vendor/hslavich/oneloginsaml-bundle/Security/Http/Authenticator/SamlAuthenticator.php line 35

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace Hslavich\OneloginSamlBundle\Security\Http\Authenticator;
  7. use Hslavich\OneloginSamlBundle\Event\UserCreatedEvent;
  8. use Hslavich\OneloginSamlBundle\Event\UserModifiedEvent;
  9. use Hslavich\OneloginSamlBundle\Security\Http\Authenticator\Passport\Badge\SamlAttributesBadge;
  10. use Hslavich\OneloginSamlBundle\Security\Http\Authenticator\Token\SamlToken;
  11. use Hslavich\OneloginSamlBundle\Security\User\SamlUserFactoryInterface;
  12. use Hslavich\OneloginSamlBundle\Security\User\SamlUserInterface;
  13. use Psr\Log\LoggerInterface;
  14. use Symfony\Component\HttpFoundation\RedirectResponse;
  15. use Symfony\Component\HttpFoundation\Request;
  16. use Symfony\Component\HttpFoundation\Response;
  17. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  18. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  19. use Symfony\Component\Security\Core\Exception\LogicException;
  20. use Symfony\Component\Security\Core\Exception\SessionUnavailableException;
  21. use Symfony\Component\Security\Core\Exception\UserNotFoundException;
  22. use Symfony\Component\Security\Core\User\UserInterface;
  23. use Symfony\Component\Security\Core\User\UserProviderInterface;
  24. use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
  25. use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
  26. use Symfony\Component\Security\Http\Authenticator\InteractiveAuthenticatorInterface;
  27. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
  28. use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
  29. use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
  30. use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
  31. use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
  32. use Symfony\Component\Security\Http\HttpUtils;
  33. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  35. class SamlAuthenticator implements InteractiveAuthenticatorInterfaceAuthenticationEntryPointInterface
  36. {
  37.     private $httpUtils;
  38.     private $userProvider;
  39.     private $oneLoginAuth;
  40.     private $successHandler;
  41.     private $failureHandler;
  42.     private $options;
  43.     private $userFactory;
  44.     private $eventDispatcher;
  45.     private $logger;
  47.     public function __construct(
  48.         HttpUtils $httpUtils,
  49.         UserProviderInterface $userProvider,
  50.         \OneLogin\Saml2\Auth $oneLoginAuth,
  51.         AuthenticationSuccessHandlerInterface $successHandler,
  52.         AuthenticationFailureHandlerInterface $failureHandler,
  53.         array $options,
  54.         ?SamlUserFactoryInterface $userFactory,
  55.         ?EventDispatcherInterface $eventDispatcher,
  56.         ?LoggerInterface $logger
  57.     ) {
  58.         $this->httpUtils $httpUtils;
  59.         $this->userProvider $userProvider;
  60.         $this->oneLoginAuth $oneLoginAuth;
  61.         $this->successHandler $successHandler;
  62.         $this->failureHandler $failureHandler;
  63.         $this->options $options;
  64.         $this->userFactory $userFactory;
  65.         $this->eventDispatcher $eventDispatcher;
  66.         $this->logger $logger;
  67.     }
  69.     public function supports(Request $request): ?bool
  70.     {
  71.         return $request->isMethod('POST')
  72.             && $this->httpUtils->checkRequestPath($request$this->options['check_path']);
  73.     }
  75.     public function start(Request $request, ?AuthenticationException $authException null): Response
  76.     {
  77.         return new RedirectResponse($this->httpUtils->generateUri($request$this->options['login_path']));
  78.     }
  80.     public function authenticate(Request $request): Passport
  81.     {
  82.         if (!$request->hasSession()) {
  83.             throw new SessionUnavailableException('This authentication method requires a session.');
  84.         }
  86.         if ($this->options['require_previous_session'] && !$request->hasPreviousSession()) {
  87.             throw new SessionUnavailableException('Your session has timed out, or you have disabled cookies.');
  88.         }
  90.         $this->oneLoginAuth->processResponse();
  92.         if ($this->oneLoginAuth->getErrors()) {
  93.             $errorReason $this->oneLoginAuth->getLastErrorReason();
  94.             if (null !== $this->logger) {
  95.                 $this->logger->error($errorReason);
  96.             }
  97.             throw new AuthenticationException($errorReason);
  98.         }
  100.         return $this->createPassport();
  101.     }
  103.     public function createAuthenticatedToken(PassportInterface $passportstring $firewallName): TokenInterface
  104.     {
  105.         if (!$passport instanceof Passport) {
  106.             throw new LogicException(sprintf('Passport should be an instance of "%s".'Passport::class));
  107.         }
  109.         return $this->createToken($passport$firewallName);
  110.     }
  112.     public function createToken(Passport $passportstring $firewallName): TokenInterface
  113.     {
  114.         if (!$passport->hasBadge(SamlAttributesBadge::class)) {
  115.             throw new LogicException(sprintf('Passport should contains a "%s" badge.'SamlAttributesBadge::class));
  116.         }
  118.         /** @var SamlAttributesBadge $badge */
  119.         $badge $passport->getBadge(SamlAttributesBadge::class);
  121.         return new SamlToken($passport->getUser(), $firewallName$passport->getUser()->getRoles(), $badge->getAttributes());
  122.     }
  124.     public function onAuthenticationSuccess(Request $requestTokenInterface $tokenstring $firewallName): ?Response
  125.     {
  126.         return $this->successHandler->onAuthenticationSuccess($request$token);
  127.     }
  129.     public function onAuthenticationFailure(Request $requestAuthenticationException $exception): ?Response
  130.     {
  131.         return $this->failureHandler->onAuthenticationFailure($request$exception);
  132.     }
  134.     public function isInteractive(): bool
  135.     {
  136.         return true;
  137.     }
  139.     protected function createPassport(): Passport
  140.     {
  141.         $attributes $this->extractAttributes();
  142.         $username $this->extractUsername($attributes);
  144.         $userBadge = new UserBadge(
  145.             $username,
  146.             function ($identifier) use ($attributes) {
  147.                 try {
  148.                     $user $this->userProvider->loadUserByIdentifier($identifier);
  149.                 } catch (UserNotFoundException $exception) {
  150.                     if (!$this->userFactory instanceof SamlUserFactoryInterface) {
  151.                         throw $exception;
  152.                     }
  154.                     $user $this->generateUser($identifier$attributes);
  155.                 } catch (\Throwable $exception) {
  156.                     throw new AuthenticationException('The authentication failed.'0$exception);
  157.                 }
  159.                 if ($user instanceof SamlUserInterface) {
  160.                     $user->setSamlAttributes($attributes);
  161.                     if ($this->eventDispatcher) {
  162.                         $this->eventDispatcher->dispatch(new UserModifiedEvent($user));
  163.                     }
  164.                 }
  166.                 return $user;
  167.             }
  168.         );
  170.         return new SelfValidatingPassport($userBadge, [new SamlAttributesBadge($attributes)]);
  171.     }
  173.     protected function extractAttributes(): array
  174.     {
  175.         if (isset($this->options['use_attribute_friendly_name']) && $this->options['use_attribute_friendly_name']) {
  176.             $attributes $this->oneLoginAuth->getAttributesWithFriendlyName();
  177.         } else {
  178.             $attributes $this->oneLoginAuth->getAttributes();
  179.         }
  180.         $attributes['sessionIndex'] = $this->oneLoginAuth->getSessionIndex();
  182.         return $attributes;
  183.     }
  185.     protected function extractUsername(array $attributes): string
  186.     {
  187.         if (isset($this->options['username_attribute'])) {
  188.             if (!\array_key_exists($this->options['username_attribute'], $attributes)) {
  189.                 if (null !== $this->logger) {
  190.                     $this->logger->error('Found attributes: '.print_r($attributestrue));
  191.                 }
  192.                 throw new \RuntimeException('Attribute "'.$this->options['username_attribute'].'" not found in SAML data');
  193.             }
  195.             return $attributes[$this->options['username_attribute']][0];
  196.         }
  198.         return $this->oneLoginAuth->getNameId();
  199.     }
  201.     protected function generateUser(string $username, array $attributes): UserInterface
  202.     {
  203.         $user $this->userFactory->createUser($username$attributes);
  205.         if ($this->eventDispatcher) {
  206.             $this->eventDispatcher->dispatch(new UserCreatedEvent($user));
  207.         }
  209.         return $user;
  210.     }
  211. }