/**
* Matches a \Neos\Flow\Mvc\RequestInterface against the set IP pattern rules
*
* @param RequestInterface $request The request that should be matched
* @return boolean TRUE if the pattern matched, FALSE otherwise
* @throws InvalidRequestPatternException
*/
public function matchRequest(RequestInterface $request)
{
if (!isset($this->options['cidrPattern'])) {
throw new InvalidRequestPatternException('Missing option "cidrPattern" in the Ip request pattern configuration', 1446224520);
}
if (!$request instanceof ActionRequest) {
return false;
}
return (bool) IpUtility::cidrMatch($request->getHttpRequest()->getClientIpAddress(), $this->options['cidrPattern']);
}
/**
* Matches a \Neos\Flow\Mvc\RequestInterface against its set URL pattern rules
*
* @param RequestInterface $request The request that should be matched
* @return boolean TRUE if the pattern matched, FALSE otherwise
* @throws InvalidRequestPatternException
*/
public function matchRequest(RequestInterface $request)
{
if (!$request instanceof ActionRequest) {
return false;
}
if (!isset($this->options['uriPattern'])) {
throw new InvalidRequestPatternException('Missing option "uriPattern" in the Uri request pattern configuration', 1446224530);
}
return (bool) preg_match('/^' . str_replace('/', '\\/', $this->options['uriPattern']) . '$/', $request->getHttpRequest()->getUri()->getPath());
}
/**
* Matches a \Neos\Flow\Mvc\RequestInterface against its set host pattern rules
*
* @param RequestInterface $request The request that should be matched
* @return boolean TRUE if the pattern matched, FALSE otherwise
* @throws InvalidRequestPatternException
*/
public function matchRequest(RequestInterface $request)
{
if (!isset($this->options['hostPattern'])) {
throw new InvalidRequestPatternException('Missing option "hostPattern" in the Host request pattern configuration', 1446224510);
}
if (!$request instanceof ActionRequest) {
return false;
}
$hostPattern = str_replace('\\*', '.*', preg_quote($this->options['hostPattern'], '/'));
return preg_match('/^' . $hostPattern . '$/', $request->getHttpRequest()->getUri()->getHost()) === 1;
}
/**
* Matches a \Neos\Flow\Mvc\RequestInterface against the configured CSRF pattern rules and
* searches for invalid csrf tokens. If this returns TRUE, the request is invalid!
*
* @param RequestInterface $request The request that should be matched
* @return boolean TRUE if the pattern matched, FALSE otherwise
* @throws AuthenticationRequiredException
*/
public function matchRequest(RequestInterface $request)
{
if (!$request instanceof ActionRequest || $request->getHttpRequest()->isMethodSafe()) {
$this->systemLogger->log('CSRF: No token required, safe request', LOG_DEBUG);
return false;
}
if ($this->authenticationManager->isAuthenticated() === false) {
$this->systemLogger->log('CSRF: No token required, not authenticated', LOG_DEBUG);
return false;
}
if ($this->securityContext->areAuthorizationChecksDisabled() === true) {
$this->systemLogger->log('CSRF: No token required, authorization checks are disabled', LOG_DEBUG);
return false;
}
$controllerClassName = $this->objectManager->getClassNameByObjectName($request->getControllerObjectName());
$actionMethodName = $request->getControllerActionName() . 'Action';
if (!$this->hasPolicyEntryForMethod($controllerClassName, $actionMethodName)) {
$this->systemLogger->log(sprintf('CSRF: No token required, method %s::%s() is not restricted by a policy.', $controllerClassName, $actionMethodName), LOG_DEBUG);
return false;
}
if ($this->reflectionService->isMethodTaggedWith($controllerClassName, $actionMethodName, 'skipcsrfprotection')) {
$this->systemLogger->log(sprintf('CSRF: No token required, method %s::%s() is tagged with a "skipcsrfprotection" annotation', $controllerClassName, $actionMethodName), LOG_DEBUG);
return false;
}
$httpRequest = $request->getHttpRequest();
if ($httpRequest->hasHeader('X-Flow-Csrftoken')) {
$csrfToken = $httpRequest->getHeader('X-Flow-Csrftoken');
} else {
$internalArguments = $request->getMainRequest()->getInternalArguments();
$csrfToken = isset($internalArguments['__csrfToken']) ? $internalArguments['__csrfToken'] : null;
}
if (empty($csrfToken)) {
$this->systemLogger->log(sprintf('CSRF: token was empty but a valid token is required for %s::%s()', $controllerClassName, $actionMethodName), LOG_DEBUG);
return true;
}
if (!$this->securityContext->hasCsrfProtectionTokens()) {
throw new AuthenticationRequiredException(sprintf('CSRF: No CSRF tokens in security context, possible session timeout. A valid token is required for %s::%s()', $controllerClassName, $actionMethodName), 1317309673);
}
if ($this->securityContext->isCsrfProtectionTokenValid($csrfToken) === false) {
$this->systemLogger->log(sprintf('CSRF: token was invalid but a valid token is required for %s::%s()', $controllerClassName, $actionMethodName), LOG_DEBUG);
return true;
}
$this->systemLogger->log(sprintf('CSRF: Successfully verified token for %s::%s()', $controllerClassName, $actionMethodName), LOG_DEBUG);
return false;
}
/**
* Finds and instantiates a controller that matches the current request.
* If no controller can be found, an instance of NotFoundControllerInterface is returned.
*
* @param RequestInterface $request The request to dispatch
* @return ControllerInterface
* @throws NoSuchOptionException
* @throws Controller\Exception\InvalidControllerException
*/
protected function resolveController(RequestInterface $request)
{
/** @var ActionRequest $request */
$controllerObjectName = $request->getControllerObjectName();
if ($controllerObjectName === '') {
if (isset($this->settings['mvc']['notFoundController'])) {
throw new NoSuchOptionException('The configuration option Neos.Flow:mvc:notFoundController is deprecated since Flow 2.0. Use the "renderingGroups" option of the production exception handler instead in order to render custom error messages.', 1346949795);
}
$exceptionMessage = 'No controller could be resolved which would match your request';
if ($request instanceof ActionRequest) {
$exceptionMessage .= sprintf('. Package key: "%s", controller name: "%s"', $request->getControllerPackageKey(), $request->getControllerName());
if ($request->getControllerSubpackageKey() !== null) {
$exceptionMessage .= sprintf(', SubPackage key: "%s"', $request->getControllerSubpackageKey());
}
$exceptionMessage .= sprintf('. (%s %s)', $request->getHttpRequest()->getMethod(), $request->getHttpRequest()->getUri());
}
throw new Controller\Exception\InvalidControllerException($exceptionMessage, 1303209195, null, $request);
}
$controller = $this->objectManager->get($controllerObjectName);
if (!$controller instanceof ControllerInterface) {
throw new Controller\Exception\InvalidControllerException('Invalid controller "' . $request->getControllerObjectName() . '". The controller must be a valid request handling controller, ' . (is_object($controller) ? get_class($controller) : gettype($controller)) . ' given.', 1202921619, null, $request);
}
return $controller;
}
