[REMOVE TMP DEPENDENCY] IBX-8482: Fixed lack of JWT stateless calls recognition

konradoboza · konradoboza · commit c9ffbd48e65b · 2024-07-02T14:02:55.000+02:00
diff --git a/dependencies.json b/dependencies.json
@@ -0,0 +1,4 @@
+{
+  "recipesEndpoint": "https://api.github.com/repos/ibexa/recipes-dev/contents/index.json?ref=flex/pull-125",
+  "packages": []
+}
diff --git a/src/bundle/Resources/config/security.yml b/src/bundle/Resources/config/security.yml
@@ -11,6 +11,8 @@ services:
         arguments:
             $headerName: '%ibexa.rest.authorization_header_name%'
 
+    Ibexa\Rest\Security\JWTTokenCreationRESTRequestMatcher: ~
+
     Ibexa\Rest\Server\Security\CsrfTokenManager:
         arguments:
             - '@?security.csrf.token_generator'
diff --git a/src/lib/Security/AuthorizationHeaderRESTRequestMatcher.php b/src/lib/Security/AuthorizationHeaderRESTRequestMatcher.php
@@ -34,6 +34,7 @@ public function __construct(
         int $port = null
     ) {
         parent::__construct($path, $host, $methods, $ips, $attributes, $schemes, $port);
+
         $this->headerName = $headerName;
     }
 
@@ -43,10 +44,7 @@ public function matches(Request $request): bool
             return false;
         }
 
-        if (
-            $request->attributes->get('_route') === 'ibexa.rest.create_token'
-            || !empty($request->headers->get($this->headerName ?? 'Authorization'))
-        ) {
+        if (!empty($request->headers->get($this->headerName ?? 'Authorization'))) {
             return parent::matches($request);
         }
 
diff --git a/src/lib/Security/EventListener/JWT/AuthenticationSuccessSubscriber.php b/src/lib/Security/EventListener/JWT/AuthenticationSuccessSubscriber.php
@@ -8,8 +8,6 @@
 
 namespace Ibexa\Rest\Security\EventListener\JWT;
 
-use Ibexa\Contracts\Core\Repository\PermissionResolver;
-use Ibexa\Core\MVC\Symfony\Security\UserInterface as IbexaUser;
 use Ibexa\Rest\Server\Exceptions\BadResponseException;
 use Lexik\Bundle\JWTAuthenticationBundle\Event\AuthenticationSuccessEvent;
 use Lexik\Bundle\JWTAuthenticationBundle\Events;
@@ -19,7 +17,6 @@
 final readonly class AuthenticationSuccessSubscriber implements EventSubscriberInterface
 {
     public function __construct(
-        private PermissionResolver $permissionResolver,
         private RequestStack $requestStack,
     ) {
     }
@@ -42,11 +39,6 @@ public function onAuthenticationSuccess(AuthenticationSuccessEvent $event): void
             return;
         }
 
-        $user = $event->getUser();
-        if ($user instanceof IbexaUser) {
-            $this->permissionResolver->setCurrentUserReference($user->getAPIUser());
-        }
-
         $this->normalizeResponseToRest($event);
     }
 
diff --git a/src/lib/Security/JWTTokenCreationRESTRequestMatcher.php b/src/lib/Security/JWTTokenCreationRESTRequestMatcher.php
@@ -0,0 +1,33 @@
+<?php
+
+/**
+ * @copyright Copyright (C) Ibexa AS. All rights reserved.
+ * @license For full copyright and license information view LICENSE file distributed with this source code.
+ */
+declare(strict_types=1);
+
+namespace Ibexa\Rest\Security;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestMatcher;
+
+/**
+ * @internal
+ *
+ * This class is mandatory for JWT REST calls recognition. It's used within security.firewalls.ibexa_jwt_rest.request_matcher configuration key.
+ */
+final class JWTTokenCreationRESTRequestMatcher extends RequestMatcher
+{
+    public function matches(Request $request): bool
+    {
+        if ($request->attributes->get('is_rest_request', false) !== true) {
+            return false;
+        }
+
+        if ($request->attributes->get('_route') === 'ibexa.rest.create_token') {
+            return parent::matches($request);
+        }
+
+        return false;
+    }
+}
diff --git a/tests/contracts/Security/AuthorizationHeaderRESTRequestMatcherTest.php b/tests/contracts/Security/AuthorizationHeaderRESTRequestMatcherTest.php
@@ -58,18 +58,6 @@ public function testMatchesRestRequestsWithCustomHeader(): void
         self::assertTrue($matcher->matches($request));
     }
 
-    public function testMatchesRestJwtCreationEndpoint(): void
-    {
-        $matcher = new AuthorizationHeaderRESTRequestMatcher();
-
-        $request = $this->createRequest([
-            'is_rest_request' => true,
-            '_route' => 'ibexa.rest.create_token',
-        ]);
-
-        self::assertTrue($matcher->matches($request));
-    }
-
     /**
      * @param array<string, mixed> $attributes
      * @param array<string, array<string>|string> $server
diff --git a/tests/contracts/Security/JWTTokenCreationRESTRequestMatcherTest.php b/tests/contracts/Security/JWTTokenCreationRESTRequestMatcherTest.php
@@ -0,0 +1,55 @@
+<?php
+
+/**
+ * @copyright Copyright (C) Ibexa AS. All rights reserved.
+ * @license For full copyright and license information view LICENSE file distributed with this source code.
+ */
+declare(strict_types=1);
+
+namespace Ibexa\Tests\Contracts\Rest\Security;
+
+use Ibexa\Rest\Security\JWTTokenCreationRESTRequestMatcher;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Request;
+
+final class JWTTokenCreationRESTRequestMatcherTest extends TestCase
+{
+    public function testDoesNotMatchNonRestRequests(): void
+    {
+        $matcher = new JWTTokenCreationRESTRequestMatcher();
+
+        self::assertFalse($matcher->matches(new Request()));
+    }
+
+    public function testDoesNotMatchRestRequestsWithoutHeader(): void
+    {
+        $matcher = new JWTTokenCreationRESTRequestMatcher();
+
+        $request = $this->createRequest([
+            'is_rest_request' => true,
+        ]);
+
+        self::assertFalse($matcher->matches($request));
+    }
+
+    public function testMatchesRestJwtCreationEndpoint(): void
+    {
+        $matcher = new JWTTokenCreationRESTRequestMatcher();
+
+        $request = $this->createRequest([
+            'is_rest_request' => true,
+            '_route' => 'ibexa.rest.create_token',
+        ]);
+
+        self::assertTrue($matcher->matches($request));
+    }
+
+    /**
+     * @param array<string, mixed> $attributes
+     * @param array<string, array<string>|string> $server
+     */
+    private function createRequest(array $attributes = [], array $server = []): Request
+    {
+        return new Request([], [], $attributes, [], [], $server);
+    }
+}
diff --git a/tests/lib/Security/EventListener/JWT/AuthenticationSuccessSubscriberTest.php b/tests/lib/Security/EventListener/JWT/AuthenticationSuccessSubscriberTest.php
@@ -8,7 +8,6 @@
 
 namespace Ibexa\Tests\Rest\Security\EventListener\JWT;
 
-use Ibexa\Contracts\Core\Repository\PermissionResolver;
 use Ibexa\Core\MVC\Symfony\Security\User;
 use Ibexa\Core\Repository\Values\User\User as ApiUser;
 use Ibexa\Rest\Security\EventListener\JWT\AuthenticationSuccessSubscriber;
@@ -27,7 +26,6 @@ final class AuthenticationSuccessSubscriberTest extends TestCase
     public function testGetSubscribedEvents(): void
     {
         $subscriber = new AuthenticationSuccessSubscriber(
-            $this->createMock(PermissionResolver::class),
             $this->getRequestStackMock()
         );
 
@@ -46,15 +44,9 @@ public function testOnAuthenticationSuccess(
         UserInterface $user,
         bool $isPermissionResolverInvoked
     ): void {
-        $permissionResolver = $this->createMock(PermissionResolver::class);
-        $permissionResolver
-            ->expects($isPermissionResolverInvoked === true ? self::once() : self::never())
-            ->method('setCurrentUserReference');
-
         $event = new AuthenticationSuccessEvent(['token' => 'foo_token'], $user, new Response());
 
         $subscriber = new AuthenticationSuccessSubscriber(
-            $permissionResolver,
             $this->getRequestStackMock()
         );
 
@@ -91,7 +83,6 @@ public function dataProviderForTestOnAuthenticationSuccess(): iterable
     public function testResponseIsMissingJwtToken(): void
     {
         $subscriber = new AuthenticationSuccessSubscriber(
-            $this->createMock(PermissionResolver::class),
             $this->getRequestStackMock()
         );
 
@@ -113,7 +104,6 @@ public function testResponseIsMissingJwtToken(): void
     public function testSkippingResponseNormalizingForNonRestRequest(): void
     {
         $subscriber = new AuthenticationSuccessSubscriber(
-            $this->createMock(PermissionResolver::class),
             $this->getRequestStackMock(false)
         );
 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +{
 +  "recipesEndpoint": "https://api.github.com/repos/ibexa/recipes-dev/contents/index.json?ref=flex/pull-125",
 +  "packages": []
 +}
Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ public function __construct(`
`34`	`34`	`int $port = null`
`35`	`35`	`) {`
`36`	`36`	`parent::__construct($path, $host, $methods, $ips, $attributes, $schemes, $port);`
	`37`	`+`
`37`	`38`	`$this->headerName = $headerName;`
`38`	`39`	`}`
`39`	`40`
`@@ -43,10 +44,7 @@ public function matches(Request $request): bool`
`43`	`44`	`return false;`
`44`	`45`	`}`
`45`	`46`
`46`		`- if (`
`47`		`- $request->attributes->get('_route') === 'ibexa.rest.create_token'`
`48`		`- \|\| !empty($request->headers->get($this->headerName ?? 'Authorization'))`
`49`		`- ) {`
	`47`	`+ if (!empty($request->headers->get($this->headerName ?? 'Authorization'))) {`
`50`	`48`	`return parent::matches($request);`
`51`	`49`	`}`
`52`	`50`
Original file line number	Diff line number	Diff line change
`@@ -8,8 +8,6 @@`
`8`	`8`
`9`	`9`	`namespace Ibexa\Rest\Security\EventListener\JWT;`
`10`	`10`
`11`		`-use Ibexa\Contracts\Core\Repository\PermissionResolver;`
`12`		`-use Ibexa\Core\MVC\Symfony\Security\UserInterface as IbexaUser;`
`13`	`11`	`use Ibexa\Rest\Server\Exceptions\BadResponseException;`
`14`	`12`	`use Lexik\Bundle\JWTAuthenticationBundle\Event\AuthenticationSuccessEvent;`
`15`	`13`	`use Lexik\Bundle\JWTAuthenticationBundle\Events;`
`@@ -19,7 +17,6 @@`
`19`	`17`	`final readonly class AuthenticationSuccessSubscriber implements EventSubscriberInterface`
`20`	`18`	`{`
`21`	`19`	`public function __construct(`
`22`		`- private PermissionResolver $permissionResolver,`
`23`	`20`	`private RequestStack $requestStack,`
`24`	`21`	`) {`
`25`	`22`	`}`
`@@ -42,11 +39,6 @@ public function onAuthenticationSuccess(AuthenticationSuccessEvent $event): void`
`42`	`39`	`return;`
`43`	`40`	`}`
`44`	`41`
`45`		`- $user = $event->getUser();`
`46`		`- if ($user instanceof IbexaUser) {`
`47`		`- $this->permissionResolver->setCurrentUserReference($user->getAPIUser());`
`48`		`- }`
`49`		`-`
`50`	`42`	`$this->normalizeResponseToRest($event);`
`51`	`43`	`}`
`52`	`44`