< ? php
declare ( strict_types = 1 );
// {{{ License
// This file is part of GNU social - https://www.gnu.org/software/social
//
// GNU social is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// GNU social is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with GNU social. If not, see <http://www.gnu.org/licenses/>.
// }}}
/**
 * Wrapper around Symfony's Security service, for static access
 *
 * @package   GNUsocial
 * @category  Security
 *
 * @author    Hugo Sales <hugo@hsal.es>
 * @copyright 2020-2021 Free Software Foundation, Inc http://www.fsf.org
 * @license   https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
 */
namespace App\Core ;
use App\Entity\LocalUser ;
use App\Util\Common ;
use App\Util\Formatting ;
use BadMethodCallException ;
use Functional as F ;
use Symfony\Component\EventDispatcher\EventSubscriberInterface ;
use Symfony\Component\Security\Core\Security as SymfonySecurity ;
use Symfony\Component\Security\Http\Event\LoginFailureEvent ;
use Symfony\Component\Security\Http\Event\LoginSuccessEvent ;
/**
 * Static facade over Symfony's Security service.
 *
 * Static calls are forwarded to the Symfony\Component\Security\Core\Security
 * instance registered with setHelper(); the class also subscribes to Symfony's
 * login success/failure events and re-dispatches them through Event::handle().
 *
 * @codeCoverageIgnore
 *
 * @mixin SymfonySecurity
 *
 * @method static ?LocalUser getUser() null when nobody is authenticated (Symfony's Security::getUser() is nullable) — check before dereferencing
 */
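class Security implements EventSubscriberInterface
{
    /** Symfony security helper that static calls are forwarded to; registered once via setHelper() */
    private static ?SymfonySecurity $security = null;

    /**
     * Register the Symfony security helper that __callStatic() forwards to.
     *
     * @param ?SymfonySecurity $sec the container's security service (null clears it)
     */
    public static function setHelper(?SymfonySecurity $sec): void
    {
        self::$security = $sec;
    }

    /**
     * Re-dispatch Symfony's LoginSuccessEvent through Event::handle() as
     * 'LoginSuccess'. The event is returned unchanged.
     *
     * NOTE: the method name is misspelled ("Sucess") but it is the name
     * registered in getSubscribedEvents(), so it is kept for compatibility.
     */
    public function loginSucess(LoginSuccessEvent $event): LoginSuccessEvent
    {
        Event::handle('LoginSuccess', [$event]);
        return $event;
    }

    /**
     * Re-dispatch Symfony's LoginFailureEvent through Event::handle() as
     * 'LoginFailure'. The event is returned unchanged.
     *
     * Listeners receive the raw Symfony event, which carries the authentication
     * exception and (depending on the authenticator) the passport built from the
     * submitted credentials — do not log or persist it wholesale.
     */
    public function loginFailure(LoginFailureEvent $event): LoginFailureEvent
    {
        Event::handle('LoginFailure', [$event]);
        return $event;
    }

    /**
     * Symfony event subscriptions: map each login event to its handler above.
     *
     * @return array<class-string, string>
     */
    public static function getSubscribedEvents(): array
    {
        return [
            LoginSuccessEvent::class => 'loginSucess',
            LoginFailureEvent::class => 'loginFailure',
        ];
    }

    /**
     * Harden the running instance. Called once from `index.php`.
     *
     * 1. Trims the process environment: $_ENV keeps only variables whose name
     *    starts with HTTP, APP or CONFIG (minus APP_SECRET); every other variable —
     *    APP_SECRET, DB/mailer DSNs, and unrelated ones such as PATH — is dropped
     *    from $_ENV and unset with putenv(), so a later getenv()/phpinfo()/
     *    var_dump($_ENV) exposes as little as possible.
     *    NOTE(review): $_SERVER is left untouched. Symfony's Dotenv also mirrors
     *    variables into $_SERVER and env placeholders may still be resolved from
     *    there, so secrets remain reachable via $_SERVER; removing them there too
     *    could break the application and is deliberately not done here.
     *    NOTE(review): since PATH is among the variables unset with putenv(), child
     *    processes spawned later inherit an environment without it — confirm this is
     *    acceptable for anything that shells out.
     * 2. Unregisters stream wrappers that are unexpected for most developers and
     *    are attack surface (`file_get_contents('https://...')`, `phar://`, ...).
     *    `phar://` in particular can trigger deserialisation of attacker-controlled
     *    archive metadata when a path reaches any file function, giving code
     *    execution. This is defence in depth, not a boundary: code that already
     *    executes can bring a wrapper back with stream_wrapper_restore(), and
     *    `file://`, `php://` and `glob://` are used elsewhere so they stay enabled.
     */
    public static function harden(): void
    {
        // Partition the environment: keep only application variables, and never
        // keep APP_SECRET once the framework has had the chance to read it.
        $keep = array_filter(
            $_ENV,
            static fn ($_, string|int $key): bool => Formatting::startsWith((string) $key, ['HTTP', 'APP', 'CONFIG']) && $key !== 'APP_SECRET',
            ARRAY_FILTER_USE_BOTH,
        );
        $to_remove = array_diff_key($_ENV, $keep);
        $_ENV      = $keep;
        foreach (array_keys($to_remove) as $key) {
            putenv((string) $key); // a bare name (no '=') unsets the variable for getenv()
        }

        // Only unregister wrappers that are actually registered: the set depends on
        // compiled extensions (ftps needs openssl, compress.zlib needs zlib), and
        // stream_wrapper_unregister() raises a warning for an unknown wrapper, which
        // an error handler that promotes warnings would turn into a boot failure.
        // Making this list configurable would be nice, but harden() runs before
        // general initialisation, so there is no configuration to read yet.
        $registered = stream_get_wrappers();
        foreach (['http', 'https', 'ftp', 'ftps', 'compress.zlib', 'data', 'phar'] as $protocol) {
            if (in_array($protocol, $registered, true)) {
                stream_wrapper_unregister($protocol);
            }
        }
    }

    /**
     * Forward a static call to the registered Symfony security helper.
     *
     * @param string $name method of Symfony\Component\Security\Core\Security
     * @param array  $args positional arguments, passed through unchanged
     *
     * @return mixed whatever the forwarded method returns (e.g. getUser() may be null)
     *
     * @throws \LogicException        if setHelper() has not been called yet
     * @throws BadMethodCallException if the helper has no such method
     */
    public static function __callStatic(string $name, array $args): mixed
    {
        // isset() is false both for null and for an uninitialised typed property, so
        // this yields a clear error instead of a TypeError from method_exists(null).
        if (!isset(self::$security)) {
            throw new \LogicException("Security::{$name} called before Security::setHelper()");
        }
        if (!method_exists(self::$security, $name)) {
            throw new BadMethodCallException("Method Security::{$name} doesn't exist");
        }
        return self::$security->{$name}(...$args);
    }
}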