vendor/symfony/security-bundle/DependencyInjection/MainConfiguration.php line 73

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Bundle\SecurityBundle\DependencyInjection;
  14. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AbstractFactory;
  15. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AuthenticatorFactoryInterface;
  16. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
  17. use Symfony\Component\Config\Definition\Builder\ArrayNodeDefinition;
  18. use Symfony\Component\Config\Definition\Builder\TreeBuilder;
  19. use Symfony\Component\Config\Definition\ConfigurationInterface;
  20. use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
  21. use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
  22. use Symfony\Component\Security\Http\Event\LogoutEvent;
  23. use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
  25. /**
  26.  * SecurityExtension configuration structure.
  27.  *
  28.  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  29.  */
  30. class MainConfiguration implements ConfigurationInterface
  31. {
  32.     /** @internal */
  33.     public const STRATEGY_AFFIRMATIVE 'affirmative';
  34.     /** @internal */
  35.     public const STRATEGY_CONSENSUS 'consensus';
  36.     /** @internal */
  37.     public const STRATEGY_UNANIMOUS 'unanimous';
  38.     /** @internal */
  39.     public const STRATEGY_PRIORITY 'priority';
  41.     private $factories;
  42.     private $userProviderFactories;
  44.     /**
  45.      * @param array<array-key, SecurityFactoryInterface|AuthenticatorFactoryInterface> $factories
  46.      */
  47.     public function __construct(array $factories, array $userProviderFactories)
  48.     {
  49.         if (\is_array(current($factories))) {
  50.             trigger_deprecation('symfony/security-bundle''5.4''Passing an array of arrays as 1st argument to "%s" is deprecated, pass a sorted array of factories instead.'__METHOD__);
  52.             $factories array_merge(...array_values($factories));
  53.         }
  55.         $this->factories $factories;
  56.         $this->userProviderFactories $userProviderFactories;
  57.     }
  59.     /**
  60.      * Generates the configuration tree builder.
  61.      *
  62.      * @return TreeBuilder
  63.      */
  64.     public function getConfigTreeBuilder()
  65.     {
  66.         $tb = new TreeBuilder('security');
  67.         $rootNode $tb->getRootNode();
  69.         $rootNode
  70.             ->beforeNormalization()
  71.                 ->ifTrue(function ($v) {
  72.                     if ($v['encoders'] ?? false) {
  73.                         trigger_deprecation('symfony/security-bundle''5.3''The child node "encoders" at path "security" is deprecated, use "password_hashers" instead.');
  75.                         return true;
  76.                     }
  78.                     return $v['password_hashers'] ?? false;
  79.                 })
  80.                 ->then(function ($v) {
  81.                     $v['password_hashers'] = array_merge($v['password_hashers'] ?? [], $v['encoders'] ?? []);
  82.                     $v['encoders'] = $v['password_hashers'];
  84.                     return $v;
  85.                 })
  86.             ->end()
  87.             ->children()
  88.                 ->scalarNode('access_denied_url')->defaultNull()->example('/foo/error403')->end()
  89.                 ->enumNode('session_fixation_strategy')
  90.                     ->values([SessionAuthenticationStrategy::NONESessionAuthenticationStrategy::MIGRATESessionAuthenticationStrategy::INVALIDATE])
  91.                     ->defaultValue(SessionAuthenticationStrategy::MIGRATE)
  92.                 ->end()
  93.                 ->booleanNode('hide_user_not_found')->defaultTrue()->end()
  94.                 ->booleanNode('always_authenticate_before_granting')
  95.                     ->defaultFalse()
  96.                     ->setDeprecated('symfony/security-bundle''5.4')
  97.                 ->end()
  98.                 ->booleanNode('erase_credentials')->defaultTrue()->end()
  99.                 ->booleanNode('enable_authenticator_manager')->defaultFalse()->info('Enables the new Symfony Security system based on Authenticators, all used authenticators must support this before enabling this.')->end()
  100.                 ->arrayNode('access_decision_manager')
  101.                     ->addDefaultsIfNotSet()
  102.                     ->children()
  103.                         ->enumNode('strategy')
  104.                             ->values($this->getAccessDecisionStrategies())
  105.                         ->end()
  106.                         ->scalarNode('service')->end()
  107.                         ->scalarNode('strategy_service')->end()
  108.                         ->booleanNode('allow_if_all_abstain')->defaultFalse()->end()
  109.                         ->booleanNode('allow_if_equal_granted_denied')->defaultTrue()->end()
  110.                     ->end()
  111.                     ->validate()
  112.                         ->ifTrue(function ($v) { return isset($v['strategy'], $v['service']); })
  113.                         ->thenInvalid('"strategy" and "service" cannot be used together.')
  114.                     ->end()
  115.                     ->validate()
  116.                         ->ifTrue(function ($v) { return isset($v['strategy'], $v['strategy_service']); })
  117.                         ->thenInvalid('"strategy" and "strategy_service" cannot be used together.')
  118.                     ->end()
  119.                     ->validate()
  120.                         ->ifTrue(function ($v) { return isset($v['service'], $v['strategy_service']); })
  121.                         ->thenInvalid('"service" and "strategy_service" cannot be used together.')
  122.                     ->end()
  123.                 ->end()
  124.             ->end()
  125.         ;
  127.         $this->addEncodersSection($rootNode);
  128.         $this->addPasswordHashersSection($rootNode);
  129.         $this->addProvidersSection($rootNode);
  130.         $this->addFirewallsSection($rootNode$this->factories);
  131.         $this->addAccessControlSection($rootNode);
  132.         $this->addRoleHierarchySection($rootNode);
  134.         return $tb;
  135.     }
  137.     private function addRoleHierarchySection(ArrayNodeDefinition $rootNode)
  138.     {
  139.         $rootNode
  140.             ->fixXmlConfig('role''role_hierarchy')
  141.             ->children()
  142.                 ->arrayNode('role_hierarchy')
  143.                     ->useAttributeAsKey('id')
  144.                     ->prototype('array')
  145.                         ->performNoDeepMerging()
  146.                         ->beforeNormalization()->ifString()->then(function ($v) { return ['value' => $v]; })->end()
  147.                         ->beforeNormalization()
  148.                             ->ifTrue(function ($v) { return \is_array($v) && isset($v['value']); })
  149.                             ->then(function ($v) { return preg_split('/\s*,\s*/'$v['value']); })
  150.                         ->end()
  151.                         ->prototype('scalar')->end()
  152.                     ->end()
  153.                 ->end()
  154.             ->end()
  155.         ;
  156.     }
  158.     private function addAccessControlSection(ArrayNodeDefinition $rootNode)
  159.     {
  160.         $rootNode
  161.             ->fixXmlConfig('rule''access_control')
  162.             ->children()
  163.                 ->arrayNode('access_control')
  164.                     ->cannotBeOverwritten()
  165.                     ->prototype('array')
  166.                         ->fixXmlConfig('ip')
  167.                         ->fixXmlConfig('method')
  168.                         ->children()
  169.                             ->scalarNode('requires_channel')->defaultNull()->end()
  170.                             ->scalarNode('path')
  171.                                 ->defaultNull()
  172.                                 ->info('use the urldecoded format')
  173.                                 ->example('^/path to resource/')
  174.                             ->end()
  175.                             ->scalarNode('host')->defaultNull()->end()
  176.                             ->integerNode('port')->defaultNull()->end()
  177.                             ->arrayNode('ips')
  178.                                 ->beforeNormalization()->ifString()->then(function ($v) { return [$v]; })->end()
  179.                                 ->prototype('scalar')->end()
  180.                             ->end()
  181.                             ->arrayNode('methods')
  182.                                 ->beforeNormalization()->ifString()->then(function ($v) { return preg_split('/\s*,\s*/'$v); })->end()
  183.                                 ->prototype('scalar')->end()
  184.                             ->end()
  185.                             ->scalarNode('allow_if')->defaultNull()->end()
  186.                         ->end()
  187.                         ->fixXmlConfig('role')
  188.                         ->children()
  189.                             ->arrayNode('roles')
  190.                                 ->beforeNormalization()->ifString()->then(function ($v) { return preg_split('/\s*,\s*/'$v); })->end()
  191.                                 ->prototype('scalar')->end()
  192.                             ->end()
  193.                         ->end()
  194.                     ->end()
  195.                 ->end()
  196.             ->end()
  197.         ;
  198.     }
  200.     /**
  201.      * @param array<array-key, SecurityFactoryInterface|AuthenticatorFactoryInterface> $factories
  202.      */
  203.     private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $factories)
  204.     {
  205.         $firewallNodeBuilder $rootNode
  206.             ->fixXmlConfig('firewall')
  207.             ->children()
  208.                 ->arrayNode('firewalls')
  209.                     ->isRequired()
  210.                     ->requiresAtLeastOneElement()
  211.                     ->disallowNewKeysInSubsequentConfigs()
  212.                     ->useAttributeAsKey('name')
  213.                     ->prototype('array')
  214.                         ->fixXmlConfig('required_badge')
  215.                         ->children()
  216.         ;
  218.         $firewallNodeBuilder
  219.             ->scalarNode('pattern')->end()
  220.             ->scalarNode('host')->end()
  221.             ->arrayNode('methods')
  222.                 ->beforeNormalization()->ifString()->then(function ($v) { return preg_split('/\s*,\s*/'$v); })->end()
  223.                 ->prototype('scalar')->end()
  224.             ->end()
  225.             ->booleanNode('security')->defaultTrue()->end()
  226.             ->scalarNode('user_checker')
  227.                 ->defaultValue('security.user_checker')
  228.                 ->treatNullLike('security.user_checker')
  229.                 ->info('The UserChecker to use when authenticating users in this firewall.')
  230.             ->end()
  231.             ->scalarNode('request_matcher')->end()
  232.             ->scalarNode('access_denied_url')->end()
  233.             ->scalarNode('access_denied_handler')->end()
  234.             ->scalarNode('entry_point')
  235.                 ->info(sprintf('An enabled authenticator name or a service id that implements "%s"'AuthenticationEntryPointInterface::class))
  236.             ->end()
  237.             ->scalarNode('provider')->end()
  238.             ->booleanNode('stateless')->defaultFalse()->end()
  239.             ->booleanNode('lazy')->defaultFalse()->end()
  240.             ->scalarNode('context')->cannotBeEmpty()->end()
  241.             ->arrayNode('logout')
  242.                 ->treatTrueLike([])
  243.                 ->canBeUnset()
  244.                 ->children()
  245.                     ->scalarNode('csrf_parameter')->defaultValue('_csrf_token')->end()
  246.                     ->scalarNode('csrf_token_generator')->cannotBeEmpty()->end()
  247.                     ->scalarNode('csrf_token_id')->defaultValue('logout')->end()
  248.                     ->scalarNode('path')->defaultValue('/logout')->end()
  249.                     ->scalarNode('target')->defaultValue('/')->end()
  250.                     ->scalarNode('success_handler')->setDeprecated('symfony/security-bundle''5.1'sprintf('The "%%node%%" at path "%%path%%" is deprecated, register a listener on the "%s" event instead.'LogoutEvent::class))->end()
  251.                     ->booleanNode('invalidate_session')->defaultTrue()->end()
  252.                 ->end()
  253.                 ->fixXmlConfig('delete_cookie')
  254.                 ->children()
  255.                     ->arrayNode('delete_cookies')
  256.                         ->normalizeKeys(false)
  257.                         ->beforeNormalization()
  258.                             ->ifTrue(function ($v) { return \is_array($v) && \is_int(key($v)); })
  259.                             ->then(function ($v) { return array_map(function ($v) { return ['name' => $v]; }, $v); })
  260.                         ->end()
  261.                         ->useAttributeAsKey('name')
  262.                         ->prototype('array')
  263.                             ->children()
  264.                                 ->scalarNode('path')->defaultNull()->end()
  265.                                 ->scalarNode('domain')->defaultNull()->end()
  266.                                 ->scalarNode('secure')->defaultFalse()->end()
  267.                                 ->scalarNode('samesite')->defaultNull()->end()
  268.                             ->end()
  269.                         ->end()
  270.                     ->end()
  271.                 ->end()
  272.                 ->fixXmlConfig('handler')
  273.                 ->children()
  274.                     ->arrayNode('handlers')
  275.                         ->prototype('scalar')->setDeprecated('symfony/security-bundle''5.1'sprintf('The "%%node%%" at path "%%path%%" is deprecated, register a listener on the "%s" event instead.'LogoutEvent::class))->end()
  276.                     ->end()
  277.                 ->end()
  278.             ->end()
  279.             ->arrayNode('switch_user')
  280.                 ->canBeUnset()
  281.                 ->children()
  282.                     ->scalarNode('provider')->end()
  283.                     ->scalarNode('parameter')->defaultValue('_switch_user')->end()
  284.                     ->scalarNode('role')->defaultValue('ROLE_ALLOWED_TO_SWITCH')->end()
  285.                 ->end()
  286.             ->end()
  287.             ->arrayNode('required_badges')
  288.                 ->info('A list of badges that must be present on the authenticated passport.')
  289.                 ->validate()
  290.                     ->always()
  291.                     ->then(function ($requiredBadges) {
  292.                         return array_map(function ($requiredBadge) {
  293.                             if (class_exists($requiredBadge)) {
  294.                                 return $requiredBadge;
  295.                             }
  297.                             if (false === strpos($requiredBadge'\\')) {
  298.                                 $fqcn 'Symfony\Component\Security\Http\Authenticator\Passport\Badge\\'.$requiredBadge;
  299.                                 if (class_exists($fqcn)) {
  300.                                     return $fqcn;
  301.                                 }
  302.                             }
  304.                             throw new InvalidConfigurationException(sprintf('Undefined security Badge class "%s" set in "security.firewall.required_badges".'$requiredBadge));
  305.                         }, $requiredBadges);
  306.                     })
  307.                 ->end()
  308.                 ->prototype('scalar')->end()
  309.             ->end()
  310.         ;
  312.         $abstractFactoryKeys = [];
  313.         foreach ($factories as $factory) {
  314.             $name str_replace('-''_'$factory->getKey());
  315.             $factoryNode $firewallNodeBuilder->arrayNode($name)
  316.                 ->canBeUnset()
  317.             ;
  319.             if ($factory instanceof AbstractFactory) {
  320.                 $abstractFactoryKeys[] = $name;
  321.             }
  323.             $factory->addConfiguration($factoryNode);
  324.         }
  326.         // check for unreachable check paths
  327.         $firewallNodeBuilder
  328.             ->end()
  329.             ->validate()
  330.                 ->ifTrue(function ($v) {
  331.                     return true === $v['security'] && isset($v['pattern']) && !isset($v['request_matcher']);
  332.                 })
  333.                 ->then(function ($firewall) use ($abstractFactoryKeys) {
  334.                     foreach ($abstractFactoryKeys as $k) {
  335.                         if (!isset($firewall[$k]['check_path'])) {
  336.                             continue;
  337.                         }
  339.                         if (str_contains($firewall[$k]['check_path'], '/') && !preg_match('#'.$firewall['pattern'].'#'$firewall[$k]['check_path'])) {
  340.                             throw new \LogicException(sprintf('The check_path "%s" for login method "%s" is not matched by the firewall pattern "%s".'$firewall[$k]['check_path'], $k$firewall['pattern']));
  341.                         }
  342.                     }
  344.                     return $firewall;
  345.                 })
  346.             ->end()
  347.         ;
  348.     }
  350.     private function addProvidersSection(ArrayNodeDefinition $rootNode)
  351.     {
  352.         $providerNodeBuilder $rootNode
  353.             ->fixXmlConfig('provider')
  354.             ->children()
  355.                 ->arrayNode('providers')
  356.                     ->example([
  357.                         'my_memory_provider' => [
  358.                             'memory' => [
  359.                                 'users' => [
  360.                                     'foo' => ['password' => 'foo''roles' => 'ROLE_USER'],
  361.                                     'bar' => ['password' => 'bar''roles' => '[ROLE_USER, ROLE_ADMIN]'],
  362.                                 ],
  363.                             ],
  364.                         ],
  365.                         'my_entity_provider' => ['entity' => ['class' => 'SecurityBundle:User''property' => 'username']],
  366.                     ])
  367.                     ->requiresAtLeastOneElement()
  368.                     ->useAttributeAsKey('name')
  369.                     ->prototype('array')
  370.         ;
  372.         $providerNodeBuilder
  373.             ->children()
  374.                 ->scalarNode('id')->end()
  375.                 ->arrayNode('chain')
  376.                     ->fixXmlConfig('provider')
  377.                     ->children()
  378.                         ->arrayNode('providers')
  379.                             ->beforeNormalization()
  380.                                 ->ifString()
  381.                                 ->then(function ($v) { return preg_split('/\s*,\s*/'$v); })
  382.                             ->end()
  383.                             ->prototype('scalar')->end()
  384.                         ->end()
  385.                     ->end()
  386.                 ->end()
  387.             ->end()
  388.         ;
  390.         foreach ($this->userProviderFactories as $factory) {
  391.             $name str_replace('-''_'$factory->getKey());
  392.             $factoryNode $providerNodeBuilder->children()->arrayNode($name)->canBeUnset();
  394.             $factory->addConfiguration($factoryNode);
  395.         }
  397.         $providerNodeBuilder
  398.             ->validate()
  399.                 ->ifTrue(function ($v) { return \count($v) > 1; })
  400.                 ->thenInvalid('You cannot set multiple provider types for the same provider')
  401.             ->end()
  402.             ->validate()
  403.                 ->ifTrue(function ($v) { return === \count($v); })
  404.                 ->thenInvalid('You must set a provider definition for the provider.')
  405.             ->end()
  406.         ;
  407.     }
  409.     private function addEncodersSection(ArrayNodeDefinition $rootNode)
  410.     {
  411.         $rootNode
  412.             ->fixXmlConfig('encoder')
  413.             ->children()
  414.                 ->arrayNode('encoders')
  415.                     ->example([
  416.                         'App\Entity\User1' => 'auto',
  417.                         'App\Entity\User2' => [
  418.                             'algorithm' => 'auto',
  419.                             'time_cost' => 8,
  420.                             'cost' => 13,
  421.                         ],
  422.                     ])
  423.                     ->requiresAtLeastOneElement()
  424.                     ->useAttributeAsKey('class')
  425.                     ->prototype('array')
  426.                         ->canBeUnset()
  427.                         ->performNoDeepMerging()
  428.                         ->beforeNormalization()->ifString()->then(function ($v) { return ['algorithm' => $v]; })->end()
  429.                         ->children()
  430.                             ->scalarNode('algorithm')
  431.                                 ->cannotBeEmpty()
  432.                                 ->validate()
  433.                                     ->ifTrue(function ($v) { return !\is_string($v); })
  434.                                     ->thenInvalid('You must provide a string value.')
  435.                                 ->end()
  436.                             ->end()
  437.                             ->arrayNode('migrate_from')
  438.                                 ->prototype('scalar')->end()
  439.                                 ->beforeNormalization()->castToArray()->end()
  440.                             ->end()
  441.                             ->scalarNode('hash_algorithm')->info('Name of hashing algorithm for PBKDF2 (i.e. sha256, sha512, etc..) See hash_algos() for a list of supported algorithms.')->defaultValue('sha512')->end()
  442.                             ->scalarNode('key_length')->defaultValue(40)->end()
  443.                             ->booleanNode('ignore_case')->defaultFalse()->end()
  444.                             ->booleanNode('encode_as_base64')->defaultTrue()->end()
  445.                             ->scalarNode('iterations')->defaultValue(5000)->end()
  446.                             ->integerNode('cost')
  447.                                 ->min(4)
  448.                                 ->max(31)
  449.                                 ->defaultNull()
  450.                             ->end()
  451.                             ->scalarNode('memory_cost')->defaultNull()->end()
  452.                             ->scalarNode('time_cost')->defaultNull()->end()
  453.                             ->scalarNode('id')->end()
  454.                         ->end()
  455.                     ->end()
  456.                 ->end()
  457.             ->end()
  458.         ;
  459.     }
  461.     private function addPasswordHashersSection(ArrayNodeDefinition $rootNode)
  462.     {
  463.         $rootNode
  464.             ->fixXmlConfig('password_hasher')
  465.             ->children()
  466.                 ->arrayNode('password_hashers')
  467.                     ->example([
  468.                         'App\Entity\User1' => 'auto',
  469.                         'App\Entity\User2' => [
  470.                             'algorithm' => 'auto',
  471.                             'time_cost' => 8,
  472.                             'cost' => 13,
  473.                         ],
  474.                     ])
  475.                     ->requiresAtLeastOneElement()
  476.                     ->useAttributeAsKey('class')
  477.                     ->prototype('array')
  478.                         ->canBeUnset()
  479.                         ->performNoDeepMerging()
  480.                         ->beforeNormalization()->ifString()->then(function ($v) { return ['algorithm' => $v]; })->end()
  481.                         ->children()
  482.                             ->scalarNode('algorithm')
  483.                                 ->cannotBeEmpty()
  484.                                 ->validate()
  485.                                     ->ifTrue(function ($v) { return !\is_string($v); })
  486.                                     ->thenInvalid('You must provide a string value.')
  487.                                 ->end()
  488.                             ->end()
  489.                             ->arrayNode('migrate_from')
  490.                                 ->prototype('scalar')->end()
  491.                                 ->beforeNormalization()->castToArray()->end()
  492.                             ->end()
  493.                             ->scalarNode('hash_algorithm')->info('Name of hashing algorithm for PBKDF2 (i.e. sha256, sha512, etc..) See hash_algos() for a list of supported algorithms.')->defaultValue('sha512')->end()
  494.                             ->scalarNode('key_length')->defaultValue(40)->end()
  495.                             ->booleanNode('ignore_case')->defaultFalse()->end()
  496.                             ->booleanNode('encode_as_base64')->defaultTrue()->end()
  497.                             ->scalarNode('iterations')->defaultValue(5000)->end()
  498.                             ->integerNode('cost')
  499.                                 ->min(4)
  500.                                 ->max(31)
  501.                                 ->defaultNull()
  502.                             ->end()
  503.                             ->scalarNode('memory_cost')->defaultNull()->end()
  504.                             ->scalarNode('time_cost')->defaultNull()->end()
  505.                             ->scalarNode('id')->end()
  506.                         ->end()
  507.                     ->end()
  508.                 ->end()
  509.         ->end();
  510.     }
  512.     private function getAccessDecisionStrategies(): array
  513.     {
  514.         return [
  515.             self::STRATEGY_AFFIRMATIVE,
  516.             self::STRATEGY_CONSENSUS,
  517.             self::STRATEGY_UNANIMOUS,
  518.             self::STRATEGY_PRIORITY,
  519.         ];
  520.     }
  521. }