feature #14721 [Security] Configuring a user checker per firewall (iltar)

fabpot · fabpot · commit 194ad4cb4dba · 2015-10-02T14:49:38.000+02:00
This PR was squashed before being merged into the 2.8 branch (closes #14721). Discussion ---------- [Security] Configuring a user checker per firewall _Changed my base branch to avoid issues, closed old PR_ | Q | A | ------------- | --- | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed ticket | #11090 and helps #14673 | License | MIT | Doc PR | symfony/symfony-docs/pull/5530 This pull request adds support for a configurable user checker per firewall. An example could be: ```yml services: app.user_checker: class: App\Security\UserChecker arguments: - "@request_stack" security: firewalls: secured_area: pattern: ^/ anonymous: ~ basic_auth: ~ user_checker: app.user_checker ``` The above example will use the `UserChecker` defined as `app.user_checker`. If the `user_checker` option is left empty, `security.user_checker` will be used. If the `user_checkers` option is not defined, it will fall back to the original behavior to not break backwards compatibility and will validate using the existing `UserChecker`: `security.user_checker`. I left the default argument in the service definitions to be `security.user_checker` to include backwards compatibility for people who for some reason don't have the extension executed. You can obtain the checker for a specific firewall by appending the firewall name to it. For the firewall `secured_area`, this would be `security.user_checker.secured_area`. Commits ------- 76bc662 [Security] Configuring a user checker per firewall
diff --git a/DependencyInjection/MainConfiguration.php b/DependencyInjection/MainConfiguration.php
@@ -216,6 +216,11 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
                 ->prototype('scalar')->end()
             ->end()
             ->booleanNode('security')->defaultTrue()->end()
+            ->scalarNode('user_checker')
+                ->defaultValue('security.user_checker')
+                ->treatNullLike('security.user_checker')
+                ->info('The UserChecker to use when authenticating users in this firewall.')
+            ->end()
             ->scalarNode('request_matcher')->end()
             ->scalarNode('access_denied_url')->end()
             ->scalarNode('access_denied_handler')->end()
diff --git a/DependencyInjection/Security/Factory/FormLoginFactory.php b/DependencyInjection/Security/Factory/FormLoginFactory.php
@@ -65,6 +65,7 @@ protected function createAuthProvider(ContainerBuilder $container, $id, $config,
         $container
             ->setDefinition($provider, new DefinitionDecorator('security.authentication.provider.dao'))
             ->replaceArgument(0, new Reference($userProviderId))
+            ->replaceArgument(1, new Reference('security.user_checker.'.$id))
             ->replaceArgument(2, $id)
         ;
 
diff --git a/DependencyInjection/Security/Factory/FormLoginLdapFactory.php b/DependencyInjection/Security/Factory/FormLoginLdapFactory.php
@@ -30,6 +30,7 @@ protected function createAuthProvider(ContainerBuilder $container, $id, $config,
         $container
             ->setDefinition($provider, new DefinitionDecorator('security.authentication.provider.ldap_bind'))
             ->replaceArgument(0, new Reference($userProviderId))
+            ->replaceArgument(1, new Reference('security.user_checker.'.$id))
             ->replaceArgument(2, $id)
             ->replaceArgument(3, new Reference($config['service']))
             ->replaceArgument(4, $config['dn_string'])
diff --git a/DependencyInjection/Security/Factory/GuardAuthenticationFactory.php b/DependencyInjection/Security/Factory/GuardAuthenticationFactory.php
@@ -69,6 +69,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
             ->replaceArgument(0, $authenticatorReferences)
             ->replaceArgument(1, new Reference($userProvider))
             ->replaceArgument(2, $id)
+            ->replaceArgument(3, new Reference('security.user_checker.'.$id))
         ;
 
         // listener
diff --git a/DependencyInjection/Security/Factory/HttpBasicFactory.php b/DependencyInjection/Security/Factory/HttpBasicFactory.php
@@ -29,6 +29,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
         $container
             ->setDefinition($provider, new DefinitionDecorator('security.authentication.provider.dao'))
             ->replaceArgument(0, new Reference($userProvider))
+            ->replaceArgument(1, new Reference('security.user_checker.'.$id))
             ->replaceArgument(2, $id)
         ;
 
diff --git a/DependencyInjection/Security/Factory/HttpBasicLdapFactory.php b/DependencyInjection/Security/Factory/HttpBasicLdapFactory.php
@@ -31,6 +31,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
         $container
             ->setDefinition($provider, new DefinitionDecorator('security.authentication.provider.ldap_bind'))
             ->replaceArgument(0, new Reference($userProvider))
+            ->replaceArgument(1, new Reference('security.user_checker.'.$id))
             ->replaceArgument(2, $id)
             ->replaceArgument(3, new Reference($config['service']))
             ->replaceArgument(4, $config['dn_string'])
diff --git a/DependencyInjection/Security/Factory/RememberMeFactory.php b/DependencyInjection/Security/Factory/RememberMeFactory.php
@@ -35,6 +35,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
         $authProviderId = 'security.authentication.provider.rememberme.'.$id;
         $container
             ->setDefinition($authProviderId, new DefinitionDecorator('security.authentication.provider.rememberme'))
+            ->replaceArgument(0, new Reference('security.user_checker.'.$id))
             ->addArgument($config['secret'])
             ->addArgument($id)
         ;
diff --git a/DependencyInjection/Security/Factory/RemoteUserFactory.php b/DependencyInjection/Security/Factory/RemoteUserFactory.php
@@ -30,6 +30,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
         $container
             ->setDefinition($providerId, new DefinitionDecorator('security.authentication.provider.pre_authenticated'))
             ->replaceArgument(0, new Reference($userProvider))
+            ->replaceArgument(1, new Reference('security.user_checker.'.$id))
             ->addArgument($id)
         ;
 
diff --git a/DependencyInjection/Security/Factory/X509Factory.php b/DependencyInjection/Security/Factory/X509Factory.php
@@ -29,6 +29,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
         $container
             ->setDefinition($providerId, new DefinitionDecorator('security.authentication.provider.pre_authenticated'))
             ->replaceArgument(0, new Reference($userProvider))
+            ->replaceArgument(1, new Reference('security.user_checker.'.$id))
             ->addArgument($id)
         ;
 
diff --git a/DependencyInjection/SecurityExtension.php b/DependencyInjection/SecurityExtension.php
@@ -14,6 +14,7 @@
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\UserProvider\UserProviderFactoryInterface;
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
+use Symfony\Component\DependencyInjection\Definition;
 use Symfony\Component\DependencyInjection\DefinitionDecorator;
 use Symfony\Component\DependencyInjection\Alias;
 use Symfony\Component\HttpKernel\DependencyInjection\Extension;
@@ -100,16 +101,16 @@ public function load(array $configs, ContainerBuilder $container)
 
         // add some required classes for compilation
         $this->addClassesToCompile(array(
-            'Symfony\\Component\\Security\\Http\\Firewall',
-            'Symfony\\Component\\Security\\Core\\User\\UserProviderInterface',
-            'Symfony\\Component\\Security\\Core\\Authentication\\AuthenticationProviderManager',
-            'Symfony\\Component\\Security\\Core\\Authentication\\Token\\Storage\\TokenStorage',
-            'Symfony\\Component\\Security\\Core\\Authorization\\AccessDecisionManager',
-            'Symfony\\Component\\Security\\Core\\Authorization\\AuthorizationChecker',
-            'Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface',
-            'Symfony\\Bundle\\SecurityBundle\\Security\\FirewallMap',
-            'Symfony\\Bundle\\SecurityBundle\\Security\\FirewallContext',
-            'Symfony\\Component\\HttpFoundation\\RequestMatcher',
+            'Symfony\Component\Security\Http\Firewall',
+            'Symfony\Component\Security\Core\User\UserProviderInterface',
+            'Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager',
+            'Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage',
+            'Symfony\Component\Security\Core\Authorization\AccessDecisionManager',
+            'Symfony\Component\Security\Core\Authorization\AuthorizationChecker',
+            'Symfony\Component\Security\Core\Authorization\Voter\VoterInterface',
+            'Symfony\Bundle\SecurityBundle\Security\FirewallMap',
+            'Symfony\Bundle\SecurityBundle\Security\FirewallContext',
+            'Symfony\Component\HttpFoundation\RequestMatcher',
         ));
     }
 
@@ -369,6 +370,8 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
         // Exception listener
         $exceptionListener = new Reference($this->createExceptionListener($container, $firewall, $id, $configuredEntryPoint ?: $defaultEntryPoint, $firewall['stateless']));
 
+        $container->setAlias(new Alias('security.user_checker.'.$id, false), $firewall['user_checker']);
+
         return array($matcher, $listeners, $exceptionListener);
     }
 
@@ -577,6 +580,7 @@ private function createSwitchUserListener($container, $id, $config, $defaultProv
         $switchUserListenerId = 'security.authentication.switchuser_listener.'.$id;
         $listener = $container->setDefinition($switchUserListenerId, new DefinitionDecorator('security.authentication.switchuser_listener'));
         $listener->replaceArgument(1, new Reference($userProvider));
+        $listener->replaceArgument(2, new Reference('security.user_checker.'.$id));
         $listener->replaceArgument(3, $id);
         $listener->replaceArgument(6, $config['parameter']);
         $listener->replaceArgument(7, $config['role']);
diff --git a/Resources/config/guard.xml b/Resources/config/guard.xml
@@ -21,7 +21,7 @@
             <argument /> <!-- Simple Authenticator -->
             <argument /> <!-- User Provider -->
             <argument /> <!-- Provider-shared Key -->
-            <argument type="service" id="security.user_checker" />
+            <argument /> <!-- User Checker -->
         </service>
 
         <service id="security.authentication.listener.guard"
diff --git a/Resources/config/security_listeners.xml b/Resources/config/security_listeners.xml
@@ -217,15 +217,15 @@
 
         <service id="security.authentication.provider.dao" class="%security.authentication.provider.dao.class%" abstract="true" public="false">
             <argument /> <!-- User Provider -->
-            <argument type="service" id="security.user_checker" />
+            <argument /> <!-- User Checker -->
             <argument /> <!-- Provider-shared Key -->
             <argument type="service" id="security.encoder_factory" />
             <argument>%security.authentication.hide_user_not_found%</argument>
         </service>
 
         <service id="security.authentication.provider.ldap_bind" class="Symfony\Component\Security\Core\Authentication\Provider\LdapBindAuthenticationProvider" public="false" abstract="true">
             <argument /> <!-- User Provider -->
-            <argument type="service" id="security.user_checker" />
+            <argument /> <!-- UserChecker -->
             <argument /> <!-- Provider-shared Key -->
             <argument /> <!-- LDAP -->
             <argument /> <!-- Base DN -->
@@ -240,7 +240,7 @@
 
         <service id="security.authentication.provider.pre_authenticated" class="%security.authentication.provider.pre_authenticated.class%" abstract="true" public="false">
             <argument /> <!-- User Provider -->
-            <argument type="service" id="security.user_checker" />
+            <argument /> <!-- User Checker -->
         </service>
 
         <service id="security.exception_listener" class="%security.exception_listener.class%" public="false" abstract="true">
@@ -260,7 +260,7 @@
             <tag name="monolog.logger" channel="security" />
             <argument type="service" id="security.token_storage" />
             <argument /> <!-- User Provider -->
-            <argument type="service" id="security.user_checker" />
+            <argument /> <!-- User Checker -->
             <argument /> <!--  Provider Key -->
             <argument type="service" id="security.access.decision_manager" />
             <argument type="service" id="logger" on-invalid="null" />
diff --git a/Resources/config/security_rememberme.xml b/Resources/config/security_rememberme.xml
@@ -28,7 +28,7 @@
         </service>
 
         <service id="security.authentication.provider.rememberme" class="%security.authentication.provider.rememberme.class%" abstract="true" public="false">
-            <argument type="service" id="security.user_checker" />
+            <argument /> <!-- User Checker -->
         </service>
 
         <service id="security.rememberme.token.provider.in_memory" class="%security.rememberme.token.provider.in_memory.class%" public="false" />
diff --git a/Tests/DependencyInjection/CompleteConfigurationTest.php b/Tests/DependencyInjection/CompleteConfigurationTest.php
@@ -93,6 +93,13 @@ public function testFirewalls()
                 'security.authentication.listener.anonymous.host',
                 'security.access_listener',
             ),
+            array(
+                'security.channel_listener',
+                'security.context_listener.1',
+                'security.authentication.listener.basic.with_user_checker',
+                'security.authentication.listener.anonymous.with_user_checker',
+                'security.access_listener',
+            ),
         ), $listeners);
     }
 
@@ -233,6 +240,21 @@ public function testRememberMeThrowExceptions()
         $this->assertFalse($service->getArgument(5));
     }
 
+    public function testUserCheckerConfig()
+    {
+        $this->assertEquals('app.user_checker', $this->getContainer('container1')->getAlias('security.user_checker.with_user_checker'));
+    }
+
+    public function testUserCheckerConfigWithDefaultChecker()
+    {
+        $this->assertEquals('security.user_checker', $this->getContainer('container1')->getAlias('security.user_checker.host'));
+    }
+
+    public function testUserCheckerConfigWithNoCheckers()
+    {
+        $this->assertEquals('security.user_checker', $this->getContainer('container1')->getAlias('security.user_checker.secure'));
+    }
+
     protected function getContainer($file)
     {
         $container = new ContainerBuilder();
diff --git a/Tests/DependencyInjection/Fixtures/php/container1.php b/Tests/DependencyInjection/Fixtures/php/container1.php
@@ -72,6 +72,7 @@
             'remote_user' => true,
             'logout' => true,
             'remember_me' => array('secret' => 'TheSecret'),
+            'user_checker' => null,
         ),
         'host' => array(
             'pattern' => '/test',
@@ -80,6 +81,11 @@
             'anonymous' => true,
             'http_basic' => true,
         ),
+        'with_user_checker' => array(
+            'user_checker' => 'app.user_checker',
+            'anonymous' => true,
+            'http_basic' => true,
+        ),
     ),
 
     'access_control' => array(
diff --git a/Tests/DependencyInjection/Fixtures/xml/container1.xml b/Tests/DependencyInjection/Fixtures/xml/container1.xml
@@ -55,6 +55,7 @@
             <switch-user />
             <x509 />
             <remote-user />
+            <user-checker />
             <logout />
             <remember-me secret="TheSecret"/>
         </firewall>
@@ -64,6 +65,12 @@
             <http-basic />
         </firewall>
 
+        <firewall name="with_user_checker">
+            <anonymous />
+            <http-basic />
+            <user-checker>app.user_checker</user-checker>
+        </firewall>
+
         <role id="ROLE_ADMIN">ROLE_USER</role>
         <role id="ROLE_SUPER_ADMIN">ROLE_USER,ROLE_ADMIN,ROLE_ALLOWED_TO_SWITCH</role>
         <role id="ROLE_REMOTE">ROLE_USER,ROLE_ADMIN</role>
diff --git a/Tests/DependencyInjection/Fixtures/yml/container1.yml b/Tests/DependencyInjection/Fixtures/yml/container1.yml
@@ -56,13 +56,20 @@ security:
             logout: true
             remember_me:
                 secret: TheSecret
+            user_checker: ~
+
         host:
             pattern: /test
             host: foo\.example\.org
             methods: [GET,POST]
             anonymous: true
             http_basic: true
 
+        with_user_checker:
+            anonymous: ~
+            http_basic: ~
+            user_checker: app.user_checker
+
     role_hierarchy:
         ROLE_ADMIN:       ROLE_USER
         ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
diff --git a/Tests/DependencyInjection/MainConfigurationTest.php b/Tests/DependencyInjection/MainConfigurationTest.php
@@ -46,7 +46,7 @@ public function testNoConfigForProvider()
 
         $processor = new Processor();
         $configuration = new MainConfiguration(array(), array());
-        $config = $processor->processConfiguration($configuration, array($config));
+        $processor->processConfiguration($configuration, array($config));
     }
 
     /**
@@ -65,7 +65,7 @@ public function testManyConfigForProvider()
 
         $processor = new Processor();
         $configuration = new MainConfiguration(array(), array());
-        $config = $processor->processConfiguration($configuration, array($config));
+        $processor->processConfiguration($configuration, array($config));
     }
 
     public function testCsrfAliases()
@@ -108,8 +108,35 @@ public function testCsrfOriginalAndAliasValueCausesException()
         );
         $config = array_merge(static::$minimalConfig, $config);
 
+        $processor = new Processor();
+        $configuration = new MainConfiguration(array(), array());
+        $processor->processConfiguration($configuration, array($config));
+    }
+
+    public function testDefaultUserCheckers()
+    {
+        $processor = new Processor();
+        $configuration = new MainConfiguration(array(), array());
+        $processedConfig = $processor->processConfiguration($configuration, array(static::$minimalConfig));
+
+        $this->assertEquals('security.user_checker', $processedConfig['firewalls']['stub']['user_checker']);
+    }
+
+    public function testUserCheckers()
+    {
+        $config = array(
+            'firewalls' => array(
+                'stub' => array(
+                    'user_checker' => 'app.henk_checker',
+                ),
+            ),
+        );
+        $config = array_merge(static::$minimalConfig, $config);
+
         $processor = new Processor();
         $configuration = new MainConfiguration(array(), array());
         $processedConfig = $processor->processConfiguration($configuration, array($config));
+
+        $this->assertEquals('app.henk_checker', $processedConfig['firewalls']['stub']['user_checker']);
     }
 }
diff --git a/Tests/DependencyInjection/Security/Factory/GuardAuthenticationFactoryTest.php b/Tests/DependencyInjection/Security/Factory/GuardAuthenticationFactoryTest.php
@@ -109,6 +109,7 @@ public function testBasicCreate()
             'index_0' => array(new Reference('authenticator123')),
             'index_1' => new Reference('my_user_provider'),
             'index_2' => 'my_firewall',
+            'index_3' => new Reference('security.user_checker.my_firewall'),
         ), $providerDefinition->getArguments());
 
         $listenerDefinition = $container->getDefinition('security.authentication.listener.guard.my_firewall');
@@ -123,7 +124,7 @@ public function testExistingDefaultEntryPointUsed()
             'authenticators' => array('authenticator123'),
             'entry_point' => null,
         );
-        list($container, $entryPointId) = $this->executeCreate($config, 'some_default_entry_point');
+        list(, $entryPointId) = $this->executeCreate($config, 'some_default_entry_point');
         $this->assertEquals('some_default_entry_point', $entryPointId);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,7 @@ protected function createAuthProvider(ContainerBuilder $container, $id, $config,`
`65`	`65`	`$container`
`66`	`66`	`->setDefinition($provider, new DefinitionDecorator('security.authentication.provider.dao'))`
`67`	`67`	`->replaceArgument(0, new Reference($userProviderId))`
	`68`	`+ ->replaceArgument(1, new Reference('security.user_checker.'.$id))`
`68`	`69`	`->replaceArgument(2, $id)`
`69`	`70`	`;`
`70`	`71`
Original file line number	Diff line number	Diff line change
`@@ -69,6 +69,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,`
`69`	`69`	`->replaceArgument(0, $authenticatorReferences)`
`70`	`70`	`->replaceArgument(1, new Reference($userProvider))`
`71`	`71`	`->replaceArgument(2, $id)`
	`72`	`+ ->replaceArgument(3, new Reference('security.user_checker.'.$id))`
`72`	`73`	`;`
`73`	`74`
`74`	`75`	`// listener`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,`
`29`	`29`	`$container`
`30`	`30`	`->setDefinition($provider, new DefinitionDecorator('security.authentication.provider.dao'))`
`31`	`31`	`->replaceArgument(0, new Reference($userProvider))`
	`32`	`+ ->replaceArgument(1, new Reference('security.user_checker.'.$id))`
`32`	`33`	`->replaceArgument(2, $id)`
`33`	`34`	`;`
`34`	`35`
Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,`
`35`	`35`	`$authProviderId = 'security.authentication.provider.rememberme.'.$id;`
`36`	`36`	`$container`
`37`	`37`	`->setDefinition($authProviderId, new DefinitionDecorator('security.authentication.provider.rememberme'))`
	`38`	`+ ->replaceArgument(0, new Reference('security.user_checker.'.$id))`
`38`	`39`	`->addArgument($config['secret'])`
`39`	`40`	`->addArgument($id)`
`40`	`41`	`;`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,`
`30`	`30`	`$container`
`31`	`31`	`->setDefinition($providerId, new DefinitionDecorator('security.authentication.provider.pre_authenticated'))`
`32`	`32`	`->replaceArgument(0, new Reference($userProvider))`
	`33`	`+ ->replaceArgument(1, new Reference('security.user_checker.'.$id))`
`33`	`34`	`->addArgument($id)`
`34`	`35`	`;`
`35`	`36`