[Security] Add a method in the security helper to ease programmatic login (#40662)

johnkrovitch · chalasr · commit 80658d3f4881 · 2022-07-04T17:22:53.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ CHANGELOG
  * Add the `Security` helper class
  * Deprecate the `Symfony\Component\Security\Core\Security` service alias, use `Symfony\Bundle\SecurityBundle\Security\Security` instead
  * Add `Security::getFirewallConfig()` to help to get the firewall configuration associated to the Request
+ * Add `Security::login()` to login programmatically
 
 6.1
 ---
diff --git a/DependencyInjection/SecurityExtension.php b/DependencyInjection/SecurityExtension.php
@@ -277,16 +277,25 @@ private function createFirewalls(array $config, ContainerBuilder $container)
 
         // load firewall map
         $mapDef = $container->getDefinition('security.firewall.map');
-        $map = $authenticationProviders = $contextRefs = [];
+        $map = $authenticationProviders = $contextRefs = $authenticators = [];
         foreach ($firewalls as $name => $firewall) {
             if (isset($firewall['user_checker']) && 'security.user_checker' !== $firewall['user_checker']) {
                 $customUserChecker = true;
             }
 
             $configId = 'security.firewall.map.config.'.$name;
 
-            [$matcher, $listeners, $exceptionListener, $logoutListener] = $this->createFirewall($container, $name, $firewall, $authenticationProviders, $providerIds, $configId);
+            [$matcher, $listeners, $exceptionListener, $logoutListener, $firewallAuthenticators] = $this->createFirewall($container, $name, $firewall, $authenticationProviders, $providerIds, $configId);
 
+            if (!$firewallAuthenticators) {
+                $authenticators[$name] = null;
+            } else {
+                $firewallAuthenticatorRefs = [];
+                foreach ($firewallAuthenticators as $authenticatorId) {
+                    $firewallAuthenticatorRefs[$authenticatorId] = new Reference($authenticatorId);
+                }
+                $authenticators[$name] = ServiceLocatorTagPass::register($container, $firewallAuthenticatorRefs);
+            }
             $contextId = 'security.firewall.map.context.'.$name;
             $isLazy = !$firewall['stateless'] && (!empty($firewall['anonymous']['lazy']) || $firewall['lazy']);
             $context = new ChildDefinition($isLazy ? 'security.firewall.lazy_context' : 'security.firewall.context');
@@ -301,6 +310,10 @@ private function createFirewalls(array $config, ContainerBuilder $container)
             $contextRefs[$contextId] = new Reference($contextId);
             $map[$contextId] = $matcher;
         }
+        $container
+            ->getDefinition('security.helper')
+            ->replaceArgument(1, $authenticators)
+        ;
 
         $container->setAlias('security.firewall.context_locator', (string) ServiceLocatorTagPass::register($container, $contextRefs));
 
@@ -335,7 +348,7 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
 
         // Security disabled?
         if (false === $firewall['security']) {
-            return [$matcher, [], null, null];
+            return [$matcher, [], null, null, []];
         }
 
         $config->replaceArgument(4, $firewall['stateless']);
@@ -528,7 +541,7 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
         $config->replaceArgument(10, $listenerKeys);
         $config->replaceArgument(11, $firewall['switch_user'] ?? null);
 
-        return [$matcher, $listeners, $exceptionListener, null !== $logoutListenerId ? new Reference($logoutListenerId) : null];
+        return [$matcher, $listeners, $exceptionListener, null !== $logoutListenerId ? new Reference($logoutListenerId) : null, $firewallAuthenticationProviders];
     }
 
     private function createContextListener(ContainerBuilder $container, string $contextKey, ?string $firewallEventDispatcherId)
diff --git a/Resources/config/security.php b/Resources/config/security.php
@@ -77,11 +77,17 @@
         ->set('security.untracked_token_storage', TokenStorage::class)
 
         ->set('security.helper', Security::class)
-            ->args([service_locator([
-                'security.token_storage' => service('security.token_storage'),
-                'security.authorization_checker' => service('security.authorization_checker'),
-                'security.firewall.map' => service('security.firewall.map'),
-            ])])
+            ->args([
+                service_locator([
+                    'security.token_storage' => service('security.token_storage'),
+                    'security.authorization_checker' => service('security.authorization_checker'),
+                    'security.user_authenticator' => service('security.user_authenticator')->ignoreOnInvalid(),
+                    'request_stack' => service('request_stack'),
+                    'security.firewall.map' => service('security.firewall.map'),
+                    'security.user_checker' => service('security.user_checker'),
+                ]),
+                abstract_arg('authenticators'),
+            ])
         ->alias(Security::class, 'security.helper')
         ->alias(LegacySecurity::class, 'security.helper')
             ->deprecate('symfony/security-bundle', '6.2', 'The "%alias_id%" service alias is deprecated, use "'.Security::class.'" instead.')
diff --git a/Security/Security.php b/Security/Security.php
@@ -13,7 +13,11 @@
 
 use Psr\Container\ContainerInterface;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Security\Core\Exception\LogicException;
 use Symfony\Component\Security\Core\Security as LegacySecurity;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
+use Symfony\Contracts\Service\ServiceProviderInterface;
 
 /**
  * Helper class for commonly-needed security tasks.
@@ -22,7 +26,7 @@
  */
 class Security extends LegacySecurity
 {
-    public function __construct(private ContainerInterface $container)
+    public function __construct(private ContainerInterface $container, private array $authenticators = [])
     {
         parent::__construct($container, false);
     }
@@ -31,4 +35,58 @@ public function getFirewallConfig(Request $request): ?FirewallConfig
     {
         return $this->container->get('security.firewall.map')->getFirewallConfig($request);
     }
+
+    public function login(UserInterface $user, string $authenticatorName = null, string $firewallName = null): void
+    {
+        $request = $this->container->get('request_stack')->getCurrentRequest();
+
+        if (!class_exists(AuthenticatorInterface::class)) {
+            throw new \LogicException('Security HTTP is missing. Try running "composer require symfony/security-http".');
+        }
+        $authenticator = $this->getAuthenticator($authenticatorName, $firewallName ?? $this->getFirewallName($request));
+
+        $this->container->get('security.user_checker')->checkPreAuth($user);
+        $this->container->get('security.user_authenticator')->authenticateUser($user, $authenticator, $request);
+    }
+
+    private function getAuthenticator(?string $authenticatorName, string $firewallName): AuthenticatorInterface
+    {
+        if (!\array_key_exists($firewallName, $this->authenticators)) {
+            throw new LogicException(sprintf('No authenticators found for firewall "%s".', $firewallName));
+        }
+        /** @var ServiceProviderInterface $firewallAuthenticatorLocator */
+        $firewallAuthenticatorLocator = $this->authenticators[$firewallName];
+
+        if (!$authenticatorName) {
+            $authenticatorIds = array_keys($firewallAuthenticatorLocator->getProvidedServices());
+
+            if (!$authenticatorIds) {
+                throw new LogicException('No authenticator was found for the firewall "%s".');
+            }
+
+            if (1 < \count($authenticatorIds)) {
+                throw new LogicException(sprintf('Too much authenticators were found for the current firewall "%s". You must provide an instance of "%s" to login programmatically. The available authenticators for the firewall "%s" are "%s".', $firewallName, AuthenticatorInterface::class, $firewallName, implode('" ,"', $authenticatorIds)));
+            }
+
+            return $firewallAuthenticatorLocator->get($authenticatorIds[0]);
+        }
+        $authenticatorId = 'security.authenticator.'.$authenticatorName.'.'.$firewallName;
+
+        if (!$firewallAuthenticatorLocator->has($authenticatorId)) {
+            throw new LogicException(sprintf('Unable to find an authenticator named "%s" for the firewall "%s". Try to pass a firewall name in the Security::login() method.', $authenticatorName, $firewallName));
+        }
+
+        return $firewallAuthenticatorLocator->get($authenticatorId);
+    }
+
+    private function getFirewallName(Request $request): string
+    {
+        $firewall = $this->container->get('security.firewall.map')->getFirewallConfig($request);
+
+        if (null === $firewall) {
+            throw new LogicException('No firewall found as the current route is not covered by any firewall.');
+        }
+
+        return $firewall->getName();
+    }
 }
