NotificationsYou must be signed in to change notification settings
Fork9.7k
Star30.8k

Commit998c066

committed

[Security] Make stateful firewalls turn responses private only when needed

1 parentba313d3 commit998c066Copy full SHA for 998c066

File tree

15 files changed

+353

-42

lines changed

src/Symfony
- Bundle/SecurityBundle
  - DependencyInjection/Compiler
    - RegisterTokenUsageTrackingPass.php
  - Resources/config
  - SecurityBundle.php
- Component
  - HttpFoundation/Session
    - Session.php
  - Security
    - Core
      - Authentication/Token/Storage
        UsageTrackingTokenStorage.php
      - Tests/Authentication/Token/Storage
        UsageTrackingTokenStorageTest.php
      - composer.json
    - Http
      - Firewall
        AccessListener.php
        ContextListener.php
      - Tests/Firewall
        AccessListenerTest.php
        ContextListenerTest.php
      - composer.json

15 files changed

+353

-42

lines changed

`‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterTokenUsageTrackingPass.php‎`

Lines changed: 51 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,51 @@`
	`1`	`+<?php`
	`2`	`+`
	`3`	`+/*`
	`4`	`+ * This file is part of the Symfony package.`
	`5`	`+ *`
	`6`	`+ * (c) Fabien Potencier <fabien@symfony.com>`
	`7`	`+ *`
	`8`	`+ * For the full copyright and license information, please view the LICENSE`
	`9`	`+ * file that was distributed with this source code.`
	`10`	`+ */`
	`11`	`+`
	`12`	`+namespaceSymfony\Bundle\SecurityBundle\DependencyInjection\Compiler;`
	`13`	`+`
	`14`	`+useSymfony\Bridge\Monolog\Processor\ProcessorInterface;`
	`15`	`+useSymfony\Component\DependencyInjection\Argument\BoundArgument;`
	`16`	`+useSymfony\Component\DependencyInjection\Compiler\CompilerPassInterface;`
	`17`	`+useSymfony\Component\DependencyInjection\ContainerBuilder;`
	`18`	`+useSymfony\Component\DependencyInjection\Reference;`
	`19`	`+useSymfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;`
	`20`	`+`
	`21`	`+/**`
	`22`	`+ * Injects the session tracker enabler in "security.context_listener" + binds "security.untracked_token_storage" to ProcessorInterface instances.`
	`23`	`+ *`
	`24`	`+ * @author Nicolas Grekas <p@tchwork.com>`
	`25`	`+ *`
	`26`	`+ * @internal`
	`27`	`+ */`
	`28`	`+class RegisterTokenUsageTrackingPassimplements CompilerPassInterface`
	`29`	`+{`
	`30`	`+/**`
	`31`	`+ * {@inheritdoc}`
	`32`	`+ */`
	`33`	`+publicfunctionprocess(ContainerBuilder$container)`
	`34`	`+ {`
	`35`	`+if (!$container->has('security.untracked_token_storage')) {`
	`36`	`+return;`
	`37`	`+ }`
	`38`	`+`
	`39`	`+$processorAutoconfiguration =$container->registerForAutoconfiguration(ProcessorInterface::class);`
	`40`	`+$processorAutoconfiguration->setBindings($processorAutoconfiguration->getBindings() + [`
	`41`	`+ TokenStorageInterface::class =>newBoundArgument(newReference('security.untracked_token_storage'),false),`
	`42`	`+ ]);`
	`43`	`+`
	`44`	`+if (!$container->has('session')) {`
	`45`	`+$container->setAlias('security.token_storage','security.untracked_token_storage')->setPublic(true);`
	`46`	`+ }elseif ($container->hasDefinition('security.context_listener')) {`
	`47`	`+$container->getDefinition('security.context_listener')`
	`48`	`+ ->setArgument(6, [newReference('security.token_storage'),'enableUsageTracking']);`
	`49`	`+ }`
	`50`	`+ }`
	`51`	`+}`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/collectors.xml‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`
`10`	`10`	`<serviceid="data_collector.security"class="Symfony\Bundle\SecurityBundle\DataCollector\SecurityDataCollector">`
`11`	`11`	`<tagname="data_collector"template="@Security/Collector/security.html.twig"id="security"priority="270" />`
`12`		`- <argumenttype="service"id="security.token_storage"on-invalid="ignore" />`
	`12`	`+ <argumenttype="service"id="security.untracked_token_storage" />`
`13`	`13`	`<argumenttype="service"id="security.role_hierarchy" />`
`14`	`14`	`<argumenttype="service"id="security.logout_url_generator" />`
`15`	`15`	`<argumenttype="service"id="security.access.decision_manager" />`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml‎`

Lines changed: 9 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -21,11 +21,17 @@`
`21`	`21`	`</service>`
`22`	`22`	`<serviceid="Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface"alias="security.authorization_checker" />`
`23`	`23`
`24`		`- <serviceid="security.token_storage"class="Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage"public="true">`
`25`		`- <tagname="kernel.reset"method="setToken" />`
	`24`	`+ <serviceid="security.token_storage"class="Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage"public="true">`
	`25`	`+ <tagname="kernel.reset"method="disableUsageTracking" />`
	`26`	`+ <argumenttype="service"id="security.untracked_token_storage" />`
	`27`	`+ <argumenttype="service_locator">`
	`28`	`+ <argumentkey="session"type="service"id="session" />`
	`29`	`+ </argument>`
`26`	`30`	`</service>`
`27`	`31`	`<serviceid="Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface"alias="security.token_storage" />`
`28`	`32`
	`33`	`+ <serviceid="security.untracked_token_storage"class="Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage" />`
	`34`	`+`
`29`	`35`	`<serviceid="security.helper"class="Symfony\Component\Security\Core\Security">`
`30`	`36`	`<argumenttype="service_locator">`
`31`	`37`	`<argumentkey="security.token_storage"type="service"id="security.token_storage" />`
`@@ -162,7 +168,7 @@`
`162`	`168`	`<serviceid="security.logout_url_generator"class="Symfony\Component\Security\Http\Logout\LogoutUrlGenerator">`
`163`	`169`	`<argumenttype="service"id="request_stack"on-invalid="null" />`
`164`	`170`	`<argumenttype="service"id="router"on-invalid="null" />`
`165`		`- <argumenttype="service"id="security.token_storage"on-invalid="null"/>`
	`171`	`+ <argumenttype="service"id="security.token_storage" />`
`166`	`172`	`</service>`
`167`	`173`
`168`	`174`	`<!-- Provisioning-->`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml‎`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`
`10`	`10`	`<serviceid="security.authentication.listener.anonymous"class="Symfony\Component\Security\Http\Firewall\AnonymousAuthenticationListener">`
`11`	`11`	`<tagname="monolog.logger"channel="security" />`
`12`		`- <argumenttype="service"id="security.token_storage" />`
	`12`	`+ <argumenttype="service"id="security.untracked_token_storage" />`
`13`	`13`	`<argument /><!-- Key-->`
`14`	`14`	`<argumenttype="service"id="logger"on-invalid="null" />`
`15`	`15`	`<argumenttype="service"id="security.authentication.manager" />`
`@@ -37,7 +37,7 @@`
`37`	`37`
`38`	`38`	`<serviceid="security.context_listener"class="Symfony\Component\Security\Http\Firewall\ContextListener">`
`39`	`39`	`<tagname="monolog.logger"channel="security" />`
`40`		`- <argumenttype="service"id="security.token_storage" />`
	`40`	`+ <argumenttype="service"id="security.untracked_token_storage" />`
`41`	`41`	`<argumenttype="collection" />`
`42`	`42`	`<argument /><!-- Provider Key-->`
`43`	`43`	`<argumenttype="service"id="logger"on-invalid="null" />`
`@@ -128,7 +128,7 @@`
`128`	`128`
`129`	`129`	`<serviceid="security.authentication.listener.simple_preauth"class="Symfony\Component\Security\Http\Firewall\SimplePreAuthenticationListener"abstract="true">`
`130`	`130`	`<tagname="monolog.logger"channel="security" />`
`131`		`- <argumenttype="service"id="security.token_storage" />`
	`131`	`+ <argumenttype="service"id="security.untracked_token_storage" />`
`132`	`132`	`<argumenttype="service"id="security.authentication.manager" />`
`133`	`133`	`<argument /><!-- Provider-shared Key-->`
`134`	`134`	`<argument /><!-- Authenticator-->`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_rememberme.xml‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`
`10`	`10`	`<serviceid="security.authentication.listener.rememberme"class="Symfony\Component\Security\Http\Firewall\RememberMeListener"abstract="true">`
`11`	`11`	`<tagname="monolog.logger"channel="security" />`
`12`		`- <argumenttype="service"id="security.token_storage" />`
	`12`	`+ <argumenttype="service"id="security.untracked_token_storage" />`
`13`	`13`	`<argumenttype="service"id="security.authentication.rememberme" />`
`14`	`14`	`<argumenttype="service"id="security.authentication.manager" />`
`15`	`15`	`<argumenttype="service"id="logger"on-invalid="null" />`

`‎src/Symfony/Bundle/SecurityBundle/SecurityBundle.php‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@`
`15`	`15`	`useSymfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddSecurityVotersPass;`
`16`	`16`	`useSymfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddSessionDomainConstraintPass;`
`17`	`17`	`useSymfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterCsrfTokenClearingLogoutHandlerPass;`
	`18`	`+useSymfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterTokenUsageTrackingPass;`
`18`	`19`	`useSymfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AnonymousFactory;`
`19`	`20`	`useSymfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FormLoginFactory;`
`20`	`21`	`useSymfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FormLoginLdapFactory;`
`@@ -66,5 +67,6 @@ public function build(ContainerBuilder $container)`
`66`	`67`	`$container->addCompilerPass(newAddSecurityVotersPass());`
`67`	`68`	`$container->addCompilerPass(newAddSessionDomainConstraintPass(), PassConfig::TYPE_BEFORE_REMOVING);`
`68`	`69`	`$container->addCompilerPass(newRegisterCsrfTokenClearingLogoutHandlerPass());`
	`70`	`+$container->addCompilerPass(newRegisterTokenUsageTrackingPass(), PassConfig::TYPE_BEFORE_OPTIMIZATION,200);`
`69`	`71`	`}`
`70`	`72`	`}`

`‎src/Symfony/Component/HttpFoundation/Session/Session.php‎`

Lines changed: 1 addition & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -136,10 +136,7 @@ public function count()`
`136`	`136`	`return\count($this->getAttributeBag()->all());`
`137`	`137`	`}`
`138`	`138`
`139`		`-/**`
`140`		`- * @internal`
`141`		`- */`
`142`		`-publicfunctiongetUsageIndex():int`
	`139`	`+publicfunction &getUsageIndex():int`
`143`	`140`	`{`
`144`	`141`	`return$this->usageIndex;`
`145`	`142`	`}`

`‎src/Symfony/Component/Security/Core/Authentication/Token/Storage/UsageTrackingTokenStorage.php‎`

Lines changed: 73 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,73 @@`
	`1`	`+<?php`
	`2`	`+`
	`3`	`+/*`
	`4`	`+ * This file is part of the Symfony package.`
	`5`	`+ *`
	`6`	`+ * (c) Fabien Potencier <fabien@symfony.com>`
	`7`	`+ *`
	`8`	`+ * For the full copyright and license information, please view the LICENSE`
	`9`	`+ * file that was distributed with this source code.`
	`10`	`+ */`
	`11`	`+`
	`12`	`+namespaceSymfony\Component\Security\Core\Authentication\Token\Storage;`
	`13`	`+`
	`14`	`+usePsr\Container\ContainerInterface;`
	`15`	`+useSymfony\Component\HttpFoundation\Session\SessionInterface;`
	`16`	`+useSymfony\Component\Security\Core\Authentication\Token\TokenInterface;`
	`17`	`+useSymfony\Contracts\Service\ServiceSubscriberInterface;`
	`18`	`+`
	`19`	`+/**`
	`20`	`+ * A token storage that increments the session usage index when the token is accessed.`
	`21`	`+ *`
	`22`	`+ * @author Nicolas Grekas <p@tchwork.com>`
	`23`	`+ */`
	`24`	`+finalclass UsageTrackingTokenStorageimplements TokenStorageInterface, ServiceSubscriberInterface`
	`25`	`+{`
	`26`	`+private$storage;`
	`27`	`+private$sessionLocator;`
	`28`	`+private$enableUsageTracking =false;`
	`29`	`+`
	`30`	`+publicfunction__construct(TokenStorageInterface$storage,ContainerInterface$sessionLocator)`
	`31`	`+ {`
	`32`	`+$this->storage =$storage;`
	`33`	`+$this->sessionLocator =$sessionLocator;`
	`34`	`+ }`
	`35`	`+`
	`36`	`+/**`
	`37`	`+ * {@inheritdoc}`
	`38`	`+ */`
	`39`	`+publicfunctiongetToken(): ?TokenInterface`
	`40`	`+ {`
	`41`	`+if ($this->enableUsageTracking) {`
	`42`	`+// increments the internal session usage index`
	`43`	`+$this->sessionLocator->get('session')->getMetadataBag();`
	`44`	`+ }`
	`45`	`+`
	`46`	`+return$this->storage->getToken();`
	`47`	`+ }`
	`48`	`+`
	`49`	`+/**`
	`50`	`+ * {@inheritdoc}`
	`51`	`+ */`
	`52`	`+publicfunctionsetToken(TokenInterface$token =null):void`
	`53`	`+ {`
	`54`	`+$this->storage->setToken($token);`
	`55`	`+ }`
	`56`	`+`
	`57`	`+publicfunctionenableUsageTracking():void`
	`58`	`+ {`
	`59`	`+$this->enableUsageTracking =true;`
	`60`	`+ }`
	`61`	`+`
	`62`	`+publicfunctiondisableUsageTracking():void`
	`63`	`+ {`
	`64`	`+$this->enableUsageTracking =false;`
	`65`	`+ }`
	`66`	`+`
	`67`	`+publicstaticfunctiongetSubscribedServices():array`
	`68`	`+ {`
	`69`	`+return [`
	`70`	`+'session' => SessionInterface::class,`
	`71`	`+ ];`
	`72`	`+ }`
	`73`	`+}`

`‎src/Symfony/Component/Security/Core/Tests/Authentication/Token/Storage/UsageTrackingTokenStorageTest.php‎`

Lines changed: 57 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,57 @@`
	`1`	`+<?php`
	`2`	`+`
	`3`	`+/*`
	`4`	`+ * This file is part of the Symfony package.`
	`5`	`+ *`
	`6`	`+ * (c) Fabien Potencier <fabien@symfony.com>`
	`7`	`+ *`
	`8`	`+ * For the full copyright and license information, please view the LICENSE`
	`9`	`+ * file that was distributed with this source code.`
	`10`	`+ */`
	`11`	`+`
	`12`	`+namespaceSymfony\Component\Security\Core\Tests\Authentication\Token\Storage;`
	`13`	`+`
	`14`	`+usePHPUnit\Framework\TestCase;`
	`15`	`+usePsr\Container\ContainerInterface;`
	`16`	`+useSymfony\Component\HttpFoundation\Session\SessionInterface;`
	`17`	`+useSymfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;`
	`18`	`+useSymfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage;`
	`19`	`+useSymfony\Component\Security\Core\Authentication\Token\TokenInterface;`
	`20`	`+useSymfony\Contracts\Service\ServiceLocatorTrait;`
	`21`	`+`
	`22`	`+class UsageTrackingTokenStorageTestextends TestCase`
	`23`	`+{`
	`24`	`+publicfunctiontestGetSetToken()`
	`25`	`+ {`
	`26`	`+$sessionAccess =0;`
	`27`	`+$sessionLocator =newclass(['session' =>function ()use (&$sessionAccess) {`
	`28`	`+ ++$sessionAccess;`
	`29`	`+`
	`30`	`+$session =$this->createMock(SessionInterface::class);`
	`31`	`+$session->expects($this->once())`
	`32`	`+ ->method('getMetadataBag');`
	`33`	`+`
	`34`	`+return$session;`
	`35`	`+ }])implements ContainerInterface {`
	`36`	`+use ServiceLocatorTrait;`
	`37`	`+ };`
	`38`	`+$tokenStorage =newTokenStorage();`
	`39`	`+$trackingStorage =newUsageTrackingTokenStorage($tokenStorage,$sessionLocator);`
	`40`	`+`
	`41`	`+$this->assertNull($trackingStorage->getToken());`
	`42`	`+$token =$this->getMockBuilder(TokenInterface::class)->getMock();`
	`43`	`+`
	`44`	`+$trackingStorage->setToken($token);`
	`45`	`+$this->assertSame($token,$trackingStorage->getToken());`
	`46`	`+$this->assertSame($token,$tokenStorage->getToken());`
	`47`	`+$this->assertSame(0,$sessionAccess);`
	`48`	`+`
	`49`	`+$trackingStorage->enableUsageTracking();`
	`50`	`+$this->assertSame($token,$trackingStorage->getToken());`
	`51`	`+$this->assertSame(1,$sessionAccess);`
	`52`	`+`
	`53`	`+$trackingStorage->disableUsageTracking();`
	`54`	`+$this->assertSame($token,$trackingStorage->getToken());`
	`55`	`+$this->assertSame(1,$sessionAccess);`
	`56`	`+ }`
	`57`	`+}`

`‎src/Symfony/Component/Security/Core/composer.json‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@`
`18`	`18`	`"require": {`
`19`	`19`	`"php":"^7.1.3",`
`20`	`20`	`"symfony/event-dispatcher-contracts":"^1.1\|^2",`
`21`		`-"symfony/service-contracts":"^1.1\|^2"`
	`21`	`+"symfony/service-contracts":"^1.1.6\|^2"`
`22`	`22`	`},`
`23`	`23`	`"require-dev": {`
`24`	`24`	`"psr/container":"^1.0",`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit998c066

File tree

15 files changed

15 files changed

`‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterTokenUsageTrackingPass.php‎`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/collectors.xml‎`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml‎`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml‎`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_rememberme.xml‎`

`‎src/Symfony/Bundle/SecurityBundle/SecurityBundle.php‎`

`‎src/Symfony/Component/HttpFoundation/Session/Session.php‎`

`‎src/Symfony/Component/Security/Core/Authentication/Token/Storage/UsageTrackingTokenStorage.php‎`

`‎src/Symfony/Component/Security/Core/Tests/Authentication/Token/Storage/UsageTrackingTokenStorageTest.php‎`

`‎src/Symfony/Component/Security/Core/composer.json‎`

0 commit comments