[Security] Deprecate UserInterface & TokenInterface's eraseCredentials()

Author: chalasr

UPGRADE-7.3.md

@@ -0,0 +1,39 @@
+UPGRADE FROM 7.2 to 7.3
+=======================
+
+Symfony 7.3 is a minor release. According to the Symfony release process, there should be no significant
+backward compatibility breaks. Minor backward compatibility breaks are prefixed in this document with
+`[BC BREAK]`, make sure your code is compatible with these entries before upgrading.
+Read more about this in the [Symfony documentation](https://symfony.com/doc/7.3/setup/upgrade_minor.html).
+
+If you're upgrading from a version below 7.2, follow the [7.2 upgrade guide](UPGRADE-7.2.md) first.
+
+Table of Contents
+-----------------
+
+Bundles
+
+ * [SecurityBundle](#SecurityBundle)
+
+Bridges
+
+Components
+
+ * [Ldap](#Ldap)
+ * [Security](#Security)
+
+Ldap
+----
+
+ * Deprecate `LdapUser::eraseCredentials()`, use `LdapUser::setPassword(null)` instead
+
+Security
+--------
+
+ * Deprecate `UserInterface::eraseCredentials()` and `TokenInterface::eraseCredentials()`,
+   use a dedicated DTO or erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead
+
+SecurityBundle
+--------------
+
+ * Deprecate the `erase_credentials` config option, erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead

src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/CacheAttributeListener/config.yml

@@ -10,6 +10,7 @@ services:
         public: true
 
 security:
+    erase_credentials: false
     providers:
         main:
             memory:

src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/Security/config.yml

@@ -8,6 +8,7 @@ services:
             - container.service_subscriber
 
 security:
+    erase_credentials: false
     providers:
         main:
             memory:

src/Symfony/Bundle/SecurityBundle/CHANGELOG.md

@@ -5,6 +5,7 @@ CHANGELOG
 ---
 
  * Add `Security::isGrantedForUser()` to test user authorization without relying on the session. For example, users not currently logged in, or while processing a message from a message queue
+ * Deprecate the `erase_credentials` config option, erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead
 
 7.2
 ---

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LdapFactoryTrait.php

@@ -16,6 +16,7 @@
 use Symfony\Component\DependencyInjection\Definition;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\Ldap\Security\CheckLdapCredentialsListener;
+use Symfony\Component\Ldap\Security\EraseLdapUserCredentialsListener;
 use Symfony\Component\Ldap\Security\LdapAuthenticator;
 
 /**
@@ -42,6 +43,10 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
             ->addArgument(new Reference('security.ldap_locator'))
         ;
 
+        $container->setDefinition('security.listener.'.$key.'.'.$firewallName.'erase_ldap_credentials', new Definition(EraseLdapUserCredentialsListener::class))
+            ->addTag('kernel.event_subscriber', ['dispatcher' => 'security.event_dispatcher.'.$firewallName])
+        ;
+
         $ldapAuthenticatorId = 'security.authenticator.'.$key.'.'.$firewallName;
         $definition = $container->setDefinition($ldapAuthenticatorId, new Definition(LdapAuthenticator::class))
             ->setArguments([

src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php

@@ -135,6 +135,9 @@ public function load(array $configs, ContainerBuilder $container): void
 
         // set some global scalars
         $container->setParameter('security.access.denied_url', $config['access_denied_url']);
+        if (true === $config['erase_credentials']) {
+            trigger_deprecation('symfony/security-bundle', '7.3', 'Setting the "security.erase_credentials" config option to true is deprecated and won\'t have any effect in 8.0, set it to false instead and use your own erasing logic if needed.');
+        }
         $container->setParameter('security.authentication.manager.erase_credentials', $config['erase_credentials']);
         $container->setParameter('security.authentication.session_strategy.strategy', $config['session_fixation_strategy']);
 

src/Symfony/Bundle/SecurityBundle/Tests/Debug/TraceableFirewallListenerTest.php

@@ -103,7 +103,9 @@ public function testOnKernelRequestRecordsAuthenticatorsInfo()
             [new TraceableAuthenticator($notSupportingAuthenticator), new TraceableAuthenticator($supportingAuthenticator)],
             $tokenStorage,
             $dispatcher,
-            'main'
+            'main',
+            null,
+            false
         );
 
         $listener = new TraceableAuthenticatorManagerListener(new AuthenticatorManagerListener($authenticatorManager));

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php

@@ -139,6 +139,7 @@ private function createContainer($sessionStorageOptions)
 
         $config = [
             'security' => [
+                'erase_credentials' => false,
                 'providers' => ['some_provider' => ['id' => 'foo']],
                 'firewalls' => ['some_firewall' => ['security' => false]],
             ],

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/MakeFirewallsEventDispatcherTraceablePassTest.php

@@ -34,6 +34,7 @@ protected function setUp(): void
 
         $this->container->registerExtension(new SecurityExtension());
         $this->container->loadFromExtension('security', [
+            'erase_credentials' => false,
             'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
         ]);
 

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/RegisterGlobalSecurityEventListenersPassTest.php

@@ -56,6 +56,7 @@ protected function setUp(): void
     public function testEventIsPropagated(string $configuredEvent, string $registeredEvent)
     {
         $this->container->loadFromExtension('security', [
+            'erase_credentials' => false,
             'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
         ]);
 
@@ -89,6 +90,7 @@ public static function providePropagatedEvents(): array
     public function testRegisterCustomListener()
     {
         $this->container->loadFromExtension('security', [
+            'erase_credentials' => false,
             'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
         ]);
 
@@ -109,6 +111,7 @@ public function testRegisterCustomListener()
     public function testRegisterCustomSubscriber()
     {
         $this->container->loadFromExtension('security', [
+            'erase_credentials' => false,
             'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
         ]);
 
@@ -128,6 +131,7 @@ public function testRegisterCustomSubscriber()
     public function testMultipleFirewalls()
     {
         $this->container->loadFromExtension('security', [
+            'erase_credentials' => false,
             'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true], 'api' => ['pattern' => '/api', 'http_basic' => true]],
         ]);
 
@@ -157,6 +161,7 @@ public function testMultipleFirewalls()
     public function testListenerAlreadySpecific()
     {
         $this->container->loadFromExtension('security', [
+            'erase_credentials' => false,
             'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
         ]);