* 3.4:
[FrameworkBundle] Register a NullLogger from test kernels
[SecurityBundle] Deprecate auto picking the first provider
[Security] Add user impersonation support for stateless authentication
This PR was merged into the 3.4 branch.
Discussion
----------
[SecurityBundle] Deprecate auto picking the first provider when no provider is explicitly configured on a firewall
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | https://symfony-devs.slack.com/archives/C3A2XAQ20/p1506626210000345
| License | MIT
| Doc PR | N/A
From @Pierstoval on Slack:
> Hey, guys, I learnt a few days ago that if you don't specify a user provider in a firewall configuration, the security will use the first one in the list. Doesn't anyone think specifying the user provider should be mandatory? Or at least mandatory if we have more than one provider registered?
- [x] UPGRADE files
- [x] CHANGELOG
- [x] Fix other tests
- [x] Removal PR #24380
Commits
-------
2d1e3347a6 [SecurityBundle] Deprecate auto picking the first provider
* 3.4:
Argon2i Password Encoder
[DI] EnvVarProcessorInterface: fix missing use
[FrameworkBundle] Use PhpExtractor from Translation
[DomCrawler] Default to UTF-8 when possible
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Argon2i Password Encoder
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | WIP
Since the [libsodium RFC](https://wiki.php.net/rfc/libsodium) passed with flying colours, I'd like to kick start a discussion about adding Argon2i as a password encoder to the security component. The initial code proposal in this PR supports both the upcoming public API confirmed for PHP 7.2, and the [libsodium PECL extension](https://pecl.php.net/package/libsodium) for those below 7.2 (available for PHP 5.4+).
#### Concerns
- Should the test cover hash length? At the moment the result of Argon2i is 96 characters, but because the hashing parameters are included in the result (`$argon2i$v=19$m=32768,t=4,p=1$...`) this is not guaranteed.
- I've used one password encoder class because the result *should* be the same whether running natively in 7.2 or from the PECL extension, but should the logic be split out into separate private methods (like `Argon2iPasswordEncoder::encodePassword()`) or not (like in `Argon2iPasswordEncoder::isPasswordValid()`)? Since I can't really find anything concrete on Symfony choosing one way over another, I'm assuming it's down to personal preference?
#### The Future
Whilst the libsodium RFC has been approved and the public API confirmed, there has been no confirmation of Argon2i becoming an official algorithm for `password_hash()`. If that is confirmed, then the implementation should *absolutely* use the native `password_*` functions since the `sodium_*` functions do not have an equivalent to the `password_needs_rehash()` function.
Any feedback would be greatly appreciated 😃
Commits
-------
be093dd79a Argon2i Password Encoder
Add the Argon2i hashing algorithm provided by libsodium as a core encoder in the Security component, and enable it in the SecurityBundle.
Credit to @chalasr for help with unit tests.
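As an added illustration (not the PR's `Argon2iPasswordEncoder` and not Symfony code), the PHP below shows the native `password_*` route the discussion above says the encoder should eventually take: hashing with `PASSWORD_ARGON2I`, verifying, asking whether a stored hash needs rehashing, and reading the cost parameters embedded in the hash string instead of relying on its length (the concern raised about the 96-character result). The class and method names are assumed for this example; the cost values only mirror the `m=32768,t=4,p=1` string quoted above and are not a recommendation. It needs a PHP 7.2+ build with Argon2 support.

```php
<?php
declare(strict_types=1);

// Added example, not the PR's code. Uses PHP 7.2's native password_* API for
// Argon2i; PASSWORD_ARGON2I only exists when PHP was built with Argon2 support.
if (!defined('PASSWORD_ARGON2I')) {
    fwrite(STDERR, "This PHP build has no Argon2 support (PASSWORD_ARGON2I undefined).\n");
    exit(1);
}

final class DemoArgon2iEncoder
{
    // Upper bound on raw password length, checked before hashing so a client
    // cannot make the server grind on a multi-megabyte input.
    const MAX_PASSWORD_LENGTH = 4096;

    /** @var int[] cost parameters in password_hash() terms (memory_cost is in KiB) */
    private $options;

    // Illustrative costs matching the "$argon2i$v=19$m=32768,t=4,p=1$..." string
    // from the discussion; choose values for your own hardware.
    public function __construct(int $memoryCost = 32768, int $timeCost = 4, int $threads = 1)
    {
        $this->options = ['memory_cost' => $memoryCost, 'time_cost' => $timeCost, 'threads' => $threads];
    }

    public function encodePassword(string $raw): string
    {
        if (strlen($raw) > self::MAX_PASSWORD_LENGTH) {
            throw new InvalidArgumentException('Invalid password.');
        }
        $hash = password_hash($raw, PASSWORD_ARGON2I, $this->options);
        if (!is_string($hash)) {
            throw new RuntimeException('Argon2i hashing failed.');
        }

        return $hash;
    }

    // The timing-safe comparison happens inside password_verify().
    public function isPasswordValid(string $encoded, string $raw): bool
    {
        if (strlen($raw) > self::MAX_PASSWORD_LENGTH) {
            return false;
        }

        return password_verify($raw, $encoded);
    }

    // This is the call the sodium_* API lacks: it lets stored hashes be
    // upgraded transparently on next login when the cost parameters change.
    public function needsRehash(string $encoded): bool
    {
        return password_needs_rehash($encoded, PASSWORD_ARGON2I, $this->options);
    }

    /**
     * The hash is self-describing: "$argon2i$v=19$m=...,t=...,p=...$<salt>$<hash>".
     * The parameter section varies in length, so read the parameters rather
     * than assuming a fixed total length.
     *
     * @return int[] keys: version, m, t, p
     */
    public static function parseParameters(string $encoded): array
    {
        $parts = explode('$', $encoded);
        if (6 !== count($parts) || 'argon2i' !== $parts[1]) {
            throw new InvalidArgumentException('Not an Argon2i hash.');
        }
        $params = ['version' => (int) substr($parts[2], 2)];
        foreach (explode(',', $parts[3]) as $pair) {
            list($key, $value) = explode('=', $pair, 2);
            $params[$key] = (int) $value;
        }

        return $params;
    }
}

// Constructed usage
$encoder = new DemoArgon2iEncoder();
$hash = $encoder->encodePassword('correct horse battery staple');
var_dump($encoder->isPasswordValid($hash, 'correct horse battery staple'));
var_dump($encoder->isPasswordValid($hash, 'wrong'));
print_r(DemoArgon2iEncoder::parseParameters($hash));

// Raising the time cost marks the existing hash for transparent upgrade.
$stronger = new DemoArgon2iEncoder(32768, 6, 1);
var_dump($stronger->needsRehash($hash));
```

`parseParameters()` is there to make the "should the test cover hash length?" point concrete: the algorithm, version, and costs travel inside the string, so a test (or a migration) should inspect those fields, and the only structural guarantee worth asserting is the six `$`-separated parts.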
* 3.4:
[PhpUnitBridge] Added a CoverageListener to enhance the code coverage report
Add a method to check if any results were found
[SecurityBundle] Deprecate ACL related code
[FrameworkBundle] Enable assets with templates only if the Asset component is installed
* 3.4:
[3.4][DI] Inline trivial services
sync upgrade file for Symfony 4.0 between branches
Fix ability to deprecate a config node
[DI] Minor fix in dumped code
[Console] Display file and line on Exception
Fix deprecations regarding core commands registered as services
#24046 added check for ext-dom to XmlUtil::loadFile
* 3.4: (22 commits)
Fix lazy commands registration
[TwigBridge] deprecate TwigRenderer
[FrameworkBundle] Set default public directory on install assets
[Security] Fix wrong term in UserProviderInterface
[HttpFoundation] Set meta refresh time to 0 in RedirectResponse content
disable inlining deprecated services
[Stopwatch] Fix precision for root section
[Cache] add constructor docblocks for clarity
[WebServerBundle] allowed public/ root directory to be auto-discovered along side web/
[WebServerBundle] remove duplicate code
[SecurityBundle] Clarify deprecation in UserPasswordEncoderCommand::getContainer
[Profiler][Validator] ValidatorDataCollector: use new DataCollector::getCasters() method
[Profiler] Fix data collector getCasters() call
[VarDumper] Added setMinDepth to VarCloner
remove symfony/process suggestion
[DI] Remove unused dynamic property
[Cache] add constructor docblocks for clarity
[Security] validate empty passwords again
[Process] Fixed issue between process builder and exec
non-conflicting anonymous service ids across files
...
* 3.3:
[FrameworkBundle] Set default public directory on install assets
[Security] Fix wrong term in UserProviderInterface
[HttpFoundation] Set meta refresh time to 0 in RedirectResponse content
disable inlining deprecated services
[Cache] add constructor docblocks for clarity
[WebServerBundle] allowed public/ root directory to be auto-discovered along side web/
[WebServerBundle] remove duplicate code
[SecurityBundle] Clarify deprecation in UserPasswordEncoderCommand::getContainer
[Cache] add constructor docblocks for clarity
[Security] validate empty passwords again
[DI] Remove irrelevant comment from container
[TwigBridge] cleaner implementation of the TwigRenderer
* 3.4: (83 commits)
add missing version attribute
Show exception is checked twice in ExceptionController of twig
allow SSI fragments configuration in XML files
Display a better error message when the toolbar cannot be displayed
[SecurityBundle] Add user impersonation info and exit action to the profiler
render hidden _method field in form_rest()
Add Doctrine Cache to dev dependencies to fix failing unit tests.
return fallback locales whenever possible
Fix Predis client cluster with pipeline
[Dotenv] Test load() with multiple paths
[Console] Fix catching exception type in QuestionHelper
Improved the exception page when there is no message
[WebProfilerBundle] Eliminate line wrap on count column (routing)
[Profiler][Validator] Add a validator panel in profiler
[Validator] replace hardcoded service id
[Routing] Fix XmlFileLoader exception message
Remove duplicate changelog entries
[DI] Dedup tags when using instanceof/autoconfigure
[Translation] Fix FileLoader::loadResource() php doc
[Serializer] Fix workaround min php version
...
This PR was squashed before being merged into the 3.4 branch (closes #22629).
Discussion
----------
[Security] Trigger a deprecation when a voter is missing the VoterInterface
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | ~
| License | MIT
| Doc PR | ~
Right now it's possible to add voters to the access decision manager that do not have a `VoterInterface`.
- No Interface, no `vote()` method, and it will give a PHP error.
- No Interface, but `vote()` method, it will still work.
- If I don't implement the interface _and_ have no `vote()` method, I will get a weird exception that's not meaningful: `Attempted to call an undefined method named "vote" of class "App\Voter\MyVoter".`
This PR will deprecate the ability to use voters without the interface, it will also throw a proper exception when missing the interface _and_ the `vote()` method. Why when using and not when setting? Due to the fact that the voters can be set lazily via the `IteratorArgument`. The SecurityBundle will trigger a deprecation if the interface is not implemented and an exception if there's not even a `vote()` method present (to prevent exceptions at run-time).
This should have full backwards compatibility with 3.3, but give more meaningful errors. The only behavioral difference might be that the container will throw an exception instead of maybe succeeding in voting when 1 voter would be broken at the end of the list (based on strategy). This case, however, will be detected during development and deployment, rather than at run-time.
Commits
-------
9c253e1ff6 [Security] Trigger a deprecation when a voter is missing the VoterInterface
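The three cases the PR description lists (interface implemented; no interface but a `vote()` method; neither) can be sorted out once, when the voters are collected, instead of surfacing as an undefined-method error on the first access decision. The PHP below is an added illustration of that classification; it is not the code from the PR or from Symfony's `AccessDecisionManager`. `DemoVoterInterface` and `DemoVoterChecker` are placeholder names, and the deprecation is raised with the silenced `E_USER_DEPRECATED` convention Symfony 3.x uses.

```php
<?php
declare(strict_types=1);

// Added example, not the PR's code. DemoVoterInterface stands in for
// Symfony's VoterInterface; DemoVoterChecker stands in for the check the
// bundle runs when it collects voters.
interface DemoVoterInterface
{
    public function vote($token, $subject, array $attributes): int;
}

final class DemoVoterChecker
{
    const STATUS_OK = 'implements interface';
    const STATUS_DEPRECATED = 'duck-typed vote() only';

    /**
     * Classify one voter: a real voter passes; a voter with only a vote()
     * method keeps working but triggers a deprecation; anything else fails
     * with a clear message rather than a run-time "undefined method vote".
     *
     * @param mixed $voter
     */
    public static function check($voter): string
    {
        if ($voter instanceof DemoVoterInterface) {
            return self::STATUS_OK;
        }

        $name = is_object($voter) ? get_class($voter) : gettype($voter);

        if (is_object($voter) && method_exists($voter, 'vote')) {
            // Symfony 3.x deprecation convention: silenced E_USER_DEPRECATED
            @trigger_error(sprintf('Using a voter ("%s") that does not implement "%s" is deprecated.', $name, DemoVoterInterface::class), E_USER_DEPRECATED);

            return self::STATUS_DEPRECATED;
        }

        throw new LogicException(sprintf('"%s" must implement "%s": it does not even define a vote() method.', $name, DemoVoterInterface::class));
    }

    /**
     * Run the check over a (possibly lazy) iterable of voters and return a
     * class => status report, so a broken voter at the end of the list is
     * caught at build time regardless of the decision strategy.
     */
    public static function checkAll(iterable $voters): array
    {
        $report = [];
        foreach ($voters as $voter) {
            $name = is_object($voter) ? get_class($voter) : gettype($voter);
            $report[$name] = self::check($voter);
        }

        return $report;
    }
}

// Constructed sample voters, one per case from the PR description
final class GoodVoter implements DemoVoterInterface
{
    public function vote($token, $subject, array $attributes): int { return 1; }
}
final class DuckTypedVoter
{
    public function vote($token, $subject, array $attributes) { return 1; }
}
final class NotAVoter
{
}

print_r(DemoVoterChecker::checkAll([new GoodVoter(), new DuckTypedVoter()]));

try {
    DemoVoterChecker::check(new NotAVoter());
} catch (LogicException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

`checkAll()` accepts any `iterable`, which is the reason the PR gives for checking at use time rather than at `set` time: lazily provided voters are only known once the iterator is walked, so the report is built by walking it once up front.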
* 3.4:
[FrameworkBundle] Deprecate useless --no-prefix option
Add Doctrine Cache to dev dependencies to fix failing unit tests.
Give info about called security listeners in profiler
Fix the usage of FrameworkBundle in debug mode without Stopwatch
* 3.4:
[FrameworkBundle] removed doctrine/cache as a dependency
drop hard dependency on the Stopwatch component
Fix the conditional definition of the SymfonyTestsListener
[DI] Fix keys resolution in ResolveParameterPlaceHoldersPass
[FrameworkBundle] Fix colliding service ids
[FrameworkBundle] deprecated validator.mapping.cache.doctrine.apc
remove now useless condition
Lazy load security listeners
[EventDispatcher] Remove dead code in WrappedListener
[Process] Deprecate ProcessBuilder
Fix non-dumped voters in security panel
search case insensitive
[VarDumper] Cyclic searching dumps
[Yaml] Remove line number in deprecation notices
[SecurityBundle] Made 2 service aliases private
Automatically enable the routing annotation loader
[FrameworkBundle] KernelTestCase: deprecate not using KERNEL_CLASS