add security.firewalls.not_full_fledged_handler option

eltharin · eltharin · commit f64b805eea88 · 2024-07-11T13:04:38.000+02:00
if not authenticated at all

use callback instead boolean
diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -5,6 +5,7 @@ CHANGELOG
 ---
 
  * Allow configuring the secret used to sign login links
+ * Add `security.firewalls.not_full_fledged_handler` option to configure behavior where user is not full fledged
 
 7.1
 ---
diff --git a/src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php b/src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php
@@ -176,6 +176,7 @@ public function collect(Request $request, Response $response, ?\Throwable $excep
                     'access_denied_url' => $firewallConfig->getAccessDeniedUrl(),
                     'user_checker' => $firewallConfig->getUserChecker(),
                     'authenticators' => $firewallConfig->getAuthenticators(),
+                    'not_full_fledged_handler' => $firewallConfig->getNotFullFledgedHandler(),
                 ];
 
                 // generate exit impersonation path from current request
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -19,6 +19,7 @@
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
+use Symfony\Component\Security\Http\Authorization\SameAsNotFullFledgedHandle;
 
 /**
  * SecurityExtension configuration structure.
@@ -214,6 +215,14 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
             ->booleanNode('stateless')->defaultFalse()->end()
             ->booleanNode('lazy')->defaultFalse()->end()
             ->scalarNode('context')->cannotBeEmpty()->end()
+            ->scalarNode('not_full_fledged_handler')
+                ->beforeNormalization()
+                    ->ifTrue(fn ($v): bool => $v == 'original')
+                        ->then(fn ($v) => null)
+                    ->ifTrue(fn ($v): bool => $v == 'same')
+                        ->then(fn ($v) => SameAsNotFullFledgedHandle::class)
+                    ->end()
+                ->end()
             ->arrayNode('logout')
                 ->treatTrueLike([])
                 ->canBeUnset()
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -579,6 +579,7 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
 
         $config->replaceArgument(10, $listenerKeys);
         $config->replaceArgument(11, $firewall['switch_user'] ?? null);
+        $config->replaceArgument(13, $firewall['not_full_fledged_handler'] ?? null);
 
         return [$matcher, $listeners, $exceptionListener, null !== $logoutListenerId ? new Reference($logoutListenerId) : null, $firewallAuthenticationProviders];
     }
@@ -885,6 +886,11 @@ private function createExceptionListener(ContainerBuilder $container, array $con
             $listener->replaceArgument(5, $config['access_denied_url']);
         }
 
+        // not full fledged handler setup
+        if (isset($config['not_full_fledged_handler'])) {
+            $listener->replaceArgument(9, new Reference($config['not_full_fledged_handler']));
+        }
+
         return $exceptionListenerId;
     }
 
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
@@ -42,6 +42,7 @@
 use Symfony\Component\Security\Core\User\MissingUserProvider;
 use Symfony\Component\Security\Core\Validator\Constraints\UserPasswordValidator;
 use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
+use Symfony\Component\Security\Http\Authorization\SameAsNotFullFledgedHandle;
 use Symfony\Component\Security\Http\Controller\SecurityTokenValueResolver;
 use Symfony\Component\Security\Http\Controller\UserValueResolver;
 use Symfony\Component\Security\Http\EventListener\IsGrantedAttributeListener;
@@ -218,6 +219,7 @@
                 [], // listeners
                 null, // switch_user
                 null, // logout
+                null, //not_full_fledged_handler
             ])
 
         ->set('security.logout_url_generator', LogoutUrlGenerator::class)
@@ -310,5 +312,7 @@
         ->set('cache.security_is_csrf_token_valid_attribute_expression_language')
             ->parent('cache.system')
             ->tag('cache.pool')
+
+        ->set('security.same_as_not_full_fledged_handle', SameAsNotFullFledgedHandle::class)
     ;
 };
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.php
@@ -139,6 +139,7 @@
                 service('security.access.denied_handler')->nullOnInvalid(),
                 service('logger')->nullOnInvalid(),
                 false, // Stateless
+                service('security.not.full.fledged_handler')->nullOnInvalid(),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
 
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig b/src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
@@ -301,6 +301,10 @@
                                         <th>authenticators</th>
                                         <td>{{ collector.firewall.authenticators is empty ? '(none)' : profiler_dump(collector.firewall.authenticators, maxDepth=1) }}</td>
                                     </tr>
+                                    <tr>
+                                        <th>not_full_fledged_handler</th>
+                                        <td>{{ collector.firewall.not_full_fledged_handler ?: '(none)' }}</td>
+                                    </tr>
                                 </tbody>
                             </table>
                         {% endif %}
diff --git a/src/Symfony/Bundle/SecurityBundle/Security/FirewallConfig.php b/src/Symfony/Bundle/SecurityBundle/Security/FirewallConfig.php
@@ -30,6 +30,7 @@ public function __construct(
         private readonly array $authenticators = [],
         private readonly ?array $switchUser = null,
         private readonly ?array $logout = null,
+        private readonly ?string $notFullFledgedHandler = null,
     ) {
     }
 
@@ -104,4 +105,9 @@ public function getLogout(): ?array
     {
         return $this->logout;
     }
+
+    public function getNotFullFledgedHandler(): ?string
+    {
+        return $this->notFullFledgedHandler;
+    }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTestCase.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTestCase.php
@@ -149,6 +149,7 @@ public function testFirewalls()
                 [],
                 null,
                 null,
+                null,
             ],
             [
                 'secure',
@@ -184,6 +185,7 @@ public function testFirewalls()
                     'enable_csrf' => null,
                     'clear_site_data' => [],
                 ],
+                null,
             ],
             [
                 'host',
@@ -201,6 +203,7 @@ public function testFirewalls()
                 ],
                 null,
                 null,
+                null,
             ],
             [
                 'with_user_checker',
@@ -218,6 +221,7 @@ public function testFirewalls()
                 ],
                 null,
                 null,
+                null,
             ],
         ], $configs);
 
diff --git a/src/Symfony/Component/Security/Http/Authorization/NotFullFledgedHandlerInterface.php b/src/Symfony/Component/Security/Http/Authorization/NotFullFledgedHandlerInterface.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Authorization;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+/**
+ * This is used by the ExceptionListener to translate an AccessDeniedException
+ * to a Response object.
+ *
+ * @author Roman JOLY <eltharin18@outlook.fr>
+ */
+interface NotFullFledgedHandlerInterface
+{
+    /**
+     * Handles a not full fledged case for acces denied failure.
+     * @return null|Response
+     *      null: throw original AcessDeniedException
+     *      Response: you can return your own response, AccesDeniedException wil be ignored
+     */
+    public function handle(Request $request, AccessDeniedException $accessDeniedException, AuthenticationTrustResolverInterface $trustResolver, ?TokenInterface $token, callable $reauthenticateResponse): ?Response;
+}
diff --git a/src/Symfony/Component/Security/Http/Authorization/SameAsNotFullFledgedHandle.php b/src/Symfony/Component/Security/Http/Authorization/SameAsNotFullFledgedHandle.php
@@ -0,0 +1,43 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Authorization;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+/**
+ * This is a basic NotFullFledgedHandle
+ * If IS_AUTHENTICATED_FULLY is in access denied Exception Attrribute, behavior will be as before,
+ * Otherwise The original AccessDeniedException is throw
+ *
+ * @author Roman JOLY <eltharin18@outlook.fr>
+ */
+class SameAsNotFullFledgedHandle implements NotFullFledgedHandlerInterface
+{
+    public function handle(Request $request, AccessDeniedException $accessDeniedException, AuthenticationTrustResolverInterface $trustResolver, ?TokenInterface $token, callable $reauthenticateResponse): ?Response
+    {
+        if( !$trustResolver->isAuthenticated($token)) {
+            $reauthenticateResponse();
+        }
+
+        foreach($accessDeniedException->getAttributes() as $attribute) {
+            if(in_array($attribute, [AuthenticatedVoter::IS_AUTHENTICATED_FULLY])) {
+                $reauthenticateResponse();
+            }
+        }
+        return null;
+    }
+}
diff --git a/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php b/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
@@ -29,6 +29,7 @@
 use Symfony\Component\Security\Core\Exception\LazyResponseException;
 use Symfony\Component\Security\Core\Exception\LogoutException;
 use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
+use Symfony\Component\Security\Http\Authorization\NotFullFledgedHandlerInterface;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Symfony\Component\Security\Http\EntryPoint\Exception\NotAnEntryPointException;
 use Symfony\Component\Security\Http\HttpUtils;
@@ -57,6 +58,7 @@ public function __construct(
         private ?AccessDeniedHandlerInterface $accessDeniedHandler = null,
         private ?LoggerInterface $logger = null,
         private bool $stateless = false,
+        private ?NotFullFledgedHandlerInterface $notFullFledgedHandler = null,
     ) {
     }
 
@@ -127,20 +129,33 @@ private function handleAccessDeniedException(ExceptionEvent $event, AccessDenied
 
         $token = $this->tokenStorage->getToken();
         if (!$this->authenticationTrustResolver->isFullFledged($token)) {
-            $this->logger?->debug('Access denied, the user is not fully authenticated; redirecting to authentication entry point.', ['exception' => $exception]);
 
-            try {
-                $insufficientAuthenticationException = new InsufficientAuthenticationException('Full authentication is required to access this resource.', 0, $exception);
-                if (null !== $token) {
-                    $insufficientAuthenticationException->setToken($token);
+            $starAuthenticationResponse = function () use($exception, $event, $token) {
+                $this->logger?->debug('Access denied, the user is not fully authenticated; redirecting to authentication entry point.', ['exception' => $exception]);
+
+                try {
+                    $insufficientAuthenticationException = new InsufficientAuthenticationException('Full authentication is required to access this resource.', 0, $exception);
+                    if (null !== $token) {
+                        $insufficientAuthenticationException->setToken($token);
+                    }
+
+                    $event->setResponse($this->startAuthentication($event->getRequest(), $insufficientAuthenticationException));
+                } catch (\Exception $e) {
+                    $event->setThrowable($e);
                 }
+            };
 
-                $event->setResponse($this->startAuthentication($event->getRequest(), $insufficientAuthenticationException));
-            } catch (\Exception $e) {
-                $event->setThrowable($e);
+            if(null === $this->notFullFledgedHandler) {
+                $starAuthenticationResponse();
+                return;
             }
 
-            return;
+            $response = $this->notFullFledgedHandler->handle($event->getRequest(), $exception,$this->authenticationTrustResolver, $token, $starAuthenticationResponse);
+
+            if ($response instanceof Response) {
+                $event->setResponse($response);
+                return;
+            }
         }
 
         $this->logger?->debug('Access denied, the user is neither anonymous, nor remember-me.', ['exception' => $exception]);
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/ExceptionListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/ExceptionListenerTest.php

Original file line number	Diff line number	Diff line change
`@@ -579,6 +579,7 @@ private function createFirewall(ContainerBuilder $container, string $id, array $`
`579`	`579`
`580`	`580`	`$config->replaceArgument(10, $listenerKeys);`
`581`	`581`	`$config->replaceArgument(11, $firewall['switch_user'] ?? null);`
	`582`	`+ $config->replaceArgument(13, $firewall['not_full_fledged_handler'] ?? null);`
`582`	`583`
`583`	`584`	`return [$matcher, $listeners, $exceptionListener, null !== $logoutListenerId ? new Reference($logoutListenerId) : null, $firewallAuthenticationProviders];`
`584`	`585`	`}`
`@@ -885,6 +886,11 @@ private function createExceptionListener(ContainerBuilder $container, array $con`
`885`	`886`	`$listener->replaceArgument(5, $config['access_denied_url']);`
`886`	`887`	`}`
`887`	`888`
	`889`	`+ // not full fledged handler setup`
	`890`	`+ if (isset($config['not_full_fledged_handler'])) {`
	`891`	`+ $listener->replaceArgument(9, new Reference($config['not_full_fledged_handler']));`
	`892`	`+ }`
	`893`	`+`
`888`	`894`	`return $exceptionListenerId;`
`889`	`895`	`}`
`890`	`896`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@ public function __construct(`
`30`	`30`	`private readonly array $authenticators = [],`
`31`	`31`	`private readonly ?array $switchUser = null,`
`32`	`32`	`private readonly ?array $logout = null,`
	`33`	`+ private readonly ?string $notFullFledgedHandler = null,`
`33`	`34`	`) {`
`34`	`35`	`}`
`35`	`36`
`@@ -104,4 +105,9 @@ public function getLogout(): ?array`
`104`	`105`	`{`
`105`	`106`	`return $this->logout;`
`106`	`107`	`}`
	`108`	`+`
	`109`	`+ public function getNotFullFledgedHandler(): ?string`
	`110`	`+ {`
	`111`	`+ return $this->notFullFledgedHandler;`
	`112`	`+ }`
`107`	`113`	`}`