Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 1abdcbb

Browse files
fabpotfabpot
committed
feature #33558 [Security] AuthenticatorManager to make "authenticators" first-class security (wouterj)
This PR was squashed before being merged into the 5.1-dev branch. Discussion ---------- [Security] AuthenticatorManager to make "authenticators" first-class security | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | Deprecations? | no | Tickets | - | License | MIT | Doc PR | tbd The tl;dr --- The old authentication listener + authentication provider system was replaced by a new "authenticator" system (similar to Guard authentication). All existing "auth systems" (e.g. `form_login` are now written as an "authenticator" in core). Instead of each "authentication system" registering its own listener in the `Firewall`, there is now only one listener: `AuthenticatorManagerListener` * `Firewall` -> executes `AuthenticatorManagerListener` * `AuthenticatorManagerListener` -> calls `AuthenticatorManager` * `AuthenticatorManager` -> calls each authenticator This PR contains *no deprecations* and the "new system" is *marked as experimental*. This allows to continue to develop the new Security system during the 5.x release cycle without disturbing Symfony users. In 5.4, we can deprecate "old" Security and remove it completely in 6.0. Important Decisions --- * A) **The new authentication manager - `AuthenticatorManager` - now dispatches 3 important "hook" events**: * `VerifyAuthenticatorCredentialsEvent`: occurs at the point when a "password" needs to be checked. Allows us to centralize password checking, CSRF validation, password upgrading and the "user checker" logic. * `LoginSuccessEvent`: Dispatched after a successful authentication. E.g. used by remember me listener. * `LoginFailedEvent`: Dispatched after an unsuccessful authentication. Also used by remember me (and in theory could be used for login throttling). * B) **`getCredentials()`, `getUser()` and `checkCredentials()` methods from old Guard are gone: their logic is centralized**. Authenticators now have an `authenticate(Request $request): PassportInterface` method. A passport contains the user object, the credentials and any other add-in Security badges (e.g. CSRF): ```php public function authenticate(Request $request): PassportInterface { return new Passport( $user, new PasswordCredentials($request->get('_password')), [ new CsrfBadge($request->get('_token')) ] ); } ``` All badges (including the credentials) need to be resolved by listeners to `VerifyAuthenticatorCredentialsEvent`. There is build-in core support for the following badges/credentials: * `PasswordCredentials`: validated using the password encoder factory * `CustomCredentials`: allows a closure to do credentials checking * `CsrfTokenBadge`: automatic CSRF token verification * `PasswordUpgradeBadge`: enables password migration * `RememberMeBadge`: enables remember-me support for this authenticator * C) **`AuthenticatorManager` contains all logic to authenticate** As authenticators always relate to HTTP, the `AuthenticatorManager` contains all logic to authenticate. It has three methods, the most important two are: * `authenticateRequest(Request $request): TokenInterface`: Doing what is previously done by a listener and an authentication provider; * `authenticateUser(UserInterface $user, AuthenticatorInterface $authenticator, Request $request, array $badges = [])` for manual login in e.g. a controller. * D) **One AuthenticatorManager per firewall** In the old system, there was 1 authentication manager containing all providers and each firewall had a specific firewall listener. In the new system, each firewall has a specific authentication manager. * E) **Pre-authentication tokens are dropped.** As everything is now handled inside `AuthenticatorManager` and everything is stored in the Security `Passport`, there was no need for a token anymore (removing lots of confusion about what information is inside the token). This change deprecates 2 authentication calls: one in `AuthorizationChecker#isGranted()` and one in `AccessListener`. These seem now to be mis-used to reload users (e.g. re-authenticate the user after you change their roles). This (some "way" to change a user's roles *without* logging them out) needs to be "fixed"/added in another PR. * F) **The remember me service now uses *all* user providers** Previously, only user providers of authentication providers listening on that firewall were used. This change is due to practical reasons and we don't think it is common to have 2 user providers supporting the same user instance. In any case, you can always explicitly configure the user provider under `remember_me`. * G) **Auth Providers No Longer Clear the Token on Auth Failure** Previously, authentication providers did `$this->tokenStorage->setToken(null)` upon authentication failure. This is not yet implemented: our reasoning is that if you've authenticated successfully using e.g. the login form, why should you be logged out if you visit the same login form and enter wrong credentials? The pre-authenticated authenticators are an exception here, they do reset the token upon authentication failure, just like the old system. * H) **CSRF Generator Service ID No Longer Configurable** The old Form login authentication provider allowed you to configure the CSRF generator service ID. This is no longer possible with the automated CSRF listener. This feature was introduced in the first CSRF commit and didn't get any updates ever since, so we don't think this feature is required. This could also be accomplished by checking CSRF manually in your authenticator, instead of using the automated check. Future Considerations --- * Remove Security sub-components: Move CSRF to `Symfony\Component\Csrf` (just like mime); Deprecated Guard; Put HTTP + Core as `symfony/security`. This means moving the new classes to `Symfony\Component\Security` * Convert LDAP to the new system * This is fixed (and merged) by #36243 <s>There is a need for some listeners to listen for events on one firewall, but not another (e.g. `RememberMeListener`). This is now fixed by checking the `$providerKey`. We thought it might be nice to introduce a feature to the event dispatcher:</s> * <s>Create one event dispatcher per firewall;</s> * <s>Extend the `kernel.event_subscriber` tag, so that you can optionally specify the dispatcher service ID (to allow listening on events for a specific dispatcher);</s> * <s>Add a listener that always also triggers the events on the main event dispatcher, in case you want a listener that is listening on all firewalls.</s> * Drop the `AnonymousToken` and `AnonymousAuthenticator`: Anonymous authentication has never made much sense and complicates things (e.g. the user can be a string). For access control, an anonymous user has the same meaning as an un-authenticated one (`null`). This require changes in the `AccessListener` and `AuthorizationChecker` and probably also a new Security attribute (to replace `IS_AUTHENTICATED_ANONYMOUSLY`). Related issues: #34909, #30609 > **How to test** > 1. Install the Symfony demo application (or any Symfony application) > 2. Clone my Symfony fork (`git clone [email protected]:wouterj/symfony`) and checkout my branch (`git checkout security/deprecate-providers-listeners`) > 3. Use the link utility to link my fork to the Symfony application: `/path/to/symfony-fork/link /path/to/project` > 4. Enable the new system by setting `security.enable_authenticator_manager` to `true` Commits ------- b1e040f Rename providerKey to firewallName for more consistent naming 50224aa Introduce Passport & Badges to extend authenticators 9ea32c4 Also use authentication failure/success handlers in FormLoginAuthenticator 0fe5083 Added JSON login authenticator 7ef6a7a Use the firewall event dispatcher 95edc80 Added pre-authenticated authenticators (X.509 & REMOTE_USER) f5e11e5 Reverted changes to the Guard component ba3754a Differentiate between interactive and non-interactive authenticators 6b9d78d Added tests 59f49b2 Rename AuthenticatingListener 60d396f Added automatically CSRF protected authenticators bf1a452 Merge AuthenticatorManager and AuthenticatorHandler 44cc76f Use one AuthenticatorManager per firewall 09bed16 Only load old manager if new system is disabled ddf430f Added remember me functionality 1c810d5 Added support for lazy firewalls 7859977 Removed all mentions of 'guard' in the new system 999ec27 Refactor to an event based authentication approach b14a5e8 Moved new authenticator to the HTTP namespace b923e4c Enabled remember me for the GuardManagerListener 873b949 Mark new core authenticators as experimental 4c06236 Fixes after testing in Demo application fa4b3ec Implemented password migration for the new authenticators 5efa892 Create a new core AuthenticatorInterface 5013258 Add provider key in PreAuthenticationGuardToken 526f756 Added GuardManagerListener a172bac Added FormLogin and Anonymous authenticators 9b7fddd Integrated GuardAuthenticationManager in the SecurityBundle a6890db Created HttpBasicAuthenticator and some Guard traits c321f4d Created GuardAuthenticationManager to make Guard first-class Security
2 parents 01794d0 + b1e040f commit 1abdcbb

File tree

77 files changed

+4857
-82
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

77 files changed

+4857
-82
lines changed

src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -73,6 +73,7 @@ public function getConfigTreeBuilder()
7373
->booleanNode('hide_user_not_found')->defaultTrue()->end()
7474
->booleanNode('always_authenticate_before_granting')->defaultFalse()->end()
7575
->booleanNode('erase_credentials')->defaultTrue()->end()
76+
->booleanNode('enable_authenticator_manager')->defaultFalse()->info('Enables the new Symfony Security system based on Authenticators, all used authenticators must support this before enabling this.')->end()
7677
->arrayNode('access_decision_manager')
7778
->addDefaultsIfNotSet()
7879
->children()

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AbstractFactory.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,7 @@ abstract class AbstractFactory implements SecurityFactoryInterface
3030
'check_path' => '/login_check',
3131
'use_forward' => false,
3232
'require_previous_session' => false,
33+
'login_path' => '/login',
3334
];
3435

3536
protected $defaultSuccessHandlerOptions = [

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AnonymousFactory.php

Lines changed: 15 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@
1919
/**
2020
* @author Wouter de Jong <[email protected]>
2121
*/
22-
class AnonymousFactory implements SecurityFactoryInterface
22+
class AnonymousFactory implements SecurityFactoryInterface, AuthenticatorFactoryInterface
2323
{
2424
public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)
2525
{
@@ -42,6 +42,20 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
4242
return [$providerId, $listenerId, $defaultEntryPoint];
4343
}
4444

45+
public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId): string
46+
{
47+
if (null === $config['secret']) {
48+
$config['secret'] = new Parameter('container.build_hash');
49+
}
50+
51+
$authenticatorId = 'security.authenticator.anonymous.'.$firewallName;
52+
$container
53+
->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.anonymous'))
54+
->replaceArgument(0, $config['secret']);
55+
56+
return $authenticatorId;
57+
}
58+
4559
public function getPosition()
4660
{
4761
return 'anonymous';

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AuthenticatorFactoryInterface.php

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
<?php
2+
3+
/*
4+
* This file is part of the Symfony package.
5+
*
6+
* (c) Fabien Potencier <[email protected]>
7+
*
8+
* For the full copyright and license information, please view the LICENSE
9+
* file that was distributed with this source code.
10+
*/
11+
12+
namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
13+
14+
use Symfony\Component\DependencyInjection\ContainerBuilder;
15+
16+
/**
17+
* @author Wouter de Jong <[email protected]>
18+
*
19+
* @experimental in 5.1
20+
*/
21+
interface AuthenticatorFactoryInterface
22+
{
23+
/**
24+
* Creates the authenticator service(s) for the provided configuration.
25+
*
26+
* @return string|string[] The authenticator service ID(s) to be used by the firewall
27+
*/
28+
public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId);
29+
}

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/CustomAuthenticatorFactory.php

Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
<?php
2+
3+
/*
4+
* This file is part of the Symfony package.
5+
*
6+
* (c) Fabien Potencier <[email protected]>
7+
*
8+
* For the full copyright and license information, please view the LICENSE
9+
* file that was distributed with this source code.
10+
*/
11+
12+
namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
13+
14+
use Symfony\Component\Config\Definition\Builder\ArrayNodeDefinition;
15+
use Symfony\Component\Config\Definition\Builder\NodeDefinition;
16+
use Symfony\Component\DependencyInjection\ContainerBuilder;
17+
18+
class CustomAuthenticatorFactory implements AuthenticatorFactoryInterface, SecurityFactoryInterface
19+
{
20+
public function create(ContainerBuilder $container, string $id, array $config, string $userProvider, ?string $defaultEntryPoint)
21+
{
22+
throw new \LogicException('Custom authenticators are not supported when "security.enable_authenticator_manager" is not set to true.');
23+
}
24+
25+
public function getPosition(): string
26+
{
27+
return 'pre_auth';
28+
}
29+
30+
public function getKey(): string
31+
{
32+
return 'custom_authenticator';
33+
}
34+
35+
/**
36+
* @param ArrayNodeDefinition $builder
37+
*/
38+
public function addConfiguration(NodeDefinition $builder)
39+
{
40+
$builder
41+
->fixXmlConfig('service')
42+
->children()
43+
->arrayNode('services')
44+
->info('An array of service ids for all of your "authenticators"')
45+
->requiresAtLeastOneElement()
46+
->prototype('scalar')->end()
47+
->end()
48+
->end()
49+
;
50+
}
51+
52+
public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId): array
53+
{
54+
return $config['services'];
55+
}
56+
}

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/EntryPointFactoryInterface.php

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
<?php
2+
3+
/*
4+
* This file is part of the Symfony package.
5+
*
6+
* (c) Fabien Potencier <[email protected]>
7+
*
8+
* For the full copyright and license information, please view the LICENSE
9+
* file that was distributed with this source code.
10+
*/
11+
12+
namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
13+
14+
use Symfony\Component\DependencyInjection\ContainerBuilder;
15+
16+
/**
17+
* @author Wouter de Jong <[email protected]>
18+
*
19+
* @experimental in 5.1
20+
*/
21+
interface EntryPointFactoryInterface
22+
{
23+
/**
24+
* Creates the entry point and returns the service ID.
25+
*/
26+
public function createEntryPoint(ContainerBuilder $container, string $id, array $config, ?string $defaultEntryPointId): string;
27+
}

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginFactory.php

Lines changed: 26 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@
1212
namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
1313

1414
use Symfony\Component\Config\Definition\Builder\NodeDefinition;
15+
use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
1516
use Symfony\Component\DependencyInjection\ChildDefinition;
1617
use Symfony\Component\DependencyInjection\ContainerBuilder;
1718
use Symfony\Component\DependencyInjection\Reference;
@@ -22,14 +23,15 @@
2223
* @author Fabien Potencier <[email protected]>
2324
* @author Johannes M. Schmitt <[email protected]>
2425
*/
25-
class FormLoginFactory extends AbstractFactory
26+
class FormLoginFactory extends AbstractFactory implements AuthenticatorFactoryInterface, EntryPointFactoryInterface
2627
{
2728
public function __construct()
2829
{
2930
$this->addOption('username_parameter', '_username');
3031
$this->addOption('password_parameter', '_password');
3132
$this->addOption('csrf_parameter', '_csrf_token');
3233
$this->addOption('csrf_token_id', 'authenticate');
34+
$this->addOption('enable_csrf', false);
3335
$this->addOption('post_only', true);
3436
}
3537

@@ -61,6 +63,10 @@ protected function getListenerId()
6163

6264
protected function createAuthProvider(ContainerBuilder $container, string $id, array $config, string $userProviderId)
6365
{
66+
if ($config['enable_csrf'] ?? false) {
67+
throw new InvalidConfigurationException('The "enable_csrf" option of "form_login" is only available when "security.enable_authenticator_manager" is set to "true", use "csrf_token_generator" instead.');
68+
}
69+
6470
$provider = 'security.authentication.provider.dao.'.$id;
6571
$container
6672
->setDefinition($provider, new ChildDefinition('security.authentication.provider.dao'))
@@ -84,7 +90,7 @@ protected function createListener(ContainerBuilder $container, string $id, array
8490
return $listenerId;
8591
}
8692

87-
protected function createEntryPoint(ContainerBuilder $container, string $id, array $config, ?string $defaultEntryPoint)
93+
public function createEntryPoint(ContainerBuilder $container, string $id, array $config, ?string $defaultEntryPoint): string
8894
{
8995
$entryPointId = 'security.authentication.form_entry_point.'.$id;
9096
$container
@@ -96,4 +102,22 @@ protected function createEntryPoint(ContainerBuilder $container, string $id, arr
96102

97103
return $entryPointId;
98104
}
105+
106+
public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId): string
107+
{
108+
if (isset($config['csrf_token_generator'])) {
109+
throw new InvalidConfigurationException('The "csrf_token_generator" option of "form_login" is only available when "security.enable_authenticator_manager" is set to "false", use "enable_csrf" instead.');
110+
}
111+
112+
$authenticatorId = 'security.authenticator.form_login.'.$firewallName;
113+
$options = array_intersect_key($config, $this->options);
114+
$container
115+
->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.form_login'))
116+
->replaceArgument(1, new Reference($userProviderId))
117+
->replaceArgument(2, new Reference($this->createAuthenticationSuccessHandler($container, $firewallName, $config)))
118+
->replaceArgument(3, new Reference($this->createAuthenticationFailureHandler($container, $firewallName, $config)))
119+
->replaceArgument(4, $options);
120+
121+
return $authenticatorId;
122+
}
99123
}

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicFactory.php

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@
2121
*
2222
* @author Fabien Potencier <[email protected]>
2323
*/
24-
class HttpBasicFactory implements SecurityFactoryInterface
24+
class HttpBasicFactory implements SecurityFactoryInterface, AuthenticatorFactoryInterface
2525
{
2626
public function create(ContainerBuilder $container, string $id, array $config, string $userProvider, ?string $defaultEntryPoint)
2727
{
@@ -46,6 +46,17 @@ public function create(ContainerBuilder $container, string $id, array $config, s
4646
return [$provider, $listenerId, $entryPointId];
4747
}
4848

49+
public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId): string
50+
{
51+
$authenticatorId = 'security.authenticator.http_basic.'.$firewallName;
52+
$container
53+
->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.http_basic'))
54+
->replaceArgument(0, $config['realm'])
55+
->replaceArgument(1, new Reference($userProviderId));
56+
57+
return $authenticatorId;
58+
}
59+
4960
public function getPosition()
5061
{
5162
return 'http';

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/JsonLoginFactory.php

Lines changed: 15 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@
2020
*
2121
* @author Kévin Dunglas <[email protected]>
2222
*/
23-
class JsonLoginFactory extends AbstractFactory
23+
class JsonLoginFactory extends AbstractFactory implements AuthenticatorFactoryInterface
2424
{
2525
public function __construct()
2626
{
@@ -96,4 +96,18 @@ protected function createListener(ContainerBuilder $container, string $id, array
9696

9797
return $listenerId;
9898
}
99+
100+
public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId)
101+
{
102+
$authenticatorId = 'security.authenticator.json_login.'.$firewallName;
103+
$options = array_intersect_key($config, $this->options);
104+
$container
105+
->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.json_login'))
106+
->replaceArgument(1, new Reference($userProviderId))
107+
->replaceArgument(2, isset($config['success_handler']) ? new Reference($this->createAuthenticationSuccessHandler($container, $firewallName, $config)) : null)
108+
->replaceArgument(3, isset($config['failure_handler']) ? new Reference($this->createAuthenticationFailureHandler($container, $firewallName, $config)) : null)
109+
->replaceArgument(4, $options);
110+
111+
return $authenticatorId;
112+
}
99113
}

0 commit comments

Comments
 (0)