8000 [Security] AuthenticatorManager to make "authenticators" first-class security by wouterj · Pull Request #33558 · symfony/symfony · GitHub
[go: up one dir, main page]
Skip to content

[Security] AuthenticatorManager to make "authenticators" first-class security #33558

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 30 commits into from
Apr 21, 2020
Merged

[Security] AuthenticatorManager to make "authenticators" first-class security #33558

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
c321f4d
Created GuardAuthenticationManager to make Guard first-class Security
wouterj Sep 8, 2019
a6890db
Created HttpBasicAuthenticator and some Guard traits
wouterj Sep 8, 2019
9b7fddd
Integrated GuardAuthenticationManager in the SecurityBundle
wouterj Sep 8, 2019
a172bac
Added FormLogin and Anonymous authenticators
wouterj Dec 13, 2019
526f756
Added GuardManagerListener
wouterj Dec 13, 2019
5013258
Add provider key in PreAuthenticationGuardToken
wouterj Jan 26, 2020
5efa892
Create a new core AuthenticatorInterface
wouterj Jan 26, 2020
fa4b3ec
Implemented password migration for the new authenticators
wouterj Jan 26, 2020
4c06236
Fixes after testing in Demo application
wouterj Jan 26, 2020
873b949
Mark new core authenticators as experimental
wouterj Jan 26, 2020
b923e4c
Enabled remember me for the GuardManagerListener
wouterj Jan 26, 2020
b14a5e8
Moved new authenticator to the HTTP namespace
wouterj Jan 26, 2020
999ec27
Refactor to an event based authentication approach
wouterj Feb 6, 2020
7859977
Removed all mentions of 'guard' in the new system
wouterj Feb 6, 2020
1c810d5
Added support for lazy firewalls
wouterj Feb 9, 2020
ddf430f
Added remember me functionality
wouterj Feb 12, 2020
09bed16
Only load old manager if new system is disabled
wouterj Feb 22, 2020
44cc76f
Use one AuthenticatorManager per firewall
wouterj Feb 29, 2020
bf1a452
Merge AuthenticatorManager and AuthenticatorHandler
wouterj Mar 1, 2020
60d396f
Added automatically CSRF protected authenticators
wouterj Mar 1, 2020
59f49b2
Rename AuthenticatingListener
wouterj Mar 7, 2020
6b9d78d
Added tests
wouterj Mar 7, 2020
ba3754a
Differentiate between interactive and non-interactive authenticators
wouterj Mar 13, 2020
f5e11e5
Reverted changes to the Guard component
wouterj Mar 14, 2020
95edc80
Added pre-authenticated authenticators (X.509 & REMOTE_USER)
wouterj Mar 14, 2020
7ef6a7a
Use the firewall event dispatcher
wouterj Apr 4, 2020
0fe5083
Added JSON login authenticator
wouterj Apr 5, 2020
9ea32c4
Also use authentication failure/success handlers in FormLoginAuthenti…
wouterj Apr 6, 2020
50224aa
Introduce Passport & Badges to extend authenticators
wouterj Apr 9, 2020
b1e040f
Rename providerKey to firewallName for more consistent naming
wouterj Apr 10, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Removed all mentions of 'guard' in the new system 
This to remove confusion between the new system and Guard. When using the new
system, guard should not be installed. Guard did however influence the idea
behind the new system. Thus keeping the mentions of "guard" makes it confusing
to use the new system.
  • Loading branch information
@wouterj
wouterj committed Apr 20, 2020
commit 7859977324852dcb2b193106bb1066e6061fe010
2 changes: 1 addition & 1 deletion src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ public function getConfigTreeBuilder()
->booleanNode('hide_user_not_found')->defaultTrue()->end()
->booleanNode('always_authenticate_before_granting')->defaultFalse()->end()
->booleanNode('erase_credentials')->defaultTrue()->end()
->booleanNode('guard_authentication_manager')->defaultFalse()->end()
->booleanNode('enable_authenticator_manager')->defaultFalse()->info('Enables the new Symfony Security system based on Authenticators, all used authenticators must support this before enabling this.')->end()
->arrayNode('access_decision_manager')
->addDefaultsIfNotSet()
->children()
Expand Down
4 changes: 2 additions & 2 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AnonymousFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
/**
* @author Wouter de Jong <wouter@wouterj.nl>
*/
class AnonymousFactory implements SecurityFactoryInterface, GuardFactoryInterface
class AnonymousFactory implements SecurityFactoryInterface, AuthenticatorFactoryInterface
{
public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)
{
Expand All @@ -42,7 +42,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
return [$providerId, $listenerId, $defaultEntryPoint];
}

public function createGuard(ContainerBuilder $container, string $id, array $config, ?string $userProviderId): string
public function createAuthenticator(ContainerBuilder $container, string $id, array $config, ?string $userProviderId): string
{
if (null === $config['secret']) {
$config['secret'] = new Parameter('container.build_hash');
Expand Down
8 changes: 4 additions & 4 deletions ...ecurity/Factory/GuardFactoryInterface.php → ...Factory/AuthenticatorFactoryInterface.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,12 +18,12 @@
*
* @experimental in 5.1
*/
interface GuardFactoryInterface
interface AuthenticatorFactoryInterface
{
/**
* Creates the Guard service(s) for the provided configuration.
* Creates the authenticator service(s) for the provided configuration.
*
* @return string|string[] The Guard service ID(s) to be used by the firewall
* @return string|string[] The authenticator service ID(s) to be used by the firewall
*/
public function createGuard(ContainerBuilder $container, string $id, array $config, ?string $userProviderId);
public function createAuthenticator(ContainerBuilder $container, string $id, array $config, ?string $userProviderId);
}
4 changes: 2 additions & 2 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@
* @author Fabien Potencier <fabien@symfony.com>
* @author Johannes M. Schmitt <schmittjoh@gmail.com>
*/
class FormLoginFactory extends AbstractFactory implements GuardFactoryInterface, EntryPointFactoryInterface
class FormLoginFactory extends AbstractFactory implements AuthenticatorFactoryInterface, EntryPointFactoryInterface
{
public function __construct()
{
Expand Down Expand Up @@ -97,7 +97,7 @@ public function createEntryPoint(ContainerBuilder $container, string $id, array
return $entryPointId;
}

public function createGuard(ContainerBuilder $container, string $id, array $config, ?string $userProviderId): string
public function createAuthenticator(ContainerBuilder $container, string $id, array $config, ?string $userProviderId): string
{
$authenticatorId = 'security.authenticator.form_login.'.$id;
$defaultOptions = array_merge($this->defaultSuccessHandlerOptions, $this->options);
Expand Down
4 changes: 2 additions & 2 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
*
* @author Fabien Potencier <fabien@symfony.com>
*/
class HttpBasicFactory implements SecurityFactoryInterface, GuardFactoryInterface
class HttpBasicFactory implements SecurityFactoryInterface, AuthenticatorFactoryInterface
{
public function create(ContainerBuilder $container, string $id, array $config, string $userProvider, ?string $defaultEntryPoin F41A t)
{
Expand All @@ -46,7 +46,7 @@ public function create(ContainerBuilder $container, string $id, array $config, s
return [$provider, $listenerId, $entryPointId];
}

public function createGuard(ContainerBuilder $container, string $id, array $config, ?string $userProviderId): string
public function createAuthenticator(ContainerBuilder $container, string $id, array $config, ?string $userProviderId): string
{
$authenticatorId = 'security.authenticator.http_basic.'.$id;
$container
Expand Down
37 changes: 21 additions & 16 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,8 @@

namespace Symfony\Bundle\SecurityBundle\DependencyInjection;

use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AuthenticatorFactoryInterface;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\EntryPointFactoryInterface;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\GuardFactoryInterface;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\RememberMeFactory;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\UserProvider\UserProviderFactoryInterface;
Expand Down Expand Up @@ -54,7 +54,7 @@ class SecurityExtension extends Extension implements PrependExtensionInterface
private $userProviderFactories = [];
private $statelessFirewallKeys = [];

private $guardAuthenticationManagerEnabled = false;
private $authenticatorManagerEnabled = false;

public function __construct()
{
Expand Down Expand Up @@ -139,7 +139,7 @@ public function load(array $configs, ContainerBuilder $container)
$container->setParameter('security.access.always_authenticate_before_granting', $config['always_authenticate_before_granting']);
$container->setParameter('security.authentication.hide_user_not_found', $config['hide_user_not_found']);

if ($this->guardAuthenticationManagerEnabled = $config['guard_authentication_manager']) {
if ($this->authenticatorManagerEnabled = $config['enable_authenticator_manager']) {
$loader->load('authenticators.xml');
}

Expand All @@ -150,6 +150,11 @@ public function load(array $configs, ContainerBuilder $container)
$container->getDefinition('security.authentication.guard_handler')
->replaceArgument(2, $this->statelessFirewallKeys);

if ($this->authenticatorManagerEnabled) {
$container->getDefinition('security.authenticator_handler')
->replaceArgument(2, $this->statelessFirewallKeys);
}

if ($config['encoders']) {
$this->createEncoders($config['encoders'], $container);
}
Expand Down Expand Up @@ -267,8 +272,8 @@ private function createFirewalls(array $config, ContainerBuilder $container)
return new Reference($id);
}, array_unique($authenticationProviders));
$authenticationManagerId = 'security.authentication.manager.provider';
if ($this->guardAuthenticationManagerEnabled) {
$authenticationManagerId = 'security.authentication.manager.guard';
if ($this->authenticatorManagerEnabled) {
$authenticationManagerId = 'security.authentication.manager.authenticator';
$container->setAlias('security.authentication.manager', new Alias($authenticationManagerId));
}
$container
Expand Down Expand Up @@ -418,7 +423,7 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
// Determine default entry point
$configuredEntryPoint = isset($firewall['entry_point']) ? $firewall['entry_point'] : null;

if ($this->guardAuthenticationManagerEnabled) {
if ($this->authenticatorManagerEnabled) {
// Remember me listener (must be before calling createAuthenticationListeners() to inject remember me services)
$container
->setDefinition('security.listener.remember_me.'.$id, new ChildDefinition('security.listener.remember_me'))
Expand All @@ -434,24 +439,24 @@ private function createFirewall(ContainerBuilder $container, string $id, array $

$authenticationProviders = array_merge($authenticationProviders, $firewallAuthenticationProviders);

if ($this->guardAuthenticationManagerEnabled) {
// guard authentication manager listener
if ($this->authenticatorManagerEnabled) {
// authenticator manager listener
$container
->setDefinition('security.firewall.guard.'.$id.'.locator', new ChildDefinition('security.firewall.guard.locator'))
->setDefinition('security.firewall.authenticator.'.$id.'.locator', new ChildDefinition('security.firewall.authenticator.locator'))
->setArguments([array_map(function ($id) {
return new Reference($id);
}, $firewallAuthenticationProviders)])
->addTag('container.service_locator')
;

$container
->setDefinition('security.firewall.guard.'.$id, new ChildDefinition('security.firewall.guard'))
->replaceArgument(2, new Reference('security.firewall.guard.'.$id.'.locator'))
->setDefinition('security.firewall.authenticator.'.$id, new ChildDefinition('security.firewall.authenticator'))
->replaceArgument(2, new Reference('security.firewall.authenticator.'.$id.'.locator'))
->replaceArgument(3, $id)
->addTag('kernel.event_listener', ['event' => KernelEvents::REQUEST])
;

$listeners[] = new Reference('security.firewall.guard.'.$id);
$listeners[] = new Reference('security.firewall.authenticator.'.$id);
}

$config->replaceArgument(7, $configuredEntryPoint ?: $defaultEntryPoint);
Expand Down Expand Up @@ -515,12 +520,12 @@ private function createAuthenticationListeners(ContainerBuilder $container, stri
if (isset($firewall[$key])) {
$userProvider = $this->getUserProvider($container, $id, $firewall, $key, $defaultProvider, $providerIds, $contextListenerId);

if ($this->guardAuthenticationManagerEnabled) {
if (!$factory instanceof GuardFactoryInterface) {
throw new InvalidConfigurationException(sprintf('Cannot configure GuardAuthenticationManager as %s authentication does not support it, set security.guard_authentication_manager to `false`.', $key));
if ($this->authenticatorManagerEnabled) {
if (!$factory instanceof AuthenticatorFactoryInterface) {
throw new InvalidConfigurationException(sprintf('Cannot configure AuthenticatorManager as "%s" authentication does not support it, set "security.enable_authenticator_manager" to `false`.', $key));
}

$authenticators = $factory->createGuard($container, $id, $firewall[$key], $userProvider);
$authenticators = $factory->createAuthenticator($container, $id, $firewall[$key], $userProvider);
if (\is_array($authenticators)) {
foreach ($authenticators as $i => $authenticator) {
$authenticationProviders[$id.'_'.$key.$i] = $authenticator;
Expand Down
12 changes: 6 additions & 6 deletions ...ventListener/LazyGuardManagerListener.php → ...ener/LazyAuthenticatorManagerListener.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,32 +16,32 @@
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
use Symfony\Component\Security\Guard\GuardAuthenticatorHandler;
use Symfony\Component\Security\Http\Firewall\GuardManagerListener;
use Symfony\Component\Security\Http\Authentication\AuthenticatorHandler;
use Symfony\Component\Security\Http\Firewall\AuthenticatorManagerListener;

/**
* @author Wouter de Jong <wouter@wouterj.nl>
*
* @experimental in 5.1
*/
class LazyGuardManagerListener extends GuardManagerListener
class LazyAuthenticatorManagerListener extends AuthenticatorManagerListener
{
private $guardLocator;

public function __construct(
AuthenticationManagerInterface $authenticationManager,
GuardAuthenticatorHandler $guardHandler,
AuthenticatorHandler $authenticatorHandler,
ServiceLocator $guardLocator,
string $providerKey,
EventDispatcherInterface $eventDispatcher,
?LoggerInterface $logger = null
) {
parent::__construct($authenticationManager, $guardHandler, [], $providerKey, $eventDispatcher, $logger);
parent::__construct($authenticationManager, $authenticatorHandler, [], $providerKey, $eventDispatcher, $logger);

$this->guardLocator = $guardLocator;
}

protected function getSupportingGuardAuthenticators(Request $request): array
protected function getSupportingAuthenticators(Request $request): array
{
$guardAuthenticators = [];
foreach ($this->guardLocator->getProvidedServices() as $key => $type) {
Expand Down
27 changes: 19 additions & 8 deletions src/Symfony/Bundle/SecurityBundle/Resources/config/authenticators.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,17 +4,28 @@
xsi:schemaLocation="http://symfony.com/schema/dic/services https://symfony.com/schema/dic/services/services-1.0.xsd">

<services>
<service id="security.firewall.guard.locator"
<service id="security.authenticator_handler"
class="Symfony\Component\Security\Http\Authentication\AuthenticatorHandler"
>
<argument type="service" id="security.token_storage" />
<argument type="service" id="event_dispatcher" on-invalid="null" />
<argument /> <!-- stateless firewall keys -->
<call method="setSessionAuthenticationStrategy">
<argument type="service" id="security.authentication.session_strategy" />
</call>
</service>

<service id="security.firewall.authenticator.locator"
class="Symfony\Component\DependencyInjection\ServiceLocator"
abstract="true" />

<service id="security.firewall.guard"
class="Symfony\Bundle\SecurityBundle\EventListener\LazyGuardManagerListener"
<service id="security.firewall.authenticator"
class="Symfony\Bundle\SecurityBundle\EventListener\LazyAuthenticatorManagerListener"
abstract="true">
<tag name="monolog.logger" channel="security" />
<argument type="service" id="security.authentication.manager" />
<argument type="service" id="security.authentication.guard_handler" />
<argument/> <!-- guard authenticator locator -->
<argument type="service" id="security.authenticator_handler" />
<argument/> <!-- authenticator locator -->
<argument/> <!-- provider key -->
<argument type="service" id="event_dispatcher" />
<argument type="service" id="logger" on-invalid="null" />
Expand Down Expand Up @@ -48,7 +59,7 @@
<!-- Authenticators -->

<service id="security.authenticator.http_basic"
class="Symfony\Component\Security\Http\Authentication\Authenticator\HttpBasicAuthenticator"
class="Symfony\Component\Security\Http\Authenticator\HttpBasicAuthenticator"
abstract="true">
<argument type="abstract">realm name</argument>
<argument type="abstract">user provider</argument>
Expand All @@ -57,7 +68,7 @@
</service>

<service id="security.authenticator.form_login"
class="Symfony\Component\Security\Http\Authentication\Authenticator\FormLoginAuthenticator"
class="Symfony\Component\Security\Http\Authenticator\FormLoginAuthenticator"
abstract="true">
<argument type="service" id="security.http_utils" />
<argument /> <!-- csrf token generator -->
Expand All @@ -66,7 +77,7 @@
</service>

<service id="security.authenticator.anonymous"
class="Symfony\Component\Security\Http\Authentication\Authenticator\AnonymousAuthenticator"
class="Symfony\Component\Security\Http\Authenticator\AnonymousAuthenticator"
abstract="true">
<argument type="abstract">secret</argument>
<argument type="service" id="security.token_storage" />
Expand Down
6 changes: 3 additions & 3 deletions src/Symfony/Bundle/SecurityBundle/Resources/config/guard.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
<defaults public="false" />

<service id="security.authentication.guard_handler"
class="Symfony\Component\Security\Guard\GuardAuthenticatorHandler"
class="Symfony\Component\Security\Guard\GuardHandler"
>
<argument type="service" id="security.token_storage" />
CC2C <argument type="service" id="event_dispatcher" on-invalid="null" />
Expand All @@ -17,8 +17,8 @@
<argument type="service" id="security.authentication.session_strategy" />
</call>
</service>
<service id="Symfony\Component\Security\Guard\GuardAuthenticatorHandler" alias="security.authentication.guard_handler" />

<service id="AuthenticatorHandler" alias="security.authentication.guard_handler" />

<!-- See GuardAuthenticationFactory -->
<service id="security.authentication.provider.guard"
Expand Down
4 changes: 2 additions & 2 deletions src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,8 +52,8 @@
<argument type="service" id="event_dispatcher" />
</call>
</service>
<service id="security.authentication.manager.guard" class="Symfony\Component\Security\Http\Authentication\GuardAuthenticationManager">
<argument /> <!-- guard authenticators -->
<service id="security.authentication.manager.authenticator" class="Symfony\Component\Security\Http\Authentication\AuthenticatorManager">
<argument /> <!-- authenticators -->
<argument type="service" id="event_dispatcher" />
<argument>%security.authentication.manager.erase_credentials%</argument>
<call method="setEventDispatcher">
Expand Down
Loading
0