feature #24 Add support for authenticator security system (mtarld)

This PR was squashed before being merged into the 0.1-dev branch.

Discussion
----------

Add support for authenticator security system

- Added support for the authenticator security system
- Updated OAuth2Token to not keep the whole request in token
- Added `LegacyTestKernel` to test the old security system
- Improved exception inheritance
- Return a `NullUser` when user is not found (for old and new system to be consistent)
- Removed support for Symfony < 5.1

Should we trigger deprecations when the bundle is used with the old security system?

Commits
-------

8fad2ae Fix for php-cs-fixer 3
d5bc3f8 Drop support for legacy security system
5695774 Drop support for Symfony < 5.2
61d4c2f Drop support for Symfony < 5.1
61b7e38 Add support for authenticator security system

Author: chalasr

.github/workflows/unit-tests.yml

@@ -11,7 +11,6 @@ jobs:
         strategy:
             matrix:
                 symfony-version:
-                    - "4.4.*"
                     - "5.2.*"
                 php-version:
                     - "7.2"

.gitignore

@@ -3,8 +3,8 @@ composer.lock
 vendor/
 
 # PHP Coding Standards Fixer
-.php_cs
-.php_cs.cache
+.php-cs-fixer.php
+.php-cs-fixer.cache
 
 # PHPUnit
 phpunit.xml

.php_cs.dist renamed to .php-cs-fixer.dist.php

@@ -9,7 +9,7 @@
     ->append([__FILE__])
 ;
 
-return PhpCsFixer\Config::create()
+return (new PhpCsFixer\Config())
     ->setUsingCache(true)
     ->setRules([
         '@DoctrineAnnotation' => true,

.psalm.baseline.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<files psalm-version="4.7.1@cd53e047a58f71f646dd6bf45476076ab07b5d44">
+  <file src="src/Resources/config/routes.php">
+    <InvalidArgument occurrences="2">
+      <code>['league.oauth2_server.controller.authorization', 'indexAction']</code>
+      <code>['league.oauth2_server.controller.token', 'indexAction']</code>
+    </InvalidArgument>
+  </file>
+  <file src="src/Resources/config/services.php">
+    <ImplicitToStringCast occurrences="1">
+      <code>service(GrantConfigurator::class)</code>
+    </ImplicitToStringCast>
+  </file>
+</files>

composer.json

@@ -22,15 +22,15 @@
         "league/oauth2-server": "^8.0",
         "nyholm/psr7": "^1.4",
         "psr/http-factory": "^1.0",
-        "symfony/framework-bundle": "^4.4|^5.0",
+        "symfony/framework-bundle": "^5.2",
         "symfony/psr-http-message-bridge": "^2.0",
-        "symfony/security-bundle": "^4.4|^5.0"
+        "symfony/security-bundle": "^5.2"
     },
     "require-dev": {
         "ext-pdo": "*",
         "ext-pdo_sqlite": "*",
         "psalm/plugin-symfony": "^2.2",
-        "symfony/browser-kit": "^4.4|^5.0",
+        "symfony/browser-kit": "^5.2",
         "symfony/phpunit-bridge": "^5.2",
         "vimeo/psalm": "^4.6"
     },

docs/basic-setup.md

@@ -95,10 +95,12 @@ Options:
 
 ## Configuring the Security layer
 
-Add two new firewalls in your security configuration:
+Add two new firewalls in your security configuration and enable the authenticator security system:
 
 ```yaml
 security:
+    enable_authenticator_manager: true
+
     firewalls:
         api_token:
             pattern: ^/api/token$

docs/index.md

@@ -13,7 +13,7 @@ For implementation into Symfony projects, please see [bundle documentation](docs
 ## Requirements
 
 * [PHP 7.2](http://php.net/releases/7_2_0.php) or greater
-* [Symfony 4.4](https://symfony.com/roadmap/4.4) or [Symfony 5.x](https://symfony.com/roadmap/5.0)
+* [Symfony 5.2](https://symfony.com/roadmap/5.2) or greater
 
 ## Installation
 
@@ -91,9 +91,6 @@ For implementation into Symfony projects, please see [bundle documentation](docs
                 entity_manager:       default
             in_memory:            ~
 
-        # The priority of the event listener that converts an Exception to a Response
-        exception_event_listener_priority: 10
-
         # Set a custom prefix that replaces the default 'ROLE_OAUTH2_' role prefix
         role_prefix:          ROLE_OAUTH2_
     ```
@@ -110,6 +107,13 @@ For implementation into Symfony projects, please see [bundle documentation](docs
     bin/console doctrine:schema:update --force
     ```
 
+1. Enable the authenticator security system in `config/security.yaml` file:
+
+```yaml
+security:
+    enable_authenticator_manager: true
+```
+
 1. Import the routes inside your `config/routes.yaml` file:
 
     ```yaml
@@ -121,7 +125,7 @@ You can verify that everything is working by issuing a `POST` request to the `/t
 
 **❮ NOTE ❯** It is recommended to control the access to the authorization endpoint
 so that only logged in users can approve authorization requests.
-You should review your `security.yml` file. Here is a sample configuration:
+You should review your `config/security.yaml` file. Here is a sample configuration:
 
 ```yaml
 security:

psalm.xml

@@ -11,6 +11,7 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="https://getpsalm.org/schema/config"
         xsi:schemaLocation="https://getpsalm.org/schema/config vendor/vimeo/psalm/config.xsd"
+        errorBaseline=".psalm.baseline.xml"
 >
     <projectFiles>
         <directory name="src"/>
@@ -44,27 +45,6 @@
         <RawObjectIteration errorLevel="error"/>
         <InvalidStringClass errorLevel="error"/>
         <UnresolvableInclude errorLevel="error"/>
-        <ImplicitToStringCast errorLevel="error">
-            <errorLevel type="suppress">
-                <file name="src/Resources/config/services.php" />
-            </errorLevel>
-        </ImplicitToStringCast>
-        <MixedInferredReturnType errorLevel="error">
-            <errorLevel type="suppress">
-                <file name="src/Resources/config/services.php" />
-            </errorLevel>
-        </MixedInferredReturnType>
-        <MixedReturnStatement errorLevel="error">
-            <errorLevel type="suppress">
-                <file name="src/Resources/config/services.php" />
-            </errorLevel>
-        </MixedReturnStatement>
-        <InvalidArgument errorLevel="error">
-            <errorLevel type="suppress">
-                <file name="src/Resources/config/routes.php" />
-                <referencedFunction name="Symfony\Component\Routing\Loader\Configurator\RoutingConfigurator::controller" />
-            </errorLevel>
-        </InvalidArgument>
     </issueHandlers>
 
     <plugins>

src/DependencyInjection/Configuration.php

@@ -26,10 +26,6 @@ public function getConfigTreeBuilder(): TreeBuilder
 
         $rootNode
             ->children()
-                ->scalarNode('exception_event_listener_priority')
-                    ->info('The priority of the event listener that converts an Exception to a Response')
-                    ->defaultValue(10)
-                ->end()
                 ->scalarNode('role_prefix')
                     ->info('Set a custom prefix that replaces the default \'ROLE_OAUTH2_\' role prefix')
                     ->defaultValue('ROLE_OAUTH2_')

src/DependencyInjection/LeagueOAuth2ServerExtension.php

@@ -9,15 +9,14 @@
 use League\Bundle\OAuth2ServerBundle\DBAL\Type\Grant as GrantType;
 use League\Bundle\OAuth2ServerBundle\DBAL\Type\RedirectUri as RedirectUriType;
 use League\Bundle\OAuth2ServerBundle\DBAL\Type\Scope as ScopeType;
-use League\Bundle\OAuth2ServerBundle\EventListener\ConvertExceptionToResponseListener;
 use League\Bundle\OAuth2ServerBundle\League\AuthorizationServer\GrantTypeInterface;
 use League\Bundle\OAuth2ServerBundle\Manager\Doctrine\AccessTokenManager;
 use League\Bundle\OAuth2ServerBundle\Manager\Doctrine\AuthorizationCodeManager;
 use League\Bundle\OAuth2ServerBundle\Manager\Doctrine\ClientManager;
 use League\Bundle\OAuth2ServerBundle\Manager\Doctrine\RefreshTokenManager;
 use League\Bundle\OAuth2ServerBundle\Manager\ScopeManagerInterface;
 use League\Bundle\OAuth2ServerBundle\Model\Scope as ScopeModel;
-use League\Bundle\OAuth2ServerBundle\Security\Authentication\Token\OAuth2TokenFactory;
+use League\Bundle\OAuth2ServerBundle\Security\Authenticator\OAuth2Authenticator;
 use League\Bundle\OAuth2ServerBundle\Service\CredentialsRevoker\DoctrineCredentialsRevoker;
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\CryptKey;
@@ -37,7 +36,6 @@
 use Symfony\Component\DependencyInjection\Extension\PrependExtensionInterface;
 use Symfony\Component\DependencyInjection\Loader\PhpFileLoader;
 use Symfony\Component\DependencyInjection\Reference;
-use Symfony\Component\HttpKernel\KernelEvents;
 
 final class LeagueOAuth2ServerExtension extends Extension implements PrependExtensionInterface, CompilerPassInterface
 {
@@ -60,15 +58,8 @@ public function load(array $configs, ContainerBuilder $container)
         $this->configureResourceServer($container, $config['resource_server']);
         $this->configureScopes($container, $config['scopes']);
 
-        $container->findDefinition(OAuth2TokenFactory::class)
-            ->setArgument(0, $config['role_prefix']);
-
-        $container->findDefinition(ConvertExceptionToResponseListener::class)
-            ->addTag('kernel.event_listener', [
-                'event' => KernelEvents::EXCEPTION,
-                'method' => 'onKernelException',
-                'priority' => $config['exception_event_listener_priority'],
-            ]);
+        $container->findDefinition(OAuth2Authenticator::class)
+            ->setArgument(3, $config['role_prefix']);
 
         $container->registerForAutoconfiguration(GrantTypeInterface::class)
             ->addTag('league.oauth2_server.authorization_server.grant');