
  170.     /**
  171.      * @throws AccessDeniedHttpException
  172.      *      if there's no current user in the token storage
  173.      */
  174.     protected function checkTokenStorageUser()
  175.     {
  176.         $user $this->tokenResolver->getUser();
  178.         if (null === $user || !Authentication::isValidUser($user)) {
  179.             throw new AccessDeniedHttpException('User is invalid.');
  180.         }
  181.     }
  182. }