[Security] Add logout configuration for Clear-Site-Data header

maxbeckers · maxbeckers · commit c20d516ee221 · 2023-02-10T13:46:16.000+01:00
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -251,6 +251,18 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
                     ->scalarNode('path')->defaultValue('/logout')->end()
                     ->scalarNode('target')->defaultValue('/')->end()
                     ->booleanNode('invalidate_session')->defaultTrue()->end()
+                    ->scalarNode('clear_site_data')->defaultValue('off')->end()
+                    ->arrayNode('clear_site_data')
+                        ->fixXmlConfig('clear_site_data')
+                        ->performNoDeepMerging()
+                        ->defaultValue(['off'])
+                        ->beforeNormalization()->ifString()->then(function ($v) { return $v ? array_map('trim', explode(',', $v)) : []; })->end()
+                        ->enumPrototype()
+                        ->values([
+                            'off', '*', 'cache', 'cookies', 'storage', 'executionContexts',
+                        ])
+                        ->end()
+                    ->end()
                 ->end()
                 ->fixXmlConfig('delete_cookie')
                 ->children()
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -451,8 +451,7 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
                 'logout_path' => $firewall['logout']['path'],
             ]);
 
-            $logoutSuccessListenerId = 'security.logout.listener.default.'.$id;
-            $container->setDefinition($logoutSuccessListenerId, new ChildDefinition('security.logout.listener.default'))
+            $container->setDefinition('security.logout.listener.default.'.$id, new ChildDefinition('security.logout.listener.default'))
                 ->replaceArgument(1, $firewall['logout']['target'])
                 ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
 
@@ -474,6 +473,13 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
                     ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
             }
 
+            // add clear site data listener
+            if (!empty($firewall['logout']['clear_site_data']) && !\in_array('off', $firewall['logout']['clear_site_data'])) {
+                $container->setDefinition('security.logout.listener.clear_site_data.'.$id, new ChildDefinition('security.logout.listener.clear_site_data'))
+                    ->addArgument(implode(', ', array_map(function (string $clearSiteDataValue) { return '"'.$clearSiteDataValue.'"'; }, $firewall['logout']['clear_site_data'])))
+                    ->addTag('kernel.event_subscriber', ['dispatcher' => $firewallEventDispatcherId]);
+            }
+
             // register with LogoutUrlGenerator
             $container
                 ->getDefinition('security.logout_url_generator')
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.php
@@ -17,6 +17,7 @@
 use Symfony\Component\Security\Http\Authentication\CustomAuthenticationSuccessHandler;
 use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
 use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationSuccessHandler;
+use Symfony\Component\Security\Http\EventListener\ClearSiteDataLogoutListener;
 use Symfony\Component\Security\Http\EventListener\CookieClearingLogoutListener;
 use Symfony\Component\Security\Http\EventListener\DefaultLogoutListener;
 use Symfony\Component\Security\Http\EventListener\SessionLogoutListener;
@@ -64,6 +65,9 @@
         ->set('security.logout.listener.session', SessionLogoutListener::class)
             ->abstract()
 
+        ->set('security.logout.listener.clear_site_data', ClearSiteDataLogoutListener::class)
+            ->abstract()
+
         ->set('security.logout.listener.cookie_clearing', CookieClearingLogoutListener::class)
             ->abstract()
 
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTestCase.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTestCase.php
@@ -181,6 +181,7 @@ public function testFirewalls()
                     'invalidate_session' => true,
                     'delete_cookies' => [],
                     'enable_csrf' => null,
+                    'clear_site_data' => ['off'],
                 ],
             ],
             [
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php
@@ -848,6 +848,48 @@ public function testConfigureCustomFirewallListener()
         $this->assertContains('custom_firewall_listener_id', $firewallListeners);
     }
 
+    public function testClearSiteDataLogoutListenerEnabled()
+    {
+        $container = $this->getRawContainer();
+
+        $firewallId = 'logout_firewall';
+        $container->loadFromExtension('security', [
+            'firewalls' => [
+                $firewallId => [
+                    'logout' => [
+                        'clear_site_data' => ['*'],
+                    ],
+                ],
+            ],
+        ]);
+
+        $container->compile();
+
+        $this->assertTrue($container->has('security.logout.listener.clear_site_data.'.$firewallId));
+        $listenerArgument = $container->getDefinition('security.logout.listener.clear_site_data.'.$firewallId)->getArgument(0);
+        $this->assertEquals('"*"', $listenerArgument);
+    }
+
+    public function testClearSiteDataLogoutListenerDisabled()
+    {
+        $container = $this->getRawContainer();
+
+        $firewallId = 'logout_firewall';
+        $container->loadFromExtension('security', [
+            'firewalls' => [
+                $firewallId => [
+                    'logout' => [
+                        'clear_site_data' => ['off'],
+                    ],
+                ],
+            ],
+        ]);
+
+        $container->compile();
+
+        $this->assertFalse($container->has('security.logout.listener.clear_site_data.'.$firewallId));
+    }
+
     /**
      * @group legacy
      */
diff --git a/src/Symfony/Component/Security/Http/EventListener/ClearSiteDataLogoutListener.php b/src/Symfony/Component/Security/Http/EventListener/ClearSiteDataLogoutListener.php
@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\EventListener;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\Security\Http\Event\LogoutEvent;
+
+/**
+ * Handler for Clear-Site-Data header during logout.
+ *
+ * @author Max Beckers <beckers.maximilian@gmail.com>
+ *
+ * @final
+ */
+class ClearSiteDataLogoutListener implements EventSubscriberInterface
+{
+    private const HEADER_NAME = 'Clear-Site-Data';
+
+    /**
+     * @param string $cookieValue The value for the Clear-Site-Data header.
+     *                            Can be '*' or a subset of 'cache', 'cookies', 'storage', 'executionContexts'.
+     */
+    public function __construct(private readonly string $cookieValue)
+    {
+    }
+
+    public function onLogout(LogoutEvent $event): void
+    {
+        if (!$event->getResponse()?->headers->has(static::HEADER_NAME)) {
+            $event->getResponse()->headers->set(static::HEADER_NAME, $this->cookieValue);
+        }
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            LogoutEvent::class => 'onLogout',
+        ];
+    }
+}
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/ClearSiteDataLogoutListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/ClearSiteDataLogoutListenerTest.php
@@ -0,0 +1,48 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Tests\EventListener;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Http\Event\LogoutEvent;
+use Symfony\Component\Security\Http\EventListener\ClearSiteDataLogoutListener;
+
+class ClearSiteDataLogoutListenerTest extends TestCase
+{
+    /**
+     * @dataProvider provideClearSiteDataConfig
+     */
+    public function testLogout(string $clearSiteDataConfig)
+    {
+        $response = new Response();
+        $event = new LogoutEvent(new Request(), null);
+        $event->setResponse($response);
+
+        $listener = new ClearSiteDataLogoutListener($clearSiteDataConfig);
+
+        $headerCountBefore = $response->headers->count();
+
+        $listener->onLogout($event);
+
+        $this->assertEquals(++$headerCountBefore, $response->headers->count());
+
+        $this->assertNotNull($response->headers->get('Clear-Site-Data'));
+        $this->assertEquals($clearSiteDataConfig, $response->headers->get('Clear-Site-Data'));
+    }
+
+    public static function provideClearSiteDataConfig(): iterable
+    {
+        yield ['"*"'];
+        yield ['"cache", "cookies", "storage", "executionContexts"'];
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -181,6 +181,7 @@ public function testFirewalls()`
`181`	`181`	`'invalidate_session' => true,`
`182`	`182`	`'delete_cookies' => [],`
`183`	`183`	`'enable_csrf' => null,`
	`184`	`+ 'clear_site_data' => ['off'],`
`184`	`185`	`],`
`185`	`186`	`],`
`186`	`187`	`[`