10000 [Security] AuthenticatorManager to make "authenticators" first-class security by wouterj · Pull Request #33558 · symfony/symfony · GitHub
[go: up one dir, main page]
Skip to content

[Security] AuthenticatorManager to make "authenticators" first-class security #33558

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 30 commits into from
Apr 21, 2020
Merged

[Security] AuthenticatorManager to make "authenticators" first-class security #33558

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
c321f4d
Created GuardAuthenticationManager to make Guard first-class Security
wouterj Sep 8, 2019
a6890db
Created HttpBasicAuthenticator and some Guard traits
wouterj Sep 8, 2019 8000
9b7fddd
Integrated GuardAuthenticationManager in the SecurityBundle
wouterj Sep 8, 2019
a172bac
Added FormLogin and Anonymous authenticators
wouterj Dec 13, 2019
526f756
Added GuardManagerListener
wouterj Dec 13, 2019
5013258
Add provider key in PreAuthenticationGuardToken
wouterj Jan 26, 2020
5efa892
Create a new core AuthenticatorInterface
wouterj Jan 26, 2020
fa4b3ec
Implemented password migration for the new authenticators
wouterj Jan 26, 2020
4c06236
Fixes after testing in Demo application
wouterj Jan 26, 2020
873b949
Mark new core authenticators as experimental
wouterj Jan 26, 2020
b923e4c
Enabled remember me for the GuardManagerListener
wouterj Jan 26, 2020
b14a5e8
Moved new authenticator to the HTTP namespace
wouterj Jan 26, 2020
999ec27
Refactor to an event based authentication approach
wouterj Feb 6, 2020
7859977
Removed all mentions of 'guard' in the new system
wouterj Feb 6, 2020
1c810d5
Added support for lazy firewalls
wouterj Feb 9, 2020
ddf430f
Added remember me functionality
wouterj Feb 12, 2020
09bed16
Only load old manager if new system is disabled
wouterj Feb 22, 2020
44cc76f
Use one AuthenticatorManager per firewall
wouterj Feb 29, 2020
bf1a452
Merge AuthenticatorManager and AuthenticatorHandler
wouterj Mar 1, 2020
60d396f
Added automatically CSRF protected authenticators
wouterj Mar 1, 2020
59f49b2
Rename AuthenticatingListener
wouterj Mar 7, 2020
6b9d78d
Added tests
wouterj Mar 7, 2020
ba3754a
Differentiate between interactive and non-interactive authenticators
wouterj Mar 13, 2020
f5e11e5
Reverted changes to the Guard component
wouterj Mar 14, 2020
95edc80
Added pre-authenticated authenticators (X.509 & REMOTE_USER)
wouterj Mar 14, 2020
7ef6a7a
Use the firewall event dispatcher
wouterj Apr 4, 2020
0fe5083
Added JSON login authenticator
wouterj Apr 5, 2020
9ea32c4
Also use authentication failure/success handlers in FormLoginAuthenti…
wouterj Apr 6, 2020
50224aa
Introduce Passport & Badges to extend authenticators
wouterj Apr 9, 2020
b1e040f
Rename providerKey to firewallName for more consistent naming
wouterj Apr 10, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Integrated GuardAuthenticationManager in the SecurityBundle
  • Loading branch information
@wouterj
wouterj committed Apr 20, 2020
commit 9b7fddd10c1ded1e19ccb3bd625c178b2128d15f
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ public function getConfigTreeBuilder()
->booleanNode('hide_user_not_found')->defaultTrue()->end()
->booleanNode('always_authenticate_before_granting')->defaultFalse()->end()
->booleanNode('erase_credentials')->defaultTrue()->end()
->booleanNode('guard_authentication_manager')->defaultFalse()->end()
->arrayNode('access_decision_manager')
->addDefaultsIfNotSet()
->children()
Expand Down
56 changes: 56 additions & 0 deletions ...Bundle/SecurityBundle/DependencyInjection/Security/Factory/CustomAuthenticatorFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;

use Symfony\Component\Config\Definition\Builder\ArrayNodeDefinition;
use Symfony\Component\Config\Definition\Builder\NodeDefinition;
use Symfony\Component\DependencyInjection\ContainerBuilder;

class CustomAuthenticatorFactory implements AuthenticatorFactoryInterface, SecurityFactoryInterface
{
public function create(ContainerBuilder $container, string $id, array $config, string $userProvider, ?string $defaultEntryPoint)
{
throw new \LogicException('Custom authenticators are not supported when "security.enable_authenticator_manager" is not set to true.');
}

public function getPosition(): string
{
return 'pre_auth';
}

public function getKey(): string
{
return 'custom_authenticator';
}

/**
* @param ArrayNodeDefinition $builder
*/
public function addConfiguration(NodeDefinition $builder)
{
$builder
->fixXmlConfig('service')
->children()
->arrayNode('services')
->info('An array of service ids for all of your "authenticators"')
->requiresAtLeastOneElement()
->prototype('scalar')->end()
->end()
->end()
;
}

public function createAuthenticator(ContainerBuilder $container, string $id, array $config, string $userProviderId): array
{
return $config['services'];
}
}
27 changes: 27 additions & 0 deletions ...fony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/GuardFactoryInterface.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;

use Symfony\Component\DependencyInjection\ContainerBuilder;

/**
* @author Wouter de Jong <wouter@wouterj.nl>
*/
interface GuardFactoryInterface
{
/**
* Creates the Guard service(s) for the provided configuration.
*
* @return string|string[] The Guard service ID(s) to be used by the firewall
*/
public function createGuard(ContainerBuilder $container, string $id, array $config, string $userProviderId);
}
13 changes: 12 additions & 1 deletion src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicFactory.php
View file
Open in desktop
D7AE
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
*
* @author Fabien Potencier <fabien@symfony.com>
*/
class HttpBasicFactory implements SecurityFactoryInterface
class HttpBasicFactory implements SecurityFactoryInterface, GuardFactoryInterface
{
public function create(ContainerBuilder $container, string $id, array $config, string $userProvider, ?string $defaultEntryPoint)
{
Expand All @@ -46,6 +46,17 @@ public function create(ContainerBuilder $container, string $id, array $config, s
return [$provider, $listenerId, $entryPointId];
}

public function createGuard(ContainerBuilder $container, string $id, array $config, string $userProviderId): string
{
$authenticatorId = 'security.authenticator.http_basic.'.$id;
$container
->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.http_basic'))
->replaceArgument(0, $config['realm'])
->replaceArgument(1, new Reference($userProviderId));

return $authenticatorId;
}

public function getPosition()
{
return 'http';
Expand Down
84 changes: 63 additions & 21 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@

namespace Symfony\Bundle\SecurityBundle\DependencyInjection;

use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\GuardFactoryInterface;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\RememberMeFactory;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\UserProvider\UserProviderFactoryInterface;
Expand Down Expand Up @@ -52,6 +53,8 @@ class SecurityExtension extends Extension implements PrependExtensionInterface
private $userProviderFactories = [];
private $statelessFirewallKeys = [];

private $guardAuthenticationManagerEnabled = false;

public function __construct()
{
foreach ($this->listenerPositions as $position) {
Expand Down Expand Up @@ -135,6 +138,8 @@ public function load(array $configs, ContainerBuilder $container)
$container->setParameter('security.access.always_authenticate_before_granting', $config['always_authenticate_before_granting']);
$container->setParameter('security.authentication.hide_user_not_found', $config['hide_user_not_found']);

$this->guardAuthenticationManagerEnabled = $config['guard_authentication_manager'];

$this->createFirewalls($config, $container);
$this->createAuthorization($config, $container);
$this->createRoleHierarchy($config, $container);
Expand Down Expand Up @@ -258,8 +263,13 @@ private function createFirewalls(array $config, ContainerBuilder $container)
$authenticationProviders = array_map(function ($id) {
return new Reference($id);
}, array_values(array_unique($authenticationProviders)));
$authenticationManagerId = 'security.authentication.manager.provider';
if ($this->guardAuthenticationManagerEnabled) {
$authenticationManagerId = 'security.authentication.manager.guard';
$container->setAlias('security.authentication.manager', new Alias($authenticationManagerId));
}
$container
->getDefinition('security.authentication.manager')
->getDefinition($authenticationManagerId)
->replaceArgument(0, new IteratorArgument($authenticationProviders))
;

Expand Down Expand Up @@ -467,31 +477,27 @@ private function createAuthenticationListeners(ContainerBuilder $container, stri
$key = str_replace('-', '_', $factory->getKey());

if (isset($firewall[$key])) {
if (isset($firewall[$key]['provider'])) {
if (!isset($providerIds[$normalizedName = str_replace('-', '_', $firewall[$key]['provider'])])) {
throw new InvalidConfigurationException(sprintf('Invalid firewall "%s": user provider "%s" not found.', $id, $firewall[$key]['provider']));
$userProvider = $this->getUserProvider($container, $id, $firewall, $key, $defaultProvider, $providerIds, $contextListenerId);

if ($this->guardAuthenticationManagerEnabled) {
if (!$factory instanceof GuardFactoryInterface) {
throw new InvalidConfigurationException(sprintf('Cannot configure GuardAuthenticationManager as %s authentication does not support it, set security.guard_authentication_manager to `false`.', $key));
}
$userProvider = $providerIds[$normalizedName];
} elseif ('remember_me' === $key || 'anonymous' === $key) {
// RememberMeFactory will use the firewall secret when created, AnonymousAuthenticationListener does not load users.
$userProvider = null;

if ('remember_me' === $key && $contextListenerId) {
$container->getDefinition($contextListenerId)->addTag('security.remember_me_aware', ['id' => $id, 'provider' => 'none']);
$authenticators = $factory->createGuard($container, $id, $firewall[$key], $userProvider);
if (\is_array($authenticators)) {
foreach ($authenticators as $i => $authenticator) {
$authenticationProviders[$id.'_'.$key.$i] = $authenticator;
}
} else {
$authenticationProviders[$id.'_'.$key] = $authenticators;
}
} elseif ($defaultProvider) {
$userProvider = $defaultProvider;
} elseif (empty($providerIds)) {
$userProvider = sprintf('security.user.provider.missing.%s', $key);
$container->setDefinition($userProvider, (new ChildDefinition('security.user.provider.missing'))->replaceArgument(0, $id));
} else {
throw new InvalidConfigurationException(sprintf('Not configuring explicitly the provider for the "%s" listener on "%s" firewall is ambiguous as there is more than one registered provider.', $key, $id));
}

list($provider, $listenerId, $defaultEntryPoint) = $factory->create($container, $id, $firewall[$key], $userProvider, $defaultEntryPoint);
list($provider, $listenerId, $defaultEntryPoint) = $factory->create($container, $id, $firewall[$key], $userProvider, $defaultEntryPoint);

$listeners[] = new Reference($listenerId);
$authenticationProviders[] = $provider;
$listeners[] = new Reference($listenerId);
$authenticationProviders[] = $provider;
}
$hasListeners = true;
}
}
Expand All @@ -504,6 +510,42 @@ private function createAuthenticationListeners(ContainerBuilder $container, stri
return [$listeners, $defaultEntryPoint];
}

private function getUserProvider(ContainerBuilder $container, string $id, array $firewall, string $factoryKey, ?string $defaultProvider, array $providerIds, ?string $contextListenerId): ?string
{
if (isset($firewall[$factoryKey]['provider'])) {
if (!isset($providerIds[$normalizedName = str_replace('-', '_', $firewall[$factoryKey]['provider'])])) {
throw new InvalidConfigurationException(sprintf('Invalid firewall "%s": user provider "%s" not found.', $id, $firewall[$factoryKey]['provider']));
}

return $providerIds[$normalizedName];
}

if ('remember_me' === $factoryKey || 'anonymous' === $factoryKey) {
if ('remember_me' === $factoryKey && $contextListenerId) {
$container->getDefinition($contextListenerId)->addTag('security.remember_me_aware', ['id' => $id, 'provider' => 'none']);
}

// RememberMeFactory will use the firewall secret when created
return null;
}

if ($defaultProvider) {
return $defaultProvider;
}

if (!$providerIds) {
$userProvider = sprintf('security.user.provider.missing.%s', $factoryKey);
$container->setDefinition(
$userProvider,
(new ChildDefinition('security.user.provider.missing'))->replaceArgument(0, $id)
);

return $userProvider;
}

throw new InvalidConfigurationException(sprintf('Not configuring explicitly the provider for the "%s" listener on "%s" firewall is ambiguous as there is more than one registered provider.', $factoryKey, $id));
}

private function createEncoders(array $encoders, ContainerBuilder $container)
{
$encoderMap = [];
Expand Down
16 changes: 16 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/Resources/config/authenticators.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
<?xml version="1.0" ?>
<container xmlns="http://symfony.com/schema/dic/services"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://symfony.com/schema/dic/services https://symfony.com/schema/dic/services/services-1.0.xsd">

<services>
<service id="security.authenticator.http_basic"
class="Symfony\Component\Security\Core\Authentication\Authenticator\HttpBasicAuthenticator"
abstract="true">
<argument type="abstract">realm name</argument>
<argument type="abstract">user provider</argument>
<argument type="service" id="security.encoder_factory" />
<argument type="service" id="logger" on-invalid="null" />
</service>
</services>
</container>
11 changes: 10 additions & 1 deletion src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,13 +45,22 @@
</service>

<!-- Authentication related services -->
<service id="security.authentication.manager" class="Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager">
<service id="security.authentication.manager.provider" class="Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager">
<argument /> <!-- providers -->
<argument>%security.authentication.manager.erase_credentials%</argument>
<call method="setEventDispat DEC3 cher">
<argument type="service" id="event_dispatcher" />
</call>
</service>
<service id="security.authentication.manager.guard" class="Symfony\Component\Security\Core\Authentication\GuardAuthenticationManager">
<argument /> <!-- guard authenticators -->
<argument /> <!-- User Checker -->
<argument>%security.authentication.manager.erase_credentials%</argument>
<call method="setEventDispatcher">
<argument type="service" id="event_dispatcher" />
</call>
</service>
<service id="security.authentication.manager" alias="security.authentication.manager.provider"/>
<service id="Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface" alias="security.authentication.manager" />

<service id="security.authentication.trust_resolver" class="Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver" />
Expand Down
2 changes: 2 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterCsrfTokenClearingLogoutHandlerPass;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterTokenUsageTrackingPass;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AnonymousFactory;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\CustomAuthenticatorFactory;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FormLoginFactory;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FormLoginLdapFactory;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\GuardAuthenticationFactory;
Expand Down Expand Up @@ -63,6 +64,7 @@ public function build(ContainerBuilder $container)
$extension->addSecurityListenerFactory(new RemoteUserFactory());
$extension->addSecurityListenerFactory(new GuardAuthenticationFactory());
$extension->addSecurityListenerFactory(new AnonymousFactory());
$extension->addSecurityListenerFactory(new CustomAuthenticatorFactory());

$extension->addUserProviderFactory(new InMemoryFactory());
$extension->addUserProviderFactory(new LdapFactory());
Expand Down
0