[SecurityBundle] Fix semantic configuration for singulars/plurals in XML

Author: nicolas-grekas

DependencyInjection/Security/AccessToken/CasTokenHandlerFactory.php

@@ -42,7 +42,6 @@ public function addConfiguration(NodeBuilder $node): void
  {
  $node
  ->arrayNode($this->getKey())
- ->fixXmlConfig($this->getKey())
  ->children()
  ->scalarNode('validation_url')
  ->info('CAS server validation URL')

DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php

@@ -90,8 +90,8 @@ public function addConfiguration(NodeBuilder $node): void
  {
  $node
  ->arrayNode($this->getKey())
- ->fixXmlConfig($this->getKey())
  ->fixXmlConfig('issuer')
+ ->fixXmlConfig('algorithm')
  ->validate()
  ->ifTrue(static fn ($v) => !isset($v['algorithm']) && !isset($v['algorithms']))
  ->thenInvalid('You must set either "algorithm" or "algorithms".')
@@ -173,6 +173,7 @@ public function addConfiguration(NodeBuilder $node): void
  ->info('JSON-encoded JWKSet used to sign the token (must contain a list of valid public keys).')
  ->end()
  ->arrayNode('encryption')
+ ->fixXmlConfig('algorithm')
  ->canBeEnabled()
  ->children()
  ->booleanNode('enforce')

DependencyInjection/Security/AccessToken/OidcUserInfoTokenHandlerFactory.php

@@ -63,7 +63,6 @@ public function addConfiguration(NodeBuilder $node): void
  {
  $node
  ->arrayNode($this->getKey())
- ->fixXmlConfig($this->getKey())
  ->beforeNormalization()
  ->ifString()
  ->then(fn ($v) => ['claim' => 'sub', 'base_uri' => $v])

DependencyInjection/Security/Factory/AccessTokenFactory.php

@@ -43,11 +43,10 @@ public function addConfiguration(NodeDefinition $node): void
  {
  parent::addConfiguration($node);
 
- $builder = $node->children();
+ $builder = $node->fixXmlConfig('token_extractor')->children();
  $builder
  ->scalarNode('realm')->defaultNull()->end()
  ->arrayNode('token_extractors')
- ->fixXmlConfig('token_extractors')
  ->beforeNormalization()
  ->ifString()
  ->then(fn ($v) => [$v])

DependencyInjection/Security/Factory/RememberMeFactory.php

@@ -126,6 +126,7 @@ public function getKey(): string
  public function addConfiguration(NodeDefinition $node): void
  {
  $builder = $node
+ ->fixXmlConfig('signature_property', 'signature_properties')
  ->fixXmlConfig('user_provider')
  ->children()
  ;

Resources/config/schema/security-1.0.xsd

@@ -9,40 +9,19 @@
  <xsd:complexType name="config">
  <xsd:choice maxOccurs="unbounded">
  <xsd:element name="access-decision-manager" type="access_decision_manager" minOccurs="0" maxOccurs="1" />
- <xsd:element name="password_hashers" type="password_hashers" minOccurs="0" maxOccurs="1" />
- <xsd:element name="password_hasher" type="password_hasher" minOccurs="0" maxOccurs="unbounded" />
- <xsd:element name="providers" type="providers" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="password-hasher" type="password_hasher" minOccurs="0" maxOccurs="unbounded" />
  <xsd:element name="provider" type="provider" minOccurs="0" maxOccurs="unbounded" />
- <xsd:element name="firewalls" type="firewalls" minOccurs="0" maxOccurs="1" />
  <xsd:element name="firewall" type="firewall" minOccurs="0" maxOccurs="unbounded" />
  <xsd:element name="rule" type="rule" minOccurs="0" maxOccurs="unbounded" />
  <xsd:element name="role" type="role" minOccurs="0" maxOccurs="unbounded" />
  </xsd:choice>
  <xsd:attribute name="access-denied-url" type="xsd:string" />
  <xsd:attribute name="session-fixation-strategy" type="session_fixation_strategy" />
  <xsd:attribute name="hide-user-not-found" type="xsd:boolean" />
- <xsd:attribute name="always-authenticate-before-granting" type="xsd:boolean" />
+ <xsd:attribute name="expose-security-errors" type="access_decision_manager_expose_security_level" />
  <xsd:attribute name="erase-credentials" type="xsd:boolean" />
  </xsd:complexType>
 
- <xsd:complexType name="password_hashers">
- <xsd:sequence>
- <xsd:element name="password_hasher" type="password_hasher" minOccurs="1" maxOccurs="unbounded" />
- </xsd:sequence>
- </xsd:complexType>
-
- <xsd:complexType name="providers">
- <xsd:sequence>
- <xsd:element name="provider" type="provider" minOccurs="1" maxOccurs="unbounded" />
- </xsd:sequence>
- </xsd:complexType>
-
- <xsd:complexType name="firewalls">
- <xsd:sequence>
- <xsd:element name="firewall" type="firewall" minOccurs="1" maxOccurs="unbounded" />
- </xsd:sequence>
- </xsd:complexType>
-
  <xsd:simpleType name="session_fixation_strategy">
  <xsd:restriction base="xsd:string">
  <xsd:enumeration value="none" />
@@ -55,7 +34,6 @@
  <xsd:attribute name="strategy" type="access_decision_manager_strategy" />
  <xsd:attribute name="service" type="xsd:string" />
  <xsd:attribute name="strategy-service" type="xsd:string" />
- <xsd:attribute name="expose-security-errors" type="access_decision_manager_expose_security_level" />
  <xsd:attribute name="allow-if-all-abstain" type="xsd:boolean" />
  <xsd:attribute name="allow-if-equal-granted-denied" type="xsd:boolean" />
  </xsd:complexType>
@@ -196,12 +174,16 @@
  <xsd:attribute name="name" type="xsd:string" use="required" />
  <xsd:attribute name="path" type="xsd:string" />
  <xsd:attribute name="domain" type="xsd:string" />
+ <xsd:attribute name="secure" type="xsd:boolean" />
+ <xsd:attribute name="samesite" type="remember_me_samesite" />
+ <xsd:attribute name="partitioned" type="xsd:boolean" />
  </xsd:complexType>
 
  <xsd:complexType name="switch_user">
  <xsd:attribute name="provider" type="xsd:string" />
  <xsd:attribute name="parameter" type="xsd:string" />
  <xsd:attribute name="role" type="xsd:string" />
+ <xsd:attribute name="target-route" type="xsd:string" />
  </xsd:complexType>
 
  <xsd:complexType name="anonymous">
@@ -304,6 +286,7 @@
  <xsd:attribute name="success-handler" type="xsd:string" />
  <xsd:attribute name="failure-handler" type="xsd:string" />
  <xsd:attribute name="provider" type="xsd:string" />
+ <xsd:attribute name="secret" type="xsd:string" />
  </xsd:complexType>
 
  <xsd:complexType name="access_token">
@@ -321,59 +304,66 @@
  <xsd:complexType name="oidc_token_handler">
  <xsd:sequence>
  <xsd:choice minOccurs="0" maxOccurs="1">
- <xsd:element name="oidc-user-info" type="oidc_user_info"></xsd:element>
- <xsd:element name="oidc" type="oidc"></xsd:element>
+ <xsd:element name="oidc-user-info" type="oidc_user_info" />
+ <xsd:element name="oidc" type="oidc" />
  </xsd:choice>
  </xsd:sequence>
- <xsd:attribute name="oidc-user-info" type="xsd:anyURI"></xsd:attribute>
+ <xsd:attribute name="oidc-user-info" type="xsd:string" />
  </xsd:complexType>
 
  <xsd:complexType name="oidc_user_info">
- <xsd:attribute name="base-uri" type="xsd:anyURI" use="required" />
+ <xsd:sequence>
+ <xsd:element name="discovery" minOccurs="0" maxOccurs="1">
+ <xsd:complexType>
+ <xsd:sequence>
+ <xsd:element name="cache" minOccurs="0" maxOccurs="1">
+ <xsd:complexType>
+ <xsd:attribute name="id" type="xsd:string" />
+ </xsd:complexType>
+ </xsd:element>
+ </xsd:sequence>
+ </xsd:complexType>
+ </xsd:element>
+ </xsd:sequence>
+ <xsd:attribute name="base-uri" type="xsd:string" use="required" />
  <xsd:attribute name="claim" type="xsd:string" />
  <xsd:attribute name="client" type="xsd:string" />
  </xsd:complexType>
 
  <xsd:complexType name="oidc">
  <xsd:choice maxOccurs="unbounded">
- <xsd:element name="issuers" type="oidc_issuers" minOccurs="0" maxOccurs="1" />
- <xsd:element name="issuer" type="password_hasher" minOccurs="0" maxOccurs="unbounded" />
+ <xsd:element name="issuer" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />
+ <xsd:element name="algorithm" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />
  <xsd:element name="encryption" type="oidc_encryption" />
  </xsd:choice>
  <xsd:attribute name="claim" type="xsd:string" />
  <xsd:attribute name="audience" type="xsd:string" use="required" />
- <xsd:attribute name="algorithm" type="xsd:string" use="required" />
- <xsd:attribute name="key" type="xsd:string" use="required" />
+ <xsd:attribute name="algorithm" type="xsd:string" />
+ <xsd:attribute name="key" type="xsd:string" />
+ <xsd:attribute name="keyset" type="xsd:string" />
  </xsd:complexType>
 
  <xsd:complexType name="oidc_encryption">
  <xsd:choice maxOccurs="unbounded">
- <xsd:element name="algorithms" type="oidc_encryption_algorithms" minOccurs="1" maxOccurs="1" />
+ <xsd:element name="algorithm" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />
  </xsd:choice>
  <xsd:attribute name="enabled" type="xsd:boolean" />
  <xsd:attribute name="enforce" type="xsd:boolean" />
  <xsd:attribute name="keyset" type="xsd:string" use="required" />
  </xsd:complexType>
 
- <xsd:complexType name="oidc_encryption_algorithms">
- <xsd:sequence>
- <xsd:element name="algorithm" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />
- </xsd:sequence>
- </xsd:complexType>
-
- <xsd:complexType name="oidc_issuers">
- <xsd:sequence>
- <xsd:element name="issuer" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />
- </xsd:sequence>
- </xsd:complexType>
-
  <xsd:complexType name="login_throttling">
  <xsd:attribute name="limiter" type="xsd:string" />
  <xsd:attribute name="max-attempts" type="xsd:integer" />
+ <xsd:attribute name="interval" type="xsd:string" />
+ <xsd:attribute name="lock-factory" type="xsd:string" />
  </xsd:complexType>
 
  <xsd:complexType name="remember_me">
  <xsd:sequence minOccurs="0">
+ <xsd:choice minOccurs="0" maxOccurs="unbounded">
+ <xsd:element name="signature-property" type="xsd:string" />
+ </xsd:choice>
  <xsd:choice minOccurs="0" maxOccurs="unbounded">
  <xsd:element name="user-provider" type="xsd:string" />
  </xsd:choice>
@@ -442,7 +432,7 @@
  <xsd:element name="method" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
  <xsd:element name="role" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
  <xsd:element name="allow-if" type="xsd:string" minOccurs="0" maxOccurs="1" />
- <xsd:element name="attribute" type="rule_attribute" minOccurs="0" maxOccurs="1" />
+ <xsd:element name="attribute" type="rule_attribute" minOccurs="0" maxOccurs="unbounded" />
  </xsd:choice>
  <xsd:attribute name="requires-channel" type="xsd:string" />
  <xsd:attribute name="path" type="xsd:string" />
@@ -452,6 +442,7 @@
  <xsd:attribute name="methods" type="xsd:string" />
  <xsd:attribute name="allow-if" type="xsd:string" />
  <xsd:attribute name="route" type="xsd:string" />
+ <xsd:attribute name="request-matcher" type="xsd:string" />
  </xsd:complexType>
 
  <xsd:complexType name="role">

Tests/DependencyInjection/CompleteConfigurationTestCase.php

@@ -726,6 +726,41 @@ public function testFirewallPatterns()
  $this->assertSame('(?:^/register$|^/documentation$)', $container->getDefinition($requestMatcherId)->getArgument(0));
  }
 
+ public function testAccessTokenOidc()
+ {
+ $container = $this->getContainer('access_token_oidc');
+
+ $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1'));
+ $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1'));
+
+ $def = $container->getDefinition('security.access_token_handler.firewall1');
+ $this->assertSame('audience', $def->getArgument(2));
+ $this->assertSame(['https://www.example.com'], $def->getArgument(3));
+ $this->assertSame('sub', $def->getArgument(4));
+ }
+
+ public function testAccessTokenOidcWithEncryption()
+ {
+ $container = $this->getContainer('access_token_oidc_encryption');
+
+ $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1'));
+ $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1'));
+
+ $def = $container->getDefinition('security.access_token_handler.firewall1');
+ $this->assertSame(['RS256'], $def->getArgument(0)->getArgument(0));
+ }
+
+ public function testAccessTokenOidcUserInfoWithDiscovery()
+ {
+ if ('xml' === $this->getFileExtension()) {
+ $this->markTestSkipped('OIDC user info discovery is not supported by the XML schema.');
+ }
+ $container = $this->getContainer('access_token_oidc_user_info_discovery');
+
+ $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1'));
+ $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1'));
+ }
+
  protected function getContainer($file)
  {
  $file .= '.'.$this->getFileExtension();

Tests/DependencyInjection/Fixtures/php/access_token_oidc.php

@@ -0,0 +1,25 @@
+<?php
+
+$container->loadFromExtension('security', [
+ 'providers' => [
+ 'default' => [
+ 'memory' => null,
+ ],
+ ],
+ 'firewalls' => [
+ 'firewall1' => [
+ 'provider' => 'default',
+ 'access_token' => [
+ 'token_handler' => [
+ 'oidc' => [
+ 'algorithms' => ['RS256'],
+ 'issuers' => ['https://www.example.com'],
+ 'audience' => 'audience',
+ 'keyset' => '{"keys":[{"kty":"RSA","n":"abc","e":"AQAB"}]}',
+ ],
+ ],
+ ],
+ ],
+ ],
+]);
+

Tests/DependencyInjection/Fixtures/php/access_token_oidc_encryption.php

@@ -0,0 +1,30 @@
+<?php
+
+$container->loadFromExtension('security', [
+ 'providers' => [
+ 'default' => [
+ 'memory' => null,
+ ],
+ ],
+ 'firewalls' => [
+ 'firewall1' => [
+ 'provider' => 'default',
+ 'access_token' => [
+ 'token_handler' => [
+ 'oidc' => [
+ 'algorithms' => ['RS256'],
+ 'issuers' => ['https://www.example.com'],
+ 'audience' => 'audience',
+ 'keyset' => '{"keys":[{"kty":"RSA","n":"abc","e":"AQAB"}]}',
+ 'encryption' => [
+ 'enabled' => true,
+ 'keyset' => '{"keys":[{"kty":"RSA","n":"abc","e":"AQAB","d":"def"}]}',
+ 'algorithms' => ['RSA-OAEP'],
+ ],
+ ],
+ ],
+ ],
+ ],
+ ],
+]);
+

Tests/DependencyInjection/Fixtures/php/access_token_oidc_user_info_discovery.php

@@ -0,0 +1,27 @@
+<?php
+
+$container->loadFromExtension('security', [
+ 'providers' => [
+ 'default' => [
+ 'memory' => null,
+ ],
+ ],
+ 'firewalls' => [
+ 'firewall1' => [
+ 'provider' => 'default',
+ 'access_token' => [
+ 'token_handler' => [
+ 'oidc_user_info' => [
+ 'base_uri' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo',
+ 'discovery' => [
+ 'cache' => [
+ 'id' => 'oidc_cache',
+ ],
+ ],
+ ],
+ ],
+ ],
+ ],
+ ],
+]);
+