From a867ca1d0c8f5384ef18761178b17cc8b0d6d331 Mon Sep 17 00:00:00 2001
From: Robin Chalas
Date: Wed, 27 Sep 2017 09:59:35 +0200
Subject: [PATCH] [SecurityBundle] Remove ACL related code
---
 .../Bundle/SecurityBundle/CHANGELOG.md | 3 +
 .../SecurityBundle/Command/InitAclCommand.php | 113 ----------
 .../SecurityBundle/Command/SetAclCommand.php | 202 ------------------
 .../DependencyInjection/MainConfiguration.php | 42 ----
 .../DependencyInjection/SecurityExtension.php | 60 ------
 .../Resources/config/console.xml | 11 -
 .../CompleteConfigurationTest.php | 38 ----
 .../Fixtures/php/container1_with_acl.php | 101 ---------
 .../Fixtures/xml/container1_with_acl.xml | 80 -------
 .../Fixtures/yml/container1_with_acl.yml | 81 -------
 .../Tests/Functional/SetAclCommandTest.php | 177 ---------------
 11 files changed, 3 insertions(+), 905 deletions(-)
 delete mode 100644 src/Symfony/Bundle/SecurityBundle/Command/InitAclCommand.php
 delete mode 100644 src/Symfony/Bundle/SecurityBundle/Command/SetAclCommand.php
 delete mode 100644 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_acl.php
 delete mode 100644 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1_with_acl.xml
 delete mode 100644 src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1_with_acl.yml
 delete mode 100644 src/Symfony/Bundle/SecurityBundle/Tests/Functional/SetAclCommandTest.php
diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
index d5f167f7ae..b5b0f6ec61 100644
--- a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
+++ b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -10,6 +10,9 @@ CHANGELOG
 * `UserPasswordEncoderCommand` does not extend `ContainerAwareCommand` anymore
 * removed support for voters that don't implement the `VoterInterface`
 * removed HTTP digest authentication
+ * removed command `acl:set` along with `SetAclCommand` class
+ * removed command `init:acl` along with `InitAclCommand` class
+ * removed `acl` configuration key and related services, use symfony/acl-bundle instead
 
 3.4.0
 -----
diff --git a/src/Symfony/Bundle/SecurityBundle/Command/InitAclCommand.php b/src/Symfony/Bundle/SecurityBundle/Command/InitAclCommand.php
deleted file mode 100644
index 42e4f8825d..0000000000
--- a/src/Symfony/Bundle/SecurityBundle/Command/InitAclCommand.php
+++ /dev/null
@@ -1,113 +0,0 @@ - - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Bundle\SecurityBundle\Command; - -@trigger_error(sprintf('Class "%s" is deprecated since version 3.4 and will be removed in 4.0. Use Symfony\Bundle\AclBundle\Command\SetAclCommand instead.', SetAclCommand::class), E_USER_DEPRECATED); - -use Symfony\Bundle\FrameworkBundle\Command\ContainerAwareCommand; -use Symfony\Component\Console\Input\InputInterface; -use Symfony\Component\Console\Output\ConsoleOutputInterface; -use Symfony\Component\Console\Output\OutputInterface; -use Symfony\Component\Console\Style\SymfonyStyle; -use Symfony\Component\Security\Acl\Dbal\Schema; -use Doctrine\DBAL\Connection; -use Doctrine\DBAL\Schema\SchemaException; - -/** - * Installs the tables required by the ACL system. - * - * @author Johannes M. Schmitt - * - * @deprecated since version 3.4, to be removed in 4.0. See Symfony\Bundle\AclBundle\Command\SetAclCommand instead. - */ -class InitAclCommand extends ContainerAwareCommand -{ - protected static $defaultName = 'init:acl'; - - private $connection; - private $schema; - - public function __construct($connection = null, Schema $schema = null) - { - if (!$connection instanceof Connection) { - parent::__construct($connection); - - return; - } - - parent::__construct(); - - $this->connection = $connection; - $this->schema = $schema; - } - - /** - * {@inheritdoc} - */ - public function isEnabled() - { - if (!$this->connection && !$this->getContainer()->has('security.acl.dbal.connection')) { - return false; - } - - return parent::isEnabled(); - } - - /** - * {@inheritdoc} - */ - protected function configure() - { - $this - ->setDescription('Mounts ACL tables in the database') - ->setHelp(<<<'EOF' -The %command.name% command mounts ACL tables in the database. 
- - php %command.full_name% - -The name of the DBAL connection must be configured in your app/config/security.yml configuration file in the security.acl.connection variable. - - security: - acl: - connection: default -EOF - ) - ; - } - - /** - * {@inheritdoc} - */ - protected function execute(InputInterface $input, OutputInterface $output) - { - (new SymfonyStyle($input, $output instanceof ConsoleOutputInterface ? $output->getErrorOutput() : $output))->warning('Command "init:acl" is deprecated since version 3.4 and will be removed from SecurityBundle in 4.0. Install symfony/acl-bundle and use "acl:init" instead.'); - - if (null === $this->connection) { - $this->connection = $this->getContainer()->get('security.acl.dbal.connection'); - $this->schema = $this->getContainer()->get('security.acl.dbal.schema'); - } - - try { - $this->schema->addToSchema($this->connection->getSchemaManager()->createSchema()); - } catch (SchemaException $e) { - $output->writeln('Aborting: '.$e->getMessage()); - - return 1; - } - - foreach ($this->schema->toSql($this->connection->getDatabasePlatform()) as $sql) { - $this->connection->exec($sql); - } - - $output->writeln('ACL tables have been initialized successfully.'); - } -} diff --git a/src/Symfony/Bundle/SecurityBundle/Command/SetAclCommand.php b/src/Symfony/Bundle/SecurityBundle/Command/SetAclCommand.php deleted file mode 100644 index c0c51eff4e..0000000000 --- a/src/Symfony/Bundle/SecurityBundle/Command/SetAclCommand.php +++ /dev/null 
@@ -1,202 +0,0 @@ - - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Bundle\SecurityBundle\Command; - -@trigger_error(sprintf('Class "%s" is deprecated since version 3.4 and will be removed in 4.0. Use Symfony\Bundle\AclBundle\Command\SetAclCommand instead.', SetAclCommand::class), E_USER_DEPRECATED); - -use Symfony\Bundle\FrameworkBundle\Command\ContainerAwareCommand; -use Symfony\Component\Console\Input\InputArgument; -use Symfony\Component\Console\Input\InputInterface; -use Symfony\Component\Console\Input\InputOption; -use Symfony\Component\Console\Output\ConsoleOutputInterface; -use Symfony\Component\Console\Output\OutputInterface; -use Symfony\Component\Console\Style\SymfonyStyle; -use Symfony\Component\Security\Acl\Domain\ObjectIdentity; -use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity; -use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity; -use Symfony\Component\Security\Acl\Exception\AclAlreadyExistsException; -use Symfony\Component\Security\Acl\Permission\MaskBuilder; -use Symfony\Component\Security\Acl\Model\MutableAclProviderInterface; - -/** - * Sets ACL for objects. - * - * @author Kévin Dunglas - * - * @deprecated since version 3.4, to be removed in 4.0. See Symfony\Bundle\AclBundle\Command\SetAclCommand instead. 
- */ -class SetAclCommand extends ContainerAwareCommand -{ - protected static $defaultName = 'acl:set'; - - private $provider; - - /** - * @param MutableAclProviderInterface $provider - */ - public function __construct($provider = null) - { - if (!$provider instanceof MutableAclProviderInterface) { - parent::__construct($provider); - - return; - } - - parent::__construct(); - - $this->provider = $provider; - } - - /** - * {@inheritdoc} - */ - public function isEnabled() - { - if (null !== $this->provider) { - return parent::isEnabled(); - } - if (!$this->getContainer()->has('security.acl.provider')) { - return false; - } - - $provider = $this->getContainer()->get('security.acl.provider'); - if (!$provider instanceof MutableAclProviderInterface) { - return false; - } - - return parent::isEnabled(); - } - - /** - * {@inheritdoc} - */ - protected function configure() - { - $this - ->setDescription('Sets ACL for objects') - ->setHelp(<<%command.name% command sets ACL. -The ACL system must have been initialized with the init:acl command. - -To set VIEW and EDIT permissions for the user kevin on the instance of -Acme\MyClass having the identifier 42: - - php %command.full_name% --user=Symfony/Component/Security/Core/User/User:kevin VIEW EDIT Acme/MyClass:42 - -Note that you can use / instead of \\ for the namespace delimiter to avoid any -problem. 
- -To set permissions for a role, use the --role option: - - php %command.full_name% --role=ROLE_USER VIEW Acme/MyClass:1936 - -To set permissions at the class scope, use the --class-scope option: - - php %command.full_name% --class-scope --user=Symfony/Component/Security/Core/User/User:anne OWNER Acme/MyClass:42 - -EOF - ) - ->addArgument('arguments', InputArgument::IS_ARRAY | InputArgument::REQUIRED, 'A list of permissions and object identities (class name and ID separated by a column)') - ->addOption('user', null, InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY, 'A list of security identities') - ->addOption('role', null, InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY, 'A list of roles') - ->addOption('class-scope', null, InputOption::VALUE_NONE, 'Use class-scope entries') - ; - } - - /** - * {@inheritdoc} - */ - protected function execute(InputInterface $input, OutputInterface $output) - { - (new SymfonyStyle($input, $output instanceof ConsoleOutputInterface ? $output->getErrorOutput() : $output))->warning('Command "acl:set" is deprecated since version 3.4 and will be removed from SecurityBundle in 4.0. 
Install symfony/acl-bundle to use this command.'); - - if (null === $this->provider) { - $this->provider = $this->getContainer()->get('security.acl.provider'); - } - - // Parse arguments - $objectIdentities = array(); - $maskBuilder = $this->getMaskBuilder(); - foreach ($input->getArgument('arguments') as $argument) { - $data = explode(':', $argument, 2); - - if (count($data) > 1) { - $objectIdentities[] = new ObjectIdentity($data[1], strtr($data[0], '/', '\\')); - } else { - $maskBuilder->add($data[0]); - } - } - - // Build permissions mask - $mask = $maskBuilder->get(); - - $userOption = $input->getOption('user'); - $roleOption = $input->getOption('role'); - $classScopeOption = $input->getOption('class-scope'); - - if (empty($userOption) && empty($roleOption)) { - throw new \InvalidArgumentException('A Role or a User must be specified.'); - } - - // Create security identities - $securityIdentities = array(); - - if ($userOption) { - foreach ($userOption as $user) { - $data = explode(':', $user, 2); - - if (1 === count($data)) { - throw new \InvalidArgumentException('The user must follow the format "Acme/MyUser:username".'); - } - - $securityIdentities[] = new UserSecurityIdentity($data[1], strtr($data[0], '/', '\\')); - } - } - - if ($roleOption) { - foreach ($roleOption as $role) { - $securityIdentities[] = new RoleSecurityIdentity($role); - } - } - - // Sets ACL - foreach ($objectIdentities as $objectIdentity) { - // Creates a new ACL if it does not already exist - try { - $this->provider->createAcl($objectIdentity); - } catch (AclAlreadyExistsException $e) { - } - - $acl = $this->provider->findAcl($objectIdentity, $securityIdentities); - - foreach ($securityIdentities as $securityIdentity) { - if ($classScopeOption) { - $acl->insertClassAce($securityIdentity, $mask); - } else { - $acl->insertObjectAce($securityIdentity, $mask); - } - } - - $this->provider->updateAcl($acl); - } - } - - /** - * Gets the mask builder. 
- *
- * @return MaskBuilder
- */
- protected function getMaskBuilder()
- {
- return new MaskBuilder();
- }
-}
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
index 533b52cd4b..078817b3be 100644
--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -106,7 +106,6 @@ class MainConfiguration implements ConfigurationInterface
 ->end()
 ;
 
- $this->addAclSection($rootNode);
 $this->addEncodersSection($rootNode);
 $this->addProvidersSection($rootNode);
 $this->addFirewallsSection($rootNode, $this->factories);
@@ -116,47 +115,6 @@ class MainConfiguration implements ConfigurationInterface
 return $tb;
 }
 
- private function addAclSection(ArrayNodeDefinition $rootNode)
- {
- $rootNode
- ->children()
- ->arrayNode('acl')
- ->setDeprecated('The "security.acl" configuration key is deprecated since version 3.4 and will be removed in 4.0. Install symfony/acl-bundle and use the "acl" key instead.')
- ->children()
- ->scalarNode('connection')
- ->defaultNull()
- ->info('any name configured in doctrine.dbal section')
- ->end()
- ->arrayNode('cache')
- ->addDefaultsIfNotSet()
- ->children()
- ->scalarNode('id')->end()
- ->scalarNode('prefix')->defaultValue('sf2_acl_')->end()
- ->end()
- ->end()
- ->scalarNode('provider')->end()
- ->arrayNode('tables')
- ->addDefaultsIfNotSet()
- ->children()
- ->scalarNode('class')->defaultValue('acl_classes')->end()
- ->scalarNode('entry')->defaultValue('acl_entries')->end()
- ->scalarNode('object_identity')->defaultValue('acl_object_identities')->end()
- ->scalarNode('object_identity_ancestors')->defaultValue('acl_object_identity_ancestors')->end()
- ->scalarNode('security_identity')->defaultValue('acl_security_identities')->end()
- ->end()
- ->end()
- ->arrayNode('voter')
- ->addDefaultsIfNotSet()
- ->children()
- ->booleanNode('allow_if_object_identity_unavailable')->defaultTrue()->end()
- ->end()
- ->end()
- ->end()
- ->end()
- ->end()
- ;
- }
-
 private function addRoleHierarchySection(ArrayNodeDefinition $rootNode)
 {
 $rootNode
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
index 9462575f34..b727c699da 100644
--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -11,8 +11,6 @@
 
 namespace Symfony\Bundle\SecurityBundle\DependencyInjection;
 
-use Symfony\Bundle\SecurityBundle\Command\InitAclCommand;
-use Symfony\Bundle\SecurityBundle\Command\SetAclCommand;
 use Symfony\Bundle\SecurityBundle\Command\UserPasswordEncoderCommand;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\UserProvider\UserProviderFactoryInterface;
@@ -113,68 +111,10 @@ class SecurityExtension extends Extension
 $container->getDefinition(UserPasswordEncoderCommand::class)->replaceArgument(1, array_keys($config['encoders']));
 }
 
- // load ACL
- if (isset($config['acl'])) {
- $this->aclLoad($config['acl'], $container);
- } else {
- $container->removeDefinition(InitAclCommand::class);
- $container->removeDefinition(SetAclCommand::class);
- }
-
 $container->registerForAutoconfiguration(VoterInterface::class)
 ->addTag('security.voter');
 }
 
- private function aclLoad($config, ContainerBuilder $container)
- {
- if (!interface_exists('Symfony\Component\Security\Acl\Model\AclInterface')) {
- throw new \LogicException('You must install symfony/security-acl in order to use the ACL functionality.');
- }
-
- $loader = new XmlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
- $loader->load('security_acl.xml');
-
- if (isset($config['cache']['id'])) {
- $container->setAlias('security.acl.cache', $config['cache']['id'])->setPrivate(true);
- }
- $container->getDefinition('security.acl.voter.basic_permissions')->addArgument($config['voter']['allow_if_object_identity_unavailable']);
-
- // custom ACL provider
- if (isset($config['provider'])) {
- $container->setAlias('security.acl.provider', $config['provider'])->setPrivate(true);
-
- return;
- }
-
- $this->configureDbalAclProvider($config, $container, $loader);
- }
-
- private function configureDbalAclProvider(array $config, ContainerBuilder $container, $loader)
- {
- $loader->load('security_acl_dbal.xml');
-
- if (null !== $config['connection']) {
- $container->setAlias('security.acl.dbal.connection', sprintf('doctrine.dbal.%s_connection', $config['connection']))->setPrivate(true);
- }
-
- $container
- ->getDefinition('security.acl.dbal.schema_listener')
- ->addTag('doctrine.event_listener', array(
- 'connection' => $config['connection'],
- 'event' => 'postGenerateSchema',
- 'lazy' => true,
- ))
- ;
-
- $container->getDefinition('security.acl.cache.doctrine')->addArgument($config['cache']['prefix']);
-
- $container->setParameter('security.acl.dbal.class_table_name', $config['tables']['class']);
- $container->setParameter('security.acl.dbal.entry_table_name', $config['tables']['entry']);
- $container->setParameter('security.acl.dbal.oid_table_name', $config['tables']['object_identity']);
- $container->setParameter('security.acl.dbal.oid_ancestors_table_name', $config['tables']['object_identity_ancestors']);
- $container->setParameter('security.acl.dbal.sid_table_name', $config['tables']['security_identity']);
- }
-
 /**
 * Loads the web configuration.
 *
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/console.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/console.xml
index b375d95eff..34feeeb9e8 100644
--- a/src/Symfony/Bundle/SecurityBundle/Resources/config/console.xml
+++ b/src/Symfony/Bundle/SecurityBundle/Resources/config/console.xml
@@ -7,17 +7,6 @@ - - - - - - - - - - -
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
index 138c7e9233..d274d4005e 100644
--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
@@ -36,20 +36,6 @@ abstract class CompleteConfigurationTest extends TestCase
 ), $container->getParameter('security.role_hierarchy.roles'));
 }
 
- /**
- * @group legacy
- * @expectedDeprecation The "security.acl" configuration key is deprecated since version 3.4 and will be removed in 4.0. Install symfony/acl-bundle and use the "acl" key instead.
- */
- public function testRolesHierarchyWithAcl()
- {
- $container = $this->getContainer('container1_with_acl');
- $this->assertEquals(array(
- 'ROLE_ADMIN' => array('ROLE_USER'),
- 'ROLE_SUPER_ADMIN' => array('ROLE_USER', 'ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'),
- 'ROLE_REMOTE' => array('ROLE_USER', 'ROLE_ADMIN'),
- ), $container->getParameter('security.role_hierarchy.roles'));
- }
-
 public function testUserProviders()
 {
 $container = $this->getContainer('container1');
@@ -324,30 +310,6 @@ abstract class CompleteConfigurationTest extends TestCase
 )), $container->getDefinition('security.encoder_factory.generic')->getArguments());
 }
 
- /**
- * @group legacy
- * @expectedDeprecation The "security.acl" configuration key is deprecated since version 3.4 and will be removed in 4.0. Install symfony/acl-bundle and use the "acl" key instead.
- */
- public function testAcl()
- {
- $container = $this->getContainer('container1_with_acl');
-
- $this->assertTrue($container->hasDefinition('security.acl.dbal.provider'));
- $this->assertEquals('security.acl.dbal.provider', (string) $container->getAlias('security.acl.provider'));
- }
-
- /**
- * @group legacy
- * @expectedDeprecation The "security.acl" configuration key is deprecated since version 3.4 and will be removed in 4.0. Install symfony/acl-bundle and use the "acl" key instead.
- */
- public function testCustomAclProvider()
- {
- $container = $this->getContainer('custom_acl_provider');
-
- $this->assertFalse($container->hasDefinition('security.acl.dbal.provider'));
- $this->assertEquals('foo', (string) $container->getAlias('security.acl.provider'));
- }
-
 public function testRememberMeThrowExceptionsDefault()
 {
 $container = $this->getContainer('container1');
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_acl.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_acl.php
deleted file mode 100644
index 268ced04db..0000000000
--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_acl.php
+++ /dev/null
@@ -1,101 +0,0 @@ -loadFromExtension('security', array( - 'acl' => array(), - 'encoders' => array( - 'JMS\FooBundle\Entity\User1' => 'plaintext', - 'JMS\FooBundle\Entity\User2' => array( - 'algorithm' => 'sha1', - 'encode_as_base64' => false, - 'iterations' => 5, - ), - 'JMS\FooBundle\Entity\User3' => array( - 'algorithm' => 'md5', - ), - 'JMS\FooBundle\Entity\User4' => array( - 'id' => 'security.encoder.foo', - ), - 'JMS\FooBundle\Entity\User5' => array( - 'algorithm' => 'pbkdf2', - 'hash_algorithm' => 'sha1', - 'encode_as_base64' => false, - 'iterations' => 5, - 'key_length' => 30, - ), - 'JMS\FooBundle\Entity\User6' => array( - 'algorithm' => 'bcrypt', - 'cost' => 15, - ), - ), - 'providers' => array( - 'default' => array( - 'memory' => array( - 'users' => array( - 'foo' => array('password' => 'foo', 'roles' => 'ROLE_USER'), - ), - ), - ), - 'digest' => array( - 'memory' => array( - 'users' => array( - 'foo' => array('password' => 'foo', 'roles' => 'ROLE_USER, ROLE_ADMIN'), - ), - ), - ), - 'basic' => array( - 'memory' => array( - 'users' => array( - 'foo' => array('password' => '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33', 'roles' => 'ROLE_SUPER_ADMIN'), - 'bar' => array('password' => '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33', 'roles' => array('ROLE_USER', 'ROLE_ADMIN')), - ), - ), - ), - 'service' => array( - 'id' => 'user.manager', - ), - 'chain' => array( - 'chain' => array( - 'providers' => array('service', 'basic'), - ), - ), - ), - - 'firewalls' => array( - 'simple' => array('pattern' => '/login', 'security' => false), - 'secure' => array('stateless' => true, - 'http_basic' => true, - 'form_login' => true, - 'anonymous' => true, - 'switch_user' => true, - 'x509' => true, - 'remote_user' => true, - 'logout' => true, - 'remember_me' => array('secret' => 'TheSecret'), - 'user_checker' => null, - ), - 'host' => array( - 'pattern' => '/test', - 'host' => 'foo\\.example\\.org', - 'methods' => array('GET', 'POST'), - 'anonymous' => true, - 'http_basic' => true, - 
), - 'with_user_checker' => array( - 'user_checker' => 'app.user_checker', - 'anonymous' => true, - 'http_basic' => true, - ), - ), - - 'access_control' => array( - array('path' => '/blog/524', 'role' => 'ROLE_USER', 'requires_channel' => 'https', 'methods' => array('get', 'POST')), - array('path' => '/blog/.*', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'), - array('path' => '/blog/524', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY', 'allow_if' => "token.getUsername() matches '/^admin/'"), - ), - - 'role_hierarchy' => array( - 'ROLE_ADMIN' => 'ROLE_USER', - 'ROLE_SUPER_ADMIN' => array('ROLE_USER', 'ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'), - 'ROLE_REMOTE' => 'ROLE_USER,ROLE_ADMIN', - ), -)); diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1_with_acl.xml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1_with_acl.xml deleted file mode 100644 index 7797c38287..0000000000 --- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1_with_acl.xml +++ /dev/null @@ -1,80 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - app.user_checker - - - ROLE_USER - ROLE_USER,ROLE_ADMIN,ROLE_ALLOWED_TO_SWITCH - ROLE_USER,ROLE_ADMIN - - - - - - diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1_with_acl.yml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1_with_acl.yml deleted file mode 100644 index 40e0f1a81e..0000000000 --- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1_with_acl.yml +++ /dev/null 
@@ -1,81 +0,0 @@ -security: - acl: ~ - encoders: - JMS\FooBundle\Entity\User1: plaintext - JMS\FooBundle\Entity\User2: - algorithm: sha1 - encode_as_base64: false - iterations: 5 - JMS\FooBundle\Entity\User3: - algorithm: md5 - JMS\FooBundle\Entity\User4: - id: security.encoder.foo - JMS\FooBundle\Entity\User5: - algorithm: pbkdf2 - hash_algorithm: sha1 - encode_as_base64: false - iterations: 5 - key_length: 30 - JMS\FooBundle\Entity\User6: - algorithm: bcrypt - cost: 15 - - providers: - default: - memory: - users: - foo: { password: foo, roles: ROLE_USER } - digest: - memory: - users: - foo: { password: foo, roles: 'ROLE_USER, ROLE_ADMIN' } - basic: - memory: - users: - foo: { password: 0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33, roles: ROLE_SUPER_ADMIN } - bar: { password: 0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33, roles: [ROLE_USER, ROLE_ADMIN] } - service: - id: user.manager - chain: - chain: - providers: [service, basic] - - - firewalls: - simple: { pattern: /login, security: false } - secure: - stateless: true - http_basic: true - form_login: true - anonymous: true - switch_user: true - x509: true - remote_user: true - logout: true - remember_me: - secret: TheSecret - user_checker: ~ - - host: - pattern: /test - host: foo\.example\.org - methods: [GET,POST] - anonymous: true - http_basic: true - - with_user_checker: - anonymous: ~ - http_basic: ~ - user_checker: app.user_checker - - role_hierarchy: - ROLE_ADMIN: ROLE_USER - ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH] - ROLE_REMOTE: ROLE_USER,ROLE_ADMIN - - access_control: - - { path: /blog/524, role: ROLE_USER, requires_channel: https, methods: [get, POST]} - - - path: /blog/.* - role: IS_AUTHENTICATED_ANONYMOUSLY - - { path: /blog/524, role: IS_AUTHENTICATED_ANONYMOUSLY, allow_if: "token.getUsername() matches '/^admin/'" } 
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/SetAclCommandTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/SetAclCommandTest.php
deleted file mode 100644
index a658126fce..0000000000
--- a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/SetAclCommandTest.php
+++ /dev/null
@@ -1,177 +0,0 @@ - - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Bundle\SecurityBundle\Tests\Functional; - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ -use Symfony\Bundle\FrameworkBundle\Console\Application; -use Symfony\Bundle\SecurityBundle\Command\SetAclCommand; -use Symfony\Component\Console\Tester\CommandTester; -use Symfony\Component\Security\Acl\Domain\ObjectIdentity; -use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity; -use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity; -use Symfony\Component\Security\Acl\Exception\NoAceFoundException; -use Symfony\Component\Security\Acl\Permission\BasicPermissionMap; - -/** - * Tests SetAclCommand. - * - * @author Kévin Dunglas - * @requires extension pdo_sqlite - * @group legacy - */ -class SetAclCommandTest extends WebTestCase -{ - const OBJECT_CLASS = 'Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\AclBundle\Entity\Car'; - const SECURITY_CLASS = 'Symfony\Component\Security\Core\User\User'; - - public function testSetAclUser() - { - $objectId = 1; - $securityUsername1 = 'kevin'; - $securityUsername2 = 'anne'; - $grantedPermission1 = 'VIEW'; - $grantedPermission2 = 'EDIT'; - - $application = $this->getApplication(); - $application->add(new SetAclCommand($application->getKernel()->getContainer()->get('test.security.acl.provider'))); - - $setAclCommand = $application->find('acl:set'); - $setAclCommandTester = new CommandTester($setAclCommand); - $setAclCommandTester->execute(array( - 'command' => 'acl:set', - 'arguments' => array($grantedPermission1, $grantedPermission2, sprintf('%s:%s', self::OBJECT_CLASS, $objectId)), - '--user' => array(sprintf('%s:%s', self::SECURITY_CLASS, $securityUsername1), 
sprintf('%s:%s', self::SECURITY_CLASS, $securityUsername2)), - )); - - $objectIdentity = new ObjectIdentity($objectId, self::OBJECT_CLASS); - $securityIdentity1 = new UserSecurityIdentity($securityUsername1, self::SECURITY_CLASS); - $securityIdentity2 = new UserSecurityIdentity($securityUsername2, self::SECURITY_CLASS); - $permissionMap = new BasicPermissionMap(); - - /** @var \Symfony\Component\Security\Acl\Model\AclProviderInterface $aclProvider */ - $aclProvider = $application->getKernel()->getContainer()->get('test.security.acl.provider'); - $acl = $aclProvider->findAcl($objectIdentity, array($securityIdentity1)); - - $this->assertTrue($acl->isGranted($permissionMap->getMasks($grantedPermission1, null), array($securityIdentity1))); - $this->assertTrue($acl->isGranted($permissionMap->getMasks($grantedPermission1, null), array($securityIdentity2))); - $this->assertTrue($acl->isGranted($permissionMap->getMasks($grantedPermission2, null), array($securityIdentity2))); - - try { - $acl->isGranted($permissionMap->getMasks('OWNER', null), array($securityIdentity1)); - $this->fail('NoAceFoundException not throwed'); - } catch (NoAceFoundException $e) { - } - - try { - $acl->isGranted($permissionMap->getMasks('OPERATOR', null), array($securityIdentity2)); - $this->fail('NoAceFoundException not throwed'); - } catch (NoAceFoundException $e) { - } - } - - public function testSetAclRole() - { - $objectId = 1; - $securityUsername = 'kevin'; - $grantedPermission = 'VIEW'; - $role = 'ROLE_ADMIN'; - - $application = $this->getApplication(); - $application->add(new SetAclCommand($application->getKernel()->getContainer()->get('test.security.acl.provider'))); - - $setAclCommand = $application->find('acl:set'); - $setAclCommandTester = new CommandTester($setAclCommand); - $setAclCommandTester->execute(array( - 'command' => 'acl:set', - 'arguments' => array($grantedPermission, sprintf('%s:%s', str_replace('\\', '/', self::OBJECT_CLASS), $objectId)), - '--role' => array($role), - )); 
- - $objectIdentity = new ObjectIdentity($objectId, self::OBJECT_CLASS); - $userSecurityIdentity = new UserSecurityIdentity($securityUsername, self::SECURITY_CLASS); - $roleSecurityIdentity = new RoleSecurityIdentity($role); - $permissionMap = new BasicPermissionMap(); - - /** @var \Symfony\Component\Security\Acl\Model\AclProviderInterface $aclProvider */ - $aclProvider = $application->getKernel()->getContainer()->get('test.security.acl.provider'); - $acl = $aclProvider->findAcl($objectIdentity, array($roleSecurityIdentity, $userSecurityIdentity)); - - $this->assertTrue($acl->isGranted($permissionMap->getMasks($grantedPermission, null), array($roleSecurityIdentity))); - $this->assertTrue($acl->isGranted($permissionMap->getMasks($grantedPermission, null), array($roleSecurityIdentity))); - - try { - $acl->isGranted($permissionMap->getMasks('VIEW', null), array($userSecurityIdentity)); - $this->fail('NoAceFoundException not throwed'); - } catch (NoAceFoundException $e) { - } - - try { - $acl->isGranted($permissionMap->getMasks('OPERATOR', null), array($userSecurityIdentity)); - $this->fail('NoAceFoundException not throwed'); - } catch (NoAceFoundException $e) { - } - } - - public function testSetAclClassScope() - { - $objectId = 1; - $grantedPermission = 'VIEW'; - $role = 'ROLE_USER'; - - $application = $this->getApplication(); - $application->add(new SetAclCommand($application->getKernel()->getContainer()->get('test.security.acl.provider'))); - - $setAclCommand = $application->find('acl:set'); - $setAclCommandTester = new CommandTester($setAclCommand); - $setAclCommandTester->execute(array( - 'command' => 'acl:set', - 'arguments' => array($grantedPermission, sprintf('%s:%s', self::OBJECT_CLASS, $objectId)), - '--class-scope' => true, - '--role' => array($role), - )); - - $objectIdentity1 = new ObjectIdentity($objectId, self::OBJECT_CLASS); - $objectIdentity2 = new ObjectIdentity(2, self::OBJECT_CLASS); - $roleSecurityIdentity = new RoleSecurityIdentity($role); - 
$permissionMap = new BasicPermissionMap(); - - /** @var \Symfony\Component\Security\Acl\Model\AclProviderInterface $aclProvider */ - $aclProvider = $application->getKernel()->getContainer()->get('test.security.acl.provider'); - - $acl1 = $aclProvider->findAcl($objectIdentity1, array($roleSecurityIdentity)); - $this->assertTrue($acl1->isGranted($permissionMap->getMasks($grantedPermission, null), array($roleSecurityIdentity))); - - $acl2 = $aclProvider->createAcl($objectIdentity2); - $this->assertTrue($acl2->isGranted($permissionMap->getMasks($grantedPermission, null), array($roleSecurityIdentity))); - } - - private function getApplication() - { - $kernel = $this->createKernel(array('test_case' => 'Acl')); - $kernel->boot(); - - $application = new Application($kernel); - - $initAclCommand = $application->find('init:acl'); - $initAclCommandTester = new CommandTester($initAclCommand); - $initAclCommandTester->execute(array('command' => 'init:acl')); - - return $application; - } -}