src/Security/SecurityLdapFormAuthenticator.php line 41

  1. <?php
  3. namespace App\Security;
  5. use Symfony\Component\HttpFoundation\RedirectResponse;
  6. use Symfony\Component\HttpFoundation\Request;
  7. use Symfony\Component\HttpFoundation\Response;
  8. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  9. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  10. use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
  11. use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
  12. use Symfony\Component\Security\Core\Security;
  13. use Symfony\Component\Security\Core\User\UserInterface;
  14. use Symfony\Component\Security\Core\User\UserProviderInterface;
  15. use Symfony\Component\Security\Csrf\CsrfToken;
  16. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  17. use Symfony\Component\Security\Http\Authenticator\AbstractLoginFormAuthenticator;
  18. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
  19. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
  20. use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
  21. use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\CustomCredentials;
  22. use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
  23. use Symfony\Component\Security\Http\Util\TargetPathTrait;
  24. use Symfony\Component\Security\Http\SecurityRequestAttributes;
  26. use Symfony\Component\Ldap\Ldap;
  27. use Symfony\Component\Ldap\LdapInterface;
  28. use Symfony\Component\Ldap\Adapter\QueryInterface;
  30. use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
  31. use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
  32. use Symfony\Component\Security\Core\Exception\LockedException;
  33. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  35. use App\Repository\UserRepository;
  36. use App\Entity\User;
  38. use Symfony\Component\Ldap\Exception\InvalidCredentialsException;
  39. use Symfony\Component\Ldap\Exception\InvalidSearchCredentialsException;
  41. class SecurityLdapFormAuthenticator extends AbstractLoginFormAuthenticator
  42. {
  43.     use TargetPathTrait;
  45.     private UrlGeneratorInterface $urlGenerator;
  47.     private CsrfTokenManagerInterface $csrfTokenManager;
  49.     public function __construct(UrlGeneratorInterface $urlGeneratorCsrfTokenManagerInterface $csrfTokenManager)
  50.     {
  51.         $this->urlGenerator $urlGenerator;
  52.         $this->csrfTokenManager $csrfTokenManager;
  53.     }
  55.     protected function getLoginUrl(Request $request): string
  56.     {
  57.         return $this->urlGenerator->generate('security_ldap_login');
  58.     }
  60.     public function supports(Request $request): bool
  61.     {
  62.         return 'security_ldap_login' === $request->attributes->get('_route') && $request->isMethod('POST');
  63.     }
  65.     public function getCredentials(Request $request): array
  66.     {
  67.         $credentials = [
  68.             'username' => $request->request->get('_username'),
  69.             'password' => $request->request->get('_password'),
  70.             'csrf_token' => $request->request->get('_csrf_token'),
  71.         ];
  73.         $credentials['username'] = trim($credentials['username']);
  75.         $request->getSession()->set(
  76.             SecurityRequestAttributes::LAST_USERNAME,
  77.             $credentials['username']
  78.         );
  80.         return $credentials;
  81.     }
  83.     public function checkCredentials($credentialsUserInterface $user): bool
  84.     {
  85.         // In this scenario, this method is by-passed since user authentication need to be managed before in getUser method.
  86.         return true;
  87.     }
  89.     public function onAuthenticationSuccess(
  90.         Request $request,
  91.         TokenInterface $token,
  92.         string $firewallName
  93.     ): ?Response {
  94.         // $providerKey = $firewallName
  95.         $request->getSession()->getFlashBag()->add('info''connected!');
  96.         if ($targetPath $this->getTargetPath($request->getSession(), $firewallName)) {
  97.             return new RedirectResponse($targetPath);
  98.         }
  99.         return new RedirectResponse($this->urlGenerator->generate('home'));
  100.     }
  102.     public function authenticate(Request $request): Passport
  103.     {
  104.         $credentials $this->getCredentials($request);
  106.         $userBadge = new UserBadge($credentials["username"]);
  107.         $customCredentials = new CustomCredentials(
  108.             function($credentialsUserInterface $user) {
  109.                 if ($credentials["username"] && $credentials["password"
  110.                     && strtoupper($user->getUserIdentifier()) === strtoupper($credentials["username"])
  111.                     && $this->getUserEntityCheckedFromLdap($credentials["username"], $credentials["password"], $user) !== NULL) {
  112.                     return true;
  113.                 }
  114.                 return false;
  115.             },
  116.             $credentials
  117.         );
  118.         $passport = new Passport($userBadge$customCredentials, [new CsrfTokenBadge('authenticate'$request->request->get('_csrf_token'))]);
  120.         return ($passport);
  121.     }
  123.     /**
  124.      * search user against ldap and returns the matching App\Entity\User. The $user entity will be created if not exists.
  125.      * @param string $username
  126.      * @param string $password
  127.      * @return User|object|null
  128.      */
  129.     public function getUserEntityCheckedFromLdap(string $usernamestring $passwordUser $user)
  130.     {
  131.         $ldapSearchDn $_ENV["LDAP_USER"];
  132.         $ldapSearchPassword $_ENV["LDAP_PASS"];
  133.         $ldapSearchDnString $_ENV["LDAP_DN"];
  134.         $server $_ENV["LDAP_SERVER"];
  136.         $ldap Ldap::create('ext_ldap',[
  137.             'host' => $server,
  138.             'encryption' => 'tls',
  139.             'version' => '3',
  140.             'referrals' => false,
  141.             'options' => ['debug_level' => 7'x_tls_require_cert' => 'never'],
  142.         ]);
  144.         try {
  145.             $ldap->bind($ldapSearchDn$ldapSearchPassword);
  146.         } catch (InvalidCredentialsException) {
  147.             throw new InvalidSearchCredentialsException();
  148.         }
  150.         $username $ldap->escape($username''LdapInterface::ESCAPE_FILTER);
  151.         $search $ldap->query($ldapSearchDnString"(sAMAccountName=" $username ")", ['scope' => QueryInterface::SCOPE_SUB]);
  152.         $entries $search->execute()->toArray();
  153.         $count count($entries);
  155.         if (!$count) {
  156.             throw new AuthenticationException(sprintf('User "%s" not found.'$username));
  157.         }
  158.         if ($count 1) {
  159.             throw new AuthenticationException('More than one user found');
  160.         }
  161.         $ldapEntry $entries[0];
  162.         $dn $ldapEntry->getDn();
  164.         try {
  165.             $ldap->bind($dn$password);
  166.         } catch (InvalidCredentialsException) {
  167.             throw new AuthenticationException('Credentials Invalid');
  168.         }
  170.         //Si l'utilisateur n'existe pas en DB
  171.         if (!$user)
  172.             throw new AuthenticationException("User doesn't exist on ENSO");
  174.         //S'il existe, on récupère l'employee
  175.         $employee $user->getEmployee();
  176.         if (!$employee)
  177.             throw new LockedException();
  179.         return $user;
  180.     }
  181. }