[SecurityBundle] Add shortcut option to enable logout CSRF protection

Author: wouterj

CHANGELOG.md

@@ -9,6 +9,7 @@ CHANGELOG
  * Add `Security::getFirewallConfig()` to help to get the firewall configuration associated to the Request
  * Add `Security::login()` to login programmatically
  * Add `Security::logout()` to logout programmatically
+ * Add `security.firewalls.logout.enable_csrf` to enable CSRF protection using the default CSRF token generator
 
 6.1
 ---

DependencyInjection/MainConfiguration.php

@@ -210,10 +210,23 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
             ->arrayNode('logout')
                 ->treatTrueLike([])
                 ->canBeUnset()
+                ->beforeNormalization()
+                    ->ifTrue(fn ($v): bool => \is_array($v) && (isset($v['csrf_token_generator']) xor isset($v['enable_csrf'])))
+                    ->then(function (array $v): array {
+                        if (isset($v['csrf_token_generator'])) {
+                            $v['enable_csrf'] = true;
+                        } elseif ($v['enable_csrf']) {
+                            $v['csrf_token_generator'] = 'security.csrf.token_generator';
+                        }
+
+                        return $v;
+                    })
+                ->end()
                 ->children()
-                    ->scalarNode('csrf_parameter')->defaultValue('_csrf_token')->end()
-                    ->scalarNode('csrf_token_generator')->cannotBeEmpty()->end()
+                    ->booleanNode('enable_csrf')->defaultNull()->end()
                     ->scalarNode('csrf_token_id')->defaultValue('logout')->end()
+                    ->scalarNode('csrf_parameter')->defaultValue('_csrf_token')->end()
+                    ->scalarNode('csrf_token_generator')->end()
                     ->scalarNode('path')->defaultValue('/logout')->end()
                     ->scalarNode('target')->defaultValue('/')->end()
                     ->booleanNode('invalidate_session')->defaultTrue()->end()

DependencyInjection/SecurityExtension.php

@@ -426,7 +426,7 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
                 ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
 
             // add CSRF provider
-            if (isset($firewall['logout']['csrf_token_generator'])) {
+            if ($firewall['logout']['enable_csrf']) {
                 $logoutListener->addArgument(new Reference($firewall['logout']['csrf_token_generator']));
             }
 

Resources/config/schema/security-1.0.xsd

@@ -177,6 +177,7 @@
         <xsd:attribute name="csrf-parameter" type="xsd:string" />
         <xsd:attribute name="csrf-token-generator" type="xsd:string" />
         <xsd:attribute name="csrf-token-id" type="xsd:string" />
+        <xsd:attribute name="enable-csrf" type="xsd:boolean" />
         <xsd:attribute name="path" type="xsd:string" />
         <xsd:attribute name="target" type="xsd:string" />
         <xsd:attribute name="invalidate-session" type="xsd:boolean" />

Tests/DependencyInjection/CompleteConfigurationTest.php

@@ -173,6 +173,7 @@ public function testFirewalls()
                     'target' => '/',
                     'invalidate_session' => true,
                     'delete_cookies' => [],
+                    'enable_csrf' => null,
                 ],
             ],
             [

Tests/DependencyInjection/MainConfigurationTest.php

@@ -88,6 +88,55 @@ public function testCsrfAliases()
         $this->assertEquals('a_token_id', $processedConfig['firewalls']['stub']['logout']['csrf_token_id']);
     }
 
+    public function testLogoutCsrf()
+    {
+        $config = [
+            'firewalls' => [
+                'custom_token_generator' => [
+                    'logout' => [
+                        'csrf_token_generator' => 'a_token_generator',
+                        'csrf_token_id' => 'a_token_id',
+                    ],
+                ],
+                'default_token_generator' => [
+                    'logout' => [
+                        'enable_csrf' => true,
+                        'csrf_token_id' => 'a_token_id',
+                    ],
+                ],
+                'disabled_csrf' => [
+                    'logout' => [
+                        'enable_csrf' => false,
+                    ],
+                ],
+                'empty' => [
+                    'logout' => true,
+                ],
+            ],
+        ];
+        $config = array_merge(static::$minimalConfig, $config);
+
+        $processor = new Processor();
+        $configuration = new MainConfiguration([], []);
+        $processedConfig = $processor->processConfiguration($configuration, [$config]);
+
+        $assertions = [
+            'custom_token_generator' => [true, 'a_token_generator'],
+            'default_token_generator' => [true, 'security.csrf.token_generator'],
+            'disabled_csrf' => [false, null],
+            'empty' => [false, null],
+        ];
+        foreach ($assertions as $firewallName => [$enabled, $tokenGenerator]) {
+            $this->assertEquals($enabled, $processedConfig['firewalls'][$firewallName]['logout']['enable_csrf']);
+            if ($tokenGenerator) {
+                $this->assertEquals($tokenGenerator, $processedConfig['firewalls'][$firewallName]['logout']['csrf_token_generator']);
+                $this->assertEquals('a_token_id', $processedConfig['firewalls'][$firewallName]['logout']['csrf_token_id']);
+            } else {
+                $this->assertArrayNotHasKey('csrf_token_generator', $processedConfig['firewalls'][$firewallName]['logout']);
+            }
+        }
+    }
+
     public function testDefaultUserCheckers()
     {
         $processor = new Processor();