src/EventSubscriber/SecurityEventSubscriber.php line 236

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\EventSubscriber;
  5. use DateTime;
  6. use DeviceDetector\DeviceDetector;
  7. use Doctrine\ORM\EntityManagerInterface;
  8. use GeoIp2\Database\Reader;
  9. use MedBrief\MSR\Entity\AuditRecord\User as UserAuditRecord;
  10. use MedBrief\MSR\Entity\Firm;
  11. use MedBrief\MSR\Entity\User;
  12. use MedBrief\MSR\Entity\UserLogin;
  13. use MedBrief\MSR\Event\AuditRecordEvent;
  14. use MedBrief\MSR\Factory\AuditRecordEventFactory;
  15. use MedBrief\MSR\Factory\AuditRecordFactory;
  16. use MedBrief\MSR\Security\Exception\GenericOAuthException;
  17. use MedBrief\MSR\Service\EntityHelper\UserHelper;
  18. use MedBrief\MSR\Service\Notification\Generators\UserLoginNotification;
  19. use Override;
  20. use Ramsey\Uuid\Uuid;
  22. use function Sentry\captureException;
  24. use Symfony\Component\EventDispatcher\EventDispatcherInterface;
  26. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  27. use Symfony\Component\HttpFoundation\Cookie;
  28. use Symfony\Component\HttpFoundation\RequestStack;
  29. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  30. use Symfony\Component\HttpKernel\KernelEvents;
  31. use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
  32. use Symfony\Component\Security\Core\AuthenticationEvents;
  33. use Symfony\Component\Security\Core\Event\AuthenticationFailureEvent;
  34. use Symfony\Component\Security\Core\User\UserInterface;
  36. use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
  37. use Symfony\Component\Security\Http\Event\SwitchUserEvent;
  38. use Symfony\Component\Security\Http\SecurityEvents;
  39. use Throwable;
  41. class SecurityEventSubscriber implements EventSubscriberInterface
  42. {
  43. public const LOGIN_NEW_IP = 'ip';
  44. public const LOGIN_NEW_DEVICE = 'device';
  46. public function __construct(protected EntityManagerInterface $entityManager, protected Reader $reader, protected UserLoginNotification $loginNotificationGenerator, protected UserHelper $userHelper, protected RequestStack $request, protected EventDispatcherInterface $eventDispatcher)
  47. {
  48. }
  50. /**
  51. * @inheritDoc
  52. */
  53. #[Override]
  54. public static function getSubscribedEvents(): array
  55. {
  56. return [
  57. LoginSuccessEvent::class => [
  58. ['logUserLogin', 0],
  59. ],
  60. SecurityEvents::SWITCH_USER => [
  61. ['logUserSimulation', 0],
  62. ],
  63. AuthenticationEvents::AUTHENTICATION_FAILURE => [
  64. ['logFailedUserLogin', 0],
  65. ],
  66. KernelEvents::RESPONSE => [
  67. ['setDeviceId', 50],
  68. ],
  69. ];
  70. }
  72. /**
  73. *
  74. *
  75. *
  76. * @param AuthenticationFailureEvent $event
  77. *
  78. * @throws \Exception
  79. */
  80. public function logFailedUserLogin(AuthenticationFailureEvent $event): void
  81. {
  82. // Because OAuth exceptions cannot be traced to a specific user, skip them
  83. if (!$event->getAuthenticationException() instanceof GenericOAuthException) {
  84. // Grab the user account that the failure was logged for
  85. $email = $this->request->getMasterRequest()->get('username');
  86. $user = $this->entityManager->getRepository(User::class)
  87. ->findOneBy(['email' => $email])
  88. ;
  90. // If we actually have a user
  91. if ($user instanceof UserInterface) {
  92. // Grab the user's IP address
  93. $ipAddress = $this->request->getMasterRequest()->getClientIp();
  94. // Grab the user's browser
  95. $dd = new DeviceDetector($this->request->getMasterRequest()->headers->get('User-Agent'));
  96. $dd->parse();
  97. $browser = $dd->getClient();
  98. $os = $dd->getOs();
  99. // Get the user's location
  100. try {
  101. $record = $this->reader->city($ipAddress);
  102. // City, County/State, Country
  103. $location = sprintf('%s, %s, %s', $record->city->name, $record->mostSpecificSubdivision->name, $record->country->name);
  104. } catch (Throwable $exception) {
  105. captureException($exception);
  106. $location = 'Unknown Location';
  107. }
  109. // Create a UserLogin object
  110. $login = new UserLogin($user, $ipAddress, $browser, $os, $location, false);
  112. $this->entityManager->persist($login);
  113. $this->entityManager->flush();
  114. }
  115. }
  116. }
  118. /**
  119. * Logs a user's login (login success event) and persists the details to the database to ensure an auditable track
  120. * of IP addresses they accessed from as well as what platform and browser, including emailing users when a new
  121. * login is detected.
  122. *
  123. *
  124. *
  125. * @todo: Correctly log DocSorter logins rather than bypassing them
  126. *
  127. * @param LoginSuccessEvent $loginEvent
  128. *
  129. * @throws \Exception
  130. */
  131. public function logUserLogin(LoginSuccessEvent $loginEvent): void
  132. {
  133. // Grab the path and make sure we are not doing this check on anything but login events
  134. $path = $loginEvent->getRequest()->getRequestUri();
  135. // Putting this logic back for now, until we have time to prevent the interactive login happening on every DocSorter request.
  136. if (preg_match("/^\/api\/sort\/(?!login).*$/", $path)) {
  137. return;
  138. }
  140. // Grab the User
  141. /** @var User $user */
  142. $user = $loginEvent->getUser();
  144. if ($user instanceof Firm) {
  145. // Firms do not get logged here (at the moment)
  146. return;
  147. }
  149. // Grab the device identifier cookie, if it exists
  150. $deviceId = $loginEvent->getRequest()->cookies->get('msr_dev_id');
  151. if ($deviceId !== null) {
  152. $deviceId = Uuid::fromString($deviceId);
  153. }
  155. // Grab the user's IP address
  156. $ipAddress = $loginEvent->getRequest()->getClientIp();
  158. // Grab the user's browser
  159. $dd = new DeviceDetector($loginEvent->getRequest()->headers->get('User-Agent'));
  160. $dd->parse();
  161. $browser = $dd->getClient();
  162. $os = $dd->getOs();
  164. // Get the user's location
  165. try {
  166. $record = $this->reader->city($ipAddress);
  167. // City, County/State, Country
  168. $location = sprintf('%s, %s, %s', $record->city->name, $record->mostSpecificSubdivision->name, $record->country->name);
  169. } catch (Throwable $exception) {
  170. captureException($exception);
  171. $location = 'Unknown Location';
  172. }
  174. // Create a UserLogin object
  175. $login = new UserLogin($user, $ipAddress, $browser, $os, $location, true, $deviceId);
  177. // Set the device ID in the attributes to persist it to cookies
  178. $loginEvent->getRequest()->attributes->set('msr_dev_id', $login->getDevice()->toString());
  180. // First time user has logged in. Set firstLoginDate
  181. if ($user->getFirstLoginDate() === null) {
  182. $user->setFirstLoginDate(new DateTime('NOW'));
  183. }
  185. // Set the last login date for the user as well
  186. $user->setLastLogin(new DateTime('NOW'));
  188. // This user has never logged in before or we can't match so...
  189. // Register this login
  190. $this->entityManager->persist($user);
  191. $this->entityManager->persist($login);
  192. $this->entityManager->flush();
  194. // ... and email the user
  195. // @TODO: This caused issues with clients who were spammed.
  196. // $this->sendAlertNotification($login, self::LOGIN_NEW_DEVICE);
  197. }
  199. /**
  200. * Logs the simulation of users
  201. *
  202. * @param SwitchUserEvent $event
  203. */
  204. public function logUserSimulation(SwitchUserEvent $event): void
  205. {
  206. $token = $event->getToken();
  208. if ($token instanceof SwitchUserToken) {
  209. $user = $event->getToken()->getOriginalToken()->getUser();
  210. $targetUser = $event->getTargetUser();
  211. $verb = UserAuditRecord::VERB_SIMULATE;
  212. } else {
  213. $user = $event->getToken()->getUser();
  214. $targetUser = null;
  215. $verb = UserAuditRecord::VERB_SIMULATE_EXIT;
  216. }
  218. $auditRecord = AuditRecordFactory::create(
  219. UserAuditRecord::class,
  220. $user,
  221. $targetUser,
  222. $verb
  223. );
  225. $this->eventDispatcher->dispatch(
  226. AuditRecordEventFactory::create($auditRecord),
  227. AuditRecordEvent::AUDIT
  228. );
  229. }
  231. /**
  232. * Sets a device ID cookie during the kernel.response
  233. *
  234. * @param ResponseEvent $event
  235. */
  236. public function setDeviceId(ResponseEvent $event): void
  237. {
  238. $attr = $event->getRequest()->attributes->get('msr_dev_id');
  240. if ($attr !== null) {
  241. $event->getResponse()->headers->setCookie(Cookie::create('msr_dev_id', $attr, new DateTime('+2 year')));
  242. }
  243. }
  245. /**
  246. * Sends a login alert notification to the user
  247. *
  248. * @param $type
  249. * @param UserLogin $login
  250. */
  251. protected function sendAlertNotification(UserLogin $login, $type)
  252. {
  253. // Disable notification temporarily, until there is a way to unsubscribe
  254. // $this->loginNotificationGenerator->generate($login, $type);
  255. }
  256. }