feature #54443 [Security] Add support for dynamic CSRF id with Expression in #[IsCsrfTokenValid] (yguedidi)

This PR was merged into the 7.1 branch.

Discussion
----------

[Security] Add support for dynamic CSRF id with Expression in `#[IsCsrfTokenValid]`

| Q             | A
| ------------- | ---
| Branch?       | 7.1
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Issues        | continuation of #52961 from Hackday
| License       | MIT

Use case is for example on a list page with delete action per item, and you want a CSRF token per item, so in the template you have something like the following:

```twig
{# in a loop over multiple posts #}
<form action="{{ path('post_delete', {post: post.id}) }}" method="POST">
    <input type="hidden" name="_token" value="{{ csrf_token('delete-post-' ~ post.id) }}">
    ...
</form>
```

The new feature will allow:
```php
#[IsCsrfTokenValid(new Expression('"delete-post-" ~ args["post"].id'))]
public function delete(Request $request, Post $post): Response
{
    // ... delete the post
}
```

Maybe this need more tests but need help identify which test cases are useful.
Hope this can pass before the feature freeze

Commits
-------

8f99ca58a8 Add support for dynamic CSRF id in IsCsrfTokenValid

Author: nicolas-grekas

DependencyInjection/Compiler/RegisterCsrfFeaturesPass.php

@@ -13,6 +13,7 @@
 
 use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\Security\Csrf\TokenStorage\ClearableTokenStorageInterface;
 use Symfony\Component\Security\Http\EventListener\CsrfProtectionListener;
@@ -35,6 +36,10 @@ public function process(ContainerBuilder $container): void
 
     private function registerCsrfProtectionListener(ContainerBuilder $container): void
     {
+        if (!$container->hasDefinition('cache.system')) {
+            $container->removeDefinition('cache.security_is_csrf_token_valid_attribute_expression_language');
+        }
+
         if (!$container->has('security.authenticator.manager') || !$container->has('security.csrf.token_manager')) {
             return;
         }
@@ -45,6 +50,7 @@ private function registerCsrfProtectionListener(ContainerBuilder $container): vo
 
         $container->register('controller.is_csrf_token_valid_attribute_listener', IsCsrfTokenValidAttributeListener::class)
             ->addArgument(new Reference('security.csrf.token_manager'))
+            ->addArgument(new Reference('security.is_csrf_token_valid_attribute_expression_language', ContainerInterface::NULL_ON_INVALID_REFERENCE))
             ->addTag('kernel.event_subscriber');
     }
 

DependencyInjection/SecurityExtension.php

@@ -123,6 +123,7 @@ public function load(array $configs, ContainerBuilder $container): void
             $container->removeDefinition('security.expression_language');
             $container->removeDefinition('security.access.expression_voter');
             $container->removeDefinition('security.is_granted_attribute_expression_language');
+            $container->removeDefinition('security.is_csrf_token_valid_attribute_expression_language');
         }
 
         if (!class_exists(PasswordHasherExtension::class)) {

Resources/config/security.php

@@ -303,5 +303,12 @@
         ->set('cache.security_is_granted_attribute_expression_language')
             ->parent('cache.system')
             ->tag('cache.pool')
+
+        ->set('security.is_csrf_token_valid_attribute_expression_language', BaseExpressionLanguage::class)
+            ->args([service('cache.security_is_csrf_token_valid_attribute_expression_language')->nullOnInvalid()])
+
+        ->set('cache.security_is_csrf_token_valid_attribute_expression_language')
+            ->parent('cache.system')
+            ->tag('cache.pool')
     ;
 };