vendor/symfony/security-guard/Provider/GuardAuthenticationProvider.php line 102

Open in your IDE?
  1. <?php
  2. /*
  3.  * This file is part of the Symfony package.
  4.  *
  5.  * (c) Fabien Potencier <fabien@symfony.com>
  6.  *
  7.  * For the full copyright and license information, please view the LICENSE
  8.  * file that was distributed with this source code.
  9.  */
  10. namespace Symfony\Component\Security\Guard\Provider;
  11. use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
  12. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  13. use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
  14. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  15. use Symfony\Component\Security\Core\Exception\AuthenticationExpiredException;
  16. use Symfony\Component\Security\Core\Exception\BadCredentialsException;
  17. use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
  18. use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
  19. use Symfony\Component\Security\Core\User\UserCheckerInterface;
  20. use Symfony\Component\Security\Core\User\UserInterface;
  21. use Symfony\Component\Security\Core\User\UserProviderInterface;
  22. use Symfony\Component\Security\Guard\AuthenticatorInterface;
  23. use Symfony\Component\Security\Guard\PasswordAuthenticatedInterface;
  24. use Symfony\Component\Security\Guard\Token\GuardTokenInterface;
  25. use Symfony\Component\Security\Guard\Token\PreAuthenticationGuardToken;
  26. /**
  27.  * Responsible for accepting the PreAuthenticationGuardToken and calling
  28.  * the correct authenticator to retrieve the authenticated token.
  29.  *
  30.  * @author Ryan Weaver <ryan@knpuniversity.com>
  31.  */
  32. class GuardAuthenticationProvider implements AuthenticationProviderInterface
  33. {
  34.     /**
  35.      * @var AuthenticatorInterface[]
  36.      */
  37.     private $guardAuthenticators;
  38.     private $userProvider;
  39.     private $providerKey;
  40.     private $userChecker;
  41.     private $passwordEncoder;
  42.     /**
  43.      * @param iterable|AuthenticatorInterface[] $guardAuthenticators The authenticators, with keys that match what's passed to GuardAuthenticationListener
  44.      * @param string                            $providerKey         The provider (i.e. firewall) key
  45.      */
  46.     public function __construct(iterable $guardAuthenticatorsUserProviderInterface $userProviderstring $providerKeyUserCheckerInterface $userCheckerUserPasswordEncoderInterface $passwordEncoder null)
  47.     {
  48.         $this->guardAuthenticators $guardAuthenticators;
  49.         $this->userProvider $userProvider;
  50.         $this->providerKey $providerKey;
  51.         $this->userChecker $userChecker;
  52.         $this->passwordEncoder $passwordEncoder;
  53.     }
  54.     /**
  55.      * Finds the correct authenticator for the token and calls it.
  56.      *
  57.      * @param GuardTokenInterface $token
  58.      *
  59.      * @return TokenInterface
  60.      */
  61.     public function authenticate(TokenInterface $token)
  62.     {
  63.         if (!$token instanceof GuardTokenInterface) {
  64.             throw new \InvalidArgumentException('GuardAuthenticationProvider only supports GuardTokenInterface.');
  65.         }
  66.         if (!$token instanceof PreAuthenticationGuardToken) {
  67.             /*
  68.              * The listener *only* passes PreAuthenticationGuardToken instances.
  69.              * This means that an authenticated token (e.g. PostAuthenticationGuardToken)
  70.              * is being passed here, which happens if that token becomes
  71.              * "not authenticated" (e.g. happens if the user changes between
  72.              * requests). In this case, the user should be logged out, so
  73.              * we will return an AnonymousToken to accomplish that.
  74.              */
  75.             // this should never happen - but technically, the token is
  76.             // authenticated... so it could just be returned
  77.             if ($token->isAuthenticated()) {
  78.                 return $token;
  79.             }
  80.             // this causes the user to be logged out
  81.             throw new AuthenticationExpiredException();
  82.         }
  83.         $guardAuthenticator $this->findOriginatingAuthenticator($token);
  84.         if (null === $guardAuthenticator) {
  85.             throw new AuthenticationException(sprintf('Token with provider key "%s" did not originate from any of the guard authenticators of provider "%s".'$token->getGuardProviderKey(), $this->providerKey));
  86.         }
  87.         return $this->authenticateViaGuard($guardAuthenticator$token);
  88.     }
  89.     private function authenticateViaGuard(AuthenticatorInterface $guardAuthenticatorPreAuthenticationGuardToken $token): GuardTokenInterface
  90.     {
  91.         // get the user from the GuardAuthenticator
  92.         $user $guardAuthenticator->getUser($token->getCredentials(), $this->userProvider);
  93.         if (null === $user) {
  94.             $e = new UsernameNotFoundException(sprintf('Null returned from "%s::getUser()".', \get_class($guardAuthenticator)));
  95.             $e->setUsername($token->getUsername());
  96.             throw $e;
  97.         }
  98.         if (!$user instanceof UserInterface) {
  99.             throw new \UnexpectedValueException(sprintf('The "%s::getUser()" method must return a UserInterface. You returned "%s".', \get_class($guardAuthenticator), \is_object($user) ? \get_class($user) : \gettype($user)));
  100.         }
  101.         $this->userChecker->checkPreAuth($user);
  102.         if (true !== $checkCredentialsResult $guardAuthenticator->checkCredentials($token->getCredentials(), $user)) {
  103.             if (false !== $checkCredentialsResult) {
  104.                 @trigger_error(sprintf('"%s::checkCredentials()" must return a boolean value. You returned "%s". This behavior is deprecated in Symfony 4.4 and will trigger a TypeError in Symfony 5.', \get_class($guardAuthenticator), \is_object($checkCredentialsResult) ? \get_class($checkCredentialsResult) : \gettype($checkCredentialsResult)), \E_USER_DEPRECATED);
  105.             }
  106.             throw new BadCredentialsException(sprintf('Authentication failed because "%s::checkCredentials()" did not return true.', \get_class($guardAuthenticator)));
  107.         }
  108.         if ($this->userProvider instanceof PasswordUpgraderInterface && $guardAuthenticator instanceof PasswordAuthenticatedInterface && null !== $this->passwordEncoder && (null !== $password $guardAuthenticator->getPassword($token->getCredentials())) && method_exists($this->passwordEncoder'needsRehash') && $this->passwordEncoder->needsRehash($user)) {
  109.             $this->userProvider->upgradePassword($user$this->passwordEncoder->encodePassword($user$password));
  110.         }
  111.         $this->userChecker->checkPostAuth($user);
  112.         // turn the UserInterface into a TokenInterface
  113.         $authenticatedToken $guardAuthenticator->createAuthenticatedToken($user$this->providerKey);
  114.         if (!$authenticatedToken instanceof TokenInterface) {
  115.             throw new \UnexpectedValueException(sprintf('The "%s::createAuthenticatedToken()" method must return a TokenInterface. You returned "%s".', \get_class($guardAuthenticator), \is_object($authenticatedToken) ? \get_class($authenticatedToken) : \gettype($authenticatedToken)));
  116.         }
  117.         return $authenticatedToken;
  118.     }
  119.     private function findOriginatingAuthenticator(PreAuthenticationGuardToken $token): ?AuthenticatorInterface
  120.     {
  121.         // find the *one* GuardAuthenticator that this token originated from
  122.         foreach ($this->guardAuthenticators as $key => $guardAuthenticator) {
  123.             // get a key that's unique to *this* guard authenticator
  124.             // this MUST be the same as GuardAuthenticationListener
  125.             $uniqueGuardKey $this->providerKey.'_'.$key;
  126.             if ($uniqueGuardKey === $token->getGuardProviderKey()) {
  127.                 return $guardAuthenticator;
  128.             }
  129.         }
  130.         // no matching authenticator found - but there will be multiple GuardAuthenticationProvider
  131.         // instances that will be checked if you have multiple firewalls.
  132.         return null;
  133.     }
  134.     public function supports(TokenInterface $token)
  135.     {
  136.         if ($token instanceof PreAuthenticationGuardToken) {
  137.             return null !== $this->findOriginatingAuthenticator($token);
  138.         }
  139.         return $token instanceof GuardTokenInterface;
  140.     }
  141. }