vendor/symfony/security-bundle/DependencyInjection/MainConfiguration.php line 54

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Bundle\SecurityBundle\DependencyInjection;
  14. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AbstractFactory;
  15. use Symfony\Component\Config\Definition\Builder\ArrayNodeDefinition;
  16. use Symfony\Component\Config\Definition\Builder\TreeBuilder;
  17. use Symfony\Component\Config\Definition\ConfigurationInterface;
  18. use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
  19. use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
  20. use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
  21. use Symfony\Component\Security\Http\Event\LogoutEvent;
  22. use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
  24. /**
  25.  * SecurityExtension configuration structure.
  26.  *
  27.  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  28.  */
  29. class MainConfiguration implements ConfigurationInterface
  30. {
  31.     private $factories;
  32.     private $userProviderFactories;
  34.     public function __construct(array $factories, array $userProviderFactories)
  35.     {
  36.         $this->factories $factories;
  37.         $this->userProviderFactories $userProviderFactories;
  38.     }
  40.     /**
  41.      * Generates the configuration tree builder.
  42.      *
  43.      * @return TreeBuilder The tree builder
  44.      */
  45.     public function getConfigTreeBuilder()
  46.     {
  47.         $tb = new TreeBuilder('security');
  48.         $rootNode $tb->getRootNode();
  50.         $rootNode
  51.             ->beforeNormalization()
  52.                 ->ifTrue(function ($v) {
  53.                     if ($v['encoders'] ?? false) {
  54.                         trigger_deprecation('symfony/security-bundle''5.3''The child node "encoders" at path "security" is deprecated, use "password_hashers" instead.');
  56.                         return true;
  57.                     }
  59.                     return $v['password_hashers'] ?? false;
  60.                 })
  61.                 ->then(function ($v) {
  62.                     $v['password_hashers'] = array_merge($v['password_hashers'] ?? [], $v['encoders'] ?? []);
  63.                     $v['encoders'] = $v['password_hashers'];
  65.                     return $v;
  66.                 })
  67.             ->end()
  68.             ->children()
  69.                 ->scalarNode('access_denied_url')->defaultNull()->example('/foo/error403')->end()
  70.                 ->enumNode('session_fixation_strategy')
  71.                     ->values([SessionAuthenticationStrategy::NONESessionAuthenticationStrategy::MIGRATESessionAuthenticationStrategy::INVALIDATE])
  72.                     ->defaultValue(SessionAuthenticationStrategy::MIGRATE)
  73.                 ->end()
  74.                 ->booleanNode('hide_user_not_found')->defaultTrue()->end()
  75.                 ->booleanNode('always_authenticate_before_granting')->defaultFalse()->end()
  76.                 ->booleanNode('erase_credentials')->defaultTrue()->end()
  77.                 ->booleanNode('enable_authenticator_manager')->defaultFalse()->info('Enables the new Symfony Security system based on Authenticators, all used authenticators must support this before enabling this.')->end()
  78.                 ->arrayNode('access_decision_manager')
  79.                     ->addDefaultsIfNotSet()
  80.                     ->children()
  81.                         ->enumNode('strategy')
  82.                             ->values($this->getAccessDecisionStrategies())
  83.                         ->end()
  84.                         ->scalarNode('service')->end()
  85.                         ->booleanNode('allow_if_all_abstain')->defaultFalse()->end()
  86.                         ->booleanNode('allow_if_equal_granted_denied')->defaultTrue()->end()
  87.                     ->end()
  88.                     ->validate()
  89.                         ->ifTrue(function ($v) { return isset($v['strategy']) && isset($v['service']); })
  90.                         ->thenInvalid('"strategy" and "service" cannot be used together.')
  91.                     ->end()
  92.                 ->end()
  93.             ->end()
  94.         ;
  96.         $this->addEncodersSection($rootNode);
  97.         $this->addPasswordHashersSection($rootNode);
  98.         $this->addProvidersSection($rootNode);
  99.         $this->addFirewallsSection($rootNode$this->factories);
  100.         $this->addAccessControlSection($rootNode);
  101.         $this->addRoleHierarchySection($rootNode);
  103.         return $tb;
  104.     }
  106.     private function addRoleHierarchySection(ArrayNodeDefinition $rootNode)
  107.     {
  108.         $rootNode
  109.             ->fixXmlConfig('role''role_hierarchy')
  110.             ->children()
  111.                 ->arrayNode('role_hierarchy')
  112.                     ->useAttributeAsKey('id')
  113.                     ->prototype('array')
  114.                         ->performNoDeepMerging()
  115.                         ->beforeNormalization()->ifString()->then(function ($v) { return ['value' => $v]; })->end()
  116.                         ->beforeNormalization()
  117.                             ->ifTrue(function ($v) { return \is_array($v) && isset($v['value']); })
  118.                             ->then(function ($v) { return preg_split('/\s*,\s*/'$v['value']); })
  119.                         ->end()
  120.                         ->prototype('scalar')->end()
  121.                     ->end()
  122.                 ->end()
  123.             ->end()
  124.         ;
  125.     }
  127.     private function addAccessControlSection(ArrayNodeDefinition $rootNode)
  128.     {
  129.         $rootNode
  130.             ->fixXmlConfig('rule''access_control')
  131.             ->children()
  132.                 ->arrayNode('access_control')
  133.                     ->cannotBeOverwritten()
  134.                     ->prototype('array')
  135.                         ->fixXmlConfig('ip')
  136.                         ->fixXmlConfig('method')
  137.                         ->children()
  138.                             ->scalarNode('requires_channel')->defaultNull()->end()
  139.                             ->scalarNode('path')
  140.                                 ->defaultNull()
  141.                                 ->info('use the urldecoded format')
  142.                                 ->example('^/path to resource/')
  143.                             ->end()
  144.                             ->scalarNode('host')->defaultNull()->end()
  145.                             ->integerNode('port')->defaultNull()->end()
  146.                             ->arrayNode('ips')
  147.                                 ->beforeNormalization()->ifString()->then(function ($v) { return [$v]; })->end()
  148.                                 ->prototype('scalar')->end()
  149.                             ->end()
  150.                             ->arrayNode('methods')
  151.                                 ->beforeNormalization()->ifString()->then(function ($v) { return preg_split('/\s*,\s*/'$v); })->end()
  152.                                 ->prototype('scalar')->end()
  153.                             ->end()
  154.                             ->scalarNode('allow_if')->defaultNull()->end()
  155.                         ->end()
  156.                         ->fixXmlConfig('role')
  157.                         ->children()
  158.                             ->arrayNode('roles')
  159.                                 ->beforeNormalization()->ifString()->then(function ($v) { return preg_split('/\s*,\s*/'$v); })->end()
  160.                                 ->prototype('scalar')->end()
  161.                             ->end()
  162.                         ->end()
  163.                     ->end()
  164.                 ->end()
  165.             ->end()
  166.         ;
  167.     }
  169.     private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $factories)
  170.     {
  171.         $firewallNodeBuilder $rootNode
  172.             ->fixXmlConfig('firewall')
  173.             ->children()
  174.                 ->arrayNode('firewalls')
  175.                     ->isRequired()
  176.                     ->requiresAtLeastOneElement()
  177.                     ->disallowNewKeysInSubsequentConfigs()
  178.                     ->useAttributeAsKey('name')
  179.                     ->prototype('array')
  180.                         ->fixXmlConfig('required_badge')
  181.                         ->children()
  182.         ;
  184.         $firewallNodeBuilder
  185.             ->scalarNode('pattern')->end()
  186.             ->scalarNode('host')->end()
  187.             ->arrayNode('methods')
  188.                 ->beforeNormalization()->ifString()->then(function ($v) { return preg_split('/\s*,\s*/'$v); })->end()
  189.                 ->prototype('scalar')->end()
  190.             ->end()
  191.             ->booleanNode('security')->defaultTrue()->end()
  192.             ->scalarNode('user_checker')
  193.                 ->defaultValue('security.user_checker')
  194.                 ->treatNullLike('security.user_checker')
  195.                 ->info('The UserChecker to use when authenticating users in this firewall.')
  196.             ->end()
  197.             ->scalarNode('request_matcher')->end()
  198.             ->scalarNode('access_denied_url')->end()
  199.             ->scalarNode('access_denied_handler')->end()
  200.             ->scalarNode('entry_point')
  201.                 ->info(sprintf('An enabled authenticator name or a service id that implements "%s"'AuthenticationEntryPointInterface::class))
  202.             ->end()
  203.             ->scalarNode('provider')->end()
  204.             ->booleanNode('stateless')->defaultFalse()->end()
  205.             ->booleanNode('lazy')->defaultFalse()->end()
  206.             ->scalarNode('context')->cannotBeEmpty()->end()
  207.             ->arrayNode('logout')
  208.                 ->treatTrueLike([])
  209.                 ->canBeUnset()
  210.                 ->children()
  211.                     ->scalarNode('csrf_parameter')->defaultValue('_csrf_token')->end()
  212.                     ->scalarNode('csrf_token_generator')->cannotBeEmpty()->end()
  213.                     ->scalarNode('csrf_token_id')->defaultValue('logout')->end()
  214.                     ->scalarNode('path')->defaultValue('/logout')->end()
  215.                     ->scalarNode('target')->defaultValue('/')->end()
  216.                     ->scalarNode('success_handler')->setDeprecated('symfony/security-bundle''5.1'sprintf('The "%%node%%" at path "%%path%%" is deprecated, register a listener on the "%s" event instead.'LogoutEvent::class))->end()
  217.                     ->booleanNode('invalidate_session')->defaultTrue()->end()
  218.                 ->end()
  219.                 ->fixXmlConfig('delete_cookie')
  220.                 ->children()
  221.                     ->arrayNode('delete_cookies')
  222.                         ->normalizeKeys(false)
  223.                         ->beforeNormalization()
  224.                             ->ifTrue(function ($v) { return \is_array($v) && \is_int(key($v)); })
  225.                             ->then(function ($v) { return array_map(function ($v) { return ['name' => $v]; }, $v); })
  226.                         ->end()
  227.                         ->useAttributeAsKey('name')
  228.                         ->prototype('array')
  229.                             ->children()
  230.                                 ->scalarNode('path')->defaultNull()->end()
  231.                                 ->scalarNode('domain')->defaultNull()->end()
  232.                                 ->scalarNode('secure')->defaultFalse()->end()
  233.                                 ->scalarNode('samesite')->defaultNull()->end()
  234.                             ->end()
  235.                         ->end()
  236.                     ->end()
  237.                 ->end()
  238.                 ->fixXmlConfig('handler')
  239.                 ->children()
  240.                     ->arrayNode('handlers')
  241.                         ->prototype('scalar')->setDeprecated('symfony/security-bundle''5.1'sprintf('The "%%node%%" at path "%%path%%" is deprecated, register a listener on the "%s" event instead.'LogoutEvent::class))->end()
  242.                     ->end()
  243.                 ->end()
  244.             ->end()
  245.             ->arrayNode('switch_user')
  246.                 ->canBeUnset()
  247.                 ->children()
  248.                     ->scalarNode('provider')->end()
  249.                     ->scalarNode('parameter')->defaultValue('_switch_user')->end()
  250.                     ->scalarNode('role')->defaultValue('ROLE_ALLOWED_TO_SWITCH')->end()
  251.                 ->end()
  252.             ->end()
  253.             ->arrayNode('required_badges')
  254.                 ->info('A list of badges that must be present on the authenticated passport.')
  255.                 ->validate()
  256.                     ->always()
  257.                     ->then(function ($requiredBadges) {
  258.                         return array_map(function ($requiredBadge) {
  259.                             if (class_exists($requiredBadge)) {
  260.                                 return $requiredBadge;
  261.                             }
  263.                             if (false === strpos($requiredBadge'\\')) {
  264.                                 $fqcn 'Symfony\Component\Security\Http\Authenticator\Passport\Badge\\'.$requiredBadge;
  265.                                 if (class_exists($fqcn)) {
  266.                                     return $fqcn;
  267.                                 }
  268.                             }
  270.                             throw new InvalidConfigurationException(sprintf('Undefined security Badge class "%s" set in "security.firewall.required_badges".'$requiredBadge));
  271.                         }, $requiredBadges);
  272.                     })
  273.                 ->end()
  274.                 ->prototype('scalar')->end()
  275.             ->end()
  276.         ;
  278.         $abstractFactoryKeys = [];
  279.         foreach ($factories as $factoriesAtPosition) {
  280.             foreach ($factoriesAtPosition as $factory) {
  281.                 $name str_replace('-''_'$factory->getKey());
  282.                 $factoryNode $firewallNodeBuilder->arrayNode($name)
  283.                     ->canBeUnset()
  284.                 ;
  286.                 if ($factory instanceof AbstractFactory) {
  287.                     $abstractFactoryKeys[] = $name;
  288.                 }
  290.                 $factory->addConfiguration($factoryNode);
  291.             }
  292.         }
  294.         // check for unreachable check paths
  295.         $firewallNodeBuilder
  296.             ->end()
  297.             ->validate()
  298.                 ->ifTrue(function ($v) {
  299.                     return true === $v['security'] && isset($v['pattern']) && !isset($v['request_matcher']);
  300.                 })
  301.                 ->then(function ($firewall) use ($abstractFactoryKeys) {
  302.                     foreach ($abstractFactoryKeys as $k) {
  303.                         if (!isset($firewall[$k]['check_path'])) {
  304.                             continue;
  305.                         }
  307.                         if (str_contains($firewall[$k]['check_path'], '/') && !preg_match('#'.$firewall['pattern'].'#'$firewall[$k]['check_path'])) {
  308.                             throw new \LogicException(sprintf('The check_path "%s" for login method "%s" is not matched by the firewall pattern "%s".'$firewall[$k]['check_path'], $k$firewall['pattern']));
  309.                         }
  310.                     }
  312.                     return $firewall;
  313.                 })
  314.             ->end()
  315.         ;
  316.     }
  318.     private function addProvidersSection(ArrayNodeDefinition $rootNode)
  319.     {
  320.         $providerNodeBuilder $rootNode
  321.             ->fixXmlConfig('provider')
  322.             ->children()
  323.                 ->arrayNode('providers')
  324.                     ->example([
  325.                         'my_memory_provider' => [
  326.                             'memory' => [
  327.                                 'users' => [
  328.                                     'foo' => ['password' => 'foo''roles' => 'ROLE_USER'],
  329.                                     'bar' => ['password' => 'bar''roles' => '[ROLE_USER, ROLE_ADMIN]'],
  330.                                 ],
  331.                             ],
  332.                         ],
  333.                         'my_entity_provider' => ['entity' => ['class' => 'SecurityBundle:User''property' => 'username']],
  334.                     ])
  335.                     ->requiresAtLeastOneElement()
  336.                     ->useAttributeAsKey('name')
  337.                     ->prototype('array')
  338.         ;
  340.         $providerNodeBuilder
  341.             ->children()
  342.                 ->scalarNode('id')->end()
  343.                 ->arrayNode('chain')
  344.                     ->fixXmlConfig('provider')
  345.                     ->children()
  346.                         ->arrayNode('providers')
  347.                             ->beforeNormalization()
  348.                                 ->ifString()
  349.                                 ->then(function ($v) { return preg_split('/\s*,\s*/'$v); })
  350.                             ->end()
  351.                             ->prototype('scalar')->end()
  352.                         ->end()
  353.                     ->end()
  354.                 ->end()
  355.             ->end()
  356.         ;
  358.         foreach ($this->userProviderFactories as $factory) {
  359.             $name str_replace('-''_'$factory->getKey());
  360.             $factoryNode $providerNodeBuilder->children()->arrayNode($name)->canBeUnset();
  362.             $factory->addConfiguration($factoryNode);
  363.         }
  365.         $providerNodeBuilder
  366.             ->validate()
  367.                 ->ifTrue(function ($v) { return \count($v) > 1; })
  368.                 ->thenInvalid('You cannot set multiple provider types for the same provider')
  369.             ->end()
  370.             ->validate()
  371.                 ->ifTrue(function ($v) { return === \count($v); })
  372.                 ->thenInvalid('You must set a provider definition for the provider.')
  373.             ->end()
  374.         ;
  375.     }
  377.     private function addEncodersSection(ArrayNodeDefinition $rootNode)
  378.     {
  379.         $rootNode
  380.             ->fixXmlConfig('encoder')
  381.             ->children()
  382.                 ->arrayNode('encoders')
  383.                     ->example([
  384.                         'App\Entity\User1' => 'auto',
  385.                         'App\Entity\User2' => [
  386.                             'algorithm' => 'auto',
  387.                             'time_cost' => 8,
  388.                             'cost' => 13,
  389.                         ],
  390.                     ])
  391.                     ->requiresAtLeastOneElement()
  392.                     ->useAttributeAsKey('class')
  393.                     ->prototype('array')
  394.                         ->canBeUnset()
  395.                         ->performNoDeepMerging()
  396.                         ->beforeNormalization()->ifString()->then(function ($v) { return ['algorithm' => $v]; })->end()
  397.                         ->children()
  398.                             ->scalarNode('algorithm')
  399.                                 ->cannotBeEmpty()
  400.                                 ->validate()
  401.                                     ->ifTrue(function ($v) { return !\is_string($v); })
  402.                                     ->thenInvalid('You must provide a string value.')
  403.                                 ->end()
  404.                             ->end()
  405.                             ->arrayNode('migrate_from')
  406.                                 ->prototype('scalar')->end()
  407.                                 ->beforeNormalization()->castToArray()->end()
  408.                             ->end()
  409.                             ->scalarNode('hash_algorithm')->info('Name of hashing algorithm for PBKDF2 (i.e. sha256, sha512, etc..) See hash_algos() for a list of supported algorithms.')->defaultValue('sha512')->end()
  410.                             ->scalarNode('key_length')->defaultValue(40)->end()
  411.                             ->booleanNode('ignore_case')->defaultFalse()->end()
  412.                             ->booleanNode('encode_as_base64')->defaultTrue()->end()
  413.                             ->scalarNode('iterations')->defaultValue(5000)->end()
  414.                             ->integerNode('cost')
  415.                                 ->min(4)
  416.                                 ->max(31)
  417.                                 ->defaultNull()
  418.                             ->end()
  419.                             ->scalarNode('memory_cost')->defaultNull()->end()
  420.                             ->scalarNode('time_cost')->defaultNull()->end()
  421.                             ->scalarNode('id')->end()
  422.                         ->end()
  423.                     ->end()
  424.                 ->end()
  425.             ->end()
  426.         ;
  427.     }
  429.     private function addPasswordHashersSection(ArrayNodeDefinition $rootNode)
  430.     {
  431.         $rootNode
  432.             ->fixXmlConfig('password_hasher')
  433.             ->children()
  434.                 ->arrayNode('password_hashers')
  435.                     ->example([
  436.                         'App\Entity\User1' => 'auto',
  437.                         'App\Entity\User2' => [
  438.                             'algorithm' => 'auto',
  439.                             'time_cost' => 8,
  440.                             'cost' => 13,
  441.                         ],
  442.                     ])
  443.                     ->requiresAtLeastOneElement()
  444.                     ->useAttributeAsKey('class')
  445.                     ->prototype('array')
  446.                         ->canBeUnset()
  447.                         ->performNoDeepMerging()
  448.                         ->beforeNormalization()->ifString()->then(function ($v) { return ['algorithm' => $v]; })->end()
  449.                         ->children()
  450.                             ->scalarNode('algorithm')
  451.                                 ->cannotBeEmpty()
  452.                                 ->validate()
  453.                                     ->ifTrue(function ($v) { return !\is_string($v); })
  454.                                     ->thenInvalid('You must provide a string value.')
  455.                                 ->end()
  456.                             ->end()
  457.                             ->arrayNode('migrate_from')
  458.                                 ->prototype('scalar')->end()
  459.                                 ->beforeNormalization()->castToArray()->end()
  460.                             ->end()
  461.                             ->scalarNode('hash_algorithm')->info('Name of hashing algorithm for PBKDF2 (i.e. sha256, sha512, etc..) See hash_algos() for a list of supported algorithms.')->defaultValue('sha512')->end()
  462.                             ->scalarNode('key_length')->defaultValue(40)->end()
  463.                             ->booleanNode('ignore_case')->defaultFalse()->end()
  464.                             ->booleanNode('encode_as_base64')->defaultTrue()->end()
  465.                             ->scalarNode('iterations')->defaultValue(5000)->end()
  466.                             ->integerNode('cost')
  467.                                 ->min(4)
  468.                                 ->max(31)
  469.                                 ->defaultNull()
  470.                             ->end()
  471.                             ->scalarNode('memory_cost')->defaultNull()->end()
  472.                             ->scalarNode('time_cost')->defaultNull()->end()
  473.                             ->scalarNode('id')->end()
  474.                         ->end()
  475.                     ->end()
  476.                 ->end()
  477.         ->end();
  478.     }
  480.     private function getAccessDecisionStrategies()
  481.     {
  482.         $strategies = [
  483.             AccessDecisionManager::STRATEGY_AFFIRMATIVE,
  484.             AccessDecisionManager::STRATEGY_CONSENSUS,
  485.             AccessDecisionManager::STRATEGY_UNANIMOUS,
  486.         ];
  488.         if (\defined(AccessDecisionManager::class.'::STRATEGY_PRIORITY')) {
  489.             $strategies[] = AccessDecisionManager::STRATEGY_PRIORITY;
  490.         }
  492.         return $strategies;
  493.     }
  494. }