vendor/hwi/oauth-bundle/src/DependencyInjection/Configuration.php line 76

  1. <?php
  3. /*
  4.  * This file is part of the HWIOAuthBundle package.
  5.  *
  6.  * (c) Hardware Info <opensource@hardware.info>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace HWI\Bundle\OAuthBundle\DependencyInjection;
  14. use HWI\Bundle\OAuthBundle\OAuth\ResourceOwner\GenericOAuth1ResourceOwner;
  15. use HWI\Bundle\OAuthBundle\OAuth\ResourceOwner\GenericOAuth2ResourceOwner;
  16. use HWI\Bundle\OAuthBundle\OAuth\ResourceOwnerInterface;
  17. use Symfony\Component\Config\Definition\BaseNode;
  18. use Symfony\Component\Config\Definition\Builder\ArrayNodeDefinition;
  19. use Symfony\Component\Config\Definition\Builder\TreeBuilder;
  20. use Symfony\Component\Config\Definition\ConfigurationInterface;
  21. use Symfony\Component\Finder\Finder;
  23. /**
  24.  * Configuration for the extension.
  25.  *
  26.  * @author Alexander <iam.asm89@gmail.com>
  27.  */
  28. final class Configuration implements ConfigurationInterface
  29. {
  30.     /**
  31.      * type => ResourceOwner mapping for hwi_oauth.resource_owner.*.class parameters.
  32.      *
  33.      * @var array<string, class-string<GenericOAuth1ResourceOwner|GenericOAuth2ResourceOwner|ResourceOwnerInterface>>
  34.      */
  35.     private static array $resourceOwnerTypesClassMap = [];
  37.     /**
  38.      * Array of supported resource owners.
  39.      *
  40.      * @var array<string, string>
  41.      */
  42.     private static array $resourceOwnerTypes = [];
  44.     public function __construct()
  45.     {
  46.         if ([] === self::$resourceOwnerTypes) {
  47.             self::loadResourceOwners();
  48.         }
  49.     }
  51.     public static function getResourceOwnerTypesClassMap(): array
  52.     {
  53.         return self::$resourceOwnerTypesClassMap;
  54.     }
  56.     /**
  57.      * Return the type (oauth1 or oauth2) of given resource owner.
  58.      */
  59.     public static function getResourceOwnerType(string $resourceOwner): ?string
  60.     {
  61.         $resourceOwner strtolower($resourceOwner);
  63.         return self::$resourceOwnerTypes[$resourceOwner] ?? null;
  64.     }
  66.     /**
  67.      * Checks that given resource owner is supported by this bundle.
  68.      */
  69.     public static function isResourceOwnerSupported(string $resourceOwner): bool
  70.     {
  71.         return isset(self::$resourceOwnerTypes[strtolower($resourceOwner)]);
  72.     }
  74.     public static function registerResourceOwner(string $resourceOwnerClass): void
  75.     {
  76.         $reflection = new \ReflectionClass($resourceOwnerClass);
  77.         if (!$reflection->implementsInterface(ResourceOwnerInterface::class)) {
  78.             throw new \LogicException('Resource owner class should implement "ResourceOwnerInterface", or extended class "GenericOAuth1ResourceOwner"/"GenericOAuth2ResourceOwner".');
  79.         }
  81.         $type \defined("$resourceOwnerClass::TYPE") ? $resourceOwnerClass::TYPE null;
  82.         if (null === $type) {
  83.             if (preg_match('~(?P<resource_owner>[^\\\\]+)ResourceOwner$~'$resourceOwnerClass$match)) {
  84.                 $type strtolower(preg_replace('/([a-z])([A-Z])/''$1_$2'$match['resource_owner']));
  85.             } else {
  86.                 throw new \LogicException(sprintf('Resource owner class either should have "TYPE" const defined or end with "ResourceOwner" so that type can be calculated by converting its class name without suffix to "snake_case". Given class name is "%s"'$resourceOwnerClass));
  87.             }
  88.         }
  90.         $oAuth 'unknown';
  91.         if ($reflection->isSubclassOf(GenericOAuth2ResourceOwner::class)) {
  92.             $oAuth 'oauth2';
  93.         } elseif ($reflection->isSubclassOf(GenericOAuth1ResourceOwner::class)) {
  94.             $oAuth 'oauth1';
  95.         }
  97.         self::$resourceOwnerTypes[$type] = $oAuth;
  98.         self::$resourceOwnerTypesClassMap[$type] = $resourceOwnerClass;
  99.     }
  101.     /**
  102.      * Generates the configuration tree builder.
  103.      */
  104.     public function getConfigTreeBuilder(): TreeBuilder
  105.     {
  106.         $builder = new TreeBuilder('hwi_oauth');
  108.         /** @var ArrayNodeDefinition $rootNode */
  109.         $rootNode $builder->getRootNode();
  111.         $rootNode
  112.             ->fixXmlConfig('firewall_name')
  113.             ->children()
  114.                 ->arrayNode('firewall_names')
  115.                     ->setDeprecated(...$this->getDeprecationParams())
  116.                     ->defaultValue([])
  117.                     ->prototype('scalar')->end()
  118.                 ->end()
  119.                 ->scalarNode('target_path_parameter')->defaultNull()->end()
  120.                 ->arrayNode('target_path_domains_whitelist')
  121.                     ->defaultValue([])
  122.                     ->prototype('scalar')->end()
  123.                 ->end()
  124.                 ->booleanNode('use_referer')->defaultFalse()->end()
  125.                 ->booleanNode('failed_use_referer')->defaultFalse()->end()
  126.                 ->scalarNode('failed_auth_path')->defaultValue('hwi_oauth_connect')->end()
  127.                 ->scalarNode('grant_rule')
  128.                     ->defaultValue('IS_AUTHENTICATED_REMEMBERED')
  129.                     ->validate()
  130.                         ->ifTrue(function ($role) {
  131.                             return !('IS_AUTHENTICATED_REMEMBERED' === $role || 'IS_AUTHENTICATED_FULLY' === $role);
  132.                         })
  133.                         ->thenInvalid('Unknown grant role set "%s".')
  134.                     ->end()
  135.                 ->end()
  136.             ->end()
  137.         ;
  139.         $this->addConnectConfiguration($rootNode);
  140.         $this->addResourceOwnersConfiguration($rootNode);
  142.         return $builder;
  143.     }
  145.     private function addResourceOwnersConfiguration(ArrayNodeDefinition $node): void
  146.     {
  147.         $node
  148.             ->fixXmlConfig('resource_owner')
  149.             ->children()
  150.                 ->arrayNode('resource_owners')
  151.                     ->isRequired()
  152.                     ->useAttributeAsKey('name')
  153.                     ->prototype('array')
  154.                         ->ignoreExtraKeys()
  155.                         ->children()
  156.                             ->scalarNode('base_url')->end()
  157.                             ->scalarNode('access_token_url')
  158.                                 ->validate()
  159.                                     ->ifEmpty()
  160.                                     ->thenUnset()
  161.                                 ->end()
  162.                             ->end()
  163.                             ->scalarNode('authorization_url')
  164.                                 ->validate()
  165.                                     ->ifEmpty()
  166.                                     ->thenUnset()
  167.                                 ->end()
  168.                             ->end()
  169.                             ->scalarNode('request_token_url')
  170.                                 ->validate()
  171.                                     ->ifEmpty()
  172.                                     ->thenUnset()
  173.                                 ->end()
  174.                             ->end()
  175.                             ->scalarNode('revoke_token_url')
  176.                                 ->validate()
  177.                                     ->ifEmpty()
  178.                                     ->thenUnset()
  179.                                 ->end()
  180.                             ->end()
  181.                             ->scalarNode('infos_url')
  182.                                 ->validate()
  183.                                     ->ifEmpty()
  184.                                     ->thenUnset()
  185.                                 ->end()
  186.                             ->end()
  187.                             ->scalarNode('client_id')->cannotBeEmpty()->end()
  188.                             ->scalarNode('client_secret')->cannotBeEmpty()->end()
  189.                             ->scalarNode('realm')
  190.                                 ->validate()
  191.                                     ->ifEmpty()
  192.                                     ->thenUnset()
  193.                                 ->end()
  194.                             ->end()
  195.                             ->scalarNode('scope')
  196.                                 ->validate()
  197.                                     ->ifEmpty()
  198.                                     ->thenUnset()
  199.                                 ->end()
  200.                             ->end()
  201.                             ->scalarNode('user_response_class')
  202.                                 ->validate()
  203.                                     ->ifEmpty()
  204.                                     ->thenUnset()
  205.                                 ->end()
  206.                             ->end()
  207.                             ->scalarNode('service')
  208.                                 ->validate()
  209.                                     ->ifEmpty()
  210.                                     ->thenUnset()
  211.                                 ->end()
  212.                             ->end()
  213.                             ->scalarNode('class')
  214.                                 ->validate()
  215.                                     ->ifEmpty()
  216.                                     ->thenUnset()
  217.                                 ->end()
  218.                             ->end()
  219.                             ->scalarNode('type')
  220.                                 // will be validated in ResourceOwnerCompilerPass, other apps can register own resource
  221.                                 // owner maps later with tag hwi_oauth.resource_owner
  222.                                 ->validate()
  223.                                     ->ifEmpty()
  224.                                     ->thenUnset()
  225.                                 ->end()
  226.                             ->end()
  227.                             ->scalarNode('use_authorization_to_get_token')
  228.                                 ->validate()
  229.                                     ->ifEmpty()
  230.                                     ->thenUnset()
  231.                                 ->end()
  232.                             ->end()
  233.                             ->arrayNode('paths')
  234.                                 ->useAttributeAsKey('name')
  235.                                 ->prototype('variable')
  236.                                     ->validate()
  237.                                         ->ifTrue(function ($v) {
  238.                                             if (null === $v) {
  239.                                                 return true;
  240.                                             }
  242.                                             if (\is_array($v)) {
  243.                                                 return === \count($v);
  244.                                             }
  246.                                             if (\is_string($v)) {
  247.                                                 return empty($v);
  248.                                             }
  250.                                             return !is_numeric($v);
  251.                                         })
  252.                                         ->thenInvalid('Path can be only string or array type.')
  253.                                     ->end()
  254.                                 ->end()
  255.                             ->end()
  256.                             ->arrayNode('options')
  257.                                 ->useAttributeAsKey('name')
  258.                                 ->prototype('scalar')->end()
  259.                             ->end()
  260.                         ->end()
  261.                         ->validate()
  262.                             ->ifTrue(function ($c) {
  263.                                 // skip if this contains a service
  264.                                 if (isset($c['service'])) {
  265.                                     return false;
  266.                                 }
  268.                                 // for each type at least these have to be set
  269.                                 foreach (['client_id''client_secret'] as $child) {
  270.                                     if (!isset($c[$child])) {
  271.                                         return true;
  272.                                     }
  273.                                 }
  275.                                 if (!isset($c['type']) && !isset($c['class'])) {
  276.                                     return true;
  277.                                 }
  279.                                 return false;
  280.                             })
  281.                             ->thenInvalid("You should set at least the 'type' or 'class' with 'client_id' and the 'client_secret' of a resource owner.")
  282.                         ->end()
  283.                         ->validate()
  284.                             ->ifTrue(function ($c) {
  285.                                 return isset($c['type'], $c['class']);
  286.                             })
  287.                             ->then(function ($c) {
  288.                                 trigger_deprecation('hwi/oauth-bundle''2.0''No need to set both "type" and "class" for resource owner.');
  290.                                 return $c;
  291.                             })
  292.                         ->end()
  293.                         ->validate()
  294.                             ->ifTrue(function ($c) {
  295.                                 // Skip if this contains a service or a class
  296.                                 if (isset($c['service']) || isset($c['class'])) {
  297.                                     return false;
  298.                                 }
  300.                                 // Only validate the 'oauth2' and 'oauth1' type
  301.                                 if ('oauth2' !== $c['type'] && 'oauth1' !== $c['type']) {
  302.                                     return false;
  303.                                 }
  305.                                 $children = ['authorization_url''access_token_url''request_token_url''infos_url'];
  306.                                 foreach ($children as $child) {
  307.                                     // This option exists only for OAuth1.0a
  308.                                     if ('request_token_url' === $child && 'oauth2' === $c['type']) {
  309.                                         continue;
  310.                                     }
  312.                                     if (!isset($c[$child])) {
  313.                                         return true;
  314.                                     }
  315.                                 }
  317.                                 return false;
  318.                             })
  319.                             ->thenInvalid("All parameters are mandatory for types 'oauth2' and 'oauth1'. Check if you're missing one of: 'access_token_url', 'authorization_url', 'infos_url' and 'request_token_url' for 'oauth1'.")
  320.                         ->end()
  321.                         ->validate()
  322.                             ->ifTrue(function ($c) {
  323.                                 // skip if this contains a service
  324.                                 if (isset($c['service']) || isset($c['class'])) {
  325.                                     return false;
  326.                                 }
  328.                                 // Only validate the 'oauth2' and 'oauth1' type
  329.                                 if ('oauth2' !== $c['type'] && 'oauth1' !== $c['type']) {
  330.                                     return false;
  331.                                 }
  333.                                 // one of this two options must be set
  334.                                 if (=== \count($c['paths'])) {
  335.                                     return !isset($c['user_response_class']);
  336.                                 }
  338.                                 foreach (['identifier''nickname''realname'] as $child) {
  339.                                     if (!isset($c['paths'][$child])) {
  340.                                         return true;
  341.                                     }
  342.                                 }
  344.                                 return false;
  345.                             })
  346.                             ->thenInvalid("At least the 'identifier', 'nickname' and 'realname' paths should be configured for 'oauth2' and 'oauth1' types.")
  347.                         ->end()
  348.                         ->validate()
  349.                             ->ifTrue(function ($c) {
  350.                                 if (isset($c['service'])) {
  351.                                     // ignore paths & options if none were set
  352.                                     return !== \count($c['paths']) || !== \count($c['options']) || \count($c);
  353.                                 }
  355.                                 return false;
  356.                             })
  357.                             ->thenInvalid("If you're setting a 'service', no other arguments should be set.")
  358.                         ->end()
  359.                         ->validate()
  360.                             ->ifTrue(function ($c) {
  361.                                 return isset($c['class']);
  362.                             })
  363.                             ->then(function ($c) {
  364.                                 self::registerResourceOwner($c['class']);
  366.                                 return $c;
  367.                             })
  368.                         ->end()
  369.                     ->end()
  370.                 ->end()
  371.             ->end()
  372.         ;
  373.     }
  375.     private function addConnectConfiguration(ArrayNodeDefinition $node): void
  376.     {
  377.         $node
  378.             ->children()
  379.                 ->arrayNode('connect')
  380.                     ->children()
  381.                         ->booleanNode('confirmation')->defaultTrue()->end()
  382.                         ->scalarNode('account_connector')->cannotBeEmpty()->end()
  383.                         ->scalarNode('registration_form_handler')->cannotBeEmpty()->end()
  384.                         ->scalarNode('registration_form')->cannotBeEmpty()->end()
  385.                     ->end()
  386.                 ->end()
  387.             ->end()
  388.         ;
  389.     }
  391.     private static function loadResourceOwners(): void
  392.     {
  393.         $files = (new Finder())
  394.             ->in(__DIR__.'/../OAuth/ResourceOwner')
  395.             ->name('~^(.+)ResourceOwner\.php$~')
  396.             ->files();
  398.         foreach ($files as $f) {
  399.             if (!str_contains($f->getFilename(), 'ResourceOwner')) {
  400.                 continue;
  401.             }
  403.             // Skip known abstract classes
  404.             if (\in_array($f->getFilename(), ['AbstractResourceOwner.php''GenericOAuth1ResourceOwner.php''GenericOAuth2ResourceOwner.php'], true)) {
  405.                 continue;
  406.             }
  408.             self::registerResourceOwner('HWI\Bundle\OAuthBundle\OAuth\ResourceOwner\\'.str_replace('.php'''$f->getFilename()));
  409.         }
  410.     }
  412.     /**
  413.      * Returns the correct deprecation params as an array for setDeprecated().
  414.      *
  415.      * symfony/config v5.1 introduces a deprecation notice when calling
  416.      * setDeprecated() with less than 3 args and the getDeprecation() method was
  417.      * introduced at the same time. By checking if getDeprecation() exists,
  418.      * we can determine the correct param count to use when calling setDeprecated().
  419.      *
  420.      * @return string[]
  421.      */
  422.     private function getDeprecationParams(): array
  423.     {
  424.         if (method_exists(BaseNode::class, 'getDeprecation')) {
  425.             return [
  426.                 'hwi/oauth-bundle',
  427.                 '2.0',
  428.                 'option "%path%.%node%" is deprecated. Firewall names are collected automatically.',
  429.             ];
  430.         }
  432.         return ['Since hwi/oauth-bundle 2.0: option "hwi_oauth.firewall_names" is deprecated. Firewall names are collected automatically.'];
  433.     }
  434. }