app/Plugin/ApgEnhanceSecurityOfAdmin/Event.php line 137

Open in your IDE?
  1. <?php
  3. namespace Plugin\ApgEnhanceSecurityOfAdmin;
  5. use Doctrine\ORM\EntityManager;
  6. use Doctrine\ORM\EntityManagerInterface;
  7. use Eccube\Application;
  8. use Eccube\Common\EccubeConfig;
  9. use Eccube\Entity\Master\Work;
  10. use Eccube\Entity\Member;
  11. use Eccube\Event\EccubeEvents;
  12. use Eccube\Event\EventArgs;
  13. use Eccube\Event\TemplateEvent;
  14. use Eccube\Repository\MemberRepository;
  15. use Eccube\Request\Context;
  16. use Plugin\ApgEnhanceSecurityOfAdmin\Domain\OnetimeType;
  17. use Plugin\ApgEnhanceSecurityOfAdmin\Entity\ApgLoginHistory;
  18. use Plugin\ApgEnhanceSecurityOfAdmin\Entity\ApgOperationHistory;
  19. use Plugin\ApgEnhanceSecurityOfAdmin\Entity\Config;
  20. use Plugin\ApgEnhanceSecurityOfAdmin\Repository\ConfigRepository;
  21. use Plugin\ApgEnhanceSecurityOfAdmin\Repository\LoginHistoryRepository;
  22. use Plugin\ApgEnhanceSecurityOfAdmin\Repository\OperationHistoryRepository;
  23. use Plugin\ApgEnhanceSecurityOfAdmin\Service\MailService;
  24. use Plugin\ApgEnhanceSecurityOfAdmin\Service\TwoFactorService;
  25. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  26. use Symfony\Component\HttpFoundation\RedirectResponse;
  27. use Symfony\Component\HttpFoundation\Request;
  28. use Symfony\Component\HttpFoundation\RequestStack;
  29. use Symfony\Component\HttpKernel\Event\GetResponseEvent;
  30. use Symfony\Component\HttpKernel\KernelEvents;
  31. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  32. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  33. use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
  34. use Symfony\Component\Security\Core\AuthenticationEvents;
  35. use Symfony\Component\Security\Core\Event\AuthenticationFailureEvent;
  36. use Symfony\Component\Security\Core\Exception\LockedException;
  37. use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
  38. use Symfony\Component\Security\Http\SecurityEvents;
  40. class Event implements EventSubscriberInterface
  41. {
  43.     /**
  44.      * @var EntityManager
  45.      */
  46.     protected $em;
  48.     /** @var Context $requestContext */
  49.     protected $requestContext;
  51.     /** @var EccubeConfig $eccubeConfig */
  52.     protected $eccubeConfig;
  54.     /** @var RequestStack $requestStack */
  55.     protected $requestStack;
  57.     /** @var ConfigRepository $configRepository */
  58.     protected $configRepository;
  60.     /** @var MemberRepository $memberRepository */
  61.     protected $memberRepository;
  63.     /** @var LoginHistoryRepository */
  64.     protected $loginHistoryRepository;
  66.     /** @var OperationHistoryRepository */
  67.     protected $operationHistoryRepository;
  69.     /** @var UrlGeneratorInterface $generator */
  70.     protected $generator;
  72.     /** @var TokenStorageInterface $tokenStorage */
  73.     protected $tokenStorage;
  75.     /** @var MailService */
  76.     protected $mailService;
  78.     /** @var TwoFactorService */
  79.     protected $twoFactorService;
  81.     /** @var \Twig_Environment */
  82.     protected $twig;
  84.     const TEMPLATE_NAMESPACE '@ApgEnhanceSecurityOfAdmin';
  86.     const SESSION_ONETIME_PASSWORD_CODE "apg_onetime_password_code";
  87.     const SESSION_ONETIME_VALID "apg_onetime_valid";
  89.     public function __construct(
  90.         EntityManagerInterface $em
  91.         Context $context
  92.         , \Twig_Environment $twig
  93.         RequestStack $requestStack
  94.         EccubeConfig $eccubeConfig
  95.         ConfigRepository $configRepository
  96.         LoginHistoryRepository $loginHistoryRepository
  97.         MemberRepository $memberRepository
  98.         OperationHistoryRepository $operationRepository
  99.         UrlGeneratorInterface $generator
  100.         TokenStorageInterface $tokenStorage
  101.         MailService $mailService
  102.         TwoFactorService $twoFactorService
  103.     )
  104.     {
  105.         $this->em $em;
  106.         $this->twig $twig;
  107.         $this->requestStack $requestStack;
  108.         $this->eccubeConfig $eccubeConfig;
  109.         $this->requestContext $context;
  110.         $this->configRepository $configRepository;
  111.         $this->loginHistoryRepository $loginHistoryRepository;
  112.         $this->memberRepository $memberRepository;
  113.         $this->operationHistoryRepository $operationRepository;
  114.         $this->generator $generator;
  115.         $this->tokenStorage $tokenStorage;
  116.         $this->mailService $mailService;
  117.         $this->twoFactorService $twoFactorService;
  118.     }
  121.     /**
  122.      * @return array
  123.      */
  124.     public static function getSubscribedEvents()
  125.     {
  126.         return [
  127.             SecurityEvents::INTERACTIVE_LOGIN => 'onInteractiveLogin',
  128.             AuthenticationEvents::AUTHENTICATION_FAILURE => 'onAuthenticationFailure',
  129.             KernelEvents::REQUEST => 'onKernelRequest',
  130.             EccubeEvents::ADMIN_ADMIM_INDEX_COMPLETE => 'onAdminAdminIndexComplete',
  131.             EccubeEvents::ADMIN_SETTING_SYSTEM_MEMBER_EDIT_INITIALIZE => 'onAdminSettingSystemMemberEditInitialize',
  132.             EccubeEvents::ADMIN_ADMIN_CHANGE_PASSWORD_COMPLETE => 'onAdminAdminChangePasswordComplete',
  133.             '@admin/Setting/System/member.twig' => 'onRenderAdminSettingSystemMember',
  134.         ];
  135.     }
  137.     public function onKernelRequest(GetResponseEvent $event)
  138.     {
  140.         $app Application::getInstance();
  141. //        $security = $app->getParentContainer()->get('security');
  143.         if (!$event->isMasterRequest()) {
  144.             return;
  145.         }
  146.         if ($this->requestContext->isAdmin()) {
  147.             $config $this->configRepository->getOrNew();
  148.             /** @var Request $request */
  149.             $request $event->getRequest();
  150.             $requestUrl $request->getRequestUri();
  151.             $loginUrl $this->generator->generate('admin_login');
  152.             $onetimeUrl $this->generator->generate('apg_enhance_security_of_admin_onetime');
  153.             /** @var Member $user */
  154.             $member $this->requestContext->getCurrentUser();
  155.             if (!empty($member)) {
  156.                 if (!empty($config->getUseOperationHistory())) {
  157.                     // 操作ログの保存
  158.                     $operationHistory = new ApgOperationHistory();
  159.                     $operationHistory->setMetaFromServer($request);
  160.                     $operationHistory->setLoginId($member->getLoginId());
  161.                     $operationHistory->setMemberId($member->getId());
  162.                     $operationHistory->setMemberName($member->getName());
  163.                     $operationHistory->setAction($request->getMethod());
  164.                     $this->operationHistoryRepository->save($operationHistory);
  165.                     $this->em->flush();
  166.                 }
  167.             }
  168.             if (!empty($config->getUseOnetime())) {
  169.                 if (
  170.                     strpos($requestUrl$loginUrl) !== 0
  171.                     && strpos($requestUrl$onetimeUrl) !== 0
  172.                 ) {
  173.                     if ($request->getSession()->has(self::SESSION_ONETIME_VALID)) {
  174.                         $pass $request->getSession()->get(self::SESSION_ONETIME_VALID);
  175.                         if (empty($pass)) {
  176.                             $event->setResponse(new RedirectResponse($onetimeUrl));
  177.                         }
  178.                     } else {
  179.                         // ログアウト処理
  180.                         $this->tokenStorage->setToken(null);
  181.                         $request->getSession()->clear();
  182.                         $event->setResponse(new RedirectResponse($loginUrl));
  183.                     }
  184.                 }
  185.             }
  186.         }
  187.     }
  189.     public function onInteractiveLogin(InteractiveLoginEvent $event)
  190.     {
  191.         /** @var Request $request */
  192.         $request $event->getRequest();
  193.         $user $event
  194.             ->getAuthenticationToken()
  195.             ->getUser();
  197.         if ($user instanceof Member) {
  199.             $config $this->configRepository->getOrNew();
  201.             Request::setTrustedProxies(
  202.                 ['192.0.0.1''10.0.0.0/8'],
  203.                 // trust *all* "X-Forwarded-*" headers
  204.                 Request::HEADER_X_FORWARDED_ALL
  205. //            // or, if your proxy instead uses the "Forwarded" header
  206. //             Request::HEADER_FORWARDED
  207.             );
  208.             // @todo ロードバランサー対応(将来?)
  209. //            Request::setTrustedProxies(
  210. //            // trust *all* requests
  211. //                ['127.0.0.1', $request->server->get('REMOTE_ADDR')],
  212. //
  213. //                // if you're using ELB, otherwise use a constant from above
  214. //                Request::HEADER_X_FORWARDED_AWS_ELB
  215. //            );
  217.             $loginHistory $this->loginHistoryRepository->createLoginHistory($request$user);
  218.             if ($loginId $request->get('login_id'null)) {
  219.                 $loginHistory->setInputLoginId($loginId);
  220.             }
  221.             if ($config->isLocked($user)) {
  222.                 // ロックカウントをオーバーしていたら、ログインに成功していても弾く
  223.                 $locked true;
  224.                 $loginHistory->setLocked();
  225.             } else {
  226.                 $locked false;
  227.                 // 2段階認証用のセッションを保存
  228.                 $useOnetime false;
  229.                 if (!empty($config->getUseOnetime())) {
  230.                     if (!empty($user->getUseOnetime())) {
  231.                         $useOnetime true;
  232.                     }
  233.                 }
  234.                 $this->updateFailureCount($config$user0);
  235.                 if (!$useOnetime) {
  236.                     $loginHistory->setSuccess();
  237.                     $request->getSession()->set(self::SESSION_ONETIME_VALIDtrue);
  238.                 } else {
  239.                     $loginHistory->setSuccess();
  240.                     $request->getSession()->set(self::SESSION_ONETIME_VALIDfalse);
  242.                     $targetDate = new \DateTime();
  243.                     $expireTime $config->getOnetimeExpireTime();
  244.                     if (empty($expireTime) || $expireTime 0) {
  245.                         $expireTime 10;   // デフォルト10分
  246.                     }
  247.                     if ($config->getOnetimeType() === OnetimeType::EMAIL) {
  248.                         $aryOnetime $this->twoFactorService->createOnetime($targetDate$expireTime);
  249.                         $this->mailService->sendOnetimePasswordMail($user$aryOnetime['onetime'], $aryOnetime['expireDate']);
  250.                         $request->getSession()->set(self::SESSION_ONETIME_PASSWORD_CODE$aryOnetime);
  251.                     }
  252.                 }
  253.             }
  254.             if (!empty($config->getUseLoginHistory())) {
  255.                 $this->loginHistoryRepository->save($loginHistory);
  256.             }
  257.             $this->em->flush();
  258.             if ($locked) {
  259.                 throw new LockedException();
  260.             }
  261.             if (!$useOnetime) { // 2段階認証利用外のときだけ
  262.                 if (!empty($config->getUseLoginEmail())) {  // ログインメールが有効のときだけ
  263.                     $loginHistory $this->loginHistoryRepository->createLoginHistory($request$user);
  264.                     $this->mailService->sendLoginMail($user$loginHistory);
  266.                 }
  267.             }
  268.             $this->em->flush();
  269.         }
  270.     }
  272.     public function onAuthenticationFailure(AuthenticationFailureEvent $event)
  273.     {
  274.         /** @var UsernamePasswordToken $token */
  275.         $token $event->getAuthenticationToken();
  276.         if ($token->getProviderKey() === 'admin') {
  277.             $locked false;
  278.             $request $this->requestStack->getCurrentRequest();
  279.             $loginHistory = new ApgLoginHistory();
  280.             $loginHistory->setMetaFromServer($request);
  281.             $loginHistory->setFailure();
  282.             if ($loginId $request->get('login_id'null)) {
  283.                 $loginHistory->setInputLoginId($loginId);
  284.                 $user $this->getMember($loginId);
  285.                 if (!empty($user)) {
  286.                     $loginHistory->setMemberId($user->getId());
  287.                     $loginHistory->setMemberName($user->getName());
  288.                     $loginHistory->setMemberEmail($user->getNotifyEmail());
  289.                     $config $this->configRepository->getOrNew();
  290.                     if ($config->isLocked($user)) {
  291.                         // ロックカウントをオーバーしていたら、ロック用のメッセージを出力
  292.                         $locked true;
  293.                         $loginHistory->setLocked();
  294.                     } else {
  295.                         $user $this->updateFailureCount($config$user1);
  296.                         if ($config->isLocked($user)) {
  297.                             // 最初にロックされた段階でメールを飛ばす
  298.                             $this->mailService->sendAccountLockedMail($user$loginHistory);
  300.                         }
  301.                     }
  302.                 }
  303.             }
  304.             $this->loginHistoryRepository->save($loginHistory);
  305.             $this->em->flush();
  306.             if ($locked) {
  307.                 throw new LockedException();
  308.             }
  309.         }
  311.     }
  313.     private function getMember($loginId)
  314.     {
  315.         /** @var Member $member */
  316.         $member $this->memberRepository->findOneBy(['login_id' => $loginId'Work' => Work::ACTIVE]);
  317.         return $member;
  318.     }
  320.     /**
  321.      * @param Member $member
  322.      * @param int $count
  323.      * @return Member
  324.      */
  325.     private function updateFailureCount(Config $configMember $member$count 0)
  326.     {
  327.         if ($count 0) {
  328.             $storedCount $member->getLoginFailureCount();
  329.             if (empty($storedCount) || $config->isFailureExpired($member)) {
  330.                 // 最終ログイン失敗日時が有効期限切れの場合は、失敗回数を0に戻す
  331.                 $storedCount 0;
  332.             }
  333.             $count $storedCount $count;
  334.             $member->setLoginFailureLastDate(new \DateTime());
  335.         } else {
  336.             $count 0;
  337.             $member->setLoginFailureLastDate(null);
  338.         }
  339.         $member->setLoginFailureCount($count);
  340.         $this->em->persist($member);
  341.         return $member;
  342.     }
  345.     public function onAdminAdminIndexComplete(EventArgs $event)
  346.     {
  347.         /** @var Request $request */
  348.         $request $event->getRequest();
  349.         /** @var Member $user */
  350.         $member $this->requestContext->getCurrentUser();
  351.         if (empty($member->getNotifyEmail()) && !$request->isXmlHttpRequest()) {
  352.             $request->getSession()->getFlashBag()->add('eccube.admin.danger''メールアドレスが登録されていません。[登録情報]の[アカウント編集]よりメールアドレスを登録してください。');
  353.         }
  354.     }
  356.     public function onAdminSettingSystemMemberEditInitialize(EventArgs $event)
  357.     {
  359.     }
  361.     public function onAdminAdminChangePasswordComplete(EventArgs $event)
  362.     {
  363.         $config $this->configRepository->get();
  364.         if (!empty($config->getUseEditEmail())) {
  365.             /** @var Request $request */
  366.             $request $event->getRequest();
  368.             /** @var Member $member */
  369.             $member $event->getArgument('Member');
  370.             $operationHistory = new ApgOperationHistory();
  371.             $operationHistory->setMetaFromServer($request);
  372.             $operationHistory->setLoginId($member->getLoginId());
  373.             $this->mailService->sendEditPasswordMail($member$operationHistory);
  374.         }
  375.     }
  377.     public function onRenderAdminSettingSystemMember(TemplateEvent $event)
  378.     {
  379.         $source $event->getSource();
  381.         // data
  382.         $parameters $event->getParameters();
  383.         // setting
  384.         $loader $this->twig->getLoader();
  385.         // header
  386.         $pattern '|<th class="border-top-0 pt-2 pb-2 text-center"></th>|s';
  387.         $addRow '<th class="border-top-0 pt-2 pb-2 text-center">メールアドレス</th><th class="border-top-0 pt-2 pb-2 text-center">2段階認証</th>';
  388.         if (preg_match($pattern$source$matchesPREG_OFFSET_CAPTURE)) {
  389.             $replacement $addRow $matches[0][0];
  390.             $source preg_replace($pattern$replacement$source);
  391.         }
  392.         // data
  393.         $pattern '|{{ Member.Work.name }}(.*?)</td>|s';
  394.         $addRow $this->twig->getLoader()->getSourceContext(self::TEMPLATE_NAMESPACE '/admin/setting_system_member.twig')->getCode();
  395.         if (preg_match($pattern$source$matchesPREG_OFFSET_CAPTURE)) {
  396.             $replacement $matches[0][0] . $addRow;
  397.             $source preg_replace($pattern$replacement$source);
  398.         }
  399.         $event->setSource($source);
  400.         $event->setParameters($parameters);
  402.     }
  404. }