merged branch Seldaek/simplesecurity (PR #6069)

This PR was merged into the master branch.

Discussion
----------

[Security] Add simpler customization options

The goal of this is to provide a simpler extension point for people that don't have the time to dive into the whole security factory + authentication provider + user provider + authentication listener + token mess. As it stands, it gives you a way to just create one class that is handling all the security stuff in one (by implementing SimpleFormAuthenticatorInterface and UserProviderInterface) + one or more token classes.

I would like feedback on whether people think this makes sense or not before continuing and doing a SimpleHttpAuthenticatorInterface for non-form based stuff.

Just FYI that's how it would look in security.yml:

```yaml
security:
    providers:
        simple:
            id: simple_authenticator
    firewalls:
        foo:
            pattern: ^/
            simple_form:
                provider: simple
                authenticator: simple_authenticator
```

/cc @atrauzzi (who posted a long rant on the ML about how hard this all is, and I can't agree more - I hope it's the right account on github?)

Commits
-------

74cfc84 marked some classes as being experimental in 2.3
471e5bc [Security] allowed simple pre-auth to be optional if another auth mechanism already authenticated the user
01c913b moved the simple HTTP authenticator to a pre-auth one
887d9b8 fixed wrong Logger interface
65335ea [Security] Renamed simple_token to simple_http, added support for failure and success handler to both simple firewalls
f7a11a1 [Security] Add simple_token auth method
1fe2ed6 [Security] Add SimpleForm authentication

7 files changed, 471 insertions, 0 deletions

diff --git a/Core/Authentication/Provider/SimpleAuthenticationProvider.php b/Core/Authentication/Provider/SimpleAuthenticationProvider.php
new file mode 100644
index 0000000..50c9a08
--- /dev/null
+++ b/Core/Authentication/Provider/SimpleAuthenticationProvider.php
@@ -0,0 +1,58 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication\Provider;
+
+use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Core\User\UserCheckerInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authentication\SimpleAuthenticatorInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+
+/**
+ * @author Jordi Boggiano <j.boggiano@seld.be>
+ *
+ * @experimental This feature is experimental in 2.3 and might change in future versions
+ */
+class SimpleAuthenticationProvider implements AuthenticationProviderInterface
+{
+    private $simpleAuthenticator;
+    private $userProvider;
+    private $providerKey;
+
+    public function __construct(SimpleAuthenticatorInterface $simpleAuthenticator, UserProviderInterface $userProvider, $providerKey)
+    {
+        $this->simpleAuthenticator = $simpleAuthenticator;
+        $this->userProvider = $userProvider;
+        $this->providerKey = $providerKey;
+    }
+
+    public function authenticate(TokenInterface $token)
+    {
+        $authToken = $this->simpleAuthenticator->authenticateToken($token, $this->userProvider, $this->providerKey);
+
+        if ($authToken instanceof TokenInterface) {
+            return $authToken;
+        }
+
+        throw new AuthenticationException('Simple authenticator failed to return an authenticated token.');
+    }
+
+    public function supports(TokenInterface $token)
+    {
+        return $this->simpleAuthenticator->supportsToken($token, $this->providerKey);
+    }
+}
diff --git a/Core/Authentication/SimpleAuthenticatorInterface.php b/Core/Authentication/SimpleAuthenticatorInterface.php
new file mode 100644
index 0000000..e8ad7b8
--- /dev/null
+++ b/Core/Authentication/SimpleAuthenticatorInterface.php
@@ -0,0 +1,27 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication;
+
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
+
+/**
+ * @author Jordi Boggiano <j.boggiano@seld.be>
+ *
+ * @experimental This feature is experimental in 2.3 and might change in future versions
+ */
+interface SimpleAuthenticatorInterface
+{
+    public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey);
+
+    public function supportsToken(TokenInterface $token, $providerKey);
+}
diff --git a/Core/Authentication/SimpleFormAuthenticatorInterface.php b/Core/Authentication/SimpleFormAuthenticatorInterface.php
new file mode 100644
index 0000000..bfc3ec2
--- /dev/null
+++ b/Core/Authentication/SimpleFormAuthenticatorInterface.php
@@ -0,0 +1,24 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication;
+
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * @author Jordi Boggiano <j.boggiano@seld.be>
+ *
+ * @experimental This feature is experimental in 2.3 and might change in future versions
+ */
+interface SimpleFormAuthenticatorInterface extends SimpleAuthenticatorInterface
+{
+    public function createToken(Request $request, $username, $password, $providerKey);
+}
diff --git a/Core/Authentication/SimplePreAuthenticatorInterface.php b/Core/Authentication/SimplePreAuthenticatorInterface.php
new file mode 100644
index 0000000..8fa7037
--- /dev/null
+++ b/Core/Authentication/SimplePreAuthenticatorInterface.php
@@ -0,0 +1,24 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication;
+
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * @author Jordi Boggiano <j.boggiano@seld.be>
+ *
+ * @experimental This feature is experimental in 2.3 and might change in future versions
+ */
+interface SimplePreAuthenticatorInterface extends SimpleAuthenticatorInterface
+{
+    public function createToken(Request $request, $providerKey);
+}
diff --git a/Http/Authentication/SimpleAuthenticationHandler.php b/Http/Authentication/SimpleAuthenticationHandler.php
new file mode 100644
index 0000000..88be8e4
--- /dev/null
+++ b/Http/Authentication/SimpleAuthenticationHandler.php
@@ -0,0 +1,107 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Authentication;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authentication\SimpleAuthenticatorInterface;
+
+/**
+ * Class to proxy authentication success/failure handlers
+ *
+ * Events are sent to the SimpleAuthenticatorInterface if it implements
+ * the right interface, otherwise (or if it fails to return a Response)
+ * the default handlers are triggered.
+ *
+ * @author Jordi Boggiano <j.boggiano@seld.be>
+ *
+ * @experimental This feature is experimental in 2.3 and might change in future versions
+ */
+class SimpleAuthenticationHandler implements AuthenticationFailureHandlerInterface, AuthenticationSuccessHandlerInterface
+{
+    protected $successHandler;
+    protected $failureHandler;
+    protected $simpleAuthenticator;
+
+    /**
+     * Constructor.
+     *
+     * @param SimpleAuthenticatorInterface          $authenticator  SimpleAuthenticatorInterface instance
+     * @param AuthenticationSuccessHandlerInterface $successHandler Default success handler
+     * @param AuthenticationFailureHandlerInterface $failureHandler Default failure handler
+     * @param LoggerInterface                       $logger         Optional logger
+     */
+    public function __construct(SimpleAuthenticatorInterface $authenticator, AuthenticationSuccessHandlerInterface $successHandler, AuthenticationFailureHandlerInterface $failureHandler, LoggerInterface $logger = null)
+    {
+        $this->simpleAuthenticator = $authenticator;
+        $this->successHandler = $successHandler;
+        $this->failureHandler = $failureHandler;
+        $this->logger = $logger;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token)
+    {
+        if ($this->simpleAuthenticator instanceof AuthenticationSuccessHandlerInterface) {
+            if ($this->logger) {
+                $this->logger->debug(sprintf('Using the %s object as authentication success handler', get_class($this->simpleAuthenticator)));
+            }
+
+            $response = $this->simpleAuthenticator->onAuthenticationSuccess($request, $token);
+            if ($response instanceof Response) {
+                return $response;
+            }
+
+            if (null !== $response) {
+                throw new \UnexpectedValueException(sprintf('The %s::onAuthenticationSuccess method must return null to use the default success handler, or a Response object', get_class($this->simpleAuthenticator)));
+            }
+        }
+
+        if ($this->logger) {
+            $this->logger->debug('Fallback to the default authentication success handler');
+        }
+
+        return $this->successHandler->onAuthenticationSuccess($request, $token);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
+    {
+        if ($this->simpleAuthenticator instanceof AuthenticationFailureHandlerInterface) {
+            if ($this->logger) {
+                $this->logger->debug(sprintf('Using the %s object as authentication failure handler', get_class($this->simpleAuthenticator)));
+            }
+
+            $response = $this->simpleAuthenticator->onAuthenticationFailure($request, $exception);
+            if ($response instanceof Response) {
+                return $response;
+            }
+
+            if (null !== $response) {
+                throw new \UnexpectedValueException(sprintf('The %s::onAuthenticationFailure method must return null to use the default failure handler, or a Response object', get_class($this->simpleAuthenticator)));
+            }
+        }
+
+        if ($this->logger) {
+            $this->logger->debug('Fallback to the default authentication failure handler');
+        }
+
+        return $this->failureHandler->onAuthenticationFailure($request, $exception);
+    }
+}
diff --git a/Http/Firewall/SimpleFormAuthenticationListener.php b/Http/Firewall/SimpleFormAuthenticationListener.php
new file mode 100644
index 0000000..8325bb1
--- /dev/null
+++ b/Http/Firewall/SimpleFormAuthenticationListener.php
@@ -0,0 +1,118 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Firewall;
+
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
+use Symfony\Component\HttpKernel\Event\GetResponseEvent;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
+use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
+use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
+use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
+use Symfony\Component\Security\Core\Authentication\SimpleFormAuthenticatorInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\SessionUnavailableException;
+use Symfony\Component\Security\Core\SecurityContextInterface;
+use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
+use Symfony\Component\Security\Http\HttpUtils;
+use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface;
+use Symfony\Component\Security\Http\SecurityEvents;
+use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
+use Psr\Log\LoggerInterface;
+
+/**
+ * @author Jordi Boggiano <j.boggiano@seld.be>
+ *
+ * @experimental This feature is experimental in 2.3 and might change in future versions
+ */
+class SimpleFormAuthenticationListener extends AbstractAuthenticationListener
+{
+    private $simpleAuthenticator;
+    private $csrfProvider;
+
+    /**
+     * Constructor.
+     *
+     * @param SecurityContextInterface               $securityContext       A SecurityContext instance
+     * @param AuthenticationManagerInterface         $authenticationManager An AuthenticationManagerInterface instance
+     * @param SessionAuthenticationStrategyInterface $sessionStrategy
+     * @param HttpUtils                              $httpUtils             An HttpUtilsInterface instance
+     * @param string                                 $providerKey
+     * @param AuthenticationSuccessHandlerInterface  $successHandler
+     * @param AuthenticationFailureHandlerInterface  $failureHandler
+     * @param array                                  $options               An array of options for the processing of a
+     *                                                                      successful, or failed authentication attempt
+     * @param LoggerInterface                        $logger                A LoggerInterface instance
+     * @param EventDispatcherInterface               $dispatcher            An EventDispatcherInterface instance
+     * @param SimpleFormAuthenticatorInterface       $simpleAuthenticator   A SimpleFormAuthenticatorInterface instance
+     * @param CsrfProviderInterface                  $csrfProvider          A CsrfProviderInterface instance
+     */
+    public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, SessionAuthenticationStrategyInterface $sessionStrategy, HttpUtils $httpUtils, $providerKey, AuthenticationSuccessHandlerInterface $successHandler, AuthenticationFailureHandlerInterface $failureHandler, array $options = array(), LoggerInterface $logger = null, EventDispatcherInterface $dispatcher = null, CsrfProviderInterface $csrfProvider = null, SimpleFormAuthenticatorInterface $simpleAuthenticator = null)
+    {
+        if (!$simpleAuthenticator) {
+            throw new \InvalidArgumentException('Missing simple authenticator');
+        }
+
+        $this->simpleAuthenticator = $simpleAuthenticator;
+        $this->csrfProvider = $csrfProvider;
+
+        $options = array_merge(array(
+            'username_parameter' => '_username',
+            'password_parameter' => '_password',
+            'csrf_parameter'     => '_csrf_token',
+            'intention'          => 'authenticate',
+            'post_only'          => true,
+        ), $options);
+        parent::__construct($securityContext, $authenticationManager, $sessionStrategy, $httpUtils, $providerKey, $successHandler, $failureHandler, $options, $logger, $dispatcher);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function requiresAuthentication(Request $request)
+    {
+        if ($this->options['post_only'] && !$request->isMethod('POST')) {
+            return false;
+        }
+
+        return parent::requiresAuthentication($request);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function attemptAuthentication(Request $request)
+    {
+        if (null !== $this->csrfProvider) {
+            $csrfToken = $request->get($this->options['csrf_parameter'], null, true);
+
+            if (false === $this->csrfProvider->isCsrfTokenValid($this->options['intention'], $csrfToken)) {
+                throw new InvalidCsrfTokenException('Invalid CSRF token.');
+            }
+        }
+
+        if ($this->options['post_only']) {
+            $username = trim($request->request->get($this->options['username_parameter'], null, true));
+            $password = $request->request->get($this->options['password_parameter'], null, true);
+        } else {
+            $username = trim($request->get($this->options['username_parameter'], null, true));
+            $password = $request->get($this->options['password_parameter'], null, true);
+        }
+
+        $request->getSession()->set(SecurityContextInterface::LAST_USERNAME, $username);
+
+        $token = $this->simpleAuthenticator->createToken($request, $username, $password, $this->providerKey);
+
+        return $this->authenticationManager->authenticate($token);
+    }
+}
diff --git a/Http/Firewall/SimplePreAuthenticationListener.php b/Http/Firewall/SimplePreAuthenticationListener.php
new file mode 100644
index 0000000..637ed39
--- /dev/null
+++ b/Http/Firewall/SimplePreAuthenticationListener.php
@@ -0,0 +1,113 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Firewall;
+
+use Symfony\Component\Security\Core\SecurityContextInterface;
+use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
+use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpKernel\Event\GetResponseEvent;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\SimplePreAuthenticatorInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
+use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
+
+/**
+ * SimplePreAuthenticationListener implements simple proxying to an authenticator.
+ *
+ * @author Jordi Boggiano <j.boggiano@seld.be>
+ *
+ * @experimental This feature is experimental in 2.3 and might change in future versions
+ */
+class SimplePreAuthenticationListener implements ListenerInterface
+{
+    private $securityContext;
+    private $authenticationManager;
+    private $providerKey;
+    private $simpleAuthenticator;
+    private $logger;
+
+    /**
+     * Constructor.
+     *
+     * @param SecurityContextInterface         $securityContext       A SecurityContext instance
+     * @param AuthenticationManagerInterface   $authenticationManager An AuthenticationManagerInterface instance
+     * @param string                           $providerKey
+     * @param SimplePreAuthenticatorInterface  $simpleAuthenticator   A SimplePreAuthenticatorInterface instance
+     * @param LoggerInterface                  $logger                A LoggerInterface instance
+     */
+    public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, $providerKey, SimplePreAuthenticatorInterface $simpleAuthenticator, LoggerInterface $logger = null)
+    {
+        if (empty($providerKey)) {
+            throw new \InvalidArgumentException('$providerKey must not be empty.');
+        }
+
+        $this->securityContext = $securityContext;
+        $this->authenticationManager = $authenticationManager;
+        $this->providerKey = $providerKey;
+        $this->simpleAuthenticator = $simpleAuthenticator;
+        $this->logger = $logger;
+    }
+
+    /**
+     * Handles basic authentication.
+     *
+     * @param GetResponseEvent $event A GetResponseEvent instance
+     */
+    public function handle(GetResponseEvent $event)
+    {
+        $request = $event->getRequest();
+
+        if (null !== $this->logger) {
+            $this->logger->info(sprintf('Attempting simple pre-authorization %s', $this->providerKey));
+        }
+
+        if (null !== $this->context->getToken() && !$this->context->getToken() instanceof AnonymousToken) {
+            return;
+        }
+
+        try {
+            $token = $this->simpleAuthenticator->createToken($request, $this->providerKey);
+            $token = $this->authenticationManager->authenticate($token);
+            $this->securityContext->setToken($token);
+        } catch (AuthenticationException $e) {
+            $this->securityContext->setToken(null);
+
+            if (null !== $this->logger) {
+                $this->logger->info(sprintf('Authentication request failed: %s', $e->getMessage()));
+            }
+
+            if ($this->simpleAuthenticator instanceof AuthenticationFailureHandlerInterface) {
+                $response = $this->simpleAuthenticator->onAuthenticationFailure($request, $e);
+                if ($response instanceof Response) {
+                    $event->setResponse($response);
+                } elseif (null !== $response) {
+                    throw new \UnexpectedValueException(sprintf('The %s::onAuthenticationFailure method must return null or a Response object', get_class($this->simpleAuthenticator)));
+                }
+            }
+
+            return;
+        }
+
+        if ($this->simpleAuthenticator instanceof AuthenticationSuccessHandlerInterface) {
+            $response = $this->simpleAuthenticator->onAuthenticationSuccess($request, $token);
+            if ($response instanceof Response) {
+                $event->setResponse($response);
+            } elseif (null !== $response) {
+                throw new \UnexpectedValueException(sprintf('The %s::onAuthenticationSuccess method must return null or a Response object', get_class($this->simpleAuthenticator)));
+            }
+        }
+    }
+}