[Security] Make stateful firewalls turn responses private only when needed

nicolas-grekas · nicolas-grekas · commit c8a4fef490a1 · 2019-09-23T15:14:29.000+02:00
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterSessionUsageIndexPass.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterSessionUsageIndexPass.php
@@ -0,0 +1,51 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler;
+
+use Symfony\Bridge\Monolog\Processor\ProcessorInterface;
+use Symfony\Component\DependencyInjection\Argument\BoundArgument;
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Reference;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+
+/**
+ * Injects the session tracker enabler in "security.context_listener" + binds "security.untracked_token_storage" to ProcessorInterface instances.
+ *
+ * @author Nicolas Grekas <p@tchwork.com>
+ *
+ * @internal
+ */
+class RegisterSessionUsageIndexPass implements CompilerPassInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function process(ContainerBuilder $container)
+    {
+        if (!$container->has('security.untracked_token_storage')) {
+            return;
+        }
+
+        $processorAutoconfiguration = $container->registerForAutoconfiguration(ProcessorInterface::class);
+        $processorAutoconfiguration->setBindings($processorAutoconfiguration->getBindings() + [
+            TokenStorageInterface::class => new BoundArgument(new Reference('security.untracked_token_storage'), false),
+        ]);
+
+        if (!$container->has('session')) {
+            $container->setAlias('security.token_storage', 'security.untracked_token_storage')->setPublic(true);
+        } elseif ($container->hasDefinition('security.context_listener')) {
+            $container->getDefinition('security.context_listener')
+                ->setArgument(6, [new Reference('security.token_storage'), 'enableUsageTracking']);
+        }
+    }
+}
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/collectors.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/collectors.xml
@@ -9,7 +9,7 @@
 
         <service id="data_collector.security" class="Symfony\Bundle\SecurityBundle\DataCollector\SecurityDataCollector">
             <tag name="data_collector" template="@Security/Collector/security.html.twig" id="security" priority="270" />
-            <argument type="service" id="security.token_storage" on-invalid="ignore" />
+            <argument type="service" id="security.untracked_token_storage" />
             <argument type="service" id="security.role_hierarchy" />
             <argument type="service" id="security.logout_url_generator" />
             <argument type="service" id="security.access.decision_manager" />
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml
@@ -21,11 +21,17 @@
         </service>
         <service id="Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface" alias="security.authorization_checker" />
 
-        <service id="security.token_storage" class="Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage" public="true">
-            <tag name="kernel.reset" method="setToken" />
+        <service id="security.token_storage" class="Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage" public="true">
+            <tag name="kernel.reset" method="disableUsageTracking" />
+            <argument type="service" id="security.untracked_token_storage" />
+            <argument type="service_locator">
+                <argument key="session" type="service" id="session" />
+            </argument>
         </service>
         <service id="Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface" alias="security.token_storage" />
 
+        <service id="security.untracked_token_storage" class="Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage" />
+
         <service id="security.helper" class="Symfony\Component\Security\Core\Security">
             <argument type="service_locator">
                 <argument key="security.token_storage" type="service" id="security.token_storage" />
@@ -162,7 +168,7 @@
         <service id="security.logout_url_generator" class="Symfony\Component\Security\Http\Logout\LogoutUrlGenerator">
             <argument type="service" id="request_stack" on-invalid="null" />
             <argument type="service" id="router" on-invalid="null" />
-            <argument type="service" id="security.token_storage" on-invalid="null" />
+            <argument type="service" id="security.token_storage" />
         </service>
 
         <!-- Provisioning -->
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml
@@ -9,7 +9,7 @@
 
         <service id="security.authentication.listener.anonymous" class="Symfony\Component\Security\Http\Firewall\AnonymousAuthenticationListener">
             <tag name="monolog.logger" channel="security" />
-            <argument type="service" id="security.token_storage" />
+            <argument type="service" id="security.untracked_token_storage" />
             <argument /> <!-- Key -->
             <argument type="service" id="logger" on-invalid="null" />
             <argument type="service" id="security.authentication.manager" />
@@ -37,7 +37,7 @@
 
         <service id="security.context_listener" class="Symfony\Component\Security\Http\Firewall\ContextListener">
             <tag name="monolog.logger" channel="security" />
-            <argument type="service" id="security.token_storage" />
+            <argument type="service" id="security.untracked_token_storage" />
             <argument type="collection" />
             <argument /> <!-- Provider Key -->
             <argument type="service" id="logger" on-invalid="null" />
@@ -128,7 +128,7 @@
 
         <service id="security.authentication.listener.simple_preauth" class="Symfony\Component\Security\Http\Firewall\SimplePreAuthenticationListener" abstract="true">
             <tag name="monolog.logger" channel="security" />
-            <argument type="service" id="security.token_storage" />
+            <argument type="service" id="security.untracked_token_storage" />
             <argument type="service" id="security.authentication.manager" />
             <argument /> <!-- Provider-shared Key -->
             <argument /> <!-- Authenticator -->
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_rememberme.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_rememberme.xml
@@ -9,7 +9,7 @@
 
         <service id="security.authentication.listener.rememberme" class="Symfony\Component\Security\Http\Firewall\RememberMeListener" abstract="true">
             <tag name="monolog.logger" channel="security" />
-            <argument type="service" id="security.token_storage" />
+            <argument type="service" id="security.untracked_token_storage" />
             <argument type="service" id="security.authentication.rememberme" />
             <argument type="service" id="security.authentication.manager" />
             <argument type="service" id="logger" on-invalid="null" />
diff --git a/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php b/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
@@ -15,6 +15,7 @@
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddSecurityVotersPass;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddSessionDomainConstraintPass;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterCsrfTokenClearingLogoutHandlerPass;
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterSessionUsageIndexPass;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AnonymousFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FormLoginFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FormLoginLdapFactory;
@@ -66,5 +67,6 @@ public function build(ContainerBuilder $container)
         $container->addCompilerPass(new AddSecurityVotersPass());
         $container->addCompilerPass(new AddSessionDomainConstraintPass(), PassConfig::TYPE_BEFORE_REMOVING);
         $container->addCompilerPass(new RegisterCsrfTokenClearingLogoutHandlerPass());
+        $container->addCompilerPass(new RegisterSessionUsageIndexPass(), PassConfig::TYPE_BEFORE_OPTIMIZATION, 200);
     }
 }
diff --git a/src/Symfony/Component/HttpFoundation/Session/Session.php b/src/Symfony/Component/HttpFoundation/Session/Session.php
@@ -139,7 +139,7 @@ public function count()
     /**
      * @internal
      */
-    public function getUsageIndex(): int
+    public function &getUsageIndex(): int
     {
         return $this->usageIndex;
     }
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/Storage/UsageTrackingTokenStorage.php b/src/Symfony/Component/Security/Core/Authentication/Token/Storage/UsageTrackingTokenStorage.php
@@ -0,0 +1,73 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication\Token\Storage;
+
+use Psr\Container\ContainerInterface;
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Contracts\Service\ServiceSubscriberInterface;
+
+/**
+ * A token storage that increments the session usage index when the token is accessed.
+ *
+ * @author Nicolas Grekas <p@tchwork.com>
+ */
+final class UsageTrackingTokenStorage implements TokenStorageInterface, ServiceSubscriberInterface
+{
+    private $storage;
+    private $sessionLocator;
+    private $enableUsageTracking = false;
+
+    public function __construct(TokenStorageInterface $storage, ContainerInterface $sessionLocator)
+    {
+        $this->storage = $storage;
+        $this->sessionLocator = $sessionLocator;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getToken(): ?TokenInterface
+    {
+        if ($this->enableUsageTracking) {
+            // increments the internal session usage index
+            $this->sessionLocator->get('session')->getMetadataBag();
+        }
+
+        return $this->storage->getToken();
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function setToken(TokenInterface $token = null): void
+    {
+        $this->storage->setToken($token);
+    }
+
+    public function enableUsageTracking(): void
+    {
+        $this->enableUsageTracking = true;
+    }
+
+    public function disableUsageTracking(): void
+    {
+        $this->enableUsageTracking = false;
+    }
+
+    public static function getSubscribedServices(): array
+    {
+        return [
+            'session' => SessionInterface::class,
+        ];
+    }
+}
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Token/Storage/UsageTrackingTokenStorageTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Token/Storage/UsageTrackingTokenStorageTest.php
@@ -0,0 +1,57 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Tests\Authentication\Token\Storage;
+
+use PHPUnit\Framework\TestCase;
+use Psr\Container\ContainerInterface;
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Contracts\Service\ServiceLocatorTrait;
+
+class UsageTrackingTokenStorageTest extends TestCase
+{
+    public function testGetSetToken()
+    {
+        $sessionAccess = 0;
+        $sessionLocator = new class(['session' => function () use (&$sessionAccess) {
+            ++$sessionAccess;
+
+            $session = $this->createMock(SessionInterface::class);
+            $session->expects($this->once())
+                    ->method('getMetadataBag');
+
+            return $session;
+        }]) implements ContainerInterface {
+            use ServiceLocatorTrait;
+        };
+        $tokenStorage = new TokenStorage();
+        $trackingStorage = new UsageTrackingTokenStorage($tokenStorage, $sessionLocator);
+
+        $this->assertNull($trackingStorage->getToken());
+        $token = $this->getMockBuilder(TokenInterface::class)->getMock();
+
+        $trackingStorage->setToken($token);
+        $this->assertSame($token, $trackingStorage->getToken());
+        $this->assertSame($token, $tokenStorage->getToken());
+        $this->assertSame(0, $sessionAccess);
+
+        $trackingStorage->enableUsageTracking();
+        $this->assertSame($token, $trackingStorage->getToken());
+        $this->assertSame(1, $sessionAccess);
+
+        $trackingStorage->disableUsageTracking();
+        $this->assertSame($token, $trackingStorage->getToken());
+        $this->assertSame(1, $sessionAccess);
+    }
+}
diff --git a/src/Symfony/Component/Security/Http/Firewall/AccessListener.php b/src/Symfony/Component/Security/Http/Firewall/AccessListener.php
@@ -51,18 +51,18 @@ public function __construct(TokenStorageInterface $tokenStorage, AccessDecisionM
      */
     public function __invoke(RequestEvent $event)
     {
-        if (null === $token = $this->tokenStorage->getToken()) {
-            throw new AuthenticationCredentialsNotFoundException('A Token was not found in the TokenStorage.');
-        }
-
         $request = $event->getRequest();
 
         list($attributes) = $this->map->getPatterns($request);
 
-        if (null === $attributes) {
+        if (!$attributes) {
             return;
         }
 
+        if (null === $token = $this->tokenStorage->getToken()) {
+            throw new AuthenticationCredentialsNotFoundException('A Token was not found in the TokenStorage.');
+        }
+
         if (!$token->isAuthenticated()) {
             $token = $this->authManager->authenticate($token);
             $this->tokenStorage->setToken($token);
diff --git a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/AccessListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/AccessListenerTest.php
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php
diff --git a/src/Symfony/Component/Security/Http/composer.json b/src/Symfony/Component/Security/Http/composer.json

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@`
`15`	`15`	`use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddSecurityVotersPass;`
`16`	`16`	`use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddSessionDomainConstraintPass;`
`17`	`17`	`use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterCsrfTokenClearingLogoutHandlerPass;`
	`18`	`+use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterSessionUsageIndexPass;`
`18`	`19`	`use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AnonymousFactory;`
`19`	`20`	`use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FormLoginFactory;`
`20`	`21`	`use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FormLoginLdapFactory;`
`@@ -66,5 +67,6 @@ public function build(ContainerBuilder $container)`
`66`	`67`	`$container->addCompilerPass(new AddSecurityVotersPass());`
`67`	`68`	`$container->addCompilerPass(new AddSessionDomainConstraintPass(), PassConfig::TYPE_BEFORE_REMOVING);`
`68`	`69`	`$container->addCompilerPass(new RegisterCsrfTokenClearingLogoutHandlerPass());`
	`70`	`+ $container->addCompilerPass(new RegisterSessionUsageIndexPass(), PassConfig::TYPE_BEFORE_OPTIMIZATION, 200);`
`69`	`71`	`}`
`70`	`72`	`}`
Original file line number	Diff line number	Diff line change
`@@ -139,7 +139,7 @@ public function count()`
`139`	`139`	`/**`
`140`	`140`	`* @internal`
`141`	`141`	`*/`
`142`		`- public function getUsageIndex(): int`
	`142`	`+ public function &getUsageIndex(): int`
`143`	`143`	`{`
`144`	`144`	`return $this->usageIndex;`
`145`	`145`	`}`