[Security] Move the Security helper to SecurityBundle

Author: chalasr

Authentication/AuthenticationUtils.php

@@ -14,7 +14,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\Security;
+use Symfony\Component\Security\Http\SecurityRequestAttributes;
 
 /**
  * Extracts Security Errors from Request.
@@ -35,13 +35,13 @@ public function getLastAuthenticationError(bool $clearSession = true): ?Authenti
         $request = $this->getRequest();
         $authenticationException = null;
 
-        if ($request->attributes->has(Security::AUTHENTICATION_ERROR)) {
-            $authenticationException = $request->attributes->get(Security::AUTHENTICATION_ERROR);
-        } elseif ($request->hasSession() && ($session = $request->getSession())->has(Security::AUTHENTICATION_ERROR)) {
-            $authenticationException = $session->get(Security::AUTHENTICATION_ERROR);
+        if ($request->attributes->has(SecurityRequestAttributes::AUTHENTICATION_ERROR)) {
+            $authenticationException = $request->attributes->get(SecurityRequestAttributes::AUTHENTICATION_ERROR);
+        } elseif ($request->hasSession() && ($session = $request->getSession())->has(SecurityRequestAttributes::AUTHENTICATION_ERROR)) {
+            $authenticationException = $session->get(SecurityRequestAttributes::AUTHENTICATION_ERROR);
 
             if ($clearSession) {
-                $session->remove(Security::AUTHENTICATION_ERROR);
+                $session->remove(SecurityRequestAttributes::AUTHENTICATION_ERROR);
             }
         }
 
@@ -52,11 +52,11 @@ public function getLastUsername(): string
     {
         $request = $this->getRequest();
 
-        if ($request->attributes->has(Security::LAST_USERNAME)) {
-            return $request->attributes->get(Security::LAST_USERNAME, '');
+        if ($request->attributes->has(SecurityRequestAttributes::LAST_USERNAME)) {
+            return $request->attributes->get(SecurityRequestAttributes::LAST_USERNAME, '');
         }
 
-        return $request->hasSession() ? $request->getSession()->get(Security::LAST_USERNAME, '') : '';
+        return $request->hasSession() ? $request->getSession()->get(SecurityRequestAttributes::LAST_USERNAME, '') : '';
     }
 
     /**

Authentication/DefaultAuthenticationFailureHandler.php

@@ -16,9 +16,9 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\ParameterBagUtils;
+use Symfony\Component\Security\Http\SecurityRequestAttributes;
 
 /**
  * Class with the default authentication failure handling logic.
@@ -84,14 +84,14 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
             $this->logger?->debug('Authentication failure, forward triggered.', ['failure_path' => $options['failure_path']]);
 
             $subRequest = $this->httpUtils->createRequest($request, $options['failure_path']);
-            $subRequest->attributes->set(Security::AUTHENTICATION_ERROR, $exception);
+            $subRequest->attributes->set(SecurityRequestAttributes::AUTHENTICATION_ERROR, $exception);
 
             return $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
         }
 
         $this->logger?->debug('Authentication failure, redirect triggered.', ['failure_path' => $options['failure_path']]);
 
-        $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
+        $request->getSession()->set(SecurityRequestAttributes::AUTHENTICATION_ERROR, $exception);
 
         return $this->httpUtils->createRedirectResponse($request, $options['failure_path']);
     }

Authenticator/AbstractLoginFormAuthenticator.php

@@ -15,8 +15,8 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Http\SecurityRequestAttributes;
 
 /**
  * A base class to make form login authentication easier!
@@ -50,7 +50,7 @@ public function supports(Request $request): bool
     public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
     {
         if ($request->hasSession()) {
-            $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
+            $request->getSession()->set(SecurityRequestAttributes::AUTHENTICATION_ERROR, $exception);
         }
 
         $url = $this->getLoginUrl($request);

Authenticator/AuthenticatorInterface.php

@@ -26,6 +26,8 @@
  */
 interface AuthenticatorInterface
 {
+    public const MAX_USERNAME_LENGTH = 4096;
+
     /**
      * Does the authenticator support the given Request?
      *

Authenticator/FormLoginAuthenticator.php

@@ -19,7 +19,6 @@
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
-use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
@@ -32,6 +31,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\ParameterBagUtils;
+use Symfony\Component\Security\Http\SecurityRequestAttributes;
 
 /**
  * @author Wouter de Jong <wouter@wouterj.nl>
@@ -132,11 +132,11 @@ private function getCredentials(Request $request): array
 
         $credentials['username'] = trim($credentials['username']);
 
-        if (\strlen($credentials['username']) > Security::MAX_USERNAME_LENGTH) {
+        if (\strlen($credentials['username']) > self::MAX_USERNAME_LENGTH) {
             throw new BadCredentialsException('Invalid username.');
         }
 
-        $request->getSession()->set(Security::LAST_USERNAME, $credentials['username']);
+        $request->getSession()->set(SecurityRequestAttributes::LAST_USERNAME, $credentials['username']);
 
         return $credentials;
     }

Authenticator/JsonLoginAuthenticator.php

@@ -22,7 +22,6 @@
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
-use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
@@ -151,7 +150,7 @@ private function getCredentials(Request $request)
                 throw new BadRequestHttpException(sprintf('The key "%s" must be a string.', $this->options['username_path']));
             }
 
-            if (\strlen($credentials['username']) > Security::MAX_USERNAME_LENGTH) {
+            if (\strlen($credentials['username']) > self::MAX_USERNAME_LENGTH) {
                 throw new BadCredentialsException('Invalid username.');
             }
         } catch (AccessException $e) {

EventListener/LoginThrottlingListener.php

@@ -15,10 +15,10 @@
 use Symfony\Component\HttpFoundation\RateLimiter\RequestRateLimiterInterface;
 use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\Security\Core\Exception\TooManyLoginAttemptsAuthenticationException;
-use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Event\CheckPassportEvent;
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
+use Symfony\Component\Security\Http\SecurityRequestAttributes;
 
 /**
  * @author Wouter de Jong <wouter@wouterj.nl>
@@ -42,7 +42,7 @@ public function checkPassport(CheckPassportEvent $event): void
         }
 
         $request = $this->requestStack->getMainRequest();
-        $request->attributes->set(Security::LAST_USERNAME, $passport->getBadge(UserBadge::class)->getUserIdentifier());
+        $request->attributes->set(SecurityRequestAttributes::LAST_USERNAME, $passport->getBadge(UserBadge::class)->getUserIdentifier());
 
         $limit = $this->limiter->consume($request);
         if (!$limit->isAccepted()) {

Firewall/ExceptionListener.php

@@ -28,11 +28,11 @@
 use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;
 use Symfony\Component\Security\Core\Exception\LazyResponseException;
 use Symfony\Component\Security\Core\Exception\LogoutException;
-use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Symfony\Component\Security\Http\EntryPoint\Exception\NotAnEntryPointException;
 use Symfony\Component\Security\Http\HttpUtils;
+use Symfony\Component\Security\Http\SecurityRequestAttributes;
 use Symfony\Component\Security\Http\Util\TargetPathTrait;
 
 /**
@@ -164,7 +164,7 @@ private function handleAccessDeniedException(ExceptionEvent $event, AccessDenied
                 }
             } elseif (null !== $this->errorPage) {
                 $subRequest = $this->httpUtils->createRequest($event->getRequest(), $this->errorPage);
-                $subRequest->attributes->set(Security::ACCESS_DENIED_ERROR, $exception);
+                $subRequest->attributes->set(SecurityRequestAttributes::ACCESS_DENIED_ERROR, $exception);
 
                 $event->setResponse($event->getKernel()->handle($subRequest, HttpKernelInterface::SUB_REQUEST, true));
                 $event->allowCustomResponseCode();

HttpUtils.php

@@ -18,7 +18,6 @@
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Component\Routing\Matcher\RequestMatcherInterface;
 use Symfony\Component\Routing\Matcher\UrlMatcherInterface;
-use Symfony\Component\Security\Core\Security;
 
 /**
  * Encapsulates the logic needed to create sub-requests, redirect the user, and match URLs.
@@ -80,14 +79,14 @@ public function createRequest(Request $request, string $path): Request
         }
         $setSession($newRequest, $request);
 
-        if ($request->attributes->has(Security::AUTHENTICATION_ERROR)) {
-            $newRequest->attributes->set(Security::AUTHENTICATION_ERROR, $request->attributes->get(Security::AUTHENTICATION_ERROR));
+        if ($request->attributes->has(SecurityRequestAttributes::AUTHENTICATION_ERROR)) {
+            $newRequest->attributes->set(SecurityRequestAttributes::AUTHENTICATION_ERROR, $request->attributes->get(SecurityRequestAttributes::AUTHENTICATION_ERROR));
         }
-        if ($request->attributes->has(Security::ACCESS_DENIED_ERROR)) {
-            $newRequest->attributes->set(Security::ACCESS_DENIED_ERROR, $request->attributes->get(Security::ACCESS_DENIED_ERROR));
+        if ($request->attributes->has(SecurityRequestAttributes::ACCESS_DENIED_ERROR)) {
+            $newRequest->attributes->set(SecurityRequestAttributes::ACCESS_DENIED_ERROR, $request->attributes->get(SecurityRequestAttributes::ACCESS_DENIED_ERROR));
         }
-        if ($request->attributes->has(Security::LAST_USERNAME)) {
-            $newRequest->attributes->set(Security::LAST_USERNAME, $request->attributes->get(Security::LAST_USERNAME));
+        if ($request->attributes->has(SecurityRequestAttributes::LAST_USERNAME)) {
+            $newRequest->attributes->set(SecurityRequestAttributes::LAST_USERNAME, $request->attributes->get(SecurityRequestAttributes::LAST_USERNAME));
         }
 
         if ($request->get('_format')) {

RateLimiter/DefaultLoginRateLimiter.php

@@ -14,7 +14,7 @@
 use Symfony\Component\HttpFoundation\RateLimiter\AbstractRequestRateLimiter;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\RateLimiter\RateLimiterFactory;
-use Symfony\Component\Security\Core\Security;
+use Symfony\Component\Security\Http\SecurityRequestAttributes;
 
 /**
  * A default login throttling limiter.
@@ -37,7 +37,7 @@ public function __construct(RateLimiterFactory $globalFactory, RateLimiterFactor
 
     protected function getLimiters(Request $request): array
     {
-        $username = $request->attributes->get(Security::LAST_USERNAME, '');
+        $username = $request->attributes->get(SecurityRequestAttributes::LAST_USERNAME, '');
         $username = preg_match('//u', $username) ? mb_strtolower($username, 'UTF-8') : strtolower($username);
 
         return [

SecurityRequestAttributes.php

@@ -0,0 +1,24 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http;
+
+/**
+ * List of request attributes used along the security flow.
+ *
+ * @author Robin Chalas <robin.chalas@gmail.com>
+ */
+final class SecurityRequestAttributes
+{
+    public const ACCESS_DENIED_ERROR = '_security.403_error';
+    public const AUTHENTICATION_ERROR = '_security.last_error';
+    public const LAST_USERNAME = '_security.last_username';
+}

Tests/Authentication/DefaultAuthenticationFailureHandlerTest.php

@@ -20,9 +20,9 @@
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
 use Symfony\Component\Security\Http\HttpUtils;
+use Symfony\Component\Security\Http\SecurityRequestAttributes;
 
 class DefaultAuthenticationFailureHandlerTest extends TestCase
 {
@@ -56,7 +56,7 @@ public function testForward()
 
         $subRequest = $this->getRequest();
         $subRequest->attributes->expects($this->once())
-            ->method('set')->with(Security::AUTHENTICATION_ERROR, $this->exception);
+            ->method('set')->with(SecurityRequestAttributes::AUTHENTICATION_ERROR, $this->exception);
         $this->httpUtils->expects($this->once())
             ->method('createRequest')->with($this->request, '/login')
             ->willReturn($subRequest);
@@ -83,7 +83,7 @@ public function testRedirect()
     public function testExceptionIsPersistedInSession()
     {
         $this->session->expects($this->once())
-            ->method('set')->with(Security::AUTHENTICATION_ERROR, $this->exception);
+            ->method('set')->with(SecurityRequestAttributes::AUTHENTICATION_ERROR, $this->exception);
 
         $handler = new DefaultAuthenticationFailureHandler($this->httpKernel, $this->httpUtils, [], $this->logger);
         $handler->onAuthenticationFailure($this->request, $this->exception);
@@ -95,7 +95,7 @@ public function testExceptionIsPassedInRequestOnForward()
 
         $subRequest = $this->getRequest();
         $subRequest->attributes->expects($this->once())
-            ->method('set')->with(Security::AUTHENTICATION_ERROR, $this->exception);
+            ->method('set')->with(SecurityRequestAttributes::AUTHENTICATION_ERROR, $this->exception);
 
         $this->httpUtils->expects($this->once())
             ->method('createRequest')->with($this->request, '/login')

Tests/Authenticator/FormLoginAuthenticatorTest.php

@@ -16,10 +16,10 @@
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
-use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Core\User\InMemoryUserProvider;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
+use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
 use Symfony\Component\Security\Http\Authenticator\FormLoginAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PasswordUpgradeBadge;
@@ -62,8 +62,8 @@ public function testHandleWhenUsernameLength($username, $ok)
 
     public function provideUsernamesForLength()
     {
-        yield [str_repeat('x', Security::MAX_USERNAME_LENGTH + 1), false];
-        yield [str_repeat('x', Security::MAX_USERNAME_LENGTH - 1), true];
+        yield [str_repeat('x', AuthenticatorInterface::MAX_USERNAME_LENGTH + 1), false];
+        yield [str_repeat('x', AuthenticatorInterface::MAX_USERNAME_LENGTH - 1), true];
     }
 
     /**

Tests/Authenticator/JsonLoginAuthenticatorTest.php

@@ -16,8 +16,8 @@
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
-use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Core\User\InMemoryUserProvider;
+use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
 use Symfony\Component\Security\Http\Authenticator\JsonLoginAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
 use Symfony\Component\Security\Http\HttpUtils;
@@ -121,7 +121,7 @@ public function provideInvalidAuthenticateData()
         $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], '{"username": "dunglas", "password": 1}');
         yield [$request, 'The key "password" must be a string.'];
 
-        $username = str_repeat('x', Security::MAX_USERNAME_LENGTH + 1);
+        $username = str_repeat('x', AuthenticatorInterface::MAX_USERNAME_LENGTH + 1);
         $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], sprintf('{"username": "%s", "password": 1}', $username));
         yield [$request, 'Invalid username.', BadCredentialsException::class];
     }

Tests/HttpUtilsTest.php

@@ -20,8 +20,8 @@
 use Symfony\Component\Routing\Matcher\RequestMatcherInterface;
 use Symfony\Component\Routing\Matcher\UrlMatcherInterface;
 use Symfony\Component\Routing\RequestContext;
-use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Http\HttpUtils;
+use Symfony\Component\Security\Http\SecurityRequestAttributes;
 
 class HttpUtilsTest extends TestCase
 {
@@ -162,9 +162,9 @@ public function testCreateRequestPassesSessionToTheNewRequest()
     }
 
     /**
-     * @dataProvider provideSecurityContextAttributes
+     * @dataProvider provideSecurityRequestAttributes
      */
-    public function testCreateRequestPassesSecurityContextAttributesToTheNewRequest($attribute)
+    public function testCreateRequestPassesSecurityRequestAttributesToTheNewRequest($attribute)
     {
         $request = $this->getRequest();
         $request->attributes->set($attribute, 'foo');
@@ -175,12 +175,12 @@ public function testCreateRequestPassesSecurityContextAttributesToTheNewRequest(
         $this->assertSame('foo', $subRequest->attributes->get($attribute));
     }
 
-    public function provideSecurityContextAttributes()
+    public function provideSecurityRequestAttributes()
     {
         return [
-            [Security::AUTHENTICATION_ERROR],
-            [Security::ACCESS_DENIED_ERROR],
-            [Security::LAST_USERNAME],
+            [SecurityRequestAttributes::AUTHENTICATION_ERROR],
+            [SecurityRequestAttributes::ACCESS_DENIED_ERROR],
+            [SecurityRequestAttributes::LAST_USERNAME],
         ];
     }