[Security] Add a method in the security helper to ease programmatic logout (symfony#40663)

johnkrovitch · chalasr · commit f576173a96ce · 2022-07-19T17:58:32.000+02:00
diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -8,6 +8,7 @@ CHANGELOG
  * Deprecate the `Symfony\Component\Security\Core\Security` service alias, use `Symfony\Bundle\SecurityBundle\Security\Security` instead
  * Add `Security::getFirewallConfig()` to help to get the firewall configuration associated to the Request
  * Add `Security::login()` to login programmatically
+ * Add `Security::logout()` to logout programmatically
 
 6.1
 ---
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -376,6 +376,13 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
         $container->register($firewallEventDispatcherId, EventDispatcher::class)
             ->addTag('event_dispatcher.dispatcher', ['name' => $firewallEventDispatcherId]);
 
+        $eventDispatcherLocator = $container->getDefinition('security.firewall.event_dispatcher_locator');
+        $eventDispatcherLocator
+            ->replaceArgument(0, array_merge($eventDispatcherLocator->getArgument(0), [
+                $id => new ServiceClosureArgument(new Reference($firewallEventDispatcherId)),
+            ]))
+        ;
+
         // Register listeners
         $listeners = [];
         $listenerKeys = [];
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
@@ -86,6 +86,7 @@
                     'request_stack' => service('request_stack'),
                     'security.firewall.map' => service('security.firewall.map'),
                     'security.user_checker' => service('security.user_checker'),
+                    'security.firewall.event_dispatcher_locator' => service('security.firewall.event_dispatcher_locator'),
                 ]),
                 abstract_arg('authenticators'),
             ])
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\DependencyInjection\Loader\Configurator;
 
+use Symfony\Component\DependencyInjection\ServiceLocator;
 use Symfony\Component\Security\Http\AccessMap;
 use Symfony\Component\Security\Http\Authentication\CustomAuthenticationFailureHandler;
 use Symfony\Component\Security\Http\Authentication\CustomAuthenticationSuccessHandler;
@@ -160,5 +161,8 @@
                 service('security.access_map'),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
+
+        ->set('security.firewall.event_dispatcher_locator', ServiceLocator::class)
+            ->args([[]])
     ;
 };
diff --git a/src/Symfony/Bundle/SecurityBundle/Security/Security.php b/src/Symfony/Bundle/SecurityBundle/Security/Security.php
@@ -13,10 +13,12 @@
 
 use Psr\Container\ContainerInterface;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Exception\LogicException;
 use Symfony\Component\Security\Core\Security as LegacySecurity;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
+use Symfony\Component\Security\Http\Event\LogoutEvent;
 use Symfony\Contracts\Service\ServiceProviderInterface;
 
 /**
@@ -60,6 +62,28 @@ public function login(UserInterface $user, string $authenticatorName = null, str
         $this->container->get('security.user_authenticator')->authenticateUser($user, $authenticator, $request);
     }
 
+    /**
+     * Logout the current user by dispatching the LogoutEvent.
+     *
+     * @return Response|null The LogoutEvent's Response if any
+     */
+    public function logout(): ?Response
+    {
+        $request = $this->container->get('request_stack')->getMainRequest();
+        $logoutEvent = new LogoutEvent($request, $this->container->get('security.token_storage')->getToken());
+        $firewallConfig = $this->container->get('security.firewall.map')->getFirewallConfig($request);
+
+        if (!$firewallConfig) {
+            throw new LogicException('It is not possible to logout, as the request is not behind a firewall.');
+        }
+        $firewallName = $firewallConfig->getName();
+
+        $this->container->get('security.firewall.event_dispatcher_locator')->get($firewallName)->dispatch($logoutEvent);
+        $this->container->get('security.token_storage')->setToken();
+
+        return $logoutEvent->getResponse();
+    }
+
     private function getAuthenticator(?string $authenticatorName, string $firewallName): AuthenticatorInterface
     {
         if (!\array_key_exists($firewallName, $this->authenticators)) {
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/SecurityTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/SecurityTest.php
@@ -99,6 +99,24 @@ public function testLoginWithBuiltInAuthenticator(string $authenticator)
         $this->assertSame(200, $response->getStatusCode());
         $this->assertSame(['message' => 'Welcome @chalasr!'], json_decode($response->getContent(), true));
     }
+
+    /**
+     * @testWith    ["json_login"]
+     *              ["Symfony\\Bundle\\SecurityBundle\\Tests\\Functional\\Bundle\\AuthenticatorBundle\\ApiAuthenticator"]
+     */
+    public function testLogout(string $authenticator)
+    {
+        $client = $this->createClient(['test_case' => 'SecurityHelper', 'root_config' => 'config.yml', 'debug' => true]);
+        static::getContainer()->get(WelcomeController::class)->authenticator = $authenticator;
+        $client->request('GET', '/welcome');
+        $this->assertEquals('chalasr', static::getContainer()->get('security.helper')->getUser()->getUserIdentifier());
+
+        $client->request('GET', '/auto-logout');
+        $response = $client->getResponse();
+        $this->assertSame(200, $response->getStatusCode());
+        $this->assertNull(static::getContainer()->get('security.helper')->getUser());
+        $this->assertSame(['message' => 'Logout successful'], json_decode($response->getContent(), true));
+    }
 }
 
 final class UserWithoutEquatable implements UserInterface, PasswordAuthenticatedUserInterface
@@ -224,3 +242,17 @@ public function welcome()
         return new JsonResponse(['message' => sprintf('Welcome @%s!', $this->security->getUser()->getUserIdentifier())]);
     }
 }
+
+class LogoutController
+{
+    public function __construct(private Security $security)
+    {
+    }
+
+    public function logout()
+    {
+        $this->security->logout();
+
+        return new JsonResponse(['message' => 'Logout successful']);
+    }
+}
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/SecurityHelper/config.yml b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/SecurityHelper/config.yml
@@ -15,6 +15,10 @@ services:
         arguments: ['@security.helper']
         public: true
 
+    Symfony\Bundle\SecurityBundle\Tests\Functional\LogoutController:
+        arguments: ['@security.helper']
+        public: true
+
     Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\AuthenticatorBundle\ApiAuthenticator: ~
 
 security:
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/SecurityHelper/routing.yml b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/SecurityHelper/routing.yml
@@ -1,3 +1,7 @@
 welcome:
     path: /welcome
-    defaults: { _controller: Symfony\Bundle\SecurityBundle\Tests\Functional\WelcomeController::welcome }
+    controller: Symfony\Bundle\SecurityBundle\Tests\Functional\WelcomeController::welcome
+
+logout:
+    path: /auto-logout
+    controller: Symfony\Bundle\SecurityBundle\Tests\Functional\LogoutController::logout
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Security/SecurityTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Security/SecurityTest.php
@@ -19,15 +19,19 @@
 use Symfony\Component\DependencyInjection\ServiceLocator;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Exception\LogicException;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Http\Authentication\UserAuthenticatorInterface;
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
+use Symfony\Component\Security\Http\Event\LogoutEvent;
+use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
 use Symfony\Contracts\Service\ServiceProviderInterface;
 
 class SecurityTest extends TestCase
@@ -117,7 +121,7 @@ public function getFirewallConfigTests()
         yield [$request, new FirewallConfig('main', 'acme_user_checker')];
     }
 
-    public function testAutoLogin()
+    public function testLogin()
     {
         $request = new Request();
         $authenticator = $this->createMock(AuthenticatorInterface::class);
@@ -163,6 +167,180 @@ public function testAutoLogin()
         $security->login($user);
     }
 
+    public function testLogout()
+    {
+        $request = new Request();
+        $requestStack = $this->createMock(RequestStack::class);
+        $requestStack
+            ->expects($this->once())
+            ->method('getMainRequest')
+            ->willReturn($request)
+        ;
+
+        $token = $this->createMock(TokenInterface::class);
+        $tokenStorage = $this->createMock(TokenStorageInterface::class);
+        $tokenStorage
+            ->expects($this->once())
+            ->method('getToken')
+            ->willReturn($token)
+        ;
+        $tokenStorage
+            ->expects($this->once())
+            ->method('setToken')
+        ;
+
+        $eventDispatcher = $this->createMock(EventDispatcherInterface::class);
+        $eventDispatcher
+            ->expects($this->once())
+            ->method('dispatch')
+            ->with(new LogoutEvent($request, $token))
+        ;
+
+        $firewallMap = $this->createMock(FirewallMap::class);
+        $firewallConfig = new FirewallConfig('my_firewall', 'user_checker');
+        $firewallMap
+            ->expects($this->once())
+            ->method('getFirewallConfig')
+            ->willReturn($firewallConfig)
+        ;
+
+        $eventDispatcherLocator = $this->createMock(ContainerInterface::class);
+        $eventDispatcherLocator
+            ->expects($this->atLeastOnce())
+            ->method('get')
+            ->willReturnMap([
+                ['my_firewall', $eventDispatcher],
+            ])
+        ;
+
+        $container = $this->createMock(ContainerInterface::class);
+        $container
+            ->expects($this->atLeastOnce())
+            ->method('get')
+            ->willReturnMap([
+                ['request_stack', $requestStack],
+                ['security.token_storage', $tokenStorage],
+                ['security.firewall.map', $firewallMap],
+                ['security.firewall.event_dispatcher_locator', $eventDispatcherLocator],
+            ])
+        ;
+        $security = new Security($container);
+        $security->logout();
+    }
+
+    public function testLogoutWithoutFirewall()
+    {
+        $request = new Request();
+        $requestStack = $this->createMock(RequestStack::class);
+        $requestStack
+            ->expects($this->once())
+            ->method('getMainRequest')
+            ->willReturn($request)
+        ;
+
+        $token = $this->createMock(TokenInterface::class);
+        $tokenStorage = $this->createMock(TokenStorageInterface::class);
+        $tokenStorage
+            ->expects($this->once())
+            ->method('getToken')
+            ->willReturn($token)
+        ;
+
+        $firewallMap = $this->createMock(FirewallMap::class);
+        $firewallMap
+            ->expects($this->once())
+            ->method('getFirewallConfig')
+            ->willReturn(null)
+        ;
+
+        $container = $this->createMock(ContainerInterface::class);
+        $container
+            ->expects($this->atLeastOnce())
+            ->method('get')
+            ->willReturnMap([
+                ['request_stack', $requestStack],
+                ['security.token_storage', $tokenStorage],
+                ['security.firewall.map', $firewallMap],
+            ])
+        ;
+
+        $this->expectException(LogicException::class);
+        $security = new Security($container);
+        $security->logout();
+    }
+
+    public function testLogoutWithResponse()
+    {
+        $request = new Request();
+        $requestStack = $this->createMock(RequestStack::class);
+        $requestStack
+            ->expects($this->once())
+            ->method('getMainRequest')
+            ->willReturn($request)
+        ;
+
+        $token = $this->createMock(TokenInterface::class);
+        $tokenStorage = $this->createMock(TokenStorageInterface::class);
+        $tokenStorage
+            ->expects($this->once())
+            ->method('getToken')
+            ->willReturn($token)
+        ;
+        $tokenStorage
+            ->expects($this->once())
+            ->method('setToken')
+        ;
+
+        $eventDispatcher = $this->createMock(EventDispatcherInterface::class);
+        $eventDispatcher
+            ->expects($this->once())
+            ->method('dispatch')
+            ->willReturnCallback(function ($event) use ($request, $token) {
+                $this->assertInstanceOf(LogoutEvent::class, $event);
+                $this->assertEquals($request, $event->getRequest());
+                $this->assertEquals($token, $event->getToken());
+
+                $event->setResponse(new Response('a custom response'));
+
+                return $event;
+            })
+        ;
+
+        $firewallMap = $this->createMock(FirewallMap::class);
+        $firewallConfig = new FirewallConfig('my_firewall', 'user_checker');
+        $firewallMap
+            ->expects($this->once())
+            ->method('getFirewallConfig')
+            ->willReturn($firewallConfig)
+        ;
+
+        $eventDispatcherLocator = $this->createMock(ContainerInterface::class);
+        $eventDispatcherLocator
+            ->expects($this->atLeastOnce())
+            ->method('get')
+            ->willReturnMap([
+                ['my_firewall', $eventDispatcher],
+            ])
+        ;
+
+        $container = $this->createMock(ContainerInterface::class);
+        $container
+            ->expects($this->atLeastOnce())
+            ->method('get')
+            ->willReturnMap([
+                ['request_stack', $requestStack],
+                ['security.token_storage', $tokenStorage],
+                ['security.firewall.map', $firewallMap],
+                ['security.firewall.event_dispatcher_locator', $eventDispatcherLocator],
+            ])
+        ;
+        $security = new Security($container);
+        $response = $security->logout();
+
+        $this->assertInstanceOf(Response::class, $response);
+        $this->assertEquals('a custom response', $response->getContent());
+    }
+
     private function createContainer(string $serviceId, object $serviceObject): ContainerInterface
     {
         return new ServiceLocator([$serviceId => fn () => $serviceObject]);
