[FrameworkBundle] Move security-csrf configuration to PHP

Author: j.schmitt

DependencyInjection/FrameworkExtension.php

@@ -288,7 +288,7 @@ public function load(array $configs, ContainerBuilder $container)
         if (null === $config['csrf_protection']['enabled']) {
             $config['csrf_protection']['enabled'] = $this->sessionConfigEnabled && !class_exists(FullStack::class) && interface_exists(CsrfTokenManagerInterface::class);
         }
-        $this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $loader);
+        $this->registerSecurityCsrfConfiguration($config['csrf_protection'], $container, $phpLoader);
 
         if ($this->isConfigEnabled($container, $config['form'])) {
             if (!class_exists('Symfony\Component\Form\Form')) {
@@ -1439,7 +1439,7 @@ private function registerSecretsConfiguration(array $config, ContainerBuilder $c
         }
     }
 
-    private function registerSecurityCsrfConfiguration(array $config, ContainerBuilder $container, XmlFileLoader $loader)
+    private function registerSecurityCsrfConfiguration(array $config, ContainerBuilder $container, PhpFileLoader $phpLoader)
     {
         if (!$this->isConfigEnabled($container, $config)) {
             return;
@@ -1454,7 +1454,7 @@ private function registerSecurityCsrfConfiguration(array $config, ContainerBuild
         }
 
         // Enable services for CSRF protection (even without forms)
-        $loader->load('security_csrf.xml');
+        $phpLoader->load('security_csrf.php');
 
         if (!class_exists(CsrfExtension::class)) {
             $container->removeDefinition('twig.extension.security_csrf');

Resources/config/security_csrf.php

@@ -0,0 +1,52 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\DependencyInjection\Loader\Configurator;
+
+use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
+use Symfony\Component\Security\Csrf\TokenGenerator\UriSafeTokenGenerator;
+use Symfony\Component\Security\Csrf\TokenGenerator\TokenGeneratorInterface;
+use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;
+use Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface;
+use Symfony\Component\Security\Csrf\CsrfTokenManager;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
+use Symfony\Bridge\Twig\Extension\CsrfRuntime;
+use Symfony\Bridge\Twig\Extension\CsrfExtension;
+
+return static function (ContainerConfigurator $container) {
+    $container->services()
+        ->set('security.csrf.token_generator', UriSafeTokenGenerator::class)
+
+        ->alias(TokenGeneratorInterface::class, 'security.csrf.token_generator')
+
+        ->set('security.csrf.token_storage', SessionTokenStorage::class)
+            ->args([service('session')])
+
+        ->alias(TokenStorageInterface::class, 'security.csrf.token_storage')
+
+        ->set('security.csrf.token_manager', CsrfTokenManager::class)
+            ->public()
+            ->args([
+                service('security.csrf.token_generator'),
+                service('security.csrf.token_storage'),
+                service('request_stack')->ignoreOnInvalid()
+            ])
+
+        ->alias(CsrfTokenManagerInterface::class, 'security.csrf.token_manager')
+
+        ->set('twig.runtime.security_csrf', CsrfRuntime::class)
+            ->args([service('security.csrf.token_manager')])
+            ->tag('twig.runtime')
+
+        ->set('twig.extension.security_csrf', CsrfExtension::class)
+            ->tag('twig.extension')
+    ;
+};