[Security] Add logout configuration for Clear-Site-Data header

maxbeckers · maxbeckers · commit c9cebff157d8 · 2023-02-22T07:49:27.000+01:00
diff --git a/DependencyInjection/MainConfiguration.php b/DependencyInjection/MainConfiguration.php
@@ -251,6 +251,15 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
                     ->scalarNode('path')->defaultValue('/logout')->end()
                     ->scalarNode('target')->defaultValue('/')->end()
                     ->booleanNode('invalidate_session')->defaultTrue()->end()
+                    ->arrayNode('clear_site_data')
+                        ->performNoDeepMerging()
+                        ->beforeNormalization()->ifString()->then(fn ($v) => $v ? array_map('trim', explode(',', $v)) : [])->end()
+                        ->enumPrototype()
+                            ->values([
+                                '*', 'cache', 'cookies', 'storage', 'executionContexts',
+                            ])
+                        ->end()
+                    ->end()
                 ->end()
                 ->fixXmlConfig('delete_cookie')
                 ->children()
diff --git a/DependencyInjection/SecurityExtension.php b/DependencyInjection/SecurityExtension.php
@@ -480,6 +480,13 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
             }
 
+            // add clear site data listener
+            if ($firewall['logout']['clear_site_data'] ?? false) {
+                $container->setDefinition('security.logout.listener.clear_site_data.'.$id, new ChildDefinition('security.logout.listener.clear_site_data'))
+                    ->addArgument($firewall['logout']['clear_site_data'])
+                    ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
+            }
+
             // register with LogoutUrlGenerator
             $container
                 ->getDefinition('security.logout_url_generator')
diff --git a/Resources/config/schema/security-1.0.xsd b/Resources/config/schema/security-1.0.xsd
@@ -171,9 +171,10 @@
     </xsd:complexType>
 
     <xsd:complexType name="logout">
-        <xsd:sequence>
+        <xsd:choice minOccurs="0" maxOccurs="unbounded">
             <xsd:element name="delete-cookie" type="delete_cookie" minOccurs="0" maxOccurs="unbounded" />
-        </xsd:sequence>
+            <xsd:element name="clear-site-data" type="clear_site_data" minOccurs="0" maxOccurs="unbounded" />
+        </xsd:choice>
         <xsd:attribute name="csrf-parameter" type="xsd:string" />
         <xsd:attribute name="csrf-token-generator" type="xsd:string" />
         <xsd:attribute name="csrf-token-id" type="xsd:string" />
@@ -407,4 +408,14 @@
         </xsd:simpleContent>
     </xsd:complexType>
 
+    <xsd:simpleType name="clear_site_data">
+        <xsd:restriction base="xsd:string">
+            <xsd:enumeration value="*" />
+            <xsd:enumeration value="cache" />
+            <xsd:enumeration value="cookies" />
+            <xsd:enumeration value="storage" />
+            <xsd:enumeration value="executionContexts" />
+        </xsd:restriction>
+    </xsd:simpleType>
+
 </xsd:schema>
diff --git a/Resources/config/security_listeners.php b/Resources/config/security_listeners.php
@@ -17,6 +17,7 @@
 use Symfony\Component\Security\Http\Authentication\CustomAuthenticationSuccessHandler;
 use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
 use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationSuccessHandler;
+use Symfony\Component\Security\Http\EventListener\ClearSiteDataLogoutListener;
 use Symfony\Component\Security\Http\EventListener\CookieClearingLogoutListener;
 use Symfony\Component\Security\Http\EventListener\DefaultLogoutListener;
 use Symfony\Component\Security\Http\EventListener\SessionLogoutListener;
@@ -64,6 +65,9 @@
         ->set('security.logout.listener.session', SessionLogoutListener::class)
             ->abstract()
 
+        ->set('security.logout.listener.clear_site_data', ClearSiteDataLogoutListener::class)
+            ->abstract()
+
         ->set('security.logout.listener.cookie_clearing', CookieClearingLogoutListener::class)
             ->abstract()
 
diff --git a/Tests/DependencyInjection/CompleteConfigurationTestCase.php b/Tests/DependencyInjection/CompleteConfigurationTestCase.php
@@ -181,6 +181,7 @@ public function testFirewalls()
                     'invalidate_session' => true,
                     'delete_cookies' => [],
                     'enable_csrf' => null,
+                    'clear_site_data' => [],
                 ],
             ],
             [
@@ -708,6 +709,13 @@ public function testFirewallListenerWithProvider()
         $this->addToAssertionCount(1);
     }
 
+    public function testFirewallLogoutClearSiteData()
+    {
+        $container = $this->getContainer('logout_clear_site_data');
+        $ClearSiteDataConfig = $container->getDefinition('security.firewall.map.config.main')->getArgument(12)['clear_site_data'];
+        $this->assertSame(['cookies', 'executionContexts'], $ClearSiteDataConfig);
+    }
+
     protected function getContainer($file)
     {
         $file .= '.'.$this->getFileExtension();
diff --git a/Tests/DependencyInjection/Fixtures/php/logout_clear_site_data.php b/Tests/DependencyInjection/Fixtures/php/logout_clear_site_data.php
@@ -0,0 +1,20 @@
+<?php
+
+$container->loadFromExtension('security', [
+    'providers' => [
+        'default' => ['id' => 'foo'],
+    ],
+
+    'firewalls' => [
+        'main' => [
+            'provider' => 'default',
+            'form_login' => true,
+            'logout' => [
+                'clear-site-data' => [
+                    'cookies',
+                    'executionContexts',
+                ],
+            ],
+        ],
+    ],
+]);
diff --git a/Tests/DependencyInjection/Fixtures/xml/logout_clear_site_data.xml b/Tests/DependencyInjection/Fixtures/xml/logout_clear_site_data.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<srv:container xmlns="http://symfony.com/schema/dic/security"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:srv="http://symfony.com/schema/dic/services"
+    xsi:schemaLocation="http://symfony.com/schema/dic/services
+        https://symfony.com/schema/dic/services/services-1.0.xsd
+        http://symfony.com/schema/dic/security
+        https://symfony.com/schema/dic/security/security-1.0.xsd">
+
+    <config>
+        <provider name="default" id="foo" />
+
+        <firewall name="main" provider="default">
+            <form-login />
+            <logout>
+                <clear-site-data>cookies</clear-site-data>
+                <clear-site-data>executionContexts</clear-site-data>
+            </logout>
+        </firewall>
+    </config>
+</srv:container>
diff --git a/Tests/DependencyInjection/Fixtures/yml/logout_clear_site_data.yml b/Tests/DependencyInjection/Fixtures/yml/logout_clear_site_data.yml
@@ -0,0 +1,13 @@
+security:
+    providers:
+        default:
+            id: foo
+
+    firewalls:
+        main:
+            provider: default
+            form_login: true
+            logout:
+                clear_site_data:
+                    - cookies
+                    - executionContexts
diff --git a/Tests/DependencyInjection/SecurityExtensionTest.php b/Tests/DependencyInjection/SecurityExtensionTest.php
@@ -848,6 +848,48 @@ public function testConfigureCustomFirewallListener()
         $this->assertContains('custom_firewall_listener_id', $firewallListeners);
     }
 
+    public function testClearSiteDataLogoutListenerEnabled()
+    {
+        $container = $this->getRawContainer();
+
+        $firewallId = 'logout_firewall';
+        $container->loadFromExtension('security', [
+            'firewalls' => [
+                $firewallId => [
+                    'logout' => [
+                        'clear_site_data' => ['*'],
+                    ],
+                ],
+            ],
+        ]);
+
+        $container->compile();
+
+        $this->assertTrue($container->has('security.logout.listener.clear_site_data.'.$firewallId));
+        $listenerArgument = $container->getDefinition('security.logout.listener.clear_site_data.'.$firewallId)->getArgument(0);
+        $this->assertSame(['*'], $listenerArgument);
+    }
+
+    public function testClearSiteDataLogoutListenerDisabled()
+    {
+        $container = $this->getRawContainer();
+
+        $firewallId = 'logout_firewall';
+        $container->loadFromExtension('security', [
+            'firewalls' => [
+                $firewallId => [
+                    'logout' => [
+                        'clear_site_data' => [],
+                    ],
+                ],
+            ],
+        ]);
+
+        $container->compile();
+
+        $this->assertFalse($container->has('security.logout.listener.clear_site_data.'.$firewallId));
+    }
+
     /**
      * @group legacy
      */
