src/Platform/SecurityBundle/Service/Firewalls/DashboardSecuritySubscriber.php line 199

Open in your IDE?
  1. <?php
  3. namespace Platform\SecurityBundle\Service\Firewalls;
  5. use Cms\CoreBundle\Util\Doctrine\EntityManager;
  6. use Cms\FrontendBundle\Service\FrontendBuilder;
  7. use Cms\TenantBundle\Entity\Tenant;
  8. use Cms\TenantBundle\Model\ProductsBitwise;
  9. use Platform\SecurityBundle\Entity\Identity\Account;
  10. use Platform\SecurityBundle\Entity\Login\Attempt;
  11. use Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface;
  12. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  13. use Symfony\Component\HttpFoundation\Cookie;
  14. use Symfony\Component\HttpFoundation\RedirectResponse;
  15. use Symfony\Component\Routing\RouterInterface;
  16. use Symfony\Component\Security\Core\Event\AuthenticationSuccessEvent;
  17. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  18. use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
  19. use Symfony\Component\Security\Http\Event\LoginFailureEvent;
  20. use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
  21. use Symfony\Component\Security\Http\Event\LogoutEvent;
  23. /**
  24.  * TODO: have this registered to the dashboard firewalls dispatcher...
  25.  * Handles various security event handling relating to the "dashboard" firewall specifically.
  26.  */
  27. final class DashboardSecuritySubscriber implements EventSubscriberInterface
  28. {
  29.     /**
  30.      * @var ParameterBagInterface
  31.      */
  32.     private ParameterBagInterface $params;
  34.     /**
  35.      * @var EntityManager
  36.      */
  37.     private EntityManager $em;
  39.     /**
  40.      * @var RouterInterface
  41.      */
  42.     private RouterInterface $router;
  44.     /**
  45.      * @param ParameterBagInterface $params
  46.      * @param EntityManager $em
  47.      * @param RouterInterface $router
  48.      */
  49.     public function __construct(
  50.         ParameterBagInterface $params,
  51.         EntityManager $em,
  52.         RouterInterface $router
  53.     )
  54.     {
  55.         $this->params $params;
  56.         $this->em $em;
  57.         $this->router $router;
  58.     }
  60.     /**
  61.      * {@inheritDoc}
  62.      */
  63.     public static function getSubscribedEvents(): array
  64.     {
  65.         return [
  66.             AuthenticationSuccessEvent::class => [
  67.                 ['onAuthenticationSuccessCheckSystemStatus'0],
  68.                 ['onAuthenticationSuccessCheckTenantStatus'0],
  69.                 ['onAuthenticationSuccessCheckAttempts'0],
  70.                 ['onAuthenticationSuccessCheckUserStatus'0],
  71.             ],
  72.             LoginFailureEvent::class => [
  73.                 ['onLoginFailureRedirectToLogin'0],
  74.             ],
  75.             LoginSuccessEvent::class => [
  76.                 ['onLoginSuccessLastLoggedInUpdate'0],
  77.                 ['onLoginSuccessRedirection'0],
  78.             ],
  79.             LogoutEvent::class => [
  80.                 ['onLogout'0],
  81.             ],
  82.         ];
  83.     }
  85.     /**
  86.      * Handles checking whether logins for the entire system are enabled/disabled.
  87.      * This is reserved for future use; there may be times when we need to ensure people cannot log in to the system.
  88.      *
  89.      * @param AuthenticationSuccessEvent $event
  90.      * @return void
  91.      */
  92.     public function onAuthenticationSuccessCheckSystemStatus(AuthenticationSuccessEvent $event): void
  93.     {
  94.         // get the user
  95.         $user $event->getAuthenticationToken()->getUser();
  96.         if ( ! $user instanceof Account) {
  97.             return;
  98.         }
  100.         // allow csadmin to continue to log in while in this state
  101.         if ($user->getEmail() === $this->params->get('app.security.csadmin.username')) {
  102.             return;
  103.         }
  105.         // NOOP: reserved for future use...
  106.         if (false) {
  107.             throw new AuthenticationException(
  108.                 'Logins to the system are currently disabled.',
  109.             );
  110.         }
  111.     }
  113.     /**
  114.      * Checks that the tenant attached to the user is in an operable status.
  115.      *
  116.      * @param AuthenticationSuccessEvent $event
  117.      * @return void
  118.      */
  119.     public function onAuthenticationSuccessCheckTenantStatus(AuthenticationSuccessEvent $event): void
  120.     {
  121.         // get the user
  122.         $user $event->getAuthenticationToken()->getUser();
  123.         if ( ! $user instanceof Account) {
  124.             return;
  125.         }
  127.         // allow csadmin to continue to log in while in this state
  128.         if ($user->getEmail() === $this->params->get('app.security.csadmin.username')) {
  129.             return;
  130.         }
  132.         // tenant must be marked as "ok" in order for logins to continue to function
  133.         if ($user->getTenant()->getStatus() !== Tenant::STATUS__OK) {
  134.             throw new AuthenticationException(
  135.                 'Logins to this instance are currently disabled.',
  136.             );
  137.         }
  138.     }
  140.     /**
  141.      * TODO: should probably add a tenant setting/property to control this check, in the events when customers goof and need to get in...
  142.      * Checks whether too many failed logins have been attempted for the given instance.
  143.      *
  144.      * @param AuthenticationSuccessEvent $event
  145.      * @return void
  146.      */
  147.     public function onAuthenticationSuccessCheckAttempts(AuthenticationSuccessEvent $event): void
  148.     {
  149.         // get the user
  150.         $user $event->getAuthenticationToken()->getUser();
  151.         if ( ! $user instanceof Account) {
  152.             return;
  153.         }
  155.         // allow csadmin to continue to log in while in this state
  156.         if ($user->getEmail() === $this->params->get('app.security.csadmin.username')) {
  157.             return;
  158.         }
  160.         // count how many failed logins for this customer in the last bit of time
  161.         $count $this->em->getRepository(Attempt::class)->countLastHourFailed(
  162.             $user->getTenant(),
  163.         );
  165.         // check if the account exceeds our threshold
  166.         if ($count 250) {
  167.             throw new AuthenticationException(
  168.                 'Logins for this instance are currently disabled.',
  169.             );
  170.         }
  171.     }
  173.     /**
  174.      * Checks that the user is a proper, active status when logging in.
  175.      *
  176.      * @param AuthenticationSuccessEvent $event
  177.      * @return void
  178.      */
  179.     public function onAuthenticationSuccessCheckUserStatus(AuthenticationSuccessEvent $event): void
  180.     {
  181.         // get the user
  182.         $user $event->getAuthenticationToken()->getUser();
  183.         if ( ! $user instanceof Account) {
  184.             return;
  185.         }
  187.         // if the account is not active, we need to reject the login
  188.         if ( ! $user->isActive()) {
  189.             throw new AuthenticationException(
  190.                 'Logins to this account are currently disabled.',
  191.             );
  192.         }
  193.     }
  195.     /**
  196.      * @param LoginFailureEvent $event
  197.      * @return void
  198.      */
  199.     public function onLoginFailureRedirectToLogin(LoginFailureEvent $event): void
  200.     {
  201.         // ensure proper firewall
  202.         if ($event->getFirewallName() !== 'dashboard') {
  203.             return;
  204.         }
  206.         // redirect to the login selection page
  207.         // TODO: is this necessary; might be a setting in the yaml that can take care of this...
  208.         $event->setResponse(
  209.             new RedirectResponse(
  210.                 $this->router->generate('platform.security.login.default.select'),
  211.             ),
  212.         );
  213.     }
  215.     /**
  216.      * @param LoginSuccessEvent $event
  217.      * @return void
  218.      */
  219.     public function onLoginSuccessLastLoggedInUpdate(LoginSuccessEvent $event): void
  220.     {
  221.         // ensure proper firewall
  222.         if ($event->getFirewallName() !== 'dashboard') {
  223.             return;
  224.         }
  226.         // get the user
  227.         $user $event->getUser();
  228.         if ( ! $user instanceof Account) {
  229.             throw new \RuntimeException();
  230.         }
  232.         // mark the user with the latest timestamp
  233.         $this->em->getRepository(Account::class)->updateLastLoginTimestamp(
  234.             $user,
  235.         );
  236.     }
  238.     /**
  239.      * @param LoginSuccessEvent $event
  240.      * @return void
  241.      */
  242.     public function onLoginSuccessRedirection(LoginSuccessEvent $event): void
  243.     {
  244.         // checks we need to run
  245.         // NOTE: order matters!
  246.         static $checks = [
  247.             ProductsBitwise::SITES__BASE => null,
  248.             ProductsBitwise::NOTIFICATIONS__V2 => 'app.notifications.dashboard.default.main',
  249.             ProductsBitwise::ACCESSIBILITY__CONTENT => 'products.ada.dashboard.default.main',
  250.             ProductsBitwise::ACCESSIBILITY__PDFS => 'products.ada.dashboard.default.main',
  251.             ProductsBitwise::SMM__BASE => 'products.smm.dashboard.default.main',
  252.             ProductsBitwise::APP__CAMPUSSUITE => 'products.app.dashboard.default.main',
  253.             ProductsBitwise::APP__SIA => 'products.app.dashboard.default.main',
  254.         ];
  256.         // ensure proper firewall
  257.         if ($event->getFirewallName() !== 'dashboard') {
  258.             return;
  259.         }
  261.         // get the user
  262.         $user $event->getUser();
  263.         if ( ! $user instanceof Account) {
  264.             throw new \RuntimeException();
  265.         }
  267.         // first see if we have a redirect stored in the passport (in case it was set via oauth or something)
  268.         $passport $event->getPassport();
  269.         $redirect null;
  270.         if ($passport instanceof Passport) {
  271.             $redirect $passport->getAttribute('oauth_redirect');
  272.         }
  274.         // see if we have a redirect given in the authentication flow, if not already given
  275.         $redirect $redirect ?: $event->getRequest()->query->get('redirect');
  277.         // determine where to go to, either redirect or dashboard
  278.         if ($redirect === null || $redirect === '' || $redirect === '/') {
  280.             // single out customers that have single-product instances to jump to those specific products
  281.             foreach ($checks as $product => $route) {
  282.                 if ($user->getTenant()->getProducts()->checkAnyFlag($product)) {
  283.                     $redirect $route
  284.                         $this->router->generate($route)
  285.                         : null;
  286.                     break;
  287.                 }
  288.             }
  290.             // if we still don't have a redirect, determine the best place to put them
  291.             if (empty($redirect)) {
  292.                 switch (true) {
  293.                     case $user->getTenant()->getProducts()->hasFlag(ProductsBitwise::SCHOOLNOW__MIGRATED):
  294.                         $redirect $this->router->generate('app.schoolnow.dashboard.default.main');
  295.                         break;
  296.                     default:
  297.                         $redirect $this->router->generate('cms.container.dashboard.dashboard.index');
  298.                 }
  299.             }
  300.         }
  302.         // force https, should always be redirecting to a dashboard url anyway
  303.         $pos strpos($redirect'http://');
  304.         if ($pos === 0) {
  305.             $redirect substr_replace($redirect'https://'$posstrlen('http://'));
  306.         }
  308.         // generate redirect to the dashboard
  309.         $response = new RedirectResponse($redirect);
  311.         // set user uid cookie
  312.         // TODO: is this necessary anymore?
  313.         $response->headers->setCookie(new Cookie(
  314.             FrontendBuilder::ACCOUNT_UID_KEY,
  315.             $user->getUid()->toString(),
  316.             0'/'nullfalsefalse
  317.         ));
  319.         // set the response on the event
  320.         $event->setResponse($response);
  321.     }
  323.     /**
  324.      * @param LogoutEvent $event
  325.      * @return void
  326.      */
  327.     public function onLogout(LogoutEvent $event): void
  328.     {
  329.         if ($event->getRequest() && $event->getRequest()->getSession()) {
  330.             $event->getRequest()->getSession()->invalidate();
  331.         }
  332.     }
  333. }