/** * @test */ public function testUserTracing() { $account = new Account(); $account->setAccountIdentifier('testUserTracing'); $account->setAuthenticationProviderName('TestingProvider'); $this->persistenceManager->add($account); $this->persistenceManager->persistAll(); $this->authenticateAccount($account); $entity = new Entity(); $this->entityRepository->add($entity); $this->persistenceManager->persistAll(); $this->assertEquals($entity->getCreatedBy(), $account); $this->assertNull($entity->getUpdatedBy()); $entity->setType('testUserTracing'); $this->entityRepository->update($entity); $this->persistenceManager->persistAll(); $this->assertEquals($entity->getUpdatedBy(), $account); $account2 = new Account(); $account2->setAccountIdentifier('testUserTracing2'); $account2->setAuthenticationProviderName('TestingProvider'); $this->persistenceManager->add($account2); $this->persistenceManager->persistAll(); $this->authenticateAccount($account2); $entity->setType('testUserTracing2'); $this->entityRepository->update($entity); $this->persistenceManager->persistAll(); $this->assertEquals($entity->getUpdatedBy(), $account2); $this->assertNotEquals($entity->getCreatedBy(), $account2); }
/** * Get the account name of an user. * * @return string */ public function getAccountName() { if ($this->account == null) { return $this->email; } else { return $this->account->getAccountIdentifier(); } }
/** * @test */ public function authenticationFailsWithWrongCredentialsInAnUsernamePasswordToken() { $this->mockHashService->expects($this->once())->method('validatePassword')->with('wrong password', '8bf0abbb93000e2e47f0e0a80721e834,80f117a78cff75f3f73793fd02aa9086')->will($this->returnValue(false)); $this->mockAccount->expects($this->once())->method('getCredentialsSource')->will($this->returnValue('8bf0abbb93000e2e47f0e0a80721e834,80f117a78cff75f3f73793fd02aa9086')); $this->mockAccountRepository->expects($this->once())->method('findActiveByAccountIdentifierAndAuthenticationProviderName')->with('admin', 'myProvider')->will($this->returnValue($this->mockAccount)); $this->mockToken->expects($this->once())->method('getCredentials')->will($this->returnValue(array('username' => 'admin', 'password' => 'wrong password'))); $this->mockToken->expects($this->once())->method('setAuthenticationStatus')->with(\TYPO3\Flow\Security\Authentication\TokenInterface::WRONG_CREDENTIALS); $this->persistedUsernamePasswordProvider->authenticate($this->mockToken); }
/** * @test */ public function authenticateTagsSessionWithAccountIdentifier() { $account = new Account(); $account->setAccountIdentifier('admin'); $securityContext = $this->getMockBuilder(\TYPO3\Flow\Security\Context::class)->setMethods(array('getAuthenticationStrategy', 'getAuthenticationTokens', 'refreshTokens', 'refreshRoles'))->getMock(); $token = $this->createMock(\TYPO3\Flow\Security\Authentication\TokenInterface::class); $token->expects($this->any())->method('getAccount')->will($this->returnValue($account)); $token->expects($this->atLeastOnce())->method('isAuthenticated')->will($this->returnValue(true)); $securityContext->expects($this->atLeastOnce())->method('getAuthenticationTokens')->will($this->returnValue(array($token))); $this->mockSession->expects($this->once())->method('addTag')->with('TYPO3-Flow-Security-Account-21232f297a57a5a743894a0e4a801fc3'); $this->authenticationProviderManager->_set('providers', array()); $this->authenticationProviderManager->_set('securityContext', $securityContext); $this->authenticationProviderManager->authenticate(); }
/** * @param \TYPO3\Flow\Security\Account $account * @return string */ public function generateDisqusRemoteAuth(\TYPO3\Flow\Security\Account $account) { /** @var \TYPO3\Party\Domain\Model\Person $person */ $person = $account->getParty(); $data = array('id' => $account->getAccountIdentifier(), 'username' => $person->getName()->getFullName(), 'email' => $person->getPrimaryElectronicAddress()->getIdentifier(), 'avatar' => sprintf('//typo3.org/services/userimage.php?username=%s&size=big', $account->getAccountIdentifier())); if (!isset($this->settings['disqusApiSecret'])) { throw new \InvalidArgumentException('You need to set up a disqusApiSecrect in your settings.', 1425572965); } $message = base64_encode(json_encode($data)); $timestamp = time(); $apiSecret = $this->settings['disqusApiSecret']; $hmac = $this->disqusHmacSha1($message . ' ' . $timestamp, $apiSecret); return $message . ' ' . $hmac . ' ' . $timestamp; }
/** * @param Account $account * @return void */ protected function sendNotificationMail(Account $account) { $notificationMailSettings = $this->settings['notificationMail']; if (!$notificationMailSettings['to']) { return; } $httpRequest = Request::createFromEnvironment(); $failedAttemptsThreshold = $this->settings['failedAttemptsThreshold']; $time = (new \DateTime())->format('Y-m-d H:i'); $replacePlaceholders = function ($string) use($account, $httpRequest, $failedAttemptsThreshold, $time) { return str_replace(['{domain}', '{ip}', '{userAgent}', '{accountIdentifier}', '{failedAttemptsThreshold}', '{time}'], [$httpRequest->getUri()->getHost(), $httpRequest->getClientIpAddress(), $_SERVER['HTTP_USER_AGENT'], $account->getAccountIdentifier(), $failedAttemptsThreshold, $time], $string); }; $mail = new Message(); $mail->setFrom($replacePlaceholders($notificationMailSettings['from']['email']), $replacePlaceholders($notificationMailSettings['from']['name']))->setTo($notificationMailSettings['to'])->setSubject($replacePlaceholders($notificationMailSettings['subject']))->setBody($replacePlaceholders($notificationMailSettings['message']))->send(); }
/** * Checks if the given account is already in the account repository * * @param \TYPO3\Flow\Security\Account $account * @return bool */ public function doesAccountExist(\TYPO3\Flow\Security\Account $account) { $accountIdentifier = $account->getAccountIdentifier(); $authenticationProviderName = $account->getAuthenticationProviderName(); $existingAccount = $this->accountRepository->findByAccountIdentifierAndAuthenticationProviderName($accountIdentifier, $authenticationProviderName); return $existingAccount !== NULL; }
/** * Tries to authenticate the given token. Sets isAuthenticated to TRUE if authentication succeeded. * * @param TokenInterface $authenticationToken The token to be authenticated * @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException * @return void */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof AbstractClientToken) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1383754993); } $credentials = $authenticationToken->getCredentials(); // Inspect the received access token as documented in https://developers.facebook.com/docs/facebook-login/login-flow-for-web-no-jssdk/ $tokenInformation = $this->facebookTokenEndpoint->requestValidatedTokenInformation($credentials['accessToken']); if ($tokenInformation === FALSE) { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); return; } // Check if the permitted scopes suffice: $necessaryScopes = $this->options['scopes']; $scopesHavingPermissionFor = $tokenInformation['scopes']; $requiredButNotPermittedScopes = array_diff($necessaryScopes, $scopesHavingPermissionFor); if (count($requiredButNotPermittedScopes) > 0) { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); $this->securityLogger->log('The permitted scopes do not satisfy the required once.', LOG_NOTICE, array('necessaryScopes' => $necessaryScopes, 'allowedScopes' => $scopesHavingPermissionFor)); return; } // From here, we surely know the user is considered authenticated against the remote service, // yet to check if there is an immanent account present. $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); /** @var $account \TYPO3\Flow\Security\Account */ $account = NULL; $providerName = $this->name; $accountRepository = $this->accountRepository; $this->securityContext->withoutAuthorizationChecks(function () use($tokenInformation, $providerName, $accountRepository, &$account) { $account = $accountRepository->findByAccountIdentifierAndAuthenticationProviderName($tokenInformation['user_id'], $providerName); }); if ($account === NULL) { $account = new Account(); $account->setAccountIdentifier($tokenInformation['user_id']); $account->setAuthenticationProviderName($providerName); $this->accountRepository->add($account); } $authenticationToken->setAccount($account); // request long-live token and attach that to the account $longLivedToken = $this->facebookTokenEndpoint->requestLongLivedToken($credentials['accessToken']); $account->setCredentialsSource($longLivedToken); $this->accountRepository->update($account); }
/** * In this method, actually create the user / account. * * NOTE: After this method is called, the $registrationFlow is DESTROYED, so you need to store all attributes * in your object as you need them. * * @param RegistrationFlow $registrationFlow * @return void */ public function createUserAndAccount(RegistrationFlow $registrationFlow) { // Create the account $account = new Account(); $account->setAccountIdentifier($registrationFlow->getEmail()); $account->setCredentialsSource($registrationFlow->getEncryptedPassword()); $account->setAuthenticationProviderName('Sandstorm.UserManagement:Login'); // Assign pre-configured roles foreach ($this->rolesForNewUsers as $roleString) { $account->addRole(new Role($roleString)); } // Create the user $user = new User(); $user->setAccount($account); $user->setEmail($registrationFlow->getEmail()); if (array_key_exists('salutation', $registrationFlow->getAttributes())) { $user->setGender($registrationFlow->getAttributes()['salutation']); } if (array_key_exists('firstName', $registrationFlow->getAttributes())) { $user->setFirstName($registrationFlow->getAttributes()['firstName']); } if (array_key_exists('lastName', $registrationFlow->getAttributes())) { $user->setLastName($registrationFlow->getAttributes()['lastName']); } // Persist user $this->userRepository->add($user); $this->persistenceManager->whitelistObject($user); $this->persistenceManager->whitelistObject($account); }
/** * @return \Ag\Login\Domain\Model\AccountDescriptor */ public function getDescriptor() { $d = new AccountDescriptor(); $d->accountId = $this->accountId; $d->email = $this->login->getAccountIdentifier(); $d->name = $this->name; $d->imageId = $this->imageId; $d->roles = $this->login->getRoles(); foreach ($d->roles as $key => $role) { $d->roles[$key] = $this->flowRoleToRole($role); } return $d; }
/** * Creates a new account and sets the given password and roles * * @param string $identifier Identifier of the account, must be unique * @param string $password The clear text password * @param array $roleIdentifiers Optionally an array of role identifiers to assign to the new account * @param string $authenticationProviderName Optional name of the authentication provider the account is affiliated with * @param string $passwordHashingStrategy Optional password hashing strategy to use for the password * @return Account A new account, not yet added to the account repository */ public function createAccountWithPassword($identifier, $password, $roleIdentifiers = [], $authenticationProviderName = 'DefaultProvider', $passwordHashingStrategy = 'default') { $account = new Account(); $account->setAccountIdentifier($identifier); $account->setCredentialsSource($this->hashService->hashPassword($password, $passwordHashingStrategy)); $account->setAuthenticationProviderName($authenticationProviderName); $roles = []; foreach ($roleIdentifiers as $roleIdentifier) { $roles[] = $this->policyService->getRole($roleIdentifier); } $account->setRoles($roles); return $account; }
/** * Sets isAuthenticated to TRUE for all tokens. * * @param TokenInterface $authenticationToken The token to be authenticated * @return void * @throws UnsupportedAuthenticationTokenException */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof PasswordToken) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339840); } $credentials = $authenticationToken->getCredentials(); if (is_array($credentials) && isset($credentials['password'])) { if ($this->hashService->validatePassword($credentials['password'], $this->fileBasedSimpleKeyService->getKey($this->options['keyName']))) { $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $account = new Account(); $roles = array(); foreach ($this->options['authenticateRoles'] as $roleIdentifier) { $roles[] = $this->policyService->getRole($roleIdentifier); } $account->setRoles($roles); $authenticationToken->setAccount($account); } else { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); } } elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) { $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN); } }
/** * In this method, actually create the user / account. * * NOTE: After this method is called, the $registrationFlow is DESTROYED, so you need to store all attributes * in your object as you need them. * * @param RegistrationFlow $registrationFlow * @return void */ public function createUserAndAccount(RegistrationFlow $registrationFlow) { // Create the account $account = new Account(); $account->setAccountIdentifier($registrationFlow->getEmail()); $account->setCredentialsSource($registrationFlow->getEncryptedPassword()); $account->setAuthenticationProviderName('Sandstorm.UserManagement:Login'); // Assign preconfigured roles foreach ($this->rolesForNewUsers as $roleString) { $account->addRole(new Role($roleString)); } // Create the user $user = new User(); $name = new PersonName('', $registrationFlow->getAttributes()['firstName'], '', $registrationFlow->getAttributes()['lastName'], '', $registrationFlow->getEmail()); $user->setName($name); // Assign them to each other and persist $this->getPartyService()->assignAccountToParty($account, $user); $this->getPartyRepository()->add($user); $this->accountRepository->add($account); $this->persistenceManager->whitelistObject($user); $this->persistenceManager->whitelistObject($user->getPreferences()); $this->persistenceManager->whitelistObject($name); $this->persistenceManager->whitelistObject($account); }
/** * @expectedException \TYPO3\Flow\Security\Exception * @expectedExceptionCode 1397745354 * @test */ public function callingSetPartyWithoutIdentifierThrowsException() { $account = new Account(); $mockParty = $this->getMock('TYPO3\\Party\\Domain\\Model\\AbstractParty'); $account->setParty($mockParty); }
/** * @param array $userdata * @return Account */ protected function createAccount(array $userdata) { if (!isset($userdata['username'])) { return; } $account = new Account(); $account->setCredentialsSource('typo3.org SSO'); $account->setAuthenticationProviderName($this->name); $account->setRoles(array($this->policyService->getRole('T3DD.Backend:Authenticated'))); $account->setAccountIdentifier($userdata['username']); $person = new Person(); $this->partyRepository->add($person); $this->partyService->assignAccountToParty($account, $person); $this->updatePerson($person, $userdata); $this->accountRepository->add($account); $this->persistenceManager->persistAll(); return $account; }
/** * @test */ public function shutdownCreatesSpecialDataEntryForSessionWithAuthenticatedAccounts() { $session = new Session(); $this->inject($session, 'bootstrap', $this->mockBootstrap); $this->inject($session, 'objectManager', $this->mockObjectManager); $this->inject($session, 'settings', $this->settings); $this->inject($session, 'metaDataCache', $this->createCache('Meta')); $this->inject($session, 'storageCache', $this->createCache('Storage')); $session->initializeObject(); $session->start(); $account = new Account(); $account->setAccountIdentifier('admin'); $account->setAuthenticationProviderName('MyProvider'); $token = new UsernamePassword(); $token->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $token->setAccount($account); $this->mockSecurityContext->expects($this->any())->method('isInitialized')->will($this->returnValue(TRUE)); $this->mockSecurityContext->expects($this->any())->method('getAuthenticationTokens')->will($this->returnValue(array($token))); $session->close(); $this->httpRequest->setCookie($this->httpResponse->getCookie('TYPO3_Flow_Session')); $session->resume(); $this->assertEquals(array('MyProvider:admin'), $session->getData('TYPO3_Flow_Security_Accounts')); }
/** * @param string $username Crowd Username * @param string $providerName Name of the authentication provider, this account should be used with * @return Account */ public function getLocalAccountForCrowdUser($username, $providerName) { $accountRepository = $this->accountRepository; $this->securityContext->withoutAuthorizationChecks(function () use($username, $providerName, $accountRepository, &$account) { $account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($username, $providerName); }); if ($account === NULL) { if ($this->getUser($username) === NULL) { return NULL; } $account = new Account(); $account->setAuthenticationProviderName($providerName); $account->setAccountIdentifier($username); $roleIdentifier = $this->configurationManager->getConfiguration(ConfigurationManager::CONFIGURATION_TYPE_SETTINGS, 'TYPO3.Flow.security.authentication.providers.' . $providerName . '.providerOptions.authenticateRole'); $account->addRole($this->policyService->getRole($roleIdentifier)); $this->accountRepository->add($account); $this->persistenceManager->persistAll(); } return $account; }
/** * Sets the roles for the LDAP account. * Extend this Provider class and implement this method to update the party * * @param Account $account * @param array $ldapSearchResult * @return void */ protected function setRoles(Account $account, array $ldapSearchResult) { if (is_array($this->rolesConfiguration)) { $contextVariables = array('ldapUser' => $ldapSearchResult); if (isset($this->defaultContext) && is_array($this->defaultContext)) { foreach ($this->defaultContext as $contextVariable => $objectName) { $object = $this->objectManager->get($objectName); $contextVariables[$contextVariable] = $object; } } foreach ($this->rolesConfiguration['default'] as $roleIdentifier) { $role = $this->policyService->getRole($roleIdentifier); $account->addRole($role); } $eelContext = new Context($contextVariables); if (isset($this->partyConfiguration['dn'])) { $dn = $this->eelEvaluator->evaluate($this->partyConfiguration['dn'], $eelContext); foreach ($this->rolesConfiguration['userMapping'] as $roleIdentifier => $userDns) { if (in_array($dn, $userDns)) { $role = $this->policyService->getRole($roleIdentifier); $account->addRole($role); } } } elseif (!empty($this->rolesConfiguration['userMapping'])) { $this->logger->log('User mapping found but no party mapping for dn set', LOG_ALERT); } if (isset($this->partyConfiguration['username'])) { $username = $this->eelEvaluator->evaluate($this->partyConfiguration['username'], $eelContext); $groupMembership = $this->directoryService->getGroupMembership($username); foreach ($this->rolesConfiguration['groupMapping'] as $roleIdentifier => $remoteRoleIdentifiers) { foreach ($remoteRoleIdentifiers as $remoteRoleIdentifier) { $role = $this->policyService->getRole($roleIdentifier); if (isset($groupMembership[$remoteRoleIdentifier])) { $account->addRole($role); } } } } elseif (!empty($this->rolesConfiguration['groupMapping'])) { $this->logger->log('Group mapping found but no party mapping for username set', LOG_ALERT); } } }
/** * Set a new password for the given account * * This allows for setting a new password for an existing user account. * * @param Account $account * @param $password * @param string $passwordHashingStrategy * * @return boolean */ public function resetPassword(Account $account, $password, $passwordHashingStrategy = 'default') { $account->setCredentialsSource($this->hashService->hashPassword($password, $passwordHashingStrategy)); $this->accountRepository->update($account); return TRUE; }
/** * @expectedException \TYPO3\Flow\Security\Exception * @expectedExceptionCode 1397745354 * @test */ public function callingSetPartyWithoutIdentifierThrowsException() { $account = new Account(); $account->setParty(new \stdClass()); }
/** * Tries to authenticate the given token. Sets isAuthenticated to TRUE if authentication succeeded. * * @param TokenInterface $authenticationToken The token to be authenticated * @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException * @return void */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof AbstractClientToken) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1383754993); } $credentials = $authenticationToken->getCredentials(); // There is no way to validate the Token or check the scopes at the moment apart from "trying" (and possibly receiving an access denied) // we could check the validity of the Token and the scopes here in the future when Instagram provides that // Only check if an access Token is present at this time and do a single test call if (isset($credentials['accessToken']) && $credentials['accessToken'] !== NULL) { // check if a secure request is possible (https://www.instagram.com/developer/secure-api-requests/) $userInfo = $this->instagramTokenEndpoint->validateSecureRequestCapability($credentials['accessToken']); if ($userInfo === FALSE) { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); $this->securityLogger->log('A secure call to the API with the provided accessToken and clientSecret was not possible', LOG_NOTICE); return FALSE; } } else { } // From here, we surely know the user is considered authenticated against the remote service, // yet to check if there is an immanent account present. $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); /** @var $account \TYPO3\Flow\Security\Account */ $account = NULL; $providerName = $this->name; $accountRepository = $this->accountRepository; $this->securityContext->withoutAuthorizationChecks(function () use($userInfo, $providerName, $accountRepository, &$account) { $account = $accountRepository->findByAccountIdentifierAndAuthenticationProviderName($userInfo['id'], $providerName); }); if ($account === NULL) { $account = new Account(); $account->setAccountIdentifier($userInfo['id']); $account->setAuthenticationProviderName($providerName); $this->accountRepository->add($account); } $authenticationToken->setAccount($account); // the access token is valid for an "undefined time" according to instagram (so we cannot know when the user needs to log in again) $account->setCredentialsSource($credentials['accessToken']); $this->accountRepository->update($account); // check if a user is already attached to this account if ($this->partyService->getAssignedPartyOfAccount($account) === null || count($this->partyService->getAssignedPartyOfAccount($account)) < 1) { $user = $this->userService->getCurrentUser(); if ($user !== null) { $user->addAccount($account); $this->userService->updateUser($user); $this->persistenceManager->whitelistObject($user); } else { $this->securityLogger->logException(new Exception("The InstagramProvider was unable to determine the backend user, make sure the configuration Typo3BackendProvider requestPattern matches the Instagram Controller and the authentication strategy is set to 'atLeastOne' Token")); } } // persistAll is called automatically at the end of this function, account gets whitelisted to allow // persisting for an object thats tinkered with via a GET request $this->persistenceManager->whitelistObject($account); }
/** * renders <f:then> child if the role could be found in the security context, * otherwise renders <f:else> child. * * @param string $role The role or role identifier * @param string $packageKey PackageKey of the package defining the role * @param Account $account If specified, this subject of this check is the given Account instead of the currently authenticated account * @return string the rendered string * @api */ public function render($role, $packageKey = null, Account $account = null) { if (is_string($role)) { $roleIdentifier = $role; if (in_array($roleIdentifier, array('Everybody', 'Anonymous', 'AuthenticatedUser'))) { $roleIdentifier = 'TYPO3.Flow:' . $roleIdentifier; } if (strpos($roleIdentifier, '.') === false && strpos($roleIdentifier, ':') === false) { if ($packageKey === null) { $request = $this->controllerContext->getRequest(); $roleIdentifier = $request->getControllerPackageKey() . ':' . $roleIdentifier; } else { $roleIdentifier = $packageKey . ':' . $roleIdentifier; } } $role = $this->policyService->getRole($roleIdentifier); } if ($account instanceof Account) { $hasRole = $account->hasRole($role); } else { $hasRole = $this->securityContext->hasRole($role->getIdentifier()); } if ($hasRole) { return $this->renderThenChild(); } else { return $this->renderElseChild(); } }
/** * @return string */ public function getProfileImage() { return sprintf('//typo3.org/services/userimage.php?username=%s&size=big', $this->payload->getAccountIdentifier()); }
/** * Authenticates against a crowd instance. * * @param \TYPO3\Flow\Security\Authentication\TokenInterface $authenticationToken The token to be authenticated * @return void * @throws \TYPO3\Flow\Security\Exception\UnsupportedAuthenticationTokenException */ public function authenticate(TokenInterface $authenticationToken) { if (!$authenticationToken instanceof UsernamePassword) { throw new UnsupportedAuthenticationTokenException('This provider cannot authenticate the given token.', 1217339845); } $credentials = $authenticationToken->getCredentials(); if (is_array($credentials) && isset($credentials['username']) && isset($credentials['password'])) { $crowdAuthenticationResponse = $this->crowdClient->authenticate($credentials['username'], $credentials['password']); if ($crowdAuthenticationResponse !== NULL) { /** @var $account \TYPO3\Flow\Security\Account */ $account = NULL; $providerName = $this->name; $accountRepository = $this->accountRepository; $this->securityContext->withoutAuthorizationChecks(function () use($credentials, $providerName, $accountRepository, &$account) { $account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($credentials['username'], $providerName); }); if ($account === NULL) { $account = new Account(); $account->setAuthenticationProviderName($providerName); $account->setAccountIdentifier($credentials['username']); $this->accountRepository->add($account); } $authenticateRole = $this->policyService->getRole($this->options['authenticateRole']); if ($account->hasRole($authenticateRole) === FALSE) { $account->addRole($authenticateRole); } $crowdUser = $this->partyService->getAssignedPartyOfAccount($account); if ($crowdUser instanceof Person) { if ($crowdUser->getName()->getFirstName() !== $crowdAuthenticationResponse['first-name']) { $crowdUser->getName()->setFirstName($crowdAuthenticationResponse['first-name']); $this->partyRepository->update($crowdUser); } if ($crowdUser->getName()->getLastName() !== $crowdAuthenticationResponse['last-name']) { $crowdUser->getName()->setLastName($crowdAuthenticationResponse['last-name']); $this->partyRepository->update($crowdUser); } if ($crowdUser->getPrimaryElectronicAddress()->getIdentifier() !== $crowdAuthenticationResponse['email']) { $crowdUser->getPrimaryElectronicAddress()->setIdentifier($crowdAuthenticationResponse['email']); $this->partyRepository->update($crowdUser); } } else { $crowdUser = new Person(); $crowdUser->setName(new PersonName('', $crowdAuthenticationResponse['first-name'], '', $crowdAuthenticationResponse['last-name'])); $email = new ElectronicAddress(); $email->setIdentifier($crowdAuthenticationResponse['email']); $email->setType(ElectronicAddress::TYPE_EMAIL); $crowdUser->setPrimaryElectronicAddress($email); $this->partyRepository->add($crowdUser); $this->partyService->assignAccountToParty($account, $crowdUser); } $authenticationToken->setAuthenticationStatus(TokenInterface::AUTHENTICATION_SUCCESSFUL); $authenticationToken->setAccount($account); } else { $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS); } } elseif ($authenticationToken->getAuthenticationStatus() !== TokenInterface::AUTHENTICATION_SUCCESSFUL) { $authenticationToken->setAuthenticationStatus(TokenInterface::NO_CREDENTIALS_GIVEN); } }
/** * Update a given account * * @param Account $account The account to update * @param array $roleIdentifiers A possibly updated list of roles for the user's primary account * @param array $password Expects an array in the format array('<password>', '<password confirmation>') * @Flow\Validate(argumentName="password", type="\TYPO3\Neos\Validation\Validator\PasswordValidator", options={ "allowEmpty"=1, "minimum"=1, "maximum"=255 }) * @return void */ public function updateAccountAction(Account $account, array $roleIdentifiers, array $password = array()) { $user = $this->userService->getUser($account->getAccountIdentifier(), $account->getAuthenticationProviderName()); if ($user === $this->currentUser) { $roles = array(); foreach ($roleIdentifiers as $roleIdentifier) { $roles[$roleIdentifier] = $this->policyService->getRole($roleIdentifier); } if (!$this->privilegeManager->isPrivilegeTargetGrantedForRoles($roles, 'TYPO3.Neos:Backend.Module.Administration.Users')) { $this->addFlashMessage('With the selected roles the currently logged in user wouldn\'t have access to this module any longer. Please adjust the assigned roles!', 'Don\'t lock yourself out', Message::SEVERITY_WARNING, array(), 1416501197); $this->forward('edit', null, null, array('user' => $this->currentUser)); } } $password = array_shift($password); if (strlen(trim(strval($password))) > 0) { $this->userService->setUserPassword($user, $password); } $this->userService->setRolesForAccount($account, $roleIdentifiers); $this->addFlashMessage('The account has been updated.', 'Account updated', Message::SEVERITY_OK); $this->redirect('edit', null, null, array('user' => $user)); }
/** * Creates a personal workspace for the given user's account if it does not exist already. * * @param User $user The new user to create a workspace for * @param Account $account The user's backend account * @throws IllegalObjectTypeException */ protected function createPersonalWorkspace(User $user, Account $account) { $userWorkspaceName = UserUtility::getPersonalWorkspaceNameForUsername($account->getAccountIdentifier()); $userWorkspace = $this->workspaceRepository->findByIdentifier($userWorkspaceName); if ($userWorkspace === null) { $liveWorkspace = $this->workspaceRepository->findByIdentifier('live'); if (!$liveWorkspace instanceof Workspace) { $liveWorkspace = new Workspace('live'); $liveWorkspace->setTitle('Live'); $this->workspaceRepository->add($liveWorkspace); } $userWorkspace = new Workspace($userWorkspaceName, $liveWorkspace, $user); $userWorkspace->setTitle((string) $user->getName()); $this->workspaceRepository->add($userWorkspace); } }
/** * Creates a new account, assigns it the given roles and authenticates it. * The created account is returned for further modification, for example for attaching a Party object to it. * * @param array $roleNames A list of roles the new account should have * @return Account The created account */ protected function authenticateRoles(array $roleNames) { // FIXME this is currently needed in order to correctly import the roles. Otherwise RepositoryInterface::isConnected() returns FALSE and importing is skipped in PolicyService::initializeRolesFromPolicy() $this->objectManager->get(\TYPO3\Flow\Security\AccountRepository::class)->countAll(); $account = new Account(); $account->setAccountIdentifier('TestAccount'); $roles = array(); foreach ($roleNames as $roleName) { $roles[] = $this->policyService->getRole($roleName); } $account->setRoles($roles); $this->authenticateAccount($account); return $account; }
/** * Sends an email to a user with the new password * * @param \TYPO3\Flow\Security\Account $account * @param array $settings * @param string $newEnteredPassword * @return boolean $success */ public function sendMail(Account $account, $settings, $newEnteredPassword = NULL) { if ($newEnteredPassword !== NULL) { $newPassword = $newEnteredPassword; } else { $newPassword = $this->algorithms->generateRandomString(10); $account->setCredentialsSource($this->hashService->hashPassword($newPassword, 'default')); $this->accountRepository->update($account); } // @TODO: Localize the email format $mailBody[] = 'Dear %1$s'; $mailBody[] = ''; $mailBody[] = 'Your password for First Visit.'; $mailBody[] = 'The password is %2$s'; $mailBody[] = ''; $mailBody[] = 'If you haven\'t requested this information, please change your password at once'; $mailBody[] = 'as others might be able to access your account'; $success = FALSE; $message = new SwiftMessage(); if ($message->setTo(array($account->getAccountIdentifier() => $account->getParty()->getName()))->setFrom(array($settings['PasswordRecovery']['Sender']['Email'] => $settings['PasswordRecovery']['Sender']['Name']))->setSubject($settings['PasswordRecovery']['Subject'])->setBody(vsprintf(implode(PHP_EOL, $mailBody), array($account->getParty()->getName(), $newPassword)))->send()) { $success = TRUE; } return $success; }
/** * Edit the given account * * @param Account $account * @return void */ public function editAccountAction(Account $account) { $this->view->assignMultiple(array('account' => $account, 'user' => $this->userService->getUser($account->getAccountIdentifier(), $account->getAuthenticationProviderName()))); }
/** * Removes the specified role from the given account and potentially carries out further actions which are needed to * properly reflect these changes. * * @param Account $account The account to remove roles from * @param string $roleIdentifier A fully qualified role identifier, or a role identifier relative to the TYPO3.Neos namespace * @return integer How often this role has been removed from the given account (effectively can be 1 or 0) * @api */ public function removeRoleFromAccount(Account $account, $roleIdentifier) { $roleIdentifier = $this->normalizeRoleIdentifier($roleIdentifier); $role = $this->policyService->getRole($roleIdentifier); /** @var Account $account */ if ($account->hasRole($role)) { $account->removeRole($role); $this->accountRepository->update($account); $this->emitRolesRemoved($account, array($role)); return 1; } return 0; }