Configures API security firewalls to be able to work with session

- allow overwrite cors defaults from docker
vtsykun · Jan 18, 2020 · 6dc05b2 · 6dc05b2
1 parent e23aa29
commit 6dc05b2
Show file tree

Hide file tree

Showing 9 changed files with 179 additions and 5 deletions.
diff --git a/app/AppKernel.php b/app/AppKernel.php
@@ -18,6 +18,7 @@ public function registerBundles()
             new Sensio\Bundle\FrameworkExtraBundle\SensioFrameworkExtraBundle(),
             new FOS\UserBundle\FOSUserBundle(),
             new Snc\RedisBundle\SncRedisBundle(),
+            new Nelmio\CorsBundle\NelmioCorsBundle(),
             new Okvpn\Bundle\CronBundle\OkvpnCronBundle(),
             new WhiteOctober\PagerfantaBundle\WhiteOctoberPagerfantaBundle(),
             new Knp\Bundle\MenuBundle\KnpMenuBundle(),

diff --git a/app/config/config.yml b/app/config/config.yml
@@ -2,6 +2,7 @@ imports:
     - { resource: defaults.yml }
     - { resource: parameters.yml }
     - { resource: security.yml }
+    - { resource: nelmio_cors.yml } # Easy overwrite using docker volume if need allow cors
 
 framework:
     secret:          '%secret%'

diff --git a/app/config/nelmio_cors.yml b/app/config/nelmio_cors.yml
@@ -0,0 +1,11 @@
+nelmio_cors:
+    defaults:
+        allow_credentials: false
+        allow_origin: []
+        allow_headers: []
+        allow_methods: []
+        expose_headers: []
+        max_age: 0
+        hosts: []
+        origin_regex: false
+        forced_allow_origin_value: ~
diff --git a/app/config/security.yml b/app/config/security.yml
@@ -13,6 +13,8 @@ security:
         packages:
             pattern: (^(/packages.json$|/p/|/zipball/|/feeds/.+(\.rss|\.atom)|/packages/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+?(\.json|/changelog)|/packages/list\.json|/downloads/|/api/))+
             api_basic: true
+            stateless: true
+            context: main
 
         main:
             pattern:      .*

diff --git a/composer.json b/composer.json
@@ -40,6 +40,7 @@
         "ezyang/htmlpurifier": "^4.6",
         "friendsofsymfony/user-bundle": "^2.1",
         "incenteev/composer-parameter-handler": "^2.0",
+        "nelmio/cors-bundle": "^1.5",
         "knplabs/knp-menu-bundle": "^2.1",
         "okvpn/cron-bundle": "^0.1.0",
         "oro/doctrine-extensions": "^1.2",

diff --git a/composer.lock b/composer.lock
diff --git a/docs/webhook.md b/docs/webhook.md
@@ -256,13 +256,12 @@ Payload
 
 Gitlab auto webhook
 -------------------
-You can use event `new_repo` to adds a hook to a specified Gitlab project.
-It can be useful, if you don't have a Gold Gitlab Plan that allow configure webhooks for your group,
-so you need add it manually for each repository.
+You can use the event `new_repo` to add a hook to the specified Gitlab project.
+It can be useful, if you don't have a Gold Gitlab Plan that allows configure webhooks for your group,
+so you need add it manually for each a new repository.
 
 POST `https://{{ host }}/api/v4/projects/{{ repo }}/hooks?private_token=xxxxxxxxxxxxxxxx`
 
-
 Options:
 
 ```json

diff --git a/src/Packagist/WebBundle/DependencyInjection/CompilerPass/ApiFirewallCompilerPass.php b/src/Packagist/WebBundle/DependencyInjection/CompilerPass/ApiFirewallCompilerPass.php
@@ -0,0 +1,99 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Packagist\WebBundle\DependencyInjection\CompilerPass;
+
+use Symfony\Component\DependencyInjection\Argument\IteratorArgument;
+use Symfony\Component\DependencyInjection\ChildDefinition;
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Reference;
+
+/**
+ * Configures API security firewalls to be able to work in two modes: stateless and statefull (with session and api_key).
+ */
+final class ApiFirewallCompilerPass implements CompilerPassInterface
+{
+    /** @var array */
+    private $contextListeners = [];
+
+    /**
+     * {@inheritdoc}
+     */
+    public function process(ContainerBuilder $container): void
+    {
+        $securityConfigs = $container->getExtensionConfig('security');
+        if (empty($securityConfigs[0]['firewalls'])) {
+            return;
+        }
+
+        foreach ($securityConfigs[0]['firewalls'] as $name => $config) {
+            if ($this->isStatelessFirewallWithContext($config)) {
+                $this->configureStatelessFirewallWithContext($container, $name, $config);
+            }
+        }
+    }
+
+    /**
+     * Checks whether a firewall is stateless and have context parameter
+     *
+     * @param array $firewallConfig
+     *
+     * @return bool
+     */
+    private function isStatelessFirewallWithContext(array $firewallConfig): bool
+    {
+        return ($firewallConfig['stateless'] ?? null) && ($firewallConfig['context'] ?? null);
+    }
+
+    /**
+     * @param ContainerBuilder $container
+     * @param string           $firewallName
+     * @param array            $firewallConfig
+     */
+    private function configureStatelessFirewallWithContext(
+        ContainerBuilder $container,
+        string $firewallName,
+        array $firewallConfig
+    ): void {
+        $contextId = 'security.firewall.map.context.' . $firewallName;
+        if (!$container->hasDefinition($contextId)) {
+            return;
+        }
+
+        $contextDef = $container->getDefinition($contextId);
+        $contextKey = $firewallConfig['context'];
+
+        // add the context listener
+        $listenerId = $this->createContextListener($container, $contextKey);
+        /** @var IteratorArgument $listeners */
+        $listeners = $contextDef->getArgument(0);
+        $contextListeners = array_merge([new Reference($listenerId)], $listeners->getValues());
+
+        $contextDef->replaceArgument(0, $contextListeners);
+    }
+
+    /**
+     * @param ContainerBuilder $container
+     * @param string           $contextKey
+     *
+     * @return string
+     */
+    private function createContextListener(ContainerBuilder $container, $contextKey): string
+    {
+        if (isset($this->contextListeners[$contextKey])) {
+            return $this->contextListeners[$contextKey];
+        }
+
+        $listenerId = 'packagist.context_listener.' . $contextKey;
+        $container
+            ->setDefinition($listenerId, new ChildDefinition('security.context_listener'))
+            ->replaceArgument(2, $contextKey)
+            ->replaceArgument(4, null); // Remove event dispatcher to prevent save session for stateless api.
+
+        $this->contextListeners[$contextKey] = $listenerId;
+
+        return $listenerId;
+    }
+}
diff --git a/src/Packagist/WebBundle/PackagistWebBundle.php b/src/Packagist/WebBundle/PackagistWebBundle.php
@@ -12,6 +12,7 @@
 
 namespace Packagist\WebBundle;
 
+use Packagist\WebBundle\DependencyInjection\CompilerPass\ApiFirewallCompilerPass;
 use Packagist\WebBundle\DependencyInjection\CompilerPass\WorkerLocatorPass;
 use Packagist\WebBundle\DependencyInjection\Security\ApiHttpBasicFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\SecurityExtension;
@@ -33,5 +34,6 @@ public function build(ContainerBuilder $container)
         $extension->addSecurityListenerFactory(new ApiHttpBasicFactory());
 
         $container->addCompilerPass(new WorkerLocatorPass());
+        $container->addCompilerPass(new ApiFirewallCompilerPass());
     }
 }