introduce TokenHandlerFactory

vincentchalamon · vincentchalamon · commit e7644e74553e · 2022-11-24T17:58:56.000+01:00
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/IdTokenHandlerFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/IdTokenHandlerFactory.php
@@ -0,0 +1,43 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\AccessToken;
+
+use Symfony\Component\Config\Definition\Builder\NodeDefinition;
+use Symfony\Component\DependencyInjection\ChildDefinition;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+
+/**
+ * Configure a token handler from a service id.
+ *
+ * @author Vincent Chalamon <vincentchalamon@gmail.com>
+ */
+class IdTokenHandlerFactory implements TokenHandlerFactoryInterface
+{
+    public function create(ContainerBuilder $container, string $id, array|string $config): void
+    {
+        $container->setDefinition($id, new ChildDefinition($config));
+    }
+
+    public function getKey(): string
+    {
+        return 'id';
+    }
+
+    public function addConfiguration(NodeDefinition $node): void
+    {
+        $node
+            ->children()
+                ->scalarNode($this->getKey())->end()
+            ->end()
+        ;
+    }
+}
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcUserInfoTokenHandlerFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcUserInfoTokenHandlerFactory.php
@@ -0,0 +1,71 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\AccessToken;
+
+use Symfony\Component\Config\Definition\Builder\NodeDefinition;
+use Symfony\Component\DependencyInjection\ChildDefinition;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Reference;
+use Symfony\Component\HttpClient\HttpClient;
+
+/**
+ * Configure a token handler for an OIDC server.
+ *
+ * @author Vincent Chalamon <vincentchalamon@gmail.com>
+ */
+class OidcUserInfoTokenHandlerFactory implements TokenHandlerFactoryInterface
+{
+    public function create(ContainerBuilder $container, string $id, array|string $config): void
+    {
+        $tokenHandlerDefinition = $container->setDefinition($id, new ChildDefinition('security.access_token_handler.oidc_user_info'));
+        $tokenHandlerDefinition->setArgument(2, $config['claim']);
+
+        // Create the client service
+        if (!isset($config['client']['id'])) {
+            $clientDefinitionId = 'http_client.security.access_token_handler.oidc_user_info';
+            $container->register($clientDefinitionId, HttpClient::class)
+                ->setFactory([HttpClient::class, 'create'])
+                ->setArguments([$config['client']])
+                ->addTag('http_client.client')
+            ;
+            $config['client'] = ['id' => $clientDefinitionId];
+        }
+
+        $tokenHandlerDefinition->setArgument(0, new Reference($config['client']['id']));
+    }
+
+    public function getKey(): string
+    {
+        return 'oidc_user_info';
+    }
+
+    public function addConfiguration(NodeDefinition $node): void
+    {
+        $node
+            ->children()
+            ->arrayNode($this->getKey())
+                ->fixXmlConfig($this->getKey())
+                ->children()
+                    ->scalarNode('claim')->default('sub')->end()
+                    ->arrayNode('client')
+                        ->isRequired()
+                        ->beforeNormalization()
+                            ->ifString()
+                            ->then(static function ($v): array { return ['id' => $v]; })
+                        ->end()
+                        ->prototype('array')->end()
+                    ->end()
+                ->end()
+            ->end()
+        ;
+    }
+}
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/TokenHandlerFactoryInterface.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/TokenHandlerFactoryInterface.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\AccessToken;
+
+use Symfony\Component\Config\Definition\Builder\NodeDefinition;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+
+/**
+ * TokenHandlerFactoryInterface is the interface for all token handler factories.
+ *
+ * @author Vincent Chalamon <vincentchalamon@gmail.com>
+ */
+interface TokenHandlerFactoryInterface
+{
+    /**
+     * Create a generic token handler service.
+     */
+    public function create(ContainerBuilder $container, string $id, array|string $config): void;
+
+    /**
+     * Get a generic token handler configuration key.
+     */
+    public function getKey(): string;
+
+    /**
+     * Add a generic token handler configuration.
+     */
+    public function addConfiguration(NodeDefinition $node): void;
+}
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AccessTokenFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AccessTokenFactory.php
@@ -11,7 +11,9 @@
 
 namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
 
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\AccessToken\TokenHandlerFactoryInterface;
 use Symfony\Component\Config\Definition\Builder\NodeDefinition;
+use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
 use Symfony\Component\DependencyInjection\ChildDefinition;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Reference;
@@ -27,7 +29,10 @@ final class AccessTokenFactory extends AbstractFactory
 {
     private const PRIORITY = -40;
 
-    public function __construct()
+    /**
+     * @param array<array-key, TokenHandlerFactoryInterface> $tokenHandlerFactories
+     */
+    public function __construct(private readonly array $tokenHandlerFactories)
     {
         $this->options = [];
         $this->defaultFailureHandlerOptions = [];
@@ -39,7 +44,6 @@ public function addConfiguration(NodeDefinition $node): void
         $builder = $node->children();
 
         $builder
-            ->scalarNode('token_handler')->isRequired()->end()
             ->scalarNode('user_provider')->defaultNull()->end()
             ->scalarNode('realm')->defaultNull()->end()
             ->scalarNode('success_handler')->defaultNull()->end()
@@ -57,6 +61,36 @@ public function addConfiguration(NodeDefinition $node): void
                 ->scalarPrototype()->end()
             ->end()
         ;
+
+        $tokenHandlerNodeBuilder = $builder
+            ->arrayNode('token_handler')
+                ->example([
+                    'id' => 'App\Security\CustomTokenHandler',
+                ])
+                ->requiresAtLeastOneElement()
+                ->useAttributeAsKey('name')
+                ->isRequired()
+                ->beforeNormalization()
+                    ->ifString()
+                    ->then(static function (string $v): array { return ['id' => $v]; })
+                ->end()
+                ->prototype('array')
+        ;
+
+        foreach ($this->tokenHandlerFactories as $factory) {
+            $factory->addConfiguration($tokenHandlerNodeBuilder);
+        }
+
+        $tokenHandlerNodeBuilder
+            ->beforeNormalization()
+                ->ifTrue(static function ($v) { return \is_array($v) && 1 < \count($v); })
+                ->then(static function () { throw new InvalidConfigurationException('You cannot configure multiple token handlers.'); })
+            ->end()
+            ->beforeNormalization()
+                ->ifTrue(static function ($v) { return \is_array($v) && 1 > \count($v); })
+                ->then(static function () { throw new InvalidConfigurationException('You must set a token handler.'); })
+            ->end()
+        ;
     }
 
     public function getPriority(): int
@@ -76,10 +110,11 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
         $failureHandler = isset($config['failure_handler']) ? new Reference($this->createAuthenticationFailureHandler($container, $firewallName, $config)) : null;
         $authenticatorId = sprintf('security.authenticator.access_token.%s', $firewallName);
         $extractorId = $this->createExtractor($container, $firewallName, $config['token_extractors']);
+        $tokenHandlerId = $this->createTokenHandler($container, $firewallName, $config['token_handler']);
 
         $container
             ->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.access_token'))
-            ->replaceArgument(0, new Reference($config['token_handler']))
+            ->replaceArgument(0, new Reference($tokenHandlerId))
             ->replaceArgument(1, new Reference($extractorId))
             ->replaceArgument(2, $userProvider)
             ->replaceArgument(3, $successHandler)
@@ -115,4 +150,20 @@ private function createExtractor(ContainerBuilder $container, string $firewallNa
 
         return $extractorId;
     }
+
+    private function createTokenHandler(ContainerBuilder $container, string $firewallName, array $config): string
+    {
+        $key = array_keys($config)[0];
+        $id = sprintf('security.access_token_handler.%s', $firewallName);
+
+        foreach ($this->tokenHandlerFactories as $factory) {
+            if ($key !== $factory->getKey()) {
+                continue;
+            }
+
+            $factory->create($container, $id, $config[$key]);
+        }
+
+        return $id;
+    }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
@@ -42,6 +42,8 @@
                 abstract_arg('access token extractors'),
             ])
 
+        // OIDC
         ->set('security.access_token_handler.oidc_user_info', OidcUserInfoTokenHandler::class)
+            ->abstract()
     ;
 };
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php
@@ -37,11 +37,14 @@ public function testBasicServiceConfiguration()
         $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1'));
     }
 
-    public function testDefaultServiceConfiguration()
+    /**
+     * @dataProvider getGenericTokenHandlers
+     */
+    public function testGenericTokenHandlerConfiguration(array|string $tokenHandler)
     {
         $container = new ContainerBuilder();
         $config = [
-            'token_handler' => 'in_memory_token_handler_service_id',
+            'token_handler' => $tokenHandler,
         ];
 
         $factory = new AccessTokenFactory();
@@ -52,6 +55,22 @@ public function testDefaultServiceConfiguration()
         $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1'));
     }
 
+    public function getGenericTokenHandlers(): iterable
+    {
+        yield ['in_memory_token_handler_service_id'];
+        yield [['id' => 'in_memory_token_handler_service_id']];
+        yield [['oidc_user_info' => ['client' => 'oidc.client']]];
+        yield [[
+            'oidc_user_info' => [
+                'claim' => 'email',
+                'client' => ['base_uri' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo'],
+            ],
+        ]];
+    }
+
+    // TODO Test if multiple token handlers are configured
+    // TODO Test if no token handler is configured
+
     public function testNoExtractorsDefined()
     {
         $this->expectException(InvalidConfigurationException::class);
diff --git a/src/Symfony/Component/Security/Http/AccessToken/Oidc/Exception/InvalidOidcUserInfoException.php b/src/Symfony/Component/Security/Http/AccessToken/Oidc/Exception/InvalidOidcUserInfoException.php
@@ -18,7 +18,7 @@
  *
  * @author Vincent Chalamon <vincentchalamon@gmail.com>
  */
-class InvalidOidcUserException extends AuthenticationException
+class InvalidOidcUserInfoException extends AuthenticationException
 {
     public function getMessageKey(): string
     {
diff --git a/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcUserInfoTokenHandler.php b/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcUserInfoTokenHandler.php
@@ -14,7 +14,7 @@
 use Psr\Log\LoggerInterface;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
-use Symfony\Component\Security\Http\AccessToken\Oidc\Exception\InvalidOidcUserException;
+use Symfony\Component\Security\Http\AccessToken\Oidc\Exception\InvalidOidcUserInfoException;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
@@ -27,9 +27,8 @@ final class OidcUserInfoTokenHandler implements AccessTokenHandlerInterface
 {
     public function __construct(
         private HttpClientInterface $client,
-        private ?LoggerInterface    $logger = null,
-        private string              $claim = 'sub',
-        private string              $userinfoUrl = 'protocol/openid-connect/userinfo'
+        private ?LoggerInterface $logger = null,
+        private string $claim = 'sub'
     ) {
     }
 
@@ -38,12 +37,12 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
         try {
             // Call the OIDC server to retrieve the user info
             // If the token is invalid or expired, the OIDC server will return an error
-            $userinfo = $this->client->request('GET', $this->userinfoUrl, [
+            $userinfo = $this->client->request('GET', '', [
                 'auth_bearer' => $accessToken,
             ])->toArray();
 
             if (empty($userinfo[$this->claim])) {
-                throw new InvalidOidcUserException(sprintf('"%s" property not found on OIDC server response.', $this->claim));
+                throw new InvalidOidcUserInfoException(sprintf('"%s" claim not found on OIDC server response.', $this->claim));
             }
 
             return new UserBadge($userinfo[$this->claim]);
diff --git a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcUserInfoTokenHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcUserInfoTokenHandlerTest.php

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,8 @@`
`42`	`42`	`abstract_arg('access token extractors'),`
`43`	`43`	`])`
`44`	`44`
	`45`	`+ // OIDC`
`45`	`46`	`->set('security.access_token_handler.oidc_user_info', OidcUserInfoTokenHandler::class)`
	`47`	`+ ->abstract()`
`46`	`48`	`;`
`47`	`49`	`};`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@`
`18`	`18`	`*`
`19`	`19`	`* @author Vincent Chalamon <vincentchalamon@gmail.com>`
`20`	`20`	`*/`
`21`		`-class InvalidOidcUserException extends AuthenticationException`
	`21`	`+class InvalidOidcUserInfoException extends AuthenticationException`
`22`	`22`	`{`
`23`	`23`	`public function getMessageKey(): string`
`24`	`24`	`{`