vendor/symfony/security-bundle/DependencyInjection/SecurityExtension.php line 688

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Bundle\SecurityBundle\DependencyInjection;
  14. use Symfony\Bridge\Twig\Extension\LogoutUrlExtension;
  15. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AuthenticatorFactoryInterface;
  16. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FirewallListenerFactoryInterface;
  17. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\RememberMeFactory;
  18. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
  19. use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\UserProvider\UserProviderFactoryInterface;
  20. use Symfony\Bundle\SecurityBundle\Security\LegacyLogoutHandlerListener;
  21. use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
  22. use Symfony\Component\Config\FileLocator;
  23. use Symfony\Component\Console\Application;
  24. use Symfony\Component\DependencyInjection\Alias;
  25. use Symfony\Component\DependencyInjection\Argument\IteratorArgument;
  26. use Symfony\Component\DependencyInjection\Argument\ServiceClosureArgument;
  27. use Symfony\Component\DependencyInjection\ChildDefinition;
  28. use Symfony\Component\DependencyInjection\Compiler\ServiceLocatorTagPass;
  29. use Symfony\Component\DependencyInjection\ContainerBuilder;
  30. use Symfony\Component\DependencyInjection\Definition;
  31. use Symfony\Component\DependencyInjection\Extension\PrependExtensionInterface;
  32. use Symfony\Component\DependencyInjection\Loader\PhpFileLoader;
  33. use Symfony\Component\DependencyInjection\Reference;
  34. use Symfony\Component\EventDispatcher\EventDispatcher;
  35. use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
  36. use Symfony\Component\HttpKernel\DependencyInjection\Extension;
  37. use Symfony\Component\HttpKernel\KernelEvents;
  38. use Symfony\Component\PasswordHasher\Hasher\NativePasswordHasher;
  39. use Symfony\Component\PasswordHasher\Hasher\Pbkdf2PasswordHasher;
  40. use Symfony\Component\PasswordHasher\Hasher\PlaintextPasswordHasher;
  41. use Symfony\Component\PasswordHasher\Hasher\SodiumPasswordHasher;
  42. use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
  43. use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
  44. use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
  45. use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
  46. use Symfony\Component\Security\Core\User\ChainUserProvider;
  47. use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
  48. use Symfony\Component\Security\Core\User\UserProviderInterface;
  49. use Symfony\Component\Security\Http\Event\CheckPassportEvent;
  51. /**
  52.  * SecurityExtension.
  53.  *
  54.  * @author Fabien Potencier <fabien@symfony.com>
  55.  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  56.  */
  57. class SecurityExtension extends Extension implements PrependExtensionInterface
  58. {
  59.     private $requestMatchers = [];
  60.     private $expressions = [];
  61.     private $contextListeners = [];
  62.     private $listenerPositions = ['pre_auth''form''http''remember_me''anonymous'];
  63.     private $factories = [];
  64.     private $userProviderFactories = [];
  65.     private $statelessFirewallKeys = [];
  67.     private $authenticatorManagerEnabled false;
  69.     public function __construct()
  70.     {
  71.         foreach ($this->listenerPositions as $position) {
  72.             $this->factories[$position] = [];
  73.         }
  74.     }
  76.     public function prepend(ContainerBuilder $container)
  77.     {
  78.         $rememberMeSecureDefault false;
  79.         $rememberMeSameSiteDefault null;
  81.         if (!isset($container->getExtensions()['framework'])) {
  82.             return;
  83.         }
  84.         foreach ($container->getExtensionConfig('framework') as $config) {
  85.             if (isset($config['session']) && \is_array($config['session'])) {
  86.                 $rememberMeSecureDefault $config['session']['cookie_secure'] ?? $rememberMeSecureDefault;
  87.                 $rememberMeSameSiteDefault \array_key_exists('cookie_samesite'$config['session']) ? $config['session']['cookie_samesite'] : $rememberMeSameSiteDefault;
  88.             }
  89.         }
  90.         foreach ($this->listenerPositions as $position) {
  91.             foreach ($this->factories[$position] as $factory) {
  92.                 if ($factory instanceof RememberMeFactory) {
  93.                     \Closure::bind(function () use ($rememberMeSecureDefault$rememberMeSameSiteDefault) {
  94.                         $this->options['secure'] = $rememberMeSecureDefault;
  95.                         $this->options['samesite'] = $rememberMeSameSiteDefault;
  96.                     }, $factory$factory)();
  97.                 }
  98.             }
  99.         }
  100.     }
  102.     public function load(array $configsContainerBuilder $container)
  103.     {
  104.         if (!array_filter($configs)) {
  105.             return;
  106.         }
  108.         $mainConfig $this->getConfiguration($configs$container);
  110.         $config $this->processConfiguration($mainConfig$configs);
  112.         // load services
  113.         $loader = new PhpFileLoader($container, new FileLocator(\dirname(__DIR__).'/Resources/config'));
  115.         $loader->load('security.php');
  116.         $loader->load('password_hasher.php');
  117.         $loader->load('security_listeners.php');
  118.         $loader->load('security_rememberme.php');
  120.         if ($this->authenticatorManagerEnabled $config['enable_authenticator_manager']) {
  121.             if ($config['always_authenticate_before_granting']) {
  122.                 throw new InvalidConfigurationException('The security option "always_authenticate_before_granting" cannot be used when "enable_authenticator_manager" is set to true. If you rely on this behavior, set it to false.');
  123.             }
  125.             $loader->load('security_authenticator.php');
  127.             // The authenticator system no longer has anonymous tokens. This makes sure AccessListener
  128.             // and AuthorizationChecker do not throw AuthenticationCredentialsNotFoundException when no
  129.             // token is available in the token storage.
  130.             $container->getDefinition('security.access_listener')->setArgument(4false);
  131.             $container->getDefinition('security.authorization_checker')->setArgument(4false);
  132.             $container->getDefinition('security.authorization_checker')->setArgument(5false);
  133.         } else {
  134.             trigger_deprecation('symfony/security-bundle''5.3''Not setting the "security.enable_authenticator_manager" config option to true is deprecated.');
  136.             $loader->load('security_legacy.php');
  137.         }
  139.         if ($container::willBeAvailable('symfony/twig-bridge'LogoutUrlExtension::class, ['symfony/security-bundle'])) {
  140.             $loader->load('templating_twig.php');
  141.         }
  143.         $loader->load('collectors.php');
  144.         $loader->load('guard.php');
  146.         $container->getDefinition('data_collector.security')->addArgument($this->authenticatorManagerEnabled);
  148.         if ($container->hasParameter('kernel.debug') && $container->getParameter('kernel.debug')) {
  149.             $loader->load('security_debug.php');
  150.         }
  152.         if (!$container::willBeAvailable('symfony/expression-language'ExpressionLanguage::class, ['symfony/security-bundle'])) {
  153.             $container->removeDefinition('security.expression_language');
  154.             $container->removeDefinition('security.access.expression_voter');
  155.         }
  157.         // set some global scalars
  158.         $container->setParameter('security.access.denied_url'$config['access_denied_url']);
  159.         $container->setParameter('security.authentication.manager.erase_credentials'$config['erase_credentials']);
  160.         $container->setParameter('security.authentication.session_strategy.strategy'$config['session_fixation_strategy']);
  162.         if (isset($config['access_decision_manager']['service'])) {
  163.             $container->setAlias('security.access.decision_manager'$config['access_decision_manager']['service']);
  164.         } else {
  165.             $container
  166.                 ->getDefinition('security.access.decision_manager')
  167.                 ->addArgument($config['access_decision_manager']['strategy'] ?? AccessDecisionManager::STRATEGY_AFFIRMATIVE)
  168.                 ->addArgument($config['access_decision_manager']['allow_if_all_abstain'])
  169.                 ->addArgument($config['access_decision_manager']['allow_if_equal_granted_denied']);
  170.         }
  172.         $container->setParameter('security.access.always_authenticate_before_granting'$config['always_authenticate_before_granting']);
  173.         $container->setParameter('security.authentication.hide_user_not_found'$config['hide_user_not_found']);
  175.         if (class_exists(Application::class)) {
  176.             $loader->load('debug_console.php');
  177.             $debugCommand $container->getDefinition('security.command.debug_firewall');
  178.             $debugCommand->replaceArgument(4$this->authenticatorManagerEnabled);
  179.         }
  181.         $this->createFirewalls($config$container);
  182.         $this->createAuthorization($config$container);
  183.         $this->createRoleHierarchy($config$container);
  185.         $container->getDefinition('security.authentication.guard_handler')
  186.             ->replaceArgument(2$this->statelessFirewallKeys);
  188.         // @deprecated since Symfony 5.3
  189.         if ($config['encoders']) {
  190.             $this->createEncoders($config['encoders'], $container);
  191.         }
  193.         if ($config['password_hashers']) {
  194.             $this->createHashers($config['password_hashers'], $container);
  195.         }
  197.         if (class_exists(Application::class)) {
  198.             $loader->load('console.php');
  200.             // @deprecated since Symfony 5.3
  201.             $container->getDefinition('security.command.user_password_encoder')->replaceArgument(1array_keys($config['encoders']));
  203.             $container->getDefinition('security.command.user_password_hash')->replaceArgument(1array_keys($config['password_hashers']));
  204.         }
  206.         $container->registerForAutoconfiguration(VoterInterface::class)
  207.             ->addTag('security.voter');
  208.     }
  210.     private function createRoleHierarchy(array $configContainerBuilder $container)
  211.     {
  212.         if (!isset($config['role_hierarchy']) || === \count($config['role_hierarchy'])) {
  213.             $container->removeDefinition('security.access.role_hierarchy_voter');
  215.             return;
  216.         }
  218.         $container->setParameter('security.role_hierarchy.roles'$config['role_hierarchy']);
  219.         $container->removeDefinition('security.access.simple_role_voter');
  220.     }
  222.     private function createAuthorization(array $configContainerBuilder $container)
  223.     {
  224.         foreach ($config['access_control'] as $access) {
  225.             $matcher $this->createRequestMatcher(
  226.                 $container,
  227.                 $access['path'],
  228.                 $access['host'],
  229.                 $access['port'],
  230.                 $access['methods'],
  231.                 $access['ips']
  232.             );
  234.             $attributes $access['roles'];
  235.             if ($access['allow_if']) {
  236.                 $attributes[] = $this->createExpression($container$access['allow_if']);
  237.             }
  239.             $emptyAccess === \count(array_filter($access));
  241.             if ($emptyAccess) {
  242.                 throw new InvalidConfigurationException('One or more access control items are empty. Did you accidentally add lines only containing a "-" under "security.access_control"?');
  243.             }
  245.             $container->getDefinition('security.access_map')
  246.                       ->addMethodCall('add', [$matcher$attributes$access['requires_channel']]);
  247.         }
  249.         // allow cache warm-up for expressions
  250.         if (\count($this->expressions)) {
  251.             $container->getDefinition('security.cache_warmer.expression')
  252.                 ->replaceArgument(0, new IteratorArgument(array_values($this->expressions)));
  253.         } else {
  254.             $container->removeDefinition('security.cache_warmer.expression');
  255.         }
  256.     }
  258.     private function createFirewalls(array $configContainerBuilder $container)
  259.     {
  260.         if (!isset($config['firewalls'])) {
  261.             return;
  262.         }
  264.         $firewalls $config['firewalls'];
  265.         $providerIds $this->createUserProviders($config$container);
  267.         $container->setParameter('security.firewalls'array_keys($firewalls));
  269.         // make the ContextListener aware of the configured user providers
  270.         $contextListenerDefinition $container->getDefinition('security.context_listener');
  271.         $arguments $contextListenerDefinition->getArguments();
  272.         $userProviders = [];
  273.         foreach ($providerIds as $userProviderId) {
  274.             $userProviders[] = new Reference($userProviderId);
  275.         }
  276.         $arguments[1] = $userProviderIteratorsArgument = new IteratorArgument($userProviders);
  277.         $contextListenerDefinition->setArguments($arguments);
  278.         $nbUserProviders \count($userProviders);
  280.         if ($nbUserProviders 1) {
  281.             $container->setDefinition('security.user_providers', new Definition(ChainUserProvider::class, [$userProviderIteratorsArgument]))
  282.                 ->setPublic(false);
  283.         } elseif (=== $nbUserProviders) {
  284.             $container->removeDefinition('security.listener.user_provider');
  285.         } else {
  286.             $container->setAlias('security.user_providers', new Alias(current($providerIds)))->setPublic(false);
  287.         }
  289.         if (=== \count($providerIds)) {
  290.             $container->setAlias(UserProviderInterface::class, current($providerIds));
  291.         }
  293.         $customUserChecker false;
  295.         // load firewall map
  296.         $mapDef $container->getDefinition('security.firewall.map');
  297.         $map $authenticationProviders $contextRefs = [];
  298.         foreach ($firewalls as $name => $firewall) {
  299.             if (isset($firewall['user_checker']) && 'security.user_checker' !== $firewall['user_checker']) {
  300.                 $customUserChecker true;
  301.             }
  303.             $configId 'security.firewall.map.config.'.$name;
  305.             [$matcher$listeners$exceptionListener$logoutListener] = $this->createFirewall($container$name$firewall$authenticationProviders$providerIds$configId);
  307.             $contextId 'security.firewall.map.context.'.$name;
  308.             $isLazy = !$firewall['stateless'] && (!empty($firewall['anonymous']['lazy']) || $firewall['lazy']);
  309.             $context = new ChildDefinition($isLazy 'security.firewall.lazy_context' 'security.firewall.context');
  310.             $context $container->setDefinition($contextId$context);
  311.             $context
  312.                 ->replaceArgument(0, new IteratorArgument($listeners))
  313.                 ->replaceArgument(1$exceptionListener)
  314.                 ->replaceArgument(2$logoutListener)
  315.                 ->replaceArgument(3, new Reference($configId))
  316.             ;
  318.             $contextRefs[$contextId] = new Reference($contextId);
  319.             $map[$contextId] = $matcher;
  320.         }
  322.         $container->setAlias('security.firewall.context_locator', (string) ServiceLocatorTagPass::register($container$contextRefs));
  324.         $mapDef->replaceArgument(0, new Reference('security.firewall.context_locator'));
  325.         $mapDef->replaceArgument(1, new IteratorArgument($map));
  327.         if (!$this->authenticatorManagerEnabled) {
  328.             // add authentication providers to authentication manager
  329.             $authenticationProviders array_map(function ($id) {
  330.                 return new Reference($id);
  331.             }, array_values(array_unique($authenticationProviders)));
  333.             $container
  334.                 ->getDefinition('security.authentication.manager')
  335.                 ->replaceArgument(0, new IteratorArgument($authenticationProviders));
  336.         }
  338.         // register an autowire alias for the UserCheckerInterface if no custom user checker service is configured
  339.         if (!$customUserChecker) {
  340.             $container->setAlias('Symfony\Component\Security\Core\User\UserCheckerInterface', new Alias('security.user_checker'false));
  341.         }
  342.     }
  344.     private function createFirewall(ContainerBuilder $containerstring $id, array $firewall, array &$authenticationProviders, array $providerIdsstring $configId)
  345.     {
  346.         $config $container->setDefinition($configId, new ChildDefinition('security.firewall.config'));
  347.         $config->replaceArgument(0$id);
  348.         $config->replaceArgument(1$firewall['user_checker']);
  350.         // Matcher
  351.         $matcher null;
  352.         if (isset($firewall['request_matcher'])) {
  353.             $matcher = new Reference($firewall['request_matcher']);
  354.         } elseif (isset($firewall['pattern']) || isset($firewall['host'])) {
  355.             $pattern $firewall['pattern'] ?? null;
  356.             $host $firewall['host'] ?? null;
  357.             $methods $firewall['methods'] ?? [];
  358.             $matcher $this->createRequestMatcher($container$pattern$hostnull$methods);
  359.         }
  361.         $config->replaceArgument(2$matcher ? (string) $matcher null);
  362.         $config->replaceArgument(3$firewall['security']);
  364.         // Security disabled?
  365.         if (false === $firewall['security']) {
  366.             return [$matcher, [], nullnull];
  367.         }
  369.         $config->replaceArgument(4$firewall['stateless']);
  371.         $firewallEventDispatcherId 'security.event_dispatcher.'.$id;
  373.         // Provider id (must be configured explicitly per firewall/authenticator if more than one provider is set)
  374.         $defaultProvider null;
  375.         if (isset($firewall['provider'])) {
  376.             if (!isset($providerIds[$normalizedName str_replace('-''_'$firewall['provider'])])) {
  377.                 throw new InvalidConfigurationException(sprintf('Invalid firewall "%s": user provider "%s" not found.'$id$firewall['provider']));
  378.             }
  379.             $defaultProvider $providerIds[$normalizedName];
  381.             if ($this->authenticatorManagerEnabled) {
  382.                 $container->setDefinition('security.listener.'.$id.'.user_provider', new ChildDefinition('security.listener.user_provider.abstract'))
  383.                     ->addTag('kernel.event_listener', ['dispatcher' => $firewallEventDispatcherId'event' => CheckPassportEvent::class, 'priority' => 2048'method' => 'checkPassport'])
  384.                     ->replaceArgument(0, new Reference($defaultProvider));
  385.             }
  386.         } elseif (=== \count($providerIds)) {
  387.             $defaultProvider reset($providerIds);
  388.         }
  390.         $config->replaceArgument(5$defaultProvider);
  392.         // Register Firewall-specific event dispatcher
  393.         $container->register($firewallEventDispatcherIdEventDispatcher::class)
  394.             ->addTag('event_dispatcher.dispatcher', ['name' => $firewallEventDispatcherId]);
  396.         // Register listeners
  397.         $listeners = [];
  398.         $listenerKeys = [];
  400.         // Channel listener
  401.         $listeners[] = new Reference('security.channel_listener');
  403.         $contextKey null;
  404.         $contextListenerId null;
  405.         // Context serializer listener
  406.         if (false === $firewall['stateless']) {
  407.             $contextKey $firewall['context'] ?? $id;
  408.             $listeners[] = new Reference($contextListenerId $this->createContextListener($container$contextKey$this->authenticatorManagerEnabled $firewallEventDispatcherId null));
  409.             $sessionStrategyId 'security.authentication.session_strategy';
  411.             if ($this->authenticatorManagerEnabled) {
  412.                 $container
  413.                     ->setDefinition('security.listener.session.'.$id, new ChildDefinition('security.listener.session'))
  414.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  415.             }
  416.         } else {
  417.             $this->statelessFirewallKeys[] = $id;
  418.             $sessionStrategyId 'security.authentication.session_strategy_noop';
  419.         }
  420.         $container->setAlias(new Alias('security.authentication.session_strategy.'.$idfalse), $sessionStrategyId);
  422.         $config->replaceArgument(6$contextKey);
  424.         // Logout listener
  425.         $logoutListenerId null;
  426.         if (isset($firewall['logout'])) {
  427.             $logoutListenerId 'security.logout_listener.'.$id;
  428.             $logoutListener $container->setDefinition($logoutListenerId, new ChildDefinition('security.logout_listener'));
  429.             $logoutListener->replaceArgument(2, new Reference($firewallEventDispatcherId));
  430.             $logoutListener->replaceArgument(3, [
  431.                 'csrf_parameter' => $firewall['logout']['csrf_parameter'],
  432.                 'csrf_token_id' => $firewall['logout']['csrf_token_id'],
  433.                 'logout_path' => $firewall['logout']['path'],
  434.             ]);
  436.             // add default logout listener
  437.             if (isset($firewall['logout']['success_handler'])) {
  438.                 // deprecated, to be removed in Symfony 6.0
  439.                 $logoutSuccessHandlerId $firewall['logout']['success_handler'];
  440.                 $container->register('security.logout.listener.legacy_success_listener.'.$idLegacyLogoutHandlerListener::class)
  441.                     ->setArguments([new Reference($logoutSuccessHandlerId)])
  442.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  443.             } else {
  444.                 $logoutSuccessListenerId 'security.logout.listener.default.'.$id;
  445.                 $container->setDefinition($logoutSuccessListenerId, new ChildDefinition('security.logout.listener.default'))
  446.                     ->replaceArgument(1$firewall['logout']['target'])
  447.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  448.             }
  450.             // add CSRF provider
  451.             if (isset($firewall['logout']['csrf_token_generator'])) {
  452.                 $logoutListener->addArgument(new Reference($firewall['logout']['csrf_token_generator']));
  453.             }
  455.             // add session logout listener
  456.             if (true === $firewall['logout']['invalidate_session'] && false === $firewall['stateless']) {
  457.                 $container->setDefinition('security.logout.listener.session.'.$id, new ChildDefinition('security.logout.listener.session'))
  458.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  459.             }
  461.             // add cookie logout listener
  462.             if (\count($firewall['logout']['delete_cookies']) > 0) {
  463.                 $container->setDefinition('security.logout.listener.cookie_clearing.'.$id, new ChildDefinition('security.logout.listener.cookie_clearing'))
  464.                     ->addArgument($firewall['logout']['delete_cookies'])
  465.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  466.             }
  468.             // add custom listeners (deprecated)
  469.             foreach ($firewall['logout']['handlers'] as $i => $handlerId) {
  470.                 $container->register('security.logout.listener.legacy_handler.'.$iLegacyLogoutHandlerListener::class)
  471.                     ->addArgument(new Reference($handlerId))
  472.                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  473.             }
  475.             // register with LogoutUrlGenerator
  476.             $container
  477.                 ->getDefinition('security.logout_url_generator')
  478.                 ->addMethodCall('registerListener', [
  479.                     $id,
  480.                     $firewall['logout']['path'],
  481.                     $firewall['logout']['csrf_token_id'],
  482.                     $firewall['logout']['csrf_parameter'],
  483.                     isset($firewall['logout']['csrf_token_generator']) ? new Reference($firewall['logout']['csrf_token_generator']) : null,
  484.                     false === $firewall['stateless'] && isset($firewall['context']) ? $firewall['context'] : null,
  485.                 ])
  486.             ;
  487.         }
  489.         // Determine default entry point
  490.         $configuredEntryPoint $firewall['entry_point'] ?? null;
  492.         // Authentication listeners
  493.         $firewallAuthenticationProviders = [];
  494.         [$authListeners$defaultEntryPoint] = $this->createAuthenticationListeners($container$id$firewall$firewallAuthenticationProviders$defaultProvider$providerIds$configuredEntryPoint$contextListenerId);
  496.         if (!$this->authenticatorManagerEnabled) {
  497.             $authenticationProviders array_merge($authenticationProviders$firewallAuthenticationProviders);
  498.         } else {
  499.             // $configuredEntryPoint is resolved into a service ID and stored in $defaultEntryPoint
  500.             $configuredEntryPoint $defaultEntryPoint;
  502.             // authenticator manager
  503.             $authenticators array_map(function ($id) {
  504.                 return new Reference($id);
  505.             }, $firewallAuthenticationProviders);
  506.             $container
  507.                 ->setDefinition($managerId 'security.authenticator.manager.'.$id, new ChildDefinition('security.authenticator.manager'))
  508.                 ->replaceArgument(0$authenticators)
  509.                 ->replaceArgument(2, new Reference($firewallEventDispatcherId))
  510.                 ->replaceArgument(3$id)
  511.                 ->replaceArgument(7$firewall['required_badges'] ?? [])
  512.                 ->addTag('monolog.logger', ['channel' => 'security'])
  513.             ;
  515.             $managerLocator $container->getDefinition('security.authenticator.managers_locator');
  516.             $managerLocator->replaceArgument(0array_merge($managerLocator->getArgument(0), [$id => new ServiceClosureArgument(new Reference($managerId))]));
  518.             // authenticator manager listener
  519.             $container
  520.                 ->setDefinition('security.firewall.authenticator.'.$id, new ChildDefinition('security.firewall.authenticator'))
  521.                 ->replaceArgument(0, new Reference($managerId))
  522.             ;
  524.             // user checker listener
  525.             $container
  526.                 ->setDefinition('security.listener.user_checker.'.$id, new ChildDefinition('security.listener.user_checker'))
  527.                 ->replaceArgument(0, new Reference('security.user_checker.'.$id))
  528.                 ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
  530.             $listeners[] = new Reference('security.firewall.authenticator.'.$id);
  532.             // Add authenticators to the debug:firewall command
  533.             if ($container->hasDefinition('security.command.debug_firewall')) {
  534.                 $debugCommand $container->getDefinition('security.command.debug_firewall');
  535.                 $debugCommand->replaceArgument(3array_merge($debugCommand->getArgument(3), [$id => $authenticators]));
  536.             }
  537.         }
  539.         $config->replaceArgument(7$configuredEntryPoint ?: $defaultEntryPoint);
  541.         $listeners array_merge($listeners$authListeners);
  543.         // Switch user listener
  544.         if (isset($firewall['switch_user'])) {
  545.             $listenerKeys[] = 'switch_user';
  546.             $listeners[] = new Reference($this->createSwitchUserListener($container$id$firewall['switch_user'], $defaultProvider$firewall['stateless']));
  547.         }
  549.         // Access listener
  550.         $listeners[] = new Reference('security.access_listener');
  552.         // Exception listener
  553.         $exceptionListener = new Reference($this->createExceptionListener($container$firewall$id$configuredEntryPoint ?: $defaultEntryPoint$firewall['stateless']));
  555.         $config->replaceArgument(8$firewall['access_denied_handler'] ?? null);
  556.         $config->replaceArgument(9$firewall['access_denied_url'] ?? null);
  558.         $container->setAlias('security.user_checker.'.$id, new Alias($firewall['user_checker'], false));
  560.         foreach ($this->factories as $position) {
  561.             foreach ($position as $factory) {
  562.                 $key str_replace('-''_'$factory->getKey());
  563.                 if (\array_key_exists($key$firewall)) {
  564.                     $listenerKeys[] = $key;
  565.                 }
  566.             }
  567.         }
  569.         $config->replaceArgument(10$listenerKeys);
  570.         $config->replaceArgument(11$firewall['switch_user'] ?? null);
  572.         return [$matcher$listeners$exceptionListenernull !== $logoutListenerId ? new Reference($logoutListenerId) : null];
  573.     }
  575.     private function createContextListener(ContainerBuilder $containerstring $contextKey, ?string $firewallEventDispatcherId)
  576.     {
  577.         if (isset($this->contextListeners[$contextKey])) {
  578.             return $this->contextListeners[$contextKey];
  579.         }
  581.         $listenerId 'security.context_listener.'.\count($this->contextListeners);
  582.         $listener $container->setDefinition($listenerId, new ChildDefinition('security.context_listener'));
  583.         $listener->replaceArgument(2$contextKey);
  584.         if (null !== $firewallEventDispatcherId) {
  585.             $listener->replaceArgument(4, new Reference($firewallEventDispatcherId));
  586.             $listener->addTag('kernel.event_listener', ['event' => KernelEvents::RESPONSE'method' => 'onKernelResponse']);
  587.         }
  589.         return $this->contextListeners[$contextKey] = $listenerId;
  590.     }
  592.     private function createAuthenticationListeners(ContainerBuilder $containerstring $id, array $firewall, array &$authenticationProviders, ?string $defaultProvider, array $providerIds, ?string $defaultEntryPointstring $contextListenerId null)
  593.     {
  594.         $listeners = [];
  595.         $hasListeners false;
  596.         $entryPoints = [];
  598.         foreach ($this->listenerPositions as $position) {
  599.             foreach ($this->factories[$position] as $factory) {
  600.                 $key str_replace('-''_'$factory->getKey());
  602.                 if (isset($firewall[$key])) {
  603.                     $userProvider $this->getUserProvider($container$id$firewall$key$defaultProvider$providerIds$contextListenerId);
  605.                     if ($this->authenticatorManagerEnabled) {
  606.                         if (!$factory instanceof AuthenticatorFactoryInterface) {
  607.                             throw new InvalidConfigurationException(sprintf('Cannot configure AuthenticatorManager as "%s" authentication does not support it, set "security.enable_authenticator_manager" to `false`.'$key));
  608.                         }
  610.                         $authenticators $factory->createAuthenticator($container$id$firewall[$key], $userProvider);
  611.                         if (\is_array($authenticators)) {
  612.                             foreach ($authenticators as $authenticator) {
  613.                                 $authenticationProviders[] = $authenticator;
  614.                                 $entryPoints[] = $authenticator;
  615.                             }
  616.                         } else {
  617.                             $authenticationProviders[] = $authenticators;
  618.                             $entryPoints[$key] = $authenticators;
  619.                         }
  620.                     } else {
  621.                         [$provider$listenerId$defaultEntryPoint] = $factory->create($container$id$firewall[$key], $userProvider$defaultEntryPoint);
  623.                         $listeners[] = new Reference($listenerId);
  624.                         $authenticationProviders[] = $provider;
  625.                     }
  627.                     if ($factory instanceof FirewallListenerFactoryInterface) {
  628.                         $firewallListenerIds $factory->createListeners($container$id$firewall[$key]);
  629.                         foreach ($firewallListenerIds as $firewallListenerId) {
  630.                             $listeners[] = new Reference($firewallListenerId);
  631.                         }
  632.                     }
  634.                     $hasListeners true;
  635.                 }
  636.             }
  637.         }
  639.         // the actual entry point is configured by the RegisterEntryPointPass
  640.         $container->setParameter('security.'.$id.'._indexed_authenticators'$entryPoints);
  642.         if (false === $hasListeners && !$this->authenticatorManagerEnabled) {
  643.             throw new InvalidConfigurationException(sprintf('No authentication listener registered for firewall "%s".'$id));
  644.         }
  646.         return [$listeners$defaultEntryPoint];
  647.     }
  649.     private function getUserProvider(ContainerBuilder $containerstring $id, array $firewallstring $factoryKey, ?string $defaultProvider, array $providerIds, ?string $contextListenerId): string
  650.     {
  651.         if (isset($firewall[$factoryKey]['provider'])) {
  652.             if (!isset($providerIds[$normalizedName str_replace('-''_'$firewall[$factoryKey]['provider'])])) {
  653.                 throw new InvalidConfigurationException(sprintf('Invalid firewall "%s": user provider "%s" not found.'$id$firewall[$factoryKey]['provider']));
  654.             }
  656.             return $providerIds[$normalizedName];
  657.         }
  659.         if ('remember_me' === $factoryKey && $contextListenerId) {
  660.             $container->getDefinition($contextListenerId)->addTag('security.remember_me_aware', ['id' => $id'provider' => 'none']);
  661.         }
  663.         if ($defaultProvider) {
  664.             return $defaultProvider;
  665.         }
  667.         if (!$providerIds) {
  668.             $userProvider sprintf('security.user.provider.missing.%s'$factoryKey);
  669.             $container->setDefinition(
  670.                 $userProvider,
  671.                 (new ChildDefinition('security.user.provider.missing'))->replaceArgument(0$id)
  672.             );
  674.             return $userProvider;
  675.         }
  677.         if ('remember_me' === $factoryKey || 'anonymous' === $factoryKey || 'custom_authenticators' === $factoryKey) {
  678.             return 'security.user_providers';
  679.         }
  681.         throw new InvalidConfigurationException(sprintf('Not configuring explicitly the provider for the "%s" %s on "%s" firewall is ambiguous as there is more than one registered provider.'$factoryKey$this->authenticatorManagerEnabled 'authenticator' 'listener'$id));
  682.     }
  684.     private function createEncoders(array $encodersContainerBuilder $container)
  685.     {
  686.         $encoderMap = [];
  687.         foreach ($encoders as $class => $encoder) {
  688.             if (class_exists($class) && !is_a($classPasswordAuthenticatedUserInterface::class, true)) {
  689.                 trigger_deprecation('symfony/security-bundle''5.3''Configuring an encoder for a user class that does not implement "%s" is deprecated, class "%s" should implement it.'PasswordAuthenticatedUserInterface::class, $class);
  690.             }
  691.             $encoderMap[$class] = $this->createEncoder($encoder);
  692.         }
  694.         $container
  695.             ->getDefinition('security.encoder_factory.generic')
  696.             ->setArguments([$encoderMap])
  697.         ;
  698.     }
  700.     private function createEncoder(array $config)
  701.     {
  702.         // a custom encoder service
  703.         if (isset($config['id'])) {
  704.             return new Reference($config['id']);
  705.         }
  707.         if ($config['migrate_from'] ?? false) {
  708.             return $config;
  709.         }
  711.         // plaintext encoder
  712.         if ('plaintext' === $config['algorithm']) {
  713.             $arguments = [$config['ignore_case']];
  715.             return [
  716.                 'class' => 'Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder',
  717.                 'arguments' => $arguments,
  718.             ];
  719.         }
  721.         // pbkdf2 encoder
  722.         if ('pbkdf2' === $config['algorithm']) {
  723.             return [
  724.                 'class' => 'Symfony\Component\Security\Core\Encoder\Pbkdf2PasswordEncoder',
  725.                 'arguments' => [
  726.                     $config['hash_algorithm'],
  727.                     $config['encode_as_base64'],
  728.                     $config['iterations'],
  729.                     $config['key_length'],
  730.                 ],
  731.             ];
  732.         }
  734.         // bcrypt encoder
  735.         if ('bcrypt' === $config['algorithm']) {
  736.             $config['algorithm'] = 'native';
  737.             $config['native_algorithm'] = \PASSWORD_BCRYPT;
  739.             return $this->createEncoder($config);
  740.         }
  742.         // Argon2i encoder
  743.         if ('argon2i' === $config['algorithm']) {
  744.             if (SodiumPasswordHasher::isSupported() && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
  745.                 $config['algorithm'] = 'sodium';
  746.             } elseif (\defined('PASSWORD_ARGON2I')) {
  747.                 $config['algorithm'] = 'native';
  748.                 $config['native_algorithm'] = \PASSWORD_ARGON2I;
  749.             } else {
  750.                 throw new InvalidConfigurationException(sprintf('Algorithm "argon2i" is not available. Use "%s" instead.'\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13') ? 'argon2id", "auto' 'auto'));
  751.             }
  753.             return $this->createEncoder($config);
  754.         }
  756.         if ('argon2id' === $config['algorithm']) {
  757.             if (($hasSodium SodiumPasswordHasher::isSupported()) && \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
  758.                 $config['algorithm'] = 'sodium';
  759.             } elseif (\defined('PASSWORD_ARGON2ID')) {
  760.                 $config['algorithm'] = 'native';
  761.                 $config['native_algorithm'] = \PASSWORD_ARGON2ID;
  762.             } else {
  763.                 throw new InvalidConfigurationException(sprintf('Algorithm "argon2id" is not available. Either use "%s", upgrade to PHP 7.3+ or use libsodium 1.0.15+ instead.'\defined('PASSWORD_ARGON2I') || $hasSodium 'argon2i", "auto' 'auto'));
  764.             }
  766.             return $this->createEncoder($config);
  767.         }
  769.         if ('native' === $config['algorithm']) {
  770.             return [
  771.                 'class' => NativePasswordEncoder::class,
  772.                 'arguments' => [
  773.                         $config['time_cost'],
  774.                         (($config['memory_cost'] ?? 0) << 10) ?: null,
  775.                         $config['cost'],
  776.                     ] + (isset($config['native_algorithm']) ? [=> $config['native_algorithm']] : []),
  777.             ];
  778.         }
  780.         if ('sodium' === $config['algorithm']) {
  781.             if (!SodiumPasswordHasher::isSupported()) {
  782.                 throw new InvalidConfigurationException('Libsodium is not available. Install the sodium extension or use "auto" instead.');
  783.             }
  785.             return [
  786.                 'class' => SodiumPasswordEncoder::class,
  787.                 'arguments' => [
  788.                     $config['time_cost'],
  789.                     (($config['memory_cost'] ?? 0) << 10) ?: null,
  790.                 ],
  791.             ];
  792.         }
  794.         // run-time configured encoder
  795.         return $config;
  796.     }
  798.     private function createHashers(array $hashersContainerBuilder $container)
  799.     {
  800.         $hasherMap = [];
  801.         foreach ($hashers as $class => $hasher) {
  802.             // @deprecated since Symfony 5.3, remove the check in 6.0
  803.             if (class_exists($class) && !is_a($classPasswordAuthenticatedUserInterface::class, true)) {
  804.                 trigger_deprecation('symfony/security-bundle''5.3''Configuring a password hasher for a user class that does not implement "%s" is deprecated, class "%s" should implement it.'PasswordAuthenticatedUserInterface::class, $class);
  805.             }
  806.             $hasherMap[$class] = $this->createHasher($hasher);
  807.         }
  809.         $container
  810.             ->getDefinition('security.password_hasher_factory')
  811.             ->setArguments([$hasherMap])
  812.         ;
  813.     }
  815.     private function createHasher(array $config)
  816.     {
  817.         // a custom hasher service
  818.         if (isset($config['id'])) {
  819.             return new Reference($config['id']);
  820.         }
  822.         if ($config['migrate_from'] ?? false) {
  823.             return $config;
  824.         }
  826.         // plaintext hasher
  827.         if ('plaintext' === $config['algorithm']) {
  828.             $arguments = [$config['ignore_case']];
  830.             return [
  831.                 'class' => PlaintextPasswordHasher::class,
  832.                 'arguments' => $arguments,
  833.             ];
  834.         }
  836.         // pbkdf2 hasher
  837.         if ('pbkdf2' === $config['algorithm']) {
  838.             return [
  839.                 'class' => Pbkdf2PasswordHasher::class,
  840.                 'arguments' => [
  841.                     $config['hash_algorithm'],
  842.                     $config['encode_as_base64'],
  843.                     $config['iterations'],
  844.                     $config['key_length'],
  845.                 ],
  846.             ];
  847.         }
  849.         // bcrypt hasher
  850.         if ('bcrypt' === $config['algorithm']) {
  851.             $config['algorithm'] = 'native';
  852.             $config['native_algorithm'] = \PASSWORD_BCRYPT;
  854.             return $this->createHasher($config);
  855.         }
  857.         // Argon2i hasher
  858.         if ('argon2i' === $config['algorithm']) {
  859.             if (SodiumPasswordHasher::isSupported() && !\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
  860.                 $config['algorithm'] = 'sodium';
  861.             } elseif (\defined('PASSWORD_ARGON2I')) {
  862.                 $config['algorithm'] = 'native';
  863.                 $config['native_algorithm'] = \PASSWORD_ARGON2I;
  864.             } else {
  865.                 throw new InvalidConfigurationException(sprintf('Algorithm "argon2i" is not available. Either use "%s" or upgrade to PHP 7.2+ instead.'\defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13') ? 'argon2id", "auto' 'auto'));
  866.             }
  868.             return $this->createHasher($config);
  869.         }
  871.         if ('argon2id' === $config['algorithm']) {
  872.             if (($hasSodium SodiumPasswordHasher::isSupported()) && \defined('SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13')) {
  873.                 $config['algorithm'] = 'sodium';
  874.             } elseif (\defined('PASSWORD_ARGON2ID')) {
  875.                 $config['algorithm'] = 'native';
  876.                 $config['native_algorithm'] = \PASSWORD_ARGON2ID;
  877.             } else {
  878.                 throw new InvalidConfigurationException(sprintf('Algorithm "argon2id" is not available. Either use "%s", upgrade to PHP 7.3+ or use libsodium 1.0.15+ instead.'\defined('PASSWORD_ARGON2I') || $hasSodium 'argon2i", "auto' 'auto'));
  879.             }
  881.             return $this->createHasher($config);
  882.         }
  884.         if ('native' === $config['algorithm']) {
  885.             return [
  886.                 'class' => NativePasswordHasher::class,
  887.                 'arguments' => [
  888.                     $config['time_cost'],
  889.                     (($config['memory_cost'] ?? 0) << 10) ?: null,
  890.                     $config['cost'],
  891.                 ] + (isset($config['native_algorithm']) ? [=> $config['native_algorithm']] : []),
  892.             ];
  893.         }
  895.         if ('sodium' === $config['algorithm']) {
  896.             if (!SodiumPasswordHasher::isSupported()) {
  897.                 throw new InvalidConfigurationException('Libsodium is not available. Install the sodium extension or use "auto" instead.');
  898.             }
  900.             return [
  901.                 'class' => SodiumPasswordHasher::class,
  902.                 'arguments' => [
  903.                     $config['time_cost'],
  904.                     (($config['memory_cost'] ?? 0) << 10) ?: null,
  905.                 ],
  906.             ];
  907.         }
  909.         // run-time configured hasher
  910.         return $config;
  911.     }
  913.     // Parses user providers and returns an array of their ids
  914.     private function createUserProviders(array $configContainerBuilder $container): array
  915.     {
  916.         $providerIds = [];
  917.         foreach ($config['providers'] as $name => $provider) {
  918.             $id $this->createUserDaoProvider($name$provider$container);
  919.             $providerIds[str_replace('-''_'$name)] = $id;
  920.         }
  922.         return $providerIds;
  923.     }
  925.     // Parses a <provider> tag and returns the id for the related user provider service
  926.     private function createUserDaoProvider(string $name, array $providerContainerBuilder $container): string
  927.     {
  928.         $name $this->getUserProviderId($name);
  930.         // Doctrine Entity and In-memory DAO provider are managed by factories
  931.         foreach ($this->userProviderFactories as $factory) {
  932.             $key str_replace('-''_'$factory->getKey());
  934.             if (!empty($provider[$key])) {
  935.                 $factory->create($container$name$provider[$key]);
  937.                 return $name;
  938.             }
  939.         }
  941.         // Existing DAO service provider
  942.         if (isset($provider['id'])) {
  943.             $container->setAlias($name, new Alias($provider['id'], false));
  945.             return $provider['id'];
  946.         }
  948.         // Chain provider
  949.         if (isset($provider['chain'])) {
  950.             $providers = [];
  951.             foreach ($provider['chain']['providers'] as $providerName) {
  952.                 $providers[] = new Reference($this->getUserProviderId($providerName));
  953.             }
  955.             $container
  956.                 ->setDefinition($name, new ChildDefinition('security.user.provider.chain'))
  957.                 ->addArgument(new IteratorArgument($providers));
  959.             return $name;
  960.         }
  962.         throw new InvalidConfigurationException(sprintf('Unable to create definition for "%s" user provider.'$name));
  963.     }
  965.     private function getUserProviderId(string $name): string
  966.     {
  967.         return 'security.user.provider.concrete.'.strtolower($name);
  968.     }
  970.     private function createExceptionListener(ContainerBuilder $container, array $configstring $id, ?string $defaultEntryPointbool $stateless): string
  971.     {
  972.         $exceptionListenerId 'security.exception_listener.'.$id;
  973.         $listener $container->setDefinition($exceptionListenerId, new ChildDefinition('security.exception_listener'));
  974.         $listener->replaceArgument(3$id);
  975.         $listener->replaceArgument(4null === $defaultEntryPoint null : new Reference($defaultEntryPoint));
  976.         $listener->replaceArgument(8$stateless);
  978.         // access denied handler setup
  979.         if (isset($config['access_denied_handler'])) {
  980.             $listener->replaceArgument(6, new Reference($config['access_denied_handler']));
  981.         } elseif (isset($config['access_denied_url'])) {
  982.             $listener->replaceArgument(5$config['access_denied_url']);
  983.         }
  985.         return $exceptionListenerId;
  986.     }
  988.     private function createSwitchUserListener(ContainerBuilder $containerstring $id, array $config, ?string $defaultProviderbool $stateless): string
  989.     {
  990.         $userProvider = isset($config['provider']) ? $this->getUserProviderId($config['provider']) : $defaultProvider;
  992.         if (!$userProvider) {
  993.             throw new InvalidConfigurationException(sprintf('Not configuring explicitly the provider for the "switch_user" listener on "%s" firewall is ambiguous as there is more than one registered provider.'$id));
  994.         }
  996.         $switchUserListenerId 'security.authentication.switchuser_listener.'.$id;
  997.         $listener $container->setDefinition($switchUserListenerId, new ChildDefinition('security.authentication.switchuser_listener'));
  998.         $listener->replaceArgument(1, new Reference($userProvider));
  999.         $listener->replaceArgument(2, new Reference('security.user_checker.'.$id));
  1000.         $listener->replaceArgument(3$id);
  1001.         $listener->replaceArgument(6$config['parameter']);
  1002.         $listener->replaceArgument(7$config['role']);
  1003.         $listener->replaceArgument(9$stateless);
  1005.         return $switchUserListenerId;
  1006.     }
  1008.     private function createExpression(ContainerBuilder $containerstring $expression): Reference
  1009.     {
  1010.         if (isset($this->expressions[$id '.security.expression.'.ContainerBuilder::hash($expression)])) {
  1011.             return $this->expressions[$id];
  1012.         }
  1014.         if (!$container::willBeAvailable('symfony/expression-language'ExpressionLanguage::class, ['symfony/security-bundle'])) {
  1015.             throw new \RuntimeException('Unable to use expressions as the Symfony ExpressionLanguage component is not installed. Try running "composer require symfony/expression-language".');
  1016.         }
  1018.         $container
  1019.             ->register($id'Symfony\Component\ExpressionLanguage\Expression')
  1020.             ->setPublic(false)
  1021.             ->addArgument($expression)
  1022.         ;
  1024.         return $this->expressions[$id] = new Reference($id);
  1025.     }
  1027.     private function createRequestMatcher(ContainerBuilder $containerstring $path nullstring $host nullint $port null, array $methods = [], array $ips null, array $attributes = []): Reference
  1028.     {
  1029.         if ($methods) {
  1030.             $methods array_map('strtoupper'$methods);
  1031.         }
  1033.         if (null !== $ips) {
  1034.             foreach ($ips as $ip) {
  1035.                 $container->resolveEnvPlaceholders($ipnull$usedEnvs);
  1037.                 if (!$usedEnvs && !$this->isValidIps($ip)) {
  1038.                     throw new \LogicException(sprintf('The given value "%s" in the "security.access_control" config option is not a valid IP address.'$ip));
  1039.                 }
  1041.                 $usedEnvs null;
  1042.             }
  1043.         }
  1045.         $id '.security.request_matcher.'.ContainerBuilder::hash([$path$host$port$methods$ips$attributes]);
  1047.         if (isset($this->requestMatchers[$id])) {
  1048.             return $this->requestMatchers[$id];
  1049.         }
  1051.         // only add arguments that are necessary
  1052.         $arguments = [$path$host$methods$ips$attributesnull$port];
  1053.         while (\count($arguments) > && !end($arguments)) {
  1054.             array_pop($arguments);
  1055.         }
  1057.         $container
  1058.             ->register($id'Symfony\Component\HttpFoundation\RequestMatcher')
  1059.             ->setPublic(false)
  1060.             ->setArguments($arguments)
  1061.         ;
  1063.         return $this->requestMatchers[$id] = new Reference($id);
  1064.     }
  1066.     public function addSecurityListenerFactory(SecurityFactoryInterface $factory)
  1067.     {
  1068.         $this->factories[$factory->getPosition()][] = $factory;
  1069.     }
  1071.     public function addUserProviderFactory(UserProviderFactoryInterface $factory)
  1072.     {
  1073.         $this->userProviderFactories[] = $factory;
  1074.     }
  1076.     /**
  1077.      * {@inheritdoc}
  1078.      */
  1079.     public function getXsdValidationBasePath()
  1080.     {
  1081.         return __DIR__.'/../Resources/config/schema';
  1082.     }
  1084.     public function getNamespace()
  1085.     {
  1086.         return 'http://symfony.com/schema/dic/security';
  1087.     }
  1089.     public function getConfiguration(array $configContainerBuilder $container)
  1090.     {
  1091.         // first assemble the factories
  1092.         return new MainConfiguration($this->factories$this->userProviderFactories);
  1093.     }
  1095.     private function isValidIps($ips): bool
  1096.     {
  1097.         $ipsList array_reduce((array) $ips, static function (array $ipsstring $ip) {
  1098.             return array_merge($ipspreg_split('/\s*,\s*/'$ip));
  1099.         }, []);
  1101.         if (!$ipsList) {
  1102.             return false;
  1103.         }
  1105.         foreach ($ipsList as $cidr) {
  1106.             if (!$this->isValidIp($cidr)) {
  1107.                 return false;
  1108.             }
  1109.         }
  1111.         return true;
  1112.     }
  1114.     private function isValidIp(string $cidr): bool
  1115.     {
  1116.         $cidrParts explode('/'$cidr);
  1118.         if (=== \count($cidrParts)) {
  1119.             return false !== filter_var($cidrParts[0], \FILTER_VALIDATE_IP);
  1120.         }
  1122.         $ip $cidrParts[0];
  1123.         $netmask $cidrParts[1];
  1125.         if (!ctype_digit($netmask)) {
  1126.             return false;
  1127.         }
  1129.         if (filter_var($ip\FILTER_VALIDATE_IP\FILTER_FLAG_IPV4)) {
  1130.             return $netmask <= 32;
  1131.         }
  1133.         if (filter_var($ip\FILTER_VALIDATE_IP\FILTER_FLAG_IPV6)) {
  1134.             return $netmask <= 128;
  1135.         }
  1137.         return false;
  1138.     }
  1139. }