Lazily load the user during the check passport event

wouterj · fabpot · commit 7cd40b015c0a · 2020-08-27T16:28:46.000+02:00
diff --git a/DependencyInjection/SecurityExtension.php b/DependencyInjection/SecurityExtension.php
@@ -41,6 +41,7 @@
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Controller\UserValueResolver;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Http\Event\CheckPassportEvent;
 use Twig\Extension\AbstractExtension;
 
 /**
@@ -342,6 +343,12 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
                 throw new InvalidConfigurationException(sprintf('Invalid firewall "%s": user provider "%s" not found.', $id, $firewall['provider']));
             }
             $defaultProvider = $providerIds[$normalizedName];
+
+            if ($this->authenticatorManagerEnabled) {
+                $container->setDefinition('security.listener.'.$id.'.user_provider', new ChildDefinition('security.listener.user_provider.abstract'))
+                    ->addTag('kernel.event_listener', ['event' => CheckPassportEvent::class, 'priority' => 2048, 'method' => 'checkPassport'])
+                    ->replaceArgument(0, new Reference($defaultProvider));
+            }
         } elseif (1 === \count($providerIds)) {
             $defaultProvider = reset($providerIds);
         }
@@ -632,7 +639,7 @@ private function getUserProvider(ContainerBuilder $container, string $id, array
             return $userProvider;
         }
 
-        if ('remember_me' === $factoryKey || 'anonymous' === $factoryKey) {
+        if ('remember_me' === $factoryKey || 'anonymous' === $factoryKey || 'custom_authenticators' === $factoryKey) {
             return 'security.user_providers';
         }
 
diff --git a/Resources/config/security_authenticator.php b/Resources/config/security_authenticator.php
@@ -23,11 +23,13 @@
 use Symfony\Component\Security\Http\Authenticator\RememberMeAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\RemoteUserAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\X509Authenticator;
+use Symfony\Component\Security\Http\Event\CheckPassportEvent;
 use Symfony\Component\Security\Http\EventListener\CheckCredentialsListener;
 use Symfony\Component\Security\Http\EventListener\PasswordMigratingListener;
 use Symfony\Component\Security\Http\EventListener\RememberMeListener;
 use Symfony\Component\Security\Http\EventListener\SessionStrategyListener;
 use Symfony\Component\Security\Http\EventListener\UserCheckerListener;
+use Symfony\Component\Security\Http\EventListener\UserProviderListener;
 use Symfony\Component\Security\Http\Firewall\AuthenticatorManagerListener;
 
 return static function (ContainerConfigurator $container) {
@@ -73,6 +75,18 @@
             ])
             ->tag('kernel.event_subscriber')
 
+        ->set('security.listener.user_provider', UserProviderListener::class)
+            ->args([
+                service('security.user_providers'),
+            ])
+            ->tag('kernel.event_listener', ['event' => CheckPassportEvent::class, 'priority' => 1024, 'method' => 'checkPassport'])
+
+        ->set('security.listener.user_provider.abstract', UserProviderListener::class)
+            ->abstract()
+            ->args([
+                abstract_arg('user provider'),
+            ])
+
         ->set('security.listener.password_migrating', PasswordMigratingListener::class)
             ->args([
                 service('security.encoder_factory'),
diff --git a/Tests/Functional/AuthenticatorTest.php b/Tests/Functional/AuthenticatorTest.php
@@ -0,0 +1,52 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
+
+class AuthenticatorTest extends AbstractWebTestCase
+{
+    /**
+     * @dataProvider provideEmails
+     */
+    public function testGlobalUserProvider($email)
+    {
+        $client = $this->createClient(['test_case' => 'Authenticator', 'root_config' => 'implicit_user_provider.yml']);
+
+        $client->request('GET', '/profile', [], [], [
+            'HTTP_X-USER-EMAIL' => $email,
+        ]);
+        $this->assertJsonStringEqualsJsonString('{"email":"'.$email.'"}', $client->getResponse()->getContent());
+    }
+
+    /**
+     * @dataProvider provideEmails
+     */
+    public function testFirewallUserProvider($email, $withinFirewall)
+    {
+        $client = $this->createClient(['test_case' => 'Authenticator', 'root_config' => 'firewall_user_provider.yml']);
+
+        $client->request('GET', '/profile', [], [], [
+            'HTTP_X-USER-EMAIL' => $email,
+        ]);
+
+        if ($withinFirewall) {
+            $this->assertJsonStringEqualsJsonString('{"email":"'.$email.'"}', $client->getResponse()->getContent());
+        } else {
+            $this->assertJsonStringEqualsJsonString('{"error":"Username could not be found."}', $client->getResponse()->getContent());
+        }
+    }
+
+    public function provideEmails()
+    {
+        yield ['jane@example.org', true];
+        yield ['john@example.org', false];
+    }
+}
diff --git a/Tests/Functional/Bundle/AuthenticatorBundle/ApiAuthenticator.php b/Tests/Functional/Bundle/AuthenticatorBundle/ApiAuthenticator.php
@@ -0,0 +1,53 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\AuthenticatorBundle;
+
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+
+class ApiAuthenticator extends AbstractAuthenticator
+{
+    public function supports(Request $request): ?bool
+    {
+        return $request->headers->has('X-USER-EMAIL');
+    }
+
+    public function authenticate(Request $request): PassportInterface
+    {
+        $email = $request->headers->get('X-USER-EMAIL');
+        if (false === strpos($email, '@')) {
+            throw new BadCredentialsException('Email is not a valid email address.');
+        }
+
+        return new SelfValidatingPassport(new UserBadge($email));
+    }
+
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
+    {
+        return null;
+    }
+
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
+    {
+        return new JsonResponse([
+            'error' => $exception->getMessageKey(),
+        ], JsonResponse::HTTP_FORBIDDEN);
+    }
+}
diff --git a/Tests/Functional/Bundle/AuthenticatorBundle/ProfileController.php b/Tests/Functional/Bundle/AuthenticatorBundle/ProfileController.php
@@ -0,0 +1,24 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\AuthenticatorBundle;
+
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+
+class ProfileController extends AbstractController
+{
+    public function __invoke()
+    {
+        $this->denyAccessUnlessGranted('ROLE_USER');
+
+        return $this->json(['email' => $this->getUser()->getUsername()]);
+    }
+}
diff --git a/Tests/Functional/CsrfFormLoginTest.php b/Tests/Functional/CsrfFormLoginTest.php
@@ -51,10 +51,6 @@ public function testFormLoginWithInvalidCsrfToken($options)
         $client = $this->createClient($options);
 
         $form = $client->request('GET', '/login')->selectButton('login')->form();
-        if ($options['enable_authenticator_manager'] ?? false) {
-            $form['user_login[username]'] = 'johannes';
-            $form['user_login[password]'] = 'test';
-        }
         $form['user_login[_token]'] = '';
         $client->submit($form);
 
diff --git a/Tests/Functional/app/Authenticator/bundles.php b/Tests/Functional/app/Authenticator/bundles.php
@@ -0,0 +1,15 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+return [
+    new Symfony\Bundle\FrameworkBundle\FrameworkBundle(),
+    new Symfony\Bundle\SecurityBundle\SecurityBundle(),
+];
diff --git a/Tests/Functional/app/Authenticator/config.yml b/Tests/Functional/app/Authenticator/config.yml
@@ -0,0 +1,33 @@
+framework:
+    secret: test
+    router: { resource: "%kernel.project_dir%/%kernel.test_case%/routing.yml", utf8: true }
+    test: ~
+    default_locale: en
+    profiler: false
+    session:
+        storage_id: session.storage.mock_file
+
+services:
+    logger: { class: Psr\Log\NullLogger }
+    Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\AuthenticatorBundle\ProfileController:
+        public: true
+        calls:
+            - ['setContainer', ['@Psr\Container\ContainerInterface']]
+        tags: [container.service_subscriber]
+    Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\AuthenticatorBundle\ApiAuthenticator: ~
+
+security:
+    enable_authenticator_manager: true
+
+    encoders:
+        Symfony\Component\Security\Core\User\User: plaintext
+
+    providers:
+        in_memory:
+            memory:
+                users:
+                    'jane@example.org': { password: test, roles: [ROLE_USER] }
+        in_memory2:
+            memory:
+                users:
+                    'john@example.org': { password: test, roles: [ROLE_USER] }
diff --git a/Tests/Functional/app/Authenticator/firewall_user_provider.yml b/Tests/Functional/app/Authenticator/firewall_user_provider.yml
@@ -0,0 +1,10 @@
+imports:
+- { resource: ./config.yml }
+
+security:
+    firewalls:
+        api:
+            pattern: /
+            provider: in_memory
+            custom_authenticator: Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\AuthenticatorBundle\ApiAuthenticator
+
diff --git a/Tests/Functional/app/Authenticator/implicit_user_provider.yml b/Tests/Functional/app/Authenticator/implicit_user_provider.yml
@@ -0,0 +1,9 @@
+imports:
+- { resource: ./config.yml }
+
+security:
+    firewalls:
+        api:
+            pattern: /
+            custom_authenticator: Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\AuthenticatorBundle\ApiAuthenticator
+
diff --git a/Tests/Functional/app/Authenticator/routing.yml b/Tests/Functional/app/Authenticator/routing.yml
@@ -0,0 +1,4 @@
+profile:
+    path: /profile
+    defaults:
+        _controller: Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\AuthenticatorBundle\ProfileController
