From 854177a1219b859aa2552cd7d570937e32dec043 Mon Sep 17 00:00:00 2001
From: Brock H Caldwell
Date: Sat, 10 May 2025 23:53:46 -0500
Subject: [PATCH] feat: command to set auth method

---
 config/dist/ldap.security.yaml | 56 +++++++++++++++++++++++++++++
 config/dist/local.security.yaml | 54 ++++++++++++++++++++++++++++
 config/packages/security.yaml | 27 +++-----------
 config/security.yaml | 61 ++++++++++++++++++++++++++++++++
 src/Command/ConfigSetCommand.php | 58 ++++++++++++++++++++++++++++++
 5 files changed, 234 insertions(+), 22 deletions(-)
 create mode 100644 config/dist/ldap.security.yaml
 create mode 100644 config/dist/local.security.yaml
 create mode 100644 config/security.yaml
 create mode 100644 src/Command/ConfigSetCommand.php

diff --git a/config/dist/ldap.security.yaml b/config/dist/ldap.security.yaml
new file mode 100644
index 0000000..4f6dbaf
--- /dev/null
+++ b/config/dist/ldap.security.yaml
@@ -0,0 +1,56 @@
+security:
+ # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
+ password_hashers:
+ Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
+ # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
+ providers:
+ users_in_memory: { memory: null }
+ app_local:
+ entity:
+ class: App\User\Framework\Entity\User
+ property: email
+
+ app_ldap:
+ id: App\User\Framework\Security\LdapUserProvider
+
+ firewalls:
+ dev:
+ pattern: ^/(_(profiler|wdt)|css|images|js)/
+ security: false
+ main:
+ lazy: true
+ provider: app_ldap
+ form_login_ldap:
+ login_path: app_login
+ check_path: app_login
+ enable_csrf: true
+ service: Symfony\Component\Ldap\Ldap
+ dn_string: '%env(LDAP_DN_STRING)%'
+ logout:
+ path: app_logout
+
+ # activate different ways to authenticate
+ # https://symfony.com/doc/current/security.html#the-firewall
+
+ # https://symfony.com/doc/current/security/impersonating_user.html
+ # switch_user: true
+
+ # Easy way to control access for large sections of your site
+ # Note: Only the *first* access control that matches will be used
+ access_control:
+ - { path: ^/register, roles: PUBLIC_ACCESS }
+ - { path: ^/login, roles: PUBLIC_ACCESS }
+ - { path: ^/, roles: ROLE_USER } # Or ROLE_ADMIN, ROLE_SUPER_ADMIN,
+
+when@test:
+ security:
+ password_hashers:
+ # By default, password hashers are resource intensive and take time. This is
+ # important to generate secure password hashes. In tests however, secure hashes
+ # are not important, waste resources and increase test times. The following
+ # reduces the work factor to the lowest possible values.
+ Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
+ algorithm: auto
+ cost: 4 # Lowest possible value for bcrypt
+ time_cost: 3 # Lowest possible value for argon
+ memory_cost: 10 # Lowest possible value for argon
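Review bot: Both dist templates carry providers that the firewall they configure never selects — `users_in_memory: { memory: null }` and `app_local` here, `users_in_memory` and `app_ldap` in config/dist/local.security.yaml — and nothing in either file says it is the source that ConfigSetCommand copies over config/packages/security.yaml, so edits made to the live file are silently clobbered the next time the command runs. Dropping the unused providers from each template shrinks the security surface that has to be kept in sync, and a one-line header in each, e.g. `# Template: copied over config/packages/security.yaml by ConfigSetCommand — edit here, not there.`, makes the copy relationship visible to the next maintainer. Everything else in the two templates (dev firewall, access_control, when@test hasher settings) is duplicated verbatim, so any future change to the shared part has to be made twice; worth noting in the header as well.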
diff --git a/config/dist/local.security.yaml b/config/dist/local.security.yaml
new file mode 100644
index 0000000..b71b57c
--- /dev/null
+++ b/config/dist/local.security.yaml
@@ -0,0 +1,54 @@
+security:
+ # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
+ password_hashers:
+ Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
+ # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
+ providers:
+ users_in_memory: { memory: null }
+ app_local:
+ entity:
+ class: App\User\Framework\Entity\User
+ property: email
+
+ app_ldap:
+ id: App\User\Framework\Security\LdapUserProvider
+
+ firewalls:
+ dev:
+ pattern: ^/(_(profiler|wdt)|css|images|js)/
+ security: false
+ main:
+ lazy: true
+ provider: app_local
+ form_login:
+ login_path: app_login
+ check_path: app_login
+ enable_csrf: true
+ logout:
+ path: app_logout
+
+ # activate different ways to authenticate
+ # https://symfony.com/doc/current/security.html#the-firewall
+
+ # https://symfony.com/doc/current/security/impersonating_user.html
+ # switch_user: true
+
+ # Easy way to control access for large sections of your site
+ # Note: Only the *first* access control that matches will be used
+ access_control:
+ - { path: ^/register, roles: PUBLIC_ACCESS }
+ - { path: ^/login, roles: PUBLIC_ACCESS }
+ - { path: ^/, roles: ROLE_USER } # Or ROLE_ADMIN, ROLE_SUPER_ADMIN,
+
+when@test:
+ security:
+ password_hashers:
+ # By default, password hashers are resource intensive and take time. This is
+ # important to generate secure password hashes. In tests however, secure hashes
+ # are not important, waste resources and increase test times. The following
+ # reduces the work factor to the lowest possible values.
+ Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
+ algorithm: auto
+ cost: 4 # Lowest possible value for bcrypt
+ time_cost: 3 # Lowest possible value for argon
+ memory_cost: 10 # Lowest possible value for argon
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index c40c018..4f6dbaf 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml @@ -5,46 +5,29 @@ security: # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider providers: users_in_memory: { memory: null } - app_user_provider: + app_local: entity: class: App\User\Framework\Entity\User property: email - custom_ldap_provider: + app_ldap: id: App\User\Framework\Security\LdapUserProvider - app_ldap_provider: - ldap: - service: Symfony\Component\Ldap\Ldap - base_dn: '%env(LDAP_BASE_DN)%' - search_dn: '%env(LDAP_BIND_USER)%' - search_password: '%env(LDAP_BIND_PASS)%' - default_roles: ROLE_USER - uid_key: uid - extra_fields: ['mail', 'cn', 'givenname', 'sn', 'displayname', 'initials'] - - firewalls: dev: pattern: ^/(_(profiler|wdt)|css|images|js)/ security: false main: lazy: true - provider: custom_ldap_provider -# form_login: -# login_path: app_login -# check_path: app_login -# enable_csrf: true - logout: - path: app_logout + provider: app_ldap form_login_ldap: login_path: app_login check_path: app_login enable_csrf: true service: Symfony\Component\Ldap\Ldap dn_string: '%env(LDAP_DN_STRING)%' - # where to redirect after logout - # target: app_any_route + logout: + path: app_logout # activate different ways to authenticate # https://symfony.com/doc/current/security.html#the-firewall diff --git a/config/security.yaml b/config/security.yaml new file mode 100644 index 0000000..d1efd18 --- /dev/null +++ b/config/security.yaml 
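Review bot: The removed `ldap:` provider block was the only place in this file that referenced `LDAP_BASE_DN`, `LDAP_BIND_USER` and `LDAP_BIND_PASS`; if the custom `App\User\Framework\Security\LdapUserProvider` (not in this diff) does not read them, those bind credentials are now dead configuration and should be removed from the env files rather than left lying around. The resulting blob (`4f6dbaf`) is byte-identical to config/dist/ldap.security.yaml, so config/packages/security.yaml has become an artifact written by ConfigSetCommand; a header comment stating that, e.g. `# Generated by ConfigSetCommand from config/dist/*.security.yaml — do not edit directly.`, would stop hand edits from being lost. The `security:` block this hunk edits continues outside the hunk on both sides.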
@@ -0,0 +1,61 @@
+security:
+ # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
+ password_hashers:
+ Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
+ # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
+ providers:
+ users_in_memory: { memory: null }
+ app_local:
+ entity:
+ class: App\User\Framework\Entity\User
+ property: email
+
+ app_ldap:
+ id: App\User\Framework\Security\LdapUserProvider
+
+ firewalls:
+ dev:
+ pattern: ^/(_(profiler|wdt)|css|images|js)/
+ security: false
+ main:
+ lazy: true
+ provider: app_ldap
+ entry_point: form_login_ldap
+ form_login_ldap:
+ login_path: app_login
+ check_path: app_login
+ enable_csrf: true
+ service: Symfony\Component\Ldap\Ldap
+ dn_string: '%env(LDAP_DN_STRING)%'
+ form_login:
+ login_path: app_login
+ check_path: app_login
+ enable_csrf: true
+ logout:
+ path: app_logout
+
+ # activate different ways to authenticate
+ # https://symfony.com/doc/current/security.html#the-firewall
+
+ # https://symfony.com/doc/current/security/impersonating_user.html
+ # switch_user: true
+
+ # Easy way to control access for large sections of your site
+ # Note: Only the *first* access control that matches will be used
+ access_control:
+ - { path: ^/register, roles: PUBLIC_ACCESS }
+ - { path: ^/login, roles: PUBLIC_ACCESS }
+ - { path: ^/, roles: ROLE_USER } # Or ROLE_ADMIN, ROLE_SUPER_ADMIN,
+
+when@test:
+ security:
+ password_hashers:
+ # By default, password hashers are resource intensive and take time. This is
+ # important to generate secure password hashes. In tests however, secure hashes
+ # are not important, waste resources and increase test times. The following
+ # reduces the work factor to the lowest possible values.
+ Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
+ algorithm: auto
+ cost: 4 # Lowest possible value for bcrypt
+ time_cost: 3 # Lowest possible value for argon
+ memory_cost: 10 # Lowest possible value for argon
diff --git a/src/Command/ConfigSetCommand.php b/src/Command/ConfigSetCommand.php
new file mode 100644
index 0000000..0aca7fb
--- /dev/null
+++ b/src/Command/ConfigSetCommand.php
@@ -0,0 +1,58 @@
+addArgument('key', InputArgument::REQUIRED, 'Config key')
+ ->addArgument('value', InputArgument::REQUIRED, 'Config value')
+ ;
+ }
+
+ protected function execute(InputInterface $input, OutputInterface $output): int
+ {
+ $io = new SymfonyStyle($input, $output);
+ $key = $input->getArgument('key');
+ $handlers = [
+ 'auth.method' => 'setAuthMethod',
+ ];
+
+ $handler = $handlers[$key];
+ $this->$handler($input, $io);
+
+ $io->success('Success: "' . $input->getArgument('key') . '" set to "' . $input->getArgument('value') . '"');
+
+ return Command::SUCCESS;
+ }
+
+ private function setAuthMethod(InputInterface $input, SymfonyStyle $io)
+ {
+ $config = [
+ 'local' => 'config/dist/local.security.yaml',
+ 'ldap' => 'config/dist/ldap.security.yaml',
+ ];
+ $authMethod = $input->getArgument('value');
+ $io->text('> Setting auth method to: ' . $authMethod);
+ copy($config[$authMethod], 'config/packages/security.yaml');
+ }
+}
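Review bot: config/security.yaml sits outside config/packages/, so unless the kernel's configuration loading has been customized it is never loaded, and nothing else in this commit references it (ConfigSetCommand copies from config/dist/, not from here); it reads as a leftover working copy. If it is intended as a third template, its `main` firewall registers both `form_login_ldap` and `form_login` with the same `check_path: app_login` and a single `provider: app_ldap`, so a login POST is handed to whichever authenticator claims it first and `form_login` would presumably load the user through the LDAP provider and then run a password-hasher check, which does not look like the intended LDAP flow. Suggest deleting the file, or moving it under config/dist/ with a name that states its purpose and a comment explaining why two authenticators share one check path.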
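Review bot: `$handler = $handlers[$key];` and `copy($config[$authMethod], ...)` both index with unvalidated CLI input, so an unknown key or auth method yields an undefined-array-key warning followed by a call on a null method name or a `copy(null, ...)` failure, and because the `copy()` return value is never checked, the `$io->success(...)` line reports "set to" even when config/packages/security.yaml was not written — the operator is told the authentication method changed when it did not. Both lookups should be guarded and a failed copy should abort before the success message; `setAuthMethod` also lacks a `: void` return type. The source and target paths are relative and therefore resolve against the current working directory rather than the project root, so running the command from elsewhere (a cron job, a deploy hook) silently targets the wrong tree; resolving them against the kernel project directory, injected into the constructor, would fix that. Note that the opening of this file (namespace, `use` lines, class declaration and the start of `configure()`) did not survive extraction on this page, so those lines were not reviewed.

```php
protected function execute(InputInterface $input, OutputInterface $output): int
{
    $io = new SymfonyStyle($input, $output);
    $key = $input->getArgument('key');
    $handlers = [
        'auth.method' => 'setAuthMethod',
    ];

    // Unknown keys must fail loudly instead of invoking a null method name.
    if (!isset($handlers[$key])) {
        $io->error(sprintf('Unknown config key "%s". Known keys: %s', $key, implode(', ', array_keys($handlers))));

        return Command::INVALID;
    }

    $this->{$handlers[$key]}($input, $io);
    // … unchanged: success message and return Command::SUCCESS …
}

private function setAuthMethod(InputInterface $input, SymfonyStyle $io): void
{
    $config = [
        'local' => 'config/dist/local.security.yaml',
        'ldap' => 'config/dist/ldap.security.yaml',
    ];
    $authMethod = $input->getArgument('value');
    if (!isset($config[$authMethod])) {
        throw new \InvalidArgumentException(sprintf('Unknown auth method "%s"; expected one of: %s', $authMethod, implode(', ', array_keys($config))));
    }

    $io->text('> Setting auth method to: ' . $authMethod);
    // A silently unchanged security.yaml would leave the previous authenticator active, so fail hard.
    if (!copy($config[$authMethod], 'config/packages/security.yaml')) {
        throw new \RuntimeException(sprintf('Could not copy %s to config/packages/security.yaml', $config[$authMethod]));
    }
}
```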