vendor/symfony/security-bundle/DependencyInjection/MainConfiguration.php line 72

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Bundle\SecurityBundle\DependencyInjection;
  14. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AbstractFactory;
  15. use Symfony\Component\Config\Definition\Builder\ArrayNodeDefinition;
  16. use Symfony\Component\Config\Definition\Builder\TreeBuilder;
  17. use Symfony\Component\Config\Definition\ConfigurationInterface;
  18. use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
  19. use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
  20. use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
  21. use Symfony\Component\Security\Http\Event\LogoutEvent;
  22. use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
  24. /**
  25.  * SecurityExtension configuration structure.
  26.  *
  27.  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  28.  */
  29. class MainConfiguration implements ConfigurationInterface
  30. {
  31.     private $factories;
  32.     private $userProviderFactories;
  34.     public function __construct(array $factories, array $userProviderFactories)
  35.     {
  36.         $this->factories $factories;
  37.         $this->userProviderFactories $userProviderFactories;
  38.     }
  40.     /**
  41.      * Generates the configuration tree builder.
  42.      *
  43.      * @return TreeBuilder The tree builder
  44.      */
  45.     public function getConfigTreeBuilder()
  46.     {
  47.         $tb = new TreeBuilder('security');
  48.         $rootNode $tb->getRootNode();
  50.         $rootNode
  51.             ->beforeNormalization()
  52.                 ->ifTrue(function ($v) {
  53.                     if (!isset($v['access_decision_manager'])) {
  54.                         return true;
  55.                     }
  57.                     if (!isset($v['access_decision_manager']['strategy']) && !isset($v['access_decision_manager']['service'])) {
  58.                         return true;
  59.                     }
  61.                     return false;
  62.                 })
  63.                 ->then(function ($v) {
  64.                     $v['access_decision_manager']['strategy'] = AccessDecisionManager::STRATEGY_AFFIRMATIVE;
  66.                     return $v;
  67.                 })
  68.             ->end()
  69.             ->beforeNormalization()
  70.                 ->ifTrue(function ($v) {
  71.                     if ($v['encoders'] ?? false) {
  72.                         trigger_deprecation('symfony/security-bundle''5.3''The child node "encoders" at path "security" is deprecated, use "password_hashers" instead.');
  74.                         return true;
  75.                     }
  77.                     return $v['password_hashers'] ?? false;
  78.                 })
  79.                 ->then(function ($v) {
  80.                     $v['password_hashers'] = array_merge($v['password_hashers'] ?? [], $v['encoders'] ?? []);
  81.                     $v['encoders'] = $v['password_hashers'];
  83.                     return $v;
  84.                 })
  85.             ->end()
  86.             ->children()
  87.                 ->scalarNode('access_denied_url')->defaultNull()->example('/foo/error403')->end()
  88.                 ->enumNode('session_fixation_strategy')
  89.                     ->values([SessionAuthenticationStrategy::NONESessionAuthenticationStrategy::MIGRATESessionAuthenticationStrategy::INVALIDATE])
  90.                     ->defaultValue(SessionAuthenticationStrategy::MIGRATE)
  91.                 ->end()
  92.                 ->booleanNode('hide_user_not_found')->defaultTrue()->end()
  93.                 ->booleanNode('always_authenticate_before_granting')->defaultFalse()->end()
  94.                 ->booleanNode('erase_credentials')->defaultTrue()->end()
  95.                 ->booleanNode('enable_authenticator_manager')->defaultFalse()->info('Enables the new Symfony Security system based on Authenticators, all used authenticators must support this before enabling this.')->end()
  96.                 ->arrayNode('access_decision_manager')
  97.                     ->addDefaultsIfNotSet()
  98.                     ->children()
  99.                         ->enumNode('strategy')
  100.                             ->values($this->getAccessDecisionStrategies())
  101.                         ->end()
  102.                         ->scalarNode('service')->end()
  103.                         ->booleanNode('allow_if_all_abstain')->defaultFalse()->end()
  104.                         ->booleanNode('allow_if_equal_granted_denied')->defaultTrue()->end()
  105.                     ->end()
  106.                     ->validate()
  107.                         ->ifTrue(function ($v) { return isset($v['strategy']) && isset($v['service']); })
  108.                         ->thenInvalid('"strategy" and "service" cannot be used together.')
  109.                     ->end()
  110.                 ->end()
  111.             ->end()
  112.         ;
  114.         $this->addEncodersSection($rootNode);
  115.         $this->addPasswordHashersSection($rootNode);
  116.         $this->addProvidersSection($rootNode);
  117.         $this->addFirewallsSection($rootNode$this->factories);
  118.         $this->addAccessControlSection($rootNode);
  119.         $this->addRoleHierarchySection($rootNode);
  121.         return $tb;
  122.     }
  124.     private function addRoleHierarchySection(ArrayNodeDefinition $rootNode)
  125.     {
  126.         $rootNode
  127.             ->fixXmlConfig('role''role_hierarchy')
  128.             ->children()
  129.                 ->arrayNode('role_hierarchy')
  130.                     ->useAttributeAsKey('id')
  131.                     ->prototype('array')
  132.                         ->performNoDeepMerging()
  133.                         ->beforeNormalization()->ifString()->then(function ($v) { return ['value' => $v]; })->end()
  134.                         ->beforeNormalization()
  135.                             ->ifTrue(function ($v) { return \is_array($v) && isset($v['value']); })
  136.                             ->then(function ($v) { return preg_split('/\s*,\s*/'$v['value']); })
  137.                         ->end()
  138.                         ->prototype('scalar')->end()
  139.                     ->end()
  140.                 ->end()
  141.             ->end()
  142.         ;
  143.     }
  145.     private function addAccessControlSection(ArrayNodeDefinition $rootNode)
  146.     {
  147.         $rootNode
  148.             ->fixXmlConfig('rule''access_control')
  149.             ->children()
  150.                 ->arrayNode('access_control')
  151.                     ->cannotBeOverwritten()
  152.                     ->prototype('array')
  153.                         ->fixXmlConfig('ip')
  154.                         ->fixXmlConfig('method')
  155.                         ->children()
  156.                             ->scalarNode('requires_channel')->defaultNull()->end()
  157.                             ->scalarNode('path')
  158.                                 ->defaultNull()
  159.                                 ->info('use the urldecoded format')
  160.                                 ->example('^/path to resource/')
  161.                             ->end()
  162.                             ->scalarNode('host')->defaultNull()->end()
  163.                             ->integerNode('port')->defaultNull()->end()
  164.                             ->arrayNode('ips')
  165.                                 ->beforeNormalization()->ifString()->then(function ($v) { return [$v]; })->end()
  166.                                 ->prototype('scalar')->end()
  167.                             ->end()
  168.                             ->arrayNode('methods')
  169.                                 ->beforeNormalization()->ifString()->then(function ($v) { return preg_split('/\s*,\s*/'$v); })->end()
  170.                                 ->prototype('scalar')->end()
  171.                             ->end()
  172.                             ->scalarNode('allow_if')->defaultNull()->end()
  173.                         ->end()
  174.                         ->fixXmlConfig('role')
  175.                         ->children()
  176.                             ->arrayNode('roles')
  177.                                 ->beforeNormalization()->ifString()->then(function ($v) { return preg_split('/\s*,\s*/'$v); })->end()
  178.                                 ->prototype('scalar')->end()
  179.                             ->end()
  180.                         ->end()
  181.                     ->end()
  182.                 ->end()
  183.             ->end()
  184.         ;
  185.     }
  187.     private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $factories)
  188.     {
  189.         $firewallNodeBuilder $rootNode
  190.             ->fixXmlConfig('firewall')
  191.             ->children()
  192.                 ->arrayNode('firewalls')
  193.                     ->isRequired()
  194.                     ->requiresAtLeastOneElement()
  195.                     ->disallowNewKeysInSubsequentConfigs()
  196.                     ->useAttributeAsKey('name')
  197.                     ->prototype('array')
  198.                         ->fixXmlConfig('required_badge')
  199.                         ->children()
  200.         ;
  202.         $firewallNodeBuilder
  203.             ->scalarNode('pattern')->end()
  204.             ->scalarNode('host')->end()
  205.             ->arrayNode('methods')
  206.                 ->beforeNormalization()->ifString()->then(function ($v) { return preg_split('/\s*,\s*/'$v); })->end()
  207.                 ->prototype('scalar')->end()
  208.             ->end()
  209.             ->booleanNode('security')->defaultTrue()->end()
  210.             ->scalarNode('user_checker')
  211.                 ->defaultValue('security.user_checker')
  212.                 ->treatNullLike('security.user_checker')
  213.                 ->info('The UserChecker to use when authenticating users in this firewall.')
  214.             ->end()
  215.             ->scalarNode('request_matcher')->end()
  216.             ->scalarNode('access_denied_url')->end()
  217.             ->scalarNode('access_denied_handler')->end()
  218.             ->scalarNode('entry_point')
  219.                 ->info(sprintf('An enabled authenticator name or a service id that implements "%s"'AuthenticationEntryPointInterface::class))
  220.             ->end()
  221.             ->scalarNode('provider')->end()
  222.             ->booleanNode('stateless')->defaultFalse()->end()
  223.             ->booleanNode('lazy')->defaultFalse()->end()
  224.             ->scalarNode('context')->cannotBeEmpty()->end()
  225.             ->arrayNode('logout')
  226.                 ->treatTrueLike([])
  227.                 ->canBeUnset()
  228.                 ->children()
  229.                     ->scalarNode('csrf_parameter')->defaultValue('_csrf_token')->end()
  230.                     ->scalarNode('csrf_token_generator')->cannotBeEmpty()->end()
  231.                     ->scalarNode('csrf_token_id')->defaultValue('logout')->end()
  232.                     ->scalarNode('path')->defaultValue('/logout')->end()
  233.                     ->scalarNode('target')->defaultValue('/')->end()
  234.                     ->scalarNode('success_handler')->setDeprecated('symfony/security-bundle''5.1'sprintf('The "%%node%%" at path "%%path%%" is deprecated, register a listener on the "%s" event instead.'LogoutEvent::class))->end()
  235.                     ->booleanNode('invalidate_session')->defaultTrue()->end()
  236.                 ->end()
  237.                 ->fixXmlConfig('delete_cookie')
  238.                 ->children()
  239.                     ->arrayNode('delete_cookies')
  240.                         ->normalizeKeys(false)
  241.                         ->beforeNormalization()
  242.                             ->ifTrue(function ($v) { return \is_array($v) && \is_int(key($v)); })
  243.                             ->then(function ($v) { return array_map(function ($v) { return ['name' => $v]; }, $v); })
  244.                         ->end()
  245.                         ->useAttributeAsKey('name')
  246.                         ->prototype('array')
  247.                             ->children()
  248.                                 ->scalarNode('path')->defaultNull()->end()
  249.                                 ->scalarNode('domain')->defaultNull()->end()
  250.                                 ->scalarNode('secure')->defaultFalse()->end()
  251.                                 ->scalarNode('samesite')->defaultNull()->end()
  252.                             ->end()
  253.                         ->end()
  254.                     ->end()
  255.                 ->end()
  256.                 ->fixXmlConfig('handler')
  257.                 ->children()
  258.                     ->arrayNode('handlers')
  259.                         ->prototype('scalar')->setDeprecated('symfony/security-bundle''5.1'sprintf('The "%%node%%" at path "%%path%%" is deprecated, register a listener on the "%s" event instead.'LogoutEvent::class))->end()
  260.                     ->end()
  261.                 ->end()
  262.             ->end()
  263.             ->arrayNode('switch_user')
  264.                 ->canBeUnset()
  265.                 ->children()
  266.                     ->scalarNode('provider')->end()
  267.                     ->scalarNode('parameter')->defaultValue('_switch_user')->end()
  268.                     ->scalarNode('role')->defaultValue('ROLE_ALLOWED_TO_SWITCH')->end()
  269.                 ->end()
  270.             ->end()
  271.             ->arrayNode('required_badges')
  272.                 ->info('A list of badges that must be present on the authenticated passport.')
  273.                 ->validate()
  274.                     ->always()
  275.                     ->then(function ($requiredBadges) {
  276.                         return array_map(function ($requiredBadge) {
  277.                             if (class_exists($requiredBadge)) {
  278.                                 return $requiredBadge;
  279.                             }
  281.                             if (false === strpos($requiredBadge'\\')) {
  282.                                 $fqcn 'Symfony\Component\Security\Http\Authenticator\Passport\Badge\\'.$requiredBadge;
  283.                                 if (class_exists($fqcn)) {
  284.                                     return $fqcn;
  285.                                 }
  286.                             }
  288.                             throw new InvalidConfigurationException(sprintf('Undefined security Badge class "%s" set in "security.firewall.required_badges".'$requiredBadge));
  289.                         }, $requiredBadges);
  290.                     })
  291.                 ->end()
  292.                 ->prototype('scalar')->end()
  293.             ->end()
  294.         ;
  296.         $abstractFactoryKeys = [];
  297.         foreach ($factories as $factoriesAtPosition) {
  298.             foreach ($factoriesAtPosition as $factory) {
  299.                 $name str_replace('-''_'$factory->getKey());
  300.                 $factoryNode $firewallNodeBuilder->arrayNode($name)
  301.                     ->canBeUnset()
  302.                 ;
  304.                 if ($factory instanceof AbstractFactory) {
  305.                     $abstractFactoryKeys[] = $name;
  306.                 }
  308.                 $factory->addConfiguration($factoryNode);
  309.             }
  310.         }
  312.         // check for unreachable check paths
  313.         $firewallNodeBuilder
  314.             ->end()
  315.             ->validate()
  316.                 ->ifTrue(function ($v) {
  317.                     return true === $v['security'] && isset($v['pattern']) && !isset($v['request_matcher']);
  318.                 })
  319.                 ->then(function ($firewall) use ($abstractFactoryKeys) {
  320.                     foreach ($abstractFactoryKeys as $k) {
  321.                         if (!isset($firewall[$k]['check_path'])) {
  322.                             continue;
  323.                         }
  325.                         if (str_contains($firewall[$k]['check_path'], '/') && !preg_match('#'.$firewall['pattern'].'#'$firewall[$k]['check_path'])) {
  326.                             throw new \LogicException(sprintf('The check_path "%s" for login method "%s" is not matched by the firewall pattern "%s".'$firewall[$k]['check_path'], $k$firewall['pattern']));
  327.                         }
  328.                     }
  330.                     return $firewall;
  331.                 })
  332.             ->end()
  333.         ;
  334.     }
  336.     private function addProvidersSection(ArrayNodeDefinition $rootNode)
  337.     {
  338.         $providerNodeBuilder $rootNode
  339.             ->fixXmlConfig('provider')
  340.             ->children()
  341.                 ->arrayNode('providers')
  342.                     ->example([
  343.                         'my_memory_provider' => [
  344.                             'memory' => [
  345.                                 'users' => [
  346.                                     'foo' => ['password' => 'foo''roles' => 'ROLE_USER'],
  347.                                     'bar' => ['password' => 'bar''roles' => '[ROLE_USER, ROLE_ADMIN]'],
  348.                                 ],
  349.                             ],
  350.                         ],
  351.                         'my_entity_provider' => ['entity' => ['class' => 'SecurityBundle:User''property' => 'username']],
  352.                     ])
  353.                     ->requiresAtLeastOneElement()
  354.                     ->useAttributeAsKey('name')
  355.                     ->prototype('array')
  356.         ;
  358.         $providerNodeBuilder
  359.             ->children()
  360.                 ->scalarNode('id')->end()
  361.                 ->arrayNode('chain')
  362.                     ->fixXmlConfig('provider')
  363.                     ->children()
  364.                         ->arrayNode('providers')
  365.                             ->beforeNormalization()
  366.                                 ->ifString()
  367.                                 ->then(function ($v) { return preg_split('/\s*,\s*/'$v); })
  368.                             ->end()
  369.                             ->prototype('scalar')->end()
  370.                         ->end()
  371.                     ->end()
  372.                 ->end()
  373.             ->end()
  374.         ;
  376.         foreach ($this->userProviderFactories as $factory) {
  377.             $name str_replace('-''_'$factory->getKey());
  378.             $factoryNode $providerNodeBuilder->children()->arrayNode($name)->canBeUnset();
  380.             $factory->addConfiguration($factoryNode);
  381.         }
  383.         $providerNodeBuilder
  384.             ->validate()
  385.                 ->ifTrue(function ($v) { return \count($v) > 1; })
  386.                 ->thenInvalid('You cannot set multiple provider types for the same provider')
  387.             ->end()
  388.             ->validate()
  389.                 ->ifTrue(function ($v) { return === \count($v); })
  390.                 ->thenInvalid('You must set a provider definition for the provider.')
  391.             ->end()
  392.         ;
  393.     }
  395.     private function addEncodersSection(ArrayNodeDefinition $rootNode)
  396.     {
  397.         $rootNode
  398.             ->fixXmlConfig('encoder')
  399.             ->children()
  400.                 ->arrayNode('encoders')
  401.                     ->example([
  402.                         'App\Entity\User1' => 'auto',
  403.                         'App\Entity\User2' => [
  404.                             'algorithm' => 'auto',
  405.                             'time_cost' => 8,
  406.                             'cost' => 13,
  407.                         ],
  408.                     ])
  409.                     ->requiresAtLeastOneElement()
  410.                     ->useAttributeAsKey('class')
  411.                     ->prototype('array')
  412.                         ->canBeUnset()
  413.                         ->performNoDeepMerging()
  414.                         ->beforeNormalization()->ifString()->then(function ($v) { return ['algorithm' => $v]; })->end()
  415.                         ->children()
  416.                             ->scalarNode('algorithm')
  417.                                 ->cannotBeEmpty()
  418.                                 ->validate()
  419.                                     ->ifTrue(function ($v) { return !\is_string($v); })
  420.                                     ->thenInvalid('You must provide a string value.')
  421.                                 ->end()
  422.                             ->end()
  423.                             ->arrayNode('migrate_from')
  424.                                 ->prototype('scalar')->end()
  425.                                 ->beforeNormalization()->castToArray()->end()
  426.                             ->end()
  427.                             ->scalarNode('hash_algorithm')->info('Name of hashing algorithm for PBKDF2 (i.e. sha256, sha512, etc..) See hash_algos() for a list of supported algorithms.')->defaultValue('sha512')->end()
  428.                             ->scalarNode('key_length')->defaultValue(40)->end()
  429.                             ->booleanNode('ignore_case')->defaultFalse()->end()
  430.                             ->booleanNode('encode_as_base64')->defaultTrue()->end()
  431.                             ->scalarNode('iterations')->defaultValue(5000)->end()
  432.                             ->integerNode('cost')
  433.                                 ->min(4)
  434.                                 ->max(31)
  435.                                 ->defaultNull()
  436.                             ->end()
  437.                             ->scalarNode('memory_cost')->defaultNull()->end()
  438.                             ->scalarNode('time_cost')->defaultNull()->end()
  439.                             ->scalarNode('id')->end()
  440.                         ->end()
  441.                     ->end()
  442.                 ->end()
  443.             ->end()
  444.         ;
  445.     }
  447.     private function addPasswordHashersSection(ArrayNodeDefinition $rootNode)
  448.     {
  449.         $rootNode
  450.             ->fixXmlConfig('password_hasher')
  451.             ->children()
  452.                 ->arrayNode('password_hashers')
  453.                     ->example([
  454.                         'App\Entity\User1' => 'auto',
  455.                         'App\Entity\User2' => [
  456.                             'algorithm' => 'auto',
  457.                             'time_cost' => 8,
  458.                             'cost' => 13,
  459.                         ],
  460.                     ])
  461.                     ->requiresAtLeastOneElement()
  462.                     ->useAttributeAsKey('class')
  463.                     ->prototype('array')
  464.                         ->canBeUnset()
  465.                         ->performNoDeepMerging()
  466.                         ->beforeNormalization()->ifString()->then(function ($v) { return ['algorithm' => $v]; })->end()
  467.                         ->children()
  468.                             ->scalarNode('algorithm')
  469.                                 ->cannotBeEmpty()
  470.                                 ->validate()
  471.                                     ->ifTrue(function ($v) { return !\is_string($v); })
  472.                                     ->thenInvalid('You must provide a string value.')
  473.                                 ->end()
  474.                             ->end()
  475.                             ->arrayNode('migrate_from')
  476.                                 ->prototype('scalar')->end()
  477.                                 ->beforeNormalization()->castToArray()->end()
  478.                             ->end()
  479.                             ->scalarNode('hash_algorithm')->info('Name of hashing algorithm for PBKDF2 (i.e. sha256, sha512, etc..) See hash_algos() for a list of supported algorithms.')->defaultValue('sha512')->end()
  480.                             ->scalarNode('key_length')->defaultValue(40)->end()
  481.                             ->booleanNode('ignore_case')->defaultFalse()->end()
  482.                             ->booleanNode('encode_as_base64')->defaultTrue()->end()
  483.                             ->scalarNode('iterations')->defaultValue(5000)->end()
  484.                             ->integerNode('cost')
  485.                                 ->min(4)
  486.                                 ->max(31)
  487.                                 ->defaultNull()
  488.                             ->end()
  489.                             ->scalarNode('memory_cost')->defaultNull()->end()
  490.                             ->scalarNode('time_cost')->defaultNull()->end()
  491.                             ->scalarNode('id')->end()
  492.                         ->end()
  493.                     ->end()
  494.                 ->end()
  495.         ->end();
  496.     }
  498.     private function getAccessDecisionStrategies()
  499.     {
  500.         $strategies = [
  501.             AccessDecisionManager::STRATEGY_AFFIRMATIVE,
  502.             AccessDecisionManager::STRATEGY_CONSENSUS,
  503.             AccessDecisionManager::STRATEGY_UNANIMOUS,
  504.         ];
  506.         if (\defined(AccessDecisionManager::class.'::STRATEGY_PRIORITY')) {
  507.             $strategies[] = AccessDecisionManager::STRATEGY_PRIORITY;
  508.         }
  510.         return $strategies;
  511.     }
  512. }