SecurityExtension.php 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596
  1. <?php
  2. /*
  3. * This file is part of the Symfony package.
  4. *
  5. * (c) Fabien Potencier <fabien@symfony.com>
  6. *
  7. * For the full copyright and license information, please view the LICENSE
  8. * file that was distributed with this source code.
  9. */
  10. namespace Symfony\Bundle\SecurityBundle\DependencyInjection;
  11. use Symfony\Component\DependencyInjection\DefinitionDecorator;
  12. use Symfony\Component\DependencyInjection\Alias;
  13. use Symfony\Component\HttpKernel\DependencyInjection\Extension;
  14. use Symfony\Component\DependencyInjection\Loader\XmlFileLoader;
  15. use Symfony\Component\DependencyInjection\ContainerBuilder;
  16. use Symfony\Component\DependencyInjection\Reference;
  17. use Symfony\Component\DependencyInjection\Parameter;
  18. use Symfony\Component\Config\FileLocator;
  19. use Symfony\Component\Config\Definition\Processor;
  20. /**
  21. * SecurityExtension.
  22. *
  23. * @author Fabien Potencier <fabien@symfony.com>
  24. * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  25. */
  26. class SecurityExtension extends Extension
  27. {
  28. private $requestMatchers = array();
  29. private $contextListeners = array();
  30. private $listenerPositions = array('pre_auth', 'form', 'http', 'remember_me');
  31. private $factories;
  32. public function load(array $configs, ContainerBuilder $container)
  33. {
  34. if (!array_filter($configs)) {
  35. return;
  36. }
  37. $processor = new Processor();
  38. // first assemble the factories
  39. $factoriesConfig = new FactoryConfiguration();
  40. $config = $processor->processConfiguration($factoriesConfig, $configs);
  41. $factories = $this->createListenerFactories($container, $config);
  42. // normalize and merge the actual configuration
  43. $mainConfig = new MainConfiguration($factories);
  44. $config = $processor->processConfiguration($mainConfig, $configs);
  45. // load services
  46. $loader = new XmlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
  47. $loader->load('security.xml');
  48. $loader->load('security_listeners.xml');
  49. $loader->load('security_rememberme.xml');
  50. $loader->load('templating_php.xml');
  51. $loader->load('templating_twig.xml');
  52. $loader->load('collectors.xml');
  53. // set some global scalars
  54. $container->setParameter('security.access.denied_url', $config['access_denied_url']);
  55. $container->getDefinition('security.authentication.session_strategy')->replaceArgument(0, $config['session_fixation_strategy']);
  56. $container
  57. ->getDefinition('security.access.decision_manager')
  58. ->addArgument($config['access_decision_manager']['strategy'])
  59. ->addArgument($config['access_decision_manager']['allow_if_all_abstain'])
  60. ->addArgument($config['access_decision_manager']['allow_if_equal_granted_denied'])
  61. ;
  62. $container->setParameter('security.access.always_authenticate_before_granting', $config['always_authenticate_before_granting']);
  63. $this->createFirewalls($config, $container);
  64. $this->createAuthorization($config, $container);
  65. $this->createRoleHierarchy($config, $container);
  66. if ($config['encoders']) {
  67. $this->createEncoders($config['encoders'], $container);
  68. }
  69. // load ACL
  70. if (isset($config['acl'])) {
  71. $this->aclLoad($config['acl'], $container);
  72. }
  73. // add some required classes for compilation
  74. $this->addClassesToCompile(array(
  75. 'Symfony\\Component\\Security\\Http\\Firewall',
  76. 'Symfony\\Component\\Security\\Http\\FirewallMapInterface',
  77. 'Symfony\\Component\\Security\\Core\\SecurityContext',
  78. 'Symfony\\Component\\Security\\Core\\SecurityContextInterface',
  79. 'Symfony\\Component\\Security\\Core\\User\\UserProviderInterface',
  80. 'Symfony\\Component\\Security\\Core\\Authentication\\AuthenticationProviderManager',
  81. 'Symfony\\Component\\Security\\Core\\Authentication\\AuthenticationManagerInterface',
  82. 'Symfony\\Component\\Security\\Core\\Authorization\\AccessDecisionManager',
  83. 'Symfony\\Component\\Security\\Core\\Authorization\\AccessDecisionManagerInterface',
  84. 'Symfony\\Component\\Security\\Core\\Authorization\\Voter\\VoterInterface',
  85. 'Symfony\\Bundle\\SecurityBundle\\Security\\FirewallMap',
  86. 'Symfony\\Bundle\\SecurityBundle\\Security\\FirewallContext',
  87. 'Symfony\\Component\\HttpFoundation\\RequestMatcher',
  88. 'Symfony\\Component\\HttpFoundation\\RequestMatcherInterface',
  89. ));
  90. }
  91. private function aclLoad($config, ContainerBuilder $container)
  92. {
  93. $loader = new XmlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
  94. $loader->load('security_acl.xml');
  95. if (isset($config['connection'])) {
  96. $container->setAlias('security.acl.dbal.connection', sprintf('doctrine.dbal.%s_connection', $config['connection']));
  97. }
  98. if (isset($config['cache']['id'])) {
  99. $container->setAlias('security.acl.cache', $config['cache']['id']);
  100. }
  101. $container->getDefinition('security.acl.cache.doctrine')->addArgument($config['cache']['prefix']);
  102. $container->setParameter('security.acl.dbal.class_table_name', $config['tables']['class']);
  103. $container->setParameter('security.acl.dbal.entry_table_name', $config['tables']['entry']);
  104. $container->setParameter('security.acl.dbal.oid_table_name', $config['tables']['object_identity']);
  105. $container->setParameter('security.acl.dbal.oid_ancestors_table_name', $config['tables']['object_identity_ancestors']);
  106. $container->setParameter('security.acl.dbal.sid_table_name', $config['tables']['security_identity']);
  107. $container->getDefinition('security.acl.voter.basic_permissions')->addArgument($config['voter']['allow_if_object_identity_unavailable']);
  108. }
  109. /**
  110. * Loads the web configuration.
  111. *
  112. * @param array $config An array of configuration settings
  113. * @param ContainerBuilder $container A ContainerBuilder instance
  114. */
  115. private function createRoleHierarchy($config, ContainerBuilder $container)
  116. {
  117. if (!isset($config['role_hierarchy'])) {
  118. $container->remove('security.access.role_hierarchy_voter');
  119. return;
  120. }
  121. $container->setParameter('security.role_hierarchy.roles', $config['role_hierarchy']);
  122. $container->remove('security.access.simple_role_voter');
  123. }
  124. private function createAuthorization($config, ContainerBuilder $container)
  125. {
  126. if (!$config['access_control']) {
  127. return;
  128. }
  129. $this->addClassesToCompile(array(
  130. 'Symfony\\Component\\Security\\Http\\AccessMap',
  131. ));
  132. foreach ($config['access_control'] as $access) {
  133. $matcher = $this->createRequestMatcher(
  134. $container,
  135. $access['path'],
  136. $access['host'],
  137. count($access['methods']) === 0 ? null : $access['methods'],
  138. $access['ip']
  139. );
  140. $container->getDefinition('security.access_map')
  141. ->addMethodCall('add', array($matcher, $access['roles'], $access['requires_channel']));
  142. }
  143. }
  144. private function createFirewalls($config, ContainerBuilder $container)
  145. {
  146. if (!isset($config['firewalls'])) {
  147. return;
  148. }
  149. $firewalls = $config['firewalls'];
  150. $providerIds = $this->createUserProviders($config, $container);
  151. // make the ContextListener aware of the configured user providers
  152. $definition = $container->getDefinition('security.context_listener');
  153. $arguments = $definition->getArguments();
  154. $userProviders = array();
  155. foreach ($providerIds as $userProviderId) {
  156. $userProviders[] = new Reference($userProviderId);
  157. }
  158. $arguments[1] = $userProviders;
  159. $definition->setArguments($arguments);
  160. // create security listener factories
  161. $factories = $this->createListenerFactories($container, $config);
  162. // load firewall map
  163. $mapDef = $container->getDefinition('security.firewall.map');
  164. $map = $authenticationProviders = array();
  165. foreach ($firewalls as $name => $firewall) {
  166. list($matcher, $listeners, $exceptionListener) = $this->createFirewall($container, $name, $firewall, $authenticationProviders, $providerIds, $factories);
  167. $contextId = 'security.firewall.map.context.'.$name;
  168. $context = $container->setDefinition($contextId, new DefinitionDecorator('security.firewall.context'));
  169. $context
  170. ->replaceArgument(0, $listeners)
  171. ->replaceArgument(1, $exceptionListener)
  172. ;
  173. $map[$contextId] = $matcher;
  174. }
  175. $mapDef->replaceArgument(1, $map);
  176. // add authentication providers to authentication manager
  177. $authenticationProviders = array_map(function($id) {
  178. return new Reference($id);
  179. }, array_values(array_unique($authenticationProviders)));
  180. $container
  181. ->getDefinition('security.authentication.manager')
  182. ->replaceArgument(0, $authenticationProviders)
  183. ;
  184. }
  185. private function createFirewall(ContainerBuilder $container, $id, $firewall, &$authenticationProviders, $providerIds, array $factories)
  186. {
  187. // Matcher
  188. $i = 0;
  189. $matcher = null;
  190. if (isset($firewall['request_matcher'])) {
  191. $matcher = new Reference($firewall['request_matcher']);
  192. } else if (isset($firewall['pattern'])) {
  193. $matcher = $this->createRequestMatcher($container, $firewall['pattern']);
  194. }
  195. // Security disabled?
  196. if (false === $firewall['security']) {
  197. return array($matcher, array(), null);
  198. }
  199. // Provider id (take the first registered provider if none defined)
  200. if (isset($firewall['provider'])) {
  201. $defaultProvider = $this->getUserProviderId($firewall['provider']);
  202. } else {
  203. $defaultProvider = reset($providerIds);
  204. }
  205. // Register listeners
  206. $listeners = array();
  207. $providers = array();
  208. // Channel listener
  209. $listeners[] = new Reference('security.channel_listener');
  210. // Context serializer listener
  211. if (false === $firewall['stateless']) {
  212. $contextKey = $id;
  213. if (isset($firewall['context'])) {
  214. $contextKey = $firewall['context'];
  215. }
  216. $listeners[] = new Reference($this->createContextListener($container, $contextKey));
  217. }
  218. // Logout listener
  219. if (isset($firewall['logout'])) {
  220. $listenerId = 'security.logout_listener.'.$id;
  221. $listener = $container->setDefinition($listenerId, new DefinitionDecorator('security.logout_listener'));
  222. $listener->replaceArgument(1, $firewall['logout']['path']);
  223. $listener->replaceArgument(2, $firewall['logout']['target']);
  224. $listeners[] = new Reference($listenerId);
  225. // add logout success handler
  226. if (isset($firewall['logout']['success_handler'])) {
  227. $listener->replaceArgument(3, new Reference($firewall['logout']['success_handler']));
  228. }
  229. // add session logout handler
  230. if (true === $firewall['logout']['invalidate_session'] && false === $firewall['stateless']) {
  231. $listener->addMethodCall('addHandler', array(new Reference('security.logout.handler.session')));
  232. }
  233. // add cookie logout handler
  234. if (count($firewall['logout']['delete_cookies']) > 0) {
  235. $cookieHandlerId = 'security.logout.handler.cookie_clearing.'.$id;
  236. $cookieHandler = $container->setDefinition($cookieHandlerId, new DefinitionDecorator('security.logout.handler.cookie_clearing'));
  237. $cookieHandler->addArgument($firewall['logout']['delete_cookies']);
  238. $listener->addMethodCall('addHandler', array(new Reference($cookieHandlerId)));
  239. }
  240. // add custom handlers
  241. foreach ($firewall['logout']['handlers'] as $handlerId) {
  242. $listener->addMethodCall('addHandler', array(new Reference($handlerId)));
  243. }
  244. }
  245. // Authentication listeners
  246. list($authListeners, $defaultEntryPoint) = $this->createAuthenticationListeners($container, $id, $firewall, $authenticationProviders, $defaultProvider, $factories);
  247. $listeners = array_merge($listeners, $authListeners);
  248. // Access listener
  249. $listeners[] = new Reference('security.access_listener');
  250. // Switch user listener
  251. if (isset($firewall['switch_user'])) {
  252. $listeners[] = new Reference($this->createSwitchUserListener($container, $id, $firewall['switch_user'], $defaultProvider));
  253. }
  254. // Determine default entry point
  255. if (isset($firewall['entry_point'])) {
  256. $defaultEntryPoint = $firewall['entry_point'];
  257. }
  258. // Exception listener
  259. $exceptionListener = new Reference($this->createExceptionListener($container, $firewall, $id, $defaultEntryPoint));
  260. return array($matcher, $listeners, $exceptionListener);
  261. }
  262. private function createContextListener($container, $contextKey)
  263. {
  264. if (isset($this->contextListeners[$contextKey])) {
  265. return $this->contextListeners[$contextKey];
  266. }
  267. $listenerId = 'security.context_listener.'.count($this->contextListeners);
  268. $listener = $container->setDefinition($listenerId, new DefinitionDecorator('security.context_listener'));
  269. $listener->replaceArgument(2, $contextKey);
  270. return $this->contextListeners[$contextKey] = $listenerId;
  271. }
  272. private function createAuthenticationListeners($container, $id, $firewall, &$authenticationProviders, $defaultProvider, array $factories)
  273. {
  274. $listeners = array();
  275. $hasListeners = false;
  276. $defaultEntryPoint = null;
  277. foreach ($this->listenerPositions as $position) {
  278. foreach ($factories[$position] as $factory) {
  279. $key = str_replace('-', '_', $factory->getKey());
  280. if (isset($firewall[$key])) {
  281. $userProvider = isset($firewall[$key]['provider']) ? $this->getUserProviderId($firewall[$key]['provider']) : $defaultProvider;
  282. list($provider, $listenerId, $defaultEntryPoint) = $factory->create($container, $id, $firewall[$key], $userProvider, $defaultEntryPoint);
  283. $listeners[] = new Reference($listenerId);
  284. $authenticationProviders[] = $provider;
  285. $hasListeners = true;
  286. }
  287. }
  288. }
  289. // Anonymous
  290. if (isset($firewall['anonymous'])) {
  291. $listenerId = 'security.authentication.listener.anonymous.'.$id;
  292. $container
  293. ->setDefinition($listenerId, new DefinitionDecorator('security.authentication.listener.anonymous'))
  294. ->replaceArgument(1, $firewall['anonymous']['key'])
  295. ;
  296. $listeners[] = new Reference($listenerId);
  297. $providerId = 'security.authentication.provider.anonymous.'.$id;
  298. $container
  299. ->setDefinition($providerId, new DefinitionDecorator('security.authentication.provider.anonymous'))
  300. ->replaceArgument(0, $firewall['anonymous']['key'])
  301. ;
  302. $authenticationProviders[] = $providerId;
  303. $hasListeners = true;
  304. }
  305. if (false === $hasListeners) {
  306. throw new \LogicException(sprintf('No authentication listener registered for pattern "%s".', isset($firewall['pattern']) ? $firewall['pattern'] : ''));
  307. }
  308. return array($listeners, $defaultEntryPoint);
  309. }
  310. private function createEncoders($encoders, ContainerBuilder $container)
  311. {
  312. $encoderMap = array();
  313. foreach ($encoders as $class => $encoder) {
  314. $encoderMap[$class] = $this->createEncoder($encoder, $container);
  315. }
  316. $container
  317. ->getDefinition('security.encoder_factory.generic')
  318. ->setArguments(array($encoderMap))
  319. ;
  320. }
  321. private function createEncoder($config, ContainerBuilder $container)
  322. {
  323. // a custom encoder service
  324. if (isset($config['id'])) {
  325. return new Reference($config['id']);
  326. }
  327. // plaintext encoder
  328. if ('plaintext' === $config['algorithm']) {
  329. $arguments = array($config['ignore_case']);
  330. return array(
  331. 'class' => new Parameter('security.encoder.plain.class'),
  332. 'arguments' => $arguments,
  333. );
  334. }
  335. // message digest encoder
  336. $arguments = array(
  337. $config['algorithm'],
  338. $config['encode_as_base64'],
  339. $config['iterations'],
  340. );
  341. return array(
  342. 'class' => new Parameter('security.encoder.digest.class'),
  343. 'arguments' => $arguments,
  344. );
  345. }
  346. // Parses user providers and returns an array of their ids
  347. private function createUserProviders($config, ContainerBuilder $container)
  348. {
  349. $providerIds = array();
  350. foreach ($config['providers'] as $name => $provider) {
  351. $id = $this->createUserDaoProvider($name, $provider, $container);
  352. $providerIds[] = $id;
  353. }
  354. return $providerIds;
  355. }
  356. // Parses a <provider> tag and returns the id for the related user provider service
  357. private function createUserDaoProvider($name, $provider, ContainerBuilder $container, $master = true)
  358. {
  359. $name = $this->getUserProviderId(strtolower($name));
  360. // Existing DAO service provider
  361. if (isset($provider['id'])) {
  362. $container->setAlias($name, new Alias($provider['id'], false));
  363. return $provider['id'];
  364. }
  365. // Chain provider
  366. if ($provider['providers']) {
  367. $providers = array();
  368. foreach ($provider['providers'] as $providerName) {
  369. $providers[] = new Reference($this->getUserProviderId(strtolower($providerName)));
  370. }
  371. $container
  372. ->setDefinition($name, new DefinitionDecorator('security.user.provider.chain'))
  373. ->addArgument($providers)
  374. ;
  375. return $name;
  376. }
  377. // Doctrine Entity DAO provider
  378. if (isset($provider['entity'])) {
  379. $container
  380. ->setDefinition($name, new DefinitionDecorator('security.user.provider.entity'))
  381. ->addArgument($provider['entity']['class'])
  382. ->addArgument($provider['entity']['property'])
  383. ;
  384. return $name;
  385. }
  386. // In-memory DAO provider
  387. $definition = $container->setDefinition($name, new DefinitionDecorator('security.user.provider.in_memory'));
  388. foreach ($provider['users'] as $username => $user) {
  389. $userId = $name.'_'.$username;
  390. $container
  391. ->setDefinition($userId, new DefinitionDecorator('security.user.provider.in_memory.user'))
  392. ->setArguments(array($username, (string)$user['password'], $user['roles']))
  393. ;
  394. $definition->addMethodCall('createUser', array(new Reference($userId)));
  395. }
  396. return $name;
  397. }
  398. private function getUserProviderId($name)
  399. {
  400. return 'security.user.provider.concrete.'.$name;
  401. }
  402. private function createExceptionListener($container, $config, $id, $defaultEntryPoint)
  403. {
  404. $exceptionListenerId = 'security.exception_listener.'.$id;
  405. $listener = $container->setDefinition($exceptionListenerId, new DefinitionDecorator('security.exception_listener'));
  406. $listener->replaceArgument(2, null === $defaultEntryPoint ? null : new Reference($defaultEntryPoint));
  407. // access denied handler setup
  408. if (isset($config['access_denied_handler'])) {
  409. $listener->replaceArgument(4, new Reference($config['access_denied_handler']));
  410. } else if (isset($config['access_denied_url'])) {
  411. $listener->replaceArgument(3, $config['access_denied_url']);
  412. }
  413. return $exceptionListenerId;
  414. }
  415. private function createSwitchUserListener($container, $id, $config, $defaultProvider)
  416. {
  417. $userProvider = isset($config['provider']) ? $this->getUserProviderId($config['provider']) : $defaultProvider;
  418. $switchUserListenerId = 'security.authentication.switchuser_listener.'.$id;
  419. $listener = $container->setDefinition($switchUserListenerId, new DefinitionDecorator('security.authentication.switchuser_listener'));
  420. $listener->replaceArgument(1, new Reference($userProvider));
  421. $listener->replaceArgument(3, $id);
  422. $listener->replaceArgument(6, $config['parameter']);
  423. $listener->replaceArgument(7, $config['role']);
  424. return $switchUserListenerId;
  425. }
  426. private function createRequestMatcher($container, $path = null, $host = null, $methods = null, $ip = null, array $attributes = array())
  427. {
  428. $serialized = serialize(array($path, $host, $methods, $ip, $attributes));
  429. $id = 'security.request_matcher.'.md5($serialized).sha1($serialized);
  430. if (isset($this->requestMatchers[$id])) {
  431. return $this->requestMatchers[$id];
  432. }
  433. // only add arguments that are necessary
  434. $arguments = array($path, $host, $methods, $ip, $attributes);
  435. while (count($arguments) > 0 && !end($arguments)) {
  436. array_pop($arguments);
  437. }
  438. $container
  439. ->register($id, '%security.matcher.class%')
  440. ->setPublic(false)
  441. ->setArguments($arguments)
  442. ;
  443. return $this->requestMatchers[$id] = new Reference($id);
  444. }
  445. private function createListenerFactories(ContainerBuilder $container, $config)
  446. {
  447. if (null !== $this->factories) {
  448. return $this->factories;
  449. }
  450. // load service templates
  451. $c = new ContainerBuilder();
  452. $parameterBag = $container->getParameterBag();
  453. $loader = new XmlFileLoader($c, new FileLocator(__DIR__.'/../Resources/config'));
  454. $loader->load('security_factories.xml');
  455. // load user-created listener factories
  456. foreach ($config['factories'] as $factory) {
  457. $loader->load($parameterBag->resolveValue($factory));
  458. }
  459. $tags = $c->findTaggedServiceIds('security.listener.factory');
  460. $factories = array();
  461. foreach ($this->listenerPositions as $position) {
  462. $factories[$position] = array();
  463. }
  464. foreach (array_keys($tags) as $tag) {
  465. $factory = $c->get($tag);
  466. $factories[$factory->getPosition()][] = $factory;
  467. }
  468. return $this->factories = $factories;
  469. }
  470. /**
  471. * Returns the base path for the XSD files.
  472. *
  473. * @return string The XSD base path
  474. */
  475. public function getXsdValidationBasePath()
  476. {
  477. return __DIR__.'/../Resources/config/schema';
  478. }
  479. public function getNamespace()
  480. {
  481. return 'http://symfony.com/schema/dic/security';
  482. }
  483. }