src/Controller/SecurityController.php line 171

  1. <?php
  3. namespace App\Controller;
  5. use App\DTO\AzureApplicationInterface;
  6. use App\Enum\LoginErrorEnum;
  7. use App\Event\Admin\AdminLoginFailureEvent;
  8. use App\Exception\EmailDomainNotAuthorizedForSsoAdminException;
  9. use App\Exception\UnsupportedSsoAdminEntityException;
  10. use App\Utility\SsoAdminFactory;
  11. use Composer\CaBundle\CaBundle;
  12. use GuzzleHttp\Client;
  13. use GuzzleHttp\RequestOptions;
  14. use League\OAuth2\Client\Token\AccessToken;
  15. use LogicException;
  16. use Psr\Log\LoggerInterface;
  17. use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
  18. use Symfony\Component\Filesystem\Path;
  19. use Symfony\Component\HttpFoundation\Request;
  20. use Symfony\Component\HttpFoundation\Response;
  21. use Symfony\Component\Routing\Annotation\Route;
  22. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  23. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  24. use TheNetworg\OAuth2\Client\Provider\Azure;
  25. use TheNetworg\OAuth2\Client\Provider\AzureResourceOwner;
  27. class SecurityController extends AbstractController
  28. {
  29.     public function __construct(
  30.         private readonly EventDispatcherInterface $dispatcher,
  31.         private readonly SsoAdminFactory $ssoAdminFactory,
  32.         private readonly LoggerInterface $logger,
  33.     ) {
  34.     }
  36.     private function getProvider(string $email): Azure
  37.     {
  38.         $this->logger->debug('Looking for provider by email', ['email' => $email]);
  39.         $foundSsoAdminApplication $this->ssoAdminFactory->getSsoAdminApplication($email);
  41.         if (!$foundSsoAdminApplication) {
  42.             $this->logger->error('Could not find an SSO admin application with the supplied email address', ['email' => $email]);
  43.             throw new EmailDomainNotAuthorizedForSsoAdminException();
  44.         }
  46.         if (!$foundSsoAdminApplication instanceof AzureApplicationInterface) {
  47.             $this->logger->error('The system only supports Azure applications current', ['email' => $email'application' => $foundSsoAdminApplication]);
  48.             throw new UnsupportedSsoAdminEntityException();
  49.         }
  51.         $this->logger->debug('Found a provider', ['email' => $email]);
  53.         $httpClient = new Client([
  54.             'headers' => [
  55.                 'User-Agent' => 'AANA.com Admin SSO',
  56.             ],
  57.             RequestOptions::VERIFY => Path::canonicalize(CaBundle::getSystemCaRootBundlePath()),
  58.         ]);
  60.         return new Azure(
  61.             [
  62.                 'clientId' => $foundSsoAdminApplication->getClientId(),
  63.                 'clientSecret' => $foundSsoAdminApplication->getClientSecret(),
  64.                 'redirectUri' => $this->generateUrl('app_login_azure_redirect'referenceTypeUrlGeneratorInterface::ABSOLUTE_URL),
  65.                 'tenant' => $foundSsoAdminApplication->getTenantId(),
  66.                 'scopes' => ['openid'],
  67.                 'defaultEndPointVersion' => '2.0',
  68.             ],
  69.             [
  70.                 'httpClient' => $httpClient,
  71.             ]
  72.         );
  73.     }
  75.     private function tryGetLoginPostEmail(Request $request): ?string
  76.     {
  77.         if (!$request->isMethod('POST')) {
  78.             return null;
  79.         }
  81.         $email mb_strtolower(trim($request->get('email''')));
  82.         if (!$email) {
  83.             $this->addFlash('error''Please enter a username');
  85.             return null;
  86.         }
  88.         $emailParts explode('@'$email);
  89.         if (!== count($emailParts)) {
  90.             $this->addFlash('error''Invalid username');
  92.             $this->logger->info('Invalid username', ['email' => $email]);
  93.             $this->dispatcher->dispatch(new AdminLoginFailureEvent($email));
  95.             return null;
  96.         }
  98.         return $email;
  99.     }
  101.     #[Route(path'/login_azure_redirect'name'app_login_azure_redirect')]
  102.     public function login_azure_redirect(Request $request): Response
  103.     {
  104.         $email $request->getSession()->get('aana.email');
  106.         $this->logger->debug('Azure SSO redirect', ['email' => $email]);
  108.         try {
  109.             $provider $this->getProvider($email);
  110.         } catch (EmailDomainNotAuthorizedForSsoAdminException|UnsupportedSsoAdminEntityException $e) {
  111.             $this->addFlash('error''The supplied credentials are not valid on this site');
  113.             $this->logger->warning('Supplied email does not have have an admin SSO provider', ['email' => $email]);
  115.             return $this->redirectToRoute('app_login');
  116.         }
  118.         $request->getSession()->remove('OAuth2.state');
  120.         $accessToken $provider->getAccessToken('authorization_code', [
  121.             'code' => $_GET['code'],
  122.         ]);
  124.         $this->logger->debug('SSO token received from provider', ['token' => $accessToken]);
  126.         if (!$accessToken instanceof AccessToken) {
  127.             $this->logger->error('Invalid SSO token');
  128.             throw new \RuntimeException('Invalid token type');
  129.         }
  131.         /** @var AzureResourceOwner $resourceOwner */
  132.         $resourceOwner $provider->getResourceOwner($accessToken);
  134.         $this->logger->debug('Found resource owner', ['resourceOwner' => $resourceOwner->toArray()]);
  136.         $request->getSession()->set('azure'$resourceOwner);
  138. //        $this->dispatcher->dispatch(new AdminLoginSuccessEvent($resourceOwner->claim('email')));
  140.         return $this->redirectToRoute('admin_dashboard');
  141.     }
  143.     #[Route(path'/login_azure'name'app_login_azure')]
  144.     public function login_azure(Request $request): Response
  145.     {
  146.         $knownEmailAddress $this->tryGetLoginPostEmail($request);
  148.         try {
  149.             $provider $this->getProvider($knownEmailAddress);
  150.         } catch (EmailDomainNotAuthorizedForSsoAdminException|UnsupportedSsoAdminEntityException $e) {
  151.             $this->addFlash('error''The supplied credentials are not valid on this site');
  153.             return $this->redirectToRoute('app_login');
  154.         }
  156.         // Set to use v2 API, skip the line or set the value to Azure::ENDPOINT_VERSION_1_0 if willing to use v1 API
  157.         $provider->defaultEndPointVersion Azure::ENDPOINT_VERSION_2_0;
  159.         $baseGraphUri $provider->getRootMicrosoftGraphUri(null);
  160.         $provider->scope 'openid profile email offline_access '.$baseGraphUri.'/User.Read';
  162.         $authorizationUrl $provider->getAuthorizationUrl(['scope' => $provider->scope'login_hint' => $knownEmailAddress]);
  164.         $request->getSession()->set('aana.email'$knownEmailAddress);
  165.         $request->getSession()->set('OAuth2.state'$provider->getState());
  167.         return $this->redirect($authorizationUrl);
  168.     }
  170.     #[Route(path'/login'name'app_login')]
  171.     public function login(): Response
  172.     {
  173.         return $this->render(
  174.             'security/login.html.twig',
  175.             [
  176.                 'formAction' => 'app_login_azure',
  177.             ]
  178.         );
  179.     }
  181.     #[Route(path'/login-error/{id}'name'app_login_error')]
  182.     public function login_error(int $id): Response
  183.     {
  184.         $message = match (LoginErrorEnum::tryFrom($id)) {
  185.             LoginErrorEnum::NotLocal => 'The supplied user does not have permission to access this site',
  186.             default => 'An unknown error occurred while attempting to sign the user on',
  187.         };
  189.         $this->addFlash('error'$message);
  191.         return $this->redirectToRoute('app_login');
  192.     }
  194.     #[Route(path'/logout'name'app_logout')]
  195.     public function logout(): void
  196.     {
  197.         throw new LogicException('This method can be blank - it will be intercepted by the logout key on your firewall.');
  198.     }
  199. }