Merge branch '7.4' into 8.0

* 7.4: (28 commits)
  [Messenger] Allow Pheanstalk v8
  [TypeInfo] Fix resolving constructor type with templates
  fix compatibility with RelayCluster 0.12
  fix type alias with template resolving
  fix compatibility with RelayCluster 0.11 and 0.12
  [DependencyInjection] Register a custom autoloader to generate `*Config` classes when they don't exist yet
  [Security] Add security:oidc-token:generate command
  [PropertyInfo][TypeInfo] Fix resolving constructor type with templates
  [WebProfilerBundle] ”finish” errored requests
  Add support for union types on AsEventListener
  [Console] Update CHANGELOG to reflect attribute name changes for interactive invokable commands
  bump ext-redis to 6.2 and ext-relay to 0.12 minimum
  [TypeInfo] Fix type alias with template resolving
  [Console] Add support for interactive invokable commands with `#[Interact]` and `#[Ask]` attributes
  bump ext-relay to 0.12+
  fix merge
  [Config] Generate the array-shape of the current node instead of the whole root node in Config classes
  [HttpFoundation] Deprecate Request::get() in favor of using properties ->attributes, query or request directly
  fix Relay Cluster 0.12 compatibility
  [TypeInfo] ArrayShape can resolve key type as callable instead of string
  ...

Author: nicolas-grekas

AccessToken/FormEncodedBodyExtractor.php

@@ -34,10 +34,7 @@ public function __construct(
 
     public function extractAccessToken(Request $request): ?string
     {
-        if (
-            Request::METHOD_POST !== $request->getMethod()
-            || !str_starts_with($request->headers->get('CONTENT_TYPE', ''), 'application/x-www-form-urlencoded')
-        ) {
+        if ('POST' !== $request->getMethod() || !str_starts_with($request->headers->get('CONTENT_TYPE', ''), 'application/x-www-form-urlencoded')) {
             return null;
         }
         $parameter = $request->request->get($this->parameter);

AccessToken/Oidc/OidcTokenGenerator.php

@@ -0,0 +1,105 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\AccessToken\Oidc;
+
+use Jose\Component\Core\Algorithm;
+use Jose\Component\Core\AlgorithmManager;
+use Jose\Component\Core\JWKSet;
+use Jose\Component\Signature\JWSBuilder;
+use Jose\Component\Signature\Serializer\CompactSerializer;
+use Psr\Clock\ClockInterface;
+use Symfony\Component\Clock\Clock;
+
+class OidcTokenGenerator
+{
+    public function __construct(
+        private readonly AlgorithmManager $algorithmManager,
+        private readonly JWKSet $jwkset,
+        private readonly string $audience,
+        private readonly array $issuers,
+        private readonly string $claim = 'sub',
+        private readonly ClockInterface $clock = new Clock(),
+    ) {
+    }
+
+    public function generate(string $userIdentifier, ?string $algorithmAlias = null, ?string $issuer = null, ?int $ttl = null, ?\DateTimeImmutable $notBefore = null): string
+    {
+        $algorithm = $this->getAlgorithm($algorithmAlias);
+
+        if (!$jwk = $this->jwkset->selectKey('sig', $algorithm)) {
+            throw new \InvalidArgumentException(\sprintf('No JWK found to sign with "%s" algorithm.', $algorithm->name()));
+        }
+
+        $jwsBuilder = new JWSBuilder($this->algorithmManager);
+
+        $now = $this->clock->now();
+        $payload = [
+            $this->claim => $userIdentifier,
+            'iat' => $now->getTimestamp(), # https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6
+            'aud' => $this->audience, # https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
+            'iss' => $this->getIssuer($issuer), # https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
+        ];
+        if ($ttl) {
+            if (0 > $ttl) {
+                throw new \InvalidArgumentException('Time to live must be a positive integer.');
+            }
+
+            $payload['exp'] = $now->add(new \DateInterval("PT{$ttl}S"))->getTimestamp(); # https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4
+        }
+        if ($notBefore) {
+            $payload['nbf'] = $notBefore->getTimestamp(); # https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5
+        }
+
+        $jws = $jwsBuilder
+            ->create()
+            ->withPayload(json_encode($payload, flags: \JSON_THROW_ON_ERROR))
+            ->addSignature($jwk, ['alg' => $algorithm->name()])
+            ->build();
+
+        $serializer = new CompactSerializer();
+
+        return $serializer->serialize($jws, 0);
+    }
+
+    private function getAlgorithm(?string $alias): Algorithm
+    {
+        if ($alias) {
+            if (!$this->algorithmManager->has($alias)) {
+                throw new \InvalidArgumentException(sprintf('"%s" is not a valid algorithm. Available algorithms: "%s".', $alias, implode('", "', $this->algorithmManager->list())));
+            }
+            return $this->algorithmManager->get($alias);
+        }
+
+        if (1 !== count($list = $this->algorithmManager->list())) {
+            throw new \InvalidArgumentException(sprintf('Please choose an algorithm. Available algorithms: "%s".', implode('", "', $list)));
+        }
+
+        return $this->algorithmManager->get($list[0]);
+    }
+
+    private function getIssuer(?string $issuer): string
+    {
+        if ($issuer) {
+            if (!in_array($issuer, $this->issuers, true)) {
+                throw new \InvalidArgumentException(sprintf('"%s" is not a valid issuer. Available issuers: "%s".', $issuer, implode('", "', $this->issuers)));
+            }
+
+            return $issuer;
+        }
+
+        if (1 !== count($this->issuers)) {
+            throw new \InvalidArgumentException(sprintf('Please choose an issuer. Available issuers: "%s".', implode('", "', $this->issuers)));
+        }
+
+        return $this->issuers[0];
+    }
+}

Authenticator/LoginLinkAuthenticator.php

@@ -51,7 +51,7 @@ public function supports(Request $request): ?bool
 
     public function authenticate(Request $request): Passport
     {
-        if (!$username = $request->get('user')) {
+        if (!$username = $request->query->get('user') ?? (!\in_array($request->getMethod(), ['GET', 'HEAD'], true) ? $request->request->get('user') : null)) {
             throw new InvalidLoginLinkAuthenticationException('Missing user from link.');
         }
 

Command/OidcTokenGenerateCommand.php

@@ -0,0 +1,116 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Command;
+
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Completion\CompletionInput;
+use Symfony\Component\Console\Completion\CompletionSuggestions;
+use Symfony\Component\Console\Completion\Suggestion;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenGenerator;
+
+#[AsCommand(name: 'security:oidc:generate-token', description: 'Generate an OIDC token for a given user')]
+final class OidcTokenGenerateCommand extends Command
+{
+    /** @var array<string, OidcTokenGenerator> */
+    private array $generators = [];
+    /** @var array<string, list<string>> */
+    private array $algorithms;
+    /** @var array<string, list<string>> */
+    private array $issuers;
+
+    protected function configure(): void
+    {
+        $this
+            ->addArgument('user-identifier', InputArgument::REQUIRED, 'User identifier')
+            ->addOption('firewall', null, InputOption::VALUE_REQUIRED, 'Firewall')
+            ->addOption('algorithm', null, InputOption::VALUE_REQUIRED, 'Algorithm name to use to sign')
+            ->addOption('issuer', null, InputOption::VALUE_REQUIRED, 'Set the Issuer claim (iss)')
+            ->addOption('ttl', null, InputOption::VALUE_REQUIRED, 'Set the Expiration Time claim (exp) (time to live in seconds)')
+            ->addOption('not-before', null, InputOption::VALUE_REQUIRED, 'Set the Not Before claim (nbf)')
+        ;
+    }
+
+
+    /**
+     * @params array<string, list<string>> $algorithms
+     * @params array<string, list<string>> $issuers
+     */
+    public function addGenerator(string $firewall, OidcTokenGenerator $oidcTokenGenerator, array $algorithms, array $issuers): void
+    {
+        $this->generators[$firewall] = $oidcTokenGenerator;
+        foreach ($algorithms as $algorithm) {
+            $this->algorithms[$algorithm] ??= [];
+            $this->algorithms[$algorithm][] = $firewall;
+        }
+        foreach ($issuers as $issuer) {
+            $this->issuers[$issuer] ??= [];
+            $this->issuers[$issuer][] = $firewall;
+        }
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $generator = $this->getGenerator($input->getOption('firewall'));
+        $token = $generator->generate(
+            $input->getArgument('user-identifier'),
+            $input->getOption('algorithm'),
+            $input->getOption('issuer'),
+            $input->getOption('ttl'),
+            ($nbf = $input->getOption('not-before')) ? new \DateTimeImmutable($nbf) : null,
+        );
+
+        $output->writeln($token);
+
+        return self::SUCCESS;
+    }
+
+    private function getGenerator(?string $firewall): OidcTokenGenerator
+    {
+        if (0 === count($this->generators)) {
+            throw new \InvalidArgumentException('No OIDC token generator configured.');
+        }
+
+        if ($firewall) {
+            return $this->generators[$firewall] ?? throw new \InvalidArgumentException(sprintf('Invalid firewall. Available firewalls: "%s".', implode('", "', array_keys($this->generators))));
+        }
+
+        if (1 === count($this->generators)) {
+            return end($this->generators);
+        }
+
+        throw new \InvalidArgumentException(sprintf('Please choose an firewall. Available firewalls: "%s".', implode('", "', array_keys($this->generators))));
+    }
+
+    public function complete(CompletionInput $input, CompletionSuggestions $suggestions): void
+    {
+        if ($input->mustSuggestOptionValuesFor('firewall')) {
+            $suggestions->suggestValues(array_keys($this->generators));
+        }
+
+        if ($input->mustSuggestOptionValuesFor('algorithm')) {
+            foreach ($this->algorithms as $algorithm => $firewalls) {
+                $suggestions->suggestValue(new Suggestion($algorithm, sprintf('Available firewalls: "%s".', implode('", "', $firewalls))));
+            }
+        }
+
+        if ($input->mustSuggestOptionValuesFor('issuer')) {
+            foreach ($this->issuers as $issuer => $firewalls) {
+                $suggestions->suggestValue(new Suggestion($issuer, sprintf('Available firewalls: "%s".', implode('", "', $firewalls))));
+            }
+        }
+    }
+}

Firewall/SwitchUserListener.php

@@ -65,7 +65,7 @@ public function __construct(
     public function supports(Request $request): ?bool
     {
         // usernames can be falsy
-        $username = $request->get($this->usernameParameter);
+        $username = $request->query->get($this->usernameParameter) ?? (!\in_array($request->getMethod(), ['GET', 'HEAD'], true) ? $request->request->get($this->usernameParameter) : null);
 
         if (null === $username || '' === $username) {
             $username = $request->headers->get($this->usernameParameter);

HttpUtils.php

@@ -88,8 +88,8 @@ public function createRequest(Request $request, string $path): Request
             $newRequest->attributes->set(SecurityRequestAttributes::LAST_USERNAME, $request->attributes->get(SecurityRequestAttributes::LAST_USERNAME));
         }
 
-        if ($request->get('_format')) {
-            $newRequest->attributes->set('_format', $request->get('_format'));
+        if ($request->attributes->has('_format')) {
+            $newRequest->attributes->set('_format', $request->attributes->get('_format'));
         }
         if ($request->getDefaultLocale() !== $request->getLocale()) {
             $newRequest->setLocale($request->getLocale());

LoginLink/LoginLinkHandler.php

@@ -22,6 +22,7 @@
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\LoginLink\Exception\ExpiredLoginLinkException;
 use Symfony\Component\Security\Http\LoginLink\Exception\InvalidLoginLinkException;
+use Symfony\Component\Security\Http\ParameterBagUtils;
 
 /**
  * @author Ryan Weaver <ryan@symfonycasts.com>
@@ -79,16 +80,16 @@ public function createLoginLink(UserInterface $user, ?Request $request = null, ?
 
     public function consumeLoginLink(Request $request): UserInterface
     {
-        $userIdentifier = $request->get('user');
+        $userIdentifier = ParameterBagUtils::getRequestParameterValue($request, 'user');
 
-        if (!$hash = $request->get('hash')) {
+        if (!$hash = ParameterBagUtils::getRequestParameterValue($request, 'hash')) {
             throw new InvalidLoginLinkException('Missing "hash" parameter.');
         }
         if (!\is_string($hash)) {
             throw new InvalidLoginLinkException('Invalid "hash" parameter.');
         }
 
-        if (!$expires = $request->get('expires')) {
+        if (!$expires = ParameterBagUtils::getRequestParameterValue($request, 'expires')) {
             throw new InvalidLoginLinkException('Missing "expires" parameter.');
         }
         if (!preg_match('/^\d+$/', $expires)) {

ParameterBagUtils.php

@@ -62,13 +62,15 @@ public static function getParameterBagValue(ParameterBag $parameters, string $pa
      */
     public static function getRequestParameterValue(Request $request, string $path, array $parameters = []): mixed
     {
+        $get = static fn ($path) => $request->attributes->get($path) ?? $request->query->all()[$path] ?? (!\in_array($request->getMethod(), ['GET', 'HEAD'], true) ? $request->request->all()[$path] ?? null : null);
+
         if (false === $pos = strpos($path, '[')) {
-            return $parameters[$path] ?? $request->get($path);
+            return $parameters[$path] ?? $get($path);
         }
 
         $root = substr($path, 0, $pos);
 
-        if (null === $value = $parameters[$root] ?? $request->get($root)) {
+        if (null === $value = $parameters[$root] ?? $get($root)) {
             return null;
         }
 
@@ -77,7 +79,7 @@ public static function getRequestParameterValue(Request $request, string $path,
         try {
             $value = self::$propertyAccessor->getValue($value, substr($path, $pos));
 
-            if (null === $value && isset($parameters[$root]) && null !== $value = $request->get($root)) {
+            if (null === $value && isset($parameters[$root]) && null !== $value = $get($root)) {
                 $value = self::$propertyAccessor->getValue($value, substr($path, $pos));
             }