From b884c6612d80f723e5954a53c7d5e84c2d8ae61f Mon Sep 17 00:00:00 2001
From: Robin Chalas <robin.chalas@gmail.com>
Date: Thu, 7 Sep 2017 10:19:55 +0200
Subject: [PATCH] Throw a meaningful exception when an undefined user provider
 is used inside a firewall

---
 .../DependencyInjection/SecurityExtension.php | 16 ++++++++++++---
 .../CompleteConfigurationTest.php             | 18 +++++++++++++++++
 .../php/firewall_undefined_provider.php       | 17 ++++++++++++++++
 .../php/listener_undefined_provider.php       | 16 +++++++++++++++
 .../xml/firewall_undefined_provider.xml       | 20 +++++++++++++++++++
 .../xml/listener_undefined_provider.xml       | 20 +++++++++++++++++++
 .../yml/firewall_undefined_provider.yml       | 10 ++++++++++
 .../yml/listener_undefined_provider.yml       | 10 ++++++++++
 8 files changed, 124 insertions(+), 3 deletions(-)
 create mode 100644 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/firewall_undefined_provider.php
 create mode 100644 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/listener_undefined_provider.php
 create mode 100644 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/firewall_undefined_provider.xml
 create mode 100644 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/listener_undefined_provider.xml
 create mode 100644 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/firewall_undefined_provider.yml
 create mode 100644 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/listener_undefined_provider.yml

diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
index dffe9d36879b2..adfe5b235752b 100644
--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -332,6 +332,9 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
         // Provider id (take the first registered provider if none defined)
         if (isset($firewall['provider'])) {
             $defaultProvider = $this->getUserProviderId($firewall['provider']);
+            if (!in_array($defaultProvider, $providerIds, true)) {
+                throw new InvalidConfigurationException(sprintf('Invalid firewall "%s": user provider "%s" not found.', $id, $firewall['provider']));
+            }
         } else {
             $defaultProvider = reset($providerIds);
         }
@@ -422,7 +425,7 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
         $configuredEntryPoint = isset($firewall['entry_point']) ? $firewall['entry_point'] : null;
 
         // Authentication listeners
-        list($authListeners, $defaultEntryPoint) = $this->createAuthenticationListeners($container, $id, $firewall, $authenticationProviders, $defaultProvider, $configuredEntryPoint);
+        list($authListeners, $defaultEntryPoint) = $this->createAuthenticationListeners($container, $id, $firewall, $authenticationProviders, $defaultProvider, $providerIds, $configuredEntryPoint);
 
         $config->replaceArgument(7, $configuredEntryPoint ?: $defaultEntryPoint);
 
@@ -477,7 +480,7 @@ private function createContextListener($container, $contextKey)
         return $this->contextListeners[$contextKey] = $listenerId;
     }
 
-    private function createAuthenticationListeners($container, $id, $firewall, &$authenticationProviders, $defaultProvider, $defaultEntryPoint)
+    private function createAuthenticationListeners($container, $id, $firewall, &$authenticationProviders, $defaultProvider, array $providerIds, $defaultEntryPoint)
     {
         $listeners = array();
         $hasListeners = false;
@@ -487,7 +490,14 @@ private function createAuthenticationListeners($container, $id, $firewall, &$aut
                 $key = str_replace('-', '_', $factory->getKey());
 
                 if (isset($firewall[$key])) {
-                    $userProvider = isset($firewall[$key]['provider']) ? $this->getUserProviderId($firewall[$key]['provider']) : $defaultProvider;
+                    if (isset($firewall[$key]['provider'])) {
+                        if (!in_array($firewall[$key]['provider'], $providerIds, true)) {
+                            throw new InvalidConfigurationException(sprintf('Invalid firewall "%s": user provider "%s" not found.', $id, $firewall[$key]['provider']));
+                        }
+                        $userProvider = $this->getUserProviderId($firewall[$key]['provider']);
+                    } else {
+                        $userProvider = $defaultProvider;
+                    }
 
                     list($provider, $listenerId, $defaultEntryPoint) = $factory->create($container, $id, $firewall[$key], $userProvider, $defaultEntryPoint);
 
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
index 4f000d3aee0f8..202107a57abf2 100644
--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
@@ -387,6 +387,24 @@ public function testAccessDecisionManagerServiceAndStrategyCannotBeUsedAtTheSame
         $container = $this->getContainer('access_decision_manager_service_and_strategy');
     }
 
+    /**
+     * @expectedException \Symfony\Component\Config\Definition\Exception\InvalidConfigurationException
+     * @expectedExceptionMessage Invalid firewall "main": user provider "undefined" not found.
+     */
+    public function testFirewallUndefinedUserProvider()
+    {
+        $this->getContainer('firewall_undefined_provider');
+    }
+
+    /**
+     * @expectedException \Symfony\Component\Config\Definition\Exception\InvalidConfigurationException
+     * @expectedExceptionMessage Invalid firewall "main": user provider "undefined" not found.
+     */
+    public function testFirewallListenerUndefinedProvider()
+    {
+        $this->getContainer('listener_undefined_provider');
+    }
+
     protected function getContainer($file)
     {
         $file = $file.'.'.$this->getFileExtension();
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/firewall_undefined_provider.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/firewall_undefined_provider.php
new file mode 100644
index 0000000000000..78d461efe38d1
--- /dev/null
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/firewall_undefined_provider.php
@@ -0,0 +1,17 @@
+<?php
+
+$container->loadFromExtension('security', array(
+    'providers' => array(
+        'default' => array(
+            'memory' => array(
+                'users' => array('foo' => array('password' => 'foo', 'roles' => 'ROLE_USER')),
+            ),
+        ),
+    ),
+    'firewalls' => array(
+        'main' => array(
+            'provider' => 'undefined',
+            'form_login' => true,
+        ),
+    ),
+));
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/listener_undefined_provider.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/listener_undefined_provider.php
new file mode 100644
index 0000000000000..da54f025d1a70
--- /dev/null
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/listener_undefined_provider.php
@@ -0,0 +1,16 @@
+<?php
+
+$container->loadFromExtension('security', array(
+    'providers' => array(
+        'default' => array(
+            'memory' => array(
+                'users' => array('foo' => array('password' => 'foo', 'roles' => 'ROLE_USER')),
+            ),
+        ),
+    ),
+    'firewalls' => array(
+        'main' => array(
+            'form_login' => array('provider' => 'undefined'),
+        ),
+    ),
+));
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/firewall_undefined_provider.xml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/firewall_undefined_provider.xml
new file mode 100644
index 0000000000000..f596ac5a6240b
--- /dev/null
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/firewall_undefined_provider.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<container xmlns="http://symfony.com/schema/dic/services"
+           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+           xmlns:sec="http://symfony.com/schema/dic/security"
+           xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
+
+    <sec:config>
+        <sec:providers>
+            <sec:provider name="default" id="foo" />
+        </sec:providers>
+
+        <sec:firewalls>
+            <sec:firewall name="main" provider="undefined">
+                <sec:form_login />
+            </sec:firewall>
+        </sec:firewalls>
+    </sec:config>
+
+</container>
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/listener_undefined_provider.xml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/listener_undefined_provider.xml
new file mode 100644
index 0000000000000..725e85a1d0f27
--- /dev/null
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/listener_undefined_provider.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<container xmlns="http://symfony.com/schema/dic/services"
+           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+           xmlns:sec="http://symfony.com/schema/dic/security"
+           xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
+
+    <sec:config>
+        <sec:providers>
+            <sec:provider name="default" id="foo" />
+        </sec:providers>
+
+        <sec:firewalls>
+            <sec:firewall name="main">
+                <sec:form_login provider="undefined" />
+            </sec:firewall>
+        </sec:firewalls>
+    </sec:config>
+
+</container>
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/firewall_undefined_provider.yml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/firewall_undefined_provider.yml
new file mode 100644
index 0000000000000..ec2664054009c
--- /dev/null
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/firewall_undefined_provider.yml
@@ -0,0 +1,10 @@
+security:
+    providers:
+        default:
+            memory:
+                users: { foo: { password: foo, roles: ROLE_USER } }
+
+    firewalls:
+        main:
+            provider: undefined
+            form_login: true
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/listener_undefined_provider.yml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/listener_undefined_provider.yml
new file mode 100644
index 0000000000000..1916df4c2e7ca
--- /dev/null
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/listener_undefined_provider.yml
@@ -0,0 +1,10 @@
+security:
+    providers:
+        default:
+            memory:
+                users: { foo: { password: foo, roles: ROLE_USER } }
+
+    firewalls:
+        main:
+            form_login:
+                provider: undefined