vendor/symfony/security-http/Firewall/SwitchUserListener.php line 40

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Http\Firewall;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\HttpFoundation\RedirectResponse;
  16. use Symfony\Component\HttpFoundation\Request;
  17. use Symfony\Component\HttpKernel\Event\RequestEvent;
  18. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  19. use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
  20. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  21. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  22. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  23. use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
  24. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  25. use Symfony\Component\Security\Core\User\UserCheckerInterface;
  26. use Symfony\Component\Security\Core\User\UserInterface;
  27. use Symfony\Component\Security\Core\User\UserProviderInterface;
  28. use Symfony\Component\Security\Http\Event\SwitchUserEvent;
  29. use Symfony\Component\Security\Http\SecurityEvents;
  30. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  32. /**
  33. * SwitchUserListener allows a user to impersonate another one temporarily
  34. * (like the Unix su command).
  35. *
  36. * @author Fabien Potencier <fabien@symfony.com>
  37. *
  38. * @final
  39. */
  40. class SwitchUserListener extends AbstractListener
  41. {
  42. public const EXIT_VALUE = '_exit';
  44. private $tokenStorage;
  45. private $provider;
  46. private $userChecker;
  47. private $firewallName;
  48. private $accessDecisionManager;
  49. private $usernameParameter;
  50. private $role;
  51. private $logger;
  52. private $dispatcher;
  53. private $stateless;
  55. public function __construct(TokenStorageInterface $tokenStorage, UserProviderInterface $provider, UserCheckerInterface $userChecker, string $firewallName, AccessDecisionManagerInterface $accessDecisionManager, ?LoggerInterface $logger = null, string $usernameParameter = '_switch_user', string $role = 'ROLE_ALLOWED_TO_SWITCH', ?EventDispatcherInterface $dispatcher = null, bool $stateless = false)
  56. {
  57. if ('' === $firewallName) {
  58. throw new \InvalidArgumentException('$firewallName must not be empty.');
  59. }
  61. $this->tokenStorage = $tokenStorage;
  62. $this->provider = $provider;
  63. $this->userChecker = $userChecker;
  64. $this->firewallName = $firewallName;
  65. $this->accessDecisionManager = $accessDecisionManager;
  66. $this->usernameParameter = $usernameParameter;
  67. $this->role = $role;
  68. $this->logger = $logger;
  69. $this->dispatcher = $dispatcher;
  70. $this->stateless = $stateless;
  71. }
  73. /**
  74. * {@inheritdoc}
  75. */
  76. public function supports(Request $request): ?bool
  77. {
  78. // usernames can be falsy
  79. $username = $request->get($this->usernameParameter);
  81. if (null === $username || '' === $username) {
  82. $username = $request->headers->get($this->usernameParameter);
  83. }
  85. // if it's still "empty", nothing to do.
  86. if (null === $username || '' === $username) {
  87. return false;
  88. }
  90. $request->attributes->set('_switch_user_username', $username);
  92. return true;
  93. }
  95. /**
  96. * Handles the switch to another user.
  97. *
  98. * @throws \LogicException if switching to a user failed
  99. */
  100. public function authenticate(RequestEvent $event)
  101. {
  102. $request = $event->getRequest();
  104. $username = $request->attributes->get('_switch_user_username');
  105. $request->attributes->remove('_switch_user_username');
  107. if (null === $this->tokenStorage->getToken()) {
  108. throw new AuthenticationCredentialsNotFoundException('Could not find original Token object.');
  109. }
  111. if (self::EXIT_VALUE === $username) {
  112. $this->attemptExitUser($request);
  113. } else {
  114. try {
  115. $this->tokenStorage->setToken($this->attemptSwitchUser($request, $username));
  116. } catch (AuthenticationException $e) {
  117. // Generate 403 in any conditions to prevent user enumeration vulnerabilities
  118. throw new AccessDeniedException('Switch User failed: '.$e->getMessage(), $e);
  119. }
  120. }
  122. if (!$this->stateless) {
  123. $request->query->remove($this->usernameParameter);
  124. $request->server->set('QUERY_STRING', http_build_query($request->query->all(), '', '&'));
  125. $response = new RedirectResponse($request->getUri(), 302);
  127. $event->setResponse($response);
  128. }
  129. }
  131. /**
  132. * Attempts to switch to another user and returns the new token if successfully switched.
  133. *
  134. * @throws \LogicException
  135. * @throws AccessDeniedException
  136. */
  137. private function attemptSwitchUser(Request $request, string $username): ?TokenInterface
  138. {
  139. $token = $this->tokenStorage->getToken();
  140. $originalToken = $this->getOriginalToken($token);
  142. if (null !== $originalToken) {
  143. // @deprecated since Symfony 5.3, change to $token->getUserIdentifier() in 6.0
  144. if ((method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername()) === $username) {
  145. return $token;
  146. }
  148. // User already switched, exit before seamlessly switching to another user
  149. $token = $this->attemptExitUser($request);
  150. }
  152. // @deprecated since Symfony 5.3, change to $token->getUserIdentifier() in 6.0
  153. $currentUsername = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
  154. $nonExistentUsername = '_'.md5(random_bytes(8).$username);
  156. // To protect against user enumeration via timing measurements
  157. // we always load both successfully and unsuccessfully
  158. $methodName = 'loadUserByIdentifier';
  159. if (!method_exists($this->provider, $methodName)) {
  160. trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "loadUserByIdentifier()" in user provider "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.', get_debug_type($this->provider));
  162. $methodName = 'loadUserByUsername';
  163. }
  164. try {
  165. $user = $this->provider->$methodName($username);
  167. try {
  168. $this->provider->$methodName($nonExistentUsername);
  169. } catch (\Exception $e) {
  170. }
  171. } catch (AuthenticationException $e) {
  172. $this->provider->$methodName($currentUsername);
  174. throw $e;
  175. }
  177. if (false === $this->accessDecisionManager->decide($token, [$this->role], $user)) {
  178. $exception = new AccessDeniedException();
  179. $exception->setAttributes($this->role);
  181. throw $exception;
  182. }
  184. if (null !== $this->logger) {
  185. $this->logger->info('Attempting to switch to user.', ['username' => $username]);
  186. }
  188. $this->userChecker->checkPostAuth($user);
  190. $roles = $user->getRoles();
  191. $roles[] = 'ROLE_PREVIOUS_ADMIN';
  192. $originatedFromUri = str_replace('/&', '/?', preg_replace('#[&?]'.$this->usernameParameter.'=[^&]*#', '', $request->getRequestUri()));
  193. $token = new SwitchUserToken($user, $this->firewallName, $roles, $token, $originatedFromUri);
  195. if (null !== $this->dispatcher) {
  196. $switchEvent = new SwitchUserEvent($request, $token->getUser(), $token);
  197. $this->dispatcher->dispatch($switchEvent, SecurityEvents::SWITCH_USER);
  198. // use the token from the event in case any listeners have replaced it.
  199. $token = $switchEvent->getToken();
  200. }
  202. return $token;
  203. }
  205. /**
  206. * Attempts to exit from an already switched user and returns the original token.
  207. *
  208. * @throws AuthenticationCredentialsNotFoundException
  209. */
  210. private function attemptExitUser(Request $request): TokenInterface
  211. {
  212. if (null === ($currentToken = $this->tokenStorage->getToken()) || null === $original = $this->getOriginalToken($currentToken)) {
  213. throw new AuthenticationCredentialsNotFoundException('Could not find original Token object.');
  214. }
  216. if (null !== $this->dispatcher && $original->getUser() instanceof UserInterface) {
  217. $user = $this->provider->refreshUser($original->getUser());
  218. $original->setUser($user);
  219. $switchEvent = new SwitchUserEvent($request, $user, $original);
  220. $this->dispatcher->dispatch($switchEvent, SecurityEvents::SWITCH_USER);
  221. $original = $switchEvent->getToken();
  222. }
  224. $this->tokenStorage->setToken($original);
  226. return $original;
  227. }
  229. private function getOriginalToken(TokenInterface $token): ?TokenInterface
  230. {
  231. if ($token instanceof SwitchUserToken) {
  232. return $token->getOriginalToken();
  233. }
  235. return null;
  236. }
  237. }