src/Domain/User/Controller/SecurityController.php line 184

Open in your IDE?
  1. <?php
  3. /**
  4.  * This file is part of the MADIS - RGPD Management application.
  5.  *
  6.  * @copyright Copyright (c) 2018-2019 Soluris - Solutions Numériques Territoriales Innovantes
  7.  * @author Donovan Bourlard <donovan@awkan.fr>
  8.  *
  9.  * This program is free software: you can redistribute it and/or modify
  10.  * it under the terms of the GNU Affero General Public License as published by
  11.  * the Free Software Foundation, either version 3 of the License, or
  12.  * (at your option) any later version.
  13.  *
  14.  * This program is distributed in the hope that it will be useful,
  15.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17.  * GNU Affero General Public License for more details.
  18.  *
  19.  * You should have received a copy of the GNU Affero General Public License
  20.  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  21.  */
  23. declare(strict_types=1);
  25. namespace App\Domain\User\Controller;
  27. use App\Application\Controller\ControllerHelper;
  28. use App\Application\Symfony\Security\UserProvider;
  29. use App\Domain\User\Component\Mailer;
  30. use App\Domain\User\Component\TokenGenerator;
  31. use App\Domain\User\Form\Type\ResetPasswordType;
  32. use App\Domain\User\Model\User;
  33. use App\Domain\User\Repository;
  34. use Doctrine\ORM\EntityManagerInterface;
  35. use KnpU\OAuth2ClientBundle\Client\ClientRegistry;
  36. use KnpU\OAuth2ClientBundle\Client\OAuth2Client;
  37. use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
  38. use Psr\Log\LoggerInterface;
  39. use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
  40. use Symfony\Component\HttpFoundation\RedirectResponse;
  41. use Symfony\Component\HttpFoundation\Request;
  42. use Symfony\Component\HttpFoundation\Response;
  43. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  44. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  45. use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
  46. use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
  47. use Twig\Error\LoaderError;
  48. use Twig\Error\RuntimeError;
  49. use Twig\Error\SyntaxError;
  51. class SecurityController extends AbstractController
  52. {
  53.     private ControllerHelper $helper;
  54.     private AuthenticationUtils $authenticationUtils;
  55.     private TokenGenerator $tokenGenerator;
  56.     private Repository\User $userRepository;
  57.     private Mailer $mailer;
  58.     private UserProvider $userProvider;
  59.     private EntityManagerInterface $entityManager;
  61.     private ?string $sso_type;
  62.     private ?string $sso_key_field;
  64.     public function __construct(
  65.         ControllerHelper $helper,
  66.         AuthenticationUtils $authenticationUtils,
  67.         TokenGenerator $tokenGenerator,
  68.         Repository\User $userRepository,
  69.         Mailer $mailer,
  70.         UserProvider $userProvider,
  71.         EntityManagerInterface $entityManager,
  72.         ?string $sso_type,
  73.         ?string $sso_key_field
  74.     ) {
  75.         $this->helper              $helper;
  76.         $this->authenticationUtils $authenticationUtils;
  77.         $this->tokenGenerator      $tokenGenerator;
  78.         $this->userRepository      $userRepository;
  79.         $this->mailer              $mailer;
  80.         $this->userProvider        $userProvider;
  81.         $this->entityManager       $entityManager;
  82.         $this->sso_type            $sso_type;
  83.         $this->sso_key_field       $sso_key_field;
  84.     }
  86.     /**
  87.      * Display login page.
  88.      *
  89.      * @throws LoaderError
  90.      * @throws RuntimeError
  91.      * @throws SyntaxError
  92.      */
  93.     public function loginAction(): Response
  94.     {
  95.         $error        $this->authenticationUtils->getLastAuthenticationError();
  96.         $lastUsername $this->authenticationUtils->getLastUsername();
  98.         return $this->helper->render('User/Security/login.html.twig', [
  99.             'last_username' => $lastUsername,
  100.             'error'         => $error,
  101.             'sso_type'      => $this->sso_type,
  102.         ]);
  103.     }
  105.     public function oauthConnectAction(Request $requestClientRegistry $clientRegistry): RedirectResponse
  106.     {
  107.         $currentUser $this->userProvider->getAuthenticatedUser();
  108.         if ($currentUser && null !== $currentUser->getSsoKey()) {
  109.             return $this->_handleUserLoggedAlreadyAssociated();
  110.         }
  112.         $oauthServiceName $request->get('service');
  113.         try {
  114.             $client $clientRegistry->getClient($oauthServiceName);
  115.         } catch (\Exception) {
  116.             return $this->_handleSsoClientError();
  117.         }
  119.         // scope openid required to get id_token needed for logout
  120.         return $client->redirect(['openid'], []);
  121.     }
  123.     public function oauthCheckAction(Request $requestClientRegistry $clientRegistryTokenStorageInterface $tokenStorageLoggerInterface $logger): RedirectResponse
  124.     {
  125.         $oauthServiceName $request->get('service');
  127.         /** @var OAuth2Client $client */
  128.         $client $clientRegistry->getClient($oauthServiceName);
  129.         try {
  130.             // scope openid required to get id_token needed for logout
  131.             $accessToken   $client->getAccessToken(['scope' => 'openid']);
  132.             $userOAuthData $client->fetchUserFromToken($accessToken)->toArray();
  133.         } catch (IdentityProviderException) {
  134.             return $this->_handleSsoClientError();
  135.         }
  137.         $sso_key_field $this->sso_key_field;
  138.         try {
  139.             $sso_value $userOAuthData[$sso_key_field];
  140.         } catch (\Exception) {
  141.             $logger->error('SSO field "' $sso_key_field '" not found.');
  142.             $logger->info('Data returned by SSO: ' json_encode($userOAuthData));
  144.             return $this->_handleSsoClientError();
  145.         }
  147.         $ssoLogoutUrl null;
  148.         $provider     $client->getOAuth2Provider();
  149.         if (method_exists($provider'getLogoutUrl')) {
  150.             $tokenValues  $accessToken->getValues();
  151.             $ssoLogoutUrl $provider->getLogoutUrl([
  152.                 'id_token_hint'            => $tokenValues['id_token'],
  153.                 'post_logout_redirect_uri' => $this->generateUrl('login', [], UrlGeneratorInterface::ABSOLUTE_URL),
  154.             ]);
  156.             $session $request->getSession();
  157.             $session->set('ssoLogoutUrl'$ssoLogoutUrl);
  158.         }
  160.         $currentUser $this->userProvider->getAuthenticatedUser();
  161.         if ($currentUser) {
  162.             return $this->_associateUserWithSsoKey($sso_value$currentUser);
  163.         }
  165.         $user $this->userRepository->findOneOrNullBySsoKey($sso_value);
  166.         if (!$user) {
  167.             return $this->_handleUserNotFound($ssoLogoutUrl);
  168.         }
  170.         // Login Programmatically
  171.         $token = new UsernamePasswordToken($user$user->getPassword(), 'public'$user->getRoles());
  172.         $tokenStorage->setToken($token);
  174.         return $this->helper->redirectToRoute('reporting_dashboard_index');
  175.     }
  177.     /**
  178.      * Display Forget password page.
  179.      *
  180.      * @throws LoaderError
  181.      * @throws RuntimeError
  182.      * @throws SyntaxError
  183.      */
  184.     public function forgetPasswordAction(): Response
  185.     {
  186.         return $this->helper->render('User/Security/forget_password.html.twig');
  187.     }
  189.     /**
  190.      * Forget password confirmation
  191.      * - Check if email exists on DB (redirect to forgetPasswordAction is not exists)
  192.      * - Generate user token
  193.      * - Send forget password email
  194.      * - Display forget password confirmation page.
  195.      *
  196.      * @throws RuntimeError
  197.      * @throws SyntaxError
  198.      * @throws LoaderError
  199.      */
  200.     public function forgetPasswordConfirmAction(Request $request): Response
  201.     {
  202.         $email $request->request->get('email');
  203.         $user  $this->userRepository->findOneOrNullByEmail($email);
  205.         if (!$user) {
  206.             return $this->helper->render('User/Security/forget_password_confirm.html.twig');
  207.         }
  209.         $user->setForgetPasswordToken($this->tokenGenerator->generateToken());
  210.         $this->userRepository->update($user);
  212.         $this->mailer->sendForgetPassword($user);
  214.         return $this->helper->render('User/Security/forget_password_confirm.html.twig');
  215.     }
  217.     /**
  218.      * Reset user password
  219.      * - Token does not exists in DB: redirect to login page with flashbag error
  220.      * - Token exists in DB: show reset password form for related user.
  221.      *
  222.      * @param Request $request The Request
  223.      * @param string  $token   The forgetPasswordToken to search the user with
  224.      *
  225.      * @throws LoaderError
  226.      * @throws RuntimeError
  227.      * @throws SyntaxError
  228.      */
  229.     public function resetPasswordAction(Request $requeststring $token): Response
  230.     {
  231.         $user $this->userRepository->findOneOrNullByForgetPasswordToken($token);
  233.         // If user doesn't exists, add flashbag error & return to login page
  234.         if (!$user) {
  235.             return $this->_handleUserNotFound();
  236.         }
  238.         // User exist, display reset password form
  239.         $form $this->helper->createForm(ResetPasswordType::class, $user);
  241.         $form->handleRequest($request);
  242.         if ($form->isSubmitted() && $form->isValid()) {
  243.             // Remove forgetPasswordToken on user since password is not reset
  244.             $user->setForgetPasswordToken(null);
  245.             $this->userRepository->update($user);
  247.             $this->helper->addFlash('success'$this->helper->trans('user.security.reset_password.flashbag.success'));
  249.             return $this->helper->redirectToRoute('login');
  250.         }
  252.         return $this->helper->render('User/Security/reset_password.html.twig', [
  253.             'form' => $form->createView(),
  254.         ]);
  255.     }
  257.     private function _handleUserLoggedAlreadyAssociated(): RedirectResponse
  258.     {
  259.         $this->helper->addFlash('warning',
  260.             $this->helper->trans('user.profile.flashbag.error.sso_already_associated')
  261.         );
  263.         return $this->helper->redirectToRoute('user_profile_user_edit');
  264.     }
  266.     private function _handleSsoClientError(): RedirectResponse
  267.     {
  268.         $this->helper->addFlash('danger',
  269.             $this->helper->trans('user.security.sso_login.flashbag.sso_client_error')
  270.         );
  272.         return $this->helper->redirectToRoute('login');
  273.     }
  275.     private function _handleUserNotFound(string $logoutUrl null): RedirectResponse
  276.     {
  277.         $this->helper->addFlash(
  278.             'danger',
  279.             $this->helper->trans('user.security.reset_password.flashbag.error')
  280.         );
  282.         if ($logoutUrl) {
  283.             return $this->redirect($logoutUrl);
  284.         }
  286.         return $this->helper->redirectToRoute('login');
  287.     }
  289.     private function _handleDuplicateUserWithSsoKey(User $alreadyExists): RedirectResponse
  290.     {
  291.         $this->helper->addFlash('danger',
  292.             $this->helper->trans('user.profile.flashbag.error.sso_key_duplicate', ['email' => $alreadyExists->getEmail()])
  293.         );
  295.         return $this->helper->redirectToRoute('user_profile_user_edit');
  296.     }
  298.     private function _associateUserWithSsoKey(mixed $sso_valueUser $currentUser): RedirectResponse
  299.     {
  300.         $alreadyExists $this->userRepository->findOneOrNullBySsoKey($sso_value);
  301.         if ($alreadyExists) {
  302.             return $this->_handleDuplicateUserWithSsoKey($alreadyExists);
  303.         }
  305.         // associate user with sso key
  306.         $currentUser->setSsoKey($sso_value);
  307.         $this->entityManager->persist($currentUser);
  308.         $this->entityManager->flush();
  309.         $this->helper->addFlash('success',
  310.             $this->helper->trans('user.profile.flashbag.success.sso_associated')
  311.         );
  313.         return $this->helper->redirectToRoute('user_profile_user_edit');
  314.     }
  315. }