Chris@0: <?php
Chris@0: 
Chris@0: namespace Drupal\Core\EventSubscriber;
Chris@0: 
Chris@0: use Drupal\Core\Authentication\AuthenticationProviderFilterInterface;
Chris@0: use Drupal\Core\Authentication\AuthenticationProviderChallengeInterface;
Chris@0: use Drupal\Core\Authentication\AuthenticationProviderInterface;
Chris@0: use Drupal\Core\Session\AccountProxyInterface;
Chris@0: use Symfony\Component\EventDispatcher\EventSubscriberInterface;
Chris@0: use Symfony\Component\HttpKernel\Event\GetResponseEvent;
Chris@0: use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
Chris@0: use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
Chris@0: use Symfony\Component\HttpKernel\KernelEvents;
Chris@0: 
Chris@0: /**
Chris@0:  * Authentication subscriber.
Chris@0:  *
Chris@0:  * Trigger authentication during the request.
Chris@0:  */
Chris@0: class AuthenticationSubscriber implements EventSubscriberInterface {
Chris@0: 
Chris@0:   /**
Chris@0:    * Authentication provider.
Chris@0:    *
Chris@0:    * @var \Drupal\Core\Authentication\AuthenticationProviderInterface
Chris@0:    */
Chris@0:   protected $authenticationProvider;
Chris@0: 
Chris@0:   /**
Chris@0:    * Authentication provider filter.
Chris@0:    *
Chris@0:    * @var \Drupal\Core\Authentication\AuthenticationProviderFilterInterface|null
Chris@0:    */
Chris@0:   protected $filter;
Chris@0: 
Chris@0:   /**
Chris@0:    * Authentication challenge provider.
Chris@0:    *
Chris@0:    * @var \Drupal\Core\Authentication\AuthenticationProviderChallengeInterface|null
Chris@0:    */
Chris@0:   protected $challengeProvider;
Chris@0: 
Chris@0:   /**
Chris@0:    * Account proxy.
Chris@0:    *
Chris@0:    * @var \Drupal\Core\Session\AccountProxyInterface
Chris@0:    */
Chris@0:   protected $accountProxy;
Chris@0: 
Chris@0:   /**
Chris@0:    * Constructs an authentication subscriber.
Chris@0:    *
Chris@0:    * @param \Drupal\Core\Authentication\AuthenticationProviderInterface $authentication_provider
Chris@0:    *   An authentication provider.
Chris@0:    * @param \Drupal\Core\Session\AccountProxyInterface $account_proxy
Chris@0:    *   Account proxy.
Chris@0:    */
Chris@0:   public function __construct(AuthenticationProviderInterface $authentication_provider, AccountProxyInterface $account_proxy) {
Chris@0:     $this->authenticationProvider = $authentication_provider;
Chris@0:     $this->filter = ($authentication_provider instanceof AuthenticationProviderFilterInterface) ? $authentication_provider : NULL;
Chris@0:     $this->challengeProvider = ($authentication_provider instanceof AuthenticationProviderChallengeInterface) ? $authentication_provider : NULL;
Chris@0:     $this->accountProxy = $account_proxy;
Chris@0:   }
Chris@0: 
Chris@0:   /**
Chris@0:    * Authenticates user on request.
Chris@0:    *
Chris@0:    * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event
Chris@0:    *   The request event.
Chris@0:    *
Chris@0:    * @see \Drupal\Core\Authentication\AuthenticationProviderInterface::authenticate()
Chris@0:    */
Chris@0:   public function onKernelRequestAuthenticate(GetResponseEvent $event) {
Chris@18:     if ($event->isMasterRequest()) {
Chris@0:       $request = $event->getRequest();
Chris@0:       if ($this->authenticationProvider->applies($request)) {
Chris@0:         $account = $this->authenticationProvider->authenticate($request);
Chris@0:         if ($account) {
Chris@0:           $this->accountProxy->setAccount($account);
Chris@0:           return;
Chris@0:         }
Chris@0:       }
Chris@0:       // No account has been set explicitly, initialize the timezone here.
Chris@0:       date_default_timezone_set(drupal_get_user_timezone());
Chris@0:     }
Chris@0:   }
Chris@0: 
Chris@0:   /**
Chris@0:    * Denies access if authentication provider is not allowed on this route.
Chris@0:    *
Chris@0:    * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event
Chris@0:    *   The request event.
Chris@0:    */
Chris@0:   public function onKernelRequestFilterProvider(GetResponseEvent $event) {
Chris@18:     if (isset($this->filter) && $event->isMasterRequest()) {
Chris@0:       $request = $event->getRequest();
Chris@0:       if ($this->authenticationProvider->applies($request) && !$this->filter->appliesToRoutedRequest($request, TRUE)) {
Chris@0:         throw new AccessDeniedHttpException('The used authentication method is not allowed on this route.');
Chris@0:       }
Chris@0:     }
Chris@0:   }
Chris@0: 
Chris@0:   /**
Chris@0:    * Respond with a challenge on access denied exceptions if appropriate.
Chris@0:    *
Chris@0:    * On a 403 (access denied), if there are no credentials on the request, some
Chris@0:    * authentication methods (e.g. basic auth) require that a challenge is sent
Chris@0:    * to the client.
Chris@0:    *
Chris@0:    * @param \Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent $event
Chris@0:    *   The exception event.
Chris@0:    */
Chris@0:   public function onExceptionSendChallenge(GetResponseForExceptionEvent $event) {
Chris@18:     if (isset($this->challengeProvider) && $event->isMasterRequest()) {
Chris@0:       $request = $event->getRequest();
Chris@0:       $exception = $event->getException();
Chris@0:       if ($exception instanceof AccessDeniedHttpException && !$this->authenticationProvider->applies($request) && (!isset($this->filter) || $this->filter->appliesToRoutedRequest($request, FALSE))) {
Chris@0:         $challenge_exception = $this->challengeProvider->challengeException($request, $exception);
Chris@0:         if ($challenge_exception) {
Chris@0:           $event->setException($challenge_exception);
Chris@0:         }
Chris@0:       }
Chris@0:     }
Chris@0:   }
Chris@0: 
Chris@0:   /**
Chris@17:    * Detect disallowed authentication methods on access denied exceptions.
Chris@17:    *
Chris@17:    * @param \Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent $event
Chris@17:    */
Chris@18:   public function onExceptionAccessDenied(GetResponseForExceptionEvent $event) {
Chris@17:     if (isset($this->filter) && $event->isMasterRequest()) {
Chris@17:       $request = $event->getRequest();
Chris@17:       $exception = $event->getException();
Chris@17:       if ($exception instanceof AccessDeniedHttpException && $this->authenticationProvider->applies($request) && !$this->filter->appliesToRoutedRequest($request, TRUE)) {
Chris@17:         $event->setException(new AccessDeniedHttpException('The used authentication method is not allowed on this route.', $exception));
Chris@17:       }
Chris@17:     }
Chris@17:   }
Chris@17: 
Chris@17:   /**
Chris@0:    * {@inheritdoc}
Chris@0:    */
Chris@0:   public static function getSubscribedEvents() {
Chris@0:     // The priority for authentication must be higher than the highest event
Chris@0:     // subscriber accessing the current user. Especially it must be higher than
Chris@0:     // LanguageRequestSubscriber as LanguageManager accesses the current user if
Chris@0:     // the language module is enabled.
Chris@0:     $events[KernelEvents::REQUEST][] = ['onKernelRequestAuthenticate', 300];
Chris@0: 
Chris@0:     // Access check must be performed after routing.
Chris@0:     $events[KernelEvents::REQUEST][] = ['onKernelRequestFilterProvider', 31];
Chris@0:     $events[KernelEvents::EXCEPTION][] = ['onExceptionSendChallenge', 75];
Chris@18:     $events[KernelEvents::EXCEPTION][] = ['onExceptionAccessDenied', 80];
Chris@0:     return $events;
Chris@0:   }
Chris@0: 
Chris@0: }