Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

[Security] Deprecate UserInterface & TokenInterface's eraseCredentials() #59106

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

[Security] Deprecate UserInterface & TokenInterface's eraseCredentials() #59106

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
[Security] Deprecate UserInterface & TokenInterface's `eraseCrede… 
…ntials()`
  • Loading branch information
@chalasr
chalasr committed Jan 31, 2025
commit e36259db5c10d2a15d1a2028681b7341c1cd3e9f
19 changes: 18 additions & 1 deletion 19 UPGRADE-7.3.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,23 @@ backward compatibility breaks. Minor backward compatibility breaks are prefixed
`[BC BREAK]`, make sure your code is compatible with these entries before upgrading.
Read more about this in the [Symfony documentation](https://symfony.com/doc/7.3/setup/upgrade_minor.html).

If you're upgrading from a version below 7.1, follow the [7.2 upgrade guide](UPGRADE-7.2.md) first.
If you're upgrading from a version below 7.2, follow the [7.2 upgrade guide](UPGRADE-7.2.md) first.

Ldap
----

* Deprecate `LdapUser::eraseCredentials()`, use `LdapUser::setPassword(null)` instead
nicolas-grekas marked this conversation as resolved.
Show resolved Hide resolved

Security
--------

* Deprecate `UserInterface::eraseCredentials()` and `TokenInterface::eraseCredentials()`,
use a dedicated DTO or erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead
nicolas-grekas marked this conversation as resolved.
Show resolved Hide resolved

SecurityBundle
--------------

* Deprecate the `erase_credentials` config option, erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead
nicolas-grekas marked this conversation as resolved.
Show resolved Hide resolved

Console
-------
Expand Down Expand Up @@ -109,3 +125,4 @@ VarDumper

chalasr marked this conversation as resolved.
Show resolved Hide resolved
* Deprecate `ResourceCaster::castCurl()`, `ResourceCaster::castGd()` and `ResourceCaster::castOpensslX509()`
* Mark all casters as `@internal`
* Deprecate the `CompiledClassMetadataFactory` and `CompiledClassMetadataCacheWarmer` classes
1 change: 1 addition & 0 deletions 1 src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/CacheAttributeListener/config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ services:
public: true

security:
erase_credentials: false
providers:
main:
memory:
Expand Down
1 change: 1 addition & 0 deletions 1 src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/Security/config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ services:
- container.service_subscriber

security:
erase_credentials: false
providers:
main:
memory:
Expand Down
1 change: 1 addition & 0 deletions 1 src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ CHANGELOG

* Add `Security::isGrantedForUser()` to test user authorization without relying on the session. For example, users not currently logged in, or while processing a message from a message queue
* Add encryption support to `OidcTokenHandler` (JWE)
* Deprecate the `erase_credentials` config option, erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead
nicolas-grekas marked this conversation as resolved.
Show resolved Hide resolved

7.2
---
Expand Down
7 changes: 7 additions & 0 deletions 7 src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LdapFactoryTrait.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
use Symfony\Component\DependencyInjection\Definition;
use Symfony\Component\DependencyInjection\Reference;
use Symfony\Component\Ldap\Security\CheckLdapCredentialsListener;
use Symfony\Component\Ldap\Security\EraseLdapUserCredentialsListener;
use Symfony\Component\Ldap\Security\LdapAuthenticator;

/**
Expand All @@ -42,6 +43,12 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
->addArgument(new Reference('security.ldap_locator'))
;

if (class_exists(EraseLdapUserCredentialsListener::class && !$container->getParameter('security.authentication.manager.erase_credentials'))) {
nicolas-grekas marked this conversation as resolved.
Show resolved Hide resolved
$container->setDefinition('security.listener.'.$key.'.'.$firewallName.'erase_ldap_credentials', new Definition(EraseLdapUserCredentialsListener::class))
->addTag('kernel.event_subscriber', ['dispatcher' => 'security.event_dispatcher.'.$firewallName])
;
}

$ldapAuthenticatorId = 'security.authenticator.'.$key.'.'.$firewallName;
$definition = $container->setDefinition($ldapAuthenticatorId, new Definition(LdapAuthenticator::class))
->setArguments([
Expand Down
3 changes: 3 additions & 0 deletions 3 src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,9 @@ public function load(array $configs, ContainerBuilder $container): void

// set some global scalars
$container->setParameter('security.access.denied_url', $config['access_denied_url']);
if (true === $config['erase_credentials']) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why don't we do this check in the MainConfiguration class instead?

trigger_deprecation('symfony/security-bundle', '7.3', 'Setting the "security.erase_credentials" config option to true is deprecated and won\'t have any effect in 8.0, set it to false instead and use your own erasing logic if needed.');
}
$container->setParameter('security.authentication.manager.erase_credentials', $config['erase_credentials']);
$container->setParameter('security.authentication.session_strategy.strategy', $config['session_fixation_strategy']);

Expand Down
4 changes: 3 additions & 1 deletion 4 src/Symfony/Bundle/SecurityBundle/Tests/Debug/TraceableFirewallListenerTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,9 @@ public function testOnKernelRequestRecordsAuthenticatorsInfo()
[new TraceableAuthenticator($notSupportingAuthenticator), new TraceableAuthenticator($supportingAuthenticator)],
$tokenStorage,
$dispatcher,
'main'
'main',
null,
false
);

$listener = new TraceableAuthenticatorManagerListener(new AuthenticatorManagerListener($authenticatorManager));
Expand Down
1 change: 1 addition & 0 deletions 1 .../SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,7 @@ private function createContainer($sessionStorageOptions)

$config = [
'security' => [
'erase_credentials' => false,
'providers' => ['some_provider' => ['id' => 'foo']],
'firewalls' => ['some_firewall' => ['security' => false]],
],
Expand Down
1 change: 1 addition & 0 deletions 1 ...ndle/Tests/DependencyInjection/Compiler/MakeFirewallsEventDispatcherTraceablePassTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ protected function setUp(): void

$this->container->registerExtension(new SecurityExtension());
$this->container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
]);

Expand Down
5 changes: 5 additions & 0 deletions 5 ...undle/Tests/DependencyInjection/Compiler/RegisterGlobalSecurityEventListenersPassTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ protected function setUp(): void
public function testEventIsPropagated(string $configuredEvent, string $registeredEvent)
{
$this->container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
]);

Expand Down Expand Up @@ -89,6 +90,7 @@ public static function providePropagatedEvents(): array
public function testRegisterCustomListener()
{
$this->container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
]);

Expand All @@ -109,6 +111,7 @@ public function testRegisterCustomListener()
public function testRegisterCustomSubscriber()
{
$this->container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
]);

Expand All @@ -128,6 +131,7 @@ public function testRegisterCustomSubscriber()
public function testMultipleFirewalls()
{
$this->container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true], 'api' => ['pattern' => '/api', 'http_basic' => true]],
]);

Expand Down Expand Up @@ -157,6 +161,7 @@ public function testMultipleFirewalls()
public function testListenerAlreadySpecific()
{
$this->container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
]);

Expand Down
1 change: 1 addition & 0 deletions 1 ...ndle/Tests/DependencyInjection/Fixtures/php/access_decision_manager_customized_config.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'access_decision_manager' => [
'allow_if_all_abstain' => true,
'allow_if_equal_granted_denied' => false,
Expand Down
1 change: 1 addition & 0 deletions 1 ...undle/Tests/DependencyInjection/Fixtures/php/access_decision_manager_default_strategy.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => [
'memory' => [
Expand Down
1 change: 1 addition & 0 deletions 1 ...SecurityBundle/Tests/DependencyInjection/Fixtures/php/access_decision_manager_service.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'access_decision_manager' => [
'service' => 'app.access_decision_manager',
],
Expand Down
1 change: 1 addition & 0 deletions 1 ...e/Tests/DependencyInjection/Fixtures/php/access_decision_manager_service_and_strategy.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'access_decision_manager' => [
'service' => 'app.access_decision_manager',
'strategy' => 'affirmative',
Expand Down
1 change: 1 addition & 0 deletions 1 ...undle/Tests/DependencyInjection/Fixtures/php/access_decision_manager_strategy_service.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'access_decision_manager' => [
'strategy_service' => 'app.custom_access_decision_strategy',
],
Expand Down
1 change: 1 addition & 0 deletions 1 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/argon2i_hasher.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
$this->load('container1.php');

$container->loadFromExtension('security', [
'erase_credentials' => false,
'password_hashers' => [
'JMS\FooBundle\Entity\User7' => [
'algorithm' => 'argon2i',
Expand Down
1 change: 1 addition & 0 deletions 1 ...ny/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/authenticator_manager.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;

$container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => [
'main' => [
'required_badges' => [CsrfTokenBadge::class, 'RememberMeBadge'],
Expand Down
1 change: 1 addition & 0 deletions 1 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/bcrypt_hasher.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
$this->load('container1.php');

$container->loadFromExtension('security', [
'erase_credentials' => false,
'password_hashers' => [
'JMS\FooBundle\Entity\User7' => [
'algorithm' => 'bcrypt',
Expand Down
1 change: 1 addition & 0 deletions 1 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'password_hashers' => [
'JMS\FooBundle\Entity\User1' => 'plaintext',
'JMS\FooBundle\Entity\User2' => [
Expand Down
1 change: 1 addition & 0 deletions 1 ...ymfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/firewall_patterns.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => [
'no_security' => [
'pattern' => [
Expand Down
1 change: 1 addition & 0 deletions 1 ...ymfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/firewall_provider.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => [
'memory' => $memory = [
Expand Down
1 change: 1 addition & 0 deletions 1 ...dle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/firewall_undefined_provider.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => [
'memory' => [
Expand Down
1 change: 1 addition & 0 deletions 1 ...ymfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/listener_provider.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => [
'memory' => [
Expand Down
1 change: 1 addition & 0 deletions 1 ...dle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/listener_undefined_provider.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => [
'memory' => [
Expand Down
1 change: 1 addition & 0 deletions 1 ...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/logout_clear_site_data.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => ['id' => 'foo'],
],
Expand Down
1 change: 1 addition & 0 deletions 1 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/merge.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
$this->load('merge_import.php');

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => ['id' => 'foo'],
],
Expand Down
1 change: 1 addition & 0 deletions 1 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/merge_import.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'firewalls' => [
'main' => [
'form_login' => [
Expand Down
1 change: 1 addition & 0 deletions 1 ...Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/migrating_hasher.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
$this->load('container1.php');

$container->loadFromExtension('security', [
'erase_credentials' => false,
'password_hashers' => [
'JMS\FooBundle\Entity\User7' => [
'algorithm' => 'argon2i',
Expand Down
1 change: 1 addition & 0 deletions 1 ...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/no_custom_user_checker.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => [
'memory' => [
Expand Down
1 change: 1 addition & 0 deletions 1 ...fony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/remember_me_options.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
<?php

$container->loadFromExtension('security', [
'erase_credentials' => false,
'providers' => [
'default' => ['id' => 'foo'],
],
Expand Down
1 change: 1 addition & 0 deletions 1 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/sodium_hasher.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
$this->load('container1.php');

$container->loadFromExtension('security', [
'erase_credentials' => false,
'password_hashers' => [
'JMS\FooBundle\Entity\User7' => [
'algorithm' => 'sodium',
Expand Down
2 changes: 1 addition & 1 deletion 2 ...ndle/Tests/DependencyInjection/Fixtures/xml/access_decision_manager_customized_config.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
http://symfony.com/schema/dic/security
https://symfony.com/schema/dic/security/security-1.0.xsd">

<config>
<config erase-credentials="false">
<access-decision-manager allow-if-all-abstain="true" allow-if-equal-granted-denied="false" />

<provider name="default">
Expand Down
2 changes: 1 addition & 1 deletion 2 ...undle/Tests/DependencyInjection/Fixtures/xml/access_decision_manager_default_strategy.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
http://symfony.com/schema/dic/security
https://symfony.com/schema/dic/security/security-1.0.xsd">

<config>
<config erase-credentials="false">
<provider name="default">
<memory>
<user identifier="foo" password="foo" roles="ROLE_USER" />
Expand Down
2 changes: 1 addition & 1 deletion 2 ...SecurityBundle/Tests/DependencyInjection/Fixtures/xml/access_decision_manager_service.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
http://symfony.com/schema/dic/security
https://symfony.com/schema/dic/security/security-1.0.xsd">

<config>
<config erase-credentials="false">
<access-decision-manager service="app.access_decision_manager" />

<provider name="default">
Expand Down
2 changes: 1 addition & 1 deletion 2 ...e/Tests/DependencyInjection/Fixtures/xml/access_decision_manager_service_and_strategy.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
http://symfony.com/schema/dic/security
https://symfony.com/schema/dic/security/security-1.0.xsd">

<config>
<config erase-credentials="false">
<access-decision-manager service="app.access_decision_manager" strategy="affirmative" />

<provider name="default">
Expand Down
2 changes: 1 addition & 1 deletion 2 ...undle/Tests/DependencyInjection/Fixtures/xml/access_decision_manager_strategy_service.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
http://symfony.com/schema/dic/security
https://symfony.com/schema/dic/security/security-1.0.xsd">

<config>
<config erase-credentials="false">
<access-decision-manager strategy-service="app.custom_access_decision_strategy" />

<provider name="default">
Expand Down
2 changes: 1 addition & 1 deletion 2 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/argon2i_hasher.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
<import resource="container1.xml"/>
</imports>

<sec:config>
<sec:config erase-credentials="false">
<sec:password_hasher class="JMS\FooBundle\Entity\User7" algorithm="argon2i" memory-cost="256" time-cost="1" />
</sec:config>

Expand Down
2 changes: 1 addition & 1 deletion 2 ...ny/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/authenticator_manager.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
http://symfony.com/schema/dic/security
https://symfony.com/schema/dic/security/security-1.0.xsd">

<config>
<config erase-credentials="false">
<firewall name="main">
<required-badge>Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge</required-badge>
<required-badge>RememberMeBadge</required-badge>
Expand Down
2 changes: 1 addition & 1 deletion 2 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/bcrypt_hasher.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
<import resource="container1.xml"/>
</imports>

<sec:config>
<sec:config erase-credentials="false">
<sec:password_hasher class="JMS\FooBundle\Entity\User7" algorithm="bcrypt" cost="15" />
</sec:config>

Expand Down
Loading
Loading
Morty Proxy This is a proxified and sanitized view of the page, visit original site.