Add access_control rule for form login auth

Author: Gary PEGEOT

src/Maker/MakeAuthenticator.php

@@ -226,7 +226,8 @@ public function generate(InputInterface $input, ConsoleStyle $io, Generator $gen
                 $entryPoint,
                 $input->getArgument('authenticator-class'),
                 $input->hasArgument('logout-setup') ? $input->getArgument('logout-setup') : false,
-                $this->useSecurity52
+                $this->useSecurity52,
+                self::AUTH_TYPE_FORM_LOGIN === $input->getArgument('authenticator-type')
             );
             $generator->dumpFile($path, $newYaml);
             $securityYamlUpdated = true;

src/Security/SecurityConfigUpdater.php

@@ -59,7 +59,7 @@ public function updateForUserClass(string $yamlSource, UserClassConfiguration $u
         return $contents;
     }
 
-    public function updateForAuthenticator(string $yamlSource, string $firewallName, $chosenEntryPoint, string $authenticatorClass, bool $logoutSetup, bool $useSecurity52): string
+    public function updateForAuthenticator(string $yamlSource, string $firewallName, $chosenEntryPoint, string $authenticatorClass, bool $logoutSetup, bool $useSecurity52, bool $addAccessControlRule = false): string
     {
         $this->manipulator = new YamlSourceManipulator($yamlSource);
 
@@ -134,6 +134,20 @@ public function updateForAuthenticator(string $yamlSource, string $firewallName,
 
         $newData['security']['firewalls'][$firewallName] = $firewall;
 
+        $accessControlRules = $newData['security']['access_control'] ?? [];
+
+        foreach ($accessControlRules as $rule) {
+            if ('^/login$' === $rule['path']) {
+                $addAccessControlRule = false;
+                break;
+            }
+        }
+
+        if ($addAccessControlRule) {
+            array_unshift($accessControlRules, ['path' => '^/login$', 'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY']);
+            $newData['security']['access_control'] = $accessControlRules;
+        }
+
         $this->manipulator->setData($newData);
 
         return $this->manipulator->getContents();

tests/Security/SecurityConfigUpdaterTest.php

@@ -100,13 +100,13 @@ public function getUserClassTests()
     /**
      * @dataProvider getAuthenticatorTests
      */
-    public function testUpdateForAuthenticator(string $firewallName, $entryPoint, string $expectedSourceFilename, string $startingSourceFilename, bool $logoutSetup, bool $useSecurity51)
+    public function testUpdateForAuthenticator(string $firewallName, $entryPoint, string $expectedSourceFilename, string $startingSourceFilename, bool $logoutSetup, bool $useSecurity51, bool $addAccessControl = false)
     {
         $this->createLogger();
 
         $updater = new SecurityConfigUpdater($this->ysmLogger);
         $source = file_get_contents(__DIR__.'/yaml_fixtures/source/'.$startingSourceFilename);
-        $actualSource = $updater->updateForAuthenticator($source, $firewallName, $entryPoint, 'App\\Security\\AppCustomAuthenticator', $logoutSetup, $useSecurity51);
+        $actualSource = $updater->updateForAuthenticator($source, $firewallName, $entryPoint, 'App\\Security\\AppCustomAuthenticator', $logoutSetup, $useSecurity51, $addAccessControl);
         $expectedSource = file_get_contents(__DIR__.'/yaml_fixtures/expected_authenticator/'.$expectedSourceFilename);
 
         $this->assertSame($expectedSource, $actualSource);
@@ -185,6 +185,26 @@ public function getAuthenticatorTests()
             false,
             true,
         ];
+
+        yield 'simple_security_with_access_control' => [
+            'main',
+            null,
+            'simple_security_with_access_control.yaml',
+            'simple_security_with_access_control.yaml',
+            false,
+            false,
+            true
+        ];
+
+        yield 'simple_security_without_access_control' => [
+            'main',
+            null,
+            'simple_security_with_added_access_control.yaml',
+            'simple_security.yaml',
+            false,
+            false,
+            true
+        ];
     }
 
     private function createLogger(): void

tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_access_control.yaml

@@ -0,0 +1,17 @@
+security:
+    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    providers:
+        in_memory: { memory: ~ }
+
+    firewalls:
+        dev: ~
+        main:
+            anonymous: true
+            guard:
+                authenticators:
+                    - App\Security\AppCustomAuthenticator
+
+    # Easy way to control access for large sections of your site
+    # Note: Only the *first* access control that matches will be used
+    access_control:
+        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }

tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_added_access_control.yaml

@@ -0,0 +1,16 @@
+security:
+    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    providers:
+        in_memory: { memory: ~ }
+
+    firewalls:
+        dev: ~
+        main:
+            anonymous: true
+            guard:
+                authenticators:
+                    - App\Security\AppCustomAuthenticator
+    access_control:
+        -
+            path: ^/login$
+            roles: IS_AUTHENTICATED_ANONYMOUSLY

tests/Security/yaml_fixtures/source/simple_security_with_access_control.yaml

@@ -0,0 +1,13 @@
+security:
+    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    providers:
+        in_memory: { memory: ~ }
+
+    firewalls:
+        dev: ~
+        main: ~
+
+    # Easy way to control access for large sections of your site
+    # Note: Only the *first* access control that matches will be used
+    access_control:
+        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }