[shopsys] improved administration authentication code (#3683)

Author: grossmannmartin

src/Controller/Admin/AdministratorController.php

@@ -20,8 +20,8 @@
 use Shopsys\FrameworkBundle\Model\Administrator\Exception\DeletingSelfException;
 use Shopsys\FrameworkBundle\Model\Administrator\Security\AdministratorRolesChangedFacade;
 use Shopsys\FrameworkBundle\Model\AdminNavigation\BreadcrumbOverrider;
-use Shopsys\FrameworkBundle\Model\Security\Authenticator;
 use Shopsys\FrameworkBundle\Model\Security\Roles;
+use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\Form\Extension\Core\Type\FormType;
 use Symfony\Component\Form\Extension\Core\Type\SubmitType;
 use Symfony\Component\Form\Extension\Core\Type\TextType;
@@ -37,7 +37,7 @@
 
 class AdministratorController extends AdminBaseController
 {
-    protected const MAX_ADMINISTRATOR_ACTIVITIES_COUNT = 10;
+    protected const int MAX_ADMINISTRATOR_ACTIVITIES_COUNT = 10;
 
     /**
      * @param \Shopsys\FrameworkBundle\Model\Administrator\AdministratorFacade $administratorFacade
@@ -48,7 +48,7 @@ class AdministratorController extends AdminBaseController
      * @param \Shopsys\FrameworkBundle\Model\Administrator\Security\AdministratorRolesChangedFacade $administratorRolesChangedFacade
      * @param \Shopsys\FrameworkBundle\Model\Administrator\AdministratorTwoFactorAuthenticationFacade $administratorTwoFactorAuthenticationFacade
      * @param \Shopsys\FrameworkBundle\Model\Administrator\AdministratorPasswordFacade $administratorPasswordFacade
-     * @param \Shopsys\FrameworkBundle\Model\Security\Authenticator $authenticator
+     * @param \Symfony\Bundle\SecurityBundle\Security $security
      */
     public function __construct(
         protected readonly AdministratorFacade $administratorFacade,
@@ -59,12 +59,15 @@ public function __construct(
         protected readonly AdministratorRolesChangedFacade $administratorRolesChangedFacade,
         protected readonly AdministratorTwoFactorAuthenticationFacade $administratorTwoFactorAuthenticationFacade,
         protected readonly AdministratorPasswordFacade $administratorPasswordFacade,
-        protected readonly Authenticator $authenticator,
+        protected readonly Security $security,
     ) {
     }
 
+    /**
+     * @return \Symfony\Component\HttpFoundation\Response
+     */
     #[Route(path: '/administrator/list/')]
-    public function listAction()
+    public function listAction(): Response
     {
         $queryBuilder = $this->administratorFacade->getAllListableQueryBuilder();
         $dataSource = new QueryBuilderDataSource($queryBuilder, 'a.id');
@@ -90,10 +93,13 @@ public function listAction()
     /**
      * @param \Symfony\Component\HttpFoundation\Request $request
      * @param int $id
+     * @return \Symfony\Component\HttpFoundation\Response
      */
     #[Route(path: '/administrator/edit/{id}', requirements: ['id' => '\d+'])]
-    public function editAction(Request $request, int $id)
+    public function editAction(Request $request, int $id): Response
     {
+        $this->denyAccessUnlessHimselfOrGranted($request, $id);
+
         $administrator = $this->administratorFacade->getById($id);
 
         $loggedUser = $this->getUser();
@@ -159,8 +165,31 @@ public function editAction(Request $request, int $id)
         ]);
     }
 
+    /**
+     * @param \Symfony\Component\HttpFoundation\Request $request
+     * @param int $administratorId
+     */
+    protected function denyAccessUnlessHimselfOrGranted(Request $request, int $administratorId): void
+    {
+        $currentAdministrator = $this->getCurrentAdministrator();
+
+        // always allow admin to edit himself
+        if ($currentAdministrator->getId() === $administratorId) {
+            return;
+        }
+
+        if ($request->getMethod() === Request::METHOD_GET) {
+            $this->denyAccessUnlessGranted(Roles::ROLE_ADMINISTRATOR_VIEW);
+        } else {
+            $this->denyAccessUnlessGranted(Roles::ROLE_ADMINISTRATOR_FULL);
+        }
+    }
+
+    /**
+     * @return \Symfony\Component\HttpFoundation\Response
+     */
     #[Route(path: '/administrator/my-account/')]
-    public function myAccountAction()
+    public function myAccountAction(): Response
     {
         /** @var \Shopsys\FrameworkBundle\Model\Administrator\Administrator $loggedUser */
         $loggedUser = $this->getUser();
@@ -172,9 +201,10 @@ public function myAccountAction()
 
     /**
      * @param \Symfony\Component\HttpFoundation\Request $request
+     * @return \Symfony\Component\HttpFoundation\Response
      */
     #[Route(path: '/administrator/new/')]
-    public function newAction(Request $request)
+    public function newAction(Request $request): Response
     {
         $form = $this->createForm(AdministratorFormType::class, $this->administratorDataFactory->create(), [
             'scenario' => AdministratorFormType::SCENARIO_CREATE,
@@ -211,9 +241,10 @@ public function newAction(Request $request)
     /**
      * @CsrfProtection
      * @param int $id
+     * @return \Symfony\Component\HttpFoundation\Response
      */
     #[Route(path: '/administrator/delete/{id}', requirements: ['id' => '\d+'])]
-    public function deleteAction(int $id)
+    public function deleteAction(int $id): Response
     {
         try {
             $realName = $this->administratorFacade->getById($id)->getRealName();
@@ -225,16 +256,16 @@ public function deleteAction(int $id)
                     'name' => $realName,
                 ],
             );
-        } catch (DeletingSelfException $ex) {
+        } catch (DeletingSelfException) {
             $this->addErrorFlash(t('You can\'t delete yourself.'));
-        } catch (DeletingLastAdministratorException $ex) {
+        } catch (DeletingLastAdministratorException) {
             $this->addErrorFlashTwig(
                 t('Administrator <strong>{{ name }}</strong> is the only one and can\'t be deleted.'),
                 [
                     'name' => $this->administratorFacade->getById($id)->getRealName(),
                 ],
             );
-        } catch (AdministratorNotFoundException $ex) {
+        } catch (AdministratorNotFoundException) {
             $this->addErrorFlash(t('Selected administrated doesn\'t exist.'));
         }
 
@@ -269,7 +300,7 @@ public function enableTwoFactorAuthenticationAction(
         $loggedUser = $this->getUser();
         $this->securitySafeCheck($loggedUser);
 
-        if ($administrator->getUsername() !== $loggedUser->getUserIdentifier()) {
+        if ($administrator->getUsername() !== $loggedUser?->getUserIdentifier()) {
             $this->addErrorFlash(t('You are allowed to set up two factor authentication only to yourself.'));
 
             return $this->redirectToRoute('admin_administrator_edit', ['id' => $id]);
@@ -386,7 +417,7 @@ public function disableTwoFactorAuthenticationAction(Request $request, int $id):
         $loggedUser = $this->getUser();
         $this->securitySafeCheck($loggedUser);
 
-        if ($administrator->getUsername() !== $loggedUser->getUserIdentifier()) {
+        if ($administrator->getUsername() !== $loggedUser?->getUserIdentifier()) {
             $this->addErrorFlash(t('You are allowed to disable two factor authentication only to yourself.'));
 
             return $this->redirectToRoute('admin_administrator_edit', ['id' => $id]);
@@ -531,7 +562,8 @@ public function setNewPasswordAction(Request $request): Response
             );
 
             if (!$this->isGranted(Roles::ROLE_ADMIN)) {
-                $this->authenticator->loginAdministrator($administrator);
+                $this->security->login($administrator, 'security.authenticator.form_login.administration');
+                $request->getSession()->migrate();
             }
 
             $this->addSuccessFlash(t('Password has been successfully set.'));

src/Controller/Admin/LoginController.php

@@ -9,42 +9,44 @@
 use Shopsys\FrameworkBundle\Form\Admin\Login\LoginFormType;
 use Shopsys\FrameworkBundle\Model\Administrator\Security\Exception\InvalidTokenException;
 use Shopsys\FrameworkBundle\Model\Security\AdministratorLoginFacade;
-use Shopsys\FrameworkBundle\Model\Security\Authenticator;
-use Shopsys\FrameworkBundle\Model\Security\Exception\LoginFailedException;
 use Shopsys\FrameworkBundle\Model\Security\Exception\LoginWithDefaultPasswordException;
 use Shopsys\FrameworkBundle\Model\Security\Roles;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Component\Security\Core\Exception\TooManyLoginAttemptsAuthenticationException;
+use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
+use Symfony\Component\Security\Http\SecurityRequestAttributes;
 
 class LoginController extends AdminBaseController
 {
-    protected const MULTIDOMAIN_LOGIN_TOKEN_PARAMETER_NAME = 'multidomainLoginToken';
-    public const ORIGINAL_DOMAIN_ID_PARAMETER_NAME = 'originalDomainId';
-    public const ORIGINAL_REFERER_PARAMETER_NAME = 'originalReferer';
+    protected const string MULTIDOMAIN_LOGIN_TOKEN_PARAMETER_NAME = 'multidomainLoginToken';
+    public const string ORIGINAL_DOMAIN_ID_PARAMETER_NAME = 'originalDomainId';
+    public const string ORIGINAL_REFERER_PARAMETER_NAME = 'originalReferer';
 
     /**
-     * @param \Shopsys\FrameworkBundle\Model\Security\Authenticator $authenticator
      * @param \Shopsys\FrameworkBundle\Component\Domain\Domain $domain
      * @param \Shopsys\FrameworkBundle\Component\Router\DomainRouterFactory $domainRouterFactory
      * @param \Shopsys\FrameworkBundle\Model\Security\AdministratorLoginFacade $administratorLoginFacade
+     * @param \Symfony\Component\Security\Http\Authentication\AuthenticationUtils $authenticationUtils
      */
     public function __construct(
-        protected readonly Authenticator $authenticator,
         protected readonly Domain $domain,
         protected readonly DomainRouterFactory $domainRouterFactory,
         protected readonly AdministratorLoginFacade $administratorLoginFacade,
+        protected readonly AuthenticationUtils $authenticationUtils,
     ) {
     }
 
     /**
      * @param \Symfony\Component\HttpFoundation\Request $request
+     * @return \Symfony\Component\HttpFoundation\Response
      */
     #[Route(path: '/', name: 'admin_login')]
     #[Route(path: '/login-check/', name: 'admin_login_check')]
     #[Route(path: '/logout/', name: 'admin_logout')]
-    public function loginAction(Request $request)
+    public function loginAction(Request $request): Response
     {
         $currentDomainId = $this->domain->getId();
 
@@ -72,39 +74,44 @@ public function loginAction(Request $request)
             'action' => $this->generateUrl('admin_login_check'),
         ]);
 
-        try {
-            $this->authenticator->checkLoginProcess($request);
-        } catch (LoginFailedException $e) {
-            if ($e->getPrevious() instanceof LoginWithDefaultPasswordException) {
-                $error = t(
+        $lastAuthenticationError = $this->authenticationUtils->getLastAuthenticationError();
+
+        if ($lastAuthenticationError !== null) {
+            $error = match (true) {
+                $lastAuthenticationError->getPrevious() instanceof LoginWithDefaultPasswordException => t(
                     'Oh, you just tried to log in using default credentials. We do not allow that on production'
-                        . ' environment. If you are random hacker, please go somewhere else. If you are authorized user,'
-                        . ' please use another account or contact developers and change password during deployment.',
-                );
-            } elseif ($e->getPrevious() instanceof TooManyLoginAttemptsAuthenticationException) {
-                $error = t('Too many login attempts. Please try again later.');
-            } else {
-                $error = t('Log in failed.');
-            }
+                    . ' environment. If you are random hacker, please go somewhere else. If you are authorized user,'
+                    . ' please use another account or contact developers and change password during deployment.',
+                ),
+                $lastAuthenticationError->getPrevious() instanceof TooManyLoginAttemptsAuthenticationException => t(
+                    'Too many login attempts. Please try again later.',
+                ),
+                default => t('Log in failed.'),
+            };
         }
 
+        $lastUserName = $this->authenticationUtils->getLastUsername();
+        $request->getSession()->remove(SecurityRequestAttributes::LAST_USERNAME);
+
         return $this->render('@ShopsysFramework/Admin/Content/Login/loginForm.html.twig', [
             'form' => $form->createView(),
+            'lastUsername' => $lastUserName,
             'error' => $error,
         ]);
     }
 
     /**
      * @param \Symfony\Component\HttpFoundation\Request $request
      * @param int $originalDomainId
+     * @return \Symfony\Component\HttpFoundation\Response
      */
     #[Route(path: '/sso/{originalDomainId}', requirements: ['originalDomainId' => '\d+'])]
-    public function ssoAction(Request $request, $originalDomainId)
+    public function ssoAction(Request $request, int $originalDomainId): Response
     {
         $multidomainToken = $this->administratorLoginFacade->generateMultidomainLoginTokenWithExpiration(
             $this->getCurrentAdministrator(),
         );
-        $originalDomainRouter = $this->domainRouterFactory->getRouter((int)$originalDomainId);
+        $originalDomainRouter = $this->domainRouterFactory->getRouter($originalDomainId);
         $redirectTo = $originalDomainRouter->generate(
             'admin_login_authorization',
             [
@@ -119,19 +126,20 @@ public function ssoAction(Request $request, $originalDomainId)
 
     /**
      * @param \Symfony\Component\HttpFoundation\Request $request
+     * @return \Symfony\Component\HttpFoundation\Response
      */
     #[Route(path: '/authorization/')]
-    public function authorizationAction(Request $request)
+    public function authorizationAction(Request $request): Response
     {
         $multidomainLoginToken = $request->get(static::MULTIDOMAIN_LOGIN_TOKEN_PARAMETER_NAME);
         $originalReferer = $request->get(self::ORIGINAL_REFERER_PARAMETER_NAME);
 
         try {
             $this->administratorLoginFacade->loginByMultidomainToken($request, $multidomainLoginToken);
-        } catch (InvalidTokenException $ex) {
+        } catch (InvalidTokenException) {
             return $this->render('@ShopsysFramework/Admin/Content/Login/loginFailed.html.twig');
         }
-        $redirectTo = $originalReferer !== null ? $originalReferer : $this->generateUrl('admin_default_dashboard');
+        $redirectTo = $originalReferer ?? $this->generateUrl('admin_default_dashboard');
 
         return $this->redirect($redirectTo);
     }