vendor/symfony/security-bundle/DataCollector/SecurityDataCollector.php line 52

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Bundle\SecurityBundle\DataCollector;
  14. use Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener;
  15. use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
  16. use Symfony\Component\HttpFoundation\Request;
  17. use Symfony\Component\HttpFoundation\Response;
  18. use Symfony\Component\HttpKernel\DataCollector\DataCollector;
  19. use Symfony\Component\HttpKernel\DataCollector\LateDataCollectorInterface;
  20. use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
  21. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  22. use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
  23. use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
  24. use Symfony\Component\Security\Core\Authorization\TraceableAccessDecisionManager;
  25. use Symfony\Component\Security\Core\Authorization\Voter\TraceableVoter;
  26. use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
  27. use Symfony\Component\Security\Http\Firewall\SwitchUserListener;
  28. use Symfony\Component\Security\Http\FirewallMapInterface;
  29. use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
  30. use Symfony\Component\VarDumper\Caster\ClassStub;
  31. use Symfony\Component\VarDumper\Cloner\Data;
  33. /**
  34. * @author Fabien Potencier <fabien@symfony.com>
  35. *
  36. * @final
  37. */
  38. class SecurityDataCollector extends DataCollector implements LateDataCollectorInterface
  39. {
  40. private $tokenStorage;
  41. private $roleHierarchy;
  42. private $logoutUrlGenerator;
  43. private $accessDecisionManager;
  44. private $firewallMap;
  45. private $firewall;
  46. private $hasVarDumper;
  47. private $authenticatorManagerEnabled;
  49. public function __construct(?TokenStorageInterface $tokenStorage = null, ?RoleHierarchyInterface $roleHierarchy = null, ?LogoutUrlGenerator $logoutUrlGenerator = null, ?AccessDecisionManagerInterface $accessDecisionManager = null, ?FirewallMapInterface $firewallMap = null, ?TraceableFirewallListener $firewall = null, bool $authenticatorManagerEnabled = false)
  50. {
  51. if (!$authenticatorManagerEnabled) {
  52. trigger_deprecation('symfony/security-bundle', '5.4', 'Setting the $authenticatorManagerEnabled argument of "%s" to "false" is deprecated, use the new authenticator system instead.', __METHOD__);
  53. }
  55. $this->tokenStorage = $tokenStorage;
  56. $this->roleHierarchy = $roleHierarchy;
  57. $this->logoutUrlGenerator = $logoutUrlGenerator;
  58. $this->accessDecisionManager = $accessDecisionManager;
  59. $this->firewallMap = $firewallMap;
  60. $this->firewall = $firewall;
  61. $this->hasVarDumper = class_exists(ClassStub::class);
  62. $this->authenticatorManagerEnabled = $authenticatorManagerEnabled;
  63. }
  65. /**
  66. * {@inheritdoc}
  67. */
  68. public function collect(Request $request, Response $response, ?\Throwable $exception = null)
  69. {
  70. if (null === $this->tokenStorage) {
  71. $this->data = [
  72. 'enabled' => false,
  73. 'authenticated' => false,
  74. 'impersonated' => false,
  75. 'impersonator_user' => null,
  76. 'impersonation_exit_path' => null,
  77. 'token' => null,
  78. 'token_class' => null,
  79. 'logout_url' => null,
  80. 'user' => '',
  81. 'roles' => [],
  82. 'inherited_roles' => [],
  83. 'supports_role_hierarchy' => null !== $this->roleHierarchy,
  84. ];
  85. } elseif (null === $token = $this->tokenStorage->getToken()) {
  86. $this->data = [
  87. 'enabled' => true,
  88. 'authenticated' => false,
  89. 'impersonated' => false,
  90. 'impersonator_user' => null,
  91. 'impersonation_exit_path' => null,
  92. 'token' => null,
  93. 'token_class' => null,
  94. 'logout_url' => null,
  95. 'user' => '',
  96. 'roles' => [],
  97. 'inherited_roles' => [],
  98. 'supports_role_hierarchy' => null !== $this->roleHierarchy,
  99. ];
  100. } else {
  101. $inheritedRoles = [];
  102. $assignedRoles = $token->getRoleNames();
  104. $impersonatorUser = null;
  105. if ($token instanceof SwitchUserToken) {
  106. $originalToken = $token->getOriginalToken();
  107. // @deprecated since Symfony 5.3, change to $originalToken->getUserIdentifier() in 6.0
  108. $impersonatorUser = method_exists($originalToken, 'getUserIdentifier') ? $originalToken->getUserIdentifier() : $originalToken->getUsername();
  109. }
  111. if (null !== $this->roleHierarchy) {
  112. foreach ($this->roleHierarchy->getReachableRoleNames($assignedRoles) as $role) {
  113. if (!\in_array($role, $assignedRoles, true)) {
  114. $inheritedRoles[] = $role;
  115. }
  116. }
  117. }
  119. $logoutUrl = null;
  120. try {
  121. if (null !== $this->logoutUrlGenerator && !$token instanceof AnonymousToken) {
  122. $logoutUrl = $this->logoutUrlGenerator->getLogoutPath();
  123. }
  124. } catch (\Exception $e) {
  125. // fail silently when the logout URL cannot be generated
  126. }
  128. $this->data = [
  129. 'enabled' => true,
  130. 'authenticated' => method_exists($token, 'isAuthenticated') ? $token->isAuthenticated(false) : (bool) $token->getUser(),
  131. 'impersonated' => null !== $impersonatorUser,
  132. 'impersonator_user' => $impersonatorUser,
  133. 'impersonation_exit_path' => null,
  134. 'token' => $token,
  135. 'token_class' => $this->hasVarDumper ? new ClassStub(\get_class($token)) : \get_class($token),
  136. 'logout_url' => $logoutUrl,
  137. // @deprecated since Symfony 5.3, change to $token->getUserIdentifier() in 6.0
  138. 'user' => method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername(),
  139. 'roles' => $assignedRoles,
  140. 'inherited_roles' => array_unique($inheritedRoles),
  141. 'supports_role_hierarchy' => null !== $this->roleHierarchy,
  142. ];
  143. }
  145. // collect voters and access decision manager information
  146. if ($this->accessDecisionManager instanceof TraceableAccessDecisionManager) {
  147. $this->data['voter_strategy'] = $this->accessDecisionManager->getStrategy();
  148. $this->data['voters'] = [];
  150. foreach ($this->accessDecisionManager->getVoters() as $voter) {
  151. if ($voter instanceof TraceableVoter) {
  152. $voter = $voter->getDecoratedVoter();
  153. }
  155. $this->data['voters'][] = $this->hasVarDumper ? new ClassStub(\get_class($voter)) : \get_class($voter);
  156. }
  158. // collect voter details
  159. $decisionLog = $this->accessDecisionManager->getDecisionLog();
  160. foreach ($decisionLog as $key => $log) {
  161. $decisionLog[$key]['voter_details'] = [];
  162. foreach ($log['voterDetails'] as $voterDetail) {
  163. $voterClass = \get_class($voterDetail['voter']);
  164. $classData = $this->hasVarDumper ? new ClassStub($voterClass) : $voterClass;
  165. $decisionLog[$key]['voter_details'][] = [
  166. 'class' => $classData,
  167. 'attributes' => $voterDetail['attributes'], // Only displayed for unanimous strategy
  168. 'vote' => $voterDetail['vote'],
  169. ];
  170. }
  171. unset($decisionLog[$key]['voterDetails']);
  172. }
  174. $this->data['access_decision_log'] = $decisionLog;
  175. } else {
  176. $this->data['access_decision_log'] = [];
  177. $this->data['voter_strategy'] = 'unknown';
  178. $this->data['voters'] = [];
  179. }
  181. // collect firewall context information
  182. $this->data['firewall'] = null;
  183. if ($this->firewallMap instanceof FirewallMap) {
  184. $firewallConfig = $this->firewallMap->getFirewallConfig($request);
  185. if (null !== $firewallConfig) {
  186. $this->data['firewall'] = [
  187. 'name' => $firewallConfig->getName(),
  188. 'allows_anonymous' => $this->authenticatorManagerEnabled ? false : $firewallConfig->allowsAnonymous(),
  189. 'request_matcher' => $firewallConfig->getRequestMatcher(),
  190. 'security_enabled' => $firewallConfig->isSecurityEnabled(),
  191. 'stateless' => $firewallConfig->isStateless(),
  192. 'provider' => $firewallConfig->getProvider(),
  193. 'context' => $firewallConfig->getContext(),
  194. 'entry_point' => $firewallConfig->getEntryPoint(),
  195. 'access_denied_handler' => $firewallConfig->getAccessDeniedHandler(),
  196. 'access_denied_url' => $firewallConfig->getAccessDeniedUrl(),
  197. 'user_checker' => $firewallConfig->getUserChecker(),
  198. ];
  200. // in 6.0, always fill `$this->data['authenticators'] only
  201. if ($this->authenticatorManagerEnabled) {
  202. $this->data['firewall']['authenticators'] = $firewallConfig->getAuthenticators();
  203. } else {
  204. $this->data['firewall']['listeners'] = $firewallConfig->getAuthenticators();
  205. }
  207. // generate exit impersonation path from current request
  208. if ($this->data['impersonated'] && null !== $switchUserConfig = $firewallConfig->getSwitchUser()) {
  209. $exitPath = $request->getRequestUri();
  210. $exitPath .= null === $request->getQueryString() ? '?' : '&';
  211. $exitPath .= sprintf('%s=%s', urlencode($switchUserConfig['parameter']), SwitchUserListener::EXIT_VALUE);
  213. $this->data['impersonation_exit_path'] = $exitPath;
  214. }
  215. }
  216. }
  218. // collect firewall listeners information
  219. $this->data['listeners'] = [];
  220. if ($this->firewall) {
  221. $this->data['listeners'] = $this->firewall->getWrappedListeners();
  222. }
  224. $this->data['authenticator_manager_enabled'] = $this->authenticatorManagerEnabled;
  225. $this->data['authenticators'] = $this->firewall ? $this->firewall->getAuthenticatorsInfo() : [];
  226. }
  228. /**
  229. * {@inheritdoc}
  230. */
  231. public function reset()
  232. {
  233. $this->data = [];
  234. }
  236. public function lateCollect()
  237. {
  238. $this->data = $this->cloneVar($this->data);
  239. }
  241. /**
  242. * Checks if security is enabled.
  243. */
  244. public function isEnabled(): bool
  245. {
  246. return $this->data['enabled'];
  247. }
  249. /**
  250. * Gets the user.
  251. */
  252. public function getUser(): string
  253. {
  254. return $this->data['user'];
  255. }
  257. /**
  258. * Gets the roles of the user.
  259. *
  260. * @return array|Data
  261. */
  262. public function getRoles()
  263. {
  264. return $this->data['roles'];
  265. }
  267. /**
  268. * Gets the inherited roles of the user.
  269. *
  270. * @return array|Data
  271. */
  272. public function getInheritedRoles()
  273. {
  274. return $this->data['inherited_roles'];
  275. }
  277. /**
  278. * Checks if the data contains information about inherited roles. Still the inherited
  279. * roles can be an empty array.
  280. */
  281. public function supportsRoleHierarchy(): bool
  282. {
  283. return $this->data['supports_role_hierarchy'];
  284. }
  286. /**
  287. * Checks if the user is authenticated or not.
  288. */
  289. public function isAuthenticated(): bool
  290. {
  291. return $this->data['authenticated'];
  292. }
  294. public function isImpersonated(): bool
  295. {
  296. return $this->data['impersonated'];
  297. }
  299. public function getImpersonatorUser(): ?string
  300. {
  301. return $this->data['impersonator_user'];
  302. }
  304. public function getImpersonationExitPath(): ?string
  305. {
  306. return $this->data['impersonation_exit_path'];
  307. }
  309. /**
  310. * Get the class name of the security token.
  311. *
  312. * @return string|Data|null
  313. */
  314. public function getTokenClass()
  315. {
  316. return $this->data['token_class'];
  317. }
  319. /**
  320. * Get the full security token class as Data object.
  321. */
  322. public function getToken(): ?Data
  323. {
  324. return $this->data['token'];
  325. }
  327. /**
  328. * Get the logout URL.
  329. */
  330. public function getLogoutUrl(): ?string
  331. {
  332. return $this->data['logout_url'];
  333. }
  335. /**
  336. * Returns the FQCN of the security voters enabled in the application.
  337. *
  338. * @return string[]|Data
  339. */
  340. public function getVoters()
  341. {
  342. return $this->data['voters'];
  343. }
  345. /**
  346. * Returns the strategy configured for the security voters.
  347. */
  348. public function getVoterStrategy(): string
  349. {
  350. return $this->data['voter_strategy'];
  351. }
  353. /**
  354. * Returns the log of the security decisions made by the access decision manager.
  355. *
  356. * @return array|Data
  357. */
  358. public function getAccessDecisionLog()
  359. {
  360. return $this->data['access_decision_log'];
  361. }
  363. /**
  364. * Returns the configuration of the current firewall context.
  365. *
  366. * @return array|Data|null
  367. */
  368. public function getFirewall()
  369. {
  370. return $this->data['firewall'];
  371. }
  373. /**
  374. * @return array|Data
  375. */
  376. public function getListeners()
  377. {
  378. return $this->data['listeners'];
  379. }
  381. /**
  382. * @return array|Data
  383. */
  384. public function getAuthenticators()
  385. {
  386. return $this->data['authenticators'];
  387. }
  389. /**
  390. * {@inheritdoc}
  391. */
  392. public function getName(): string
  393. {
  394. return 'security';
  395. }
  397. public function isAuthenticatorManagerEnabled(): bool
  398. {
  399. return $this->data['authenticator_manager_enabled'];
  400. }
  401. }