/**
* Checks the given token for validity and sets the token authentication status
* accordingly (success, wrong credentials or no credentials given).
*
* @param TokenInterface $authenticationToken The token to be authenticated
* @return void
* @throws UnsupportedAuthenticationTokenException
*/
public function authenticate(TokenInterface $authenticationToken)
{
if (!$authenticationToken instanceof UsernamePassword) {
throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840);
}
/** @var $account Account */
$account = null;
$credentials = $authenticationToken->getCredentials();
if ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) {
$authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN);
}
if (!is_array($credentials) || !isset($credentials['username']) || !isset($credentials['password'])) {
return;
}
$providerName = $this->name;
$accountRepository = $this->accountRepository;
$this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, $accountRepository, &$account) {
$account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName);
});
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
if ($account === null) {
$this->hashService->validatePassword($credentials['password'], 'bcrypt=>$2a$14$DummySaltToPreventTim,.ingAttacksOnThisProvider');
return;
}
if ($this->hashService->validatePassword($credentials['password'], $account->getCredentialsSource())) {
$account->authenticationAttempted(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL);
$authenticationToken->setAccount($account);
} else {
$account->authenticationAttempted(TokenInterface::WRONG_CREDENTIALS);
}
$this->accountRepository->update($account);
$this->persistenceManager->whitelistObject($account);
}
/**
* @test
*/
public function authenticationFailsWithWrongCredentialsInAnUsernamePasswordToken()
{
$this->mockHashService->expects($this->once())->method('validatePassword')->with('wrong password', '8bf0abbb93000e2e47f0e0a80721e834,80f117a78cff75f3f73793fd02aa9086')->will($this->returnValue(false));
$this->mockAccount->expects($this->once())->method('getCredentialsSource')->will($this->returnValue('8bf0abbb93000e2e47f0e0a80721e834,80f117a78cff75f3f73793fd02aa9086'));
$this->mockAccountRepository->expects($this->once())->method('findActiveByAccountIdentifierAndAuthenticationProviderName')->with('admin', 'myProvider')->will($this->returnValue($this->mockAccount));
$this->mockToken->expects($this->once())->method('getCredentials')->will($this->returnValue(['username' => 'admin', 'password' => 'wrong password']));
$this->mockToken->expects($this->at(2))->method('setAuthenticationStatus')->with(\Neos\Flow\Security\Authentication\TokenInterface::NO_CREDENTIALS_GIVEN);
$this->mockToken->expects($this->at(3))->method('setAuthenticationStatus')->with(\Neos\Flow\Security\Authentication\TokenInterface::WRONG_CREDENTIALS);
$this->persistedUsernamePasswordProvider->authenticate($this->mockToken);
}
/**
* @dataProvider personsDataProvider
* @test
*/
public function personsAndAccountPersistingAndRetrievingWorksCorrectly($firstName, $middleName, $lastName, $emailAddress)
{
$person = new Person();
$person->setName(new PersonName('', $firstName, $middleName, $lastName));
$electronicAddress = new ElectronicAddress();
$electronicAddress->setType(ElectronicAddress::TYPE_EMAIL);
$electronicAddress->setIdentifier($emailAddress);
$person->setPrimaryElectronicAddress($electronicAddress);
$account = $this->accountFactory->createAccountWithPassword($emailAddress, $this->persistenceManager->getIdentifierByObject($person));
$this->accountRepository->add($account);
$person->addAccount($account);
$this->partyRepository->add($person);
$this->persistenceManager->persistAll();
$this->assertEquals(1, $this->partyRepository->countAll());
$this->persistenceManager->clearState();
$foundPerson = $this->partyRepository->findByIdentifier($this->persistenceManager->getIdentifierByObject($person));
$this->assertEquals($foundPerson->getName()->getFullName(), $person->getName()->getFullName());
$this->assertEquals($foundPerson->getName()->getFullName(), $firstName . ' ' . $middleName . ' ' . $lastName);
$this->assertEquals($foundPerson->getPrimaryElectronicAddress()->getIdentifier(), $emailAddress);
}
/**
* @test
*/
public function authenticationWithCorrectCredentialsResetsFailedAuthenticationCount()
{
$this->authenticationToken->_set('credentials', ['username' => 'username', 'password' => 'wrongPW']);
$this->persistedUsernamePasswordProvider->authenticate($this->authenticationToken);
$account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName('username', 'myTestProvider');
$this->assertEquals(1, $account->getFailedAuthenticationCount());
$this->authenticationToken->_set('credentials', ['username' => 'username', 'password' => 'password']);
$this->persistedUsernamePasswordProvider->authenticate($this->authenticationToken);
$account = $this->accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName('username', 'myTestProvider');
$this->assertEquals((new \DateTime())->format(\DateTime::W3C), $account->getLastSuccessfulAuthenticationDate()->format(\DateTime::W3C));
$this->assertEquals(0, $account->getFailedAuthenticationCount());
}
/**
* Deactivates the given user
*
* @param User $user The user to deactivate
* @return void
* @api
*/
public function deactivateUser(User $user)
{
/** @var Account $account */
foreach ($user->getAccounts() as $account) {
$account->setExpirationDate($this->now);
$this->accountRepository->update($account);
}
$this->emitUserDeactivated($user);
}
