Merge branch '7.3' into 7.4

* 7.3:
  [SecurityBundle] Fix semantic configuration for singulars/plurals in XML
  [JsonPath] Make the component RFC compliant
  Fix `#[IsCsrfTokenValid]` to ensure `$tokenKey` is non-nullable

Author: nicolas-grekas

src/Symfony/Bundle/DebugBundle/Resources/config/schema/debug-1.0.xsd

@@ -11,5 +11,13 @@
         <xsd:attribute name="min-depth" type="xsd:integer" />
         <xsd:attribute name="max-string-length" type="xsd:integer" />
         <xsd:attribute name="dump-destination" type="xsd:string" />
+        <xsd:attribute name="theme" type="debug_theme" />
     </xsd:complexType>
+
+    <xsd:simpleType name="debug_theme">
+        <xsd:restriction base="xsd:string">
+            <xsd:enumeration value="dark" />
+            <xsd:enumeration value="light" />
+        </xsd:restriction>
+    </xsd:simpleType>
 </xsd:schema>

src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php

@@ -86,6 +86,7 @@ public function getConfigTreeBuilder(): TreeBuilder
                 })
             ->end()
             ->fixXmlConfig('enabled_locale')
+            ->fixXmlConfig('trusted_header')
             ->children()
                 ->scalarNode('secret')->end()
                 ->booleanNode('http_method_override')
@@ -124,7 +125,6 @@ public function getConfigTreeBuilder(): TreeBuilder
                     ->defaultValue(['%env(default::SYMFONY_TRUSTED_PROXIES)%'])
                 ->end()
                 ->arrayNode('trusted_headers')
-                    ->fixXmlConfig('trusted_header')
                     ->performNoDeepMerging()
                     ->beforeNormalization()->ifString()->then(static fn ($v) => $v ? [$v] : [])->end()
                     ->prototype('scalar')->end()
@@ -276,6 +276,7 @@ private function addHttpCacheSection(ArrayNodeDefinition $rootNode): void
                     ->info('HTTP cache configuration')
                     ->canBeEnabled()
                     ->fixXmlConfig('private_header')
+                    ->fixXmlConfig('skip_response_header')
                     ->children()
                         ->booleanNode('debug')->defaultValue('%kernel.debug%')->end()
                         ->enumNode('trace_level')

src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd

@@ -47,6 +47,7 @@
             <xsd:element name="webhook" type="webhook" minOccurs="0" maxOccurs="1" />
             <xsd:element name="remote-event" type="remote-event" minOccurs="0" maxOccurs="1" />
             <xsd:element name="json-streamer" type="json-streamer" minOccurs="0" maxOccurs="1" />
+            <xsd:element name="secrets" type="secrets" minOccurs="0" maxOccurs="1" />
         </xsd:choice>
 
         <xsd:attribute name="http-method-override" type="xsd:boolean" />
@@ -62,6 +63,7 @@
         <xsd:attribute name="trusted-hosts" type="xsd:string" />
         <xsd:attribute name="trusted-proxies" type="xsd:string" />
         <xsd:attribute name="trusted-headers" type="xsd:string" />
+        <xsd:attribute name="disallow-search-engine-index" type="xsd:boolean" />
     </xsd:complexType>
 
     <xsd:complexType name="form">
@@ -724,6 +726,7 @@
         <xsd:choice maxOccurs="unbounded">
             <xsd:element name="resolve" type="http_resolve" minOccurs="0" maxOccurs="unbounded" />
             <xsd:element name="header" type="http_header" minOccurs="0" maxOccurs="unbounded" />
+            <xsd:element name="var" type="http_var" minOccurs="0" maxOccurs="unbounded" />
             <xsd:element name="peer-fingerprint" type="fingerprint" minOccurs="0" maxOccurs="unbounded" />
             <xsd:element name="retry-failed" type="http_client_retry_failed" minOccurs="0" maxOccurs="1" />
             <xsd:element name="extra" type="xsd:anyType" minOccurs="0" maxOccurs="unbounded" />
@@ -818,6 +821,10 @@
         <xsd:attribute name="name" type="xsd:string" />
     </xsd:complexType>
 
+    <xsd:complexType name="http_var" mixed="true">
+        <xsd:attribute name="name" type="xsd:string" />
+    </xsd:complexType>
+
     <xsd:complexType name="mailer">
         <xsd:sequence>
             <xsd:element name="transport" type="mailer_transport" minOccurs="0" maxOccurs="unbounded" />
@@ -875,6 +882,7 @@
     <xsd:complexType name="http_cache">
         <xsd:sequence>
             <xsd:element name="private-header" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
+            <xsd:element name="skip-response-header" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
         </xsd:sequence>
 
         <xsd:attribute name="enabled" type="xsd:boolean" />
@@ -1077,4 +1085,11 @@
         <xsd:attribute name="enabled" type="xsd:boolean" />
     </xsd:complexType>
 
+    <xsd:complexType name="secrets">
+        <xsd:attribute name="enabled" type="xsd:boolean" />
+        <xsd:attribute name="vault-directory" type="xsd:string" />
+        <xsd:attribute name="local-dotenv-file" type="xsd:string" />
+        <xsd:attribute name="decryption-env-var" type="xsd:string" />
+    </xsd:complexType>
+
 </xsd:schema>

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/CasTokenHandlerFactory.php

@@ -42,7 +42,6 @@ public function addConfiguration(NodeBuilder $node): void
     {
         $node
             ->arrayNode($this->getKey())
-                ->fixXmlConfig($this->getKey())
                 ->children()
                     ->scalarNode('validation_url')
                         ->info('CAS server validation URL')

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php

@@ -90,8 +90,8 @@ public function addConfiguration(NodeBuilder $node): void
     {
         $node
             ->arrayNode($this->getKey())
-                ->fixXmlConfig($this->getKey())
                 ->fixXmlConfig('issuer')
+                ->fixXmlConfig('algorithm')
                 ->validate()
                     ->ifTrue(static fn ($v) => !isset($v['algorithm']) && !isset($v['algorithms']))
                     ->thenInvalid('You must set either "algorithm" or "algorithms".')
@@ -173,6 +173,7 @@ public function addConfiguration(NodeBuilder $node): void
                         ->info('JSON-encoded JWKSet used to sign the token (must contain a list of valid public keys).')
                     ->end()
                     ->arrayNode('encryption')
+                        ->fixXmlConfig('algorithm')
                         ->canBeEnabled()
                         ->children()
                             ->booleanNode('enforce')

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcUserInfoTokenHandlerFactory.php

@@ -63,7 +63,6 @@ public function addConfiguration(NodeBuilder $node): void
     {
         $node
             ->arrayNode($this->getKey())
-                ->fixXmlConfig($this->getKey())
                 ->beforeNormalization()
                     ->ifString()
                     ->then(fn ($v) => ['claim' => 'sub', 'base_uri' => $v])

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AccessTokenFactory.php

@@ -43,11 +43,10 @@ public function addConfiguration(NodeDefinition $node): void
     {
         parent::addConfiguration($node);
 
-        $builder = $node->children();
+        $builder = $node->fixXmlConfig('token_extractor')->children();
         $builder
             ->scalarNode('realm')->defaultNull()->end()
             ->arrayNode('token_extractors')
-                ->fixXmlConfig('token_extractors')
                 ->beforeNormalization()
                     ->ifString()
                     ->then(fn ($v) => [$v])

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php

@@ -126,6 +126,7 @@ public function getKey(): string
     public function addConfiguration(NodeDefinition $node): void
     {
         $builder = $node
+            ->fixXmlConfig('signature_property', 'signature_properties')
             ->fixXmlConfig('user_provider')
             ->children()
         ;

src/Symfony/Bundle/SecurityBundle/Resources/config/schema/security-1.0.xsd

@@ -9,40 +9,19 @@
     <xsd:complexType name="config">
         <xsd:choice maxOccurs="unbounded">
             <xsd:element name="access-decision-manager" type="access_decision_manager" minOccurs="0" maxOccurs="1" />
-            <xsd:element name="password_hashers" type="password_hashers" minOccurs="0" maxOccurs="1" />
-            <xsd:element name="password_hasher" type="password_hasher" minOccurs="0" maxOccurs="unbounded" />
-            <xsd:element name="providers" type="providers" minOccurs="0" maxOccurs="1" />
+            <xsd:element name="password-hasher" type="password_hasher" minOccurs="0" maxOccurs="unbounded" />
             <xsd:element name="provider" type="provider" minOccurs="0" maxOccurs="unbounded" />
-            <xsd:element name="firewalls" type="firewalls" minOccurs="0" maxOccurs="1" />
             <xsd:element name="firewall" type="firewall" minOccurs="0" maxOccurs="unbounded" />
             <xsd:element name="rule" type="rule" minOccurs="0" maxOccurs="unbounded" />
             <xsd:element name="role" type="role" minOccurs="0" maxOccurs="unbounded" />
         </xsd:choice>
         <xsd:attribute name="access-denied-url" type="xsd:string" />
         <xsd:attribute name="session-fixation-strategy" type="session_fixation_strategy" />
         <xsd:attribute name="hide-user-not-found" type="xsd:boolean" />
-        <xsd:attribute name="always-authenticate-before-granting" type="xsd:boolean" />
+        <xsd:attribute name="expose-security-errors" type="access_decision_manager_expose_security_level" />
         <xsd:attribute name="erase-credentials" type="xsd:boolean" />
     </xsd:complexType>
 
-    <xsd:complexType name="password_hashers">
-        <xsd:sequence>
-            <xsd:element name="password_hasher" type="password_hasher" minOccurs="1" maxOccurs="unbounded" />
-        </xsd:sequence>
-    </xsd:complexType>
-
-    <xsd:complexType name="providers">
-        <xsd:sequence>
-            <xsd:element name="provider" type="provider" minOccurs="1" maxOccurs="unbounded" />
-        </xsd:sequence>
-    </xsd:complexType>
-
-    <xsd:complexType name="firewalls">
-        <xsd:sequence>
-            <xsd:element name="firewall" type="firewall" minOccurs="1" maxOccurs="unbounded" />
-        </xsd:sequence>
-    </xsd:complexType>
-
     <xsd:simpleType name="session_fixation_strategy">
         <xsd:restriction base="xsd:string">
             <xsd:enumeration value="none" />
@@ -55,7 +34,6 @@
         <xsd:attribute name="strategy" type="access_decision_manager_strategy" />
         <xsd:attribute name="service" type="xsd:string" />
         <xsd:attribute name="strategy-service" type="xsd:string" />
-        <xsd:attribute name="expose-security-errors" type="access_decision_manager_expose_security_level" />
         <xsd:attribute name="allow-if-all-abstain" type="xsd:boolean" />
         <xsd:attribute name="allow-if-equal-granted-denied" type="xsd:boolean" />
     </xsd:complexType>
@@ -196,12 +174,16 @@
         <xsd:attribute name="name" type="xsd:string" use="required" />
         <xsd:attribute name="path" type="xsd:string" />
         <xsd:attribute name="domain" type="xsd:string" />
+        <xsd:attribute name="secure" type="xsd:boolean" />
+        <xsd:attribute name="samesite" type="remember_me_samesite" />
+        <xsd:attribute name="partitioned" type="xsd:boolean" />
     </xsd:complexType>
 
     <xsd:complexType name="switch_user">
         <xsd:attribute name="provider" type="xsd:string" />
         <xsd:attribute name="parameter" type="xsd:string" />
         <xsd:attribute name="role" type="xsd:string" />
+        <xsd:attribute name="target-route" type="xsd:string" />
     </xsd:complexType>
 
     <xsd:complexType name="anonymous">
@@ -304,6 +286,7 @@
         <xsd:attribute name="success-handler" type="xsd:string" />
         <xsd:attribute name="failure-handler" type="xsd:string" />
         <xsd:attribute name="provider" type="xsd:string" />
+        <xsd:attribute name="secret" type="xsd:string" />
     </xsd:complexType>
 
     <xsd:complexType name="access_token">
@@ -321,59 +304,66 @@
     <xsd:complexType name="oidc_token_handler">
         <xsd:sequence>
             <xsd:choice minOccurs="0" maxOccurs="1">
-                <xsd:element name="oidc-user-info" type="oidc_user_info"></xsd:element>
-                <xsd:element name="oidc" type="oidc"></xsd:element>
+                <xsd:element name="oidc-user-info" type="oidc_user_info" />
+                <xsd:element name="oidc" type="oidc" />
             </xsd:choice>
         </xsd:sequence>
-        <xsd:attribute name="oidc-user-info" type="xsd:anyURI"></xsd:attribute>
+        <xsd:attribute name="oidc-user-info" type="xsd:string" />
     </xsd:complexType>
 
     <xsd:complexType name="oidc_user_info">
-        <xsd:attribute name="base-uri" type="xsd:anyURI" use="required" />
+        <xsd:sequence>
+            <xsd:element name="discovery" minOccurs="0" maxOccurs="1">
+                <xsd:complexType>
+                    <xsd:sequence>
+                        <xsd:element name="cache" minOccurs="0" maxOccurs="1">
+                            <xsd:complexType>
+                                <xsd:attribute name="id" type="xsd:string" />
+                            </xsd:complexType>
+                        </xsd:element>
+                    </xsd:sequence>
+                </xsd:complexType>
+            </xsd:element>
+        </xsd:sequence>
+        <xsd:attribute name="base-uri" type="xsd:string" use="required" />
         <xsd:attribute name="claim" type="xsd:string" />
         <xsd:attribute name="client" type="xsd:string" />
     </xsd:complexType>
 
     <xsd:complexType name="oidc">
         <xsd:choice maxOccurs="unbounded">
-            <xsd:element name="issuers" type="oidc_issuers" minOccurs="0" maxOccurs="1" />
-            <xsd:element name="issuer" type="password_hasher" minOccurs="0" maxOccurs="unbounded" />
+            <xsd:element name="issuer" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />
+            <xsd:element name="algorithm" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />
             <xsd:element name="encryption" type="oidc_encryption" />
         </xsd:choice>
         <xsd:attribute name="claim" type="xsd:string" />
         <xsd:attribute name="audience" type="xsd:string" use="required" />
-        <xsd:attribute name="algorithm" type="xsd:string" use="required" />
-        <xsd:attribute name="key" type="xsd:string" use="required" />
+        <xsd:attribute name="algorithm" type="xsd:string" />
+        <xsd:attribute name="key" type="xsd:string" />
+        <xsd:attribute name="keyset" type="xsd:string" />
     </xsd:complexType>
 
     <xsd:complexType name="oidc_encryption">
         <xsd:choice maxOccurs="unbounded">
-            <xsd:element name="algorithms" type="oidc_encryption_algorithms" minOccurs="1" maxOccurs="1" />
+            <xsd:element name="algorithm" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />
         </xsd:choice>
         <xsd:attribute name="enabled" type="xsd:boolean" />
         <xsd:attribute name="enforce" type="xsd:boolean" />
         <xsd:attribute name="keyset" type="xsd:string" use="required" />
     </xsd:complexType>
 
-    <xsd:complexType name="oidc_encryption_algorithms">
-        <xsd:sequence>
-            <xsd:element name="algorithm" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />
-        </xsd:sequence>
-    </xsd:complexType>
-
-    <xsd:complexType name="oidc_issuers">
-        <xsd:sequence>
-            <xsd:element name="issuer" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />
-        </xsd:sequence>
-    </xsd:complexType>
-
     <xsd:complexType name="login_throttling">
         <xsd:attribute name="limiter" type="xsd:string" />
         <xsd:attribute name="max-attempts" type="xsd:integer" />
+        <xsd:attribute name="interval" type="xsd:string" />
+        <xsd:attribute name="lock-factory" type="xsd:string" />
     </xsd:complexType>
 
     <xsd:complexType name="remember_me">
         <xsd:sequence minOccurs="0">
+            <xsd:choice minOccurs="0" maxOccurs="unbounded">
+                <xsd:element name="signature-property" type="xsd:string" />
+            </xsd:choice>
             <xsd:choice minOccurs="0" maxOccurs="unbounded">
                 <xsd:element name="user-provider" type="xsd:string" />
             </xsd:choice>
@@ -442,7 +432,7 @@
             <xsd:element name="method" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
             <xsd:element name="role" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
             <xsd:element name="allow-if" type="xsd:string" minOccurs="0" maxOccurs="1" />
-            <xsd:element name="attribute" type="rule_attribute" minOccurs="0" maxOccurs="1" />
+            <xsd:element name="attribute" type="rule_attribute" minOccurs="0" maxOccurs="unbounded" />
         </xsd:choice>
         <xsd:attribute name="requires-channel" type="xsd:string" />
         <xsd:attribute name="path" type="xsd:string" />
@@ -452,6 +442,7 @@
         <xsd:attribute name="methods" type="xsd:string" />
         <xsd:attribute name="allow-if" type="xsd:string" />
         <xsd:attribute name="route" type="xsd:string" />
+        <xsd:attribute name="request-matcher" type="xsd:string" />
     </xsd:complexType>
 
     <xsd:complexType name="role">

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTestCase.php

@@ -726,6 +726,41 @@ public function testFirewallPatterns()
         $this->assertSame('(?:^/register$|^/documentation$)', $container->getDefinition($requestMatcherId)->getArgument(0));
     }
 
+    public function testAccessTokenOidc()
+    {
+        $container = $this->getContainer('access_token_oidc');
+
+        $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1'));
+        $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1'));
+
+        $def = $container->getDefinition('security.access_token_handler.firewall1');
+        $this->assertSame('audience', $def->getArgument(2));
+        $this->assertSame(['https://www.example.com'], $def->getArgument(3));
+        $this->assertSame('sub', $def->getArgument(4));
+    }
+
+    public function testAccessTokenOidcWithEncryption()
+    {
+        $container = $this->getContainer('access_token_oidc_encryption');
+
+        $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1'));
+        $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1'));
+
+        $def = $container->getDefinition('security.access_token_handler.firewall1');
+        $this->assertSame(['RS256'], $def->getArgument(0)->getArgument(0));
+    }
+
+    public function testAccessTokenOidcUserInfoWithDiscovery()
+    {
+        if ('xml' === $this->getFileExtension()) {
+            $this->markTestSkipped('OIDC user info discovery is not supported by the XML schema.');
+        }
+        $container = $this->getContainer('access_token_oidc_user_info_discovery');
+
+        $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1'));
+        $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1'));
+    }
+
     protected function getContainer($file)
     {
         $file .= '.'.$this->getFileExtension();