vendor/elements/azure-auth-bundle/src/Controller/AuthController.php line 23

Open in your IDE?
  1. <?php
  3. namespace Elements\Bundle\AzureAuthBundle\Controller;
  5. use Elements\Bundle\AzureAuthBundle\DependencyInjection\ElementsAzureAuthExtension;
  6. use Elements\Bundle\AzureAuthBundle\Service\RestrictionService;
  7. use Pimcore\Model\User;
  8. use Pimcore\File;
  9. use Pimcore\Model\WebsiteSetting;
  10. use Pimcore\Tool;
  11. use Psr\Log\LoggerAwareInterface;
  12. use Psr\Log\LoggerAwareTrait;
  13. use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
  14. use Symfony\Component\HttpFoundation\Request;
  15. use Exception;
  16. use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBagInterface;
  17. use Symfony\Component\HttpFoundation\Session\SessionBagInterface;
  18. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  19. use TheNetworg\OAuth2\Client\Provider\Azure as AzureProvider;
  20. use TheNetworg\OAuth2\Client\Token\AccessToken as AzureAccessToken;
  23. class AuthController extends AbstractController implements LoggerAwareInterface
  24. {
  25.     use LoggerAwareTrait;
  28.     public function endpointAction(Request $requestRestrictionService $restrictionService) {
  30.         if (!$restrictionService->checkIpAddresses($request->getClientIp())) {
  31.             throw new AccessDeniedException();
  32.         }
  34.         $session $request->getSession();
  36.         /** @var SessionBagInterface $sessionBag */
  37.         $sessionBag $session->getBag('azure_auth');
  39.         $provider = new AzureProvider([
  40.             'clientId'                  => $this->getParameter('elements.azure_auth.clientId'),
  41.             'clientSecret'              => $this->getParameter('elements.azure_auth.clientSecret'),
  42.             'redirectUri'               => $this->getRedirectUrl($request),
  43.             'tenant'                    => $this->getParameter('elements.azure_auth.tenant'),
  44.             'defaultEndPointVersion'    => '2.0'
  45.         ]);
  47.         // Set to use v2 API, skip the line or set the value to Azure::ENDPOINT_VERSION_1_0 if willing to use v1 API
  48.         $provider->defaultEndPointVersion \TheNetworg\OAuth2\Client\Provider\Azure::ENDPOINT_VERSION_2_0;
  50.         $baseGraphUri $provider->getRootMicrosoftGraphUri(null);
  52.         $provider->scope 'openid ' $baseGraphUri '/User.Read';
  55.         if (isset($_GET['code']) && $sessionBag->has('OAuth2.state') && isset($_GET['state'])) {
  56.             if ($_GET['state'] == $sessionBag->get('OAuth2.state')) {
  58.                 $sessionBag->remove('OAuth2.state');
  60.                 // Try to get an access token (using the authorization code grant)
  61.                 /** @var AzureAccessToken $token */
  62.                 $token $provider->getAccessToken('authorization_code', [
  63.                     'scope' => $provider->scope,
  64.                     'code' => $_GET['code'],
  65.                     'response_type' => 'code id_token',
  66.                 ]);
  68.                 try {
  70.                     $data $this->consolidateData($provider$token);
  71.                     $email $data['mail'];
  73.                     $isDomainPermitted false;
  74.                     if (isset($email)) {
  75.                         foreach ($this->getParameter(ElementsAzureAuthExtension::PERMITTED_DOMAINS) as $domain) {
  76.                             if (str_ends_with($email$domain)) {
  77.                                 $isDomainPermitted true;
  78.                                 break;
  79.                             }
  80.                         }
  81.                     }
  83.                     if(isset($email) && $isDomainPermitted) {
  84.                         $sessionBag->set('azureUser'$data);
  85.                         $sessionBag->set('azureAccessToken'$token);
  87.                         if ($this->getParameter(ElementsAzureAuthExtension::CHECK_USER_LOGIN_PERMISSION) == true) {
  88.                             if (WebsiteSetting::getByName('AzureLoginPreselect') instanceof WebsiteSetting){
  89.                                 $allowArray explode(',', (WebsiteSetting::getByName('AzureLoginPreselect')->getData() ?? ''));
  90.                                 if (!in_array($data['userPrincipalName'], $allowArray)) {
  91.                                     $sessionBag->clear();
  92.                                     return $this->redirect("/admin");
  93.                                 }
  94.                             }
  95.                         }
  98.                         $user $this->loadUser($data,$provider$token);
  99.                         if($user instanceof User && $user->getId() && $user->isActive()) {
  101.                             Tool\Session::useSession(function (AttributeBagInterface $adminSession) use ($user) {
  102.                                 $adminSession->set('user'$user);
  103.                                 Tool\Session::regenerateId();
  104.                             });
  105.                             return $this->redirect("/admin");
  106.                         } else {
  107.                             $message sprintf("User with email %s doesn't exist ... Sorry!"$email);
  108.                             $this->logger->error($message);
  109.                             throw new \Exception($message);
  110.                         }
  111.                     } else {
  112.                         $message sprintf("%s it seems that your email domain is currently not permitted ... Sorry!"$email);
  113.                         $this->logger->error($message);
  114.                         throw new \Exception($message);
  115.                     }
  116.                 } catch (Exception $e) {
  118.                     // Failed to get user details
  119.                     //exit('Oh dear...');
  120.                     $this->logger->error($e->getMessage());
  121.                     throw $e;
  122.                 }
  124.             } else {
  125.                 $message 'Invalid state';
  126.                 $this->logger->error($message);
  127.                 echo $message;
  128.                 exit;
  129.             }
  131.         } else {
  133.             $authorizationUrl $provider->getAuthorizationUrl(['scope' => $provider->scope]);
  134.             $sessionBag->set('OAuth2.state'$provider->getState());
  136.             return $this->redirect($authorizationUrl);
  137.         }
  141.     }
  143.     /**
  144.      * @param User $user
  145.      * @param AzureProvider $provider
  146.      * @param AzureAccessToken $token
  147.      * @return void
  148.      */
  149.     private function updateUserImage(User $userAzureProvider $providerAzureAccessToken $token)
  150.     {
  151.         try{
  152.             $photo $provider->get($provider->getRootMicrosoftGraphUri($token) . '/v1.0/me/photo/$value'$token);
  153.             if($photo){
  154.                 $tmpFile PIMCORE_SYSTEM_TEMP_DIRECTORY '/azure-image-download-' $user->getId() . ".jpg";
  155.                 File::put($tmpFile$photo);
  156.                 $user->setImage($tmpFile);
  157.                 $user->save();
  158.                 unlink($tmpFile);
  159.             }
  160.         } catch (\Exception $e){
  161.             $this->logger->error($e->getMessage());
  162.         }
  163.     }
  165.     /**
  166.      * @param AzureProvider $provider
  167.      * @param AzureAccessToken $token
  168.      * @return array|mixed|string
  169.      */
  170.     private function consolidateData(AzureProvider $providerAzureAccessToken $token)
  171.     {
  172.         $data $provider->get($provider->getRootMicrosoftGraphUri($token) . '/v1.0/me'$token);
  173.         $additionalData $provider->get($provider->getRootMicrosoftGraphUri($token) . '/v1.0/users/' $data['id'] . '?$select=onPremisesSamAccountName'$token);
  174.         $data['userPrincipalName'] = strtolower($data['userPrincipalName']);
  175.         $data['mail'] = strtolower($data['mail']);
  176.         $data['onPremisesSamAccountName'] = $additionalData['onPremisesSamAccountName'];
  178.         return $data;
  179.     }
  181.     /**
  182.      * @param array $data
  183.      * @return User
  184.      * @throws Exception
  185.      */
  186.     protected function loadUser(array $dataAzureProvider $providerAzureAccessToken $token)
  187.     {
  189.         $email $data['mail'] ?? $data['userPrincipalName'];
  191.         /** @var User $user */
  192.         $user User::getByName($email);
  194.         // rewrite user to email address
  195.         if (!$user) {
  196.             $user $this->rewriteEmail($data);
  197.         }
  199.         // check if user exists, if not create one
  200.         if (!$user) {
  201.             $user $this->createUser($data$provider$token);
  202.         }
  204.         // temp.
  205.         if (!$user->isAdmin() && $this->getParameter(ElementsAzureAuthExtension::CREATE_USER_AS_ADMIN) == true) {
  206.             $user->setAdmin(true);
  207.             $user->save();
  208.         }
  210.         if (!$user->isActive()) {
  211.             $user->setActive(true);
  212.         }
  214.         if(method_exists($user'setLastLogin')) {
  215.             $user->setLastLogin(time());
  216.         }
  217.         $user->save();
  219.         return $user;
  220.     }
  222.     /**
  223.      * @param array $data
  224.      * @param AzureProvider $provider
  225.      * @param AzureAccessToken $token
  226.      * @return User
  227.      * @throws Exception
  228.      */
  229.     protected function createUser(array $dataAzureProvider $providerAzureAccessToken $token)
  230.     {
  232.         $email $data['mail'] ?? $data['userPrincipalName'];
  233.         if (str_contains($email'@')) {
  234.             $domain explode('@'$email)[1]; // elements.at or any other company domain
  235.         } else {
  236.             $domain 'elements.at';
  237.         }
  239.         $folder User\Folder::getByName($domain);
  240.         if (!$folder) {
  241.             $folder = new User\Folder();
  242.             $folder->setName($domain);
  243.             $folder->setParentId(0);
  244.             $folder->save();
  245.         }
  247.         $user = new User;
  248.         $user->setParentId($folder->getId());
  249.         $user->setName($email);
  250.         $user->setActive(true);
  252.         if($isAdmin $this->getParameter(ElementsAzureAuthExtension::CREATE_USER_AS_ADMIN)) {
  253.             $user->setAdmin($isAdmin);
  254.         }
  256.         if($roleNames $this->getParameter(ElementsAzureAuthExtension::CREATE_USER_WITH_ROLES)) {
  257.             $rolesIds = [];
  259.             foreach ($roleNames as $roleName) {
  260.                 $role User\Role::getByName($roleName);
  261.                 if($role) {
  262.                     $rolesIds[] = $role->getId();
  263.                 }
  264.             }
  266.             $user->setRoles($rolesIds);
  267.         }
  270.         $user->setFirstname($data['givenName']);
  271.         $user->setLastname($data['surname']);
  272.         $user->setEmail($email);
  273.         $user->setPassword($data['id'] . microtime(true) . uniqid());
  274.         $user->save();
  276.         $this->updateUserImage($user$provider$token);
  278.         return $user;
  279.     }
  281.     /**
  282.      * @param array $data
  283.      * @return User|null
  284.      * @throws Exception
  285.      */
  286.     private function rewriteEmail(array $data)
  287.     {
  288.         if (!isset($data['onPremisesSamAccountName'])) {
  289.             return null;
  290.         }
  291.         // fetch user with old name
  292.         $user User::getByName($data['onPremisesSamAccountName']);
  293.         if($user){
  294.             // rewrite
  295.             $email $data['mail'] ?? $data['userPrincipalName'];
  296.             $user->setName($email);
  297.             $user->save();
  298.         }
  299.         return $user;
  300.     }
  302.     private function getRedirectUrl(Request $request)
  303.     {
  304.         $redirectUri 'https://' $request->getHttpHost() . $request->getPathInfo();
  305.         if(strpos($request->headers->get('x-original-host'), '.expose.eledevs.com') == true || strpos($request->headers->get('x-original-host'), '.expose.vdevs.at') == true) {
  306.             $redirectUri str_replace(':8080''''https://' $request->headers->get('x-original-host')) . $request->getPathInfo();
  307.         }
  309.         return $redirectUri;
  310.     }
  311. }