src/Listener/JWTListener.php line 50

Open in your IDE?
  1. <?php
  3. namespace App\Listener;
  5. use App\Entity\User;
  6. use App\Manager\UserRightsManagerInterface;
  7. use App\Model\Permissions\AreaRights;
  8. use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTCreatedEvent;
  9. use Psr\Log\LoggerInterface;
  10. use RuntimeException;
  11. use Symfony\Component\Security\Core\User\UserInterface;
  13. class JWTListener
  14. {
  15.     /**
  16.      * @var UserRightsManagerInterface
  17.      */
  18.     protected $rightsManager;
  20.     /**
  21.      * @var LoggerInterface
  22.      */
  23.     protected $logger;
  25.     /**
  26.      * JWTListener constructor.
  27.      *
  28.      * @param UserRightsManagerInterface $rightsManager
  29.      * @param LoggerInterface            $logger
  30.      */
  31.     public function __construct(
  32.         UserRightsManagerInterface $rightsManager,
  33.         LoggerInterface $logger
  34.     ) {
  35.         $this->rightsManager $rightsManager;
  36.         $this->logger        $logger;
  37.     }
  39.     public const TOKEN_TTL 3600// one hour
  41.     /**
  42.      * Hook for when JWT is created: let's customize the payload.
  43.      *
  44.      * @see https://github.com/lexik/LexikJWTAuthenticationBundle/blob/master/Resources/doc/2-data-customization.md
  45.      *
  46.      * @param JWTCreatedEvent $event
  47.      *
  48.      * @return void
  49.      */
  50.     public function onJWTCreated(JWTCreatedEvent $event)
  51.     {
  52.         $eventUser $event->getUser();
  53.         $payload   $event->getData();
  55.         // Authentication
  56.         $payload['id']           = $eventUser->getId(); //uidNumber
  57.         $payload['email']        = $eventUser->getEmail(); //uid
  58.         $payload['firstName']    = $eventUser->getFirstName(); //givenName
  59.         $payload['lastName']     = $eventUser->getLastName(); //sn
  60.         $payload['ldapUuid']     = $eventUser->getLdapUuid(); //ldapUuid
  61.         $payload['phone']        = $eventUser->getPhone(); //telephonenumber
  62.         $payload['mobilePhone']  = $eventUser->getMobilePhone(); // mobile
  63.         $payload['organisation'] = $eventUser->getOrganisation(); // o
  65.         // Authorizations
  66.         $payload['roles'] = array_merge($this->getRoles($eventUser), $eventUser->getRoles());
  67.         $areas            $this->getAreas($eventUser);
  68.         $payload['areas'] = $areas->toJson();
  70.         $event->setData($payload);
  71.     }
  73.     /**
  74.      * Defines set of role for User.
  75.      *
  76.      * @param UserInterface $user
  77.      *
  78.      * @return array
  79.      *
  80.      * @throws RuntimeException When user has an illegal type
  81.      */
  82.     protected function getRoles(UserInterface $user): array
  83.     {
  84.         switch ($user->getType()) {
  85.             case User::TYPE_SAML:
  86.             case User::TYPE_PUBLIK_SSO_POLE_MANAGER:
  87.                 return $this->getSamlRights($user);
  88.             case User::TYPE_PUBLIK_SSO:
  89.                 // Roles set by entrypoint, no need to recalculate them.
  90.                 return $user->getRoles();
  91.             default:
  92.                 $this->logger->critical(
  93.                     '[JWTCreated] User with type {type} is not eligible to role computation!',
  94.                     [
  95.                         'type'  => $user->getType(),
  96.                         'email' => $user->getEmail(),
  97.                     ]
  98.                 );
  99.                 throw new RuntimeException('Invalid user type');
  100.         }
  101.     }
  103.     /**
  104.      * Defines set of areas for User.
  105.      *
  106.      * @param UserInterface $user
  107.      *
  108.      * @return AreaRights
  109.      *
  110.      * @throws RuntimeException When user has an illegal type
  111.      */
  112.     protected function getAreas(UserInterface $user): AreaRights
  113.     {
  114.         switch ($user->getType()) {
  115.             case User::TYPE_SAML:
  116.             case User::TYPE_PUBLIK_SSO_POLE_MANAGER:
  117.                 return $this->getSamlAreas($user);
  118.             case User::TYPE_PUBLIK_SSO:
  119.                 // Areas set by entrypoint, no need to recalculate them.
  120.                 return $user->getAreaRights();
  121.             default:
  122.                 $this->logger->critical(
  123.                     '[JWTCreated] User with type {type} is not eligible to area computation!',
  124.                     [
  125.                         'type'  => $user->getType(),
  126.                         'email' => $user->getEmail(),
  127.                     ]
  128.                 );
  129.                 throw new RuntimeException('Invalid user type');
  130.         }
  131.     }
  133.     /**
  134.      * Calls Heimdall to compute user roles
  135.      *
  136.      * @param User $user
  137.      *
  138.      * @return array
  139.      */
  140.     protected function getSamlRights(User $user): array
  141.     {
  142.         $roles $this->rightsManager->getUserRoles($user);
  144.         $this->logger->info(
  145.             '[JWTCreated] Computing rights for SAML user {email}. Granted: {roles}',
  146.             [
  147.                 'email' => $user->getEmail(),
  148.                 'roles' => json_encode($roles),
  149.             ]
  150.         );
  152.         return $roles;
  153.     }
  155.     /**
  156.      * Calls Heimdall to compute user areas
  157.      *
  158.      * @param UserInterface $user
  159.      *
  160.      * @return AreaRights
  161.      */
  162.     protected function getSamlAreas(UserInterface $user): AreaRights
  163.     {
  164.         $areas $this->rightsManager->getAreaRights($user);
  166.         $this->logger->info(
  167.             '[JWTCreated] Computing rights for SAML user {email}. Granted: {roles}',
  168.             [
  169.                 'email' => $user->getEmail(),
  170.                 'areas' => $areas->toJson(),
  171.             ]
  172.         );
  174.         return $areas;
  175.     }
  176. }