vendor/symfony/symfony/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php line 518

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <[email protected]>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Bundle\SecurityBundle\DependencyInjection;
  14. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
  15. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\UserProvider\UserProviderFactoryInterface;
  16. use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
  17. use Symfony\Component\Console\Application;
  18. use Symfony\Component\DependencyInjection\Alias;
  19. use Symfony\Component\DependencyInjection\Argument\IteratorArgument;
  20. use Symfony\Component\DependencyInjection\ChildDefinition;
  21. use Symfony\Component\DependencyInjection\Compiler\ServiceLocatorTagPass;
  22. use Symfony\Component\HttpKernel\DependencyInjection\Extension;
  23. use Symfony\Component\DependencyInjection\Loader\XmlFileLoader;
  24. use Symfony\Component\DependencyInjection\ContainerBuilder;
  25. use Symfony\Component\DependencyInjection\Reference;
  26. use Symfony\Component\Config\FileLocator;
  27. use Symfony\Component\Security\Core\Authorization\ExpressionLanguage;
  28. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  29. use Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder;
  31. /**
  32.  * SecurityExtension.
  33.  *
  34.  * @author Fabien Potencier <[email protected]>
  35.  * @author Johannes M. Schmitt <[email protected]>
  36.  */
  37. class SecurityExtension extends Extension
  38. {
  39.     private $requestMatchers = array();
  40.     private $expressions = array();
  41.     private $contextListeners = array();
  42.     private $listenerPositions = array('pre_auth''form''http''remember_me');
  43.     private $factories = array();
  44.     private $userProviderFactories = array();
  45.     private $expressionLanguage;
  46.     private $logoutOnUserChangeByContextKey = array();
  48.     public function __construct()
  49.     {
  50.         foreach ($this->listenerPositions as $position) {
  51.             $this->factories[$position] = array();
  52.         }
  53.     }
  55.     public function load(array $configsContainerBuilder $container)
  56.     {
  57.         if (!array_filter($configs)) {
  58.             return;
  59.         }
  61.         $mainConfig $this->getConfiguration($configs$container);
  63.         $config $this->processConfiguration($mainConfig$configs);
  65.         // load services
  66.         $loader = new XmlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
  67.         $loader->load('security.xml');
  68.         $loader->load('security_listeners.xml');
  69.         $loader->load('security_rememberme.xml');
  70.         $loader->load('templating_php.xml');
  71.         $loader->load('templating_twig.xml');
  72.         $loader->load('collectors.xml');
  73.         $loader->load('guard.xml');
  75.         $container->getDefinition('security.authentication.guard_handler')->setPrivate(true);
  76.         $container->getDefinition('security.firewall')->setPrivate(true);
  77.         $container->getDefinition('security.firewall.context')->setPrivate(true);
  78.         $container->getDefinition('security.validator.user_password')->setPrivate(true);
  79.         $container->getDefinition('security.rememberme.response_listener')->setPrivate(true);
  80.         $container->getDefinition('templating.helper.logout_url')->setPrivate(true);
  81.         $container->getDefinition('templating.helper.security')->setPrivate(true);
  82.         $container->getAlias('security.encoder_factory')->setPrivate(true);
  84.         if ($container->hasParameter('kernel.debug') && $container->getParameter('kernel.debug')) {
  85.             $loader->load('security_debug.xml');
  87.             $container->getAlias('security.firewall')->setPrivate(true);
  88.         }
  90.         if (!class_exists('Symfony\Component\ExpressionLanguage\ExpressionLanguage')) {
  91.             $container->removeDefinition('security.expression_language');
  92.             $container->removeDefinition('security.access.expression_voter');
  93.         }
  95.         // set some global scalars
  96.         $container->setParameter('security.access.denied_url'$config['access_denied_url']);
  97.         $container->setParameter('security.authentication.manager.erase_credentials'$config['erase_credentials']);
  98.         $container->setParameter('security.authentication.session_strategy.strategy'$config['session_fixation_strategy']);
  100.         if (isset($config['access_decision_manager']['service'])) {
  101.             $container->setAlias('security.access.decision_manager'$config['access_decision_manager']['service'])->setPrivate(true);
  102.         } else {
  103.             $container
  104.                 ->getDefinition('security.access.decision_manager')
  105.                 ->addArgument($config['access_decision_manager']['strategy'])
  106.                 ->addArgument($config['access_decision_manager']['allow_if_all_abstain'])
  107.                 ->addArgument($config['access_decision_manager']['allow_if_equal_granted_denied']);
  108.         }
  110.         $container->setParameter('security.access.always_authenticate_before_granting'$config['always_authenticate_before_granting']);
  111.         $container->setParameter('security.authentication.hide_user_not_found'$config['hide_user_not_found']);
  113.         $this->createFirewalls($config$container);
  114.         $this->createAuthorization($config$container);
  115.         $this->createRoleHierarchy($config$container);
  117.         if ($config['encoders']) {
  118.             $this->createEncoders($config['encoders'], $container);
  119.         }
  121.         if (class_exists(Application::class)) {
  122.             $loader->load('console.xml');
  123.             $container->getDefinition('security.command.user_password_encoder')->replaceArgument(1array_keys($config['encoders']));
  124.         }
  126.         // load ACL
  127.         if (isset($config['acl'])) {
  128.             $this->aclLoad($config['acl'], $container);
  129.         } else {
  130.             $container->removeDefinition('security.command.init_acl');
  131.             $container->removeDefinition('security.command.set_acl');
  132.         }
  134.         $container->registerForAutoconfiguration(VoterInterface::class)
  135.             ->addTag('security.voter');
  137.         if (\PHP_VERSION_ID 70000) {
  138.             // add some required classes for compilation
  139.             $this->addClassesToCompile(array(
  140.                 'Symfony\Component\Security\Http\Firewall',
  141.                 'Symfony\Component\Security\Core\User\UserProviderInterface',
  142.                 'Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager',
  143.                 'Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage',
  144.                 'Symfony\Component\Security\Core\Authorization\AccessDecisionManager',
  145.                 'Symfony\Component\Security\Core\Authorization\AuthorizationChecker',
  146.                 'Symfony\Component\Security\Core\Authorization\Voter\VoterInterface',
  147.                 'Symfony\Bundle\SecurityBundle\Security\FirewallConfig',
  148.                 'Symfony\Bundle\SecurityBundle\Security\FirewallContext',
  149.                 'Symfony\Component\HttpFoundation\RequestMatcher',
  150.             ));
  151.         }
  152.     }
  154.     private function aclLoad($configContainerBuilder $container)
  155.     {
  156.         if (!interface_exists('Symfony\Component\Security\Acl\Model\AclInterface')) {
  157.             throw new \LogicException('You must install symfony/security-acl in order to use the ACL functionality.');
  158.         }
  160.         $loader = new XmlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
  161.         $loader->load('security_acl.xml');
  163.         if (isset($config['cache']['id'])) {
  164.             $container->setAlias('security.acl.cache'$config['cache']['id'])->setPrivate(true);
  165.         }
  166.         $container->getDefinition('security.acl.voter.basic_permissions')->addArgument($config['voter']['allow_if_object_identity_unavailable']);
  168.         // custom ACL provider
  169.         if (isset($config['provider'])) {
  170.             $container->setAlias('security.acl.provider'$config['provider'])->setPrivate(true);
  172.             return;
  173.         }
  175.         $this->configureDbalAclProvider($config$container$loader);
  176.     }
  178.     private function configureDbalAclProvider(array $configContainerBuilder $container$loader)
  179.     {
  180.         $loader->load('security_acl_dbal.xml');
  182.         $container->getDefinition('security.acl.dbal.schema')->setPrivate(true);
  183.         $container->getAlias('security.acl.dbal.connection')->setPrivate(true);
  184.         $container->getAlias('security.acl.provider')->setPrivate(true);
  186.         if (null !== $config['connection']) {
  187.             $container->setAlias('security.acl.dbal.connection'sprintf('doctrine.dbal.%s_connection'$config['connection']))->setPrivate(true);
  188.         }
  190.         $container
  191.             ->getDefinition('security.acl.dbal.schema_listener')
  192.             ->addTag('doctrine.event_listener', array(
  193.                 'connection' => $config['connection'],
  194.                 'event' => 'postGenerateSchema',
  195.                 'lazy' => true,
  196.             ))
  197.         ;
  199.         $container->getDefinition('security.acl.cache.doctrine')->addArgument($config['cache']['prefix']);
  201.         $container->setParameter('security.acl.dbal.class_table_name'$config['tables']['class']);
  202.         $container->setParameter('security.acl.dbal.entry_table_name'$config['tables']['entry']);
  203.         $container->setParameter('security.acl.dbal.oid_table_name'$config['tables']['object_identity']);
  204.         $container->setParameter('security.acl.dbal.oid_ancestors_table_name'$config['tables']['object_identity_ancestors']);
  205.         $container->setParameter('security.acl.dbal.sid_table_name'$config['tables']['security_identity']);
  206.     }
  208.     private function createRoleHierarchy(array $configContainerBuilder $container)
  209.     {
  210.         if (!isset($config['role_hierarchy']) || === count($config['role_hierarchy'])) {
  211.             $container->removeDefinition('security.access.role_hierarchy_voter');
  213.             return;
  214.         }
  216.         $container->setParameter('security.role_hierarchy.roles'$config['role_hierarchy']);
  217.         $container->removeDefinition('security.access.simple_role_voter');
  218.     }
  220.     private function createAuthorization($configContainerBuilder $container)
  221.     {
  222.         if (!$config['access_control']) {
  223.             return;
  224.         }
  226.         if (\PHP_VERSION_ID 70000) {
  227.             $this->addClassesToCompile(array(
  228.                 'Symfony\\Component\\Security\\Http\\AccessMap',
  229.             ));
  230.         }
  232.         foreach ($config['access_control'] as $access) {
  233.             $matcher $this->createRequestMatcher(
  234.                 $container,
  235.                 $access['path'],
  236.                 $access['host'],
  237.                 $access['methods'],
  238.                 $access['ips']
  239.             );
  241.             $attributes $access['roles'];
  242.             if ($access['allow_if']) {
  243.                 $attributes[] = $this->createExpression($container$access['allow_if']);
  244.             }
  246.             $container->getDefinition('security.access_map')
  247.                       ->addMethodCall('add', array($matcher$attributes$access['requires_channel']));
  248.         }
  249.     }
  251.     private function createFirewalls($configContainerBuilder $container)
  252.     {
  253.         if (!isset($config['firewalls'])) {
  254.             return;
  255.         }
  257.         $firewalls $config['firewalls'];
  258.         $providerIds $this->createUserProviders($config$container);
  260.         // make the ContextListener aware of the configured user providers
  261.         $contextListenerDefinition $container->getDefinition('security.context_listener');
  262.         $arguments $contextListenerDefinition->getArguments();
  263.         $userProviders = array();
  264.         foreach ($providerIds as $userProviderId) {
  265.             $userProviders[] = new Reference($userProviderId);
  266.         }
  267.         $arguments[1] = new IteratorArgument($userProviders);
  268.         $contextListenerDefinition->setArguments($arguments);
  270.         $customUserChecker false;
  272.         // load firewall map
  273.         $mapDef $container->getDefinition('security.firewall.map');
  274.         $map $authenticationProviders $contextRefs = array();
  275.         foreach ($firewalls as $name => $firewall) {
  276.             if (isset($firewall['user_checker']) && 'security.user_checker' !== $firewall['user_checker']) {
  277.                 $customUserChecker true;
  278.             }
  280.             $configId 'security.firewall.map.config.'.$name;
  282.             list($matcher$listeners$exceptionListener) = $this->createFirewall($container$name$firewall$authenticationProviders$providerIds$configId);
  284.             $contextId 'security.firewall.map.context.'.$name;
  285.             $context $container->setDefinition($contextId, new ChildDefinition('security.firewall.context'));
  286.             $context
  287.                 ->replaceArgument(0, new IteratorArgument($listeners))
  288.                 ->replaceArgument(1$exceptionListener)
  289.                 ->replaceArgument(2, new Reference($configId))
  290.             ;
  292.             $contextRefs[$contextId] = new Reference($contextId);
  293.             $map[$contextId] = $matcher;
  294.         }
  295.         $mapDef->replaceArgument(0ServiceLocatorTagPass::register($container$contextRefs));
  296.         $mapDef->replaceArgument(1, new IteratorArgument($map));
  298.         // add authentication providers to authentication manager
  299.         $authenticationProviders array_map(function ($id) {
  300.             return new Reference($id);
  301.         }, array_values(array_unique($authenticationProviders)));
  302.         $container
  303.             ->getDefinition('security.authentication.manager')
  304.             ->replaceArgument(0, new IteratorArgument($authenticationProviders))
  305.         ;
  307.         // register an autowire alias for the UserCheckerInterface if no custom user checker service is configured
  308.         if (!$customUserChecker) {
  309.             $container->setAlias('Symfony\Component\Security\Core\User\UserCheckerInterface', new Alias('security.user_checker'false));
  310.         }
  311.     }
  313.     private function createFirewall(ContainerBuilder $container$id$firewall, &$authenticationProviders$providerIds$configId)
  314.     {
  315.         $config $container->setDefinition($configId, new ChildDefinition('security.firewall.config'));
  316.         $config->replaceArgument(0$id);
  317.         $config->replaceArgument(1$firewall['user_checker']);
  319.         // Matcher
  320.         $matcher null;
  321.         if (isset($firewall['request_matcher'])) {
  322.             $matcher = new Reference($firewall['request_matcher']);
  323.         } elseif (isset($firewall['pattern']) || isset($firewall['host'])) {
  324.             $pattern = isset($firewall['pattern']) ? $firewall['pattern'] : null;
  325.             $host = isset($firewall['host']) ? $firewall['host'] : null;
  326.             $methods = isset($firewall['methods']) ? $firewall['methods'] : array();
  327.             $matcher $this->createRequestMatcher($container$pattern$host$methods);
  328.         }
  330.         $config->replaceArgument(2$matcher ? (string) $matcher null);
  331.         $config->replaceArgument(3$firewall['security']);
  333.         // Security disabled?
  334.         if (false === $firewall['security']) {
  335.             return array($matcher, array(), null);
  336.         }
  338.         $config->replaceArgument(4$firewall['stateless']);
  340.         // Provider id (take the first registered provider if none defined)
  341.         $defaultProvider null;
  342.         if (isset($firewall['provider'])) {
  343.             if (!isset($providerIds[$normalizedName str_replace('-''_'$firewall['provider'])])) {
  344.                 throw new InvalidConfigurationException(sprintf('Invalid firewall "%s": user provider "%s" not found.'$id$firewall['provider']));
  345.             }
  346.             $defaultProvider $providerIds[$normalizedName];
  347.         } elseif (=== count($providerIds)) {
  348.             $defaultProvider reset($providerIds);
  349.         }
  351.         $config->replaceArgument(5$defaultProvider);
  353.         // Register listeners
  354.         $listeners = array();
  355.         $listenerKeys = array();
  357.         // Channel listener
  358.         $listeners[] = new Reference('security.channel_listener');
  360.         $contextKey null;
  361.         // Context serializer listener
  362.         if (false === $firewall['stateless']) {
  363.             $contextKey $id;
  364.             if (isset($firewall['context'])) {
  365.                 $contextKey $firewall['context'];
  366.             }
  368.             if (!$logoutOnUserChange $firewall['logout_on_user_change']) {
  369.                 @trigger_error(sprintf('Not setting "logout_on_user_change" to true on firewall "%s" is deprecated as of 3.4, it will always be true in 4.0.'$id), E_USER_DEPRECATED);
  370.             }
  372.             if (isset($this->logoutOnUserChangeByContextKey[$contextKey]) && $this->logoutOnUserChangeByContextKey[$contextKey][1] !== $logoutOnUserChange) {
  373.                 throw new InvalidConfigurationException(sprintf('Firewalls "%s" and "%s" need to have the same value for option "logout_on_user_change" as they are sharing the context "%s"'$this->logoutOnUserChangeByContextKey[$contextKey][0], $id$contextKey));
  374.             }
  376.             $this->logoutOnUserChangeByContextKey[$contextKey] = array($id$logoutOnUserChange);
  377.             $listeners[] = new Reference($this->createContextListener($container$contextKey$logoutOnUserChange));
  378.         }
  380.         $config->replaceArgument(6$contextKey);
  382.         // Logout listener
  383.         if (isset($firewall['logout'])) {
  384.             $listenerKeys[] = 'logout';
  385.             $listenerId 'security.logout_listener.'.$id;
  386.             $listener $container->setDefinition($listenerId, new ChildDefinition('security.logout_listener'));
  387.             $listener->replaceArgument(3, array(
  388.                 'csrf_parameter' => $firewall['logout']['csrf_parameter'],
  389.                 'csrf_token_id' => $firewall['logout']['csrf_token_id'],
  390.                 'logout_path' => $firewall['logout']['path'],
  391.             ));
  392.             $listeners[] = new Reference($listenerId);
  394.             // add logout success handler
  395.             if (isset($firewall['logout']['success_handler'])) {
  396.                 $logoutSuccessHandlerId $firewall['logout']['success_handler'];
  397.             } else {
  398.                 $logoutSuccessHandlerId 'security.logout.success_handler.'.$id;
  399.                 $logoutSuccessHandler $container->setDefinition($logoutSuccessHandlerId, new ChildDefinition('security.logout.success_handler'));
  400.                 $logoutSuccessHandler->replaceArgument(1$firewall['logout']['target']);
  401.             }
  402.             $listener->replaceArgument(2, new Reference($logoutSuccessHandlerId));
  404.             // add CSRF provider
  405.             if (isset($firewall['logout']['csrf_token_generator'])) {
  406.                 $listener->addArgument(new Reference($firewall['logout']['csrf_token_generator']));
  407.             }
  409.             // add session logout handler
  410.             if (true === $firewall['logout']['invalidate_session'] && false === $firewall['stateless']) {
  411.                 $listener->addMethodCall('addHandler', array(new Reference('security.logout.handler.session')));
  412.             }
  414.             // add cookie logout handler
  415.             if (count($firewall['logout']['delete_cookies']) > 0) {
  416.                 $cookieHandlerId 'security.logout.handler.cookie_clearing.'.$id;
  417.                 $cookieHandler $container->setDefinition($cookieHandlerId, new ChildDefinition('security.logout.handler.cookie_clearing'));
  418.                 $cookieHandler->addArgument($firewall['logout']['delete_cookies']);
  420.                 $listener->addMethodCall('addHandler', array(new Reference($cookieHandlerId)));
  421.             }
  423.             // add custom handlers
  424.             foreach ($firewall['logout']['handlers'] as $handlerId) {
  425.                 $listener->addMethodCall('addHandler', array(new Reference($handlerId)));
  426.             }
  428.             // register with LogoutUrlGenerator
  429.             $container
  430.                 ->getDefinition('security.logout_url_generator')
  431.                 ->addMethodCall('registerListener', array(
  432.                     $id,
  433.                     $firewall['logout']['path'],
  434.                     $firewall['logout']['csrf_token_id'],
  435.                     $firewall['logout']['csrf_parameter'],
  436.                     isset($firewall['logout']['csrf_token_generator']) ? new Reference($firewall['logout']['csrf_token_generator']) : null,
  437.                     false === $firewall['stateless'] && isset($firewall['context']) ? $firewall['context'] : null,
  438.                 ))
  439.             ;
  440.         }
  442.         // Determine default entry point
  443.         $configuredEntryPoint = isset($firewall['entry_point']) ? $firewall['entry_point'] : null;
  445.         // Authentication listeners
  446.         list($authListeners$defaultEntryPoint) = $this->createAuthenticationListeners($container$id$firewall$authenticationProviders$defaultProvider$providerIds$configuredEntryPoint);
  448.         $config->replaceArgument(7$configuredEntryPoint ?: $defaultEntryPoint);
  450.         $listeners array_merge($listeners$authListeners);
  452.         // Switch user listener
  453.         if (isset($firewall['switch_user'])) {
  454.             $listenerKeys[] = 'switch_user';
  455.             $listeners[] = new Reference($this->createSwitchUserListener($container$id$firewall['switch_user'], $defaultProvider$firewall['stateless'], $providerIds));
  456.         }
  458.         // Access listener
  459.         $listeners[] = new Reference('security.access_listener');
  461.         // Exception listener
  462.         $exceptionListener = new Reference($this->createExceptionListener($container$firewall$id$configuredEntryPoint ?: $defaultEntryPoint$firewall['stateless']));
  464.         $config->replaceArgument(8, isset($firewall['access_denied_handler']) ? $firewall['access_denied_handler'] : null);
  465.         $config->replaceArgument(9, isset($firewall['access_denied_url']) ? $firewall['access_denied_url'] : null);
  467.         $container->setAlias('security.user_checker.'.$id, new Alias($firewall['user_checker'], false));
  469.         foreach ($this->factories as $position) {
  470.             foreach ($position as $factory) {
  471.                 $key str_replace('-''_'$factory->getKey());
  472.                 if (array_key_exists($key$firewall)) {
  473.                     $listenerKeys[] = $key;
  474.                 }
  475.             }
  476.         }
  478.         if (isset($firewall['anonymous'])) {
  479.             $listenerKeys[] = 'anonymous';
  480.         }
  482.         $config->replaceArgument(10$listenerKeys);
  483.         $config->replaceArgument(11, isset($firewall['switch_user']) ? $firewall['switch_user'] : null);
  485.         return array($matcher$listeners$exceptionListener);
  486.     }
  488.     private function createContextListener($container$contextKey$logoutUserOnChange)
  489.     {
  490.         if (isset($this->contextListeners[$contextKey])) {
  491.             return $this->contextListeners[$contextKey];
  492.         }
  494.         $listenerId 'security.context_listener.'.count($this->contextListeners);
  495.         $listener $container->setDefinition($listenerId, new ChildDefinition('security.context_listener'));
  496.         $listener->replaceArgument(2$contextKey);
  497.         $listener->addMethodCall('setLogoutOnUserChange', array($logoutUserOnChange));
  499.         return $this->contextListeners[$contextKey] = $listenerId;
  500.     }
  502.     private function createAuthenticationListeners($container$id$firewall, &$authenticationProviders$defaultProvider null, array $providerIds$defaultEntryPoint)
  503.     {
  504.         $listeners = array();
  505.         $hasListeners false;
  507.         foreach ($this->listenerPositions as $position) {
  508.             foreach ($this->factories[$position] as $factory) {
  509.                 $key str_replace('-''_'$factory->getKey());
  511.                 if (isset($firewall[$key])) {
  512.                     if (isset($firewall[$key]['provider'])) {
  513.                         if (!isset($providerIds[$normalizedName str_replace('-''_'$firewall[$key]['provider'])])) {
  514.                             throw new InvalidConfigurationException(sprintf('Invalid firewall "%s": user provider "%s" not found.'$id$firewall[$key]['provider']));
  515.                         }
  516.                         $userProvider $providerIds[$normalizedName];
  517.                     } else {
  518.                         $userProvider $defaultProvider ?: $this->getFirstProvider($id$key$providerIds);
  519.                     }
  521.                     list($provider$listenerId$defaultEntryPoint) = $factory->create($container$id$firewall[$key], $userProvider$defaultEntryPoint);
  523.                     $listeners[] = new Reference($listenerId);
  524.                     $authenticationProviders[] = $provider;
  525.                     $hasListeners true;
  526.                 }
  527.             }
  528.         }
  530.         // Anonymous
  531.         if (isset($firewall['anonymous'])) {
  532.             $listenerId 'security.authentication.listener.anonymous.'.$id;
  533.             $container
  534.                 ->setDefinition($listenerId, new ChildDefinition('security.authentication.listener.anonymous'))
  535.                 ->replaceArgument(1$firewall['anonymous']['secret'])
  536.             ;
  538.             $listeners[] = new Reference($listenerId);
  540.             $providerId 'security.authentication.provider.anonymous.'.$id;
  541.             $container
  542.                 ->setDefinition($providerId, new ChildDefinition('security.authentication.provider.anonymous'))
  543.                 ->replaceArgument(0$firewall['anonymous']['secret'])
  544.             ;
  546.             $authenticationProviders[] = $providerId;
  547.             $hasListeners true;
  548.         }
  550.         if (false === $hasListeners) {
  551.             throw new InvalidConfigurationException(sprintf('No authentication listener registered for firewall "%s".'$id));
  552.         }
  554.         return array($listeners$defaultEntryPoint);
  555.     }
  557.     private function createEncoders($encodersContainerBuilder $container)
  558.     {
  559.         $encoderMap = array();
  560.         foreach ($encoders as $class => $encoder) {
  561.             $encoderMap[$class] = $this->createEncoder($encoder$container);
  562.         }
  564.         $container
  565.             ->getDefinition('security.encoder_factory.generic')
  566.             ->setArguments(array($encoderMap))
  567.         ;
  568.     }
  570.     private function createEncoder($configContainerBuilder $container)
  571.     {
  572.         // a custom encoder service
  573.         if (isset($config['id'])) {
  574.             return new Reference($config['id']);
  575.         }
  577.         // plaintext encoder
  578.         if ('plaintext' === $config['algorithm']) {
  579.             $arguments = array($config['ignore_case']);
  581.             return array(
  582.                 'class' => 'Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder',
  583.                 'arguments' => $arguments,
  584.             );
  585.         }
  587.         // pbkdf2 encoder
  588.         if ('pbkdf2' === $config['algorithm']) {
  589.             return array(
  590.                 'class' => 'Symfony\Component\Security\Core\Encoder\Pbkdf2PasswordEncoder',
  591.                 'arguments' => array(
  592.                     $config['hash_algorithm'],
  593.                     $config['encode_as_base64'],
  594.                     $config['iterations'],
  595.                     $config['key_length'],
  596.                 ),
  597.             );
  598.         }
  600.         // bcrypt encoder
  601.         if ('bcrypt' === $config['algorithm']) {
  602.             return array(
  603.                 'class' => 'Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder',
  604.                 'arguments' => array($config['cost']),
  605.             );
  606.         }
  608.         // Argon2i encoder
  609.         if ('argon2i' === $config['algorithm']) {
  610.             if (!Argon2iPasswordEncoder::isSupported()) {
  611.                 throw new InvalidConfigurationException('Argon2i algorithm is not supported. Please install the libsodium extension or upgrade to PHP 7.2+.');
  612.             }
  614.             return array(
  615.                 'class' => 'Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder',
  616.                 'arguments' => array(),
  617.             );
  618.         }
  620.         // run-time configured encoder
  621.         return $config;
  622.     }
  624.     // Parses user providers and returns an array of their ids
  625.     private function createUserProviders($configContainerBuilder $container)
  626.     {
  627.         $providerIds = array();
  628.         foreach ($config['providers'] as $name => $provider) {
  629.             $id $this->createUserDaoProvider($name$provider$container);
  630.             $providerIds[str_replace('-''_'$name)] = $id;
  631.         }
  633.         return $providerIds;
  634.     }
  636.     // Parses a <provider> tag and returns the id for the related user provider service
  637.     private function createUserDaoProvider($name$providerContainerBuilder $container)
  638.     {
  639.         $name $this->getUserProviderId($name);
  641.         // Doctrine Entity and In-memory DAO provider are managed by factories
  642.         foreach ($this->userProviderFactories as $factory) {
  643.             $key str_replace('-''_'$factory->getKey());
  645.             if (!empty($provider[$key])) {
  646.                 $factory->create($container$name$provider[$key]);
  648.                 return $name;
  649.             }
  650.         }
  652.         // Existing DAO service provider
  653.         if (isset($provider['id'])) {
  654.             $container->setAlias($name, new Alias($provider['id'], false));
  656.             return $provider['id'];
  657.         }
  659.         // Chain provider
  660.         if (isset($provider['chain'])) {
  661.             $providers = array();
  662.             foreach ($provider['chain']['providers'] as $providerName) {
  663.                 $providers[] = new Reference($this->getUserProviderId($providerName));
  664.             }
  666.             $container
  667.                 ->setDefinition($name, new ChildDefinition('security.user.provider.chain'))
  668.                 ->addArgument(new IteratorArgument($providers));
  670.             return $name;
  671.         }
  673.         throw new InvalidConfigurationException(sprintf('Unable to create definition for "%s" user provider'$name));
  674.     }
  676.     private function getUserProviderId($name)
  677.     {
  678.         return 'security.user.provider.concrete.'.strtolower($name);
  679.     }
  681.     private function createExceptionListener($container$config$id$defaultEntryPoint$stateless)
  682.     {
  683.         $exceptionListenerId 'security.exception_listener.'.$id;
  684.         $listener $container->setDefinition($exceptionListenerId, new ChildDefinition('security.exception_listener'));
  685.         $listener->replaceArgument(3$id);
  686.         $listener->replaceArgument(4null === $defaultEntryPoint null : new Reference($defaultEntryPoint));
  687.         $listener->replaceArgument(8$stateless);
  689.         // access denied handler setup
  690.         if (isset($config['access_denied_handler'])) {
  691.             $listener->replaceArgument(6, new Reference($config['access_denied_handler']));
  692.         } elseif (isset($config['access_denied_url'])) {
  693.             $listener->replaceArgument(5$config['access_denied_url']);
  694.         }
  696.         return $exceptionListenerId;
  697.     }
  699.     private function createSwitchUserListener($container$id$config$defaultProvider$stateless$providerIds)
  700.     {
  701.         $userProvider = isset($config['provider']) ? $this->getUserProviderId($config['provider']) : ($defaultProvider ?: $this->getFirstProvider($id'switch_user'$providerIds));
  703.         // in 4.0, ignore the `switch_user.stateless` key if $stateless is `true`
  704.         if ($stateless && false === $config['stateless']) {
  705.             @trigger_error(sprintf('Firewall "%s" is configured as "stateless" but the "switch_user.stateless" key is set to false. Both should have the same value, the firewall\'s "stateless" value will be used as default value for the "switch_user.stateless" key in 4.0.'$id), E_USER_DEPRECATED);
  706.         }
  708.         $switchUserListenerId 'security.authentication.switchuser_listener.'.$id;
  709.         $listener $container->setDefinition($switchUserListenerId, new ChildDefinition('security.authentication.switchuser_listener'));
  710.         $listener->replaceArgument(1, new Reference($userProvider));
  711.         $listener->replaceArgument(2, new Reference('security.user_checker.'.$id));
  712.         $listener->replaceArgument(3$id);
  713.         $listener->replaceArgument(6$config['parameter']);
  714.         $listener->replaceArgument(7$config['role']);
  715.         $listener->replaceArgument(9$config['stateless']);
  717.         return $switchUserListenerId;
  718.     }
  720.     private function createExpression($container$expression)
  721.     {
  722.         if (isset($this->expressions[$id 'security.expression.'.ContainerBuilder::hash($expression)])) {
  723.             return $this->expressions[$id];
  724.         }
  726.         $container
  727.             ->register($id'Symfony\Component\ExpressionLanguage\SerializedParsedExpression')
  728.             ->setPublic(false)
  729.             ->addArgument($expression)
  730.             ->addArgument(serialize($this->getExpressionLanguage()->parse($expression, array('token''user''object''roles''request''trust_resolver'))->getNodes()))
  731.         ;
  733.         return $this->expressions[$id] = new Reference($id);
  734.     }
  736.     private function createRequestMatcher($container$path null$host null$methods = array(), $ip null, array $attributes = array())
  737.     {
  738.         if ($methods) {
  739.             $methods array_map('strtoupper', (array) $methods);
  740.         }
  742.         $id 'security.request_matcher.'.ContainerBuilder::hash(array($path$host$methods$ip$attributes));
  744.         if (isset($this->requestMatchers[$id])) {
  745.             return $this->requestMatchers[$id];
  746.         }
  748.         // only add arguments that are necessary
  749.         $arguments = array($path$host$methods$ip$attributes);
  750.         while (count($arguments) > && !end($arguments)) {
  751.             array_pop($arguments);
  752.         }
  754.         $container
  755.             ->register($id'Symfony\Component\HttpFoundation\RequestMatcher')
  756.             ->setPublic(false)
  757.             ->setArguments($arguments)
  758.         ;
  760.         return $this->requestMatchers[$id] = new Reference($id);
  761.     }
  763.     public function addSecurityListenerFactory(SecurityFactoryInterface $factory)
  764.     {
  765.         $this->factories[$factory->getPosition()][] = $factory;
  766.     }
  768.     public function addUserProviderFactory(UserProviderFactoryInterface $factory)
  769.     {
  770.         $this->userProviderFactories[] = $factory;
  771.     }
  773.     /**
  774.      * Returns the base path for the XSD files.
  775.      *
  776.      * @return string The XSD base path
  777.      */
  778.     public function getXsdValidationBasePath()
  779.     {
  780.         return __DIR__.'/../Resources/config/schema';
  781.     }
  783.     public function getNamespace()
  784.     {
  785.         return 'http://symfony.com/schema/dic/security';
  786.     }
  788.     public function getConfiguration(array $configContainerBuilder $container)
  789.     {
  790.         // first assemble the factories
  791.         return new MainConfiguration($this->factories$this->userProviderFactories);
  792.     }
  794.     private function getExpressionLanguage()
  795.     {
  796.         if (null === $this->expressionLanguage) {
  797.             if (!class_exists('Symfony\Component\ExpressionLanguage\ExpressionLanguage')) {
  798.                 throw new \RuntimeException('Unable to use expressions as the Symfony ExpressionLanguage component is not installed.');
  799.             }
  800.             $this->expressionLanguage = new ExpressionLanguage();
  801.         }
  803.         return $this->expressionLanguage;
  804.     }
  806.     /**
  807.      * @deprecated since version 3.4, to be removed in 4.0
  808.      */
  809.     private function getFirstProvider($firewallName$listenerName, array $providerIds)
  810.     {
  811.         @trigger_error(sprintf('Listener "%s" on firewall "%s" has no "provider" set but multiple providers exist. Using the first configured provider (%s) is deprecated since 3.4 and will throw an exception in 4.0, set the "provider" key on the firewall instead.'$listenerName$firewallName$first array_keys($providerIds)[0]), E_USER_DEPRECATED);
  813.         return $providerIds[$first];
  814.     }
  815. }