From c6ab13724d6a562dcfe4df4aff43a02c67eec728 Mon Sep 17 00:00:00 2001
From: Gary PEGEOT
Date: Wed, 21 Aug 2019 17:18:13 +0200
Subject: [PATCH 1/3] Add access_control rule for form login auth
---
 src/Maker/MakeAuthenticator.php | 3 ++-
 src/Security/SecurityConfigUpdater.php | 16 ++++++++++++-
 tests/Security/SecurityConfigUpdaterTest.php | 24 +++++++++++++++++--
 .../simple_security_with_access_control.yaml | 17 +++++++++++++
 ...le_security_with_added_access_control.yaml | 16 +++++++++++++
 .../simple_security_with_access_control.yaml | 13 ++++++++++
 6 files changed, 85 insertions(+), 4 deletions(-)
 create mode 100644 tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_access_control.yaml
 create mode 100644 tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_added_access_control.yaml
 create mode 100644 tests/Security/yaml_fixtures/source/simple_security_with_access_control.yaml
diff --git a/src/Maker/MakeAuthenticator.php b/src/Maker/MakeAuthenticator.php
index 68abfc096..df2c7bcf5 100644
--- a/src/Maker/MakeAuthenticator.php
+++ b/src/Maker/MakeAuthenticator.php
@@ -226,7 +226,8 @@ public function generate(InputInterface $input, ConsoleStyle $io, Generator $gen
 $entryPoint,
 $input->getArgument('authenticator-class'),
 $input->hasArgument('logout-setup') ? $input->getArgument('logout-setup') : false,
- $this->useSecurity52
+ $this->useSecurity52,
+ self::AUTH_TYPE_FORM_LOGIN === $input->getArgument('authenticator-type')
 );
 $generator->dumpFile($path, $newYaml);
 $securityYamlUpdated = true;
diff --git a/src/Security/SecurityConfigUpdater.php b/src/Security/SecurityConfigUpdater.php
index 8355df15c..1e140854f 100644
--- a/src/Security/SecurityConfigUpdater.php
+++ b/src/Security/SecurityConfigUpdater.php
@@ -59,7 +59,7 @@ public function updateForUserClass(string $yamlSource, UserClassConfiguration $u
 return $contents;
 }
- public function updateForAuthenticator(string $yamlSource, string $firewallName, $chosenEntryPoint, string $authenticatorClass, bool $logoutSetup, bool $useSecurity52): string
+ public function updateForAuthenticator(string $yamlSource, string $firewallName, $chosenEntryPoint, string $authenticatorClass, bool $logoutSetup, bool $useSecurity52, bool $addAccessControlRule = false): string
 {
 $this->manipulator = new YamlSourceManipulator($yamlSource);
@@ -134,6 +134,20 @@ public function updateForAuthenticator(string $yamlSource, string $firewallName,
 $newData['security']['firewalls'][$firewallName] = $firewall;
+ $accessControlRules = $newData['security']['access_control'] ?? [];
+
+ foreach ($accessControlRules as $rule) {
+ if ('^/login$' === $rule['path']) {
+ $addAccessControlRule = false;
+ break;
+ }
+ }
+
+ if ($addAccessControlRule) {
+ array_unshift($accessControlRules, ['path' => '^/login$', 'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY']);
+ $newData['security']['access_control'] = $accessControlRules;
+ }
+
 $this->manipulator->setData($newData);
 return $this->manipulator->getContents();
diff --git a/tests/Security/SecurityConfigUpdaterTest.php b/tests/Security/SecurityConfigUpdaterTest.php
index 05e43cc9e..70165c2c5 100644
--- a/tests/Security/SecurityConfigUpdaterTest.php
+++ b/tests/Security/SecurityConfigUpdaterTest.php
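Review bot: In the `@@ -134,6 +134,20 @@` hunk of src/Security/SecurityConfigUpdater.php the loop reads `$rule['path']` without a guard, yet an access_control entry may match on host, IPs or methods alone and carry no `path` key, which raises an undefined-index notice here; `if ('^/login$' === ($rule['path'] ?? null)) {` avoids it, and the rewritten condition in PATCH 2/3 needs the same guard. The prepended rule always grants `IS_AUTHENTICATED_ANONYMOUSLY` and never consults `$useSecurity52`; if that flag selects the authenticator-manager setup, `PUBLIC_ACCESS` is probably the right attribute there, so this is worth confirming. A short comment above `array_unshift`, such as `// Prepend: only the first matching access_control rule is applied`, would record why the rule must go first. The method starts and ends outside the hunk.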
@@ -100,13 +100,13 @@ public function getUserClassTests()
 /**
 * @dataProvider getAuthenticatorTests
 */
- public function testUpdateForAuthenticator(string $firewallName, $entryPoint, string $expectedSourceFilename, string $startingSourceFilename, bool $logoutSetup, bool $useSecurity51)
+ public function testUpdateForAuthenticator(string $firewallName, $entryPoint, string $expectedSourceFilename, string $startingSourceFilename, bool $logoutSetup, bool $useSecurity51, bool $addAccessControl = false)
 {
 $this->createLogger();
 $updater = new SecurityConfigUpdater($this->ysmLogger);
 $source = file_get_contents(__DIR__.'/yaml_fixtures/source/'.$startingSourceFilename);
- $actualSource = $updater->updateForAuthenticator($source, $firewallName, $entryPoint, 'App\\Security\\AppCustomAuthenticator', $logoutSetup, $useSecurity51);
+ $actualSource = $updater->updateForAuthenticator($source, $firewallName, $entryPoint, 'App\\Security\\AppCustomAuthenticator', $logoutSetup, $useSecurity51, $addAccessControl);
 $expectedSource = file_get_contents(__DIR__.'/yaml_fixtures/expected_authenticator/'.$expectedSourceFilename);
 $this->assertSame($expectedSource, $actualSource);
@@ -185,6 +185,26 @@ public function getAuthenticatorTests()
 false,
 true,
 ];
+
+ yield 'simple_security_with_access_control' => [
+ 'main',
+ null,
+ 'simple_security_with_access_control.yaml',
+ 'simple_security_with_access_control.yaml',
+ false,
+ false,
+ true
+ ];
+
+ yield 'simple_security_without_access_control' => [
+ 'main',
+ null,
+ 'simple_security_with_added_access_control.yaml',
+ 'simple_security.yaml',
+ false,
+ false,
+ true
+ ];
 }
 private function createLogger(): void
diff --git a/tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_access_control.yaml b/tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_access_control.yaml
new file mode 100644
index 000000000..7f4d2666e
--- /dev/null
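Review bot: The two provider cases added in the `@@ -185,6 +185,26 @@` hunk never exercise a source file whose `access_control` already lists other rules: the first fixture holds only the login rule, and the second, judging by its expected output, starts with no `access_control` at all. Because only the first matching rule is applied, the position of the generated rule is the behaviour that matters for access decisions, and the `array_unshift` ordering is left unpinned. A third case whose source has an unrelated rule (for instance a constructed `^/admin` entry) and whose expected file shows the login rule above it would cover this. The provider method continues outside the hunk.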
+++ b/tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_access_control.yaml
@@ -0,0 +1,17 @@
+security:
+ # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+ providers:
+ in_memory: { memory: ~ }
+
+ firewalls:
+ dev: ~
+ main:
+ anonymous: true
+ guard:
+ authenticators:
+ - App\Security\AppCustomAuthenticator
+
+ # Easy way to control access for large sections of your site
+ # Note: Only the *first* access control that matches will be used
+ access_control:
+ - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
diff --git a/tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_added_access_control.yaml b/tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_added_access_control.yaml
new file mode 100644
index 000000000..8da79a079
--- /dev/null
+++ b/tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_added_access_control.yaml
@@ -0,0 +1,16 @@
+security:
+ # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+ providers:
+ in_memory: { memory: ~ }
+
+ firewalls:
+ dev: ~
+ main:
+ anonymous: true
+ guard:
+ authenticators:
+ - App\Security\AppCustomAuthenticator
+ access_control:
+ -
+ path: ^/login$
+ roles: IS_AUTHENTICATED_ANONYMOUSLY
diff --git a/tests/Security/yaml_fixtures/source/simple_security_with_access_control.yaml b/tests/Security/yaml_fixtures/source/simple_security_with_access_control.yaml
new file mode 100644
index 000000000..09738e204
--- /dev/null
+++ b/tests/Security/yaml_fixtures/source/simple_security_with_access_control.yaml
@@ -0,0 +1,13 @@
+security:
+ # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+ providers:
+ in_memory: { memory: ~ }
+
+ firewalls:
+ dev: ~
+ main: ~
+
+ # Easy way to control access for large sections of your site
+ # Note: Only the *first* access control that matches will be used
+ access_control:
+ - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
From ef5d7ccbc85a2e2aff2f01e07d6abe0969672d29 Mon Sep 17 00:00:00 2001
From: Gary PEGEOT
Date: Tue, 22 Oct 2019 17:20:46 +0200
Subject: [PATCH 2/3] Add wider check for existing access control rule
---
 src/Security/SecurityConfigUpdater.php | 2 +-
 .../simple_security_with_access_control.yaml | 3 ++-
 .../simple_security_with_added_access_control.yaml | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/Security/SecurityConfigUpdater.php b/src/Security/SecurityConfigUpdater.php
index 1e140854f..96ba1b11f 100644
--- a/src/Security/SecurityConfigUpdater.php
+++ b/src/Security/SecurityConfigUpdater.php
@@ -137,7 +137,7 @@ public function updateForAuthenticator(string $yamlSource, string $firewallName,
 $accessControlRules = $newData['security']['access_control'] ?? [];
 foreach ($accessControlRules as $rule) {
- if ('^/login$' === $rule['path']) {
+ if (0 === strpos($rule['path'], '^/login')) {
 $addAccessControlRule = false;
 break;
 }
diff --git a/tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_access_control.yaml b/tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_access_control.yaml
index 7f4d2666e..5c74c4135 100644
--- a/tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_access_control.yaml
+++ b/tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_access_control.yaml
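Review bot: The prefix test `0 === strpos($rule['path'], '^/login')` in the `@@ -137,7 +137,7 @@` hunk of src/Security/SecurityConfigUpdater.php skips the generated rule for any pattern that merely begins with `^/login`, without checking what that pattern matches or which roles it demands. A constructed example: an existing `^/login_check` rule does not match `/login`, and an existing `^/login` rule requiring `ROLE_USER` does not open it, yet either one suppresses the insert, so a later catch-all rule can still keep anonymous users away from the form. Skipping only when the existing rule's roles already allow anonymous access, and documenting the intent with a comment like `// Skip only if a rule already opens the login path`, would make the check match its purpose. The loop's enclosing method starts and ends outside the hunk.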
@@ -6,11 +6,12 @@ security:
 firewalls:
 dev: ~
 main:
- anonymous: true
+ anonymous: lazy
 guard:
 authenticators:
 - App\Security\AppCustomAuthenticator
+
 # Easy way to control access for large sections of your site
 # Note: Only the *first* access control that matches will be used
 access_control:
diff --git a/tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_added_access_control.yaml b/tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_added_access_control.yaml
index 8da79a079..1b56e5c4b 100644
--- a/tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_added_access_control.yaml
+++ b/tests/Security/yaml_fixtures/expected_authenticator/simple_security_with_added_access_control.yaml
@@ -6,7 +6,7 @@ security:
 firewalls:
 dev: ~
 main:
- anonymous: true
+ anonymous: lazy
 guard:
 authenticators:
 - App\Security\AppCustomAuthenticator
From e3dd27547cced192a57b1f6396779deb17d869a2 Mon Sep 17 00:00:00 2001
From: Gary PEGEOT
Date: Mon, 29 Mar 2021 11:12:50 +0200
Subject: [PATCH 3/3] CI Fix
---
 tests/Security/SecurityConfigUpdaterTest.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/Security/SecurityConfigUpdaterTest.php b/tests/Security/SecurityConfigUpdaterTest.php
index 70165c2c5..d27013d75 100644
--- a/tests/Security/SecurityConfigUpdaterTest.php
+++ b/tests/Security/SecurityConfigUpdaterTest.php
@@ -193,7 +193,7 @@ public function getAuthenticatorTests()
 'simple_security_with_access_control.yaml',
 false,
 false,
- true
+ true,
 ];
 yield 'simple_security_without_access_control' => [
@@ -203,7 +203,7 @@ public function getAuthenticatorTests()
 'simple_security.yaml',
 false,
 false,
- true
+ true,
 ];
 }