Add listeners to check expiry on authentication and hande unverifying and reverifying of email addresses
parent
11e22f0362
commit
5768c06f25
@ -0,0 +1,37 @@ |
||||
<?php |
||||
/** |
||||
* Authserver, an OAuth2-based single-signon authentication provider written in PHP. |
||||
* |
||||
* Copyright (C) 2017 Lars Vierbergen |
||||
* |
||||
* his program is free software: you can redistribute it and/or modify |
||||
* it under the terms of the GNU Affero General Public License as |
||||
* published by the Free Software Foundation, either version 3 of the |
||||
* License, or (at your option) any later version. |
||||
* |
||||
* This program is distributed in the hope that it will be useful, |
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||||
* GNU Affero General Public License for more details. |
||||
* |
||||
* You should have received a copy of the GNU Affero General Public License |
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>. |
||||
*/ |
||||
namespace vierbergenlars\AuthserverAutoExpireUsersBundle\DependencyInjection; |
||||
|
||||
use Symfony\Component\DependencyInjection\ContainerBuilder; |
||||
use Symfony\Component\Config\FileLocator; |
||||
use Symfony\Component\HttpKernel\DependencyInjection\Extension; |
||||
use Symfony\Component\DependencyInjection\Loader; |
||||
|
||||
class AuthserverAutoExpireUsersExtension extends Extension |
||||
{ |
||||
|
||||
public function load(array $configs, ContainerBuilder $container) |
||||
{ |
||||
$servicesDirectory = __DIR__ . '/../Resources/config'; |
||||
$fileLocator = new FileLocator($servicesDirectory); |
||||
$xmlLoader = new Loader\XmlFileLoader($container, $fileLocator); |
||||
$xmlLoader->load('services.xml'); |
||||
} |
||||
} |
||||
@ -0,0 +1,99 @@ |
||||
<?php |
||||
namespace vierbergenlars\AuthserverAutoExpireUsersBundle\Entity; |
||||
|
||||
use App\Entity\User; |
||||
use Doctrine\ORM\Mapping\Entity; |
||||
use Doctrine\ORM\Mapping\Table; |
||||
use Doctrine\ORM\Mapping\OneToOne; |
||||
use Doctrine\ORM\Mapping\Id; |
||||
use Doctrine\ORM\Mapping\Column; |
||||
|
||||
/** |
||||
* @Entity() |
||||
* @Table(name="vierbergenlars_expire_users") |
||||
*/ |
||||
class ExpiredUser |
||||
{ |
||||
|
||||
/** |
||||
* @OneToOne(targetEntity="App\Entity\User") |
||||
* @Id() |
||||
* |
||||
* @var User |
||||
*/ |
||||
private $user; |
||||
|
||||
/** |
||||
* @Column(name="last_login", type="datetime", nullable=true) |
||||
* |
||||
* @var \DateTime|null |
||||
*/ |
||||
private $lastLogin; |
||||
|
||||
/** |
||||
* @Column(name="expired_at", type="datetime", nullable=true) |
||||
* |
||||
* @var \DateTime|null |
||||
*/ |
||||
private $expiredAt; |
||||
|
||||
public function __construct(User $user) |
||||
{ |
||||
$this->user = $user; |
||||
} |
||||
|
||||
/** |
||||
* |
||||
* @return \App\Entity\User |
||||
*/ |
||||
public function getUser() |
||||
{ |
||||
return $this->user; |
||||
} |
||||
|
||||
/** |
||||
* |
||||
* @return \DateTime|null |
||||
*/ |
||||
public function getLastLogin() |
||||
{ |
||||
return $this->lastLogin; |
||||
} |
||||
|
||||
/** |
||||
* |
||||
* @param \DateTime|null $lastLogin |
||||
*/ |
||||
public function setLastLogin($lastLogin) |
||||
{ |
||||
$this->lastLogin = $lastLogin; |
||||
} |
||||
|
||||
/** |
||||
* |
||||
* @return \DateTime|null |
||||
*/ |
||||
public function getExpiredAt() |
||||
{ |
||||
return $this->expiredAt; |
||||
} |
||||
|
||||
/** |
||||
* |
||||
* @param \DateTime|null $expiredAt |
||||
*/ |
||||
public function setExpiredAt($expiredAt) |
||||
{ |
||||
$this->expiredAt = $expiredAt; |
||||
} |
||||
|
||||
/** |
||||
* Checks if the user is expired (expiry date is not null and in the past) |
||||
* |
||||
* @return boolean |
||||
*/ |
||||
public function isExpired() |
||||
{ |
||||
return $this->expiredAt !== null && $this->expiredAt < new \DateTime(); |
||||
} |
||||
} |
||||
@ -0,0 +1,189 @@ |
||||
<?php |
||||
namespace vierbergenlars\AuthserverAutoExpireUsersBundle\EventListener; |
||||
|
||||
use App\AppEvents; |
||||
use App\Event\UserCheckerEvent; |
||||
use App\Entity\User; |
||||
use Doctrine\ORM\EntityManagerInterface; |
||||
use Doctrine\ORM\EntityRepository; |
||||
use Symfony\Component\EventDispatcher\EventSubscriberInterface; |
||||
use Symfony\Component\Security\Core\Exception\AccountExpiredException; |
||||
use Symfony\Component\Security\Core\AuthenticationEvents; |
||||
use Symfony\Component\Security\Core\Event\AuthenticationEvent; |
||||
use vierbergenlars\AuthserverAutoExpireUsersBundle\Entity\ExpiredUser; |
||||
use vierbergenlars\AuthserverStatsBundle\Event\StatsEvent; |
||||
use Symfony\Component\VarDumper\VarDumper; |
||||
use Psr\Log\LoggerInterface; |
||||
use App\Mail\PrimedTwigMailer; |
||||
use Symfony\Component\Security\Core\Role\SwitchUserRole; |
||||
|
||||
class CheckExpiryListener implements EventSubscriberInterface |
||||
{ |
||||
|
||||
/** |
||||
* |
||||
* @var EntityManagerInterface |
||||
*/ |
||||
private $em; |
||||
|
||||
/** |
||||
* |
||||
* @var LoggerInterface |
||||
*/ |
||||
private $logger; |
||||
|
||||
/** |
||||
* |
||||
* @var PrimedTwigMailer |
||||
*/ |
||||
private $mailer; |
||||
|
||||
public static function getSubscribedEvents() |
||||
{ |
||||
return [ |
||||
AppEvents::SECURITY_USER_CHECK_POST => [ |
||||
'onUserCheck' |
||||
], |
||||
AuthenticationEvents::AUTHENTICATION_SUCCESS => [ |
||||
'onAuthenticationSuccess' |
||||
], |
||||
StatsEvent::class => [ |
||||
'getExpiryStats', |
||||
-10 |
||||
] |
||||
]; |
||||
} |
||||
|
||||
public function __construct(EntityManagerInterface $em, PrimedTwigMailer $mailer, LoggerInterface $logger) |
||||
{ |
||||
$this->em = $em; |
||||
$this->mailer = $mailer; |
||||
$this->logger = $logger; |
||||
} |
||||
|
||||
/** |
||||
* |
||||
* @return EntityRepository |
||||
*/ |
||||
private function getRepository() |
||||
{ |
||||
return $this->em->getRepository(ExpiredUser::class); |
||||
} |
||||
|
||||
/** |
||||
* |
||||
* @param User $user |
||||
* @return ExpiredUser|null |
||||
*/ |
||||
private function getExpiredUserForUser(User $user) |
||||
{ |
||||
return $this->getRepository()->findOneBy([ |
||||
'user' => $user |
||||
]); |
||||
} |
||||
|
||||
public function onUserCheck(UserCheckerEvent $event) |
||||
{ |
||||
$user = $event->getUser(); |
||||
$this->logger->debug("Checking expiry of user", [ |
||||
'user' => $user |
||||
]); |
||||
if (!($user instanceof User)) { |
||||
$this->logger->debug('Not applicable to this type of user', [ |
||||
'user' => $user |
||||
]); |
||||
return; |
||||
} |
||||
|
||||
/* @var $user User */ |
||||
$expiredUser = $this->getExpiredUserForUser($user); |
||||
|
||||
$this->logger->debug('Fetched user expiry record', [ |
||||
'expired_user' => $expiredUser, |
||||
'is_expired' => $expiredUser->isExpired() |
||||
]); |
||||
|
||||
if ($expiredUser !== null && $expiredUser->isExpired()) { |
||||
$emailAddresses = $user->getEmailAddresses()->toArray(); |
||||
$this->logger->info('User marked as expired. Unverifying all email addresses.', [ |
||||
'user' => $user, |
||||
'email_addresses' => $emailAddresses |
||||
]); |
||||
foreach ($emailAddresses as $emailAddress) { |
||||
/* @var $emailAddress \App\Entity\EmailAddress */ |
||||
$emailAddress->setVerified(false); |
||||
if (!$this->mailer->sendMessage($emailAddress->getEmail(), $emailAddress)) { |
||||
$this->logger->error('Verification email could not be sent.', [ |
||||
'email_address' => $emailAddress |
||||
]); |
||||
} |
||||
} |
||||
$this->em->flush(); |
||||
throw new AccountExpiredException('Account has expired.'); |
||||
} |
||||
} |
||||
|
||||
public function onAuthenticationSuccess(AuthenticationEvent $event) |
||||
{ |
||||
$this->logger->debug("Updating last login time of user", [ |
||||
'token' => $event->getAuthenticationToken(), |
||||
'user' => $event->getAuthenticationToken() |
||||
->getUser() |
||||
]); |
||||
$token = $event->getAuthenticationToken(); |
||||
foreach ($token->getRoles() as $role) { |
||||
if ($role instanceof SwitchUserRole) { |
||||
$this->logger->info('Authentication success event is caused by an impersonation. Not registering a new login.', [ |
||||
'role' => $role |
||||
]); |
||||
return; |
||||
} |
||||
} |
||||
$user = $token->getUser(); |
||||
|
||||
if (!($user instanceof User)) { |
||||
$this->logger->debug('Not applicable to this type of user', [ |
||||
'user' => $user |
||||
]); |
||||
return; |
||||
} |
||||
|
||||
$expiredUser = $this->getExpiredUserForUser($user); |
||||
|
||||
$this->logger->debug('Fetched user expiry record', [ |
||||
'expired_user' => $expiredUser, |
||||
'is_expired' => $expiredUser->isExpired() |
||||
]); |
||||
|
||||
if ($expiredUser === null) { |
||||
$this->logger->debug('No user expiry record exists. Creating a new one.'); |
||||
$expiredUser = new ExpiredUser($user); |
||||
$this->em->persist($expiredUser); |
||||
} |
||||
|
||||
$expiredUser->setLastLogin(new \DateTime()); |
||||
|
||||
$this->em->flush($expiredUser); |
||||
} |
||||
|
||||
public function getExpiryStats(StatsEvent $event) |
||||
{ |
||||
if (!$event->isEnabled('autoexpire')) |
||||
return; |
||||
|
||||
$event->setMuninConfig('user', $event->getMuninConfig('user') + [ |
||||
'autoexpire.label' => 'Expired users', |
||||
'autoexpire.draw' => 'LINE' |
||||
]); |
||||
|
||||
$expiredUsers = $this->getRepository() |
||||
->createQueryBuilder('e') |
||||
->select('count(e.expiredAt)') |
||||
->where('e.expiredAt IS NOT NULL AND e.expiredAt < :now') |
||||
->setParameter('now', new \DateTime()) |
||||
->getQuery() |
||||
->getSingleScalarResult(); |
||||
|
||||
$event->addStatistic('user.autoexpire', $expiredUsers); |
||||
} |
||||
} |
||||
@ -0,0 +1,113 @@ |
||||
<?php |
||||
namespace vierbergenlars\AuthserverAutoExpireUsersBundle\EventListener; |
||||
|
||||
use App\AppEvents; |
||||
use App\Event\UserCheckerEvent; |
||||
use App\Entity\EmailAddress; |
||||
use App\Entity\User; |
||||
use Doctrine\ORM\EntityManagerInterface; |
||||
use Doctrine\ORM\EntityRepository; |
||||
use Symfony\Component\EventDispatcher\EventSubscriberInterface; |
||||
use Symfony\Component\Security\Core\Exception\AccountExpiredException; |
||||
use Symfony\Component\Security\Core\AuthenticationEvents; |
||||
use Symfony\Component\Security\Core\Event\AuthenticationEvent; |
||||
use vierbergenlars\AuthserverAutoExpireUsersBundle\Entity\ExpiredUser; |
||||
use vierbergenlars\AuthserverStatsBundle\Event\StatsEvent; |
||||
use Symfony\Component\VarDumper\VarDumper; |
||||
use Psr\Log\LoggerInterface; |
||||
use App\Mail\PrimedTwigMailer; |
||||
use Doctrine\Common\EventSubscriber; |
||||
use Doctrine\ORM\Events; |
||||
use Doctrine\ORM\Event\PreUpdateEventArgs; |
||||
use Doctrine\ORM\Event\PreFlushEventArgs; |
||||
use Doctrine\ORM\Event\OnFlushEventArgs; |
||||
use Doctrine\ORM\UnitOfWork; |
||||
use Doctrine\ORM\EntityManager; |
||||
|
||||
class EmailAddressVerificationListener implements EventSubscriber |
||||
{ |
||||
|
||||
/** |
||||
* |
||||
* @var EntityManagerInterface |
||||
*/ |
||||
private $em; |
||||
|
||||
/** |
||||
* |
||||
* @var LoggerInterface |
||||
*/ |
||||
private $logger; |
||||
|
||||
public function getSubscribedEvents() |
||||
{ |
||||
return [ |
||||
Events::onFlush |
||||
]; |
||||
} |
||||
|
||||
public function __construct(LoggerInterface $logger) |
||||
{ |
||||
$this->logger = $logger; |
||||
} |
||||
|
||||
public function onFlush(OnFlushEventArgs $event) |
||||
{ |
||||
$uow = $event->getEntityManager()->getUnitOfWork(); |
||||
$updates = $uow->getScheduledEntityUpdates(); |
||||
foreach ($updates as $update) { |
||||
$this->processEntity($update, $event->getEntityManager(), $uow); |
||||
} |
||||
} |
||||
|
||||
private function processEntity($entity, EntityManager $em, UnitOfWork $uow) |
||||
{ |
||||
if (!($entity instanceof EmailAddress)) |
||||
return; |
||||
|
||||
$changeSet = $uow->getEntityChangeSet($entity); |
||||
|
||||
/* @var $entity EmailAddress */ |
||||
|
||||
// verification status of the email address has changed and it is not the primary email address |
||||
if (isset($changeSet['verified']) && $entity->isVerified()) { |
||||
$expiredUser = $em->find(ExpiredUser::class, $entity->getUser()); |
||||
$this->logger->debug('User expiration record for user.', [ |
||||
'user' => $entity->getUser(), |
||||
'expired_user' => $expiredUser, |
||||
'is_expired' => $expiredUser ? $expiredUser->isExpired() : null |
||||
]); |
||||
if (!$expiredUser || !$expiredUser->isExpired()) |
||||
return; |
||||
|
||||
/* @var $expiredUser ExpiredUser */ |
||||
$this->logger->info('An email address has been verified, clearing expiration for user.', [ |
||||
'user' => $entity->getUser(), |
||||
'expired_user' => $expiredUser |
||||
]); |
||||
|
||||
$expiredUserMeta = $em->getMetadataFactory()->getMetadataFor(ExpiredUser::class); |
||||
$expiredUser->setExpiredAt(null); |
||||
$uow->recomputeSingleEntityChangeSet($expiredUserMeta, $expiredUser); |
||||
|
||||
if (!$entity->isPrimary()) { |
||||
$primaryAddress = $entity->getUser()->getPrimaryEmailAddress(); |
||||
if ($primaryAddress->isVerified()) |
||||
return; |
||||
|
||||
$this->logger->info('An email address has been verified, but the primary email address has not been verified. Switching primary email address to the verified email address.', [ |
||||
'user' => $entity->getUser(), |
||||
'old_primary_address' => $primaryAddress, |
||||
'verified_address' => $entity |
||||
]); |
||||
|
||||
$emailAddressMeta = $em->getMetadataFactory()->getMetadataFor(EmailAddress::class); |
||||
|
||||
$primaryAddress->setPrimary(false); |
||||
$uow->recomputeSingleEntityChangeSet($emailAddressMeta, $primaryAddress); |
||||
$entity->setPrimary(true); |
||||
$uow->recomputeSingleEntityChangeSet($emailAddressMeta, $entity); |
||||
} |
||||
} |
||||
} |
||||
} |
||||
Reference in new issue