|
|
|
|
<?php
|
|
|
|
|
/**
|
|
|
|
|
* Authserver, an OAuth2-based single-signon authentication provider written in PHP.
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) $today.date Lars Vierbergen
|
|
|
|
|
*
|
|
|
|
|
* his program is free software: you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU Affero General Public License as
|
|
|
|
|
* published by the Free Software Foundation, either version 3 of the
|
|
|
|
|
* License, or (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU Affero General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU Affero General Public License
|
|
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
|
|
|
|
namespace vierbergenlars\AuthserverOAuthAccountBundle\Security\Core\User;
|
|
|
|
|
|
|
|
|
|
use App\Entity\User;
|
|
|
|
|
use App\Security\User\UserProvider;
|
|
|
|
|
use Doctrine\Common\Persistence\ManagerRegistry;
|
|
|
|
|
use Symfony\Component\Security\Core\User\UserInterface;
|
|
|
|
|
use HWI\Bundle\OAuthBundle\Security\Core\User\OAuthAwareUserProviderInterface;
|
|
|
|
|
use HWI\Bundle\OAuthBundle\Connect\AccountConnectorInterface;
|
|
|
|
|
use HWI\Bundle\OAuthBundle\OAuth\Response\UserResponseInterface;
|
|
|
|
|
use HWI\Bundle\OAuthBundle\Security\Core\Exception\AccountNotLinkedException;
|
|
|
|
|
use vierbergenlars\AuthserverExternalAccountBundle\Entity\ExternalUser;
|
|
|
|
|
use vierbergenlars\AuthserverOAuthAccountBundle\Entity\TemporaryUser;
|
|
|
|
|
|
|
|
|
|
class OAuthUserProvider extends UserProvider implements OAuthAwareUserProviderInterface, AccountConnectorInterface
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*
|
|
|
|
|
* @var ManagerRegistry
|
|
|
|
|
*/
|
|
|
|
|
private $registry;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*
|
|
|
|
|
* @var boolean
|
|
|
|
|
*/
|
|
|
|
|
private $allowRegistrations;
|
|
|
|
|
|
|
|
|
|
public function __construct(ManagerRegistry $registry, $allowRegistrations)
|
|
|
|
|
{
|
|
|
|
|
parent::__construct($registry);
|
|
|
|
|
$this->registry = $registry;
|
|
|
|
|
$this->allowRegistrations = $allowRegistrations;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Loads the user by a given UserResponseInterface object.
|
|
|
|
|
*
|
|
|
|
|
* @param UserResponseInterface $response
|
|
|
|
|
*
|
|
|
|
|
* @return UserInterface
|
|
|
|
|
*
|
|
|
|
|
* @throws AccountNotLinkedException if the provider is not linked to an account
|
|
|
|
|
*/
|
|
|
|
|
public function loadUserByOAuthUserResponse(UserResponseInterface $response)
|
|
|
|
|
{
|
|
|
|
|
try {
|
|
|
|
|
return $this->getExternalAccount($response)->getUser();
|
|
|
|
|
} catch (AccountNotLinkedException $ex) {
|
|
|
|
|
if (!$this->allowRegistrations) {
|
|
|
|
|
throw $ex;
|
|
|
|
|
}
|
|
|
|
|
$user = new TemporaryUser();
|
|
|
|
|
$externalUser = $this->createExternalUser($response);
|
|
|
|
|
$user->setExternalUser($externalUser);
|
|
|
|
|
if ($response->getEmail())
|
|
|
|
|
$user->setEmail($response->getEmail());
|
|
|
|
|
return $user;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private function createExternalUser(UserResponseInterface $response)
|
|
|
|
|
{
|
|
|
|
|
$externalUser = new ExternalUser();
|
|
|
|
|
$externalUser->setProvider('oauth_' . $response->getResourceOwner()
|
|
|
|
|
->getName());
|
|
|
|
|
$externalUser->setProviderRef($response->getUsername());
|
|
|
|
|
$externalUser->setProviderFriendlyName($response->getRealName());
|
|
|
|
|
|
|
|
|
|
return $externalUser;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function connect(UserInterface $user, UserResponseInterface $response)
|
|
|
|
|
{
|
|
|
|
|
if (!$user instanceof User)
|
|
|
|
|
throw new \UnexpectedValueException('User must be instance of ' . User::class . ', got ' . get_class($user));
|
|
|
|
|
try {
|
|
|
|
|
$externalUser = $this->getExternalAccount($response);
|
|
|
|
|
$this->disconnect($externalUser);
|
|
|
|
|
} catch (AccountNotLinkedException $ex) {
|
|
|
|
|
// do nothing
|
|
|
|
|
}
|
|
|
|
|
$externalUser = $this->createExternalUser($response);
|
|
|
|
|
$externalUser->setUser($user);
|
|
|
|
|
$this->getManager()->persist($externalUser);
|
|
|
|
|
$this->getManager()->flush();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function disconnect(ExternalUser $externalUser)
|
|
|
|
|
{
|
|
|
|
|
$this->getManager()->remove($externalUser);
|
|
|
|
|
$this->getManager()->flush();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*
|
|
|
|
|
* @return \Doctrine\Common\Persistence\ObjectRepository
|
|
|
|
|
*/
|
|
|
|
|
private function getRepo()
|
|
|
|
|
{
|
|
|
|
|
return $this->getManager()->getRepository('AuthserverExternalAccountBundle:ExternalUser');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*
|
|
|
|
|
* @return \Doctrine\Common\Persistence\ObjectManager|null
|
|
|
|
|
*/
|
|
|
|
|
private function getManager()
|
|
|
|
|
{
|
|
|
|
|
return $this->registry->getManagerForClass('AuthserverExternalAccountBundle:ExternalUser');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
*
|
|
|
|
|
* @param UserResponseInterface $response
|
|
|
|
|
* @return ExternalUser
|
|
|
|
|
*/
|
|
|
|
|
private function getExternalAccount(UserResponseInterface $response)
|
|
|
|
|
{
|
|
|
|
|
$repo = $this->getRepo();
|
|
|
|
|
|
|
|
|
|
$externalAccount = $repo->findOneBy([
|
|
|
|
|
'provider' => 'oauth_' . $response->getResourceOwner()
|
|
|
|
|
->getName(),
|
|
|
|
|
'provider_ref' => $response->getUsername()
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
if (!$externalAccount) {
|
|
|
|
|
throw new AccountNotLinkedException(sprintf('No external account registered for provider "%s", ref: "%s"', $response->getResourceOwner()->getName(), $response->getUsername()));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $externalAccount;
|
|
|
|
|
}
|
|
|
|
|
}
|
