feature #14721 [Security] Configuring a user checker per firewall (iltar)

This PR was squashed before being merged into the 2.8 branch (closes #14721).

Discussion
----------

[Security] Configuring a user checker per firewall

_Changed my base branch to avoid issues, closed old PR_

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed ticket | #11090 and helps #14673
| License       | MIT
| Doc PR        | symfony/symfony-docs/pull/5530

This pull request adds support for a configurable user checker per firewall. An example could be:

```yml
services:
    app.user_checker:
        class: App\Security\UserChecker
        arguments:
            - "@request_stack"

security:
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~
            basic_auth: ~
            user_checker: app.user_checker

```
The above example will use the `UserChecker` defined as `app.user_checker`. If the `user_checker` option is left empty, `security.user_checker` will  be used. If the `user_checkers` option is not defined, it will fall back to the original behavior to not break backwards compatibility and will validate using the existing `UserChecker`: `security.user_checker`.

I left the default argument in the service definitions to be `security.user_checker` to include backwards compatibility for people who for some reason don't have the extension executed. You can obtain the checker for a specific firewall by appending the firewall name to it. For the firewall `secured_area`, this would be `security.user_checker.secured_area`.

Commits
-------

76bc662 [Security] Configuring a user checker per firewall

Author: fabpot

DependencyInjection/MainConfiguration.php

@@ -216,6 +216,11 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
                 ->prototype('scalar')->end()
             ->end()
             ->booleanNode('security')->defaultTrue()->end()
+            ->scalarNode('user_checker')
+                ->defaultValue('security.user_checker')
+                ->treatNullLike('security.user_checker')
+                ->info('The UserChecker to use when authenticating users in this firewall.')
+            ->end()
             ->scalarNode('request_matcher')->end()
             ->scalarNode('access_denied_url')->end()
             ->scalarNode('access_denied_handler')->end()

DependencyInjection/Security/Factory/FormLoginFactory.php

@@ -65,6 +65,7 @@ protected function createAuthProvider(ContainerBuilder $container, $id, $config,
         $container
             ->setDefinition($provider, new DefinitionDecorator('security.authentication.provider.dao'))
             ->replaceArgument(0, new Reference($userProviderId))
+            ->replaceArgument(1, new Reference('security.user_checker.'.$id))
             ->replaceArgument(2, $id)
         ;
 

DependencyInjection/Security/Factory/FormLoginLdapFactory.php

@@ -30,6 +30,7 @@ protected function createAuthProvider(ContainerBuilder $container, $id, $config,
         $container
             ->setDefinition($provider, new DefinitionDecorator('security.authentication.provider.ldap_bind'))
             ->replaceArgument(0, new Reference($userProviderId))
+            ->replaceArgument(1, new Reference('security.user_checker.'.$id))
             ->replaceArgument(2, $id)
             ->replaceArgument(3, new Reference($config['service']))
             ->replaceArgument(4, $config['dn_string'])

DependencyInjection/Security/Factory/GuardAuthenticationFactory.php

@@ -69,6 +69,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
             ->replaceArgument(0, $authenticatorReferences)
             ->replaceArgument(1, new Reference($userProvider))
             ->replaceArgument(2, $id)
+            ->replaceArgument(3, new Reference('security.user_checker.'.$id))
         ;
 
         // listener

DependencyInjection/Security/Factory/HttpBasicFactory.php

@@ -29,6 +29,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
         $container
             ->setDefinition($provider, new DefinitionDecorator('security.authentication.provider.dao'))
             ->replaceArgument(0, new Reference($userProvider))
+            ->replaceArgument(1, new Reference('security.user_checker.'.$id))
             ->replaceArgument(2, $id)
         ;
 

DependencyInjection/Security/Factory/HttpBasicLdapFactory.php

@@ -31,6 +31,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
         $container
             ->setDefinition($provider, new DefinitionDecorator('security.authentication.provider.ldap_bind'))
             ->replaceArgument(0, new Reference($userProvider))
+            ->replaceArgument(1, new Reference('security.user_checker.'.$id))
             ->replaceArgument(2, $id)
             ->replaceArgument(3, new Reference($config['service']))
             ->replaceArgument(4, $config['dn_string'])

DependencyInjection/Security/Factory/RememberMeFactory.php

@@ -35,6 +35,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
         $authProviderId = 'security.authentication.provider.rememberme.'.$id;
         $container
             ->setDefinition($authProviderId, new DefinitionDecorator('security.authentication.provider.rememberme'))
+            ->replaceArgument(0, new Reference('security.user_checker.'.$id))
             ->addArgument($config['secret'])
             ->addArgument($id)
         ;

DependencyInjection/Security/Factory/RemoteUserFactory.php

@@ -30,6 +30,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
         $container
             ->setDefinition($providerId, new DefinitionDecorator('security.authentication.provider.pre_authenticated'))
             ->replaceArgument(0, new Reference($userProvider))
+            ->replaceArgument(1, new Reference('security.user_checker.'.$id))
             ->addArgument($id)
         ;
 

DependencyInjection/Security/Factory/X509Factory.php

@@ -29,6 +29,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
         $container
             ->setDefinition($providerId, new DefinitionDecorator('security.authentication.provider.pre_authenticated'))
             ->replaceArgument(0, new Reference($userProvider))
+            ->replaceArgument(1, new Reference('security.user_checker.'.$id))
             ->addArgument($id)
         ;
 

DependencyInjection/SecurityExtension.php

@@ -14,6 +14,7 @@
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\UserProvider\UserProviderFactoryInterface;
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
+use Symfony\Component\DependencyInjection\Definition;
 use Symfony\Component\DependencyInjection\DefinitionDecorator;
 use Symfony\Component\DependencyInjection\Alias;
 use Symfony\Component\HttpKernel\DependencyInjection\Extension;
@@ -100,16 +101,16 @@ public function load(array $configs, ContainerBuilder $container)
 
         // add some required classes for compilation
         $this->addClassesToCompile(array(
-            'Symfony\\Component\\Security\\Http\\Firewall',
-            'Symfony\\Component\\Security\\Core\\User\\UserProviderInterface',
-            'Symfony\\Component\\Security\\Core\\Authentication\\AuthenticationProviderManager',
-            'Symfony\\Component\\Security\\Core\\Authentication\\Token\\Storage\\TokenStorage',
-            'Symfony\\Component\\Security\\Core\\Authorization\\AccessDecisionManager',
-            'Symfony\\Component\\Security\\Core\\Authorization\\AuthorizationChecker',
-            'Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface',
-            'Symfony\\Bundle\\SecurityBundle\\Security\\FirewallMap',
-            'Symfony\\Bundle\\SecurityBundle\\Security\\FirewallContext',
-            'Symfony\\Component\\HttpFoundation\\RequestMatcher',
+            'Symfony\Component\Security\Http\Firewall',
+            'Symfony\Component\Security\Core\User\UserProviderInterface',
+            'Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager',
+            'Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage',
+            'Symfony\Component\Security\Core\Authorization\AccessDecisionManager',
+            'Symfony\Component\Security\Core\Authorization\AuthorizationChecker',
+            'Symfony\Component\Security\Core\Authorization\Voter\VoterInterface',
+            'Symfony\Bundle\SecurityBundle\Security\FirewallMap',
+            'Symfony\Bundle\SecurityBundle\Security\FirewallContext',
+            'Symfony\Component\HttpFoundation\RequestMatcher',
         ));
     }
 
@@ -369,6 +370,8 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
         // Exception listener
         $exceptionListener = new Reference($this->createExceptionListener($container, $firewall, $id, $configuredEntryPoint ?: $defaultEntryPoint, $firewall['stateless']));
 
+        $container->setAlias(new Alias('security.user_checker.'.$id, false), $firewall['user_checker']);
+
         return array($matcher, $listeners, $exceptionListener);
     }
 
@@ -577,6 +580,7 @@ private function createSwitchUserListener($container, $id, $config, $defaultProv
         $switchUserListenerId = 'security.authentication.switchuser_listener.'.$id;
         $listener = $container->setDefinition($switchUserListenerId, new DefinitionDecorator('security.authentication.switchuser_listener'));
         $listener->replaceArgument(1, new Reference($userProvider));
+        $listener->replaceArgument(2, new Reference('security.user_checker.'.$id));
         $listener->replaceArgument(3, $id);
         $listener->replaceArgument(6, $config['parameter']);
         $listener->replaceArgument(7, $config['role']);

Resources/config/guard.xml

@@ -21,7 +21,7 @@
             <argument /> <!-- Simple Authenticator -->
             <argument /> <!-- User Provider -->
             <argument /> <!-- Provider-shared Key -->
-            <argument type="service" id="security.user_checker" />
+            <argument /> <!-- User Checker -->
         </service>
 
         <service id="security.authentication.listener.guard"

Resources/config/security_listeners.xml

@@ -217,15 +217,15 @@
 
         <service id="security.authentication.provider.dao" class="%security.authentication.provider.dao.class%" abstract="true" public="false">
             <argument /> <!-- User Provider -->
-            <argument type="service" id="security.user_checker" />
+            <argument /> <!-- User Checker -->
             <argument /> <!-- Provider-shared Key -->
             <argument type="service" id="security.encoder_factory" />
             <argument>%security.authentication.hide_user_not_found%</argument>
         </service>
 
         <service id="security.authentication.provider.ldap_bind" class="Symfony\Component\Security\Core\Authentication\Provider\LdapBindAuthenticationProvider" public="false" abstract="true">
             <argument /> <!-- User Provider -->
-            <argument type="service" id="security.user_checker" />
+            <argument /> <!-- UserChecker -->
             <argument /> <!-- Provider-shared Key -->
             <argument /> <!-- LDAP -->
             <argument /> <!-- Base DN -->
@@ -240,7 +240,7 @@
 
         <service id="security.authentication.provider.pre_authenticated" class="%security.authentication.provider.pre_authenticated.class%" abstract="true" public="false">
             <argument /> <!-- User Provider -->
-            <argument type="service" id="security.user_checker" />
+            <argument /> <!-- User Checker -->
         </service>
 
         <service id="security.exception_listener" class="%security.exception_listener.class%" public="false" abstract="true">
@@ -260,7 +260,7 @@
             <tag name="monolog.logger" channel="security" />
             <argument type="service" id="security.token_storage" />
             <argument /> <!-- User Provider -->
-            <argument type="service" id="security.user_checker" />
+            <argument /> <!-- User Checker -->
             <argument /> <!--  Provider Key -->
             <argument type="service" id="security.access.decision_manager" />
             <argument type="service" id="logger" on-invalid="null" />

Resources/config/security_rememberme.xml

@@ -28,7 +28,7 @@
         </service>
 
         <service id="security.authentication.provider.rememberme" class="%security.authentication.provider.rememberme.class%" abstract="true" public="false">
-            <argument type="service" id="security.user_checker" />
+            <argument /> <!-- User Checker -->
         </service>
 
         <service id="security.rememberme.token.provider.in_memory" class="%security.rememberme.token.provider.in_memory.class%" public="false" />

Tests/DependencyInjection/CompleteConfigurationTest.php

@@ -93,6 +93,13 @@ public function testFirewalls()
                 'security.authentication.listener.anonymous.host',
                 'security.access_listener',
             ),
+            array(
+                'security.channel_listener',
+                'security.context_listener.1',
+                'security.authentication.listener.basic.with_user_checker',
+                'security.authentication.listener.anonymous.with_user_checker',
+                'security.access_listener',
+            ),
         ), $listeners);
     }
 
@@ -233,6 +240,21 @@ public function testRememberMeThrowExceptions()
         $this->assertFalse($service->getArgument(5));
     }
 
+    public function testUserCheckerConfig()
+    {
+        $this->assertEquals('app.user_checker', $this->getContainer('container1')->getAlias('security.user_checker.with_user_checker'));
+    }
+
+    public function testUserCheckerConfigWithDefaultChecker()
+    {
+        $this->assertEquals('security.user_checker', $this->getContainer('container1')->getAlias('security.user_checker.host'));
+    }
+
+    public function testUserCheckerConfigWithNoCheckers()
+    {
+        $this->assertEquals('security.user_checker', $this->getContainer('container1')->getAlias('security.user_checker.secure'));
+    }
+
     protected function getContainer($file)
     {
         $container = new ContainerBuilder();

Tests/DependencyInjection/Fixtures/php/container1.php

@@ -72,6 +72,7 @@
             'remote_user' => true,
             'logout' => true,
             'remember_me' => array('secret' => 'TheSecret'),
+            'user_checker' => null,
         ),
         'host' => array(
             'pattern' => '/test',
@@ -80,6 +81,11 @@
             'anonymous' => true,
             'http_basic' => true,
         ),
+        'with_user_checker' => array(
+            'user_checker' => 'app.user_checker',
+            'anonymous' => true,
+            'http_basic' => true,
+        ),
     ),
 
     'access_control' => array(

Tests/DependencyInjection/Fixtures/xml/container1.xml

@@ -55,6 +55,7 @@
             <switch-user />
             <x509 />
             <remote-user />
+            <user-checker />
             <logout />
             <remember-me secret="TheSecret"/>
         </firewall>
@@ -64,6 +65,12 @@
             <http-basic />
         </firewall>
 
+        <firewall name="with_user_checker">
+            <anonymous />
+            <http-basic />
+            <user-checker>app.user_checker</user-checker>
+        </firewall>
+
         <role id="ROLE_ADMIN">ROLE_USER</role>
         <role id="ROLE_SUPER_ADMIN">ROLE_USER,ROLE_ADMIN,ROLE_ALLOWED_TO_SWITCH</role>
         <role id="ROLE_REMOTE">ROLE_USER,ROLE_ADMIN</role>

Tests/DependencyInjection/Fixtures/yml/container1.yml

@@ -56,13 +56,20 @@ security:
             logout: true
             remember_me:
                 secret: TheSecret
+            user_checker: ~
+
         host:
             pattern: /test
             host: foo\.example\.org
             methods: [GET,POST]
             anonymous: true
             http_basic: true
 
+        with_user_checker:
+            anonymous: ~
+            http_basic: ~
+            user_checker: app.user_checker
+
     role_hierarchy:
         ROLE_ADMIN:       ROLE_USER
         ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

Tests/DependencyInjection/MainConfigurationTest.php

@@ -46,7 +46,7 @@ public function testNoConfigForProvider()
 
         $processor = new Processor();
         $configuration = new MainConfiguration(array(), array());
-        $config = $processor->processConfiguration($configuration, array($config));
+        $processor->processConfiguration($configuration, array($config));
     }
 
     /**
@@ -65,7 +65,7 @@ public function testManyConfigForProvider()
 
         $processor = new Processor();
         $configuration = new MainConfiguration(array(), array());
-        $config = $processor->processConfiguration($configuration, array($config));
+        $processor->processConfiguration($configuration, array($config));
     }
 
     public function testCsrfAliases()
@@ -108,8 +108,35 @@ public function testCsrfOriginalAndAliasValueCausesException()
         );
         $config = array_merge(static::$minimalConfig, $config);
 
+        $processor = new Processor();
+        $configuration = new MainConfiguration(array(), array());
+        $processor->processConfiguration($configuration, array($config));
+    }
+
+    public function testDefaultUserCheckers()
+    {
+        $processor = new Processor();
+        $configuration = new MainConfiguration(array(), array());
+        $processedConfig = $processor->processConfiguration($configuration, array(static::$minimalConfig));
+
+        $this->assertEquals('security.user_checker', $processedConfig['firewalls']['stub']['user_checker']);
+    }
+
+    public function testUserCheckers()
+    {
+        $config = array(
+            'firewalls' => array(
+                'stub' => array(
+                    'user_checker' => 'app.henk_checker',
+                ),
+            ),
+        );
+        $config = array_merge(static::$minimalConfig, $config);
+
         $processor = new Processor();
         $configuration = new MainConfiguration(array(), array());
         $processedConfig = $processor->processConfiguration($configuration, array($config));
+
+        $this->assertEquals('app.henk_checker', $processedConfig['firewalls']['stub']['user_checker']);
     }
 }

Tests/DependencyInjection/Security/Factory/GuardAuthenticationFactoryTest.php

@@ -109,6 +109,7 @@ public function testBasicCreate()
             'index_0' => array(new Reference('authenticator123')),
             'index_1' => new Reference('my_user_provider'),
             'index_2' => 'my_firewall',
+            'index_3' => new Reference('security.user_checker.my_firewall'),
         ), $providerDefinition->getArguments());
 
         $listenerDefinition = $container->getDefinition('security.authentication.listener.guard.my_firewall');
@@ -123,7 +124,7 @@ public function testExistingDefaultEntryPointUsed()
             'authenticators' => array('authenticator123'),
             'entry_point' => null,
         );
-        list($container, $entryPointId) = $this->executeCreate($config, 'some_default_entry_point');
+        list(, $entryPointId) = $this->executeCreate($config, 'some_default_entry_point');
         $this->assertEquals('some_default_entry_point', $entryPointId);
     }