Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit e84bd65

Browse filesBrowse files
fabpotfabpot
committed
feature #33663 [Security] Make stateful firewalls turn responses private only when needed (nicolas-grekas)
This PR was merged into the 4.4 branch. Discussion ---------- [Security] Make stateful firewalls turn responses private only when needed | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #26769 *et al.* | License | MIT | Doc PR | - Replaces #28089 By taking over session usage tracking and replacing it with token usage tracking, we can prevent responses that don't actually use the token from turning responses private without changing anything to the lifecycle of security listeners. This makes the behavior much more seamless, allowing to still log the user with the monolog processor, and display it in the profiler toolbar. This works by using two separate token storage services: - `security.token_storage` now tracks access to the token and increments the session usage tracker when needed. This is the service that is injected in userland. - `security.untracked_token_storage` is a raw token storage that just stores the token and is disconnected from the session. This service is injected in places where reading the session doesn't impact the generated output in any way (as e.g. in Monolog processors, etc.) Commits ------- 20df3a1 [Security] Make stateful firewalls turn responses private only when needed
2 parents e95d27b + 20df3a1 commit e84bd65
Copy full SHA for e84bd65

File tree

15 files changed

+353
-41
lines changed
Filter options

15 files changed

+353
-41
lines changed

‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterTokenUsageTrackingPass.php

Copy file name to clipboard
+51Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,51 @@
1+
<?php
2+
3+
/*
4+
* This file is part of the Symfony package.
5+
*
6+
* (c) Fabien Potencier <fabien@symfony.com>
7+
*
8+
* For the full copyright and license information, please view the LICENSE
9+
* file that was distributed with this source code.
10+
*/
11+
12+
namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler;
13+
14+
use Symfony\Bridge\Monolog\Processor\ProcessorInterface;
15+
use Symfony\Component\DependencyInjection\Argument\BoundArgument;
16+
use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
17+
use Symfony\Component\DependencyInjection\ContainerBuilder;
18+
use Symfony\Component\DependencyInjection\Reference;
19+
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
20+
21+
/**
22+
* Injects the session tracker enabler in "security.context_listener" + binds "security.untracked_token_storage" to ProcessorInterface instances.
23+
*
24+
* @author Nicolas Grekas <p@tchwork.com>
25+
*
26+
* @internal
27+
*/
28+
class RegisterTokenUsageTrackingPass implements CompilerPassInterface
29+
{
30+
/**
31+
* {@inheritdoc}
32+
*/
33+
public function process(ContainerBuilder $container)
34+
{
35+
if (!$container->has('security.untracked_token_storage')) {
36+
return;
37+
}
38+
39+
$processorAutoconfiguration = $container->registerForAutoconfiguration(ProcessorInterface::class);
40+
$processorAutoconfiguration->setBindings($processorAutoconfiguration->getBindings() + [
41+
TokenStorageInterface::class => new BoundArgument(new Reference('security.untracked_token_storage'), false),
42+
]);
43+
44+
if (!$container->has('session')) {
45+
$container->setAlias('security.token_storage', 'security.untracked_token_storage')->setPublic(true);
46+
} elseif ($container->hasDefinition('security.context_listener')) {
47+
$container->getDefinition('security.context_listener')
48+
->setArgument(6, [new Reference('security.token_storage'), 'enableUsageTracking']);
49+
}
50+
}
51+
}

‎src/Symfony/Bundle/SecurityBundle/Resources/config/collectors.xml

Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/config/collectors.xml
+1-1Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@
99

1010
<service id="data_collector.security" class="Symfony\Bundle\SecurityBundle\DataCollector\SecurityDataCollector">
1111
<tag name="data_collector" template="@Security/Collector/security.html.twig" id="security" priority="270" />
12-
<argument type="service" id="security.token_storage" on-invalid="ignore" />
12+
<argument type="service" id="security.untracked_token_storage" />
1313
<argument type="service" id="security.role_hierarchy" />
1414
<argument type="service" id="security.logout_url_generator" />
1515
<argument type="service" id="security.access.decision_manager" />

‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml

Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml
+9-2Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -21,11 +21,18 @@
2121
</service>
2222
<service id="Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface" alias="security.authorization_checker" />
2323

24-
<service id="security.token_storage" class="Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage" public="true">
24+
<service id="security.token_storage" class="Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage" public="true">
25+
<tag name="kernel.reset" method="disableUsageTracking" />
2526
<tag name="kernel.reset" method="setToken" />
27+
<argument type="service" id="security.untracked_token_storage" />
28+
<argument type="service_locator">
29+
<argument key="session" type="service" id="session" />
30+
</argument>
2631
</service>
2732
<service id="Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface" alias="security.token_storage" />
2833

34+
<service id="security.untracked_token_storage" class="Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage" />
35+
2936
<service id="security.helper" class="Symfony\Component\Security\Core\Security">
3037
<argument type="service_locator">
3138
<argument key="security.token_storage" type="service" id="security.token_storage" />
@@ -162,7 +169,7 @@
162169
<service id="security.logout_url_generator" class="Symfony\Component\Security\Http\Logout\LogoutUrlGenerator">
163170
<argument type="service" id="request_stack" on-invalid="null" />
164171
<argument type="service" id="router" on-invalid="null" />
165-
<argument type="service" id="security.token_storage" on-invalid="null" />
172+
<argument type="service" id="security.token_storage" />
166173
</service>
167174

168175
<!-- Provisioning -->

‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml

Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml
+3-3Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@
99

1010
<service id="security.authentication.listener.anonymous" class="Symfony\Component\Security\Http\Firewall\AnonymousAuthenticationListener">
1111
<tag name="monolog.logger" channel="security" />
12-
<argument type="service" id="security.token_storage" />
12+
<argument type="service" id="security.untracked_token_storage" />
1313
<argument /> <!-- Key -->
1414
<argument type="service" id="logger" on-invalid="null" />
1515
<argument type="service" id="security.authentication.manager" />
@@ -37,7 +37,7 @@
3737

3838
<service id="security.context_listener" class="Symfony\Component\Security\Http\Firewall\ContextListener">
3939
<tag name="monolog.logger" channel="security" />
40-
<argument type="service" id="security.token_storage" />
40+
<argument type="service" id="security.untracked_token_storage" />
4141
<argument type="collection" />
4242
<argument /> <!-- Provider Key -->
4343
<argument type="service" id="logger" on-invalid="null" />
@@ -128,7 +128,7 @@
128128

129129
<service id="security.authentication.listener.simple_preauth" class="Symfony\Component\Security\Http\Firewall\SimplePreAuthenticationListener" abstract="true">
130130
<tag name="monolog.logger" channel="security" />
131-
<argument type="service" id="security.token_storage" />
131+
<argument type="service" id="security.untracked_token_storage" />
132132
<argument type="service" id="security.authentication.manager" />
133133
<argument /> <!-- Provider-shared Key -->
134134
<argument /> <!-- Authenticator -->

‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_rememberme.xml

Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/config/security_rememberme.xml
+1-1Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@
99

1010
<service id="security.authentication.listener.rememberme" class="Symfony\Component\Security\Http\Firewall\RememberMeListener" abstract="true">
1111
<tag name="monolog.logger" channel="security" />
12-
<argument type="service" id="security.token_storage" />
12+
<argument type="service" id="security.untracked_token_storage" />
1313
<argument type="service" id="security.authentication.rememberme" />
1414
<argument type="service" id="security.authentication.manager" />
1515
<argument type="service" id="logger" on-invalid="null" />

‎src/Symfony/Bundle/SecurityBundle/SecurityBundle.php

Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
+2Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@
1515
use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddSecurityVotersPass;
1616
use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddSessionDomainConstraintPass;
1717
use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterCsrfTokenClearingLogoutHandlerPass;
18+
use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterTokenUsageTrackingPass;
1819
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AnonymousFactory;
1920
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FormLoginFactory;
2021
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FormLoginLdapFactory;
@@ -66,5 +67,6 @@ public function build(ContainerBuilder $container)
6667
$container->addCompilerPass(new AddSecurityVotersPass());
6768
$container->addCompilerPass(new AddSessionDomainConstraintPass(), PassConfig::TYPE_BEFORE_REMOVING);
6869
$container->addCompilerPass(new RegisterCsrfTokenClearingLogoutHandlerPass());
70+
$container->addCompilerPass(new RegisterTokenUsageTrackingPass(), PassConfig::TYPE_BEFORE_OPTIMIZATION, 200);
6971
}
7072
}

‎src/Symfony/Component/HttpFoundation/Session/Session.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/HttpFoundation/Session/Session.php
+1-4Lines changed: 1 addition & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -136,10 +136,7 @@ public function count()
136136
return \count($this->getAttributeBag()->all());
137137
}
138138

139-
/**
140-
* @internal
141-
*/
142-
public function getUsageIndex(): int
139+
public function &getUsageIndex(): int
143140
{
144141
return $this->usageIndex;
145142
}

‎src/Symfony/Component/Security/Core/Authentication/Token/Storage/UsageTrackingTokenStorage.php

Copy file name to clipboard
+73Lines changed: 73 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,73 @@
1+
<?php
2+
3+
/*
4+
* This file is part of the Symfony package.
5+
*
6+
* (c) Fabien Potencier <fabien@symfony.com>
7+
*
8+
* For the full copyright and license information, please view the LICENSE
9+
* file that was distributed with this source code.
10+
*/
11+
12+
namespace Symfony\Component\Security\Core\Authentication\Token\Storage;
13+
14+
use Psr\Container\ContainerInterface;
15+
use Symfony\Component\HttpFoundation\Session\SessionInterface;
16+
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
17+
use Symfony\Contracts\Service\ServiceSubscriberInterface;
18+
19+
/**
20+
* A token storage that increments the session usage index when the token is accessed.
21+
*
22+
* @author Nicolas Grekas <p@tchwork.com>
23+
*/
24+
final class UsageTrackingTokenStorage implements TokenStorageInterface, ServiceSubscriberInterface
25+
{
26+
private $storage;
27+
private $sessionLocator;
28+
private $enableUsageTracking = false;
29+
30+
public function __construct(TokenStorageInterface $storage, ContainerInterface $sessionLocator)
31+
{
32+
$this->storage = $storage;
33+
$this->sessionLocator = $sessionLocator;
34+
}
35+
36+
/**
37+
* {@inheritdoc}
38+
*/
39+
public function getToken(): ?TokenInterface
40+
{
41+
if ($this->enableUsageTracking) {
42+
// increments the internal session usage index
43+
$this->sessionLocator->get('session')->getMetadataBag();
44+
}
45+
46+
return $this->storage->getToken();
47+
}
48+
49+
/**
50+
* {@inheritdoc}
51+
*/
52+
public function setToken(TokenInterface $token = null): void
53+
{
54+
$this->storage->setToken($token);
55+
}
56+
57+
public function enableUsageTracking(): void
58+
{
59+
$this->enableUsageTracking = true;
60+
}
61+
62+
public function disableUsageTracking(): void
63+
{
64+
$this->enableUsageTracking = false;
65+
}
66+
67+
public static function getSubscribedServices(): array
68+
{
69+
return [
70+
'session' => SessionInterface::class,
71+
];
72+
}
73+
}

‎src/Symfony/Component/Security/Core/Tests/Authentication/Token/Storage/UsageTrackingTokenStorageTest.php

Copy file name to clipboard
+57Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
<?php
2+
3+
/*
4+
* This file is part of the Symfony package.
5+
*
6+
* (c) Fabien Potencier <fabien@symfony.com>
7+
*
8+
* For the full copyright and license information, please view the LICENSE
9+
* file that was distributed with this source code.
10+
*/
11+
12+
namespace Symfony\Component\Security\Core\Tests\Authentication\Token\Storage;
13+
14+
use PHPUnit\Framework\TestCase;
15+
use Psr\Container\ContainerInterface;
16+
use Symfony\Component\HttpFoundation\Session\SessionInterface;
17+
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
18+
use Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage;
19+
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
20+
use Symfony\Contracts\Service\ServiceLocatorTrait;
21+
22+
class UsageTrackingTokenStorageTest extends TestCase
23+
{
24+
public function testGetSetToken()
25+
{
26+
$sessionAccess = 0;
27+
$sessionLocator = new class(['session' => function () use (&$sessionAccess) {
28+
++$sessionAccess;
29+
30+
$session = $this->createMock(SessionInterface::class);
31+
$session->expects($this->once())
32+
->method('getMetadataBag');
33+
34+
return $session;
35+
}]) implements ContainerInterface {
36+
use ServiceLocatorTrait;
37+
};
38+
$tokenStorage = new TokenStorage();
39+
$trackingStorage = new UsageTrackingTokenStorage($tokenStorage, $sessionLocator);
40+
41+
$this->assertNull($trackingStorage->getToken());
42+
$token = $this->getMockBuilder(TokenInterface::class)->getMock();
43+
44+
$trackingStorage->setToken($token);
45+
$this->assertSame($token, $trackingStorage->getToken());
46+
$this->assertSame($token, $tokenStorage->getToken());
47+
$this->assertSame(0, $sessionAccess);
48+
49+
$trackingStorage->enableUsageTracking();
50+
$this->assertSame($token, $trackingStorage->getToken());
51+
$this->assertSame(1, $sessionAccess);
52+
53+
$trackingStorage->disableUsageTracking();
54+
$this->assertSame($token, $trackingStorage->getToken());
55+
$this->assertSame(1, $sessionAccess);
56+
}
57+
}

‎src/Symfony/Component/Security/Core/composer.json

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/composer.json
+1-1Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@
1818
"require": {
1919
"php": "^7.1.3",
2020
"symfony/event-dispatcher-contracts": "^1.1|^2",
21-
"symfony/service-contracts": "^1.1|^2"
21+
"symfony/service-contracts": "^1.1.6|^2"
2222
},
2323
"require-dev": {
2424
"psr/container": "^1.0",

‎src/Symfony/Component/Security/Http/Firewall/AccessListener.php

Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/Firewall/AccessListener.php
+5-5Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -51,18 +51,18 @@ public function __construct(TokenStorageInterface $tokenStorage, AccessDecisionM
5151
*/
5252
public function __invoke(RequestEvent $event)
5353
{
54-
if (null === $token = $this->tokenStorage->getToken()) {
55-
throw new AuthenticationCredentialsNotFoundException('A Token was not found in the TokenStorage.');
56-
}
57-
5854
$request = $event->getRequest();
5955

6056
list($attributes) = $this->map->getPatterns($request);
6157

62-
if (null === $attributes) {
58+
if (!$attributes) {
6359
return;
6460
}
6561

62+
if (null === $token = $this->tokenStorage->getToken()) {
63+
throw new AuthenticationCredentialsNotFoundException('A Token was not found in the TokenStorage.');
64+
}
65+
6666
if (!$token->isAuthenticated()) {
6767
$token = $this->authManager->authenticate($token);
6868
$this->tokenStorage->setToken($token);

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.