Inject listener into the firewall context to handle access control "2fa in progress" phase

Author: scheb

src/bundle/DependencyInjection/Compiler/AccessListenerCompilerPass.php

@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Scheb\TwoFactorBundle\DependencyInjection\Compiler;
+
+use Symfony\Component\DependencyInjection\Argument\IteratorArgument;
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Exception\InvalidArgumentException;
+use Symfony\Component\DependencyInjection\Reference;
+
+/**
+ * Injects a listener into the firewall to handle access control during the "2fa in progress" phase.
+ */
+class AccessListenerCompilerPass implements CompilerPassInterface
+{
+    public function process(ContainerBuilder $container): void
+    {
+        $taggedServices = $container->findTaggedServiceIds('scheb_two_factor.access_listener');
+        foreach ($taggedServices as $id => $attributes) {
+            if (!isset($attributes[0]['firewall'])) {
+                throw new InvalidArgumentException('Tag "scheb_two_factor.access_listener" requires attribute "firewall" to be set.');
+            }
+
+            $firewallContextId = 'security.firewall.map.context.'.$attributes[0]['firewall'];
+            $firewallContextDefinition = $container->getDefinition($firewallContextId);
+            $listenersIterator = $firewallContextDefinition->getArgument(0);
+            if (!($listenersIterator instanceof IteratorArgument)) {
+                throw new InvalidArgumentException(sprintf('Cannot inject access listener, argument 0 of "%s" must be instance of IteratorArgument.', $firewallContextId));
+            }
+
+            $listeners = $listenersIterator->getValues();
+            $listeners[] = new Reference($id);
+            $listenersIterator->setValues($listeners);
+        }
+    }
+}

src/bundle/DependencyInjection/Factory/Security/TwoFactorFactory.php

@@ -37,6 +37,7 @@ class TwoFactorFactory implements SecurityFactoryInterface
     public const PROVIDER_PREPARATION_LISTENER_ID_PREFIX = 'security.authentication.provider_preparation_listener.two_factor.';
     public const AUTHENTICATION_SUCCESS_EVENT_SUPPRESSOR_ID_PREFIX = 'security.authentication.authentication_success_event_suppressor.two_factor.';
     public const KERNEL_EXCEPTION_LISTENER_ID_PREFIX = 'security.authentication.kernel_exception_listener.two_factor.';
+    public const KERNEL_ACCESS_LISTENER_ID_PREFIX = 'security.authentication.access_listener.two_factor.';
 
     public const PROVIDER_DEFINITION_ID = 'scheb_two_factor.security.authentication.provider';
     public const LISTENER_DEFINITION_ID = 'scheb_two_factor.security.authentication.listener';
@@ -47,6 +48,7 @@ class TwoFactorFactory implements SecurityFactoryInterface
     public const PROVIDER_PREPARATION_LISTENER_DEFINITION_ID = 'scheb_two_factor.security.provider_preparation_listener';
     public const AUTHENTICATION_SUCCESS_EVENT_SUPPRESSOR_DEFINITION_ID = 'scheb_two_factor.security.authentication_success_event_suppressor';
     public const KERNEL_EXCEPTION_LISTENER_DEFINITION_ID = 'scheb_two_factor.security.kernel_exception_listener';
+    public const KERNEL_ACCESS_LISTENER_DEFINITION_ID = 'scheb_two_factor.security.access_listener';
 
     public function addConfiguration(NodeDefinition $node): void
     {
@@ -94,6 +96,7 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
         $authRequiredHandlerId = $this->createAuthenticationRequiredHandler($container, $id, $config, $twoFactorFirewallConfigId);
         $providerId = $this->createAuthenticationProvider($container, $id, $twoFactorFirewallConfigId);
         $this->createKernelExceptionListener($container, $id, $authRequiredHandlerId);
+        $this->createAccessListener($container, $id, $twoFactorFirewallConfigId);
         $this->createProviderPreparationListener($container, $id, $config);
         $this->createAuthenticationSuccessEventSuppressor($container, $id);
 
@@ -234,6 +237,17 @@ private function createKernelExceptionListener(ContainerBuilder $container, stri
             ->addTag('kernel.event_subscriber');
     }
 
+    private function createAccessListener(ContainerBuilder $container, string $firewallName, string $twoFactorFirewallConfigId): void
+    {
+        $firewallConfigId = self::KERNEL_ACCESS_LISTENER_ID_PREFIX.$firewallName;
+        $container
+            ->setDefinition($firewallConfigId, new ChildDefinition(self::KERNEL_ACCESS_LISTENER_DEFINITION_ID))
+            ->replaceArgument(0, new Reference($twoFactorFirewallConfigId))
+            // The SecurityFactory doesn't have access to the service definitions from the security bundle. Therefore we
+            // tag the definition so we can find it in a compiler pass inject it into the firewall context.
+            ->addTag('scheb_two_factor.access_listener', ['firewall' => $firewallName]);
+    }
+
     public function getPosition(): string
     {
         return 'form';

src/bundle/Resources/config/security.xml

@@ -76,6 +76,13 @@
 			<!-- <tag name="kernel.event_subscriber" /> -->
 		</service>
 
+		<service id="scheb_two_factor.security.access_listener" class="Scheb\TwoFactorBundle\Security\Http\Firewall\TwoFactorAccessListener" abstract="true">
+			<argument /> <!-- Two-factor firewall config -->
+			<argument type="service" id="security.token_storage"/>
+			<argument type="service" id="scheb_two_factor.security.access.access_decider"/>
+			<argument type="service" id="event_dispatcher" />
+		</service>
+
 		<service id="scheb_two_factor.security.authentication.success_handler" class="Scheb\TwoFactorBundle\Security\Http\Authentication\DefaultAuthenticationSuccessHandler" abstract="true">
 			<argument type="service" id="security.http_utils" />
 			<argument type="string" /> <!-- Firewall name -->

src/bundle/SchebTwoFactorBundle.php

@@ -4,6 +4,7 @@
 
 namespace Scheb\TwoFactorBundle;
 
+use Scheb\TwoFactorBundle\DependencyInjection\Compiler\AccessListenerCompilerPass;
 use Scheb\TwoFactorBundle\DependencyInjection\Compiler\AuthenticationProviderDecoratorCompilerPass;
 use Scheb\TwoFactorBundle\DependencyInjection\Compiler\MailerCompilerPass;
 use Scheb\TwoFactorBundle\DependencyInjection\Compiler\RememberMeServicesDecoratorCompilerPass;
@@ -22,6 +23,7 @@ public function build(ContainerBuilder $container): void
 
         $container->addCompilerPass(new AuthenticationProviderDecoratorCompilerPass());
         $container->addCompilerPass(new RememberMeServicesDecoratorCompilerPass());
+        $container->addCompilerPass(new AccessListenerCompilerPass());
         $container->addCompilerPass(new TwoFactorProviderCompilerPass());
         $container->addCompilerPass(new TwoFactorFirewallConfigCompilerPass());
         $container->addCompilerPass(new MailerCompilerPass());

src/bundle/Security/Http/Firewall/TwoFactorAccessListener.php

@@ -0,0 +1,87 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Scheb\TwoFactorBundle\Security\Http\Firewall;
+
+use Scheb\TwoFactorBundle\Security\Authentication\Token\TwoFactorTokenInterface;
+use Scheb\TwoFactorBundle\Security\Authorization\TwoFactorAccessDecider;
+use Scheb\TwoFactorBundle\Security\TwoFactor\Event\TwoFactorAuthenticationEvent;
+use Scheb\TwoFactorBundle\Security\TwoFactor\Event\TwoFactorAuthenticationEvents;
+use Scheb\TwoFactorBundle\Security\TwoFactor\TwoFactorFirewallConfig;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Http\Firewall\AbstractListener;
+use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
+
+/**
+ * Handles access control in the "2fa in progress" phase.
+ */
+class TwoFactorAccessListener extends AbstractListener
+{
+    /**
+     * @var TwoFactorFirewallConfig
+     */
+    private $twoFactorFirewallConfig;
+
+    /**
+     * @var TokenStorageInterface
+     */
+    private $tokenStorage;
+
+    /**
+     * @var TwoFactorAccessDecider
+     */
+    private $twoFactorAccessDecider;
+
+    /**
+     * @var EventDispatcherInterface
+     */
+    private $eventDispatcher;
+
+    public function __construct(
+        TwoFactorFirewallConfig $twoFactorFirewallConfig,
+        TokenStorageInterface $tokenStorage,
+        TwoFactorAccessDecider $twoFactorAccessDecider,
+        EventDispatcherInterface $eventDispatcher
+    ) {
+        $this->twoFactorFirewallConfig = $twoFactorFirewallConfig;
+        $this->tokenStorage = $tokenStorage;
+        $this->twoFactorAccessDecider = $twoFactorAccessDecider;
+        $this->eventDispatcher = $eventDispatcher;
+    }
+
+    public function supports(Request $request): ?bool
+    {
+        $token = $this->tokenStorage->getToken();
+
+        // No need to check for firewall name here, the listener is bound to the firewall context
+        return $token instanceof TwoFactorTokenInterface;
+    }
+
+    public function authenticate(RequestEvent $requestEvent): void
+    {
+        /** @var TwoFactorTokenInterface $token */
+        $token = $this->tokenStorage->getToken();
+        $request = $requestEvent->getRequest();
+        if ($this->twoFactorFirewallConfig->isCheckPathRequest($request)) {
+            return;
+        }
+
+        if ($this->twoFactorFirewallConfig->isAuthFormRequest($request)) {
+            $event = new TwoFactorAuthenticationEvent($request, $token);
+            $this->eventDispatcher->dispatch($event, TwoFactorAuthenticationEvents::FORM);
+
+            return;
+        }
+
+        if (!$this->twoFactorAccessDecider->isAccessible($request, $token)) {
+            $exception = new AccessDeniedException('User is in a two-factor authentication process.');
+            $exception->setSubject($request);
+
+            throw $exception;
+        }
+    }
+}

tests/DependencyInjection/Compiler/AccessListenerCompilerPassTest.php

@@ -0,0 +1,124 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Scheb\TwoFactorBundle\Tests\DependencyInjection\Compiler;
+
+use Scheb\TwoFactorBundle\DependencyInjection\Compiler\AccessListenerCompilerPass;
+use Scheb\TwoFactorBundle\Tests\TestCase;
+use Symfony\Bundle\SecurityBundle\Security\FirewallContext;
+use Symfony\Component\DependencyInjection\Argument\IteratorArgument;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Definition;
+use Symfony\Component\DependencyInjection\Exception\InvalidArgumentException;
+use Symfony\Component\DependencyInjection\Reference;
+
+class AccessListenerCompilerPassTest extends TestCase
+{
+    /**
+     * @var AccessListenerCompilerPass
+     */
+    private $compilerPass;
+
+    /**
+     * @var ContainerBuilder
+     */
+    private $container;
+
+    /**
+     * @var Definition
+     */
+    private $firewallContextDefinition;
+
+    protected function setUp(): void
+    {
+        $this->container = new ContainerBuilder();
+        $this->compilerPass = new AccessListenerCompilerPass();
+
+        $this->firewallContextDefinition = new Definition(FirewallContext::class);
+        $this->container->setDefinition('security.firewall.map.context.firewallName', $this->firewallContextDefinition);
+    }
+
+    private function stubTaggedContainerService(array $taggedServices): void
+    {
+        foreach ($taggedServices as $id => $tags) {
+            $definition = $this->container->register($id);
+
+            foreach ($tags as $attributes) {
+                $definition->addTag('scheb_two_factor.access_listener', $attributes);
+            }
+        }
+    }
+
+    private function stubFirewallContextListeners($listenersArg): void
+    {
+        $this->firewallContextDefinition->setArgument(0, $listenersArg);
+    }
+
+    private function assertFirewallContextListeners(IteratorArgument $expected): void
+    {
+        $listenersArgument = $this->firewallContextDefinition->getArgument(0);
+        $this->assertEquals($expected, $listenersArgument);
+    }
+
+    /**
+     * @test
+     */
+    public function process_missingAlias_throwException(): void
+    {
+        $taggedServices = [
+            'serviceId' => [
+                0 => [],
+            ],
+        ];
+        $this->stubTaggedContainerService($taggedServices);
+
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage('Tag "scheb_two_factor.access_listener" requires attribute "firewall" to be set');
+        $this->compilerPass->process($this->container);
+    }
+
+    /**
+     * @test
+     */
+    public function process_invalidListenersArgument_throwException(): void
+    {
+        $taggedServices = [
+            'serviceId' => [
+                0 => ['firewall' => 'firewallName'],
+            ],
+        ];
+        $this->stubTaggedContainerService($taggedServices);
+        $this->stubFirewallContextListeners([]);
+
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage('Cannot inject access listener');
+        $this->compilerPass->process($this->container);
+    }
+
+    /**
+     * @test
+     */
+    public function process_requirementsFulfilled_addAccessListener(): void
+    {
+        $taggedServices = [
+            'serviceId' => [
+                0 => ['firewall' => 'firewallName'],
+            ],
+        ];
+
+        $this->stubTaggedContainerService($taggedServices);
+        $this->stubFirewallContextListeners(new IteratorArgument([
+            new Reference('firewallListener1'),
+            new Reference('firewallListener2'),
+        ]));
+
+        $this->compilerPass->process($this->container);
+
+        $this->assertFirewallContextListeners(new IteratorArgument([
+            new Reference('firewallListener1'),
+            new Reference('firewallListener2'),
+            new Reference('serviceId'),
+        ]));
+    }
+}

tests/DependencyInjection/Factory/Security/TwoFactorFactoryTest.php

@@ -351,6 +351,21 @@ public function create_createForFirewall_createExceptionListener(): void
         $this->assertEquals('firewallName', $definition->getArgument(0));
         $this->assertEquals(new Reference('security.authentication.authentication_required_handler.two_factor.firewallName'), $definition->getArgument(2));
     }
+
+    /**
+     * @test
+     */
+    public function create_createForFirewall_createAccessListener(): void
+    {
+        $this->callCreateFirewall();
+
+        $this->assertTrue($this->container->hasDefinition('security.authentication.access_listener.two_factor.firewallName'));
+        $definition = $this->container->getDefinition('security.authentication.access_listener.two_factor.firewallName');
+        $this->assertEquals(new Reference('security.firewall_config.two_factor.firewallName'), $definition->getArgument(0));
+        $this->assertTrue($definition->hasTag('scheb_two_factor.access_listener'));
+        $tag = $definition->getTag('scheb_two_factor.access_listener');
+        $this->assertEquals(['firewall' => 'firewallName'], $tag[0]);
+    }
 }
 
 // Helper class to process config

tests/SchebTwoFactorBundleTest.php

@@ -4,6 +4,7 @@
 
 namespace Scheb\TwoFactorBundle\Tests;
 
+use Scheb\TwoFactorBundle\DependencyInjection\Compiler\AccessListenerCompilerPass;
 use Scheb\TwoFactorBundle\DependencyInjection\Compiler\AuthenticationProviderDecoratorCompilerPass;
 use Scheb\TwoFactorBundle\DependencyInjection\Compiler\MailerCompilerPass;
 use Scheb\TwoFactorBundle\DependencyInjection\Compiler\RememberMeServicesDecoratorCompilerPass;
@@ -25,11 +26,12 @@ public function build_initializeBundle_addCompilerPass(): void
 
         //Expect compiler pass to be added
         $containerBuilder
-            ->expects($this->exactly(5))
+            ->expects($this->exactly(6))
             ->method('addCompilerPass')
             ->with($this->logicalOr(
                 $this->isInstanceOf(AuthenticationProviderDecoratorCompilerPass::class),
                 $this->isInstanceOf(RememberMeServicesDecoratorCompilerPass::class),
+                $this->isInstanceOf(AccessListenerCompilerPass::class),
                 $this->isInstanceOf(TwoFactorProviderCompilerPass::class),
                 $this->isInstanceOf(TwoFactorFirewallConfigCompilerPass::class),
                 $this->isInstanceOf(MailerCompilerPass::class)