vendor/symfony/security-bundle/DependencyInjection/SecurityExtension.php line 87

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Bundle\SecurityBundle\DependencyInjection;
  14. use Composer\InstalledVersions;
  15. use Symfony\Bridge\Twig\Extension\LogoutUrlExtension;
  16. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AuthenticatorFactoryInterface;
  17. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FirewallListenerFactoryInterface;
  18. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
  19. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\UserProvider\UserProviderFactoryInterface;
  20. use Symfony\Bundle\SecurityBundle\Security\LegacyLogoutHandlerListener;
  21. use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
  22. use Symfony\Component\Config\FileLocator;
  23. use Symfony\Component\Console\Application;
  24. use Symfony\Component\DependencyInjection\Alias;
  25. use Symfony\Component\DependencyInjection\Argument\IteratorArgument;
  26. use Symfony\Component\DependencyInjection\Argument\ServiceClosureArgument;
  27. use Symfony\Component\DependencyInjection\ChildDefinition;
  28. use Symfony\Component\DependencyInjection\Compiler\ServiceLocatorTagPass;
  29. use Symfony\Component\DependencyInjection\ContainerBuilder;
  30. use Symfony\Component\DependencyInjection\Definition;
  31. use Symfony\Component\DependencyInjection\Extension\PrependExtensionInterface;
  32. use Symfony\Component\DependencyInjection\Loader\PhpFileLoader;
  33. use Symfony\Component\DependencyInjection\Reference;
  34. use Symfony\Component\EventDispatcher\EventDispatcher;
  35. use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
  36. use Symfony\Component\HttpKernel\DependencyInjection\Extension;
  37. use Symfony\Component\HttpKernel\KernelEvents;
  38. use Symfony\Component\PasswordHasher\Hasher\NativePasswordHasher;
  39. use Symfony\Component\PasswordHasher\Hasher\Pbkdf2PasswordHasher;
  40. use Symfony\Component\PasswordHasher\Hasher\PlaintextPasswordHasher;
  41. use Symfony\Component\PasswordHasher\Hasher\SodiumPasswordHasher;
  42. use Symfony\Component\Security\Core\Authorization\Strategy\AffirmativeStrategy;
  43. use Symfony\Component\Security\Core\Authorization\Strategy\ConsensusStrategy;
  44. use Symfony\Component\Security\Core\Authorization\Strategy\PriorityStrategy;
  45. use Symfony\Component\Security\Core\Authorization\Strategy\UnanimousStrategy;
  46. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  47. use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
  48. use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
  49. use Symfony\Component\Security\Core\User\ChainUserProvider;
  50. use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
  51. use Symfony\Component\Security\Core\User\UserProviderInterface;
  52. use Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticatorManagerListener;
  53. use Symfony\Component\Security\Http\Event\CheckPassportEvent;
  55. /**
  56.  * SecurityExtension.
  57.  *
  58.  * @author Fabien Potencier <fabien@symfony.com>
  59.  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  60.  */
  61. class SecurityExtension extends Extension implements PrependExtensionInterface
  62. {
  63.     private $requestMatchers = [];
  64.     private $expressions = [];
  65.     private $contextListeners = [];
  66.     /** @var list<array{int, AuthenticatorFactoryInterface|SecurityFactoryInterface}> */
  67.     private $factories = [];
  68.     /** @var list<AuthenticatorFactoryInterface|SecurityFactoryInterface> */
  69.     private $sortedFactories = [];
  70.     private $userProviderFactories = [];
  71.     private $statelessFirewallKeys = [];
  73.     private $authenticatorManagerEnabled false;
  75.     public function prepend(ContainerBuilder $container)
  76.     {
  77.         foreach ($this->getSortedFactories() as $factory) {
  78.             if ($factory instanceof PrependExtensionInterface) {
  79.                 $factory->prepend($container);
  80.             }
  81.         }
  82.     }
  84.     public function load(array $configsContainerBuilder $container)
  85.     {
  86.         if (!class_exists(InstalledVersions::class)) {
  87.             trigger_deprecation('symfony/security-bundle''5.4''Configuring Symfony without the Composer Runtime API is deprecated. Consider upgrading to Composer 2.1 or later.');
  88.         }
  90.         if (!array_filter($configs)) {
  91.             return;
  92.         }
  94.         $mainConfig $this->getConfiguration($configs$container);
  96.         $config $this->processConfiguration($mainConfig$configs);
  98.         // load services
  99.         $loader = new PhpFileLoader($container, new FileLocator(\dirname(__DIR__).'/Resources/config'));
  101.         $loader->load('security.php');
  102.         $loader->load('password_hasher.php');
  103.         $loader->load('security_listeners.php');
  104.         $loader->load('security_rememberme.php');
  106.         if ($this->authenticatorManagerEnabled $config['enable_authenticator_manager']) {
  107.             if ($config['always_authenticate_before_granting']) {
  108.                 throw new InvalidConfigurationException('The security option "always_authenticate_before_granting" cannot be used when "enable_authenticator_manager" is set to true. If you rely on this behavior, set it to false.');
  109.             }
  111.             $loader->load('security_authenticator.php');
  113.             // The authenticator system no longer has anonymous tokens. This makes sure AccessListener
  114.             // and AuthorizationChecker do not throw AuthenticationCredentialsNotFoundException when no
  115.             // token is available in the token storage.
  116.             $container->getDefinition('security.access_listener')->setArgument(3false);
  117.             $container->getDefinition('security.authorization_checker')->setArgument(3false);
  118.             $container->getDefinition('security.authorization_checker')->setArgument(4false);
  119.         } else {
  120.             trigger_deprecation('symfony/security-bundle''5.3''Not setting the "security.enable_authenticator_manager" config option to true is deprecated.');
  122.             if ($config['always_authenticate_before_granting']) {
  123.                 $authorizationChecker $container->getDefinition('security.authorization_checker');
  124.                 $authorizationCheckerArgs $authorizationChecker->getArguments();
  125.                 array_splice($authorizationCheckerArgs10, [new Reference('security.authentication_manager')]);
  126.                 $authorizationChecker->setArguments($authorizationCheckerArgs);
  127.             }
  129.             $loader->load('security_legacy.php');
  130.         }
  132.         if ($container::willBeAvailable('symfony/twig-bridge'LogoutUrlExtension::class, ['symfony/security-bundle'], true)) {
  133.             $loader->load('templating_twig.php');
  134.         }
  136.         $loader->load('collectors.php');
  137.         $loader->load('guard.php');
  139.         $container->getDefinition('data_collector.security')->addArgument($this->authenticatorManagerEnabled);
  141.         if ($container->hasParameter('kernel.debug') && $container->getParameter('kernel.debug')) {
  142.             $loader->load('security_debug.php');
  143.         }
  145.         if (!$container::willBeAvailable('symfony/expression-language'ExpressionLanguage::class, ['symfony/security-bundle'], true)) {
  146.             $container->removeDefinition('security.expression_language');
  147.             $container->removeDefinition('security.access.expression_voter');
  148.         }
  150.         // set some global scalars
  151.         $container->setParameter('security.access.denied_url'$config['access_denied_url']);
  152.         $container->setParameter('security.authentication.manager.erase_credentials'$config['erase_credentials']);
  153.         $container->setParameter('security.authentication.session_strategy.strategy'$config['session_fixation_strategy']);
  155.         if (isset($config['access_decision_manager']['service'])) {
  156.             $container->setAlias('security.access.decision_manager'$config['access_decision_manager']['service']);
  157.         } elseif (isset($config['access_decision_manager']['strategy_service'])) {
  158.             $container
  159.                 ->getDefinition('security.access.decision_manager')
  160.                 ->addArgument(new Reference($config['access_decision_manager']['strategy_service']));
  161.         } else {
  162.             $container
  163.                 ->getDefinition('security.access.decision_manager')
  164.                 ->addArgument($this->createStrategyDefinition(
  165.                     $config['access_decision_manager']['strategy'] ?? MainConfiguration::STRATEGY_AFFIRMATIVE,
  166.                     $config['access_decision_manager']['allow_if_all_abstain'],
  167.                     $config['access_decision_manager']['allow_if_equal_granted_denied']
  168.                 ));
  169.         }
  171.         $container->setParameter('security.access.always_authenticate_before_granting'$config['always_authenticate_before_granting']);
  172.         $container->setParameter('security.authentication.hide_user_not_found'$config['hide_user_not_found']);
  174.         if (class_exists(Application::class)) {
  175.             $loader->load('debug_console.php');
  176.             $debugCommand $container->getDefinition('security.command.debug_firewall');
  177.             $debugCommand->replaceArgument(4$this->authenticatorManagerEnabled);
  178.         }
  180.         $this->createFirewalls($config$container);
  181.         $this->createAuthorization($config$container);
  182.         $this->createRoleHierarchy($config$container);
  184.         $container->getDefinition('security.authentication.guard_handler')
  185.             ->replaceArgument(2$this->statelessFirewallKeys);
  187.         // @deprecated since Symfony 5.3
  188.         if ($config['encoders']) {
  189.             $this->createEncoders($config['encoders'], $container);
  190.         }
  192.         if ($config['password_hashers']) {
  193.             $this->createHashers($config['password_hashers'], $container);
  194.         }
  196.         if (class_exists(Application::class)) {
  197.             $loader->load('console.php');
  199.             // @deprecated since Symfony 5.3
  200.             $container->getDefinition('security.command.user_password_encoder')->replaceArgument(1array_keys($config['encoders']));
  202.             $container->getDefinition('security.command.user_password_hash')->replaceArgument(1array_keys($config['password_hashers']));
  203.         }
  205.         $container->registerForAutoconfiguration(VoterInterface::class)
  206.             ->addTag('security.voter');
  207.     }
  209.     /**
  210.      * @throws \InvalidArgumentException if the $strategy is invalid
  211.      */
  212.     private function createStrategyDefinition(string $strategybool $allowIfAllAbstainDecisionsbool $allowIfEqualGrantedDeniedDecisions): Definition
  213.     {
  214.         switch ($strategy) {
  215.             case MainConfiguration::STRATEGY_AFFIRMATIVE:
  216.                 return new Definition(AffirmativeStrategy::class, [$allowIfAllAbstainDecisions]);
  217.             case MainConfiguration::STRATEGY_CONSENSUS:
  218.                 return new Definition(ConsensusStrategy::class, [$allowIfAllAbstainDecisions$allowIfEqualGrantedDeniedDecisions]);
  219.             case MainConfiguration::STRATEGY_UNANIMOUS:
  220.                 return new Definition(UnanimousStrategy::class, [$allowIfAllAbstainDecisions]);
  221.             case MainConfiguration::STRATEGY_PRIORITY:
  222.                 return new Definition(PriorityStrategy::class, [$allowIfAllAbstainDecisions]);
  223.         }
  225.         throw new \InvalidArgumentException(sprintf('The strategy "%s" is not supported.'$strategy));
  226.     }
  228.     private function createRoleHierarchy(array $configContainerBuilder $container)
  229.     {
  230.         if (!isset($config['role_hierarchy']) || === \count($config['role_hierarchy'])) {
  231.             $container->removeDefinition('security.access.role_hierarchy_voter');
  233.             return;
  234.         }
  236.         $container->setParameter('security.role_hierarchy.roles'$config['role_hierarchy']);
  237.         $container->removeDefinition('security.access.simple_role_voter');
  238.     }
  240.     private function createAuthorization(array $configContainerBuilder $container)
  241.     {
  242.         foreach ($config['access_control'] as $access) {
  243.             $matcher $this->createRequestMatcher(
  244.                 $container,
  245.                 $access['path'],
  246.                 $access['host'],
  247.                 $access['port'],
  248.                 $access['methods'],
  249.                 $access['ips']
  250.             );
  252.             $attributes $access['roles'];
  253.             if ($access['allow_if']) {
  254.                 $attributes[] = $this->createExpression($container$access['allow_if']);
  255.             }
  257.             $emptyAccess === \count(array_filter($access));
  259.             if ($emptyAccess) {
  260.                 throw new InvalidConfigurationException('One or more access control items are empty. Did you accidentally add lines only containing a "-" under "security.access_control"?');
  261.             }
  263.             $container->getDefinition('security.access_map')
  264.                       ->addMethodCall('add', [$matcher$attributes$access['requires_channel']]);
  265.         }
  267.         // allow cache warm-up for expressions
  268.         if (\count($this->expressions)) {
  269.             $container->getDefinition('security.cache_warmer.expression')
  270.                 ->replaceArgument(0, new IteratorArgument(array_values($this->expressions)));
  271.         } else {
  272.             $container->removeDefinition('security.cache_warmer.expression');
  273.         }
  274.     }
  276.     private function createFirewalls(array $configContainerBuilder $container)
  277.     {
  278.         if (!isset($config['firewalls'])) {
  279.             return;
  280.         }
  282.         $firewalls $config['firewalls'];
  283.         $providerIds $this->createUserProviders($config$container);
  285.         $container->setParameter('security.firewalls'array_keys($firewalls));
  287.         // make the ContextListener aware of the configured user providers
  288.         $contextListenerDefinition $container->getDefinition('security.context_listener');
  289.         $arguments $contextListenerDefinition->getArguments();
  290.         $userProviders = [];
  291.         foreach ($providerIds as $userProviderId) {
  292.             $userProviders[] = new Reference($userProviderId);
  293.         }
  294.         $arguments[1] = $userProviderIteratorsArgument = new IteratorArgument($userProviders);
  295.         $contextListenerDefinition->setArguments($arguments);
  296.         $nbUserProviders = \count($userProviders);
  298.         if ($nbUserProviders 1) {
  299.             $container->setDefinition('security.user_providers', new Definition(ChainUserProvider::class, [$userProviderIteratorsArgument]))
  300.                 ->setPublic(false);
  301.         } elseif (=== $nbUserProviders) {
  302.             $container->removeDefinition('security.listener.user_provider');
  303.         } else {
  304.             $container->setAlias('security.user_providers', new Alias(current($providerIds)))->setPublic(false);
  305.         }
  307.         if (=== \count($providerIds)) {
  308.             $container->setAlias(UserProviderInterface::class, current($providerIds));
  309.         }
  311.         $customUserChecker false;
  313.         // load firewall map
  314.         $mapDef $container->getDefinition('security.firewall.map');
  315.         $map $authenticationProviders $contextRefs = [];
  316.         foreach ($firewalls as $name => $firewall) {
  317.             if (isset($firewall['user_checker']) && 'security.user_checker' !== $firewall['user_checker']) {
  318.                 $customUserChecker true;
  319.             }
  321.             $configId 'security.firewall.map.config.'.$name;
  323.             [$matcher$listeners$exceptionListener$logoutListener] = $this->createFirewall($container$name$firewall$authenticationProviders$providerIds$configId);
  325.             $contextId 'security.firewall.map.context.'.$name;
  326.             $isLazy = !$firewall['stateless'] && (!empty($firewall['anonymous']['lazy']) || $firewall['lazy']);
  327.             $context = new ChildDefinition($isLazy 'security.firewall.lazy_context' 'security.firewall.context');
  328.             $context $container->setDefinition($contextId$context);
  329.             $context
  330.                 ->replaceArgument(0, new IteratorArgument($listeners))
  331.                 ->replaceArgument(1$exceptionListener)
  332.                 ->replaceArgument(2$logoutListener)
  333.                 ->replaceArgument(3, new Reference($configId))
  334.             ;
  336.             $contextRefs[$contextId] = new Reference($contextId);
  337.             $map[$contextId] = $matcher;
  338.         }
  340.         $container->setAlias('security.firewall.context_locator', (string) ServiceLocatorTagPass::register($container$contextRefs));
  342.         $mapDef->replaceArgument(0, new Reference('security.firewall.context_locator'));
  343.         $mapDef->replaceArgument(1, new IteratorArgument($map));
  345.         if (!$this->authenticatorManagerEnabled) {
  346.             // add authentication providers to authentication manager
  347.             $authenticationProviders array_map(function ($id) {
  348.                 return new Reference($id);
  349.             }, array_values(array_unique($authenticationProviders)));
  351.             $container
  352.                 ->getDefinition('security.authentication.manager')
  353.                 ->replaceArgument(0, new IteratorArgument($authenticationProviders));
  354.         }
  356.         // register an autowire alias for the UserCheckerInterface if no custom user checker service is configured
  357.         if (!$customUserChecker) {
  358.             $container->setAlias('Symfony\Component\Security\Core\User\UserCheckerInterface', new Alias('security.user_checker'false));
  359.         }
  360.     }
  362.     private function createFirewall(ContainerBuilder $containerstring $id, array $firewall, array &$authenticationProviders, array $providerIdsstring $configId)
  363.     {
  364.         $config $container->setDefinition($configId, new ChildDefinition('security.firewall.config'));
  365.         $config->replaceArgument(0$id);
  366.         $config->replaceArgument(1$firewall['user_checker']);
  368.         // Matcher
  369.         $matcher null;
  370.         if (isset($firewall['request_matcher'])) {
  371.             $matcher = new Reference($firewall['request_matcher']);
  372.         } elseif (isset($firewall['pattern']) || isset($firewall['host'])) {
  373.             $pattern $firewall['pattern'] ?? null;
  374.             $host $firewall['host'] ?? null;
  375.             $methods $firewall['methods'] ?? [];
  376.             $matcher $this->createRequestMatcher($container$pattern$hostnull$methods);
  377.         }
  379.         $config->replaceArgument(2$matcher ? (string) $matcher null);
  380.         $config->replaceArgument(3$firewall['security']);
  382.         // Security disabled?
  383.         if (false === $firewall['security']) {
  384.             return [$matcher, [], nullnull];
  385.         }
  387.         $config->replaceArgument(4$firewall['stateless']);
  389.         $firewallEventDispatcherId 'security.event_dispatcher.'.$id;
  391.         // Provider id (must be configured explicitly per firewall/authenticator if more than one provider is set)
  392.         $defaultProvider null;
  393.         if (isset($firewall['provider'])) {
  394.             if (!isset($providerIds[$normalizedName str_replace('-''_'$firewall['provider'])])) {
  395.                 throw new InvalidConfigurationException(sprintf('Invalid firewall "%s": user provider "%s" not found.'$id$firewall['provider']));
  396.             }
  397.             $defaultProvider $providerIds[$normalizedName];
  399.             if ($this->authenticatorManagerEnabled) {
  400.                 $container->setDefinition('security.listener.'.$id.'.user_provider', new ChildDefinition('security.listener.user_provider.abstract'))
  401.                     ->addTag('kernel.event_listener', ['dispatcher' => $firewallEventDispatcherId'event' => CheckPassportEvent::class, 'priority' => 2048'method' => 'checkPassport'])
  402.                     ->replaceArgument(0, new Reference($defaultProvider));
  403.             }
  404.         } elseif (=== \count($providerIds)) {
  405.             $defaultProvider reset($providerIds);
  406.         }
  408.         $config->replaceArgument(5$defaultProvider);
  410.         // Register Firewall-specific event dispatcher
  411.         $container->register($firewallEventDispatcherIdEventDispatcher::class)
  412.             ->addTag('event_dispatcher.dispatcher', ['name' => $firewallEventDispatcherId]);
  414.         // Register listeners
  415.         $listeners = [];
  416.         $listenerKeys = [];
  418.         // Channel listener
  419.         $listeners[] = new Reference('security.channel_listener');
  421.         $contextKey null;
  422.         $contextListenerId null;
  423.         // Context serializer listener
  424.         if (false === $firewall['stateless']) {
  425.             $contextKey $firewall['context'] ?? $id;
  426.             $listeners[] = new Reference($contextListenerId $this->createContextListener($container$contextKey$this->authenticatorManagerEnabled $firewallEventDispatcherId null));
  427.             $sessionStrategyId 'security.authentication.session_strategy';
  429.             if ($this->authenticatorManagerEnabled) {
  430.                 $container
  431.                     ->setDefinition('security.listener.session.'.$id, new ChildDefinition('security.listener.session'))
  432.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  433.             }
  434.         } else {
  435.             $this->statelessFirewallKeys[] = $id;
  436.             $sessionStrategyId 'security.authentication.session_strategy_noop';
  437.         }
  438.         $container->setAlias(new Alias('security.authentication.session_strategy.'.$idfalse), $sessionStrategyId);
  440.         $config->replaceArgument(6$contextKey);
  442.         // Logout listener
  443.         $logoutListenerId null;
  444.         if (isset($firewall['logout'])) {
  445.             $logoutListenerId 'security.logout_listener.'.$id;
  446.             $logoutListener $container->setDefinition($logoutListenerId, new ChildDefinition('security.logout_listener'));
  447.             $logoutListener->replaceArgument(2, new Reference($firewallEventDispatcherId));
  448.             $logoutListener->replaceArgument(3, [
  449.                 'csrf_parameter' => $firewall['logout']['csrf_parameter'],
  450.                 'csrf_token_id' => $firewall['logout']['csrf_token_id'],
  451.                 'logout_path' => $firewall['logout']['path'],
  452.             ]);
  454.             // add default logout listener
  455.             if (isset($firewall['logout']['success_handler'])) {
  456.                 // deprecated, to be removed in Symfony 6.0
  457.                 $logoutSuccessHandlerId $firewall['logout']['success_handler'];
  458.                 $container->register('security.logout.listener.legacy_success_listener.'.$idLegacyLogoutHandlerListener::class)
  459.                     ->setArguments([new Reference($logoutSuccessHandlerId)])
  460.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  461.             } else {
  462.                 $logoutSuccessListenerId 'security.logout.listener.default.'.$id;
  463.                 $container->setDefinition($logoutSuccessListenerId, new ChildDefinition('security.logout.listener.default'))
  464.                     ->replaceArgument(1$firewall['logout']['target'])
  465.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  466.             }
  468.             // add CSRF provider
  469.             if (isset($firewall['logout']['csrf_token_generator'])) {
  470.                 $logoutListener->addArgument(new Reference($firewall['logout']['csrf_token_generator']));
  471.             }
  473.             // add session logout listener
  474.             if (true === $firewall['logout']['invalidate_session'] && false === $firewall['stateless']) {
  475.                 $container->setDefinition('security.logout.listener.session.'.$id, new ChildDefinition('security.logout.listener.session'))
  476.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  477.             }
  479.             // add cookie logout listener
  480.             if (\count($firewall['logout']['delete_cookies']) > 0) {
  481.                 $container->setDefinition('security.logout.listener.cookie_clearing.'.$id, new ChildDefinition('security.logout.listener.cookie_clearing'))
  482.                     ->addArgument($firewall['logout']['delete_cookies'])
  483.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  484.             }
  486.             // add custom listeners (deprecated)
  487.             foreach ($firewall['logout']['handlers'] as $i => $handlerId) {
  488.                 $container->register('security.logout.listener.legacy_handler.'.$iLegacyLogoutHandlerListener::class)
  489.                     ->addArgument(new Reference($handlerId))
  490.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  491.             }
  493.             // register with LogoutUrlGenerator
  494.             $container
  495.                 ->getDefinition('security.logout_url_generator')
  496.                 ->addMethodCall('registerListener', [
  497.                     $id,
  498.                     $firewall['logout']['path'],
  499.                     $firewall['logout']['csrf_token_id'],
  500.                     $firewall['logout']['csrf_parameter'],
  501.                     isset($firewall['logout']['csrf_token_generator']) ? new Reference($firewall['logout']['csrf_token_generator']) : null,
  502.                     false === $firewall['stateless'] && isset($firewall['context']) ? $firewall['context'] : null,
  503.                 ])
  504.             ;
  505.         }
  507.         // Determine default entry point
  508.         $configuredEntryPoint $firewall['entry_point'] ?? null;
  510.         // Authentication listeners
  511.         $firewallAuthenticationProviders = [];
  512.         [$authListeners$defaultEntryPoint] = $this->createAuthenticationListeners($container$id$firewall$firewallAuthenticationProviders$defaultProvider$providerIds$configuredEntryPoint$contextListenerId);
  514.         if (!$this->authenticatorManagerEnabled) {
  515.             $authenticationProviders array_merge($authenticationProviders$firewallAuthenticationProviders);
  516.         } else {
  517.             // $configuredEntryPoint is resolved into a service ID and stored in $defaultEntryPoint
  518.             $configuredEntryPoint $defaultEntryPoint;
  520.             // authenticator manager
  521.             $authenticators array_map(function ($id) {
  522.                 return new Reference($id);
  523.             }, $firewallAuthenticationProviders);
  524.             $container
  525.                 ->setDefinition($managerId 'security.authenticator.manager.'.$id, new ChildDefinition('security.authenticator.manager'))
  526.                 ->replaceArgument(0$authenticators)
  527.                 ->replaceArgument(2, new Reference($firewallEventDispatcherId))
  528.                 ->replaceArgument(3$id)
  529.                 ->replaceArgument(7$firewall['required_badges'] ?? [])
  530.                 ->addTag('monolog.logger', ['channel' => 'security'])
  531.             ;
  533.             $managerLocator $container->getDefinition('security.authenticator.managers_locator');
  534.             $managerLocator->replaceArgument(0array_merge($managerLocator->getArgument(0), [$id => new ServiceClosureArgument(new Reference($managerId))]));
  536.             // authenticator manager listener
  537.             $container
  538.                 ->setDefinition('security.firewall.authenticator.'.$id, new ChildDefinition('security.firewall.authenticator'))
  539.                 ->replaceArgument(0, new Reference($managerId))
  540.             ;
  542.             if ($container->hasDefinition('debug.security.firewall') && $this->authenticatorManagerEnabled) {
  543.                 $container
  544.                     ->register('debug.security.firewall.authenticator.'.$idTraceableAuthenticatorManagerListener::class)
  545.                     ->setDecoratedService('security.firewall.authenticator.'.$id)
  546.                     ->setArguments([new Reference('debug.security.firewall.authenticator.'.$id.'.inner')])
  547.                 ;
  548.             }
  550.             // user checker listener
  551.             $container
  552.                 ->setDefinition('security.listener.user_checker.'.$id, new ChildDefinition('security.listener.user_checker'))
  553.                 ->replaceArgument(0, new Reference('security.user_checker.'.$id))
  554.                 ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  556.             $listeners[] = new Reference('security.firewall.authenticator.'.$id);
  558.             // Add authenticators to the debug:firewall command
  559.             if ($container->hasDefinition('security.command.debug_firewall')) {
  560.                 $debugCommand $container->getDefinition('security.command.debug_firewall');
  561.                 $debugCommand->replaceArgument(3array_merge($debugCommand->getArgument(3), [$id => $authenticators]));
  562.             }
  563.         }
  565.         $config->replaceArgument(7$configuredEntryPoint ?: $defaultEntryPoint);
  567.         $listeners array_merge($listeners$authListeners);
  569.         // Switch user listener
  570.         if (isset($firewall['switch_user'])) {
  571.             $listenerKeys[] = 'switch_user';
  572.             $listeners[] = new Reference($this->createSwitchUserListener($container$id$firewall['switch_user'], $defaultProvider$firewall['stateless']));
  573.         }
  575.         // Access listener
  576.         $listeners[] = new Reference('security.access_listener');
  578.         // Exception listener
  579.         $exceptionListener = new Reference($this->createExceptionListener($container$firewall$id$configuredEntryPoint ?: $defaultEntryPoint$firewall['stateless']));
  581.         $config->replaceArgument(8$firewall['access_denied_handler'] ?? null);
  582.         $config->replaceArgument(9$firewall['access_denied_url'] ?? null);
  584.         $container->setAlias('security.user_checker.'.$id, new Alias($firewall['user_checker'], false));
  586.         foreach ($this->getSortedFactories() as $factory) {
  587.             $key str_replace('-''_'$factory->getKey());
  588.             if ('custom_authenticators' !== $key && \array_key_exists($key$firewall)) {
  589.                 $listenerKeys[] = $key;
  590.             }
  591.         }
  593.         if ($firewall['custom_authenticators'] ?? false) {
  594.             foreach ($firewall['custom_authenticators'] as $customAuthenticatorId) {
  595.                 $listenerKeys[] = $customAuthenticatorId;
  596.             }
  597.         }
  599.         $config->replaceArgument(10$listenerKeys);
  600.         $config->replaceArgument(11$firewall['switch_user'] ?? null);
  602.         return [$matcher$listeners$exceptionListenernull !== $logoutListenerId ? new Reference($logoutListenerId) : null];
  603.     }
  605.     private function createContextListener(ContainerBuilder $containerstring $contextKey, ?string $firewallEventDispatcherId)
  606.     {
  607.         if (isset($this->contextListeners[$contextKey])) {
  608.             return $this->contextListeners[$contextKey];
  609.         }
  611.         $listenerId 'security.context_listener.'.\count($this->contextListeners);
  612.         $listener $container->setDefinition($listenerId, new ChildDefinition('security.context_listener'));
  613.         $listener->replaceArgument(2$contextKey);
  614.         if (null !== $firewallEventDispatcherId) {
  615.             $listener->replaceArgument(4, new Reference($firewallEventDispatcherId));
  616.             $listener->addTag('kernel.event_listener', ['event' => KernelEvents::RESPONSE'method' => 'onKernelResponse']);
  617.         }
  619.         return $this->contextListeners[$contextKey] = $listenerId;
  620.     }
  622.     private function createAuthenticationListeners(ContainerBuilder $containerstring $id, array $firewall, array &$authenticationProviders, ?string $defaultProvider, array $providerIds, ?string $defaultEntryPointstring $contextListenerId null)
  623.     {
  624.         $listeners = [];
  625.         $hasListeners false;
  626.         $entryPoints = [];
  628.         foreach ($this->getSortedFactories() as $factory) {
  629.             $key str_replace('-''_'$factory->getKey());
  631.             if (isset($firewall[$key])) {
  632.                 $userProvider $this->getUserProvider($container$id$firewall$key$defaultProvider$providerIds$contextListenerId);
  634.                 if ($this->authenticatorManagerEnabled) {
  635.                     if (!$factory instanceof AuthenticatorFactoryInterface) {
  636.                         throw new InvalidConfigurationException(sprintf('Cannot configure AuthenticatorManager as "%s" authentication does not support it, set "security.enable_authenticator_manager" to `false`.'$key));
  637.                     }
  639.                     $authenticators $factory->createAuthenticator($container$id$firewall[$key], $userProvider);
  640.                     if (\is_array($authenticators)) {
  641.                         foreach ($authenticators as $authenticator) {
  642.                             $authenticationProviders[] = $authenticator;
  643.                             $entryPoints[] = $authenticator;
  644.                         }
  645.                     } else {
  646.                         $authenticationProviders[] = $authenticators;
  647.                         $entryPoints[$key] = $authenticators;
  648.                     }
  649.                 } else {
  650.                     [$provider$listenerId$defaultEntryPoint] = $factory->create($container$id$firewall[$key], $userProvider$defaultEntryPoint);
  652.                     $listeners[] = new Reference($listenerId);
  653.                     $authenticationProviders[] = $provider;
  654.                 }
  656.                 if ($factory instanceof FirewallListenerFactoryInterface) {
  657.                     $firewallListenerIds $factory->createListeners($container$id$firewall[$key]);
  658.                     foreach ($firewallListenerIds as $firewallListenerId) {
  659.                         $listeners[] = new Reference($firewallListenerId);
  660.                     }
  661.                 }
  663.                 $hasListeners true;
  664.             }
  665.         }
  667.         // the actual entry point is configured by the RegisterEntryPointPass
  668.         $container->setParameter('security.'.$id.'._indexed_authenticators'$entryPoints);
  670.         if (false === $hasListeners && !$this->authenticatorManagerEnabled) {
  671.             throw new InvalidConfigurationException(sprintf('No authentication listener registered for firewall "%s".'$id));
  672.         }
  674.         return [$listeners$defaultEntryPoint];
  675.     }
  677.     private function getUserProvider(ContainerBuilder $containerstring $id, array $firewallstring $factoryKey, ?string $defaultProvider, array $providerIds, ?string $contextListenerId): string
  678.     {
  679.         if (isset($firewall[$factoryKey]['provider'])) {
  680.             if (!isset($providerIds[$normalizedName str_replace('-''_'$firewall[$factoryKey]['provider'])])) {
  681.                 throw new InvalidConfigurationException(sprintf('Invalid firewall "%s": user provider "%s" not found.'$id$firewall[$factoryKey]['provider']));
  682.             }
  684.             return $providerIds[$normalizedName];
  685.         }
  687.         if ('remember_me' === $factoryKey && $contextListenerId) {
  688.             $container->getDefinition($contextListenerId)->addTag('security.remember_me_aware', ['id' => $id'provider' => 'none']);
  689.         }
  691.         if ($defaultProvider) {
  692.             return $defaultProvider;
  693.         }
  695.         if (!$providerIds) {
  696.             $userProvider sprintf('security.user.provider.missing.%s'$factoryKey);
  697.             $container->setDefinition(
  698.                 $userProvider,
  699.                 (new ChildDefinition('security.user.provider.missing'))->replaceArgument(0$id)
  700.             );
  702.             return $userProvider;
  703.         }
  705.         if ('remember_me' === $factoryKey || 'anonymous' === $factoryKey || 'custom_authenticators' === $factoryKey) {
  706.             if ('custom_authenticators' === $factoryKey) {
  707.                 trigger_deprecation('symfony/security-bundle''5.4''Not configuring explicitly the provider for the "%s" listener on "%s" firewall is deprecated because it\'s ambiguous as there is more than one registered provider.'$factoryKey$id);
  708.             }
  710.             return 'security.user_providers';
  711.         }
  713.         throw new InvalidConfigurationException(sprintf('Not configuring explicitly the provider for the "%s" %s on "%s" firewall is ambiguous as there is more than one registered provider.'$factoryKey$this->authenticatorManagerEnabled 'authenticator' 'listener'$id));
  714.     }
  716.     private function createEncoders(array $encodersContainerBuilder $container)
  717.     {
  718.         $encoderMap = [];
  719.         foreach ($encoders as $class => $encoder) {
  720.             if (class_exists($class) && !is_a($classPasswordAuthenticatedUserInterface::class, true)) {
  721.                 trigger_deprecation('symfony/security-bundle''5.3''Configuring an encoder for a user class that does not implement "%s" is deprecated, class "%s" should implement it.'PasswordAuthenticatedUserInterface::class, $class);
  722.             }
  723.             $encoderMap[$class] = $this->createEncoder($encoder);
  724.         }
  726.         $container
  727.             ->getDefinition('security.encoder_factory.generic')
  728.             ->setArguments([$encoderMap])
  729.         ;
  730.     }
  732.     private function createEncoder(array $config)
  733.     {
  734.         // a custom encoder service
  735.         if (isset($config['id'])) {
  736.             return new Reference($config['id']);
  737.         }
  739.         if ($config['migrate_from'] ?? false) {
  740.             return $config;
  741.         }
  743.         // plaintext encoder
  744.         if ('plaintext' === $config['algorithm']) {
  745.             $arguments = [$config['ignore_case']];
  747.             return [
  748.                 'class' => 'Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder',
  749.                 'arguments' => $arguments,
  750.             ];
  751.         }
  753.         // pbkdf2 encoder
  754.         if ('pbkdf2' === $config['algorithm']) {
  755.             return [
  756.                 'class' => 'Symfony\Component\Security\Core\Encoder\Pbkdf2PasswordEncoder',
  757.                 'arguments' => [
  758.                     $config['hash_algorithm'],
  759.                     $config['encode_as_base64'],
  760.                     $config['iterations'],
  761.                     $config['key_length'],
  762.                 ],
  763.             ];
  764.         }
  766.         // bcrypt encoder
  767.         if ('bcrypt' === $config['algorithm']) {
  768.             $config['algorithm'] = 'native';
  769.             $config['native_algorithm'] = \PASSWORD_BCRYPT;
  771.             return $this->createEncoder($config);
  772.         }
  774.         // Argon2i encoder
  775.         if ('argon2i' === $config['algorithm']) {
  776.             if (SodiumPasswordHasher::isSupported() && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
  777.                 $config['algorithm'] = 'sodium';
  778.             } elseif (\defined('PASSWORD_ARGON2I')) {
  779.                 $config['algorithm'] = 'native';
  780.                 $config['native_algorithm'] = \PASSWORD_ARGON2I;
  781.             } else {
  782.                 throw new InvalidConfigurationException(sprintf('Algorithm "argon2i" is not available. Use "%s" instead.', \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13') ? 'argon2id", "auto' 'auto'));
  783.             }
  785.             return $this->createEncoder($config);
  786.         }
  788.         if ('argon2id' === $config['algorithm']) {
  789.             if (($hasSodium SodiumPasswordHasher::isSupported()) && \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
  790.                 $config['algorithm'] = 'sodium';
  791.             } elseif (\defined('PASSWORD_ARGON2ID')) {
  792.                 $config['algorithm'] = 'native';
  793.                 $config['native_algorithm'] = \PASSWORD_ARGON2ID;
  794.             } else {
  795.                 throw new InvalidConfigurationException(sprintf('Algorithm "argon2id" is not available. Either use "%s", upgrade to PHP 7.3+ or use libsodium 1.0.15+ instead.', \defined('PASSWORD_ARGON2I') || $hasSodium 'argon2i", "auto' 'auto'));
  796.             }
  798.             return $this->createEncoder($config);
  799.         }
  801.         if ('native' === $config['algorithm']) {
  802.             return [
  803.                 'class' => NativePasswordEncoder::class,
  804.                 'arguments' => [
  805.                         $config['time_cost'],
  806.                         (($config['memory_cost'] ?? 0) << 10) ?: null,
  807.                         $config['cost'],
  808.                     ] + (isset($config['native_algorithm']) ? [=> $config['native_algorithm']] : []),
  809.             ];
  810.         }
  812.         if ('sodium' === $config['algorithm']) {
  813.             if (!SodiumPasswordHasher::isSupported()) {
  814.                 throw new InvalidConfigurationException('Libsodium is not available. Install the sodium extension or use "auto" instead.');
  815.             }
  817.             return [
  818.                 'class' => SodiumPasswordEncoder::class,
  819.                 'arguments' => [
  820.                     $config['time_cost'],
  821.                     (($config['memory_cost'] ?? 0) << 10) ?: null,
  822.                 ],
  823.             ];
  824.         }
  826.         // run-time configured encoder
  827.         return $config;
  828.     }
  830.     private function createHashers(array $hashersContainerBuilder $container)
  831.     {
  832.         $hasherMap = [];
  833.         foreach ($hashers as $class => $hasher) {
  834.             // @deprecated since Symfony 5.3, remove the check in 6.0
  835.             if (class_exists($class) && !is_a($classPasswordAuthenticatedUserInterface::class, true)) {
  836.                 trigger_deprecation('symfony/security-bundle''5.3''Configuring a password hasher for a user class that does not implement "%s" is deprecated, class "%s" should implement it.'PasswordAuthenticatedUserInterface::class, $class);
  837.             }
  838.             $hasherMap[$class] = $this->createHasher($hasher);
  839.         }
  841.         $container
  842.             ->getDefinition('security.password_hasher_factory')
  843.             ->setArguments([$hasherMap])
  844.         ;
  845.     }
  847.     private function createHasher(array $config)
  848.     {
  849.         // a custom hasher service
  850.         if (isset($config['id'])) {
  851.             return new Reference($config['id']);
  852.         }
  854.         if ($config['migrate_from'] ?? false) {
  855.             return $config;
  856.         }
  858.         // plaintext hasher
  859.         if ('plaintext' === $config['algorithm']) {
  860.             $arguments = [$config['ignore_case']];
  862.             return [
  863.                 'class' => PlaintextPasswordHasher::class,
  864.                 'arguments' => $arguments,
  865.             ];
  866.         }
  868.         // pbkdf2 hasher
  869.         if ('pbkdf2' === $config['algorithm']) {
  870.             return [
  871.                 'class' => Pbkdf2PasswordHasher::class,
  872.                 'arguments' => [
  873.                     $config['hash_algorithm'],
  874.                     $config['encode_as_base64'],
  875.                     $config['iterations'],
  876.                     $config['key_length'],
  877.                 ],
  878.             ];
  879.         }
  881.         // bcrypt hasher
  882.         if ('bcrypt' === $config['algorithm']) {
  883.             $config['algorithm'] = 'native';
  884.             $config['native_algorithm'] = \PASSWORD_BCRYPT;
  886.             return $this->createHasher($config);
  887.         }
  889.         // Argon2i hasher
  890.         if ('argon2i' === $config['algorithm']) {
  891.             if (SodiumPasswordHasher::isSupported() && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
  892.                 $config['algorithm'] = 'sodium';
  893.             } elseif (\defined('PASSWORD_ARGON2I')) {
  894.                 $config['algorithm'] = 'native';
  895.                 $config['native_algorithm'] = \PASSWORD_ARGON2I;
  896.             } else {
  897.                 throw new InvalidConfigurationException(sprintf('Algorithm "argon2i" is not available. Either use "%s" or upgrade to PHP 7.2+ instead.', \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13') ? 'argon2id", "auto' 'auto'));
  898.             }
  900.             return $this->createHasher($config);
  901.         }
  903.         if ('argon2id' === $config['algorithm']) {
  904.             if (($hasSodium SodiumPasswordHasher::isSupported()) && \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
  905.                 $config['algorithm'] = 'sodium';
  906.             } elseif (\defined('PASSWORD_ARGON2ID')) {
  907.                 $config['algorithm'] = 'native';
  908.                 $config['native_algorithm'] = \PASSWORD_ARGON2ID;
  909.             } else {
  910.                 throw new InvalidConfigurationException(sprintf('Algorithm "argon2id" is not available. Either use "%s", upgrade to PHP 7.3+ or use libsodium 1.0.15+ instead.', \defined('PASSWORD_ARGON2I') || $hasSodium 'argon2i", "auto' 'auto'));
  911.             }
  913.             return $this->createHasher($config);
  914.         }
  916.         if ('native' === $config['algorithm']) {
  917.             return [
  918.                 'class' => NativePasswordHasher::class,
  919.                 'arguments' => [
  920.                     $config['time_cost'],
  921.                     (($config['memory_cost'] ?? 0) << 10) ?: null,
  922.                     $config['cost'],
  923.                 ] + (isset($config['native_algorithm']) ? [=> $config['native_algorithm']] : []),
  924.             ];
  925.         }
  927.         if ('sodium' === $config['algorithm']) {
  928.             if (!SodiumPasswordHasher::isSupported()) {
  929.                 throw new InvalidConfigurationException('Libsodium is not available. Install the sodium extension or use "auto" instead.');
  930.             }
  932.             return [
  933.                 'class' => SodiumPasswordHasher::class,
  934.                 'arguments' => [
  935.                     $config['time_cost'],
  936.                     (($config['memory_cost'] ?? 0) << 10) ?: null,
  937.                 ],
  938.             ];
  939.         }
  941.         // run-time configured hasher
  942.         return $config;
  943.     }
  945.     // Parses user providers and returns an array of their ids
  946.     private function createUserProviders(array $configContainerBuilder $container): array
  947.     {
  948.         $providerIds = [];
  949.         foreach ($config['providers'] as $name => $provider) {
  950.             $id $this->createUserDaoProvider($name$provider$container);
  951.             $providerIds[str_replace('-''_'$name)] = $id;
  952.         }
  954.         return $providerIds;
  955.     }
  957.     // Parses a <provider> tag and returns the id for the related user provider service
  958.     private function createUserDaoProvider(string $name, array $providerContainerBuilder $container): string
  959.     {
  960.         $name $this->getUserProviderId($name);
  962.         // Doctrine Entity and In-memory DAO provider are managed by factories
  963.         foreach ($this->userProviderFactories as $factory) {
  964.             $key str_replace('-''_'$factory->getKey());
  966.             if (!empty($provider[$key])) {
  967.                 $factory->create($container$name$provider[$key]);
  969.                 return $name;
  970.             }
  971.         }
  973.         // Existing DAO service provider
  974.         if (isset($provider['id'])) {
  975.             $container->setAlias($name, new Alias($provider['id'], false));
  977.             return $provider['id'];
  978.         }
  980.         // Chain provider
  981.         if (isset($provider['chain'])) {
  982.             $providers = [];
  983.             foreach ($provider['chain']['providers'] as $providerName) {
  984.                 $providers[] = new Reference($this->getUserProviderId($providerName));
  985.             }
  987.             $container
  988.                 ->setDefinition($name, new ChildDefinition('security.user.provider.chain'))
  989.                 ->addArgument(new IteratorArgument($providers));
  991.             return $name;
  992.         }
  994.         throw new InvalidConfigurationException(sprintf('Unable to create definition for "%s" user provider.'$name));
  995.     }
  997.     private function getUserProviderId(string $name): string
  998.     {
  999.         return 'security.user.provider.concrete.'.strtolower($name);
  1000.     }
  1002.     private function createExceptionListener(ContainerBuilder $container, array $configstring $id, ?string $defaultEntryPointbool $stateless): string
  1003.     {
  1004.         $exceptionListenerId 'security.exception_listener.'.$id;
  1005.         $listener $container->setDefinition($exceptionListenerId, new ChildDefinition('security.exception_listener'));
  1006.         $listener->replaceArgument(3$id);
  1007.         $listener->replaceArgument(4null === $defaultEntryPoint null : new Reference($defaultEntryPoint));
  1008.         $listener->replaceArgument(8$stateless);
  1010.         // access denied handler setup
  1011.         if (isset($config['access_denied_handler'])) {
  1012.             $listener->replaceArgument(6, new Reference($config['access_denied_handler']));
  1013.         } elseif (isset($config['access_denied_url'])) {
  1014.             $listener->replaceArgument(5$config['access_denied_url']);
  1015.         }
  1017.         return $exceptionListenerId;
  1018.     }
  1020.     private function createSwitchUserListener(ContainerBuilder $containerstring $id, array $config, ?string $defaultProviderbool $stateless): string
  1021.     {
  1022.         $userProvider = isset($config['provider']) ? $this->getUserProviderId($config['provider']) : $defaultProvider;
  1024.         if (!$userProvider) {
  1025.             throw new InvalidConfigurationException(sprintf('Not configuring explicitly the provider for the "switch_user" listener on "%s" firewall is ambiguous as there is more than one registered provider.'$id));
  1026.         }
  1028.         $switchUserListenerId 'security.authentication.switchuser_listener.'.$id;
  1029.         $listener $container->setDefinition($switchUserListenerId, new ChildDefinition('security.authentication.switchuser_listener'));
  1030.         $listener->replaceArgument(1, new Reference($userProvider));
  1031.         $listener->replaceArgument(2, new Reference('security.user_checker.'.$id));
  1032.         $listener->replaceArgument(3$id);
  1033.         $listener->replaceArgument(6$config['parameter']);
  1034.         $listener->replaceArgument(7$config['role']);
  1035.         $listener->replaceArgument(9$stateless);
  1037.         return $switchUserListenerId;
  1038.     }
  1040.     private function createExpression(ContainerBuilder $containerstring $expression): Reference
  1041.     {
  1042.         if (isset($this->expressions[$id '.security.expression.'.ContainerBuilder::hash($expression)])) {
  1043.             return $this->expressions[$id];
  1044.         }
  1046.         if (!$container::willBeAvailable('symfony/expression-language'ExpressionLanguage::class, ['symfony/security-bundle'], true)) {
  1047.             throw new \RuntimeException('Unable to use expressions as the Symfony ExpressionLanguage component is not installed. Try running "composer require symfony/expression-language".');
  1048.         }
  1050.         $container
  1051.             ->register($id'Symfony\Component\ExpressionLanguage\Expression')
  1052.             ->setPublic(false)
  1053.             ->addArgument($expression)
  1054.         ;
  1056.         return $this->expressions[$id] = new Reference($id);
  1057.     }
  1059.     private function createRequestMatcher(ContainerBuilder $containerstring $path nullstring $host nullint $port null, array $methods = [], array $ips null, array $attributes = []): Reference
  1060.     {
  1061.         if ($methods) {
  1062.             $methods array_map('strtoupper'$methods);
  1063.         }
  1065.         if (null !== $ips) {
  1066.             foreach ($ips as $ip) {
  1067.                 $container->resolveEnvPlaceholders($ipnull$usedEnvs);
  1069.                 if (!$usedEnvs && !$this->isValidIps($ip)) {
  1070.                     throw new \LogicException(sprintf('The given value "%s" in the "security.access_control" config option is not a valid IP address.'$ip));
  1071.                 }
  1073.                 $usedEnvs null;
  1074.             }
  1075.         }
  1077.         $id '.security.request_matcher.'.ContainerBuilder::hash([$path$host$port$methods$ips$attributes]);
  1079.         if (isset($this->requestMatchers[$id])) {
  1080.             return $this->requestMatchers[$id];
  1081.         }
  1083.         // only add arguments that are necessary
  1084.         $arguments = [$path$host$methods$ips$attributesnull$port];
  1085.         while (\count($arguments) > && !end($arguments)) {
  1086.             array_pop($arguments);
  1087.         }
  1089.         $container
  1090.             ->register($id'Symfony\Component\HttpFoundation\RequestMatcher')
  1091.             ->setPublic(false)
  1092.             ->setArguments($arguments)
  1093.         ;
  1095.         return $this->requestMatchers[$id] = new Reference($id);
  1096.     }
  1098.     /**
  1099.      * @deprecated since Symfony 5.4, use "addAuthenticatorFactory()" instead
  1100.      */
  1101.     public function addSecurityListenerFactory(SecurityFactoryInterface $factory)
  1102.     {
  1103.         trigger_deprecation('symfony/security-bundle''5.4''Method "%s()" is deprecated, use "addAuthenticatorFactory()" instead.'__METHOD__);
  1105.         $this->factories[] = [[
  1106.             'pre_auth' => -10,
  1107.             'form' => -30,
  1108.             'http' => -40,
  1109.             'remember_me' => -50,
  1110.             'anonymous' => -60,
  1111.         ][$factory->getPosition()], $factory];
  1112.         $this->sortedFactories = [];
  1113.     }
  1115.     public function addAuthenticatorFactory(AuthenticatorFactoryInterface $factory)
  1116.     {
  1117.         $this->factories[] = [method_exists($factory'getPriority') ? $factory->getPriority() : 0$factory];
  1118.         $this->sortedFactories = [];
  1119.     }
  1121.     public function addUserProviderFactory(UserProviderFactoryInterface $factory)
  1122.     {
  1123.         $this->userProviderFactories[] = $factory;
  1124.     }
  1126.     /**
  1127.      * {@inheritdoc}
  1128.      */
  1129.     public function getXsdValidationBasePath()
  1130.     {
  1131.         return __DIR__.'/../Resources/config/schema';
  1132.     }
  1134.     public function getNamespace()
  1135.     {
  1136.         return 'http://symfony.com/schema/dic/security';
  1137.     }
  1139.     public function getConfiguration(array $configContainerBuilder $container)
  1140.     {
  1141.         // first assemble the factories
  1142.         return new MainConfiguration($this->getSortedFactories(), $this->userProviderFactories);
  1143.     }
  1145.     private function isValidIps($ips): bool
  1146.     {
  1147.         $ipsList array_reduce((array) $ips, static function (array $ipsstring $ip) {
  1148.             return array_merge($ipspreg_split('/\s*,\s*/'$ip));
  1149.         }, []);
  1151.         if (!$ipsList) {
  1152.             return false;
  1153.         }
  1155.         foreach ($ipsList as $cidr) {
  1156.             if (!$this->isValidIp($cidr)) {
  1157.                 return false;
  1158.             }
  1159.         }
  1161.         return true;
  1162.     }
  1164.     private function isValidIp(string $cidr): bool
  1165.     {
  1166.         $cidrParts explode('/'$cidr);
  1168.         if (=== \count($cidrParts)) {
  1169.             return false !== filter_var($cidrParts[0], \FILTER_VALIDATE_IP);
  1170.         }
  1172.         $ip $cidrParts[0];
  1173.         $netmask $cidrParts[1];
  1175.         if (!ctype_digit($netmask)) {
  1176.             return false;
  1177.         }
  1179.         if (filter_var($ip, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV4)) {
  1180.             return $netmask <= 32;
  1181.         }
  1183.         if (filter_var($ip, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)) {
  1184.             return $netmask <= 128;
  1185.         }
  1187.         return false;
  1188.     }
  1190.     /**
  1191.      * @return array<int, SecurityFactoryInterface|AuthenticatorFactoryInterface>
  1192.      */
  1193.     private function getSortedFactories(): array
  1194.     {
  1195.         if (!$this->sortedFactories) {
  1196.             $factories = [];
  1197.             foreach ($this->factories as $i => $factory) {
  1198.                 $factories[] = array_merge($factory, [$i]);
  1199.             }
  1201.             usort($factories, function ($a$b) {
  1202.                 return $b[0] <=> $a[0] ?: $a[2] <=> $b[2];
  1203.             });
  1205.             $this->sortedFactories array_column($factories1);
  1206.         }
  1208.         return $this->sortedFactories;
  1209.     }
  1210. }