/**
* Loads the user for the given username.
*
* This method must throw UsernameNotFoundException if the user is not
* found.
*
* @param string $username The username
*
* @return UserInterface
*
* @see UsernameNotFoundException
*
* @throws UsernameNotFoundException if the user is not found
*/
public function loadUserByUsername($username)
{
if ($this->provider) {
return $this->provider->loadUserByUsername($username);
}
throw new UsernameNotFoundException();
}
/**
* Load user from payload, using username by default.
* Override this to load by another property.
*
* @param array $payload
*
* @return \Symfony\Component\Security\Core\User\UserInterface
*/
protected function getUserFromPayload(array $payload)
{
if (!isset($payload[$this->userIdentityField])) {
throw new AuthenticationException('Invalid JWT Token');
}
return $this->userProvider->loadUserByUsername($payload[$this->userIdentityField]);
}
/**
* Authenticate a token according to the user provider.
*
* @param \Symfony\Component\Security\Core\Authentication\Token\TokenInterface $token
*
* @return \Symfony\Component\Security\Core\User\UserProviderInterface
*
* @throws SecurityException Occures on invalid connection
*/
public function authenticate(TokenInterface $token)
{
if (!$this->supports($token)) {
return;
}
$username = $token->getUsername();
if (empty($username)) {
$username = '******';
}
$user = $this->_userProvider->loadUserByUsername($username);
if (false === is_array($user)) {
$user = array($user);
}
$authenticatedToken = false;
while (false === $authenticatedToken) {
if (null !== ($provider = array_pop($user))) {
$authenticatedToken = $this->authenticateUser($token, $provider);
} else {
break;
}
}
if (false === $authenticatedToken) {
throw new SecurityException('Invalid authentication informations', SecurityException::INVALID_CREDENTIALS);
}
return $authenticatedToken;
}
/**
* Get user from cached, otherwise get it from the source User Provider.
* @param string $username
* @return type
*/
public function loadUserByUsername($username)
{
if (!isset($this->cachedUsers[$username])) {
$this->cachedUsers[$username] = $this->userProvider->loadUserByUsername($username);
}
return $this->cachedUsers[$username];
}
/**
* @param TokenInterface $token
* @return BlockCypherUserToken
*/
public function authenticate(TokenInterface $token)
{
// if (!$userProvider instanceof ApiKeyUserProvider) {
// throw new \InvalidArgumentException(
// sprintf(
// 'The user provider must be an instance of ApiKeyUserProvider (%s was given).',
// get_class($userProvider)
// )
// );
// }
//$blockCypherToken = null;
$blockCypherToken = $token->getCredentials();
$username = $blockCypherToken;
// DEBUG
//var_dump($blockCypherToken);
//die();
/** @var User $user */
$user = $this->userProvider->loadUserByUsername($username);
// DEBUG
//var_dump($user);
//die();
if ($user) {
$blockCypherToken = $user->getBlockCypherToken();
}
if ($user && $this->validateBlockCypherToken($blockCypherToken)) {
$authenticatedToken = new BlockCypherUserToken($user, $blockCypherToken, 'blockcypher', $user->getRoles());
//$authenticatedToken->setUser($user);
return $authenticatedToken;
}
throw new AuthenticationException('BlockCypher token empty or invalid.');
}
/**
* @param string $username
* @param UsernamePasswordToken $token
* @return null|UserInterface
*/
public function retrieveUser($username, UsernamePasswordToken $token)
{
try {
return $this->userProvider->loadUserByUsername($username);
} catch (NoResultException $e) {
return null;
}
}
/**
* {@inheritDoc}
*/
public function authenticate(TokenInterface $token)
{
$username = $this->oauthProvider->getUsername($token->getCredentials());
$user = $this->userProvider->loadUserByUsername($username);
$token = new OAuthToken($token->getCredentials(), $user->getRoles());
$token->setUser($user);
$token->setAuthenticated(true);
return $token;
}
/**
* {@inheritdoc}
*/
public function authenticate(TokenInterface $token)
{
$user = $this->userProvider->loadUserByUsername($token->getUsername());
if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
$authenticatedToken = new WsseToken($user->getRoles());
$authenticatedToken->setUser($user);
return $authenticatedToken;
}
throw new AuthenticationException('The WSSE authentication failed.');
}
public function authenticate(TokenInterface $token)
{
$user = $this->userProvider->loadUserByUsername($token->getUsername());
if ($user && ($token->isAuthenticated() || $this->crowd->isauthenticationvalid($token->getUsername(), $token->getCredentials()))) {
$authenticatedToken = new CrowdToken($user->getRoles());
$authenticatedToken->setUser($user);
return $authenticatedToken;
}
throw new AuthenticationException('The Crowd authentication failed.');
}
public function __invoke($username, $password)
{
try {
$user = $this->userProvider->loadUserByUsername($username);
} catch (UsernameNotFoundException $e) {
// in order to prevent timing attacks, we call the same method on a dummy user
// this way it is not revealed that the user by that username does not exist in DB
$this->passwordEncoder->isPasswordValid(AccountUser::dummy(), 'dummy');
return false;
}
return $this->passwordEncoder->isPasswordValid($user, $password) ? $username : false;
}
private function getTokenForUsername($username, $attributes = array())
{
/** @var User $user */
$user = $this->userProvider->loadUserByUsername($username);
if (!$user) {
throw new AuthenticationException("No user by the name of '{$username}'");
}
$token = new SspToken($user->getRoles());
$token->setUser($user);
$token->setAttributes($attributes);
return $token;
}
/**
* @param TokenInterface $token
*
* @return WsseUserToken
*/
public function authenticate(TokenInterface $token)
{
/** @var WsseUserToken $token */
$user = $this->userProvider->loadUserByUsername($token->getUsername());
$secret = $user->getApiKey() . '{' . $user->getSalt() . '}';
if ($this->validateDigest($token->digest, $token->nonce, $token->created, $secret)) {
$authenticatedToken = new WsseUserToken($user->getRoles());
$authenticatedToken->setUser($user);
return $authenticatedToken;
}
throw new AuthenticationException('The WSSE authentication failed.');
}
/**
* Attempts to authenticate a TokenInterface object.
*
* @param TokenInterface $token The TokenInterface instance to authenticate
*
* @return TokenInterface An authenticated TokenInterface instance, never null
*
* @throws AuthenticationException if the authentication fails
*/
public function authenticate(TokenInterface $token)
{
if (!$this->supports($token)) {
return;
}
if (!($user = $token->getUser())) {
throw new AuthenticationException('JWT auth failed');
}
$user = $this->userProvider->loadUserByUsername($user);
$this->userChecker->checkPostAuth($user);
$token = new JWTToken($user, $token->getCredentials(), $this->providerKey, $this->getRoles($user, $token));
return $token;
}
/**
* Attempts to authenticate a TokenInterface object.
*
* @param TokenInterface $token The TokenInterface instance to authenticate
*
* @return TokenInterface An authenticated TokenInterface instance, never null
*
* @throws AuthenticationException if the authentication fails
*/
public function authenticate(TokenInterface $token)
{
$userName = $token->getUsername();
$user = $this->userProvider->loadUserByUsername($userName);
if (null != $user) {
$lastContext = $token->getTokenContext();
$token = new JWTToken($user->getRoles());
$token->setTokenContext($lastContext);
$token->setUser($user);
return $token;
}
throw new AuthenticationException('JWT auth failed');
}
/**
* Authenticate API user by API key
*
* @param TokenInterface $token
* @return Token
* @throws AuthenticationException
*/
public function authenticate(TokenInterface $token)
{
$user = $this->userProvider->loadUserByUsername($token->getUsername());
if ($user && $user->getApi()) {
if ($this->validateDigest($token->getAttribute('digest'), $token->getAttribute('nonce'), $token->getAttribute('created'), $user->getApi()->getApiKey(), $user->getSalt())) {
$authToken = new Token($user->getRoles());
$authToken->setUser($user);
$authToken->setAuthenticated(true);
return $authToken;
}
}
throw new AuthenticationException('WSSE authentication failed.');
}
public function authenticate(TokenInterface $token)
{
$user = $this->userProvider->loadUserByUsername($token->getUsername());
if (!$user) {
throw new AuthenticationException('The authentication failed.');
}
$authenticatedToken = new ChoiceAuthToken($user->getRoles());
$authenticatedToken->setAttributes($token->getAttributes());
$authenticatedToken->setUser($user);
$authenticatedToken->setProviderKey($this->providerKey);
$authenticatedToken->setAuthenticated(true);
return $authenticatedToken;
}
/**
* {@inheritdoc}
*/
public function authenticate(TokenInterface $token)
{
if (!$this->supports($token)) {
return;
}
if (!($user = $token->getUser())) {
throw new BadCredentialsException('The required token is not found.');
}
$user = $this->userProvider->loadUserByUsername($user);
$this->userChecker->checkPostAuth($user);
$authenticatedToken = new phpBBToken($user, $this->providerKey, $user->getRoles());
$authenticatedToken->setAttributes($token->getAttributes());
return $authenticatedToken;
}
/**
* Attempts to authenticate a TokenInterface object.
*
* @param TokenInterface $token The TokenInterface instance to authenticate
*
* @return TokenInterface An authenticated TokenInterface instance, never null
*
* @throws AuthenticationException if the authentication fails
*/
public function authenticate(TokenInterface $token)
{
/** @var SignedTokenInterface $token */
$user = $this->userProvider->loadUserByUsername($token->getUsername());
$signData = $this->getAuthSignData($token->getRequest());
$signData[] = $user->{$this->config['secret_getter']}();
$expectedSignature = hash($this->config['hash_alg'], implode($this->config['data_delimiter'], $signData));
if ($token->getSignature() == $expectedSignature) {
$token->setUser($user);
return $token;
}
$this->logger->critical(sprintf('Invalid auth signature. Expect "%s", got "%s"', $expectedSignature, $token->getSignature()), ['signData' => $signData]);
throw new AuthenticationException("Invalid auth signature " . $token->getSignature());
}
/**
* Attempts to authenticate a TokenInterface object.
*
* @param TokenInterface $token The TokenInterface instance to authenticate
*
* @return TokenInterface An authenticated TokenInterface instance, never null
*
* @throws AuthenticationException if the authentication fails
*/
public function authenticate(TokenInterface $token)
{
if ($token instanceof JWTToken) {
$userName = $token->getTokenContext()->name;
} else {
$userName = $token->getUsername();
}
$user = $this->userProvider->loadUserByUsername($userName);
if (null != $user) {
$token->setUser($user);
return $token;
}
throw new AuthenticationException('JWT auth failed');
}
/**
* {@inheritdoc}
*/
public function authenticate(TokenInterface $token)
{
$user = $this->userProvider->loadUserByUsername($token->getUsername());
if ($user instanceof UserInterface) {
if ("" === $token->getDigest()) {
throw new BadCredentialsException('The presented password cannot be empty.');
}
if ($this->validateDigest($user, $token)) {
$authenticatedToken = new WsseUserToken($user->getRoles());
$authenticatedToken->setUser($user);
return $authenticatedToken;
}
}
throw new AuthenticationException('The WSSE authentication failed.');
}
/**
* {@inheritdoc}
*/
public function authenticate(TokenInterface $token)
{
/** @var HmacUserToken $token */
if ($this->validateServiceLabel($token->getServiceLabel())) {
$user = $this->userProvider->loadUserByUsername($token->getUsername());
if ($this->validateSignature($token->getRequest(), $token->getSignature(), $user->getPassword())) {
$authenticatedToken = new HmacUserToken();
$authenticatedToken->setUser($user);
$authenticatedToken->setServiceLabel($token->getServiceLabel());
$authenticatedToken->setRequest($token->getRequest());
return $authenticatedToken;
}
}
throw new AuthenticationException('The HMAC authentication failed.');
}
/**
* {@inheritdoc}
*/
public function notify(NotificationInterface $notification, array $users)
{
$userNotifications = [];
foreach ($users as $user) {
try {
$user = is_object($user) ? $user : $this->userProvider->loadUserByUsername($user);
$userNotifications[] = $this->userNotifFactory->createUserNotification($notification, $user);
} catch (UsernameNotFoundException $e) {
continue;
}
}
$this->notificationSaver->save($notification);
$this->userNotifsSaver->saveAll($userNotifications);
return $this;
}
public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey)
{
$secret = $token->getCredentials();
$userData = $this->session->getFlashBag()->get('arcanys_sso_auth.user_data');
if ($userData) {
// TODO create mapping config in the future
$username = reset($userData['uid']);
$email = reset($userData['email']);
$firstname = reset($userData['firstname']);
$lastname = reset($userData['lastname']);
$token = reset($userData['token']);
$roles = $userData['rights'];
if (!$roles) {
$roles = ['ROLE_USER'];
}
} else {
$this->saml2->login();
exit;
}
if (!$username) {
throw new AuthenticationException("Failed to authenticate from SSO");
}
$user = $userProvider->loadUserByUsername(['username' => $username, 'email' => $email, 'firstname' => $firstname, 'lastname' => $lastname, 'token' => $token, 'roles' => $roles]);
return new PreAuthenticatedToken($user, $secret, $providerKey, $user->getRoles($roles));
}
/**
* @inheritdoc
*/
public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey)
{
try {
$user = $userProvider->loadUserByUsername($token->getUsername());
} catch (UsernameNotFoundException $e) {
throw new CustomUserMessageAuthenticationException('Invalid username or password');
}
$username = $token->getUsername();
$password = $token->getCredentials();
$sessionCreationResult = null;
try {
$sessionCreationResult = $this->userSessionRepository->createSessionIdByCredentials($username, $password);
} catch (\InvalidArgumentException $e) {
throw new CustomUserMessageAuthenticationException('Invalid username or password');
} catch (RepositoryInfrastructureException $e) {
throw new CustomUserMessageAuthenticationException('Cannot connect to Revive service');
}
$passwordValid = $sessionCreationResult !== null && UserSessionCreationAuthenticationResult::isSuccess($sessionCreationResult->getSessionCreationAuthenticationResult());
if ($passwordValid) {
$sessionId = $sessionCreationResult->getSessionId();
$roles = [];
$roles[] = 'USER';
if (UserSessionCreationAuthorizationSessionCreationResult::isSuccess($sessionCreationResult->getSessionCreationAuthorizationSessionCreation())) {
$roles[] = 'ADMIN';
}
$token = new ReviveAuthenticationToken($user, $sessionId, $providerKey, $roles);
return $token;
}
throw new CustomUserMessageAuthenticationException('Invalid username or password');
}
/**
* {@InheritDoc}
*/
public function authenticate(TokenInterface $token)
{
$user = $this->userProvider->loadUserByUsername($token->getUsername());
$isUser = $user instanceof UserInterface;
if (!$isUser) {
throw new WsseAuthenticationException('User not found.');
}
$this->userChecker->checkPreAuth($user);
if (!$this->digestValidator->validateDigest($token, $user)) {
throw new WsseAuthenticationException('Invalid Digest.');
}
$this->userChecker->checkPostAuth($user);
$authenticatedToken = new WsseUserToken($user->getRoles());
$authenticatedToken->setUser($user);
return $authenticatedToken;
}
/**
* Function used for user authentication based on token object
*
* @param \Symfony\Component\Security\Core\Authentication\Token\TokenInterface $token
* @param \Symfony\Component\Security\Core\User\UserProviderInterface $userProvider
* @param string $providerKey
* @return \Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
* @throws BadCredentialsException
*/
public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey)
{
$passwordValid = false;
// Load user object
try {
$user = $userProvider->loadUserByUsername($token->getUsername());
} catch (UsernameNotFoundException $e) {
throw new BadCredentialsException('Invalid username or password', 0, $e);
}
try {
$this->userChecker->checkPreAuth($user);
// Call the correct authentication method
if (null !== $this->ldapManager && $user->isLdapEnabled()) {
$passwordValid = $this->checkAuthenticationLdap($user, $token);
} else {
$passwordValid = $this->checkAuthentication($user, $token);
}
$this->userChecker->checkPostAuth($user);
} catch (BadCredentialsException $e) {
if ($this->hideUserNotFoundExceptions) {
throw new BadCredentialsException('Invalid username or password', 0, $e);
}
throw $e;
}
// Set the authenticated token
if ($passwordValid) {
return new UsernamePasswordToken($user, $user->getPassword(), $providerKey, $user->getRoles());
}
throw new BadCredentialsException('Invalid username or password');
}
/**
* Attempt to authenticate the provided token using the provided user provider.
* @param TokenInterface $token
* @param UserProviderInterface $userProvider
* @param string $providerKey
* @return UsernamePasswordToken
* @throws BadCredentialsException
*/
public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey)
{
if (($user = $userProvider->loadUserByUsername($token->getUsername())) && $user->getPassword() == $token->getCredentials()) {
return new UsernamePasswordToken($user, $user->getPassword(), $providerKey, $user->getRoles());
}
throw new BadCredentialsException('The presented password is invalid.');
}
/**
* Initialize the SecurityContext from the given $stepExecution
*
* @param StepExecution $stepExecution
*/
protected function initSecurityContext(StepExecution $stepExecution)
{
$username = $stepExecution->getJobExecution()->getUser();
$user = $this->userProvider->loadUserByUsername($username);
$token = new UsernamePasswordToken($user, null, 'main', $user->getRoles());
$this->tokenStorage->setToken($token);
}
public function checkUserCredentials(IOAuth2Client $client, $username, $password)
{
if (!$client instanceof ClientInterface) {
throw new \InvalidArgumentException('Client has to implement the ClientInterface');
}
try {
$user = $this->userProvider->loadUserByUsername($username);
} catch (AuthenticationException $e) {
return false;
}
if (null !== $user) {
$data = array('data' => $user);
if ($this->tokenPathAuth === 'plain') {
$encoder = $this->encoderFactory->getEncoder($user);
if ($encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
return $data;
}
} elseif ($this->tokenPathAuth === 'hash') {
if ($user->getPassword() === $password) {
return $data;
}
} else {
throw new \InvalidArgumentException('Token Path Auth is not valid');
}
}
return false;
}
/**
* Validates WordPress authentication cookie
*
* @param UserProviderInterface $userProvider
* @param Cookie $cookie
* @return UserInterface UserInterface if valid.
* @throws RuntimeException
* @throws AuthenticationException
*/
public function validateCookie(UserProviderInterface $userProvider, $cookie)
{
$cookieParts = $this->decodeCookie($cookie);
switch (count($cookieParts)) {
case 3:
list($username, $expiration, $hmac) = $cookieParts;
$token = null;
break;
case 4:
list($username, $expiration, $token, $hmac) = $cookieParts;
break;
default:
throw new AuthenticationException('Invalid WordPress cookie.');
}
if ($expiration < time()) {
throw new AuthenticationException('The WordPress cookie has expired.');
}
try {
$user = $userProvider->loadUserByUsername($username);
} catch (Exception $exception) {
if (!$exception instanceof AuthenticationException) {
$exception = new AuthenticationException($exception->getMessage(), $exception->getCode(), $exception);
}
throw $exception;
}
if (!$user instanceof UserInterface) {
throw new RuntimeException(sprintf('The UserProviderInterface implementation must return an instance of UserInterface, but returned "%s".', get_class($user)));
}
if ($token && $hmac !== $this->generateHmacWithToken($username, $expiration, $token, $user->getPassword()) || !$token && $hmac !== $this->generateHmac($username, $expiration, $user->getPassword())) {
throw new AuthenticationException('The WordPress cookie\'s hash is invalid. Your logged in key and salt settings could be wrong.');
}
return $user;
}
