This PR was merged into the 5.1-dev branch.
Discussion
----------
[DependencyInjection] Add a mechanism to deprecate public services to private
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
This PR adds a mechanism to easily deprecate public services to private, ie a public service will be private in a next version.
It works with a tag and a compiler pass. The pass creates a deprecated public alias of the public service.
It is ran "after removing" because we want to trigger only on direct accesses to the public service (`$container->get()`): if the public service was removed, we don't need to do anything because there is no impact.
~All references to the public service are kept because the deprecated public alias is created after `ResolveReferencesToAliasesPass` so only direct access actually uses the deprecated alias.~
All references to the public service are altered to a direct reference to the alias target service so that they don't trigger the alias deprecation.
Thanks to @nicolas-grekas for sharing some ideas and helping me !
Commits
-------
3e80e461a9 [DependencyInjection] Add a mechanism to deprecate public services to private
This PR was merged into the 5.1-dev branch.
Discussion
----------
[FrameworkBundle] Allow configuring the default base URI with a DSN
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fixes#35121, replaces #35580, partially reverts #35281
| License | MIT
| Doc PR | -
Instead of defining 3-4 parameters, this PR enables using a single DSN to configure the default URL context (for commands mainly):
```
framework:
router:
base_uri: 'https://my.host:8443/base-path/'
```
When using parameters directly, one can now set the same absolute URI in the `router.request_context.base_url` parameter, this will provide the same benefit.
Commits
-------
250fa7e979 [FrameworkBundle] Allow configuring the default base URI with a DSN
This PR was merged into the 5.1-dev branch.
Discussion
----------
[Security] Added LDAP support to Authenticator system
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
The last missing authenticator in the new system 🎉
I have no experience with LDAP at all and I didn't succeed in setting up a server locally. So I can't test whether this works, but the unit test works (and also tested in a real app, while adding a `dd()` call in the listener).
---
I want to share with you the current state of Security LDAP, how this PR implements it and a possible other solution (which I think I would prefer most). Is there anyone who can share their opinions on this? (hopefully @weaverryan and @csarrazi can share their opinion, as they have most experience on this topic)
1. **Current Solution: An LDAP authentication provider + duplicated `SecurityFactory` classes**
LDAP is done in one centralized authentication provider. This provider is configured by security factories for each core factory (e.g. `form_login` becomes `form_login_ldap`, `http_basic` becomes `http_basic_ldap`).
2. **Implementation in this PR: A listener is executed before the default `VerifyCredentialsListener`, to verify `PasswordCredentials`**
This listener must be configured for each specific authenticator wanting to use LDAP. This is a technique similar to (1). It's a bit difficult to use this for your own authenticator (you need to configure a custom listener service) and still needs the duplicated factory classes
3. **Proposal: Introduce a `LdapCredentials` class and always register a listener**
If an authentictor returns `LdapCredentials`, it'll be checked using the LDAP verification listener. This is the easiest for custom authenticators and would remove the duplicated factories, I can imagine `form_login` getting a new `ldap` sub option to configure the settings.
The main disadvantage (I think) is that we would need to make `LdapCredentials` configure all options: ldap service, dnString, searchDn, searchPassword & queryString. Especially passing around the ldap service seems a bit weird. The main questions here are: Is it weird to pass all these things in the `LdapCredentials`? And, do we really need to support having multiple LDAP configuration sets for different authenticators? Or can we e.g. add a global `security.ldap` configuration, that registers the listener for all authenticators returning `LdapCredentials`?
Commits
-------
20962e604a [Security] Added LDAP support to Authenticator system
This PR was squashed before being merged into the 5.1-dev branch.
Discussion
----------
[Messenger] Add option to stop the worker after a message failed
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fix#34414
| License | MIT
| Doc PR |
This pull request adds a new option to the `messenger:consume` command, to stop the worker after a specified amount of failed messages was handled by the worker.
Commits
-------
ea79206470 [Messenger] Add option to stop the worker after a message failed
This PR was squashed before being merged into the 5.1-dev branch.
Discussion
----------
[Translations] Throw exception if xFileLoader dependencies don't exist.
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fix#36658
| License | MIT
| Doc PR |
`XliffFileLoader` & `QtFileLoader` both require `XmlUtils::class` from the `Config` component. This PR throws a friendly exception is the `Config` component does not exist.
Original idea by @xabbuh was to throw the exception from the __constructor. This PR throws the exception from the `load()` method to be consistent with the `YamlFileLoader::class`. But that can easily be changed.
Commits
-------
627e476eb4 [Translations] Throw exception if xFileLoader dependencies don't exist.
This PR was squashed before being merged into the 5.1-dev branch.
Discussion
----------
[AmazonSqsMessenger] Use AsyncAws to handle SQS communication
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | /
| License | MIT
| Doc PR | /
Similar to #35992 this PR use AsyncAws to handle Sqs messages sent/receive
It move complexity of authentication/streaming outside Symfony while keeping HttpClient integration.
Commits
-------
7c4888eed1 [AmazonSqsMessenger] Use AsyncAws to handle SQS communication
This PR was merged into the 5.1-dev branch.
Discussion
----------
[Messenger] Fix messenger:failed:remove can not remove single message
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36659
| License | MIT
| Doc PR | -
Fix this error:
```
count(): Parameter must be an array or an object that implements Countable
```
When calling `messenger:failed:remove` command from other code with single id
Commits
-------
e66cd97ec3 [Messenger] Fix messenger:failed:remove can not remove single message
This PR was merged into the 5.1-dev branch.
Discussion
----------
Add support of PHP8 static return type for withers
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | https://github.com/orgs/symfony/projects/1#card-35852557
| License | MIT
| Doc PR |
Commits
-------
04fdf05cff Add support of PHP8 static return type for withers
This PR was merged into the 5.1-dev branch.
Discussion
----------
[DI] allow loading and dumping tags with an attribute named "name"
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
This is a minor feature added for consistency: using PHP, we can already define tags with an attribute named `"name"`. But then, we cannot dump such definitions in YAML nor XML since we don't have a syntax to declare such tags in these formats.
I spotted this while looking at a dumped container: we already use an attribute named `"name"` on two tags: `cache.pool` and `workflow.definition`. Currently, the dumped XML is wrong because of this.
This PR enables the following new syntaxes (the current style still works as usual):
- in YAML, consistently with the new syntax for method calls:
```yaml
tags:
- cache.pool: { name: my_cache_pool }
```
- in XML:
```xml
<tag name="my_cache_pool">cache.pool</tag>
```
Commits
-------
b023e4cac3 [DI] allow loading and dumping tags with an attribute named "name"
This PR was merged into the 5.1-dev branch.
Discussion
----------
[HttpKernel] make kernels implementing `WarmableInterface` be part of the cache warmup stage
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
This allows your kernel to return extra classes to preload also (which was my main motivation for creating this PR actually.)
```php
// ...
use Symfony\Component\HttpKernel\CacheWarmer\WarmableInterface;
// ...
class Kernel ... implements ..., WarmableInterface
{
// ...
public function warmUp(string $cacheDir): array
{
// ...
return [
SomeClassToPreload::class,
AnotherClassClassToPreload::class,
$cacheDir.'/some-file-to-preload.php',
// ...
];
}
// ...
}
```
Commits
-------
649e530356 [HttpKernel] make kernels implementing `WarmableInterface` be part of the cache warmup stage
This PR was merged into the 5.1-dev branch.
Discussion
----------
[Form] deprecate not using a rounding mode
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| Deprecations? | yes
| Tickets |
| License | MIT
| Doc PR |
Commits
-------
25ba1a241d deprecate not using a rounding mode
This PR was squashed before being merged into the 5.1-dev branch.
Discussion
----------
[Mailer] Use AsyncAws to handle SES requests
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | #33183, #35468 and #35037
| License | MIT
| Doc PR | TODO
alternative to #33326
This PR replace the native code to call AWS SES by the new [AsyncAws](https://github.com/async-aws/aws) project maintained by @Nyholm and me.
This removes complexity of signing request, and adds new features likes:
- authentication via .aws/config.ini, Instance profile, WebIdentity (K8S service account)
- usesignature V4 (the one recommanded by the Official SDK )
- fully compatible with API (uses the official AWS SDK interface contract to generate classes)
Because it's based on `symfony/http-client`, it's fully integrable with Symfony application.
Commits
-------
21243874bc [Mailer] Use AsyncAws to handle SES requests
This PR was merged into the 5.1-dev branch.
Discussion
----------
[Security] Removed anonymous in the new security system
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | tbd
This was one of the "Future considerations" of #33558:
> Drop the AnonymousToken and AnonymousAuthenticator: Anonymous authentication has never made much sense and complicates things (e.g. the user can be a string). For access control, an anonymous user has the same meaning as an un-authenticated one (null). This require changes in the AccessListener and AuthorizationChecker and probably also a new Security attribute (to replace IS_AUTHENTICATED_ANONYMOUSLY). Related issues: #34909, #30609
This new experimental system is probably a once-in-a-lifetime change to make this change. @weaverryan and I have had some brainstorming about this. Some reasons why we think it makes 100% sense to do this change:
* From a Security perspective, **a user that is not authenticated is similar to an "unknown" user**: They both have no rights at all.
* **The higher level consequences of the AnonymousToken are confusing and inconsistent**:
* It's hard to explain people new to Symfony Security that not being logged in still means you're authenticated within the Symfony app
* To counter this, some higher level APIs explicitly mark anonymous tokens as not being authenticated, see e.g. the [`is_authenticated()` expression language function](https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Authorization/ExpressionLanguageProvider.php#L33-L37)
* The anonymous authentication resulted in the `IS_AUTHENTICATED` security attribute being removed from #35854, as there was no clear consensus on what its meaning should be
* **Spring Security, which is where this originated from, makes Anonymous a very special case**:
> Finally, there is an AnonymousAuthenticationFilter, which is chained after the normal authentication mechanisms and automatically adds an AnonymousAuthenticationToken to the SecurityContextHolder if there is no existing Authentication held there.
>
> Note that there is no real conceptual difference between a user who is “anonymously authenticated” and an unauthenticated user. Spring Security's anonymous authentication just gives you a more convenient way to configure your access-control attributes. Calls to servlet API calls such as getCallerPrincipal, for example, will still return null even though there is actually an anonymous authentication object in the SecurityContextHolder.
* Symfony uses AnonymousToken much more than "just for convience in access-control attributes". **Removing anonymous tokens allows us to move towards only allowing `UserInterface` users**: #34909
---
Removing anonymous tokens do have an impact on `AccessListener` and `AuthorizationChecker`. These currently throw an exception if there is no token in the storage, instead of treating them like "unknown users" (i.e. no roles). See #30609 on a RFC about removing this exception. We can also see e.g. the [Twig `is_granted()` function explicitly catching this exception](https://github.com/symfony/symfony/blob/master/src/Symfony/Bridge/Twig/Extension/SecurityExtension.php#L37-L52).
* **To make the changes in `AccessListener` and `AuthorizationChecker` BC, a flag has been added - default enabled - to throw an exception when no token is present** (which is automatically disabled when the new system is used). In Symfony 5.4 (or whenever the new system is no longer experimental), we can deprecate this flag and in 6.0 we can never throw the exception anymore.
* **`anonymous: lazy` has been deprecated in favor of `{ anonymous: true, lazy: true }`** This fixes the dependency on `AnonymousFactory` from the `SecurityExtension` and allows removing the `anonymous` option.
* **Introduced `PUBLIC_ACCESS` Security attribute** as alternative of `IS_AUTHENTICATED_ANONYMOUSLY`. Both work in the new system, the latter only triggers a deprecation notice (but may be usefull to allow switching back and forth between old and new system).
cc @javiereguiluz you might be interested, as I recently talked with you about this topic
Commits
-------
ac84a6c5d9 Removed AnonymousToken from the authenticator system
* Anonymous users are actual to unauthenticated users, both are now represented by no token
* Added a PUBLIC_ACCESS Security attribute to be used in access_control
* Deprecated "anonymous: lazy" in favor of "lazy: true"
This PR was squashed before being merged into the 5.1-dev branch.
Discussion
----------
[SecurityBundle] Fixed entry point service ID resolving and multiple guard entry points
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | n/a
@fabpot I am not able to reproduce [the error you reported](https://github.com/symfony/symfony/pull/36575#issuecomment-622272051) in any of my demo applications or in the tests introduced in this PR. The error indicates that no entry point is configured in your application, can you maybe try out this patch (given it now makes a hard error when more than one guard is used)? If it still doesn't work, can you maybe share your firewall configuration?
---
_build failures are unrelated_
Commits
-------
c75659350e Do not make AbstractFactory internal and revert method rename
6870a18803 Fixed entry point resolving and guard entry point configuration
This PR was merged into the 5.1-dev branch.
Discussion
----------
[Security] Renamed VerifyAuthenticatorCredentialsEvent to CheckPassportEvent
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36608
| License | MIT
| Doc PR | -
This event was named long before we introduced the concept of passports. Listeners on this event check the user, the credentials and any badges of the Security passport. I think `CheckPassportEvent` makes the most sense (more than `CheckCredentialsEvent`).
Also, I managed to break fabbot in the large PR. Just checked all new classes and added license headers in case they were missing (fabbot complained about most of them in this PR already).
Commits
-------
5ba4d1de86 Renamed VerifyAuthenticatorCredentialsEvent to CheckPassportEvent
This PR was merged into the 5.1-dev branch.
Discussion
----------
Add missing port SQS Host Header request
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | /
| License | MIT
| Doc PR | /
When user provides a custom endpoint, the port is missing from the `Host` headers, leading to wrong URL when calling `getQueueUrl`
Commits
-------
41165beb48 Add missing port SQS Host Header request
This PR was merged into the 5.1-dev branch.
Discussion
----------
[FrameworkBundle][CacheWarmupCommand] Append files to preload
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Files returned by the warmUp() method must be added to the preload file.
I also added checks to avoid empty preload calls in the preload file like this:
```
$classes = [];
Preloader::preload($classes);
```
Commits
-------
a82c7ab4c0 [FrameworkBundle][CacheWarmupCommand] Append files to preload
This PR was merged into the 5.1-dev branch.
Discussion
----------
[HttpFoundation][HttpKernel] Add more preload always-needed symbols
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Part of https://github.com/orgs/symfony/projects/1#card-37082675
| License | MIT
| Doc PR | -
`ConfigCache` is in the hot path because it is used for every request in the kernel boot (initializeContainer() method). I guess we can consider that every kernel is going to be booted so it should always be used.
`InputBag` should be added too - it is used in the Request initialization so it will likely be hit on every request as well - but maybe it wasn't added in the first place for a reason since other bags are already there?
Commits
-------
636a8bdf12 [HttpFoundation][HttpKernel] Add more preload always-needed symbols
This PR was squashed before being merged into the 5.1-dev branch.
Discussion
----------
[Security] Require entry_point to be configured with multiple authenticators
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | tbd
See @weaverryan's comment at https://github.com/symfony/symfony/pull/33558#discussion_r403740402:
> I have it on my list to look at the entrypoint stuff more closely. But my gut reaction is this: let's fix them (or try to... or maybe in a PR after this) :). What I mean is this:
>
> - It's always been confusing that your firewall may have multiple auth mechanisms that have their own "entry point"... and one is chosen seemingly at random :). I know it's not random, but why does the entrypoint from `form_login` "win" over `http_basic` if I have both defined under my firewall?
>
> - Since we're moving to a new system, why not throw an exception the _moment_ that a firewall has multiple entrypoints available to it. Then we _force_ the user to choose the _one_ entrypoint that should be used.
---
**Before** (one authenticator)
```yaml
security:
enable_authenticator_manager: true
firewalls:
main:
form_login: ...
# form login is your entry point
```
**After**
Same as before
---
**Before** (multiple authenticators)
```yaml
security:
enable_authenticator_manager: true
firewalls:
main:
http_basic: ...
form_login: ...
# for some reason, FormLogin is now your entry point! (config order doesn't matter)
```
**After**
```yaml
security:
enable_authenticator_manager: true
firewalls:
main:
http_basic: ...
form_login: ...
entry_point: form_login
```
---
**Before** (custom entry point service)
```yaml
security:
enable_authenticator_manager: true
firewalls:
main:
http_basic: ...
form_login: ...
entry_point: App\Security\CustomEntryPoint
```
**After**
Same as before
Commits
-------
7e861698e7 [Security] Require entry_point to be configured with multiple authenticators
This PR was merged into the 5.1-dev branch.
Discussion
----------
Fxi missing use statement
| Q | A
| ------------- | ---
| Branch? | master <!-- see below -->
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | n/a
Commits
-------
8022f6c4eb Fxi missing use statement
This PR was merged into the 5.1-dev branch.
Discussion
----------
[DI] limit recursivity of ResolveNoPreloadPass
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Let's save some nesting levels, these definitions will be processed by the main loop anyway.
Commits
-------
6dd52f9719 [DI] limit recursivity of ResolveNoPreloadPass
* 5.0:
updated VERSION for 3.4.40
update CONTRIBUTORS for 3.4.40
updated CHANGELOG for 3.4.40
[WebProfilerBundle] changed label of peak memory usage in the time & memory panels (MB into MiB)
add tests for the ConstraintViolationBuilder class
Improve dirname usage
[PhpUnitBridge] Use COMPOSER_BINARY env var if available
Allow invalidateTags calls to be traced by data collector
[YAML] escape DEL(\x7f)
fix compatibility with phpunit 9
[Cache] skip APCu in chains when the backend is disabled
[Mailer] Add a comment to avoid more wrong PRs on this piece of code
[Form] apply automatically step=1 for datetime-local input
remove getContainer overwrites in tests
Fixing a bug where class_alias would cause incorrect items in debug:autowiring
[DependencyInjection][ServiceSubscriber] Support late aliases
Fix profiler nullable string type
* 4.4:
updated VERSION for 3.4.40
update CONTRIBUTORS for 3.4.40
updated CHANGELOG for 3.4.40
[WebProfilerBundle] changed label of peak memory usage in the time & memory panels (MB into MiB)
add tests for the ConstraintViolationBuilder class
Improve dirname usage
[PhpUnitBridge] Use COMPOSER_BINARY env var if available
Allow invalidateTags calls to be traced by data collector
[YAML] escape DEL(\x7f)
fix compatibility with phpunit 9
[Cache] skip APCu in chains when the backend is disabled
[Mailer] Add a comment to avoid more wrong PRs on this piece of code
[Form] apply automatically step=1 for datetime-local input
Fixing a bug where class_alias would cause incorrect items in debug:autowiring
[DependencyInjection][ServiceSubscriber] Support late aliases
