[Security] AuthenticatorManager to make "authenticators" first-class security

src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php

@@ -73,6 +73,7 @@ public function getConfigTreeBuilder()
                 ->booleanNode('hide_user_not_found')->defaultTrue()->end()
                 ->booleanNode('always_authenticate_before_granting')->defaultFalse()->end()
                 ->booleanNode('erase_credentials')->defaultTrue()->end()
+                ->booleanNode('enable_authenticator_manager')->defaultFalse()->info('Enables the new Symfony Security system based on Authenticators, all used authenticators must support this before enabling this.')->end()
                 ->arrayNode('access_decision_manager')
                     ->addDefaultsIfNotSet()
                     ->children()

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AbstractFactory.php

@@ -30,6 +30,7 @@ abstract class AbstractFactory implements SecurityFactoryInterface
         'check_path' => '/login_check',
         'use_forward' => false,
         'require_previous_session' => false,
+        'login_path' => '/login',
     ];
 
     protected $defaultSuccessHandlerOptions = [

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AnonymousFactory.php

@@ -19,7 +19,7 @@
 /**
  * @author Wouter de Jong <wouter@wouterj.nl>
  */
-class AnonymousFactory implements SecurityFactoryInterface
+class AnonymousFactory implements SecurityFactoryInterface, AuthenticatorFactoryInterface
 {
     public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)
     {
@@ -42,6 +42,20 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
         return [$providerId, $listenerId, $defaultEntryPoint];
     }
 
+    public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId): string
+    {
+        if (null === $config['secret']) {
+            $config['secret'] = new Parameter('container.build_hash');
+        }
+
+        $authenticatorId = 'security.authenticator.anonymous.'.$firewallName;
+        $container
+            ->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.anonymous'))
+            ->replaceArgument(0, $config['secret']);
+
+        return $authenticatorId;
+    }
+
     public function getPosition()
     {
         return 'anonymous';

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AuthenticatorFactoryInterface.php

@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
+
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+
+/**
+ * @author Wouter de Jong <wouter@wouterj.nl>
+ *
+ * @experimental in 5.1
+ */
+interface AuthenticatorFactoryInterface
+{
+    /**
+     * Creates the authenticator service(s) for the provided configuration.
+     *
+     * @return string|string[] The authenticator service ID(s) to be used by the firewall
+     */
+    public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId);
+}

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/CustomAuthenticatorFactory.php

@@ -0,0 +1,56 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
+
+use Symfony\Component\Config\Definition\Builder\ArrayNodeDefinition;
+use Symfony\Component\Config\Definition\Builder\NodeDefinition;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+
+class CustomAuthenticatorFactory implements AuthenticatorFactoryInterface, SecurityFactoryInterface
+{
+    public function create(ContainerBuilder $container, string $id, array $config, string $userProvider, ?string $defaultEntryPoint)
+    {
+        throw new \LogicException('Custom authenticators are not supported when "security.enable_authenticator_manager" is not set to true.');
+    }
+
+    public function getPosition(): string
+    {
+        return 'pre_auth';
+    }
+
+    public function getKey(): string
+    {
+        return 'custom_authenticator';
+    }
+
+    /**
+     * @param ArrayNodeDefinition $builder
+     */
+    public function addConfiguration(NodeDefinition $builder)
+    {
+        $builder
+            ->fixXmlConfig('service')
+            ->children()
+                ->arrayNode('services')
+                    ->info('An array of service ids for all of your "authenticators"')
+                    ->requiresAtLeastOneElement()
+                    ->prototype('scalar')->end()
+                ->end()
+            ->end()
+        ;
+    }
+
+    public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId): array
+    {
+        return $config['services'];
+    }
+}

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/EntryPointFactoryInterface.php

@@ -0,0 +1,27 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
+
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+
+/**
+ * @author Wouter de Jong <wouter@wouterj.nl>
+ *
+ * @experimental in 5.1
+ */
+interface EntryPointFactoryInterface
+{
+    /**
+     * Creates the entry point and returns the service ID.
+     */
+    public function createEntryPoint(ContainerBuilder $container, string $id, array $config, ?string $defaultEntryPointId): string;
+}

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginFactory.php

@@ -12,6 +12,7 @@
 namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
 
 use Symfony\Component\Config\Definition\Builder\NodeDefinition;
+use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
 use Symfony\Component\DependencyInjection\ChildDefinition;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Reference;
@@ -22,14 +23,15 @@
  * @author Fabien Potencier <fabien@symfony.com>
  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  */
-class FormLoginFactory extends AbstractFactory
+class FormLoginFactory extends AbstractFactory implements AuthenticatorFactoryInterface, EntryPointFactoryInterface
 {
     public function __construct()
     {
         $this->addOption('username_parameter', '_username');
         $this->addOption('password_parameter', '_password');
         $this->addOption('csrf_parameter', '_csrf_token');
         $this->addOption('csrf_token_id', 'authenticate');
+        $this->addOption('enable_csrf', false);
         $this->addOption('post_only', true);
     }
 
@@ -61,6 +63,10 @@ protected function getListenerId()
 
     protected function createAuthProvider(ContainerBuilder $container, string $id, array $config, string $userProviderId)
     {
+        if ($config['enable_csrf'] ?? false) {
+            throw new InvalidConfigurationException('The "enable_csrf" option of "form_login" is only available when "security.enable_authenticator_manager" is set to "true", use "csrf_token_generator" instead.');
+        }
+
         $provider = 'security.authentication.provider.dao.'.$id;
         $container
             ->setDefinition($provider, new ChildDefinition('security.authentication.provider.dao'))
@@ -84,7 +90,7 @@ protected function createListener(ContainerBuilder $container, string $id, array
         return $listenerId;
     }
 
-    protected function createEntryPoint(ContainerBuilder $container, string $id, array $config, ?string $defaultEntryPoint)
+    public function createEntryPoint(ContainerBuilder $container, string $id, array $config, ?string $defaultEntryPoint): string
     {
         $entryPointId = 'security.authentication.form_entry_point.'.$id;
         $container
@@ -96,4 +102,22 @@ protected function createEntryPoint(ContainerBuilder $container, string $id, arr
 
         return $entryPointId;
     }
+
+    public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId): string
+    {
+        if (isset($config['csrf_token_generator'])) {
+            throw new InvalidConfigurationException('The "csrf_token_generator" option of "form_login" is only available when "security.enable_authenticator_manager" is set to "false", use "enable_csrf" instead.');
+        }
+
+        $authenticatorId = 'security.authenticator.form_login.'.$firewallName;
+        $options = array_intersect_key($config, $this->options);
+        $container
+            ->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.form_login'))
+            ->replaceArgument(1, new Reference($userProviderId))
+            ->replaceArgument(2, new Reference($this->createAuthenticationSuccessHandler($container, $firewallName, $config)))
+            ->replaceArgument(3, new Reference($this->createAuthenticationFailureHandler($container, $firewallName, $config)))
+            ->replaceArgument(4, $options);
+
+        return $authenticatorId;
+    }
 }

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicFactory.php

@@ -21,7 +21,7 @@
  *
  * @author Fabien Potencier <fabien@symfony.com>
  */
-class HttpBasicFactory implements SecurityFactoryInterface
+class HttpBasicFactory implements SecurityFactoryInterface, AuthenticatorFactoryInterface
 {
     public function create(ContainerBuilder $container, string $id, array $config, string $userProvider, ?string $defaultEntryPoint)
     {
@@ -46,6 +46,17 @@ public function create(ContainerBuilder $container, string $id, array $config, s
         return [$provider, $listenerId, $entryPointId];
     }
 
+    public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId): string
+    {
+        $authenticatorId = 'security.authenticator.http_basic.'.$firewallName;
+        $container
+            ->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.http_basic'))
+            ->replaceArgument(0, $config['realm'])
+            ->replaceArgument(1, new Reference($userProviderId));
+
+        return $authenticatorId;
+    }
+
     public function getPosition()
     {
         return 'http';

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/JsonLoginFactory.php

@@ -20,7 +20,7 @@
  *
  * @author Kévin Dunglas <dunglas@gmail.com>
  */
-class JsonLoginFactory extends AbstractFactory
+class JsonLoginFactory extends AbstractFactory implements AuthenticatorFactoryInterface
 {
     public function __construct()
     {
@@ -96,4 +96,18 @@ protected function createListener(ContainerBuilder $container, string $id, array
 
         return $listenerId;
     }
+
+    public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId)
+    {
+        $authenticatorId = 'security.authenticator.json_login.'.$firewallName;
+        $options = array_intersect_key($config, $this->options);
+        $container
+            ->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.json_login'))
+            ->replaceArgument(1, new Reference($userProviderId))
+            ->replaceArgument(2, isset($config['success_handler']) ? new Reference($this->createAuthenticationSuccessHandler($container, $firewallName, $config)) : null)
+            ->replaceArgument(3, isset($config['failure_handler']) ? new Reference($this->createAuthenticationFailureHandler($container, $firewallName, $config)) : null)
+            ->replaceArgument(4, $options);
+
+        return $authenticatorId;
+    }
 }