bug #39621 [Security] Fix event propagation for globally registered security events (scheb)

nicolas-grekas · nicolas-grekas · commit fb8935eb195d · 2020-12-23T16:38:06.000+01:00
This PR was squashed before being merged into the 5.1 branch. Discussion ---------- [Security] Fix event propagation for globally registered security events | Q | A | ------------- | --- | Branch? | 5.1 | Bug fix? | yes | New feature? | no | Deprecations? | no | License | MIT When new authenticator security is enabled, the `AuthenticatorManager` is using its own firewall-specific event dispatcher. To allow security events being listened to on the global level, `RegisterGlobalSecurityEventListenersPass` is there to automatically add globally registered event listeners to the firewall-specific event dispatchers. `RegisterGlobalSecurityEventListenersPass` contains a list of events that are propagated, but unfortunately this list is incomplete as there are other events in `AuthenticatorManager` that would need too be propagated. So I added the missing (older) security events. These older events may also be registered by their name, rather than the FQN of the class, so I've also added those. As this is targeting 5.1, I'll file another PR for the `AuthenticationTokenCreatedEvent` that was introduced in 5.2, as soon as this change was merged into 5.x. On a note, I feel this "whitelist" approach to propagate security events to the global dispatcher isn't that great, because it's prone to error. Additional security events may be added in the future and adding these to `RegisterGlobalSecurityEventListenersPass` can easily be missed. When I added `AuthenticationTokenCreatedEvent` in PR #37359 I wasn't aware of this propagation mechanic existed and also no one reviewing the PR noticed it. Additional changes: - Typo fix :) - The `array_uintersect` in `RegisterGlobalSecurityEventListenersPassTest` wasn't implemented correctly * \* That function's behavior is really odd and easy to be used in the wrong way. The callback function isn't intended to return true/false for matching items, but return -1/0/1 like sorting functions. The tests seemingly only worked by chance as returning true/false is doing pretty much the opposite of what the callback function is supposed to do. Commits ------- 1675864 [Security] Fix event propagation for globally registered security events
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterGlobalSecurityEventListenersPass.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterGlobalSecurityEventListenersPass.php
@@ -13,14 +13,18 @@
 
 use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\Security\Core\AuthenticationEvents;
+use Symfony\Component\Security\Core\Event\AuthenticationSuccessEvent;
 use Symfony\Component\Security\Http\Event\CheckPassportEvent;
+use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
 use Symfony\Component\Security\Http\Event\LoginFailureEvent;
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
 use Symfony\Component\Security\Http\Event\LogoutEvent;
+use Symfony\Component\Security\Http\SecurityEvents;
 
 /**
  * Makes sure all event listeners on the global dispatcher are also listening
- * to events on the firewall-specific dipatchers.
+ * to events on the firewall-specific dispatchers.
  *
  * This compiler pass must be run after RegisterListenersPass of the
  * EventDispatcher component.
@@ -31,7 +35,18 @@
  */
 class RegisterGlobalSecurityEventListenersPass implements CompilerPassInterface
 {
-    private static $eventBubblingEvents = [CheckPassportEvent::class, LoginFailureEvent::class, LoginSuccessEvent::class, LogoutEvent::class];
+    private static $eventBubblingEvents = [
+        CheckPassportEvent::class,
+        LoginFailureEvent::class,
+        LoginSuccessEvent::class,
+        LogoutEvent::class,
+        AuthenticationSuccessEvent::class,
+        InteractiveLoginEvent::class,
+
+        // When events are registered by their name
+        AuthenticationEvents::AUTHENTICATION_SUCCESS,
+        SecurityEvents::INTERACTIVE_LOGIN,
+    ];
 
     /**
      * {@inheritdoc}
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/RegisterGlobalSecurityEventListenersPassTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/RegisterGlobalSecurityEventListenersPassTest.php
@@ -19,6 +19,7 @@
 use Symfony\Component\EventDispatcher\DependencyInjection\RegisterListenersPass;
 use Symfony\Component\EventDispatcher\EventDispatcher;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\Security\Core\AuthenticationEvents;
 use Symfony\Component\Security\Http\Event\CheckPassportEvent;
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
 use Symfony\Component\Security\Http\Event\LogoutEvent;
@@ -53,13 +54,15 @@ public function testRegisterCustomListener()
 
         $this->container->register('app.security_listener', \stdClass::class)
             ->addTag('kernel.event_listener', ['method' => 'onLogout', 'event' => LogoutEvent::class])
-            ->addTag('kernel.event_listener', ['method' => 'onLoginSuccess', 'event' => LoginSuccessEvent::class, 'priority' => 20]);
+            ->addTag('kernel.event_listener', ['method' => 'onLoginSuccess', 'event' => LoginSuccessEvent::class, 'priority' => 20])
+            ->addTag('kernel.event_listener', ['method' => 'onAuthenticationSuccess', 'event' => AuthenticationEvents::AUTHENTICATION_SUCCESS]);
 
         $this->container->compile();
 
         $this->assertListeners([
             [LogoutEvent::class, ['app.security_listener', 'onLogout'], 0],
             [LoginSuccessEvent::class, ['app.security_listener', 'onLoginSuccess'], 20],
+            [AuthenticationEvents::AUTHENTICATION_SUCCESS, ['app.security_listener', 'onAuthenticationSuccess'], 0],
         ]);
     }
 
@@ -79,6 +82,7 @@ public function testRegisterCustomSubscriber()
             [LogoutEvent::class, [TestSubscriber::class, 'onLogout'], -200],
             [CheckPassportEvent::class, [TestSubscriber::class, 'onCheckPassport'], 120],
             [LoginSuccessEvent::class, [TestSubscriber::class, 'onLoginSuccess'], 0],
+            [AuthenticationEvents::AUTHENTICATION_SUCCESS, [TestSubscriber::class, 'onAuthenticationSuccess'], 0],
         ]);
     }
 
@@ -95,17 +99,20 @@ public function testMultipleFirewalls()
 
         $this->container->register('app.security_listener', \stdClass::class)
             ->addTag('kernel.event_listener', ['method' => 'onLogout', 'event' => LogoutEvent::class])
-            ->addTag('kernel.event_listener', ['method' => 'onLoginSuccess', 'event' => LoginSuccessEvent::class, 'priority' => 20]);
+            ->addTag('kernel.event_listener', ['method' => 'onLoginSuccess', 'event' => LoginSuccessEvent::class, 'priority' => 20])
+            ->addTag('kernel.event_listener', ['method' => 'onAuthenticationSuccess', 'event' => AuthenticationEvents::AUTHENTICATION_SUCCESS]);
 
         $this->container->compile();
 
         $this->assertListeners([
             [LogoutEvent::class, ['app.security_listener', 'onLogout'], 0],
             [LoginSuccessEvent::class, ['app.security_listener', 'onLoginSuccess'], 20],
+            [AuthenticationEvents::AUTHENTICATION_SUCCESS, ['app.security_listener', 'onAuthenticationSuccess'], 0],
         ], 'security.event_dispatcher.main');
         $this->assertListeners([
             [LogoutEvent::class, ['app.security_listener', 'onLogout'], 0],
             [LoginSuccessEvent::class, ['app.security_listener', 'onLoginSuccess'], 20],
+            [AuthenticationEvents::AUTHENTICATION_SUCCESS, ['app.security_listener', 'onAuthenticationSuccess'], 0],
         ], 'security.event_dispatcher.api');
     }
 
@@ -122,13 +129,15 @@ public function testListenerAlreadySpecific()
 
         $this->container->register('app.security_listener', \stdClass::class)
             ->addTag('kernel.event_listener', ['method' => 'onLogout', 'event' => LogoutEvent::class, 'dispatcher' => 'security.event_dispatcher.main'])
-            ->addTag('kernel.event_listener', ['method' => 'onLoginSuccess', 'event' => LoginSuccessEvent::class, 'priority' => 20]);
+            ->addTag('kernel.event_listener', ['method' => 'onLoginSuccess', 'event' => LoginSuccessEvent::class, 'priority' => 20])
+            ->addTag('kernel.event_listener', ['method' => 'onAuthenticationSuccess', 'event' => AuthenticationEvents::AUTHENTICATION_SUCCESS]);
 
         $this->container->compile();
 
         $this->assertListeners([
             [LogoutEvent::class, ['app.security_listener', 'onLogout'], 0],
             [LoginSuccessEvent::class, ['app.security_listener', 'onLoginSuccess'], 20],
+            [AuthenticationEvents::AUTHENTICATION_SUCCESS, ['app.security_listener', 'onAuthenticationSuccess'], 0],
         ], 'security.event_dispatcher.main');
     }
 
@@ -146,7 +155,8 @@ private function assertListeners(array $expectedListeners, string $dispatcherId
         }
 
         $foundListeners = array_uintersect($expectedListeners, $actualListeners, function (array $a, array $b) {
-            return $a === $b;
+            // PHP internally sorts all the arrays first, so returning proper 1 / -1 values is crucial
+            return $a <=> $b;
         });
 
         $this->assertEquals($expectedListeners, $foundListeners);
@@ -161,6 +171,7 @@ public static function getSubscribedEvents(): array
             LogoutEvent::class => ['onLogout', -200],
             CheckPassportEvent::class => ['onCheckPassport', 120],
             LoginSuccessEvent::class => 'onLoginSuccess',
+            AuthenticationEvents::AUTHENTICATION_SUCCESS => 'onAuthenticationSuccess',
         ];
     }
 }
