Skip to content

[Security] Deprecate UserInterface & TokenInterface's eraseCredentials() #59106

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

[Security] Deprecate UserInterface & TokenInterface's eraseCredentials() #59106

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 18 additions & 1 deletion UPGRADE-7.3.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,23 @@ backward compatibility breaks. Minor backward compatibility breaks are prefixed
`[BC BREAK]`, make sure your code is compatible with these entries before upgrading.
Read more about this in the [Symfony documentation](https://symfony.com/doc/7.3/setup/upgrade_minor.html).

If you're upgrading from a version below 7.1, follow the [7.2 upgrade guide](UPGRADE-7.2.md) first.
If you're upgrading from a version below 7.2, follow the [7.2 upgrade guide](UPGRADE-7.2.md) first.

Ldap
----

* Deprecate `LdapUser::eraseCredentials()`, use `LdapUser::setPassword(null)` instead

Security
--------

* Deprecate `UserInterface::eraseCredentials()` and `TokenInterface::eraseCredentials()`,
use a dedicated DTO or erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead

SecurityBundle
--------------

* Deprecate the `erase_credentials` config option, erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead

Console
-------
Expand Down Expand Up @@ -109,3 +125,4 @@ VarDumper

* Deprecate `ResourceCaster::castCurl()`, `ResourceCaster::castGd()` and `ResourceCaster::castOpensslX509()`
* Mark all casters as `@internal`
* Deprecate the `CompiledClassMetadataFactory` and `CompiledClassMetadataCacheWarmer` classes
1 change: 1 addition & 0 deletions src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/CacheAttributeListener/config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ services:
public: true

security:
erase_credentials: false
providers:
main:
memory:
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/Security/config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ services:
- container.service_subscriber

security:
erase_credentials: false
providers:
main:
memory:
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ CHANGELOG

* Add `Security::isGrantedForUser()` to test user authorization without relying on the session. For example, users not currently logged in, or while processing a message from a message queue
* Add encryption support to `OidcTokenHandler` (JWE)
* Deprecate the `erase_credentials` config option, erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead

7.2
---
Expand Down
7 changes: 7 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LdapFactoryTrait.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
use Symfony\Component\DependencyInjection\Definition;
use Symfony\Component\DependencyInjection\Reference;
use Symfony\Component\Ldap\Security\CheckLdapCredentialsListener;
use Symfony\Component\Ldap\Security\EraseLdapUserCredentialsListener;
use Symfony\Component\Ldap\Security\LdapAuthenticator;

/**
Expand All @@ -42,6 +43,12 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
->addArgument(new Reference('security.ldap_locator'))
;

if (class_exists(EraseLdapUserCredentialsListener::class && !$container->getParameter('security.authentication.manager.erase_credentials'))) {
$container->setDefinition('security.listener.'.$key.'.'.$firewallName.'erase_ldap_credentials', new Definition(EraseLdapUserCredentialsListener::class))
->addTag('kernel.event_subscriber', ['dispatcher' => 'security.event_dispatcher.'.$firewallName])
;
}

$ldapAuthenticatorId = 'security.authenticator.'.$key.'.'.$firewallName;
$definition = $container->setDefinition($ldapAuthenticatorId, new Definition(LdapAuthenticator::class))
->setArguments([
Expand Down
3 changes: 3 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,9 @@ public function load(array $configs, ContainerBuilder $container): void

// set some global scalars
$container->setParameter('security.access.denied_url', $config['access_denied_url']);
if (true === $config['erase_credentials']) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why don't we do this check in the MainConfiguration class instead?

trigger_deprecation('symfony/security-bundle', '7.3', 'Setting the "security.erase_credentials" config option to true is deprecated and won\'t have any effect in 8.0, set it to false instead and use your own erasing logic if needed.');
}
$container->setParameter('security.authentication.manager.erase_credentials', $config['erase_credentials']);
$container->setParameter('security.authentication.session_strategy.strategy', $config['session_fixation_strategy']);

Expand Down
4 changes: 3 additions & 1 deletion src/Symfony/Bundle/SecurityBundle/Tests/Debug/TraceableFirewallListenerTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,9 @@ public function testOnKernelRequestRecordsAuthenticatorsInfo()
[new TraceableAuthenticator($notSupportingAuthenticator), new TraceableAuthenticator($supportingAuthenticator)],
$tokenStorage,
$dispatcher,
'main'
'main',
null,
false
);

$listener = new TraceableAuthenticatorManagerListener(new AuthenticatorManagerListener($authenticatorManager));
Expand Down
1 change: 1 addition & 0 deletions .../SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,7 @@ private function createContainer($sessionStorageOptions)

$config = [
'security' => [
'erase_credentials' => false,
'providers' => ['some_provider' => ['id' => 'foo']],
'firewalls' => ['some_firewall' => ['security' => false]],
],
Expand Down
1 change: 1 addition & 0 deletions ...ndle/Tests/DependencyInjection/Compiler/MakeFirewallsEventDispatcherTraceablePassTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ protected function setUp(): void

$this->container->registerExtension(new SecurityExtension());
$this->container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
]);

Expand Down
5 changes: 5 additions & 0 deletions ...undle/Tests/DependencyInjection/Compiler/RegisterGlobalSecurityEventListenersPassTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ protected function setUp(): void
public function testEventIsPropagated(string $configuredEvent, string $registeredEvent)
{
$this->container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
]);

Expand Down Expand Up @@ -89,6 +90,7 @@ public static function providePropagatedEvents(): array
public function testRegisterCustomListener()
{
$this->container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
]);

Expand All @@ -109,6 +111,7 @@ public function testRegisterCustomListener()
public function testRegisterCustomSubscriber()
{
$this->container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
]);

Expand All @@ -128,6 +131,7 @@ public function testRegisterCustomSubscriber()
public function testMultipleFirewalls()
{
$this->container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true], 'api' => ['pattern' => '/api', 'http_basic' => true]],
]);

Expand Down Expand Up @@ -157,6 +161,7 @@ public function testMultipleFirewalls()
public function testListenerAlreadySpecific()
{
$this->container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
]);

Expand Down
1 change: 1 addition & 0 deletions ...ndle/Tests/DependencyInjection/Fixtures/php/access_decision_manager_customized_config.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'access_decision_manager' => [
'allow_if_all_abstain' => true,
'allow_if_equal_granted_denied' => false,
Expand Down
1 change: 1 addition & 0 deletions ...undle/Tests/DependencyInjection/Fixtures/php/access_decision_manager_default_strategy.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => [
'memory' => [
Expand Down
1 change: 1 addition & 0 deletions ...SecurityBundle/Tests/DependencyInjection/Fixtures/php/access_decision_manager_service.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'access_decision_manager' => [
'service' => 'app.access_decision_manager',
],
Expand Down
1 change: 1 addition & 0 deletions ...e/Tests/DependencyInjection/Fixtures/php/access_decision_manager_service_and_strategy.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'access_decision_manager' => [
'service' => 'app.access_decision_manager',
'strategy' => 'affirmative',
Expand Down
1 change: 1 addition & 0 deletions ...undle/Tests/DependencyInjection/Fixtures/php/access_decision_manager_strategy_service.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'access_decision_manager' => [
'strategy_service' => 'app.custom_access_decision_strategy',
],
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/argon2i_hasher.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
$this->load('container1.php');

$container->loadFromExtension('security', [
'erase_credentials' => false,
'password_hashers' => [
'JMS\FooBundle\Entity\User7' => [
'algorithm' => 'argon2i',
Expand Down
1 change: 1 addition & 0 deletions ...ny/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/authenticator_manager.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;

$container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => [
'main' => [
'required_badges' => [CsrfTokenBadge::class, 'RememberMeBadge'],
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/bcrypt_hasher.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
$this->load('container1.php');

$container->loadFromExtension('security', [
'erase_credentials' => false,
'password_hashers' => [
'JMS\FooBundle\Entity\User7' => [
'algorithm' => 'bcrypt',
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'password_hashers' => [
'JMS\FooBundle\Entity\User1' => 'plaintext',
'JMS\FooBundle\Entity\User2' => [
Expand Down
1 change: 1 addition & 0 deletions ...ymfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/firewall_patterns.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => [
'no_security' => [
'pattern' => [
Expand Down
1 change: 1 addition & 0 deletions ...ymfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/firewall_provider.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => [
'memory' => $memory = [
Expand Down
1 change: 1 addition & 0 deletions ...dle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/firewall_undefined_provider.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => [
'memory' => [
Expand Down
1 change: 1 addition & 0 deletions ...ymfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/listener_provider.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => [
'memory' => [
Expand Down
1 change: 1 addition & 0 deletions ...dle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/listener_undefined_provider.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => [
'memory' => [
Expand Down
1 change: 1 addition & 0 deletions ...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/logout_clear_site_data.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => ['id' => 'foo'],
],
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/merge.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
$this->load('merge_import.php');

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => ['id' => 'foo'],
],
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/merge_import.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => [
'main' => [
'form_login' => [
Expand Down
1 change: 1 addition & 0 deletions ...Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/migrating_hasher.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
$this->load('container1.php');

$container->loadFromExtension('security', [
'erase_credentials' => false,
'password_hashers' => [
'JMS\FooBundle\Entity\User7' => [
'algorithm' => 'argon2i',
Expand Down
1 change: 1 addition & 0 deletions ...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/no_custom_user_checker.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => [
'memory' => [
Expand Down
1 change: 1 addition & 0 deletions ...fony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/remember_me_options.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => ['id' => 'foo'],
],
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/sodium_hasher.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
$this->load('container1.php');

$container->loadFromExtension('security', [
'erase_credentials' => false,
'password_hashers' => [
'JMS\FooBundle\Entity\User7' => [
'algorithm' => 'sodium',
Expand Down
2 changes: 1 addition & 1 deletion ...ndle/Tests/DependencyInjection/Fixtures/xml/access_decision_manager_customized_config.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
http://symfony.com/schema/dic/security
https://symfony.com/schema/dic/security/security-1.0.xsd">

<config>
<config erase-credentials="false">
<access-decision-manager allow-if-all-abstain="true" allow-if-equal-granted-denied="false" />

<provider name="default">
Expand Down
2 changes: 1 addition & 1 deletion ...undle/Tests/DependencyInjection/Fixtures/xml/access_decision_manager_default_strategy.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
http://symfony.com/schema/dic/security
https://symfony.com/schema/dic/security/security-1.0.xsd">

<config>
<config erase-credentials="false">
<provider name="default">
<memory>
<user identifier="foo" password="foo" roles="ROLE_USER" />
Expand Down
2 changes: 1 addition & 1 deletion ...SecurityBundle/Tests/DependencyInjection/Fixtures/xml/access_decision_manager_service.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
http://symfony.com/schema/dic/security
https://symfony.com/schema/dic/security/security-1.0.xsd">

<config>
<config erase-credentials="false">
<access-decision-manager service="app.access_decision_manager" />

<provider name="default">
Expand Down
2 changes: 1 addition & 1 deletion ...e/Tests/DependencyInjection/Fixtures/xml/access_decision_manager_service_and_strategy.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
http://symfony.com/schema/dic/security
https://symfony.com/schema/dic/security/security-1.0.xsd">

<config>
<config erase-credentials="false">
<access-decision-manager service="app.access_decision_manager" strategy="affirmative" />

<provider name="default">
Expand Down
2 changes: 1 addition & 1 deletion ...undle/Tests/DependencyInjection/Fixtures/xml/access_decision_manager_strategy_service.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
http://symfony.com/schema/dic/security
https://symfony.com/schema/dic/security/security-1.0.xsd">

<config>
<config erase-credentials="false">
<access-decision-manager strategy-service="app.custom_access_decision_strategy" />

<provider name="default">
Expand Down
2 changes: 1 addition & 1 deletion src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/argon2i_hasher.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
<import resource="container1.xml"/>
</imports>

<sec:config>
<sec:config erase-credentials="false">
<sec:password_hasher class="JMS\FooBundle\Entity\User7" algorithm="argon2i" memory-cost="256" time-cost="1" />
</sec:config>

Expand Down
2 changes: 1 addition & 1 deletion ...ny/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/authenticator_manager.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
http://symfony.com/schema/dic/security
https://symfony.com/schema/dic/security/security-1.0.xsd">

<config>
<config erase-credentials="false">
<firewall name="main">
<required-badge>Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge</required-badge>
<required-badge>RememberMeBadge</required-badge>
Expand Down
2 changes: 1 addition & 1 deletion src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/bcrypt_hasher.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
<import resource="container1.xml"/>
</imports>

<sec:config>
<sec:config erase-credentials="false">
<sec:password_hasher class="JMS\FooBundle\Entity\User7" algorithm="bcrypt" cost="15" />
</sec:config>

Expand Down
Loading
Loading
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy