vendor/symfony/security-bundle/DependencyInjection/MainConfiguration.php line 54

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Bundle\SecurityBundle\DependencyInjection;
  14. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AbstractFactory;
  15. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AuthenticatorFactoryInterface;
  16. use Symfony\Component\Config\Definition\Builder\ArrayNodeDefinition;
  17. use Symfony\Component\Config\Definition\Builder\TreeBuilder;
  18. use Symfony\Component\Config\Definition\ConfigurationInterface;
  19. use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
  20. use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
  21. use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
  23. /**
  24.  * SecurityExtension configuration structure.
  25.  *
  26.  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  27.  */
  28. class MainConfiguration implements ConfigurationInterface
  29. {
  30.     /** @internal */
  31.     public const STRATEGY_AFFIRMATIVE 'affirmative';
  32.     /** @internal */
  33.     public const STRATEGY_CONSENSUS 'consensus';
  34.     /** @internal */
  35.     public const STRATEGY_UNANIMOUS 'unanimous';
  36.     /** @internal */
  37.     public const STRATEGY_PRIORITY 'priority';
  39.     private array $factories;
  40.     private array $userProviderFactories;
  42.     /**
  43.      * @param array<array-key, AuthenticatorFactoryInterface> $factories
  44.      */
  45.     public function __construct(array $factories, array $userProviderFactories)
  46.     {
  47.         $this->factories $factories;
  48.         $this->userProviderFactories $userProviderFactories;
  49.     }
  51.     /**
  52.      * Generates the configuration tree builder.
  53.      */
  54.     public function getConfigTreeBuilder(): TreeBuilder
  55.     {
  56.         $tb = new TreeBuilder('security');
  57.         $rootNode $tb->getRootNode();
  59.         $rootNode
  60.             ->children()
  61.                 ->scalarNode('access_denied_url')->defaultNull()->example('/foo/error403')->end()
  62.                 ->enumNode('session_fixation_strategy')
  63.                     ->values([SessionAuthenticationStrategy::NONESessionAuthenticationStrategy::MIGRATESessionAuthenticationStrategy::INVALIDATE])
  64.                     ->defaultValue(SessionAuthenticationStrategy::MIGRATE)
  65.                 ->end()
  66.                 ->booleanNode('hide_user_not_found')->defaultTrue()->end()
  67.                 ->booleanNode('erase_credentials')->defaultTrue()->end()
  68.                 ->booleanNode('enable_authenticator_manager')->defaultTrue()->end()
  69.                 ->arrayNode('access_decision_manager')
  70.                     ->addDefaultsIfNotSet()
  71.                     ->children()
  72.                         ->enumNode('strategy')
  73.                             ->values($this->getAccessDecisionStrategies())
  74.                         ->end()
  75.                         ->scalarNode('service')->end()
  76.                         ->scalarNode('strategy_service')->end()
  77.                         ->booleanNode('allow_if_all_abstain')->defaultFalse()->end()
  78.                         ->booleanNode('allow_if_equal_granted_denied')->defaultTrue()->end()
  79.                     ->end()
  80.                     ->validate()
  81.                         ->ifTrue(function ($v) { return isset($v['strategy'], $v['service']); })
  82.                         ->thenInvalid('"strategy" and "service" cannot be used together.')
  83.                     ->end()
  84.                     ->validate()
  85.                         ->ifTrue(function ($v) { return isset($v['strategy'], $v['strategy_service']); })
  86.                         ->thenInvalid('"strategy" and "strategy_service" cannot be used together.')
  87.                     ->end()
  88.                     ->validate()
  89.                         ->ifTrue(function ($v) { return isset($v['service'], $v['strategy_service']); })
  90.                         ->thenInvalid('"service" and "strategy_service" cannot be used together.')
  91.                     ->end()
  92.                 ->end()
  93.             ->end()
  94.         ;
  96.         $this->addPasswordHashersSection($rootNode);
  97.         $this->addProvidersSection($rootNode);
  98.         $this->addFirewallsSection($rootNode$this->factories);
  99.         $this->addAccessControlSection($rootNode);
  100.         $this->addRoleHierarchySection($rootNode);
  102.         return $tb;
  103.     }
  105.     private function addRoleHierarchySection(ArrayNodeDefinition $rootNode)
  106.     {
  107.         $rootNode
  108.             ->fixXmlConfig('role''role_hierarchy')
  109.             ->children()
  110.                 ->arrayNode('role_hierarchy')
  111.                     ->useAttributeAsKey('id')
  112.                     ->prototype('array')
  113.                         ->performNoDeepMerging()
  114.                         ->beforeNormalization()->ifString()->then(function ($v) { return ['value' => $v]; })->end()
  115.                         ->beforeNormalization()
  116.                             ->ifTrue(function ($v) { return \is_array($v) && isset($v['value']); })
  117.                             ->then(function ($v) { return preg_split('/\s*,\s*/'$v['value']); })
  118.                         ->end()
  119.                         ->prototype('scalar')->end()
  120.                     ->end()
  121.                 ->end()
  122.             ->end()
  123.         ;
  124.     }
  126.     private function addAccessControlSection(ArrayNodeDefinition $rootNode)
  127.     {
  128.         $rootNode
  129.             ->fixXmlConfig('rule''access_control')
  130.             ->children()
  131.                 ->arrayNode('access_control')
  132.                     ->cannotBeOverwritten()
  133.                     ->prototype('array')
  134.                         ->fixXmlConfig('ip')
  135.                         ->fixXmlConfig('method')
  136.                         ->children()
  137.                             ->scalarNode('request_matcher')->defaultNull()->end()
  138.                             ->scalarNode('requires_channel')->defaultNull()->end()
  139.                             ->scalarNode('path')
  140.                                 ->defaultNull()
  141.                                 ->info('use the urldecoded format')
  142.                                 ->example('^/path to resource/')
  143.                             ->end()
  144.                             ->scalarNode('host')->defaultNull()->end()
  145.                             ->integerNode('port')->defaultNull()->end()
  146.                             ->arrayNode('ips')
  147.                                 ->beforeNormalization()->ifString()->then(function ($v) { return [$v]; })->end()
  148.                                 ->prototype('scalar')->end()
  149.                             ->end()
  150.                             ->arrayNode('methods')
  151.                                 ->beforeNormalization()->ifString()->then(function ($v) { return preg_split('/\s*,\s*/'$v); })->end()
  152.                                 ->prototype('scalar')->end()
  153.                             ->end()
  154.                             ->scalarNode('allow_if')->defaultNull()->end()
  155.                         ->end()
  156.                         ->fixXmlConfig('role')
  157.                         ->children()
  158.                             ->arrayNode('roles')
  159.                                 ->beforeNormalization()->ifString()->then(function ($v) { return preg_split('/\s*,\s*/'$v); })->end()
  160.                                 ->prototype('scalar')->end()
  161.                             ->end()
  162.                         ->end()
  163.                     ->end()
  164.                 ->end()
  165.             ->end()
  166.         ;
  167.     }
  169.     /**
  170.      * @param array<array-key, AuthenticatorFactoryInterface> $factories
  171.      */
  172.     private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $factories)
  173.     {
  174.         $firewallNodeBuilder $rootNode
  175.             ->fixXmlConfig('firewall')
  176.             ->children()
  177.                 ->arrayNode('firewalls')
  178.                     ->isRequired()
  179.                     ->requiresAtLeastOneElement()
  180.                     ->disallowNewKeysInSubsequentConfigs()
  181.                     ->useAttributeAsKey('name')
  182.                     ->prototype('array')
  183.                         ->fixXmlConfig('required_badge')
  184.                         ->children()
  185.         ;
  187.         $firewallNodeBuilder
  188.             ->scalarNode('pattern')->end()
  189.             ->scalarNode('host')->end()
  190.             ->arrayNode('methods')
  191.                 ->beforeNormalization()->ifString()->then(function ($v) { return preg_split('/\s*,\s*/'$v); })->end()
  192.                 ->prototype('scalar')->end()
  193.             ->end()
  194.             ->booleanNode('security')->defaultTrue()->end()
  195.             ->scalarNode('user_checker')
  196.                 ->defaultValue('security.user_checker')
  197.                 ->treatNullLike('security.user_checker')
  198.                 ->info('The UserChecker to use when authenticating users in this firewall.')
  199.             ->end()
  200.             ->scalarNode('request_matcher')->end()
  201.             ->scalarNode('access_denied_url')->end()
  202.             ->scalarNode('access_denied_handler')->end()
  203.             ->scalarNode('entry_point')
  204.                 ->info(sprintf('An enabled authenticator name or a service id that implements "%s"'AuthenticationEntryPointInterface::class))
  205.             ->end()
  206.             ->scalarNode('provider')->end()
  207.             ->booleanNode('stateless')->defaultFalse()->end()
  208.             ->booleanNode('lazy')->defaultFalse()->end()
  209.             ->scalarNode('context')->cannotBeEmpty()->end()
  210.             ->arrayNode('logout')
  211.                 ->treatTrueLike([])
  212.                 ->canBeUnset()
  213.                 ->children()
  214.                     ->scalarNode('csrf_parameter')->defaultValue('_csrf_token')->end()
  215.                     ->scalarNode('csrf_token_generator')->cannotBeEmpty()->end()
  216.                     ->scalarNode('csrf_token_id')->defaultValue('logout')->end()
  217.                     ->scalarNode('path')->defaultValue('/logout')->end()
  218.                     ->scalarNode('target')->defaultValue('/')->end()
  219.                     ->booleanNode('invalidate_session')->defaultTrue()->end()
  220.                 ->end()
  221.                 ->fixXmlConfig('delete_cookie')
  222.                 ->children()
  223.                     ->arrayNode('delete_cookies')
  224.                         ->normalizeKeys(false)
  225.                         ->beforeNormalization()
  226.                             ->ifTrue(function ($v) { return \is_array($v) && \is_int(key($v)); })
  227.                             ->then(function ($v) { return array_map(function ($v) { return ['name' => $v]; }, $v); })
  228.                         ->end()
  229.                         ->useAttributeAsKey('name')
  230.                         ->prototype('array')
  231.                             ->children()
  232.                                 ->scalarNode('path')->defaultNull()->end()
  233.                                 ->scalarNode('domain')->defaultNull()->end()
  234.                                 ->scalarNode('secure')->defaultFalse()->end()
  235.                                 ->scalarNode('samesite')->defaultNull()->end()
  236.                             ->end()
  237.                         ->end()
  238.                     ->end()
  239.                 ->end()
  240.             ->end()
  241.             ->arrayNode('switch_user')
  242.                 ->canBeUnset()
  243.                 ->children()
  244.                     ->scalarNode('provider')->end()
  245.                     ->scalarNode('parameter')->defaultValue('_switch_user')->end()
  246.                     ->scalarNode('role')->defaultValue('ROLE_ALLOWED_TO_SWITCH')->end()
  247.                 ->end()
  248.             ->end()
  249.             ->arrayNode('required_badges')
  250.                 ->info('A list of badges that must be present on the authenticated passport.')
  251.                 ->validate()
  252.                     ->always()
  253.                     ->then(function ($requiredBadges) {
  254.                         return array_map(function ($requiredBadge) {
  255.                             if (class_exists($requiredBadge)) {
  256.                                 return $requiredBadge;
  257.                             }
  259.                             if (!str_contains($requiredBadge'\\')) {
  260.                                 $fqcn 'Symfony\Component\Security\Http\Authenticator\Passport\Badge\\'.$requiredBadge;
  261.                                 if (class_exists($fqcn)) {
  262.                                     return $fqcn;
  263.                                 }
  264.                             }
  266.                             throw new InvalidConfigurationException(sprintf('Undefined security Badge class "%s" set in "security.firewall.required_badges".'$requiredBadge));
  267.                         }, $requiredBadges);
  268.                     })
  269.                 ->end()
  270.                 ->prototype('scalar')->end()
  271.             ->end()
  272.         ;
  274.         $abstractFactoryKeys = [];
  275.         foreach ($factories as $factory) {
  276.             $name str_replace('-''_'$factory->getKey());
  277.             $factoryNode $firewallNodeBuilder->arrayNode($name)
  278.                 ->canBeUnset()
  279.             ;
  281.             if ($factory instanceof AbstractFactory) {
  282.                 $abstractFactoryKeys[] = $name;
  283.             }
  285.             $factory->addConfiguration($factoryNode);
  286.         }
  288.         // check for unreachable check paths
  289.         $firewallNodeBuilder
  290.             ->end()
  291.             ->validate()
  292.                 ->ifTrue(function ($v) {
  293.                     return true === $v['security'] && isset($v['pattern']) && !isset($v['request_matcher']);
  294.                 })
  295.                 ->then(function ($firewall) use ($abstractFactoryKeys) {
  296.                     foreach ($abstractFactoryKeys as $k) {
  297.                         if (!isset($firewall[$k]['check_path'])) {
  298.                             continue;
  299.                         }
  301.                         if (str_contains($firewall[$k]['check_path'], '/') && !preg_match('#'.$firewall['pattern'].'#'$firewall[$k]['check_path'])) {
  302.                             throw new \LogicException(sprintf('The check_path "%s" for login method "%s" is not matched by the firewall pattern "%s".'$firewall[$k]['check_path'], $k$firewall['pattern']));
  303.                         }
  304.                     }
  306.                     return $firewall;
  307.                 })
  308.             ->end()
  309.         ;
  310.     }
  312.     private function addProvidersSection(ArrayNodeDefinition $rootNode)
  313.     {
  314.         $providerNodeBuilder $rootNode
  315.             ->fixXmlConfig('provider')
  316.             ->children()
  317.                 ->arrayNode('providers')
  318.                     ->example([
  319.                         'my_memory_provider' => [
  320.                             'memory' => [
  321.                                 'users' => [
  322.                                     'foo' => ['password' => 'foo''roles' => 'ROLE_USER'],
  323.                                     'bar' => ['password' => 'bar''roles' => '[ROLE_USER, ROLE_ADMIN]'],
  324.                                 ],
  325.                             ],
  326.                         ],
  327.                         'my_entity_provider' => ['entity' => ['class' => 'SecurityBundle:User''property' => 'username']],
  328.                     ])
  329.                     ->requiresAtLeastOneElement()
  330.                     ->useAttributeAsKey('name')
  331.                     ->prototype('array')
  332.         ;
  334.         $providerNodeBuilder
  335.             ->children()
  336.                 ->scalarNode('id')->end()
  337.                 ->arrayNode('chain')
  338.                     ->fixXmlConfig('provider')
  339.                     ->children()
  340.                         ->arrayNode('providers')
  341.                             ->beforeNormalization()
  342.                                 ->ifString()
  343.                                 ->then(function ($v) { return preg_split('/\s*,\s*/'$v); })
  344.                             ->end()
  345.                             ->prototype('scalar')->end()
  346.                         ->end()
  347.                     ->end()
  348.                 ->end()
  349.             ->end()
  350.         ;
  352.         foreach ($this->userProviderFactories as $factory) {
  353.             $name str_replace('-''_'$factory->getKey());
  354.             $factoryNode $providerNodeBuilder->children()->arrayNode($name)->canBeUnset();
  356.             $factory->addConfiguration($factoryNode);
  357.         }
  359.         $providerNodeBuilder
  360.             ->validate()
  361.                 ->ifTrue(function ($v) { return \count($v) > 1; })
  362.                 ->thenInvalid('You cannot set multiple provider types for the same provider')
  363.             ->end()
  364.             ->validate()
  365.                 ->ifTrue(function ($v) { return === \count($v); })
  366.                 ->thenInvalid('You must set a provider definition for the provider.')
  367.             ->end()
  368.         ;
  369.     }
  371.     private function addPasswordHashersSection(ArrayNodeDefinition $rootNode)
  372.     {
  373.         $rootNode
  374.             ->fixXmlConfig('password_hasher')
  375.             ->children()
  376.                 ->arrayNode('password_hashers')
  377.                     ->example([
  378.                         'App\Entity\User1' => 'auto',
  379.                         'App\Entity\User2' => [
  380.                             'algorithm' => 'auto',
  381.                             'time_cost' => 8,
  382.                             'cost' => 13,
  383.                         ],
  384.                     ])
  385.                     ->requiresAtLeastOneElement()
  386.                     ->useAttributeAsKey('class')
  387.                     ->prototype('array')
  388.                         ->canBeUnset()
  389.                         ->performNoDeepMerging()
  390.                         ->beforeNormalization()->ifString()->then(function ($v) { return ['algorithm' => $v]; })->end()
  391.                         ->children()
  392.                             ->scalarNode('algorithm')
  393.                                 ->cannotBeEmpty()
  394.                                 ->validate()
  395.                                     ->ifTrue(function ($v) { return !\is_string($v); })
  396.                                     ->thenInvalid('You must provide a string value.')
  397.                                 ->end()
  398.                             ->end()
  399.                             ->arrayNode('migrate_from')
  400.                                 ->prototype('scalar')->end()
  401.                                 ->beforeNormalization()->castToArray()->end()
  402.                             ->end()
  403.                             ->scalarNode('hash_algorithm')->info('Name of hashing algorithm for PBKDF2 (i.e. sha256, sha512, etc..) See hash_algos() for a list of supported algorithms.')->defaultValue('sha512')->end()
  404.                             ->scalarNode('key_length')->defaultValue(40)->end()
  405.                             ->booleanNode('ignore_case')->defaultFalse()->end()
  406.                             ->booleanNode('encode_as_base64')->defaultTrue()->end()
  407.                             ->scalarNode('iterations')->defaultValue(5000)->end()
  408.                             ->integerNode('cost')
  409.                                 ->min(4)
  410.                                 ->max(31)
  411.                                 ->defaultNull()
  412.                             ->end()
  413.                             ->scalarNode('memory_cost')->defaultNull()->end()
  414.                             ->scalarNode('time_cost')->defaultNull()->end()
  415.                             ->scalarNode('id')->end()
  416.                         ->end()
  417.                     ->end()
  418.                 ->end()
  419.         ->end();
  420.     }
  422.     private function getAccessDecisionStrategies(): array
  423.     {
  424.         return [
  425.             self::STRATEGY_AFFIRMATIVE,
  426.             self::STRATEGY_CONSENSUS,
  427.             self::STRATEGY_UNANIMOUS,
  428.             self::STRATEGY_PRIORITY,
  429.         ];
  430.     }
  431. }