vendor/symfony/security-bundle/DependencyInjection/SecurityExtension.php line 120

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Bundle\SecurityBundle\DependencyInjection;
  14. use Composer\InstalledVersions;
  15. use Symfony\Bridge\Twig\Extension\LogoutUrlExtension;
  16. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AuthenticatorFactoryInterface;
  17. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FirewallListenerFactoryInterface;
  18. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
  19. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\UserProvider\UserProviderFactoryInterface;
  20. use Symfony\Bundle\SecurityBundle\Security\LegacyLogoutHandlerListener;
  21. use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
  22. use Symfony\Component\Config\FileLocator;
  23. use Symfony\Component\Console\Application;
  24. use Symfony\Component\DependencyInjection\Alias;
  25. use Symfony\Component\DependencyInjection\Argument\IteratorArgument;
  26. use Symfony\Component\DependencyInjection\Argument\ServiceClosureArgument;
  27. use Symfony\Component\DependencyInjection\ChildDefinition;
  28. use Symfony\Component\DependencyInjection\Compiler\ServiceLocatorTagPass;
  29. use Symfony\Component\DependencyInjection\ContainerBuilder;
  30. use Symfony\Component\DependencyInjection\Definition;
  31. use Symfony\Component\DependencyInjection\Extension\PrependExtensionInterface;
  32. use Symfony\Component\DependencyInjection\Loader\PhpFileLoader;
  33. use Symfony\Component\DependencyInjection\Reference;
  34. use Symfony\Component\EventDispatcher\EventDispatcher;
  35. use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
  36. use Symfony\Component\HttpKernel\DependencyInjection\Extension;
  37. use Symfony\Component\HttpKernel\KernelEvents;
  38. use Symfony\Component\PasswordHasher\Hasher\NativePasswordHasher;
  39. use Symfony\Component\PasswordHasher\Hasher\Pbkdf2PasswordHasher;
  40. use Symfony\Component\PasswordHasher\Hasher\PlaintextPasswordHasher;
  41. use Symfony\Component\PasswordHasher\Hasher\SodiumPasswordHasher;
  42. use Symfony\Component\Security\Core\Authorization\Strategy\AffirmativeStrategy;
  43. use Symfony\Component\Security\Core\Authorization\Strategy\ConsensusStrategy;
  44. use Symfony\Component\Security\Core\Authorization\Strategy\PriorityStrategy;
  45. use Symfony\Component\Security\Core\Authorization\Strategy\UnanimousStrategy;
  46. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  47. use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
  48. use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
  49. use Symfony\Component\Security\Core\User\ChainUserProvider;
  50. use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
  51. use Symfony\Component\Security\Core\User\UserProviderInterface;
  52. use Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticatorManagerListener;
  53. use Symfony\Component\Security\Http\Event\CheckPassportEvent;
  55. /**
  56.  * SecurityExtension.
  57.  *
  58.  * @author Fabien Potencier <fabien@symfony.com>
  59.  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  60.  */
  61. class SecurityExtension extends Extension implements PrependExtensionInterface
  62. {
  63.     private $requestMatchers = [];
  64.     private $expressions = [];
  65.     private $contextListeners = [];
  66.     /** @var list<array{int, AuthenticatorFactoryInterface|SecurityFactoryInterface}> */
  67.     private $factories = [];
  68.     /** @var list<AuthenticatorFactoryInterface|SecurityFactoryInterface> */
  69.     private $sortedFactories = [];
  70.     private $userProviderFactories = [];
  71.     private $statelessFirewallKeys = [];
  73.     private $authenticatorManagerEnabled false;
  75.     public function prepend(ContainerBuilder $container)
  76.     {
  77.         foreach ($this->getSortedFactories() as $factory) {
  78.             if ($factory instanceof PrependExtensionInterface) {
  79.                 $factory->prepend($container);
  80.             }
  81.         }
  82.     }
  84.     public function load(array $configsContainerBuilder $container)
  85.     {
  86.         if (!class_exists(InstalledVersions::class)) {
  87.             trigger_deprecation('symfony/security-bundle''5.4''Configuring Symfony without the Composer Runtime API is deprecated. Consider upgrading to Composer 2.1 or later.');
  88.         }
  90.         if (!array_filter($configs)) {
  91.             return;
  92.         }
  94.         $mainConfig $this->getConfiguration($configs$container);
  96.         $config $this->processConfiguration($mainConfig$configs);
  98.         // load services
  99.         $loader = new PhpFileLoader($container, new FileLocator(\dirname(__DIR__).'/Resources/config'));
  101.         $loader->load('security.php');
  102.         $loader->load('password_hasher.php');
  103.         $loader->load('security_listeners.php');
  104.         $loader->load('security_rememberme.php');
  106.         if ($this->authenticatorManagerEnabled $config['enable_authenticator_manager']) {
  107.             if ($config['always_authenticate_before_granting']) {
  108.                 throw new InvalidConfigurationException('The security option "always_authenticate_before_granting" cannot be used when "enable_authenticator_manager" is set to true. If you rely on this behavior, set it to false.');
  109.             }
  111.             $loader->load('security_authenticator.php');
  113.             // The authenticator system no longer has anonymous tokens. This makes sure AccessListener
  114.             // and AuthorizationChecker do not throw AuthenticationCredentialsNotFoundException when no
  115.             // token is available in the token storage.
  116.             $container->getDefinition('security.access_listener')->setArgument(3false);
  117.             $container->getDefinition('security.authorization_checker')->setArgument(3false);
  118.             $container->getDefinition('security.authorization_checker')->setArgument(4false);
  119.         } else {
  120.             trigger_deprecation('symfony/security-bundle''5.3''Not setting the "security.enable_authenticator_manager" config option to true is deprecated.');
  122.             if ($config['always_authenticate_before_granting']) {
  123.                 $authorizationChecker $container->getDefinition('security.authorization_checker');
  124.                 $authorizationCheckerArgs $authorizationChecker->getArguments();
  125.                 array_splice($authorizationCheckerArgs10, [new Reference('security.authentication.manager')]);
  126.                 $authorizationChecker->setArguments($authorizationCheckerArgs);
  127.             }
  129.             $loader->load('security_legacy.php');
  130.         }
  132.         if ($container::willBeAvailable('symfony/twig-bridge'LogoutUrlExtension::class, ['symfony/security-bundle'], true)) {
  133.             $loader->load('templating_twig.php');
  134.         }
  136.         $loader->load('collectors.php');
  137.         $loader->load('guard.php');
  139.         $container->getDefinition('data_collector.security')->addArgument($this->authenticatorManagerEnabled);
  141.         if ($container->hasParameter('kernel.debug') && $container->getParameter('kernel.debug')) {
  142.             $loader->load('security_debug.php');
  143.         }
  145.         if (!$container::willBeAvailable('symfony/expression-language'ExpressionLanguage::class, ['symfony/security-bundle'], true)) {
  146.             $container->removeDefinition('security.expression_language');
  147.             $container->removeDefinition('security.access.expression_voter');
  148.         }
  150.         // set some global scalars
  151.         $container->setParameter('security.access.denied_url'$config['access_denied_url']);
  152.         $container->setParameter('security.authentication.manager.erase_credentials'$config['erase_credentials']);
  153.         $container->setParameter('security.authentication.session_strategy.strategy'$config['session_fixation_strategy']);
  155.         if (isset($config['access_decision_manager']['service'])) {
  156.             $container->setAlias('security.access.decision_manager'$config['access_decision_manager']['service']);
  157.         } elseif (isset($config['access_decision_manager']['strategy_service'])) {
  158.             $container
  159.                 ->getDefinition('security.access.decision_manager')
  160.                 ->addArgument(new Reference($config['access_decision_manager']['strategy_service']));
  161.         } else {
  162.             $container
  163.                 ->getDefinition('security.access.decision_manager')
  164.                 ->addArgument($this->createStrategyDefinition(
  165.                     $config['access_decision_manager']['strategy'] ?? MainConfiguration::STRATEGY_AFFIRMATIVE,
  166.                     $config['access_decision_manager']['allow_if_all_abstain'],
  167.                     $config['access_decision_manager']['allow_if_equal_granted_denied']
  168.                 ));
  169.         }
  171.         $container->setParameter('security.access.always_authenticate_before_granting'$config['always_authenticate_before_granting']);
  172.         $container->setParameter('security.authentication.hide_user_not_found'$config['hide_user_not_found']);
  174.         if (class_exists(Application::class)) {
  175.             $loader->load('debug_console.php');
  176.             $debugCommand $container->getDefinition('security.command.debug_firewall');
  177.             $debugCommand->replaceArgument(4$this->authenticatorManagerEnabled);
  178.         }
  180.         $this->createFirewalls($config$container);
  181.         $this->createAuthorization($config$container);
  182.         $this->createRoleHierarchy($config$container);
  184.         $container->getDefinition('security.authentication.guard_handler')
  185.             ->replaceArgument(2$this->statelessFirewallKeys);
  187.         // @deprecated since Symfony 5.3
  188.         if ($config['encoders']) {
  189.             $this->createEncoders($config['encoders'], $container);
  190.         }
  192.         if ($config['password_hashers']) {
  193.             $this->createHashers($config['password_hashers'], $container);
  194.         }
  196.         if (class_exists(Application::class)) {
  197.             $loader->load('console.php');
  199.             // @deprecated since Symfony 5.3
  200.             $container->getDefinition('security.command.user_password_encoder')->replaceArgument(1array_keys($config['encoders']));
  202.             $container->getDefinition('security.command.user_password_hash')->replaceArgument(1array_keys($config['password_hashers']));
  203.         }
  205.         $container->registerForAutoconfiguration(VoterInterface::class)
  206.             ->addTag('security.voter');
  207.     }
  209.     /**
  210.      * @throws \InvalidArgumentException if the $strategy is invalid
  211.      */
  212.     private function createStrategyDefinition(string $strategybool $allowIfAllAbstainDecisionsbool $allowIfEqualGrantedDeniedDecisions): Definition
  213.     {
  214.         switch ($strategy) {
  215.             case MainConfiguration::STRATEGY_AFFIRMATIVE:
  216.                 return new Definition(AffirmativeStrategy::class, [$allowIfAllAbstainDecisions]);
  217.             case MainConfiguration::STRATEGY_CONSENSUS:
  218.                 return new Definition(ConsensusStrategy::class, [$allowIfAllAbstainDecisions$allowIfEqualGrantedDeniedDecisions]);
  219.             case MainConfiguration::STRATEGY_UNANIMOUS:
  220.                 return new Definition(UnanimousStrategy::class, [$allowIfAllAbstainDecisions]);
  221.             case MainConfiguration::STRATEGY_PRIORITY:
  222.                 return new Definition(PriorityStrategy::class, [$allowIfAllAbstainDecisions]);
  223.         }
  225.         throw new \InvalidArgumentException(sprintf('The strategy "%s" is not supported.'$strategy));
  226.     }
  228.     private function createRoleHierarchy(array $configContainerBuilder $container)
  229.     {
  230.         if (!isset($config['role_hierarchy']) || === \count($config['role_hierarchy'])) {
  231.             $container->removeDefinition('security.access.role_hierarchy_voter');
  233.             return;
  234.         }
  236.         $container->setParameter('security.role_hierarchy.roles'$config['role_hierarchy']);
  237.         $container->removeDefinition('security.access.simple_role_voter');
  238.     }
  240.     private function createAuthorization(array $configContainerBuilder $container)
  241.     {
  242.         foreach ($config['access_control'] as $access) {
  243.             $matcher $this->createRequestMatcher(
  244.                 $container,
  245.                 $access['path'],
  246.                 $access['host'],
  247.                 $access['port'],
  248.                 $access['methods'],
  249.                 $access['ips']
  250.             );
  252.             $attributes $access['roles'];
  253.             if ($access['allow_if']) {
  254.                 $attributes[] = $this->createExpression($container$access['allow_if']);
  255.             }
  257.             $emptyAccess === \count(array_filter($access));
  259.             if ($emptyAccess) {
  260.                 throw new InvalidConfigurationException('One or more access control items are empty. Did you accidentally add lines only containing a "-" under "security.access_control"?');
  261.             }
  263.             $container->getDefinition('security.access_map')
  264.                       ->addMethodCall('add', [$matcher$attributes$access['requires_channel']]);
  265.         }
  267.         // allow cache warm-up for expressions
  268.         if (\count($this->expressions)) {
  269.             $container->getDefinition('security.cache_warmer.expression')
  270.                 ->replaceArgument(0, new IteratorArgument(array_values($this->expressions)));
  271.         } else {
  272.             $container->removeDefinition('security.cache_warmer.expression');
  273.         }
  274.     }
  276.     private function createFirewalls(array $configContainerBuilder $container)
  277.     {
  278.         if (!isset($config['firewalls'])) {
  279.             return;
  280.         }
  282.         $firewalls $config['firewalls'];
  283.         $providerIds $this->createUserProviders($config$container);
  285.         $container->setParameter('security.firewalls'array_keys($firewalls));
  287.         // make the ContextListener aware of the configured user providers
  288.         $contextListenerDefinition $container->getDefinition('security.context_listener');
  289.         $arguments $contextListenerDefinition->getArguments();
  290.         $userProviders = [];
  291.         foreach ($providerIds as $userProviderId) {
  292.             $userProviders[] = new Reference($userProviderId);
  293.         }
  294.         $arguments[1] = $userProviderIteratorsArgument = new IteratorArgument($userProviders);
  295.         $contextListenerDefinition->setArguments($arguments);
  296.         $nbUserProviders \count($userProviders);
  298.         if ($nbUserProviders 1) {
  299.             $container->setDefinition('security.user_providers', new Definition(ChainUserProvider::class, [$userProviderIteratorsArgument]))
  300.                 ->setPublic(false);
  301.         } elseif (=== $nbUserProviders) {
  302.             $container->removeDefinition('security.listener.user_provider');
  303.         } else {
  304.             $container->setAlias('security.user_providers', new Alias(current($providerIds)))->setPublic(false);
  305.         }
  307.         if (=== \count($providerIds)) {
  308.             $container->setAlias(UserProviderInterface::class, current($providerIds));
  309.         }
  311.         $customUserChecker false;
  313.         // load firewall map
  314.         $mapDef $container->getDefinition('security.firewall.map');
  315.         $map $authenticationProviders $contextRefs = [];
  316.         foreach ($firewalls as $name => $firewall) {
  317.             if (isset($firewall['user_checker']) && 'security.user_checker' !== $firewall['user_checker']) {
  318.                 $customUserChecker true;
  319.             }
  321.             $configId 'security.firewall.map.config.'.$name;
  323.             [$matcher$listeners$exceptionListener$logoutListener] = $this->createFirewall($container$name$firewall$authenticationProviders$providerIds$configId);
  325.             $contextId 'security.firewall.map.context.'.$name;
  326.             $isLazy = !$firewall['stateless'] && (!empty($firewall['anonymous']['lazy']) || $firewall['lazy']);
  327.             $context = new ChildDefinition($isLazy 'security.firewall.lazy_context' 'security.firewall.context');
  328.             $context $container->setDefinition($contextId$context);
  329.             $context
  330.                 ->replaceArgument(0, new IteratorArgument($listeners))
  331.                 ->replaceArgument(1$exceptionListener)
  332.                 ->replaceArgument(2$logoutListener)
  333.                 ->replaceArgument(3, new Reference($configId))
  334.             ;
  336.             $contextRefs[$contextId] = new Reference($contextId);
  337.             $map[$contextId] = $matcher;
  338.         }
  340.         $container->setAlias('security.firewall.context_locator', (string) ServiceLocatorTagPass::register($container$contextRefs));
  342.         $mapDef->replaceArgument(0, new Reference('security.firewall.context_locator'));
  343.         $mapDef->replaceArgument(1, new IteratorArgument($map));
  345.         if (!$this->authenticatorManagerEnabled) {
  346.             // add authentication providers to authentication manager
  347.             $authenticationProviders array_map(function ($id) {
  348.                 return new Reference($id);
  349.             }, array_values(array_unique($authenticationProviders)));
  351.             $container
  352.                 ->getDefinition('security.authentication.manager')
  353.                 ->replaceArgument(0, new IteratorArgument($authenticationProviders));
  354.         }
  356.         // register an autowire alias for the UserCheckerInterface if no custom user checker service is configured
  357.         if (!$customUserChecker) {
  358.             $container->setAlias('Symfony\Component\Security\Core\User\UserCheckerInterface', new Alias('security.user_checker'false));
  359.         }
  360.     }
  362.     private function createFirewall(ContainerBuilder $containerstring $id, array $firewall, array &$authenticationProviders, array $providerIdsstring $configId)
  363.     {
  364.         $config $container->setDefinition($configId, new ChildDefinition('security.firewall.config'));
  365.         $config->replaceArgument(0$id);
  366.         $config->replaceArgument(1$firewall['user_checker']);
  368.         // Matcher
  369.         $matcher null;
  370.         if (isset($firewall['request_matcher'])) {
  371.             $matcher = new Reference($firewall['request_matcher']);
  372.         } elseif (isset($firewall['pattern']) || isset($firewall['host'])) {
  373.             $pattern $firewall['pattern'] ?? null;
  374.             $host $firewall['host'] ?? null;
  375.             $methods $firewall['methods'] ?? [];
  376.             $matcher $this->createRequestMatcher($container$pattern$hostnull$methods);
  377.         }
  379.         $config->replaceArgument(2$matcher ? (string) $matcher null);
  380.         $config->replaceArgument(3$firewall['security']);
  382.         // Security disabled?
  383.         if (false === $firewall['security']) {
  384.             return [$matcher, [], nullnull];
  385.         }
  387.         $config->replaceArgument(4$firewall['stateless']);
  389.         $firewallEventDispatcherId 'security.event_dispatcher.'.$id;
  391.         // Provider id (must be configured explicitly per firewall/authenticator if more than one provider is set)
  392.         $defaultProvider null;
  393.         if (isset($firewall['provider'])) {
  394.             if (!isset($providerIds[$normalizedName str_replace('-''_'$firewall['provider'])])) {
  395.                 throw new InvalidConfigurationException(sprintf('Invalid firewall "%s": user provider "%s" not found.'$id$firewall['provider']));
  396.             }
  397.             $defaultProvider $providerIds[$normalizedName];
  399.             if ($this->authenticatorManagerEnabled) {
  400.                 $container->setDefinition('security.listener.'.$id.'.user_provider', new ChildDefinition('security.listener.user_provider.abstract'))
  401.                     ->addTag('kernel.event_listener', ['dispatcher' => $firewallEventDispatcherId'event' => CheckPassportEvent::class, 'priority' => 2048'method' => 'checkPassport'])
  402.                     ->replaceArgument(0, new Reference($defaultProvider));
  403.             }
  404.         } elseif (=== \count($providerIds)) {
  405.             $defaultProvider reset($providerIds);
  406.         }
  408.         $config->replaceArgument(5$defaultProvider);
  410.         // Register Firewall-specific event dispatcher
  411.         $container->register($firewallEventDispatcherIdEventDispatcher::class)
  412.             ->addTag('event_dispatcher.dispatcher', ['name' => $firewallEventDispatcherId]);
  414.         // Register listeners
  415.         $listeners = [];
  416.         $listenerKeys = [];
  418.         // Channel listener
  419.         $listeners[] = new Reference('security.channel_listener');
  421.         $contextKey null;
  422.         $contextListenerId null;
  423.         // Context serializer listener
  424.         if (false === $firewall['stateless']) {
  425.             $contextKey $firewall['context'] ?? $id;
  426.             $listeners[] = new Reference($contextListenerId $this->createContextListener($container$contextKey$this->authenticatorManagerEnabled $firewallEventDispatcherId null));
  427.             $sessionStrategyId 'security.authentication.session_strategy';
  429.             if ($this->authenticatorManagerEnabled) {
  430.                 $container
  431.                     ->setDefinition('security.listener.session.'.$id, new ChildDefinition('security.listener.session'))
  432.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  433.             }
  434.         } else {
  435.             $this->statelessFirewallKeys[] = $id;
  436.             $sessionStrategyId 'security.authentication.session_strategy_noop';
  437.         }
  438.         $container->setAlias(new Alias('security.authentication.session_strategy.'.$idfalse), $sessionStrategyId);
  440.         $config->replaceArgument(6$contextKey);
  442.         // Logout listener
  443.         $logoutListenerId null;
  444.         if (isset($firewall['logout'])) {
  445.             $logoutListenerId 'security.logout_listener.'.$id;
  446.             $logoutListener $container->setDefinition($logoutListenerId, new ChildDefinition('security.logout_listener'));
  447.             $logoutListener->replaceArgument(2, new Reference($firewallEventDispatcherId));
  448.             $logoutListener->replaceArgument(3, [
  449.                 'csrf_parameter' => $firewall['logout']['csrf_parameter'],
  450.                 'csrf_token_id' => $firewall['logout']['csrf_token_id'],
  451.                 'logout_path' => $firewall['logout']['path'],
  452.             ]);
  454.             // add default logout listener
  455.             if (isset($firewall['logout']['success_handler'])) {
  456.                 // deprecated, to be removed in Symfony 6.0
  457.                 $logoutSuccessHandlerId $firewall['logout']['success_handler'];
  458.                 $container->register('security.logout.listener.legacy_success_listener.'.$idLegacyLogoutHandlerListener::class)
  459.                     ->setArguments([new Reference($logoutSuccessHandlerId)])
  460.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  461.             } else {
  462.                 $logoutSuccessListenerId 'security.logout.listener.default.'.$id;
  463.                 $container->setDefinition($logoutSuccessListenerId, new ChildDefinition('security.logout.listener.default'))
  464.                     ->replaceArgument(1$firewall['logout']['target'])
  465.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  466.             }
  468.             // add CSRF provider
  469.             if (isset($firewall['logout']['csrf_token_generator'])) {
  470.                 $logoutListener->addArgument(new Reference($firewall['logout']['csrf_token_generator']));
  471.             }
  473.             // add session logout listener
  474.             if (true === $firewall['logout']['invalidate_session'] && false === $firewall['stateless']) {
  475.                 $container->setDefinition('security.logout.listener.session.'.$id, new ChildDefinition('security.logout.listener.session'))
  476.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  477.             }
  479.             // add cookie logout listener
  480.             if (\count($firewall['logout']['delete_cookies']) > 0) {
  481.                 $container->setDefinition('security.logout.listener.cookie_clearing.'.$id, new ChildDefinition('security.logout.listener.cookie_clearing'))
  482.                     ->addArgument($firewall['logout']['delete_cookies'])
  483.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  484.             }
  486.             // add custom listeners (deprecated)
  487.             foreach ($firewall['logout']['handlers'] as $i => $handlerId) {
  488.                 $container->register('security.logout.listener.legacy_handler.'.$iLegacyLogoutHandlerListener::class)
  489.                     ->addArgument(new Reference($handlerId))
  490.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  491.             }
  493.             // register with LogoutUrlGenerator
  494.             $container
  495.                 ->getDefinition('security.logout_url_generator')
  496.                 ->addMethodCall('registerListener', [
  497.                     $id,
  498.                     $firewall['logout']['path'],
  499.                     $firewall['logout']['csrf_token_id'],
  500.                     $firewall['logout']['csrf_parameter'],
  501.                     isset($firewall['logout']['csrf_token_generator']) ? new Reference($firewall['logout']['csrf_token_generator']) : null,
  502.                     false === $firewall['stateless'] && isset($firewall['context']) ? $firewall['context'] : null,
  503.                 ])
  504.             ;
  505.         }
  507.         // Determine default entry point
  508.         $configuredEntryPoint $firewall['entry_point'] ?? null;
  510.         // Authentication listeners
  511.         $firewallAuthenticationProviders = [];
  512.         [$authListeners$defaultEntryPoint] = $this->createAuthenticationListeners($container$id$firewall$firewallAuthenticationProviders$defaultProvider$providerIds$configuredEntryPoint$contextListenerId);
  514.         if (!$this->authenticatorManagerEnabled) {
  515.             $authenticationProviders array_merge($authenticationProviders$firewallAuthenticationProviders);
  516.         } else {
  517.             // $configuredEntryPoint is resolved into a service ID and stored in $defaultEntryPoint
  518.             $configuredEntryPoint $defaultEntryPoint;
  520.             // authenticator manager
  521.             $authenticators array_map(function ($id) {
  522.                 return new Reference($id);
  523.             }, $firewallAuthenticationProviders);
  524.             $container
  525.                 ->setDefinition($managerId 'security.authenticator.manager.'.$id, new ChildDefinition('security.authenticator.manager'))
  526.                 ->replaceArgument(0$authenticators)
  527.                 ->replaceArgument(2, new Reference($firewallEventDispatcherId))
  528.                 ->replaceArgument(3$id)
  529.                 ->replaceArgument(7$firewall['required_badges'] ?? [])
  530.                 ->addTag('monolog.logger', ['channel' => 'security'])
  531.             ;
  533.             $managerLocator $container->getDefinition('security.authenticator.managers_locator');
  534.             $managerLocator->replaceArgument(0array_merge($managerLocator->getArgument(0), [$id => new ServiceClosureArgument(new Reference($managerId))]));
  536.             // authenticator manager listener
  537.             $container
  538.                 ->setDefinition('security.firewall.authenticator.'.$id, new ChildDefinition('security.firewall.authenticator'))
  539.                 ->replaceArgument(0, new Reference($managerId))
  540.             ;
  542.             if ($container->hasDefinition('debug.security.firewall') && $this->authenticatorManagerEnabled) {
  543.                 $container
  544.                     ->register('debug.security.firewall.authenticator.'.$idTraceableAuthenticatorManagerListener::class)
  545.                     ->setDecoratedService('security.firewall.authenticator.'.$id)
  546.                     ->setArguments([new Reference('debug.security.firewall.authenticator.'.$id.'.inner')])
  547.                 ;
  548.             }
  550.             // user checker listener
  551.             $container
  552.                 ->setDefinition('security.listener.user_checker.'.$id, new ChildDefinition('security.listener.user_checker'))
  553.                 ->replaceArgument(0, new Reference('security.user_checker.'.$id))
  554.                 ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  556.             $listeners[] = new Reference('security.firewall.authenticator.'.$id);
  558.             // Add authenticators to the debug:firewall command
  559.             if ($container->hasDefinition('security.command.debug_firewall')) {
  560.                 $debugCommand $container->getDefinition('security.command.debug_firewall');
  561.                 $debugCommand->replaceArgument(3array_merge($debugCommand->getArgument(3), [$id => $authenticators]));
  562.             }
  563.         }
  565.         $config->replaceArgument(7$configuredEntryPoint ?: $defaultEntryPoint);
  567.         $listeners array_merge($listeners$authListeners);
  569.         // Switch user listener
  570.         if (isset($firewall['switch_user'])) {
  571.             $listenerKeys[] = 'switch_user';
  572.             $listeners[] = new Reference($this->createSwitchUserListener($container$id$firewall['switch_user'], $defaultProvider$firewall['stateless']));
  573.         }
  575.         // Access listener
  576.         $listeners[] = new Reference('security.access_listener');
  578.         // Exception listener
  579.         $exceptionListener = new Reference($this->createExceptionListener($container$firewall$id$configuredEntryPoint ?: $defaultEntryPoint$firewall['stateless']));
  581.         $config->replaceArgument(8$firewall['access_denied_handler'] ?? null);
  582.         $config->replaceArgument(9$firewall['access_denied_url'] ?? null);
  584.         $container->setAlias('security.user_checker.'.$id, new Alias($firewall['user_checker'], false));
  586.         foreach ($this->getSortedFactories() as $factory) {
  587.             $key str_replace('-''_'$factory->getKey());
  588.             if ('custom_authenticators' !== $key && \array_key_exists($key$firewall)) {
  589.                 $listenerKeys[] = $key;
  590.             }
  591.         }
  593.         if ($firewall['custom_authenticators'] ?? false) {
  594.             foreach ($firewall['custom_authenticators'] as $customAuthenticatorId) {
  595.                 $listenerKeys[] = $customAuthenticatorId;
  596.             }
  597.         }
  599.         $config->replaceArgument(10$listenerKeys);
  600.         $config->replaceArgument(11$firewall['switch_user'] ?? null);
  602.         return [$matcher$listeners$exceptionListenernull !== $logoutListenerId ? new Reference($logoutListenerId) : null];
  603.     }
  605.     private function createContextListener(ContainerBuilder $containerstring $contextKey, ?string $firewallEventDispatcherId)
  606.     {
  607.         if (isset($this->contextListeners[$contextKey])) {
  608.             return $this->contextListeners[$contextKey];
  609.         }
  611.         $listenerId 'security.context_listener.'.\count($this->contextListeners);
  612.         $listener $container->setDefinition($listenerId, new ChildDefinition('security.context_listener'));
  613.         $listener->replaceArgument(2$contextKey);
  614.         if (null !== $firewallEventDispatcherId) {
  615.             $listener->replaceArgument(4, new Reference($firewallEventDispatcherId));
  616.             $listener->addTag('kernel.event_listener', ['event' => KernelEvents::RESPONSE'method' => 'onKernelResponse']);
  617.         }
  619.         return $this->contextListeners[$contextKey] = $listenerId;
  620.     }
  622.     private function createAuthenticationListeners(ContainerBuilder $containerstring $id, array $firewall, array &$authenticationProviders, ?string $defaultProvider, array $providerIds, ?string $defaultEntryPointstring $contextListenerId null)
  623.     {
  624.         $listeners = [];
  625.         $hasListeners false;
  626.         $entryPoints = [];
  628.         foreach ($this->getSortedFactories() as $factory) {
  629.             $key str_replace('-''_'$factory->getKey());
  631.             if (isset($firewall[$key])) {
  632.                 $userProvider $this->getUserProvider($container$id$firewall$key$defaultProvider$providerIds$contextListenerId);
  634.                 if ($this->authenticatorManagerEnabled) {
  635.                     if (!$factory instanceof AuthenticatorFactoryInterface) {
  636.                         throw new InvalidConfigurationException(sprintf('Cannot configure AuthenticatorManager as "%s" authentication does not support it, set "security.enable_authenticator_manager" to `false`.'$key));
  637.                     }
  639.                     $authenticators $factory->createAuthenticator($container$id$firewall[$key], $userProvider);
  640.                     if (\is_array($authenticators)) {
  641.                         foreach ($authenticators as $authenticator) {
  642.                             $authenticationProviders[] = $authenticator;
  643.                             $entryPoints[] = $authenticator;
  644.                         }
  645.                     } else {
  646.                         $authenticationProviders[] = $authenticators;
  647.                         $entryPoints[$key] = $authenticators;
  648.                     }
  649.                 } else {
  650.                     [$provider$listenerId$defaultEntryPoint] = $factory->create($container$id$firewall[$key], $userProvider$defaultEntryPoint);
  652.                     $listeners[] = new Reference($listenerId);
  653.                     $authenticationProviders[] = $provider;
  654.                 }
  656.                 if ($factory instanceof FirewallListenerFactoryInterface) {
  657.                     $firewallListenerIds $factory->createListeners($container$id$firewall[$key]);
  658.                     foreach ($firewallListenerIds as $firewallListenerId) {
  659.                         $listeners[] = new Reference($firewallListenerId);
  660.                     }
  661.                 }
  663.                 $hasListeners true;
  664.             }
  665.         }
  667.         // the actual entry point is configured by the RegisterEntryPointPass
  668.         $container->setParameter('security.'.$id.'._indexed_authenticators'$entryPoints);
  670.         if (false === $hasListeners && !$this->authenticatorManagerEnabled) {
  671.             throw new InvalidConfigurationException(sprintf('No authentication listener registered for firewall "%s".'$id));
  672.         }
  674.         return [$listeners$defaultEntryPoint];
  675.     }
  677.     private function getUserProvider(ContainerBuilder $containerstring $id, array $firewallstring $factoryKey, ?string $defaultProvider, array $providerIds, ?string $contextListenerId): string
  678.     {
  679.         if (isset($firewall[$factoryKey]['provider'])) {
  680.             if (!isset($providerIds[$normalizedName str_replace('-''_'$firewall[$factoryKey]['provider'])])) {
  681.                 throw new InvalidConfigurationException(sprintf('Invalid firewall "%s": user provider "%s" not found.'$id$firewall[$factoryKey]['provider']));
  682.             }
  684.             return $providerIds[$normalizedName];
  685.         }
  687.         if ('remember_me' === $factoryKey && $contextListenerId) {
  688.             $container->getDefinition($contextListenerId)->addTag('security.remember_me_aware', ['id' => $id'provider' => 'none']);
  689.         }
  691.         if ($defaultProvider) {
  692.             return $defaultProvider;
  693.         }
  695.         if (!$providerIds) {
  696.             $userProvider sprintf('security.user.provider.missing.%s'$factoryKey);
  697.             $container->setDefinition(
  698.                 $userProvider,
  699.                 (new ChildDefinition('security.user.provider.missing'))->replaceArgument(0$id)
  700.             );
  702.             return $userProvider;
  703.         }
  705.         if ('remember_me' === $factoryKey || 'anonymous' === $factoryKey || 'custom_authenticators' === $factoryKey) {
  706.             if ('custom_authenticators' === $factoryKey) {
  707.                 trigger_deprecation('symfony/security-bundle''5.4''Not configuring explicitly the provider for the "%s" firewall is deprecated because it\'s ambiguous as there is more than one registered provider. Set the "provider" key to one of the configured providers, even if your custom authenticators don\'t use it.'$id);
  708.             }
  710.             return 'security.user_providers';
  711.         }
  713.         throw new InvalidConfigurationException(sprintf('Not configuring explicitly the provider for the "%s" %s on "%s" firewall is ambiguous as there is more than one registered provider.'$factoryKey$this->authenticatorManagerEnabled 'authenticator' 'listener'$id));
  714.     }
  716.     private function createEncoders(array $encodersContainerBuilder $container)
  717.     {
  718.         $encoderMap = [];
  719.         foreach ($encoders as $class => $encoder) {
  720.             if (class_exists($class) && !is_a($classPasswordAuthenticatedUserInterface::class, true)) {
  721.                 trigger_deprecation('symfony/security-bundle''5.3''Configuring an encoder for a user class that does not implement "%s" is deprecated, class "%s" should implement it.'PasswordAuthenticatedUserInterface::class, $class);
  722.             }
  723.             $encoderMap[$class] = $this->createEncoder($encoder);
  724.         }
  726.         $container
  727.             ->getDefinition('security.encoder_factory.generic')
  728.             ->setArguments([$encoderMap])
  729.         ;
  730.     }
  732.     private function createEncoder(array $config)
  733.     {
  734.         // a custom encoder service
  735.         if (isset($config['id'])) {
  736.             return new Reference($config['id']);
  737.         }
  739.         if ($config['migrate_from'] ?? false) {
  740.             return $config;
  741.         }
  743.         // plaintext encoder
  744.         if ('plaintext' === $config['algorithm']) {
  745.             $arguments = [$config['ignore_case']];
  747.             return [
  748.                 'class' => 'Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder',
  749.                 'arguments' => $arguments,
  750.             ];
  751.         }
  753.         // pbkdf2 encoder
  754.         if ('pbkdf2' === $config['algorithm']) {
  755.             return [
  756.                 'class' => 'Symfony\Component\Security\Core\Encoder\Pbkdf2PasswordEncoder',
  757.                 'arguments' => [
  758.                     $config['hash_algorithm'],
  759.                     $config['encode_as_base64'],
  760.                     $config['iterations'],
  761.                     $config['key_length'],
  762.                 ],
  763.             ];
  764.         }
  766.         // bcrypt encoder
  767.         if ('bcrypt' === $config['algorithm']) {
  768.             $config['algorithm'] = 'native';
  769.             $config['native_algorithm'] = \PASSWORD_BCRYPT;
  771.             return $this->createEncoder($config);
  772.         }
  774.         // Argon2i encoder
  775.         if ('argon2i' === $config['algorithm']) {
  776.             if (SodiumPasswordHasher::isSupported() && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
  777.                 $config['algorithm'] = 'sodium';
  778.             } elseif (\defined('PASSWORD_ARGON2I')) {
  779.                 $config['algorithm'] = 'native';
  780.                 $config['native_algorithm'] = \PASSWORD_ARGON2I;
  781.             } else {
  782.                 throw new InvalidConfigurationException(sprintf('Algorithm "argon2i" is not available. Use "%s" instead.'\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13') ? 'argon2id", "auto' 'auto'));
  783.             }
  785.             return $this->createEncoder($config);
  786.         }
  788.         if ('argon2id' === $config['algorithm']) {
  789.             if (($hasSodium SodiumPasswordHasher::isSupported()) && \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
  790.                 $config['algorithm'] = 'sodium';
  791.             } elseif (\defined('PASSWORD_ARGON2ID')) {
  792.                 $config['algorithm'] = 'native';
  793.                 $config['native_algorithm'] = \PASSWORD_ARGON2ID;
  794.             } else {
  795.                 throw new InvalidConfigurationException(sprintf('Algorithm "argon2id" is not available. Either use "%s", upgrade to PHP 7.3+ or use libsodium 1.0.15+ instead.'\defined('PASSWORD_ARGON2I') || $hasSodium 'argon2i", "auto' 'auto'));
  796.             }
  798.             return $this->createEncoder($config);
  799.         }
  801.         if ('native' === $config['algorithm']) {
  802.             return [
  803.                 'class' => NativePasswordEncoder::class,
  804.                 'arguments' => [
  805.                         $config['time_cost'],
  806.                         (($config['memory_cost'] ?? 0) << 10) ?: null,
  807.                         $config['cost'],
  808.                     ] + (isset($config['native_algorithm']) ? [=> $config['native_algorithm']] : []),
  809.             ];
  810.         }
  812.         if ('sodium' === $config['algorithm']) {
  813.             if (!SodiumPasswordHasher::isSupported()) {
  814.                 throw new InvalidConfigurationException('Libsodium is not available. Install the sodium extension or use "auto" instead.');
  815.             }
  817.             return [
  818.                 'class' => SodiumPasswordEncoder::class,
  819.                 'arguments' => [
  820.                     $config['time_cost'],
  821.                     (($config['memory_cost'] ?? 0) << 10) ?: null,
  822.                 ],
  823.             ];
  824.         }
  826.         // run-time configured encoder
  827.         return $config;
  828.     }
  830.     private function createHashers(array $hashersContainerBuilder $container)
  831.     {
  832.         $hasherMap = [];
  833.         foreach ($hashers as $class => $hasher) {
  834.             // @deprecated since Symfony 5.3, remove the check in 6.0
  835.             if (class_exists($class) && !is_a($classPasswordAuthenticatedUserInterface::class, true)) {
  836.                 trigger_deprecation('symfony/security-bundle''5.3''Configuring a password hasher for a user class that does not implement "%s" is deprecated, class "%s" should implement it.'PasswordAuthenticatedUserInterface::class, $class);
  837.             }
  838.             $hasherMap[$class] = $this->createHasher($hasher);
  839.         }
  841.         $container
  842.             ->getDefinition('security.password_hasher_factory')
  843.             ->setArguments([$hasherMap])
  844.         ;
  845.     }
  847.     private function createHasher(array $config)
  848.     {
  849.         // a custom hasher service
  850.         if (isset($config['id'])) {
  851.             return new Reference($config['id']);
  852.         }
  854.         if ($config['migrate_from'] ?? false) {
  855.             return $config;
  856.         }
  858.         // plaintext hasher
  859.         if ('plaintext' === $config['algorithm']) {
  860.             $arguments = [$config['ignore_case']];
  862.             return [
  863.                 'class' => PlaintextPasswordHasher::class,
  864.                 'arguments' => $arguments,
  865.             ];
  866.         }
  868.         // pbkdf2 hasher
  869.         if ('pbkdf2' === $config['algorithm']) {
  870.             return [
  871.                 'class' => Pbkdf2PasswordHasher::class,
  872.                 'arguments' => [
  873.                     $config['hash_algorithm'],
  874.                     $config['encode_as_base64'],
  875.                     $config['iterations'],
  876.                     $config['key_length'],
  877.                 ],
  878.             ];
  879.         }
  881.         // bcrypt hasher
  882.         if ('bcrypt' === $config['algorithm']) {
  883.             $config['algorithm'] = 'native';
  884.             $config['native_algorithm'] = \PASSWORD_BCRYPT;
  886.             return $this->createHasher($config);
  887.         }
  889.         // Argon2i hasher
  890.         if ('argon2i' === $config['algorithm']) {
  891.             if (SodiumPasswordHasher::isSupported() && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
  892.                 $config['algorithm'] = 'sodium';
  893.             } elseif (\defined('PASSWORD_ARGON2I')) {
  894.                 $config['algorithm'] = 'native';
  895.                 $config['native_algorithm'] = \PASSWORD_ARGON2I;
  896.             } else {
  897.                 throw new InvalidConfigurationException(sprintf('Algorithm "argon2i" is not available. Either use "%s" or upgrade to PHP 7.2+ instead.'\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13') ? 'argon2id", "auto' 'auto'));
  898.             }
  900.             return $this->createHasher($config);
  901.         }
  903.         if ('argon2id' === $config['algorithm']) {
  904.             if (($hasSodium SodiumPasswordHasher::isSupported()) && \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
  905.                 $config['algorithm'] = 'sodium';
  906.             } elseif (\defined('PASSWORD_ARGON2ID')) {
  907.                 $config['algorithm'] = 'native';
  908.                 $config['native_algorithm'] = \PASSWORD_ARGON2ID;
  909.             } else {
  910.                 throw new InvalidConfigurationException(sprintf('Algorithm "argon2id" is not available. Either use "%s", upgrade to PHP 7.3+ or use libsodium 1.0.15+ instead.'\defined('PASSWORD_ARGON2I') || $hasSodium 'argon2i", "auto' 'auto'));
  911.             }
  913.             return $this->createHasher($config);
  914.         }
  916.         if ('native' === $config['algorithm']) {
  917.             return [
  918.                 'class' => NativePasswordHasher::class,
  919.                 'arguments' => [
  920.                     $config['time_cost'],
  921.                     (($config['memory_cost'] ?? 0) << 10) ?: null,
  922.                     $config['cost'],
  923.                 ] + (isset($config['native_algorithm']) ? [=> $config['native_algorithm']] : []),
  924.             ];
  925.         }
  927.         if ('sodium' === $config['algorithm']) {
  928.             if (!SodiumPasswordHasher::isSupported()) {
  929.                 throw new InvalidConfigurationException('Libsodium is not available. Install the sodium extension or use "auto" instead.');
  930.             }
  932.             return [
  933.                 'class' => SodiumPasswordHasher::class,
  934.                 'arguments' => [
  935.                     $config['time_cost'],
  936.                     (($config['memory_cost'] ?? 0) << 10) ?: null,
  937.                 ],
  938.             ];
  939.         }
  941.         // run-time configured hasher
  942.         return $config;
  943.     }
  945.     // Parses user providers and returns an array of their ids
  946.     private function createUserProviders(array $configContainerBuilder $container): array
  947.     {
  948.         $providerIds = [];
  949.         foreach ($config['providers'] as $name => $provider) {
  950.             $id $this->createUserDaoProvider($name$provider$container);
  951.             $providerIds[str_replace('-''_'$name)] = $id;
  952.         }
  954.         return $providerIds;
  955.     }
  957.     // Parses a <provider> tag and returns the id for the related user provider service
  958.     private function createUserDaoProvider(string $name, array $providerContainerBuilder $container): string
  959.     {
  960.         $name $this->getUserProviderId($name);
  962.         // Doctrine Entity and In-memory DAO provider are managed by factories
  963.         foreach ($this->userProviderFactories as $factory) {
  964.             $key str_replace('-''_'$factory->getKey());
  966.             if (!empty($provider[$key])) {
  967.                 $factory->create($container$name$provider[$key]);
  969.                 return $name;
  970.             }
  971.         }
  973.         // Existing DAO service provider
  974.         if (isset($provider['id'])) {
  975.             $container->setAlias($name, new Alias($provider['id'], false));
  977.             return $provider['id'];
  978.         }
  980.         // Chain provider
  981.         if (isset($provider['chain'])) {
  982.             $providers = [];
  983.             foreach ($provider['chain']['providers'] as $providerName) {
  984.                 $providers[] = new Reference($this->getUserProviderId($providerName));
  985.             }
  987.             $container
  988.                 ->setDefinition($name, new ChildDefinition('security.user.provider.chain'))
  989.                 ->addArgument(new IteratorArgument($providers));
  991.             return $name;
  992.         }
  994.         throw new InvalidConfigurationException(sprintf('Unable to create definition for "%s" user provider.'$name));
  995.     }
  997.     private function getUserProviderId(string $name): string
  998.     {
  999.         return 'security.user.provider.concrete.'.strtolower($name);
  1000.     }
  1002.     private function createExceptionListener(ContainerBuilder $container, array $configstring $id, ?string $defaultEntryPointbool $stateless): string
  1003.     {
  1004.         $exceptionListenerId 'security.exception_listener.'.$id;
  1005.         $listener $container->setDefinition($exceptionListenerId, new ChildDefinition('security.exception_listener'));
  1006.         $listener->replaceArgument(3$id);
  1007.         $listener->replaceArgument(4null === $defaultEntryPoint null : new Reference($defaultEntryPoint));
  1008.         $listener->replaceArgument(8$stateless);
  1010.         // access denied handler setup
  1011.         if (isset($config['access_denied_handler'])) {
  1012.             $listener->replaceArgument(6, new Reference($config['access_denied_handler']));
  1013.         } elseif (isset($config['access_denied_url'])) {
  1014.             $listener->replaceArgument(5$config['access_denied_url']);
  1015.         }
  1017.         return $exceptionListenerId;
  1018.     }
  1020.     private function createSwitchUserListener(ContainerBuilder $containerstring $id, array $config, ?string $defaultProviderbool $stateless): string
  1021.     {
  1022.         $userProvider = isset($config['provider']) ? $this->getUserProviderId($config['provider']) : $defaultProvider;
  1024.         if (!$userProvider) {
  1025.             throw new InvalidConfigurationException(sprintf('Not configuring explicitly the provider for the "switch_user" listener on "%s" firewall is ambiguous as there is more than one registered provider.'$id));
  1026.         }
  1028.         $switchUserListenerId 'security.authentication.switchuser_listener.'.$id;
  1029.         $listener $container->setDefinition($switchUserListenerId, new ChildDefinition('security.authentication.switchuser_listener'));
  1030.         $listener->replaceArgument(1, new Reference($userProvider));
  1031.         $listener->replaceArgument(2, new Reference('security.user_checker.'.$id));
  1032.         $listener->replaceArgument(3$id);
  1033.         $listener->replaceArgument(6$config['parameter']);
  1034.         $listener->replaceArgument(7$config['role']);
  1035.         $listener->replaceArgument(9$stateless);
  1037.         return $switchUserListenerId;
  1038.     }
  1040.     private function createExpression(ContainerBuilder $containerstring $expression): Reference
  1041.     {
  1042.         if (isset($this->expressions[$id '.security.expression.'.ContainerBuilder::hash($expression)])) {
  1043.             return $this->expressions[$id];
  1044.         }
  1046.         if (!$container::willBeAvailable('symfony/expression-language'ExpressionLanguage::class, ['symfony/security-bundle'], true)) {
  1047.             throw new \RuntimeException('Unable to use expressions as the Symfony ExpressionLanguage component is not installed. Try running "composer require symfony/expression-language".');
  1048.         }
  1050.         $container
  1051.             ->register($id'Symfony\Component\ExpressionLanguage\Expression')
  1052.             ->setPublic(false)
  1053.             ->addArgument($expression)
  1054.         ;
  1056.         return $this->expressions[$id] = new Reference($id);
  1057.     }
  1059.     private function createRequestMatcher(ContainerBuilder $containerstring $path nullstring $host nullint $port null, array $methods = [], array $ips null, array $attributes = []): Reference
  1060.     {
  1061.         if ($methods) {
  1062.             $methods array_map('strtoupper'$methods);
  1063.         }
  1065.         if (null !== $ips) {
  1066.             foreach ($ips as $ip) {
  1067.                 $container->resolveEnvPlaceholders($ipnull$usedEnvs);
  1069.                 if (!$usedEnvs && !$this->isValidIps($ip)) {
  1070.                     throw new \LogicException(sprintf('The given value "%s" in the "security.access_control" config option is not a valid IP address.'$ip));
  1071.                 }
  1073.                 $usedEnvs null;
  1074.             }
  1075.         }
  1077.         $id '.security.request_matcher.'.ContainerBuilder::hash([$path$host$port$methods$ips$attributes]);
  1079.         if (isset($this->requestMatchers[$id])) {
  1080.             return $this->requestMatchers[$id];
  1081.         }
  1083.         // only add arguments that are necessary
  1084.         $arguments = [$path$host$methods$ips$attributesnull$port];
  1085.         while (\count($arguments) > && !end($arguments)) {
  1086.             array_pop($arguments);
  1087.         }
  1089.         $container
  1090.             ->register($id'Symfony\Component\HttpFoundation\RequestMatcher')
  1091.             ->setPublic(false)
  1092.             ->setArguments($arguments)
  1093.         ;
  1095.         return $this->requestMatchers[$id] = new Reference($id);
  1096.     }
  1098.     /**
  1099.      * @deprecated since Symfony 5.4, use "addAuthenticatorFactory()" instead
  1100.      */
  1101.     public function addSecurityListenerFactory(SecurityFactoryInterface $factory)
  1102.     {
  1103.         trigger_deprecation('symfony/security-bundle''5.4''Method "%s()" is deprecated, use "addAuthenticatorFactory()" instead.'__METHOD__);
  1105.         $this->factories[] = [[
  1106.             'pre_auth' => -10,
  1107.             'form' => -30,
  1108.             'http' => -40,
  1109.             'remember_me' => -50,
  1110.             'anonymous' => -60,
  1111.         ][$factory->getPosition()], $factory];
  1112.         $this->sortedFactories = [];
  1113.     }
  1115.     public function addAuthenticatorFactory(AuthenticatorFactoryInterface $factory)
  1116.     {
  1117.         $this->factories[] = [method_exists($factory'getPriority') ? $factory->getPriority() : 0$factory];
  1118.         $this->sortedFactories = [];
  1119.     }
  1121.     public function addUserProviderFactory(UserProviderFactoryInterface $factory)
  1122.     {
  1123.         $this->userProviderFactories[] = $factory;
  1124.     }
  1126.     /**
  1127.      * {@inheritdoc}
  1128.      */
  1129.     public function getXsdValidationBasePath()
  1130.     {
  1131.         return __DIR__.'/../Resources/config/schema';
  1132.     }
  1134.     public function getNamespace()
  1135.     {
  1136.         return 'http://symfony.com/schema/dic/security';
  1137.     }
  1139.     public function getConfiguration(array $configContainerBuilder $container)
  1140.     {
  1141.         // first assemble the factories
  1142.         return new MainConfiguration($this->getSortedFactories(), $this->userProviderFactories);
  1143.     }
  1145.     private function isValidIps($ips): bool
  1146.     {
  1147.         $ipsList array_reduce((array) $ips, static function (array $ipsstring $ip) {
  1148.             return array_merge($ipspreg_split('/\s*,\s*/'$ip));
  1149.         }, []);
  1151.         if (!$ipsList) {
  1152.             return false;
  1153.         }
  1155.         foreach ($ipsList as $cidr) {
  1156.             if (!$this->isValidIp($cidr)) {
  1157.                 return false;
  1158.             }
  1159.         }
  1161.         return true;
  1162.     }
  1164.     private function isValidIp(string $cidr): bool
  1165.     {
  1166.         $cidrParts explode('/'$cidr);
  1168.         if (=== \count($cidrParts)) {
  1169.             return false !== filter_var($cidrParts[0], \FILTER_VALIDATE_IP);
  1170.         }
  1172.         $ip $cidrParts[0];
  1173.         $netmask $cidrParts[1];
  1175.         if (!ctype_digit($netmask)) {
  1176.             return false;
  1177.         }
  1179.         if (filter_var($ip\FILTER_VALIDATE_IP\FILTER_FLAG_IPV4)) {
  1180.             return $netmask <= 32;
  1181.         }
  1183.         if (filter_var($ip\FILTER_VALIDATE_IP\FILTER_FLAG_IPV6)) {
  1184.             return $netmask <= 128;
  1185.         }
  1187.         return false;
  1188.     }
  1190.     /**
  1191.      * @return array<int, SecurityFactoryInterface|AuthenticatorFactoryInterface>
  1192.      */
  1193.     private function getSortedFactories(): array
  1194.     {
  1195.         if (!$this->sortedFactories) {
  1196.             $factories = [];
  1197.             foreach ($this->factories as $i => $factory) {
  1198.                 $factories[] = array_merge($factory, [$i]);
  1199.             }
  1201.             usort($factories, function ($a$b) {
  1202.                 return $b[0] <=> $a[0] ?: $a[2] <=> $b[2];
  1203.             });
  1205.             $this->sortedFactories array_column($factories1);
  1206.         }
  1208.         return $this->sortedFactories;
  1209.     }
  1210. }