vendor/pimcore/pimcore/bundles/AdminBundle/Security/Authenticator/AdminAbstractAuthenticator.php line 162

Open in your IDE?
  1. <?php
  3. /**
  4.  * Pimcore
  5.  *
  6.  * This source file is available under two different licenses:
  7.  * - GNU General Public License version 3 (GPLv3)
  8.  * - Pimcore Commercial License (PCL)
  9.  * Full copyright and license information is available in
  10.  * LICENSE.md which is distributed with this source code.
  11.  *
  12.  *  @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
  13.  *  @license    http://www.pimcore.org/license     GPLv3 and PCL
  14.  */
  16. namespace Pimcore\Bundle\AdminBundle\Security\Authenticator;
  18. use Pimcore\Bundle\AdminBundle\Security\Authentication\Token\TwoFactorRequiredToken;
  19. use Pimcore\Cache\RuntimeCache;
  20. use Pimcore\Model\User as UserModel;
  21. use Pimcore\Tool\Admin;
  22. use Pimcore\Tool\Authentication;
  23. use Pimcore\Tool\Session;
  24. use Psr\Log\LoggerAwareInterface;
  25. use Psr\Log\LoggerAwareTrait;
  26. use Symfony\Component\EventDispatcher\EventDispatcherInterface;
  27. use Symfony\Component\HttpFoundation\Cookie;
  28. use Symfony\Component\HttpFoundation\RedirectResponse;
  29. use Symfony\Component\HttpFoundation\Request;
  30. use Symfony\Component\HttpFoundation\Response;
  31. use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBagInterface;
  32. use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
  33. use Symfony\Component\Routing\RouterInterface;
  34. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  35. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  36. use Symfony\Component\Security\Core\Exception\TooManyLoginAttemptsAuthenticationException;
  37. use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
  38. use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
  39. use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
  40. use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
  41. use Symfony\Contracts\Translation\TranslatorInterface;
  43. /**
  44.  * @internal
  45.  */
  46. abstract class AdminAbstractAuthenticator extends AbstractAuthenticator implements AuthenticatorInterfaceLoggerAwareInterface
  47. {
  48.     public const PIMCORE_ADMIN_LOGIN 'pimcore_admin_login';
  50.     public const PIMCORE_ADMIN_LOGIN_CHECK 'pimcore_admin_login_check';
  52.     use LoggerAwareTrait;
  54.     /**
  55.      * @var bool
  56.      */
  57.     protected $twoFactorRequired false;
  59.     public function __construct(
  60.         protected EventDispatcherInterface $dispatcher,
  61.         protected RouterInterface $router,
  62.         protected TranslatorInterface $translator
  63.     ) {
  64.     }
  66.     /**
  67.      * {@inheritdoc}
  68.      */
  69.     public function onAuthenticationFailure(Request $requestAuthenticationException $exception): ?Response
  70.     {
  71.         if ($exception instanceof TooManyLoginAttemptsAuthenticationException) {
  72.             throw new AccessDeniedHttpException(strtr($exception->getMessageKey(), $exception->getMessageData()));
  73.         }
  75.         $url $this->router->generate(AdminLoginAuthenticator::PIMCORE_ADMIN_LOGIN, [
  76.             'auth_failed' => 'true',
  77.         ]);
  79.         return new RedirectResponse($url);
  80.     }
  82.     /**
  83.      * {@inheritdoc}
  84.      */
  85.     public function onAuthenticationSuccess(Request $requestTokenInterface $token$providerKey): ?Response
  86.     {
  87.         /** @var UserModel $user */
  88.         $user $token->getUser()->getUser();
  90.         // set user language
  91.         $request->setLocale($user->getLanguage());
  92.         $this->translator->setLocale($user->getLanguage());
  94.         // set user on runtime cache for legacy compatibility
  95.         RuntimeCache::set('pimcore_admin_user'$user);
  97.         if ($user->isAdmin()) {
  98.             if (Admin::isMaintenanceModeScheduledForLogin()) {
  99.                 Admin::activateMaintenanceMode(Session::getSessionId());
  100.                 Admin::unscheduleMaintenanceModeOnLogin();
  101.             }
  102.         }
  104.         // as we authenticate statelessly (short lived sessions) the authentication is called for
  105.         // every request. therefore we only redirect if we're on the login page
  106.         if (!in_array($request->attributes->get('_route'), [
  107.             AdminLoginAuthenticator::PIMCORE_ADMIN_LOGIN,
  108.             AdminLoginAuthenticator::PIMCORE_ADMIN_LOGIN_CHECK,
  109.         ])) {
  110.             return null;
  111.         }
  113.         if ($request->get('deeplink') && $request->get('deeplink') !== 'true') {
  114.             $url $this->router->generate('pimcore_admin_login_deeplink');
  115.             $url .= '?' $request->get('deeplink');
  116.         } else {
  117.             $url $this->router->generate('pimcore_admin_index', [
  118.                 '_dc' => time(),
  119.                 'perspective' => strip_tags($request->get('perspective')),
  120.             ]);
  121.         }
  123.         if ($url) {
  124.             $response = new RedirectResponse($url);
  125.             $response->headers->setCookie(new Cookie('pimcore_admin_sid'true));
  127.             return $response;
  128.         }
  130.         return null;
  131.     }
  133.     /**
  134.      * @param $user
  135.      */
  136.     protected function saveUserToSession($user): void
  137.     {
  138.         if ($user && Authentication::isValidUser($user->getUser())) {
  139.             $pimcoreUser $user->getUser();
  141.             Session::useSession(function (AttributeBagInterface $adminSession) use ($pimcoreUser) {
  142.                 Session::regenerateId();
  143.                 $adminSession->set('user'$pimcoreUser);
  145.                 // this flag gets removed after successful authentication in \Pimcore\Bundle\AdminBundle\EventListener\TwoFactorListener
  146.                 if ($pimcoreUser->getTwoFactorAuthentication('required') && $pimcoreUser->getTwoFactorAuthentication('enabled')) {
  147.                     $adminSession->set('2fa_required'true);
  148.                 }
  149.             });
  150.         }
  151.     }
  153.     public function createToken(Passport $passportstring $firewallName): TokenInterface
  154.     {
  155.         if ($this->twoFactorRequired) {
  156.             return new TwoFactorRequiredToken(
  157.                 $passport->getUser(),
  158.                 $firewallName,
  159.                 $passport->getUser()->getRoles()
  160.             );
  161.         } else {
  162.             return parent::createToken($passport$firewallName);
  163.         }
  164.     }
  166.     /**
  167.      * @deprecated
  168.      */
  169.     public function createAuthenticatedToken(PassportInterface $passportstring $firewallName): TokenInterface
  170.     {
  171.         /** @var Passport $passport */
  172.         return $this->createToken($passport$firewallName);
  173.     }
  174. }