feat: added support for the new authenticator system

CHANGELOG.md

@@ -1,6 +1,10 @@
 CHANGELOG
 =========
 
+UNRELEASED
+----
+* Added support for the new authenticator-based SF Security
+
 2.4.2
 -----
 

config/packages/lti1p3.yaml

@@ -31,6 +31,12 @@ lti1p3:
             oidc_initiation_url: "%application_host%/lti1p3/oidc/initiation"
             launch_url: "%application_host%/tool/launch"
             deep_linking_url: "%application_host%/tool/launch"
+        authServerTool:
+            name: "Auth Server as LTI Tool"
+            audience: "http://localhost:8005/tool"
+            oidc_initiation_url: "http://localhost:8005/lti1p3/oidc/initiation"
+            launch_url: "%application_host%/tool/launch"
+            deep_linking_url: "%application_host%/tool/launch"
     registrations:
         devkit:
             client_id: "client_id"
@@ -44,3 +50,15 @@ lti1p3:
             platform_jwks_url: "%application_host%/lti1p3/.well-known/jwks/platformSet.json"
             tool_jwks_url: "%application_host%/lti1p3/.well-known/jwks/toolSet.json"
             order: 1
+        authServer:
+            client_id: "client-auth"
+            platform: "devkitPlatform"
+            tool: "authServerTool"
+            deployment_ids:
+                - "deploymentId1"
+                - "deploymentId2"
+            platform_key_chain: "platformKey"
+            tool_key_chain: ~
+            platform_jwks_url: "%application_host%/lti1p3/.well-known/jwks/platformSet.json"
+            tool_jwks_url: "http://localhost:8005/.well-known/jwks.json"
+            order: 2

config/packages/security.yaml

@@ -1,11 +1,13 @@
 security:
+    enable_authenticator_manager: true
     providers:
         users_in_memory: { memory: null }
     firewalls:
         api_area:
             pattern: ^/api/
             stateless: true
-            api_key: true
+            custom_authenticators:
+                - App\Security\Api\ApiKeyAuthenticator
         tool_message_area:
             pattern: ^/tool/launch
             stateless: true
@@ -53,7 +55,7 @@ security:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
         main:
-            anonymous: lazy
+            lazy: true
             provider: users_in_memory
 
     access_control:

config/services.yaml

@@ -24,17 +24,6 @@ services:
         resource: '../src/Action'
         tags: ['controller.service_arguments']
 
-    # API
-    App\Security\Api\Provider\ApiKeyProvider:
-        arguments:
-            - '@parameter_bag'
-
-    App\Security\Api\Firewall\ApiKeyListener:
-        arguments:
-            - '@security.token_storage'
-            - '@security.authentication.manager'
-            - '@Psr\Log\LoggerInterface'
-
     # LTI core dependencies
     OAT\Library\Lti1p3Core\Util\Generator\IdGeneratorInterface:
         class: OAT\Library\Lti1p3Core\Util\Generator\IdGenerator
@@ -203,4 +192,4 @@ services:
         tags: [ 'controller.service_arguments' ]
 
     # LTI submission review dependencies
-    OAT\Library\Lti1p3SubmissionReview\Message\Launch\Builder\SubmissionReviewLaunchRequestBuilder: ~
+    OAT\Library\Lti1p3SubmissionReview\Message\Launch\Builder\SubmissionReviewLaunchRequestBuilder: ~

src/Kernel.php

@@ -21,7 +21,6 @@
 namespace App;
 
 use App\DependencyInjection\Compiler\ConfigurationPass;
-use App\DependencyInjection\Security\Factory\ApiKeyFactory;
 use Symfony\Bundle\FrameworkBundle\Kernel\MicroKernelTrait;
 use Symfony\Component\Config\Loader\LoaderInterface;
 use Symfony\Component\Config\Resource\FileResource;
@@ -50,12 +49,6 @@ public function getProjectDir(): string
         return \dirname(__DIR__);
     }
 
-    public function build(ContainerBuilder $container): void
-    {
-        $extension = $container->getExtension('security');
-        $extension->addSecurityListenerFactory(new ApiKeyFactory());
-    }
-
     protected function configureContainer(ContainerBuilder $container, LoaderInterface $loader): void
     {
         $container->addResource(new FileResource($this->getProjectDir().'/config/bundles.php'));

src/Security/Api/ApiKeyAuthenticator.php

@@ -0,0 +1,91 @@
+<?php
+
+/**
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; under version 2
+ * of the License (non-upgradable).
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ * Copyright (c) 2022 (original work) Open Assessment Technologies SA;
+ */
+
+declare(strict_types=1);
+
+namespace App\Security\Api;
+
+use Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
+use Symfony\Component\Security\Core\User\InMemoryUser;
+use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+
+final class ApiKeyAuthenticator extends AbstractAuthenticator
+{
+    private const AUTHORIZATION_HEADER = 'Authorization';
+
+    /** @var ParameterBagInterface */
+    private $parameterBag;
+
+    public function __construct(ParameterBagInterface $parameterBag)
+    {
+        $this->parameterBag = $parameterBag;
+    }
+
+    public function supports(Request $request): ?bool
+    {
+        return str_starts_with($request->getPathInfo(), '/api');
+    }
+
+    public function authenticate(Request $request): Passport
+    {
+        if (!$request->headers->has(self::AUTHORIZATION_HEADER)) {
+            throw new AuthenticationCredentialsNotFoundException('Auth header required');
+        }
+
+        $apiKey = substr($request->headers->get(self::AUTHORIZATION_HEADER), strlen('Bearer '));
+
+        if (null === $apiKey) {
+            throw new CustomUserMessageAuthenticationException('No API key provided');
+        }
+
+        if ($this->parameterBag->get('application_api_key') !== $apiKey) {
+            throw new CustomUserMessageAuthenticationException('Unauthorised API key provided');
+        }
+
+        return new SelfValidatingPassport(new UserBadge($apiKey, function () {
+            return new InMemoryUser('api', null);
+        }));
+    }
+
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
+    {
+        return null;
+    }
+
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
+    {
+        return new JsonResponse(
+            [
+                'error' => $exception->getMessage(),
+            ],
+            Response::HTTP_UNAUTHORIZED
+        );
+    }
+}