feature #41754 [SecurityBundle] Create a smooth upgrade path for security factories (wouterj)

chalasr · chalasr · commit 8e984fae27f9 · 2021-08-07T18:09:48.000+02:00
This PR was merged into the 5.4 branch. Discussion ---------- [SecurityBundle] Create a smooth upgrade path for security factories | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | no | New feature? | yes | Deprecations? | yes | Tickets | Ref #41613 (comment) | License | MIT | Doc PR | - This change allows removing `SecurityFactoryInterface` in Symfony 6. I've also changed the discrete ordering using "listener positions" to the much more common continuous ordering using priorities. I feel like priorities are much more self-explanatory. Commits ------- 7385fd5 [SecurityBundle] Create a smooth upgrade path for security factories
diff --git a/UPGRADE-5.4.md b/UPGRADE-5.4.md
@@ -37,6 +37,21 @@ Messenger
 SecurityBundle
 --------------
 
+ * Deprecate `SecurityFactoryInterface` and `SecurityExtension::addSecurityListenerFactory()` in favor of
+   `AuthenticatorFactoryInterface` and `SecurityExtension::addAuthenticatorFactory()`
+ * Add `AuthenticatorFactoryInterface::getPriority()` which replaces `SecurityFactoryInterface::getPosition()`.
+   Previous positions are mapped to the following priorities:
+
+    | Position    | Constant                                              | Priority |
+    | ----------- | ----------------------------------------------------- | -------- |
+    | pre_auth    | `RemoteUserFactory::PRIORITY`/`X509Factory::PRIORITY` | -10      |
+    | form        | `FormLoginFactory::PRIORITY`                          | -30      |
+    | http        | `HttpBasicFactory::PRIORITY`                          | -50      |
+    | remember_me | `RememberMeFactory::PRIORITY`                         | -60      |
+    | anonymous   | n/a                                                   | -70      |
+
+ * Deprecate passing an array of arrays as 1st argument to `MainConfiguration`, pass a sorted flat array of
+   factories instead.
  * Deprecate the `always_authenticate_before_granting` option
 
 Security
diff --git a/UPGRADE-6.0.md b/UPGRADE-6.0.md
@@ -355,6 +355,21 @@ Security
 SecurityBundle
 --------------
 
+ * Remove `SecurityFactoryInterface` and `SecurityExtension::addSecurityListenerFactory()` in favor of
+   `AuthenticatorFactoryInterface` and `SecurityExtension::addAuthenticatorFactory()`
+ * Add `AuthenticatorFactoryInterface::getPriority()` which replaces `SecurityFactoryInterface::getPosition()`.
+   Previous positions are mapped to the following priorities:
+
+    | Position    | Constant                                              | Priority |
+    | ----------- | ----------------------------------------------------- | -------- |
+    | pre_auth    | `RemoteUserFactory::PRIORITY`/`X509Factory::PRIORITY` | -10      |
+    | form        | `FormLoginFactory::PRIORITY`                          | -30      |
+    | http        | `HttpBasicFactory::PRIORITY`                          | -50      |
+    | remember_me | `RememberMeFactory::PRIORITY`                         | -60      |
+    | anonymous   | n/a                                                   | -70      |
+
+ * Remove passing an array of arrays as 1st argument to `MainConfiguration`, pass a sorted flat array of
+   factories instead.
  * Remove the `always_authenticate_before_granting` option
  * Remove the `UserPasswordEncoderCommand` class and the corresponding `user:encode-password` command,
    use `UserPasswordHashCommand` and `user:hash-password` instead
diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -4,6 +4,11 @@ CHANGELOG
 5.4
 ---
 
+ * Deprecate `SecurityFactoryInterface` and `SecurityExtension::addSecurityListenerFactory()` in favor of
+   `AuthenticatorFactoryInterface` and `SecurityExtension::addAuthenticatorFactory()`
+ * Add `AuthenticatorFactoryInterface::getPriority()` which replaces `SecurityFactoryInterface::getPosition()`
+ * Deprecate passing an array of arrays as 1st argument to `MainConfiguration`, pass a sorted flat array of
+   factories instead.
  * Deprecate the `always_authenticate_before_granting` option
 
 5.3
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -12,6 +12,8 @@
 namespace Symfony\Bundle\SecurityBundle\DependencyInjection;
 
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AbstractFactory;
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AuthenticatorFactoryInterface;
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
 use Symfony\Component\Config\Definition\Builder\ArrayNodeDefinition;
 use Symfony\Component\Config\Definition\Builder\TreeBuilder;
 use Symfony\Component\Config\Definition\ConfigurationInterface;
@@ -31,8 +33,17 @@ class MainConfiguration implements ConfigurationInterface
     private $factories;
     private $userProviderFactories;
 
+    /**
+     * @param (SecurityFactoryInterface|AuthenticatorFactoryInterface)[] $factories
+     */
     public function __construct(array $factories, array $userProviderFactories)
     {
+        if (\is_array(current($factories))) {
+            trigger_deprecation('symfony/security-bundle', '5.4', 'Passing an array of arrays as 1st argument to "%s" is deprecated, pass a sorted array of factories instead.', __METHOD__);
+
+            $factories = array_merge(...array_values($factories));
+        }
+
         $this->factories = $factories;
         $this->userProviderFactories = $userProviderFactories;
     }
@@ -297,19 +308,17 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
         ;
 
         $abstractFactoryKeys = [];
-        foreach ($factories as $factoriesAtPosition) {
-            foreach ($factoriesAtPosition as $factory) {
-                $name = str_replace('-', '_', $factory->getKey());
-                $factoryNode = $firewallNodeBuilder->arrayNode($name)
-                    ->canBeUnset()
-                ;
-
-                if ($factory instanceof AbstractFactory) {
-                    $abstractFactoryKeys[] = $name;
-                }
-
-                $factory->addConfiguration($factoryNode);
+        foreach ($factories as $factory) {
+            $name = str_replace('-', '_', $factory->getKey());
+            $factoryNode = $firewallNodeBuilder->arrayNode($name)
+                ->canBeUnset()
+            ;
+
+            if ($factory instanceof AbstractFactory) {
+                $abstractFactoryKeys[] = $name;
             }
+
+            $factory->addConfiguration($factoryNode);
         }
 
         // check for unreachable check paths
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AnonymousFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AnonymousFactory.php
@@ -52,6 +52,11 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
         throw new InvalidConfigurationException(sprintf('The authenticator manager no longer has "anonymous" security. Please remove this option under the "%s" firewall'.($config['lazy'] ? ' and add "lazy: true"' : '').'.', $firewallName));
     }
 
+    public function getPriority()
+    {
+        return -60;
+    }
+
     public function getPosition()
     {
         return 'anonymous';
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AuthenticatorFactoryInterface.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AuthenticatorFactoryInterface.php
@@ -11,9 +11,12 @@
 
 namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
 
+use Symfony\Component\Config\Definition\Builder\NodeDefinition;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 
 /**
+ * @method int getPriority() defines the position at which the authenticator is called
+ *
  * @author Wouter de Jong <wouter@wouterj.nl>
  */
 interface AuthenticatorFactoryInterface
@@ -24,4 +27,14 @@ interface AuthenticatorFactoryInterface
      * @return string|string[] The authenticator service ID(s) to be used by the firewall
      */
     public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId);
+
+    /**
+     * Defines the configuration key used to reference the authenticator
+     * in the firewall configuration.
+     *
+     * @return string
+     */
+    public function getKey();
+
+    public function addConfiguration(NodeDefinition $builder);
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/CustomAuthenticatorFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/CustomAuthenticatorFactory.php
@@ -27,6 +27,11 @@ public function create(ContainerBuilder $container, string $id, array $config, s
         throw new \LogicException('Custom authenticators are not supported when "security.enable_authenticator_manager" is not set to true.');
     }
 
+    public function getPriority(): int
+    {
+        return 0;
+    }
+
     public function getPosition(): string
     {
         return 'pre_auth';
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginFactory.php
@@ -27,6 +27,8 @@
  */
 class FormLoginFactory extends AbstractFactory implements AuthenticatorFactoryInterface
 {
+    public const PRIORITY = -30;
+
     public function __construct()
     {
         $this->addOption('username_parameter', '_username');
@@ -37,6 +39,11 @@ public function __construct()
         $this->addOption('post_only', true);
     }
 
+    public function getPriority(): int
+    {
+        return self::PRIORITY;
+    }
+
     public function getPosition()
     {
         return 'form';
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/GuardAuthenticationFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/GuardAuthenticationFactory.php
@@ -34,6 +34,11 @@ public function getPosition()
         return 'pre_auth';
     }
 
+    public function getPriority(): int
+    {
+        return 0;
+    }
+
     public function getKey()
     {
         return 'guard';
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicFactory.php
@@ -25,6 +25,8 @@
  */
 class HttpBasicFactory implements SecurityFactoryInterface, AuthenticatorFactoryInterface
 {
+    public const PRIORITY = -50;
+
     public function create(ContainerBuilder $container, string $id, array $config, string $userProvider, ?string $defaultEntryPoint)
     {
         $provider = 'security.authentication.provider.dao.'.$id;
@@ -66,6 +68,11 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
         return $authenticatorId;
     }
 
+    public function getPriority(): int
+    {
+        return self::PRIORITY;
+    }
+
     public function getPosition()
     {
         return 'http';
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/JsonLoginFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/JsonLoginFactory.php
@@ -24,6 +24,8 @@
  */
 class JsonLoginFactory extends AbstractFactory implements AuthenticatorFactoryInterface
 {
+    public const PRIORITY = -40;
+
     public function __construct()
     {
         $this->addOption('username_path', 'username');
@@ -32,6 +34,11 @@ public function __construct()
         $this->defaultSuccessHandlerOptions = [];
     }
 
+    public function getPriority(): int
+    {
+        return self::PRIORITY;
+    }
+
     /**
      * {@inheritdoc}
      */
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginLinkFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginLinkFactory.php
@@ -27,6 +27,8 @@
  */
 class LoginLinkFactory extends AbstractFactory implements AuthenticatorFactoryInterface
 {
+    public const PRIORITY = -20;
+
     public function addConfiguration(NodeDefinition $node)
     {
         /** @var NodeBuilder $builder */
@@ -147,6 +149,11 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
         return $authenticatorId;
     }
 
+    public function getPriority(): int
+    {
+        return self::PRIORITY;
+    }
+
     public function getPosition()
     {
         return 'form';
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php
@@ -34,6 +34,12 @@ public function create(ContainerBuilder $container, string $id, array $config, s
         throw new \LogicException('Login throttling is not supported when "security.enable_authenticator_manager" is not set to true.');
     }
 
+    public function getPriority(): int
+    {
+        // this factory doesn't register any authenticators, this priority doesn't matter
+        return 0;
+    }
+
     public function getPosition(): string
     {
         // this factory doesn't register any authenticators, this position doesn't matter
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
@@ -21,6 +21,7 @@
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\DependencyInjection\Definition;
+use Symfony\Component\DependencyInjection\Extension\PrependExtensionInterface;
 use Symfony\Component\DependencyInjection\Loader\PhpFileLoader;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\HttpFoundation\Cookie;
@@ -30,8 +31,10 @@
 /**
  * @internal
  */
-class RememberMeFactory implements SecurityFactoryInterface, AuthenticatorFactoryInterface
+class RememberMeFactory implements SecurityFactoryInterface, AuthenticatorFactoryInterface, PrependExtensionInterface
 {
+    public const PRIORITY = -50;
+
     protected $options = [
         'name' => 'REMEMBERME',
         'lifetime' => 31536000,
@@ -181,6 +184,14 @@ public function getPosition()
         return 'remember_me';
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    public function getPriority(): int
+    {
+        return self::PRIORITY;
+    }
+
     public function getKey()
     {
         return 'remember-me';
@@ -331,4 +342,27 @@ private function createTokenVerifier(ContainerBuilder $container, string $firewa
 
         return new Reference($tokenVerifierId, ContainerInterface::NULL_ON_INVALID_REFERENCE);
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function prepend(ContainerBuilder $container)
+    {
+        $rememberMeSecureDefault = false;
+        $rememberMeSameSiteDefault = null;
+
+        if (!isset($container->getExtensions()['framework'])) {
+            return;
+        }
+
+        foreach ($container->getExtensionConfig('framework') as $config) {
+            if (isset($config['session']) && \is_array($config['session'])) {
+                $rememberMeSecureDefault = $config['session']['cookie_secure'] ?? $rememberMeSecureDefault;
+                $rememberMeSameSiteDefault = \array_key_exists('cookie_samesite', $config['session']) ? $config['session']['cookie_samesite'] : $rememberMeSameSiteDefault;
+            }
+        }
+
+        $this->options['secure'] = $rememberMeSecureDefault;
+        $this->options['samesite'] = $rememberMeSameSiteDefault;
+    }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RemoteUserFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RemoteUserFactory.php
@@ -26,6 +26,8 @@
  */
 class RemoteUserFactory implements SecurityFactoryInterface, AuthenticatorFactoryInterface
 {
+    public const PRIORITY = -10;
+
     public function create(ContainerBuilder $container, string $id, array $config, string $userProvider, ?string $defaultEntryPoint)
     {
         $providerId = 'security.authentication.provider.pre_authenticated.'.$id;
@@ -58,6 +60,11 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
         return $authenticatorId;
     }
 
+    public function getPriority(): int
+    {
+        return self::PRIORITY;
+    }
+
     public function getPosition()
     {
         return 'pre_auth';
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SecurityFactoryInterface.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SecurityFactoryInterface.php
@@ -18,6 +18,8 @@
  * SecurityFactoryInterface is the interface for all security authentication listener.
  *
  * @author Fabien Potencier <fabien@symfony.com>
+ *
+ * @deprecated since Symfony 5.3, use AuthenticatorFactoryInterface instead.
  */
 interface SecurityFactoryInterface
 {
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/X509Factory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/X509Factory.php
@@ -25,6 +25,8 @@
  */
 class X509Factory implements SecurityFactoryInterface, AuthenticatorFactoryInterface
 {
+    public const PRIORITY = -10;
+
     public function create(ContainerBuilder $container, string $id, array $config, string $userProvider, ?string $defaultEntryPoint)
     {
         $providerId = 'security.authentication.provider.pre_authenticated.'.$id;
@@ -60,6 +62,11 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
         return $authenticatorId;
     }
 
+    public function getPriority(): int
+    {
+        return self::PRIORITY;
+    }
+
     public function getPosition()
     {
         return 'pre_auth';
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
diff --git a/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php b/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/MainConfigurationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/MainConfigurationTest.php

Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,11 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal`
`52`	`52`	`throw new InvalidConfigurationException(sprintf('The authenticator manager no longer has "anonymous" security. Please remove this option under the "%s" firewall'.($config['lazy'] ? ' and add "lazy: true"' : '').'.', $firewallName));`
`53`	`53`	`}`
`54`	`54`
	`55`	`+ public function getPriority()`
	`56`	`+ {`
	`57`	`+ return -60;`
	`58`	`+ }`
	`59`	`+`
`55`	`60`	`public function getPosition()`
`56`	`61`	`{`
`57`	`62`	`return 'anonymous';`
Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,11 @@ public function create(ContainerBuilder $container, string $id, array $config, s`
`27`	`27`	`throw new \LogicException('Custom authenticators are not supported when "security.enable_authenticator_manager" is not set to true.');`
`28`	`28`	`}`
`29`	`29`
	`30`	`+ public function getPriority(): int`
	`31`	`+ {`
	`32`	`+ return 0;`
	`33`	`+ }`
	`34`	`+`
`30`	`35`	`public function getPosition(): string`
`31`	`36`	`{`
`32`	`37`	`return 'pre_auth';`
Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,8 @@`
`27`	`27`	`*/`
`28`	`28`	`class FormLoginFactory extends AbstractFactory implements AuthenticatorFactoryInterface`
`29`	`29`	`{`
	`30`	`+ public const PRIORITY = -30;`
	`31`	`+`
`30`	`32`	`public function __construct()`
`31`	`33`	`{`
`32`	`34`	`$this->addOption('username_parameter', '_username');`
`@@ -37,6 +39,11 @@ public function __construct()`
`37`	`39`	`$this->addOption('post_only', true);`
`38`	`40`	`}`
`39`	`41`
	`42`	`+ public function getPriority(): int`
	`43`	`+ {`
	`44`	`+ return self::PRIORITY;`
	`45`	`+ }`
	`46`	`+`
`40`	`47`	`public function getPosition()`
`41`	`48`	`{`
`42`	`49`	`return 'form';`
Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,11 @@ public function getPosition()`
`34`	`34`	`return 'pre_auth';`
`35`	`35`	`}`
`36`	`36`
	`37`	`+ public function getPriority(): int`
	`38`	`+ {`
	`39`	`+ return 0;`
	`40`	`+ }`
	`41`	`+`
`37`	`42`	`public function getKey()`
`38`	`43`	`{`
`39`	`44`	`return 'guard';`
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,8 @@`
`25`	`25`	`*/`
`26`	`26`	`class HttpBasicFactory implements SecurityFactoryInterface, AuthenticatorFactoryInterface`
`27`	`27`	`{`
	`28`	`+ public const PRIORITY = -50;`
	`29`	`+`
`28`	`30`	`public function create(ContainerBuilder $container, string $id, array $config, string $userProvider, ?string $defaultEntryPoint)`
`29`	`31`	`{`
`30`	`32`	`$provider = 'security.authentication.provider.dao.'.$id;`
`@@ -66,6 +68,11 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal`
`66`	`68`	`return $authenticatorId;`
`67`	`69`	`}`
`68`	`70`
	`71`	`+ public function getPriority(): int`
	`72`	`+ {`
	`73`	`+ return self::PRIORITY;`
	`74`	`+ }`
	`75`	`+`
`69`	`76`	`public function getPosition()`
`70`	`77`	`{`
`71`	`78`	`return 'http';`