symfony · May 19, 2021 · May 19, 2021 · May 20, 2021 · May 23, 2021 · May 24, 2021
diff --git a/.gitattributes b/.gitattributes
@@ -1,4 +1,3 @@
 /Tests export-ignore
 /phpunit.xml.dist export-ignore
-/.gitattributes export-ignore
-/.gitignore export-ignore
+/.git* export-ignore
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,8 @@
+Please do not submit any Pull Requests here. They will be closed.
+---
+
+Please submit your PR here instead:
+https://github.com/symfony/symfony
+
+This repository is what we call a "subtree split": a read-only subset of that main repository.
+We're looking forward to your PR there!
diff --git a/.github/workflows/close-pull-request.yml b/.github/workflows/close-pull-request.yml
@@ -0,0 +1,20 @@
+name: Close Pull Request
+
+on:
+  pull_request_target:
+    types: [opened]
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: superbrothers/close-pull-request@v3
+      with:
+        comment: |
+          Thanks for your Pull Request! We love contributions.
+
+          However, you should instead open your PR on the main repository:
+          https://github.com/symfony/symfony
+
+          This repository is what we call a "subtree split": a read-only subset of that main repository.
+          We're looking forward to your PR there!
diff --git a/AccessMap.php b/AccessMap.php
@@ -22,21 +22,18 @@
  */
 class AccessMap implements AccessMapInterface
 {
-    private $map = [];
+    private array $map = [];
 
     /**
      * @param array       $attributes An array of attributes to pass to the access decision manager (like roles)
      * @param string|null $channel    The channel to enforce (http, https, or null)
      */
-    public function add(RequestMatcherInterface $requestMatcher, array $attributes = [], string $channel = null)
+    public function add(RequestMatcherInterface $requestMatcher, array $attributes = [], ?string $channel = null): void
     {
         $this->map[] = [$requestMatcher, $attributes, $channel];
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function getPatterns(Request $request)
+    public function getPatterns(Request $request): array
     {
         foreach ($this->map as $elements) {
             if (null === $elements[0] || $elements[0]->matches($request)) {

diff --git a/AccessMapInterface.php b/AccessMapInterface.php
@@ -27,5 +27,5 @@ interface AccessMapInterface
      *
      * @return array{0: array|null, 1: string|null} A tuple of security attributes and the required channel
      */
-    public function getPatterns(Request $request);
+    public function getPatterns(Request $request): array;
 }
diff --git a/AccessToken/AccessTokenExtractorInterface.php b/AccessToken/AccessTokenExtractorInterface.php
@@ -0,0 +1,24 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\AccessToken;
+
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * The token extractor retrieves the token from a request.
+ *
+ * @author Florent Morselli <florent.morselli@spomky-labs.com>
+ */
+interface AccessTokenExtractorInterface
+{
+    public function extractAccessToken(Request $request): ?string;
+}
diff --git a/AccessToken/AccessTokenHandlerInterface.php b/AccessToken/AccessTokenHandlerInterface.php
@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\AccessToken;
+
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+
+/**
+ * The token handler retrieves the user identifier from the token.
+ * In order to get the user identifier, implementations may need to load and validate the token (e.g. revocation, expiration time, digital signature...).
+ *
+ * @author Florent Morselli <florent.morselli@spomky-labs.com>
+ */
+interface AccessTokenHandlerInterface
+{
+    /**
+     * @throws AuthenticationException
+     */
+    public function getUserBadgeFrom(#[\SensitiveParameter] string $accessToken): UserBadge;
+}
diff --git a/AccessToken/Cas/Cas2Handler.php b/AccessToken/Cas/Cas2Handler.php
@@ -0,0 +1,85 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\AccessToken\Cas;
+
+use Symfony\Component\HttpClient\HttpClient;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Contracts\HttpClient\HttpClientInterface;
+
+/**
+ * @see https://apereo.github.io/cas/6.6.x/protocol/CAS-Protocol-V2-Specification.html
+ *
+ * @author Nicolas Attard <contact@nicolasattard.fr>
+ */
+final class Cas2Handler implements AccessTokenHandlerInterface
+{
+    public function __construct(
+        private readonly RequestStack $requestStack,
+        private readonly string $validationUrl,
+        private readonly string $prefix = 'cas',
+        private ?HttpClientInterface $client = null,
+    ) {
+        if (null === $client) {
+            if (!class_exists(HttpClient::class)) {
+                throw new \LogicException(\sprintf('You cannot use "%s" as the HttpClient component is not installed. Try running "composer require symfony/http-client".', __CLASS__));
+            }
+
+            $this->client = HttpClient::create();
+        }
+    }
+
+    /**
+     * @throws AuthenticationException
+     */
+    public function getUserBadgeFrom(string $accessToken): UserBadge
+    {
+        $response = $this->client->request('GET', $this->getValidationUrl($accessToken));
+
+        $xml = new \SimpleXMLElement($response->getContent(), 0, false, $this->prefix, true);
+
+        if (isset($xml->authenticationSuccess)) {
+            return new UserBadge((string) $xml->authenticationSuccess->user);
+        }
+
+        if (isset($xml->authenticationFailure)) {
+            throw new AuthenticationException('CAS Authentication Failure: '.trim((string) $xml->authenticationFailure));
+        }
+
+        throw new AuthenticationException('Invalid CAS response.');
+    }
+
+    private function getValidationUrl(string $accessToken): string
+    {
+        $request = $this->requestStack->getCurrentRequest();
+
+        if (null === $request) {
+            throw new \LogicException('Request should exist so it can be processed for error.');
+        }
+
+        $query = $request->query->all();
+
+        if (!isset($query['ticket'])) {
+            throw new AuthenticationException('No ticket found in request.');
+        }
+        unset($query['ticket']);
+        $queryString = $query ? '?'.http_build_query($query) : '';
+
+        return \sprintf('%s?ticket=%s&service=%s',
+            $this->validationUrl,
+            urlencode($accessToken),
+            urlencode($request->getSchemeAndHttpHost().$request->getBaseUrl().$request->getPathInfo().$queryString)
+        );
+    }
+}
diff --git a/AccessToken/ChainAccessTokenExtractor.php b/AccessToken/ChainAccessTokenExtractor.php
@@ -0,0 +1,41 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\AccessToken;
+
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * The token extractor retrieves the token from a request.
+ *
+ * @author Florent Morselli <florent.morselli@spomky-labs.com>
+ */
+final class ChainAccessTokenExtractor implements AccessTokenExtractorInterface
+{
+    /**
+     * @param AccessTokenExtractorInterface[] $accessTokenExtractors
+     */
+    public function __construct(
+        private readonly iterable $accessTokenExtractors,
+    ) {
+    }
+
+    public function extractAccessToken(Request $request): ?string
+    {
+        foreach ($this->accessTokenExtractors as $extractor) {
+            if ($accessToken = $extractor->extractAccessToken($request)) {
+                return $accessToken;
+            }
+        }
+
+        return null;
+    }
+}
diff --git a/AccessToken/FormEncodedBodyExtractor.php b/AccessToken/FormEncodedBodyExtractor.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\AccessToken;
+
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Extracts a token from the body request.
+ *
+ * WARNING!
+ * Because of the security weaknesses associated with this method,
+ * the request body method SHOULD NOT be used except in application contexts
+ * where participating browsers do not have access to the "Authorization" request header field.
+ *
+ * @author Florent Morselli <florent.morselli@spomky-labs.com>
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6750#section-2.2
+ */
+final class FormEncodedBodyExtractor implements AccessTokenExtractorInterface
+{
+    public function __construct(
+        private readonly string $parameter = 'access_token',
+    ) {
+    }
+
+    public function extractAccessToken(Request $request): ?string
+    {
+        if (
+            Request::METHOD_POST !== $request->getMethod()
+            || !str_starts_with($request->headers->get('CONTENT_TYPE', ''), 'application/x-www-form-urlencoded')
+        ) {
+            return null;
+        }
+        $parameter = $request->request->get($this->parameter);
+
+        return \is_string($parameter) ? $parameter : null;
+    }
+}
diff --git a/AccessToken/HeaderAccessTokenExtractor.php b/AccessToken/HeaderAccessTokenExtractor.php
@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\AccessToken;
+
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Extracts a token from the request header.
+ *
+ * @author Florent Morselli <florent.morselli@spomky-labs.com>
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
+ */
+final class HeaderAccessTokenExtractor implements AccessTokenExtractorInterface
+{
+    private string $regex;
+
+    public function __construct(
+        private readonly string $headerParameter = 'Authorization',
+        private readonly string $tokenType = 'Bearer',
+    ) {
+        $this->regex = \sprintf(
+            '/^%s([a-zA-Z0-9\-_\+~\/\.]+=*)$/',
+            '' === $this->tokenType ? '' : preg_quote($this->tokenType).'\s+'
+        );
+    }
+
+    public function extractAccessToken(Request $request): ?string
+    {
+        if (!$request->headers->has($this->headerParameter) || !\is_string($header = $request->headers->get($this->headerParameter))) {
+            return null;
+        }
+
+        if (preg_match($this->regex, $header, $matches)) {
+            return $matches[1];
+        }
+
+        return null;
+    }
+}