[Security][WIP] Add authenticators info to the profiler

symfony · fabpot · Oct 11, 2021 · Nov 9, 2020 · Oct 10, 2021 · 3ec5e96a87542fc9bccca106f5fcfd57e8c780cf
commit 3ec5e96a87542fc9bccca106f5fcfd57e8c780cf
diff --git a/UPGRADE-5.4.md b/UPGRADE-5.4.md
@@ -51,6 +51,7 @@ Messenger
 SecurityBundle
 --------------

+ * Deprecate `FirewallConfig::getListeners()`, use `FirewallConfig::getAuthenticators()` instead
 * Deprecate `security.authentication.basic_entry_point` and `security.authentication.retry_entry_point` services, the logic is moved into the
   `HttpBasicAuthenticator` and `ChannelListener` respectively
 * Deprecate not setting `$authenticatorManagerEnabled` to `true` in `SecurityDataCollector` and `DebugFirewallCommand`

diff --git a/UPGRADE-6.0.md b/UPGRADE-6.0.md
@@ -394,6 +394,7 @@ Security
 SecurityBundle
 --------------

+ * Remove `FirewallConfig::getListeners()`, use `FirewallConfig::getAuthenticators()` instead
 * Remove `security.authentication.basic_entry_point` and `security.authentication.retry_entry_point` services,
   the logic is moved into the `HttpBasicAuthenticator` and `ChannelListener` respectively
 * Remove `SecurityFactoryInterface` and `SecurityExtension::addSecurityListenerFactory()` in favor of

@@ -4,6 +4,7 @@ CHANGELOG
 5.4
 ---

+ * Deprecate `FirewallConfig::getListeners()`, use `FirewallConfig::getAuthenticators()` instead
 * Deprecate `security.authentication.basic_entry_point` and `security.authentication.retry_entry_point` services, the logic is moved into the
   `HttpBasicAuthenticator` and `ChannelListener` respectively
 * Deprecate `FirewallConfig::allowsAnonymous()` and the `allows_anonymous` from the data collector data, there will be no anonymous concept as of version 6.

@@ -194,7 +194,7 @@ public function collect(Request $request, Response $response, \Throwable $except
                    'access_denied_handler' => $firewallConfig->getAccessDeniedHandler(),
                    'access_denied_url' => $firewallConfig->getAccessDeniedUrl(),
                    'user_checker' => $firewallConfig->getUserChecker(),
-                    'listeners' => $firewallConfig->getListeners(),
+                    'authenticators' => $firewallConfig->getAuthenticators(),
                ];

                // generate exit impersonation path from current request
@@ -215,6 +215,7 @@ public function collect(Request $request, Response $response, \Throwable $except
        }

        $this->data['authenticator_manager_enabled'] = $this->authenticatorManagerEnabled;
+        $this->data['authenticators'] = $this->firewall ? $this->firewall->getAuthenticatorsInfo() : [];
    }

    /**
@@ -370,6 +371,14 @@ public function getListeners()
        return $this->data['listeners'];
    }

+    /**
+     * @return array|Data
+     */
+    public function getAuthenticators()
+    {
+        return $this->data['authenticators'];
+    }
+
    /**
     * {@inheritdoc}
     */

@@ -0,0 +1,106 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Debug\Authenticator;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Guard\Authenticator\GuardBridgeAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
+use Symfony\Component\Security\Http\Authenticator\InteractiveAuthenticatorInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
+use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Http\EntryPoint\Exception\NotAnEntryPointException;
+use Symfony\Component\VarDumper\Caster\ClassStub;
+
+/**
+ * @author Robin Chalas <robin.chalas@gmail.com>
+ *
+ * @internal
+ */
+final class TraceableAuthenticator implements AuthenticatorInterface, InteractiveAuthenticatorInterface, AuthenticationEntryPointInterface
+{
+    private $authenticator;
+    private $passport;
+    private $duration;
+    private $stub;
+
+    public function __construct(AuthenticatorInterface $authenticator)
+    {
+        $this->authenticator = $authenticator;
+    }
+
+    public function getInfo(): array
+    {
+        return [
+            'supports' => true,
+            'passport' => $this->passport,
+            'duration' => $this->duration,
+            'stub' => $this->stub ?? $this->stub = new ClassStub(\get_class($this->authenticator instanceof GuardBridgeAuthenticator ? $this->authenticator->getGuardAuthenticator() : $this->authenticator)),
+        ];
+    }
+
+    public function supports(Request $request): ?bool
+    {
+        return $this->authenticator->supports($request);
+    }
+
+    public function authenticate(Request $request): PassportInterface
+    {
+        $startTime = microtime(true);
+        $this->passport = $this->authenticator->authenticate($request);
+        $this->duration = microtime(true) - $startTime;
+
+        return $this->passport;
+    }
+
+    public function createToken(Passport $passport, string $firewallName): TokenInterface
+    {
+        return method_exists($this->authenticator, 'createToken') ? $this->authenticator->createToken($passport, $firewallName) : $this->authenticator->createAuthenticatedToken($passport, $firewallName);
+    }
+
+    public function createAuthenticatedToken(PassportInterface $passport, string $firewallName): TokenInterface
+    {
+        return $this->authenticator->createAuthenticatedToken($passport, $firewallName);
+    }
+
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
+    {
+        return $this->authenticator->onAuthenticationSuccess($request, $token, $firewallName);
+    }
+
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
+    {
+        return $this->authenticator->onAuthenticationFailure($request, $exception);
+    }
+
+    public function start(Request $request, AuthenticationException $authException = null): Response
+    {
+        if (!$this->authenticator instanceof AuthenticationEntryPointInterface) {
+            throw new NotAnEntryPointException();
+        }
+
+        return $this->authenticator->start($request, $authException);
+    }
+
+    public function isInteractive(): bool
+    {
+        return $this->authenticator instanceof InteractiveAuthenticatorInterface && $this->authenticator->isInteractive();
+    }
+
+    public function __call($method, $args)
+    {
+        return $this->authenticator->{$method}(...$args);
+    }
+}
@@ -0,0 +1,81 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Debug\Authenticator;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\Security\Http\Firewall\AbstractListener;
+use Symfony\Component\Security\Http\Firewall\AuthenticatorManagerListener;
+use Symfony\Component\VarDumper\Caster\ClassStub;
+
+/**
+ * Decorates the AuthenticatorManagerListener to collect information about security authenticators.
+ *
+ * @author Robin Chalas <robin.chalas@gmail.com>
+ *
+ * @internal
+ */
+class TraceableAuthenticatorManagerListener extends AbstractListener
+{
+    private $authenticationManagerListener;
+    private $authenticatorsInfo = [];
+
+    public function __construct(AuthenticatorManagerListener $authenticationManagerListener)
+    {
+        $this->authenticationManagerListener = $authenticationManagerListener;
+    }
+
+    public function supports(Request $request): ?bool
+    {
+        return $this->authenticationManagerListener->supports($request);
+    }
+
+    public function authenticate(RequestEvent $event): void
+    {
+        $request = $event->getRequest();
+
+        if (!$authenticators = $request->attributes->get('_security_authenticators')) {
+            return;
+        }
+
+        foreach ($request->attributes->get('_security_skipped_authenticators') as $skippedAuthenticator) {
+            $this->authenticatorsInfo[] = [
+                'supports' => false,
+                'stub' => new ClassStub(\get_class($skippedAuthenticator)),
+                'passport' => null,
+                'duration' => 0,
+            ];
+        }
+
+        foreach ($authenticators as $key => $authenticator) {
+            $authenticators[$key] = new TraceableAuthenticator($authenticator);
+        }
+
+        $request->attributes->set('_security_authenticators', $authenticators);
+
+        $this->authenticationManagerListener->authenticate($event);
+
+        foreach ($authenticators as $authenticator) {
+            $this->authenticatorsInfo[] = $authenticator->getInfo();
+        }
+    }
+
+    public function getAuthenticatorManagerListener(): AuthenticatorManagerListener
+    {
+        return $this->authenticationManagerListener;
+    }
+
+    public function getAuthenticatorsInfo(): array
+    {
+        return $this->authenticatorsInfo;
+    }
+}
@@ -11,36 +11,47 @@

 namespace Symfony\Bundle\SecurityBundle\Debug;

+use Symfony\Bundle\SecurityBundle\Debug\Authenticator\TraceableAuthenticatorManagerListener;
 use Symfony\Bundle\SecurityBundle\EventListener\FirewallListener;
 use Symfony\Bundle\SecurityBundle\Security\FirewallContext;
 use Symfony\Bundle\SecurityBundle\Security\LazyFirewallContext;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;

 /**
- * Firewall collecting called listeners.
+ * Firewall collecting called security listeners and authenticators.
 *
 * @author Robin Chalas <robin.chalas@gmail.com>
 */
 final class TraceableFirewallListener extends FirewallListener
 {
    private $wrappedListeners = [];
+    private $authenticatorsInfo = [];

    public function getWrappedListeners()
    {
        return $this->wrappedListeners;
    }

+    public function getAuthenticatorsInfo(): array
+    {
+        return $this->authenticatorsInfo;
+    }
+
    protected function callListeners(RequestEvent $event, iterable $listeners)
    {
        $wrappedListeners = [];
        $wrappedLazyListeners = [];
+        $authenticatorManagerListener = null;

        foreach ($listeners as $listener) {
            if ($listener instanceof LazyFirewallContext) {
-                \Closure::bind(function () use (&$wrappedLazyListeners, &$wrappedListeners) {
+                \Closure::bind(function () use (&$wrappedLazyListeners, &$wrappedListeners, &$authenticatorManagerListener) {
                    $listeners = [];
                    foreach ($this->listeners as $listener) {
+                        if (!$authenticatorManagerListener && $listener instanceof TraceableAuthenticatorManagerListener) {
+                            $authenticatorManagerListener = $listener;
+                        }
                        if ($listener instanceof FirewallListenerInterface) {
                            $listener = new WrappedLazyListener($listener);
                            $listeners[] = $listener;
@@ -61,6 +72,9 @@ protected function callListeners(RequestEvent $event, iterable $listeners)
                $wrappedListener = $listener instanceof FirewallListenerInterface ? new WrappedLazyListener($listener) : new WrappedListener($listener);
                $wrappedListener($event);
                $wrappedListeners[] = $wrappedListener->getInfo();
+                if (!$authenticatorManagerListener && $listener instanceof TraceableAuthenticatorManagerListener) {
+                    $authenticatorManagerListener = $listener;
+                }
            }

            if ($event->hasResponse()) {
@@ -75,5 +89,9 @@ protected function callListeners(RequestEvent $event, iterable $listeners)
        }

        $this->wrappedListeners = array_merge($this->wrappedListeners, $wrappedListeners);
+
+        if ($authenticatorManagerListener) {
+            $this->authenticatorsInfo = $authenticatorManagerListener->getAuthenticatorsInfo();
+        }
    }
 }
@@ -11,6 +11,7 @@

 namespace Symfony\Bundle\SecurityBundle\Debug;

+use Symfony\Bundle\SecurityBundle\Debug\Authenticator\TraceableAuthenticatorManagerListener;
 use Symfony\Component\VarDumper\Caster\ClassStub;

 /**
@@ -43,7 +44,7 @@ public function getInfo(): array
        return [
            'response' => $this->response,
            'time' => $this->time,
-            'stub' => $this->stub ?? $this->stub = ClassStub::wrapCallable($this->listener),
+            'stub' => $this->stub ?? $this->stub = ClassStub::wrapCallable($this->listener instanceof TraceableAuthenticatorManagerListener ? $this->listener->getAuthenticatorManagerListener() : $this->listener),
        ];
    }
 }
@@ -12,6 +12,7 @@
 namespace Symfony\Bundle\SecurityBundle\DependencyInjection;

 use Symfony\Bridge\Twig\Extension\LogoutUrlExtension;
+use Symfony\Bundle\SecurityBundle\Debug\Authenticator\TraceableAuthenticatorManagerListener;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AuthenticatorFactoryInterface;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FirewallListenerFactoryInterface;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
@@ -504,6 +505,14 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
                ->replaceArgument(0, new Reference($managerId))
            ;

+            if ($container->hasDefinition('debug.security.firewall') && $this->authenticatorManagerEnabled) {
+                $container
+                    ->register('debug.security.firewall.authenticator.'.$id, TraceableAuthenticatorManagerListener::class)
+                    ->setDecoratedService('security.firewall.authenticator.'.$id)
+                    ->setArguments([new Reference('debug.security.firewall.authenticator.'.$id.'.inner')])
+                ;
+            }
+
            // user checker listener
            $container
                ->setDefinition('security.listener.user_checker.'.$id, new ChildDefinition('security.listener.user_checker'))
@@ -542,11 +551,17 @@ private function createFirewall(ContainerBuilder $container, string $id, array $

        foreach ($this->getSortedFactories() as $factory) {
            $key = str_replace('-', '_', $factory->getKey());
-            if (\array_key_exists($key, $firewall)) {
+            if ('custom_authenticators' !== $key && \array_key_exists($key, $firewall)) {
                $listenerKeys[] = $key;
            }
        }

+        if ($firewall['custom_authenticators'] ?? false) {
+            foreach ($firewall['custom_authenticators'] as $customAuthenticatorId) {
+                $listenerKeys[] = $customAuthenticatorId;
+            }
+        }
+
        $config->replaceArgument(10, $listenerKeys);
        $config->replaceArgument(11, $firewall['switch_user'] ?? null);