Chris@0: <?php
Chris@0: 
Chris@0: namespace Drupal\Core\Authentication;
Chris@0: 
Chris@0: use Drupal\Core\Routing\RouteMatch;
Chris@0: use Symfony\Component\HttpFoundation\Request;
Chris@0: 
Chris@0: /**
Chris@0:  * Manager for authentication.
Chris@0:  *
Chris@0:  * On each request, let all authentication providers try to authenticate the
Chris@0:  * user. The providers are iterated according to their priority and the first
Chris@0:  * provider detecting credentials for its method wins. No further provider will
Chris@0:  * get triggered.
Chris@0:  *
Chris@0:  * If no provider set an active user then the user is set to anonymous.
Chris@0:  */
Chris@0: class AuthenticationManager implements AuthenticationProviderInterface, AuthenticationProviderFilterInterface, AuthenticationProviderChallengeInterface {
Chris@0: 
Chris@0:   /**
Chris@0:    * The authentication provider collector.
Chris@0:    *
Chris@0:    * @var \Drupal\Core\Authentication\AuthenticationCollectorInterface
Chris@0:    */
Chris@0:   protected $authCollector;
Chris@0: 
Chris@0:   /**
Chris@0:    * Creates a new authentication manager instance.
Chris@0:    *
Chris@0:    * @param \Drupal\Core\Authentication\AuthenticationCollectorInterface $auth_collector
Chris@0:    *   The authentication provider collector.
Chris@0:    */
Chris@0:   public function __construct(AuthenticationCollectorInterface $auth_collector) {
Chris@0:     $this->authCollector = $auth_collector;
Chris@0:   }
Chris@0: 
Chris@0:   /**
Chris@0:    * {@inheritdoc}
Chris@0:    */
Chris@0:   public function applies(Request $request) {
Chris@0:     return (bool) $this->getProvider($request);
Chris@0:   }
Chris@0: 
Chris@0:   /**
Chris@0:    * {@inheritdoc}
Chris@0:    */
Chris@0:   public function authenticate(Request $request) {
Chris@0:     $provider_id = $this->getProvider($request);
Chris@0:     $provider = $this->authCollector->getProvider($provider_id);
Chris@0: 
Chris@0:     if ($provider) {
Chris@0:       return $provider->authenticate($request);
Chris@0:     }
Chris@0: 
Chris@0:     return NULL;
Chris@0:   }
Chris@0: 
Chris@0:   /**
Chris@0:    * {@inheritdoc}
Chris@0:    */
Chris@0:   public function appliesToRoutedRequest(Request $request, $authenticated) {
Chris@0:     $result = FALSE;
Chris@0: 
Chris@0:     if ($authenticated) {
Chris@0:       $result = $this->applyFilter($request, $authenticated, $this->getProvider($request));
Chris@0:     }
Chris@0:     else {
Chris@0:       foreach ($this->authCollector->getSortedProviders() as $provider_id => $provider) {
Chris@0:         if ($this->applyFilter($request, $authenticated, $provider_id)) {
Chris@0:           $result = TRUE;
Chris@0:           break;
Chris@0:         }
Chris@0:       }
Chris@0:     }
Chris@0: 
Chris@0:     return $result;
Chris@0:   }
Chris@0: 
Chris@0:   /**
Chris@0:    * {@inheritdoc}
Chris@0:    */
Chris@0:   public function challengeException(Request $request, \Exception $previous) {
Chris@0:     $provider_id = $this->getChallenger($request);
Chris@0: 
Chris@0:     if ($provider_id) {
Chris@0:       $provider = $this->authCollector->getProvider($provider_id);
Chris@0:       return $provider->challengeException($request, $previous);
Chris@0:     }
Chris@0:   }
Chris@0: 
Chris@0:   /**
Chris@0:    * Returns the id of the authentication provider for a request.
Chris@0:    *
Chris@0:    * @param \Symfony\Component\HttpFoundation\Request $request
Chris@0:    *   The incoming request.
Chris@0:    *
Chris@0:    * @return string|null
Chris@0:    *   The id of the first authentication provider which applies to the request.
Chris@0:    *   If no application detects appropriate credentials, then NULL is returned.
Chris@0:    */
Chris@0:   protected function getProvider(Request $request) {
Chris@0:     foreach ($this->authCollector->getSortedProviders() as $provider_id => $provider) {
Chris@0:       if ($provider->applies($request)) {
Chris@0:         return $provider_id;
Chris@0:       }
Chris@0:     }
Chris@0:   }
Chris@0: 
Chris@0:   /**
Chris@0:    * Returns the ID of the challenge provider for a request.
Chris@0:    *
Chris@0:    * @param \Symfony\Component\HttpFoundation\Request $request
Chris@0:    *   The incoming request.
Chris@0:    *
Chris@0:    * @return string|null
Chris@0:    *   The ID of the first authentication provider which applies to the request.
Chris@0:    *   If no application detects appropriate credentials, then NULL is returned.
Chris@0:    */
Chris@0:   protected function getChallenger(Request $request) {
Chris@0:     foreach ($this->authCollector->getSortedProviders() as $provider_id => $provider) {
Chris@0:       if (($provider instanceof AuthenticationProviderChallengeInterface) && !$provider->applies($request) && $this->applyFilter($request, FALSE, $provider_id)) {
Chris@0:         return $provider_id;
Chris@0:       }
Chris@0:     }
Chris@0:   }
Chris@0: 
Chris@0:   /**
Chris@0:    * Checks whether a provider is allowed on the given request.
Chris@0:    *
Chris@0:    * If no filter is registered for the given provider id, the default filter
Chris@0:    * is applied.
Chris@0:    *
Chris@0:    * @param \Symfony\Component\HttpFoundation\Request $request
Chris@0:    *   The incoming request.
Chris@0:    * @param bool $authenticated
Chris@0:    *   Whether or not the request is authenticated.
Chris@0:    * @param string $provider_id
Chris@0:    *   The id of the authentication provider to check access for.
Chris@0:    *
Chris@0:    * @return bool
Chris@0:    *   TRUE if provider is allowed, FALSE otherwise.
Chris@0:    */
Chris@0:   protected function applyFilter(Request $request, $authenticated, $provider_id) {
Chris@0:     $provider = $this->authCollector->getProvider($provider_id);
Chris@0: 
Chris@0:     if ($provider && ($provider instanceof AuthenticationProviderFilterInterface)) {
Chris@0:       $result = $provider->appliesToRoutedRequest($request, $authenticated);
Chris@0:     }
Chris@0:     else {
Chris@0:       $result = $this->defaultFilter($request, $provider_id);
Chris@0:     }
Chris@0: 
Chris@0:     return $result;
Chris@0:   }
Chris@0: 
Chris@0:   /**
Chris@0:    * Default implementation of the provider filter.
Chris@0:    *
Chris@0:    * Checks whether a provider is allowed as per the _auth option on a route. If
Chris@0:    * the option is not set or if the request did not match any route, only
Chris@0:    * providers from the global provider set are allowed.
Chris@0:    *
Chris@0:    * If no filter is registered for the given provider id, the default filter
Chris@0:    * is applied.
Chris@0:    *
Chris@0:    * @param \Symfony\Component\HttpFoundation\Request $request
Chris@0:    *   The incoming request.
Chris@0:    * @param string $provider_id
Chris@0:    *   The id of the authentication provider to check access for.
Chris@0:    *
Chris@0:    * @return bool
Chris@0:    *   TRUE if provider is allowed, FALSE otherwise.
Chris@0:    */
Chris@0:   protected function defaultFilter(Request $request, $provider_id) {
Chris@0:     $route = RouteMatch::createFromRequest($request)->getRouteObject();
Chris@0:     $has_auth_option = isset($route) && $route->hasOption('_auth');
Chris@0: 
Chris@0:     if ($has_auth_option) {
Chris@0:       return in_array($provider_id, $route->getOption('_auth'));
Chris@0:     }
Chris@0:     else {
Chris@0:       return $this->authCollector->isGlobal($provider_id);
Chris@0:     }
Chris@0:   }
Chris@0: 
Chris@0: }