Initial commit (but after some polished work) of the new Guard authentication system

Author: weaverryan

Guard/AbstractGuardAuthenticator.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace Symfony\Component\Security\Guard;
+
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Guard\Token\GenericGuardToken;
+
+/**
+ * An optional base class that creates a GenericGuardToken for you
+ *
+ * @author Ryan Weaver <[email protected]>
+ */
+abstract class AbstractGuardAuthenticator implements GuardAuthenticatorInterface
+{
+    /**
+     * Shortcut to create a GenericGuardToken for you, if you don't really
+     * care about which authenticated token you're using
+     *
+     * @param UserInterface $user
+     * @param string $providerKey
+     * @return GenericGuardToken
+     */
+    public function createAuthenticatedToken(UserInterface $user, $providerKey)
+    {
+        return new GenericGuardToken(
+            $user,
+            $providerKey,
+            $user->getRoles()
+        );
+    }
+}

Guard/Firewall/GuardAuthenticationListener.php

@@ -0,0 +1,180 @@
+<?php
+
+namespace Symfony\Component\Security\Guard\Firewall;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Event\GetResponseEvent;
+use Symfony\Component\Security\Guard\GuardAuthenticatorHandler;
+use Symfony\Component\Security\Guard\Token\NonAuthenticatedGuardToken;
+use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
+use Symfony\Component\Security\Guard\GuardAuthenticatorInterface;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\Firewall\ListenerInterface;
+use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface;
+
+/**
+ * Authentication listener for the "guard" system
+ *
+ * @author Ryan Weaver <[email protected]>
+ */
+class GuardAuthenticationListener implements ListenerInterface
+{
+    private $guardHandler;
+    private $authenticationManager;
+    private $providerKey;
+    private $guardAuthenticators;
+    private $logger;
+    private $rememberMeServices;
+
+    /**
+     * @param GuardAuthenticatorHandler       $guardHandler          The Guard handler
+     * @param AuthenticationManagerInterface  $authenticationManager An AuthenticationManagerInterface instance
+     * @param string                          $providerKey           The provider (i.e. firewall) key
+     * @param GuardAuthenticatorInterface[]   $guardAuthenticators   The authenticators, with keys that match what's passed to GuardAuthenticationProvider
+     * @param LoggerInterface                 $logger                A LoggerInterface instance
+     */
+    public function __construct(GuardAuthenticatorHandler $guardHandler, AuthenticationManagerInterface $authenticationManager, $providerKey, $guardAuthenticators, LoggerInterface $logger = null)
+    {
+        if (empty($providerKey)) {
+            throw new \InvalidArgumentException('$providerKey must not be empty.');
+        }
+
+        $this->guardHandler = $guardHandler;
+        $this->authenticationManager = $authenticationManager;
+        $this->providerKey = $providerKey;
+        $this->guardAuthenticators = $guardAuthenticators;
+        $this->logger = $logger;
+    }
+
+    /**
+     * Iterates over each authenticator to see if each wants to authenticate the request
+     *
+     * @param GetResponseEvent $event
+     */
+    public function handle(GetResponseEvent $event)
+    {
+        if (null !== $this->logger) {
+            $this->logger->info('Checking for guard authentication credentials', array('firewall_key' => $this->providerKey, 'authenticators' => count($this->guardAuthenticators)));
+        }
+
+        foreach ($this->guardAuthenticators as $key => $guardAuthenticator) {
+            // get a key that's unique to *this* guard authenticator
+            // this MUST be the same as GuardAuthenticationProvider
+            $uniqueGuardKey = $this->providerKey.'_'.$key;
+
+            $this->executeGuardAuthenticator($uniqueGuardKey, $guardAuthenticator, $event);
+        }
+    }
+
+    private function executeGuardAuthenticator($uniqueGuardKey, GuardAuthenticatorInterface $guardAuthenticator, GetResponseEvent $event)
+    {
+        $request = $event->getRequest();
+        try {
+            if (null !== $this->logger) {
+                $this->logger->info('Calling getCredentialsFromRequest on guard configurator', array('firewall_key' => $this->providerKey, 'authenticator' => get_class($guardAuthenticator)));
+            }
+
+            // allow the authenticator to fetch authentication info from the request
+            $credentials = $guardAuthenticator->getCredentialsFromRequest($request);
+
+            // allow null to be returned to skip authentication
+            if (null === $credentials) {
+                return;
+            }
+
+            // create a token with the unique key, so that the provider knows which authenticator to use
+            $token = new NonAuthenticatedGuardToken($credentials, $uniqueGuardKey);
+
+            if (null !== $this->logger) {
+                $this->logger->info('Passing guard token information to the GuardAuthenticationProvider', array('firewall_key' => $this->providerKey, 'authenticator' => get_class($guardAuthenticator)));
+            }
+            // pass the token into the AuthenticationManager system
+            // this indirectly calls GuardAuthenticationProvider::authenticate()
+            $token = $this->authenticationManager->authenticate($token);
+
+            if (null !== $this->logger) {
+                $this->logger->info('Guard authentication successful!', array('token' => $token, 'authenticator' => get_class($guardAuthenticator)));
+            }
+
+            // sets the token on the token storage, etc
+            $this->guardHandler->authenticateWithToken($token, $request);
+        } catch (AuthenticationException $e) {
+            // oh no! Authentication failed!
+
+            if (null !== $this->logger) {
+                $this->logger->info('Guard authentication failed.', array('exception' => $e, 'authenticator' => get_class($guardAuthenticator)));
+            }
+
+            $response = $this->guardHandler->handleAuthenticationFailure($e, $request, $guardAuthenticator);
+
+            if ($response instanceof Response) {
+                $event->setResponse($response);
+            }
+
+            return;
+        }
+
+        // success!
+        $response = $this->guardHandler->handleAuthenticationSuccess($token, $request, $guardAuthenticator, $this->providerKey);
+        if ($response instanceof Response) {
+            if (null !== $this->logger) {
+                $this->logger->info('Guard authenticator set success response', array('response' => $response, 'authenticator' => get_class($guardAuthenticator)));
+            }
+
+            $event->setResponse($response);
+        } else {
+            if (null !== $this->logger) {
+                $this->logger->info('Guard authenticator set no success response: request continues', array('authenticator' => get_class($guardAuthenticator)));
+            }
+        }
+
+        // attempt to trigger the remember me functionality
+        $this->triggerRememberMe($guardAuthenticator, $request, $token, $response);
+    }
+
+    /**
+     * Should be called if this listener will support remember me.
+     *
+     * @param RememberMeServicesInterface $rememberMeServices
+     */
+    public function setRememberMeServices(RememberMeServicesInterface $rememberMeServices)
+    {
+        $this->rememberMeServices = $rememberMeServices;
+    }
+
+    /**
+     * Checks to see if remember me is supported in the authenticator and
+     * on the firewall. If it is, the RememberMeServicesInterface is notified
+     *
+     * @param GuardAuthenticatorInterface $guardAuthenticator
+     * @param Request $request
+     * @param TokenInterface $token
+     * @param Response $response
+     */
+    private function triggerRememberMe(GuardAuthenticatorInterface $guardAuthenticator, Request $request, TokenInterface $token, Response $response = null)
+    {
+        if (!$guardAuthenticator->supportsRememberMe()) {
+            return;
+        }
+
+        if (null === $this->rememberMeServices) {
+            if (null !== $this->logger) {
+                $this->logger->info('Remember me skipped: it is not configured for the firewall', array('authenticator' => get_class($guardAuthenticator)));
+            }
+
+            return;
+        }
+
+        if (!$response instanceof Response) {
+            throw new \LogicException(sprintf(
+                '%s::onAuthenticationSuccess *must* return a Response if you want to use the remember me functionality. Return a Response, or set remember_me to false under the guard configuration.',
+                get_class($guardAuthenticator)
+            ));
+        }
+
+        $this->rememberMeServices->loginSuccess($request, $response, $token);
+    }
+}

Guard/GuardAuthenticatorHandler.php

@@ -0,0 +1,122 @@
+<?php
+
+namespace Symfony\Component\Security\Guard;
+
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
+use Symfony\Component\Security\Http\SecurityEvents;
+
+/**
+ * A utility class that does much of the *work* during the guard authentication process
+ *
+ * By having the logic here instead of the listener, more of the process
+ * can be called directly (e.g. for manual authentication) or overridden.
+ *
+ * @author Ryan Weaver <[email protected]>
+ */
+class GuardAuthenticatorHandler
+{
+    private $tokenStorage;
+
+    private $dispatcher;
+
+    public function __construct(TokenStorageInterface $tokenStorage, EventDispatcherInterface $eventDispatcher = null)
+    {
+        $this->tokenStorage = $tokenStorage;
+        $this->dispatcher = $eventDispatcher;
+    }
+
+    /**
+     * Authenticates the given token in the system
+     *
+     * @param TokenInterface $token
+     * @param Request $request
+     */
+    public function authenticateWithToken(TokenInterface $token, Request $request)
+    {
+        $this->tokenStorage->setToken($token);
+
+        if (null !== $this->dispatcher) {
+            $loginEvent = new InteractiveLoginEvent($request, $token);
+            $this->dispatcher->dispatch(SecurityEvents::INTERACTIVE_LOGIN, $loginEvent);
+        }
+    }
+
+    /**
+     * Returns the "on success" response for the given GuardAuthenticator
+     *
+     * @param TokenInterface $token
+     * @param Request $request
+     * @param GuardAuthenticatorInterface $guardAuthenticator
+     * @param string $providerKey The provider (i.e. firewall) key
+     * @return null|Response
+     */
+    public function handleAuthenticationSuccess(TokenInterface $token, Request $request, GuardAuthenticatorInterface $guardAuthenticator, $providerKey)
+    {
+        $response = $guardAuthenticator->onAuthenticationSuccess($request, $token, $providerKey);
+
+        // check that it's a Response or null
+        if ($response instanceof Response || null === $response) {
+            return $response;
+        }
+
+        throw new \UnexpectedValueException(sprintf(
+            'The %s::onAuthenticationSuccess method must return null or a Response object. You returned %s',
+            get_class($guardAuthenticator),
+            is_object($response) ? get_class($response) : gettype($response)
+        ));
+    }
+
+    /**
+     * Convenience method for authenticating the user and returning the
+     * Response *if any* for success
+     *
+     * @param UserInterface $user
+     * @param Request $request
+     * @param GuardAuthenticatorInterface $authenticator
+     * @param string $providerKey The provider (i.e. firewall) key
+     * @return Response|null
+     */
+    public function authenticateUserAndHandleSuccess(UserInterface $user, Request $request, GuardAuthenticatorInterface $authenticator, $providerKey)
+    {
+        // create an authenticated token for the User
+        $token = $authenticator->createAuthenticatedToken($user, $providerKey);
+        // authenticate this in the system
+        $this->authenticateWithToken($token, $request);
+
+        // return the success metric
+        return $this->handleAuthenticationSuccess($token, $request, $authenticator, $providerKey);
+    }
+
+    /**
+     * Handles an authentication failure and returns the Response for the
+     * GuardAuthenticator
+     *
+     * @param AuthenticationException $authenticationException
+     * @param Request $request
+     * @param GuardAuthenticatorInterface $guardAuthenticator
+     * @return null|Response
+     */
+    public function handleAuthenticationFailure(AuthenticationException $authenticationException, Request $request, GuardAuthenticatorInterface $guardAuthenticator)
+    {
+        $this->tokenStorage->setToken(null);
+
+        $response = $guardAuthenticator->onAuthenticationFailure($request, $authenticationException);
+        if ($response instanceof Response || null === $response) {
+            // returning null is ok, it means they want the request to continue
+            return $response;
+        }
+
+        throw new \UnexpectedValueException(sprintf(
+            'The %s::onAuthenticationFailure method must return null or a Response object. You returned %s',
+            get_class($guardAuthenticator),
+            is_object($response) ? get_class($response) : gettype($response)
+        ));
+    }
+}