diff options
Diffstat (limited to 'Core')
39 files changed, 485 insertions, 1195 deletions
diff --git a/Core/Authentication/Provider/AuthenticationProviderInterface.php b/Core/Authentication/Provider/AuthenticationProviderInterface.php index adad258..f3e1590 100644 --- a/Core/Authentication/Provider/AuthenticationProviderInterface.php +++ b/Core/Authentication/Provider/AuthenticationProviderInterface.php @@ -25,6 +25,13 @@ use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterfac interface AuthenticationProviderInterface extends AuthenticationManagerInterface { /** + * Use this constant for not provided username. + * + * @var string + */ + const USERNAME_NONE_PROVIDED = 'NONE_PROVIDED'; + + /** * Checks whether this provider supports the given token. * * @param TokenInterface $token A TokenInterface instance diff --git a/Core/Authentication/Provider/LdapBindAuthenticationProvider.php b/Core/Authentication/Provider/LdapBindAuthenticationProvider.php index e887f99..5ebb09a 100644 --- a/Core/Authentication/Provider/LdapBindAuthenticationProvider.php +++ b/Core/Authentication/Provider/LdapBindAuthenticationProvider.php @@ -17,7 +17,7 @@ use Symfony\Component\Security\Core\Exception\UsernameNotFoundException; use Symfony\Component\Security\Core\User\UserCheckerInterface; use Symfony\Component\Security\Core\User\UserInterface; use Symfony\Component\Security\Core\User\UserProviderInterface; -use Symfony\Component\Ldap\LdapClientInterface; +use Symfony\Component\Ldap\LdapInterface; use Symfony\Component\Ldap\Exception\ConnectionException; /** @@ -40,11 +40,11 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider * @param UserProviderInterface $userProvider A UserProvider * @param UserCheckerInterface $userChecker A UserChecker * @param string $providerKey The provider key - * @param LdapClientInterface $ldap An Ldap client + * @param LdapInterface $ldap A Ldap client * @param string $dnString A string used to create the bind DN * @param bool $hideUserNotFoundExceptions Whether to hide user not found exception or not */ - public function __construct(UserProviderInterface $userProvider, UserCheckerInterface $userChecker, $providerKey, LdapClientInterface $ldap, $dnString = '{username}', $hideUserNotFoundExceptions = true) + public function __construct(UserProviderInterface $userProvider, UserCheckerInterface $userChecker, $providerKey, LdapInterface $ldap, $dnString = '{username}', $hideUserNotFoundExceptions = true) { parent::__construct($userChecker, $providerKey, $hideUserNotFoundExceptions); @@ -58,7 +58,7 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider */ protected function retrieveUser($username, UsernamePasswordToken $token) { - if ('NONE_PROVIDED' === $username) { + if (AuthenticationProviderInterface::USERNAME_NONE_PROVIDED === $username) { throw new UsernameNotFoundException('Username can not be null'); } @@ -78,7 +78,7 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider } try { - $username = $this->ldap->escape($username, '', LDAP_ESCAPE_DN); + $username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_DN); $dn = str_replace('{username}', $username, $this->dnString); $this->ldap->bind($dn, $password); diff --git a/Core/Authentication/Provider/UserAuthenticationProvider.php b/Core/Authentication/Provider/UserAuthenticationProvider.php index 2674088..9dc4751 100644 --- a/Core/Authentication/Provider/UserAuthenticationProvider.php +++ b/Core/Authentication/Provider/UserAuthenticationProvider.php @@ -63,7 +63,7 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter $username = $token->getUsername(); if ('' === $username || null === $username) { - $username = 'NONE_PROVIDED'; + $username = AuthenticationProviderInterface::USERNAME_NONE_PROVIDED; } try { diff --git a/Core/Authentication/SimpleFormAuthenticatorInterface.php b/Core/Authentication/SimpleFormAuthenticatorInterface.php deleted file mode 100644 index ae2b58b..0000000 --- a/Core/Authentication/SimpleFormAuthenticatorInterface.php +++ /dev/null @@ -1,24 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Core\Authentication; - -use Symfony\Component\HttpFoundation\Request; - -/** - * @deprecated Deprecated since version 2.8, to be removed in 3.0. Use the same interface from Security\Http\Authentication instead. - * - * @author Jordi Boggiano <j.boggiano@seld.be> - */ -interface SimpleFormAuthenticatorInterface extends SimpleAuthenticatorInterface -{ - public function createToken(Request $request, $username, $password, $providerKey); -} diff --git a/Core/Authentication/SimplePreAuthenticatorInterface.php b/Core/Authentication/SimplePreAuthenticatorInterface.php deleted file mode 100644 index c01f064..0000000 --- a/Core/Authentication/SimplePreAuthenticatorInterface.php +++ /dev/null @@ -1,24 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Core\Authentication; - -use Symfony\Component\HttpFoundation\Request; - -/** - * @deprecated Since version 2.8, to be removed in 3.0. Use the same interface from Security\Http\Authentication instead. - * - * @author Jordi Boggiano <j.boggiano@seld.be> - */ -interface SimplePreAuthenticatorInterface extends SimpleAuthenticatorInterface -{ - public function createToken(Request $request, $providerKey); -} diff --git a/Core/Authentication/Token/AnonymousToken.php b/Core/Authentication/Token/AnonymousToken.php index bbbfe64..76c88ba 100644 --- a/Core/Authentication/Token/AnonymousToken.php +++ b/Core/Authentication/Token/AnonymousToken.php @@ -47,16 +47,6 @@ class AnonymousToken extends AbstractToken } /** - * @deprecated Since version 2.8, to be removed in 3.0. Use getSecret() instead. - */ - public function getKey() - { - @trigger_error(__method__.'() is deprecated since version 2.8 and will be removed in 3.0. Use getSecret() instead.', E_USER_DEPRECATED); - - return $this->getSecret(); - } - - /** * Returns the secret. * * @return string diff --git a/Core/Authentication/Token/RememberMeToken.php b/Core/Authentication/Token/RememberMeToken.php index 60e36f2..edd77ab 100644 --- a/Core/Authentication/Token/RememberMeToken.php +++ b/Core/Authentication/Token/RememberMeToken.php @@ -74,16 +74,6 @@ class RememberMeToken extends AbstractToken } /** - * @deprecated Since version 2.8, to be removed in 3.0. Use getSecret() instead. - */ - public function getKey() - { - @trigger_error(__method__.'() is deprecated since version 2.8 and will be removed in 3.0. Use getSecret() instead.', E_USER_DEPRECATED); - - return $this->getSecret(); - } - - /** * Returns the secret. * * @return string diff --git a/Core/AuthenticationEvents.php b/Core/AuthenticationEvents.php index 13bce30..dfbd903 100644 --- a/Core/AuthenticationEvents.php +++ b/Core/AuthenticationEvents.php @@ -17,10 +17,7 @@ final class AuthenticationEvents * The AUTHENTICATION_SUCCESS event occurs after a user is authenticated * by one provider. * - * The event listener method receives a - * Symfony\Component\Security\Core\Event\AuthenticationEvent instance. - * - * @Event + * @Event("Symfony\Component\Security\Core\Event\AuthenticationEvent") * * @var string */ @@ -30,11 +27,7 @@ final class AuthenticationEvents * The AUTHENTICATION_FAILURE event occurs after a user cannot be * authenticated by any of the providers. * - * The event listener method receives a - * Symfony\Component\Security\Core\Event\AuthenticationFailureEvent - * instance. - * - * @Event + * @Event("Symfony\Component\Security\Core\Event\AuthenticationFailureEvent") * * @var string */ diff --git a/Core/Authorization/AccessDecisionManager.php b/Core/Authorization/AccessDecisionManager.php index 7cefef1..e40d906 100644 --- a/Core/Authorization/AccessDecisionManager.php +++ b/Core/Authorization/AccessDecisionManager.php @@ -73,38 +73,6 @@ class AccessDecisionManager implements AccessDecisionManagerInterface } /** - * {@inheritdoc} - */ - public function supportsAttribute($attribute) - { - @trigger_error('The '.__METHOD__.' is deprecated since version 2.8 and will be removed in version 3.0.', E_USER_DEPRECATED); - - foreach ($this->voters as $voter) { - if ($voter->supportsAttribute($attribute)) { - return true; - } - } - - return false; - } - - /** - * {@inheritdoc} - */ - public function supportsClass($class) - { - @trigger_error('The '.__METHOD__.' is deprecated since version 2.8 and will be removed in version 3.0.', E_USER_DEPRECATED); - - foreach ($this->voters as $voter) { - if ($voter->supportsClass($class)) { - return true; - } - } - - return false; - } - - /** * Grants access if any voter returns an affirmative response. * * If all voters abstained from voting, the decision will be based on the diff --git a/Core/Authorization/AccessDecisionManagerInterface.php b/Core/Authorization/AccessDecisionManagerInterface.php index d18b5e3..723ef19 100644 --- a/Core/Authorization/AccessDecisionManagerInterface.php +++ b/Core/Authorization/AccessDecisionManagerInterface.php @@ -30,26 +30,4 @@ interface AccessDecisionManagerInterface * @return bool true if the access is granted, false otherwise */ public function decide(TokenInterface $token, array $attributes, $object = null); - - /** - * Checks if the access decision manager supports the given attribute. - * - * @param string $attribute An attribute - * - * @return bool true if this decision manager supports the attribute, false otherwise - * - * @deprecated since version 2.8, to be removed in 3.0. - */ - public function supportsAttribute($attribute); - - /** - * Checks if the access decision manager supports the given class. - * - * @param string $class A class name - * - * @return true if this decision manager can process the class - * - * @deprecated since version 2.8, to be removed in 3.0. - */ - public function supportsClass($class); } diff --git a/Core/Authorization/DebugAccessDecisionManager.php b/Core/Authorization/DebugAccessDecisionManager.php new file mode 100644 index 0000000..aa15443 --- /dev/null +++ b/Core/Authorization/DebugAccessDecisionManager.php @@ -0,0 +1,134 @@ +<?php + +/* + * This file is part of the Symfony package. + * + * (c) Fabien Potencier <fabien@symfony.com> + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +namespace Symfony\Component\Security\Core\Authorization; + +use Doctrine\Common\Util\ClassUtils; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; + +/** + * Decorates the original AccessDecisionManager class to log information + * about the security voters and the decisions made by them. + * + * @author Javier Eguiluz <javier.eguiluz@gmail.com> + * + * @internal + */ +class DebugAccessDecisionManager implements AccessDecisionManagerInterface +{ + private $manager; + private $strategy; + private $voters = array(); + private $decisionLog = array(); + + public function __construct(AccessDecisionManagerInterface $manager) + { + $this->manager = $manager; + + if ($this->manager instanceof AccessDecisionManager) { + // The strategy is stored in a private property of the decorated service + $reflection = new \ReflectionProperty(AccessDecisionManager::class, 'strategy'); + $reflection->setAccessible(true); + $this->strategy = $reflection->getValue($manager); + } + } + + /** + * {@inheritdoc} + */ + public function decide(TokenInterface $token, array $attributes, $object = null) + { + $result = $this->manager->decide($token, $attributes, $object); + + $this->decisionLog[] = array( + 'attributes' => $attributes, + 'object' => $this->getStringRepresentation($object), + 'result' => $result, + ); + + return $result; + } + + /** + * {@inheritdoc} + */ + public function setVoters(array $voters) + { + if (!method_exists($this->manager, 'setVoters')) { + return; + } + + $this->voters = $voters; + $this->manager->setVoters($voters); + } + + /** + * @return string + */ + public function getStrategy() + { + // The $strategy property is misleading because it stores the name of its + // method (e.g. 'decideAffirmative') instead of the original strategy name + // (e.g. 'affirmative') + return null === $this->strategy ? '-' : strtolower(substr($this->strategy, 6)); + } + + /** + * @return array + */ + public function getVoters() + { + return $this->voters; + } + + /** + * @return array + */ + public function getDecisionLog() + { + return $this->decisionLog; + } + + /** + * @param mixed $object + * + * @return string + */ + private function getStringRepresentation($object) + { + if (null === $object) { + return 'NULL'; + } + + if (!is_object($object)) { + if (is_bool($object)) { + return sprintf('%s (%s)', gettype($object), $object ? 'true' : 'false'); + } + if (is_scalar($object)) { + return sprintf('%s (%s)', gettype($object), $object); + } + + return gettype($object); + } + + $objectClass = class_exists('Doctrine\Common\Util\ClassUtils') ? ClassUtils::getClass($object) : get_class($object); + + if (method_exists($object, 'getId')) { + $objectAsString = sprintf('ID: %s', $object->getId()); + } elseif (method_exists($object, '__toString')) { + $objectAsString = (string) $object; + } else { + $objectAsString = sprintf('object hash: %s', spl_object_hash($object)); + } + + return sprintf('%s (%s)', $objectClass, $objectAsString); + } +} diff --git a/Core/Authorization/Voter/AbstractVoter.php b/Core/Authorization/Voter/AbstractVoter.php deleted file mode 100644 index 5dcf787..0000000 --- a/Core/Authorization/Voter/AbstractVoter.php +++ /dev/null @@ -1,117 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Core\Authorization\Voter; - -@trigger_error('The '.__NAMESPACE__.'\AbstractVoter class is deprecated since version 2.8, to be removed in 3.0. Upgrade to Symfony\Component\Security\Core\Authorization\Voter\Voter instead.', E_USER_DEPRECATED); - -use Symfony\Component\Security\Core\User\UserInterface; -use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; - -/** - * Abstract Voter implementation that reduces boilerplate code required to create a custom Voter. - * - * @author Roman Marintšenko <inoryy@gmail.com> - * - * @deprecated since version 2.8, to be removed in 3.0. Upgrade to Symfony\Component\Security\Core\Authorization\Voter\Voter instead. - */ -abstract class AbstractVoter implements VoterInterface -{ - /** - * {@inheritdoc} - */ - public function supportsAttribute($attribute) - { - return in_array($attribute, $this->getSupportedAttributes()); - } - - /** - * {@inheritdoc} - */ - public function supportsClass($class) - { - foreach ($this->getSupportedClasses() as $supportedClass) { - if ($supportedClass === $class || is_subclass_of($class, $supportedClass)) { - return true; - } - } - - return false; - } - - /** - * Iteratively check all given attributes by calling isGranted. - * - * This method terminates as soon as it is able to return ACCESS_GRANTED - * If at least one attribute is supported, but access not granted, then ACCESS_DENIED is returned - * Otherwise it will return ACCESS_ABSTAIN - * - * @param TokenInterface $token A TokenInterface instance - * @param object $object The object to secure - * @param array $attributes An array of attributes associated with the method being invoked - * - * @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED - */ - public function vote(TokenInterface $token, $object, array $attributes) - { - if (!$object || !$this->supportsClass(get_class($object))) { - return self::ACCESS_ABSTAIN; - } - - // abstain vote by default in case none of the attributes are supported - $vote = self::ACCESS_ABSTAIN; - - foreach ($attributes as $attribute) { - if (!$this->supportsAttribute($attribute)) { - continue; - } - - // as soon as at least one attribute is supported, default is to deny access - $vote = self::ACCESS_DENIED; - - if ($this->isGranted($attribute, $object, $token->getUser())) { - // grant access as soon as at least one voter returns a positive response - return self::ACCESS_GRANTED; - } - } - - return $vote; - } - - /** - * Return an array of supported classes. This will be called by supportsClass. - * - * @return array an array of supported classes, i.e. array('Acme\DemoBundle\Model\Product') - */ - abstract protected function getSupportedClasses(); - - /** - * Return an array of supported attributes. This will be called by supportsAttribute. - * - * @return array an array of supported attributes, i.e. array('CREATE', 'READ') - */ - abstract protected function getSupportedAttributes(); - - /** - * Perform a single access check operation on a given attribute, object and (optionally) user - * It is safe to assume that $attribute and $object's class pass supportsAttribute/supportsClass - * $user can be one of the following: - * a UserInterface object (fully authenticated user) - * a string (anonymously authenticated user). - * - * @param string $attribute - * @param object $object - * @param UserInterface|string $user - * - * @return bool - */ - abstract protected function isGranted($attribute, $object, $user = null); -} diff --git a/Core/Authorization/Voter/AuthenticatedVoter.php b/Core/Authorization/Voter/AuthenticatedVoter.php index 5847e0d..dc1407b 100644 --- a/Core/Authorization/Voter/AuthenticatedVoter.php +++ b/Core/Authorization/Voter/AuthenticatedVoter.php @@ -44,27 +44,13 @@ class AuthenticatedVoter implements VoterInterface /** * {@inheritdoc} */ - public function supportsAttribute($attribute) - { - return null !== $attribute && (self::IS_AUTHENTICATED_FULLY === $attribute || self::IS_AUTHENTICATED_REMEMBERED === $attribute || self::IS_AUTHENTICATED_ANONYMOUSLY === $attribute); - } - - /** - * {@inheritdoc} - */ - public function supportsClass($class) - { - return true; - } - - /** - * {@inheritdoc} - */ - public function vote(TokenInterface $token, $object, array $attributes) + public function vote(TokenInterface $token, $subject, array $attributes) { $result = VoterInterface::ACCESS_ABSTAIN; foreach ($attributes as $attribute) { - if (!$this->supportsAttribute($attribute)) { + if (null === $attribute || (self::IS_AUTHENTICATED_FULLY !== $attribute + && self::IS_AUTHENTICATED_REMEMBERED !== $attribute + && self::IS_AUTHENTICATED_ANONYMOUSLY !== $attribute)) { continue; } diff --git a/Core/Authorization/Voter/ExpressionVoter.php b/Core/Authorization/Voter/ExpressionVoter.php index 96a7ece..5fd8b83 100644 --- a/Core/Authorization/Voter/ExpressionVoter.php +++ b/Core/Authorization/Voter/ExpressionVoter.php @@ -52,33 +52,17 @@ class ExpressionVoter implements VoterInterface /** * {@inheritdoc} */ - public function supportsAttribute($attribute) - { - return $attribute instanceof Expression; - } - - /** - * {@inheritdoc} - */ - public function supportsClass($class) - { - return true; - } - - /** - * {@inheritdoc} - */ - public function vote(TokenInterface $token, $object, array $attributes) + public function vote(TokenInterface $token, $subject, array $attributes) { $result = VoterInterface::ACCESS_ABSTAIN; $variables = null; foreach ($attributes as $attribute) { - if (!$this->supportsAttribute($attribute)) { + if (!$attribute instanceof Expression) { continue; } if (null === $variables) { - $variables = $this->getVariables($token, $object); + $variables = $this->getVariables($token, $subject); } $result = VoterInterface::ACCESS_DENIED; @@ -90,7 +74,7 @@ class ExpressionVoter implements VoterInterface return $result; } - private function getVariables(TokenInterface $token, $object) + private function getVariables(TokenInterface $token, $subject) { if (null !== $this->roleHierarchy) { $roles = $this->roleHierarchy->getReachableRoles($token->getRoles()); @@ -101,8 +85,8 @@ class ExpressionVoter implements VoterInterface $variables = array( 'token' => $token, 'user' => $token->getUser(), - 'object' => $object, - 'subject' => $object, + 'object' => $subject, + 'subject' => $subject, 'roles' => array_map(function ($role) { return $role->getRole(); }, $roles), 'trust_resolver' => $this->trustResolver, ); @@ -110,8 +94,8 @@ class ExpressionVoter implements VoterInterface // this is mainly to propose a better experience when the expression is used // in an access control rule, as the developer does not know that it's going // to be handled by this voter - if ($object instanceof Request) { - $variables['request'] = $object; + if ($subject instanceof Request) { + $variables['request'] = $subject; } return $variables; diff --git a/Core/Authorization/Voter/RoleVoter.php b/Core/Authorization/Voter/RoleVoter.php index 539dcda..d5f3176 100644 --- a/Core/Authorization/Voter/RoleVoter.php +++ b/Core/Authorization/Voter/RoleVoter.php @@ -36,23 +36,7 @@ class RoleVoter implements VoterInterface /** * {@inheritdoc} */ - public function supportsAttribute($attribute) - { - return is_string($attribute) && 0 === strpos($attribute, $this->prefix); - } - - /** - * {@inheritdoc} - */ - public function supportsClass($class) - { - return true; - } - - /** - * {@inheritdoc} - */ - public function vote(TokenInterface $token, $object, array $attributes) + public function vote(TokenInterface $token, $subject, array $attributes) { $result = VoterInterface::ACCESS_ABSTAIN; $roles = $this->extractRoles($token); @@ -62,7 +46,7 @@ class RoleVoter implements VoterInterface $attribute = $attribute->getRole(); } - if (!$this->supportsAttribute($attribute)) { + if (!is_string($attribute) || 0 !== strpos($attribute, $this->prefix)) { continue; } diff --git a/Core/Authorization/Voter/Voter.php b/Core/Authorization/Voter/Voter.php index 2396b1e..0641486 100644 --- a/Core/Authorization/Voter/Voter.php +++ b/Core/Authorization/Voter/Voter.php @@ -24,36 +24,20 @@ abstract class Voter implements VoterInterface /** * {@inheritdoc} */ - public function supportsAttribute($attribute) - { - throw new \BadMethodCallException('supportsAttribute method is deprecated since version 2.8, to be removed in 3.0'); - } - - /** - * {@inheritdoc} - */ - public function supportsClass($class) - { - throw new \BadMethodCallException('supportsClass method is deprecated since version 2.8, to be removed in 3.0'); - } - - /** - * {@inheritdoc} - */ - public function vote(TokenInterface $token, $object, array $attributes) + public function vote(TokenInterface $token, $subject, array $attributes) { // abstain vote by default in case none of the attributes are supported $vote = self::ACCESS_ABSTAIN; foreach ($attributes as $attribute) { - if (!$this->supports($attribute, $object)) { + if (!$this->supports($attribute, $subject)) { continue; } // as soon as at least one attribute is supported, default is to deny access $vote = self::ACCESS_DENIED; - if ($this->voteOnAttribute($attribute, $object, $token)) { + if ($this->voteOnAttribute($attribute, $subject, $token)) { // grant access as soon as at least one attribute returns a positive response return self::ACCESS_GRANTED; } diff --git a/Core/Authorization/Voter/VoterInterface.php b/Core/Authorization/Voter/VoterInterface.php index 91ddc1f..4bb7367 100644 --- a/Core/Authorization/Voter/VoterInterface.php +++ b/Core/Authorization/Voter/VoterInterface.php @@ -25,38 +25,16 @@ interface VoterInterface const ACCESS_DENIED = -1; /** - * Checks if the voter supports the given attribute. - * - * @param mixed $attribute An attribute (usually the attribute name string) - * - * @return bool true if this Voter supports the attribute, false otherwise - * - * @deprecated since version 2.8, to be removed in 3.0. - */ - public function supportsAttribute($attribute); - - /** - * Checks if the voter supports the given class. - * - * @param string $class A class name - * - * @return bool true if this Voter can process the class - * - * @deprecated since version 2.8, to be removed in 3.0. - */ - public function supportsClass($class); - - /** * Returns the vote for the given parameters. * * This method must return one of the following constants: * ACCESS_GRANTED, ACCESS_DENIED, or ACCESS_ABSTAIN. * * @param TokenInterface $token A TokenInterface instance - * @param object|null $object The object to secure + * @param mixed $subject The subject to secure * @param array $attributes An array of attributes associated with the method being invoked * * @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED */ - public function vote(TokenInterface $token, $object, array $attributes); + public function vote(TokenInterface $token, $subject, array $attributes); } diff --git a/Core/Encoder/BCryptPasswordEncoder.php b/Core/Encoder/BCryptPasswordEncoder.php index e10941f..8278ef3 100644 --- a/Core/Encoder/BCryptPasswordEncoder.php +++ b/Core/Encoder/BCryptPasswordEncoder.php @@ -73,9 +73,7 @@ class BCryptPasswordEncoder extends BasePasswordEncoder $options = array('cost' => $this->cost); if ($salt) { - @trigger_error('Passing a $salt to '.__METHOD__.'() is deprecated since version 2.8 and will be ignored in 3.0.', E_USER_DEPRECATED); - - $options['salt'] = $salt; + // Ignore $salt, the auto-generated one is always the best } return password_hash($raw, PASSWORD_BCRYPT, $options); diff --git a/Core/SecurityContext.php b/Core/SecurityContext.php deleted file mode 100644 index 027ff49..0000000 --- a/Core/SecurityContext.php +++ /dev/null @@ -1,104 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Core; - -@trigger_error('The '.__NAMESPACE__.'\SecurityContext class is deprecated since version 2.6 and will be removed in 3.0. Use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage or Symfony\Component\Security\Core\Authorization\AuthorizationChecker instead.', E_USER_DEPRECATED); - -use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface; -use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage; -use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface; -use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; -use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface; -use Symfony\Component\Security\Core\Authorization\AuthorizationChecker; -use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface; - -/** - * SecurityContext is the main entry point of the Security component. - * - * It gives access to the token representing the current user authentication. - * - * @author Fabien Potencier <fabien@symfony.com> - * @author Johannes M. Schmitt <schmittjoh@gmail.com> - * - * @deprecated since version 2.6, to be removed in 3.0. - */ -class SecurityContext implements SecurityContextInterface -{ - /** - * @var TokenStorageInterface - */ - private $tokenStorage; - - /** - * @var AuthorizationCheckerInterface - */ - private $authorizationChecker; - - /** - * For backwards compatibility, the signature of sf <2.6 still works. - * - * @param TokenStorageInterface|AuthenticationManagerInterface $tokenStorage - * @param AuthorizationCheckerInterface|AccessDecisionManagerInterface $authorizationChecker - * @param bool $alwaysAuthenticate only applicable with old signature - */ - public function __construct($tokenStorage, $authorizationChecker, $alwaysAuthenticate = false) - { - $oldSignature = $tokenStorage instanceof AuthenticationManagerInterface && $authorizationChecker instanceof AccessDecisionManagerInterface; - $newSignature = $tokenStorage instanceof TokenStorageInterface && $authorizationChecker instanceof AuthorizationCheckerInterface; - - // confirm possible signatures - if (!$oldSignature && !$newSignature) { - throw new \BadMethodCallException('Unable to construct SecurityContext, please provide the correct arguments'); - } - - if ($oldSignature) { - // renamed for clarity - $authenticationManager = $tokenStorage; - $accessDecisionManager = $authorizationChecker; - $tokenStorage = new TokenStorage(); - $authorizationChecker = new AuthorizationChecker($tokenStorage, $authenticationManager, $accessDecisionManager, $alwaysAuthenticate); - } - - $this->tokenStorage = $tokenStorage; - $this->authorizationChecker = $authorizationChecker; - } - - /** - * @deprecated since version 2.6, to be removed in 3.0. Use TokenStorageInterface::getToken() instead. - * - * {@inheritdoc} - */ - public function getToken() - { - return $this->tokenStorage->getToken(); - } - - /** - * @deprecated since version 2.6, to be removed in 3.0. Use TokenStorageInterface::setToken() instead. - * - * {@inheritdoc} - */ - public function setToken(TokenInterface $token = null) - { - return $this->tokenStorage->setToken($token); - } - - /** - * @deprecated since version 2.6, to be removed in 3.0. Use AuthorizationCheckerInterface::isGranted() instead. - * - * {@inheritdoc} - */ - public function isGranted($attributes, $object = null) - { - return $this->authorizationChecker->isGranted($attributes, $object); - } -} diff --git a/Core/SecurityContextInterface.php b/Core/SecurityContextInterface.php deleted file mode 100644 index 73edd23..0000000 --- a/Core/SecurityContextInterface.php +++ /dev/null @@ -1,30 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Core; - -use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface; -use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface; - -/** - * The SecurityContextInterface. - * - * @author Johannes M. Schmitt <schmittjoh@gmail.com> - * - * @deprecated since version 2.6, to be removed in 3.0. - */ -interface SecurityContextInterface extends TokenStorageInterface, AuthorizationCheckerInterface -{ - const ACCESS_DENIED_ERROR = Security::ACCESS_DENIED_ERROR; - const AUTHENTICATION_ERROR = Security::AUTHENTICATION_ERROR; - const LAST_USERNAME = Security::LAST_USERNAME; - const MAX_USERNAME_LENGTH = Security::MAX_USERNAME_LENGTH; -} diff --git a/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php b/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php index fbb4d73..da3068f 100644 --- a/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php +++ b/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php @@ -11,10 +11,13 @@ namespace Symfony\Component\Security\Core\Tests\Authentication\Provider; +use Symfony\Component\Ldap\LdapInterface; use Symfony\Component\Security\Core\Authentication\Provider\LdapBindAuthenticationProvider; use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken; use Symfony\Component\Security\Core\User\User; use Symfony\Component\Ldap\Exception\ConnectionException; +use Symfony\Component\Security\Core\User\UserCheckerInterface; +use Symfony\Component\Security\Core\User\UserProviderInterface; /** * @requires extension ldap @@ -44,14 +47,14 @@ class LdapBindAuthenticationProviderTest extends \PHPUnit_Framework_TestCase */ public function testBindFailureShouldThrowAnException() { - $userProvider = $this->getMock('Symfony\Component\Security\Core\User\UserProviderInterface'); - $ldap = $this->getMock('Symfony\Component\Ldap\LdapClientInterface'); + $userProvider = $this->getMock(UserProviderInterface::class); + $ldap = $this->getMock(LdapInterface::class); $ldap ->expects($this->once()) ->method('bind') ->will($this->throwException(new ConnectionException())) ; - $userChecker = $this->getMock('Symfony\Component\Security\Core\User\UserCheckerInterface'); + $userChecker = $this->getMock(UserCheckerInterface::class); $provider = new LdapBindAuthenticationProvider($userProvider, $userChecker, 'key', $ldap); $reflection = new \ReflectionMethod($provider, 'checkAuthentication'); @@ -62,15 +65,15 @@ class LdapBindAuthenticationProviderTest extends \PHPUnit_Framework_TestCase public function testRetrieveUser() { - $userProvider = $this->getMock('Symfony\Component\Security\Core\User\UserProviderInterface'); + $userProvider = $this->getMock(UserProviderInterface::class); $userProvider ->expects($this->once()) ->method('loadUserByUsername') ->with('foo') ; - $ldap = $this->getMock('Symfony\Component\Ldap\LdapClientInterface'); + $ldap = $this->getMock(LdapInterface::class); - $userChecker = $this->getMock('Symfony\Component\Security\Core\User\UserCheckerInterface'); + $userChecker = $this->getMock(UserCheckerInterface::class); $provider = new LdapBindAuthenticationProvider($userProvider, $userChecker, 'key', $ldap); $reflection = new \ReflectionMethod($provider, 'retrieveUser'); diff --git a/Core/Tests/Authorization/AccessDecisionManagerTest.php b/Core/Tests/Authorization/AccessDecisionManagerTest.php index 412af91..0e77c75 100644 --- a/Core/Tests/Authorization/AccessDecisionManagerTest.php +++ b/Core/Tests/Authorization/AccessDecisionManagerTest.php @@ -17,42 +17,6 @@ use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface; class AccessDecisionManagerTest extends \PHPUnit_Framework_TestCase { /** - * @group legacy - */ - public function testSupportsClass() - { - $manager = new AccessDecisionManager(array( - $this->getVoterSupportsClass(true), - $this->getVoterSupportsClass(false), - )); - $this->assertTrue($manager->supportsClass('FooClass')); - - $manager = new AccessDecisionManager(array( - $this->getVoterSupportsClass(false), - $this->getVoterSupportsClass(false), - )); - $this->assertFalse($manager->supportsClass('FooClass')); - } - - /** - * @group legacy - */ - public function testSupportsAttribute() - { - $manager = new AccessDecisionManager(array( - $this->getVoterSupportsAttribute(true), - $this->getVoterSupportsAttribute(false), - )); - $this->assertTrue($manager->supportsAttribute('foo')); - - $manager = new AccessDecisionManager(array( - $this->getVoterSupportsAttribute(false), - $this->getVoterSupportsAttribute(false), - )); - $this->assertFalse($manager->supportsAttribute('foo')); - } - - /** * @expectedException \InvalidArgumentException */ public function testSetUnsupportedStrategy() @@ -173,24 +137,4 @@ class AccessDecisionManagerTest extends \PHPUnit_Framework_TestCase return $voter; } - - protected function getVoterSupportsClass($ret) - { - $voter = $this->getMock('Symfony\Component\Security\Core\Authorization\Voter\VoterInterface'); - $voter->expects($this->any()) - ->method('supportsClass') - ->will($this->returnValue($ret)); - - return $voter; - } - - protected function getVoterSupportsAttribute($ret) - { - $voter = $this->getMock('Symfony\Component\Security\Core\Authorization\Voter\VoterInterface'); - $voter->expects($this->any()) - ->method('supportsAttribute') - ->will($this->returnValue($ret)); - - return $voter; - } } diff --git a/Core/Tests/Authorization/DebugAccessDecisionManagerTest.php b/Core/Tests/Authorization/DebugAccessDecisionManagerTest.php new file mode 100644 index 0000000..f90f776 --- /dev/null +++ b/Core/Tests/Authorization/DebugAccessDecisionManagerTest.php @@ -0,0 +1,43 @@ +<?php + +/* + * This file is part of the Symfony package. + * + * (c) Fabien Potencier <fabien@symfony.com> + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +namespace Symfony\Component\Security\Core\Tests\Authorization; + +use Symfony\Component\Security\Core\Authorization\AccessDecisionManager; +use Symfony\Component\Security\Core\Authorization\DebugAccessDecisionManager; +use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; + +class DebugAccessDecisionManagerTest extends \PHPUnit_Framework_TestCase +{ + /** + * @dataProvider provideObjectsAndLogs + */ + public function testDecideLog($expectedLog, $object) + { + $adm = new DebugAccessDecisionManager(new AccessDecisionManager()); + $adm->decide($this->getMock(TokenInterface::class), array('ATTRIBUTE_1'), $object); + + $this->assertSame($expectedLog, $adm->getDecisionLog()); + } + + public function provideObjectsAndLogs() + { + $object = new \stdClass(); + + yield array(array(array('attributes' => array('ATTRIBUTE_1'), 'object' => 'NULL', 'result' => false)), null); + yield array(array(array('attributes' => array('ATTRIBUTE_1'), 'object' => 'boolean (true)', 'result' => false)), true); + yield array(array(array('attributes' => array('ATTRIBUTE_1'), 'object' => 'string (jolie string)', 'result' => false)), 'jolie string'); + yield array(array(array('attributes' => array('ATTRIBUTE_1'), 'object' => 'integer (12345)', 'result' => false)), 12345); + yield array(array(array('attributes' => array('ATTRIBUTE_1'), 'object' => 'resource', 'result' => false)), fopen(__FILE__, 'r')); + yield array(array(array('attributes' => array('ATTRIBUTE_1'), 'object' => 'array', 'result' => false)), array()); + yield array(array(array('attributes' => array('ATTRIBUTE_1'), 'object' => sprintf('stdClass (object hash: %s)', spl_object_hash($object)), 'result' => false)), $object); + } +} diff --git a/Core/Tests/Authorization/Voter/AbstractVoterTest.php b/Core/Tests/Authorization/Voter/AbstractVoterTest.php deleted file mode 100644 index b537c1b..0000000 --- a/Core/Tests/Authorization/Voter/AbstractVoterTest.php +++ /dev/null @@ -1,58 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Core\Tests\Authorization\Voter; - -use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface; - -/** - * @group legacy - */ -class AbstractVoterTest extends \PHPUnit_Framework_TestCase -{ - protected $token; - - protected function setUp() - { - $this->token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface'); - } - - public function getTests() - { - return array( - array(array('EDIT'), VoterInterface::ACCESS_GRANTED, new \stdClass(), 'ACCESS_GRANTED if attribute and class are supported and attribute grants access'), - array(array('CREATE'), VoterInterface::ACCESS_DENIED, new \stdClass(), 'ACCESS_DENIED if attribute and class are supported and attribute does not grant access'), - - array(array('DELETE', 'EDIT'), VoterInterface::ACCESS_GRANTED, new \stdClass(), 'ACCESS_GRANTED if one attribute is supported and grants access'), - array(array('DELETE', 'CREATE'), VoterInterface::ACCESS_DENIED, new \stdClass(), 'ACCESS_DENIED if one attribute is supported and denies access'), - - array(array('CREATE', 'EDIT'), VoterInterface::ACCESS_GRANTED, new \stdClass(), 'ACCESS_GRANTED if one attribute grants access'), - - array(array('DELETE'), VoterInterface::ACCESS_ABSTAIN, new \stdClass(), 'ACCESS_ABSTAIN if no attribute is supported'), - - array(array('EDIT'), VoterInterface::ACCESS_ABSTAIN, $this, 'ACCESS_ABSTAIN if class is not supported'), - - array(array('EDIT'), VoterInterface::ACCESS_ABSTAIN, null, 'ACCESS_ABSTAIN if object is null'), - - array(array(), VoterInterface::ACCESS_ABSTAIN, new \stdClass(), 'ACCESS_ABSTAIN if no attributes were provided'), - ); - } - - /** - * @dataProvider getTests - */ - public function testVote(array $attributes, $expectedVote, $object, $message) - { - $voter = new Fixtures\MyVoter(); - - $this->assertEquals($expectedVote, $voter->vote($this->token, $object, $attributes), $message); - } -} diff --git a/Core/Tests/Authorization/Voter/AuthenticatedVoterTest.php b/Core/Tests/Authorization/Voter/AuthenticatedVoterTest.php index 4679c0f..60e2a19 100644 --- a/Core/Tests/Authorization/Voter/AuthenticatedVoterTest.php +++ b/Core/Tests/Authorization/Voter/AuthenticatedVoterTest.php @@ -17,12 +17,6 @@ use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface; class AuthenticatedVoterTest extends \PHPUnit_Framework_TestCase { - public function testSupportsClass() - { - $voter = new AuthenticatedVoter($this->getResolver()); - $this->assertTrue($voter->supportsClass('stdClass')); - } - /** * @dataProvider getVoteTests */ diff --git a/Core/Tests/Authorization/Voter/ExpressionVoterTest.php b/Core/Tests/Authorization/Voter/ExpressionVoterTest.php index dc8ea79..5296296 100644 --- a/Core/Tests/Authorization/Voter/ExpressionVoterTest.php +++ b/Core/Tests/Authorization/Voter/ExpressionVoterTest.php @@ -17,15 +17,6 @@ use Symfony\Component\Security\Core\Role\Role; class ExpressionVoterTest extends \PHPUnit_Framework_TestCase { - public function testSupportsAttribute() - { - $expression = $this->createExpression(); - $expressionLanguage = $this->getMock('Symfony\Component\Security\Core\Authorization\ExpressionLanguage'); - $voter = new ExpressionVoter($expressionLanguage, $this->createTrustResolver(), $this->createRoleHierarchy()); - - $this->assertTrue($voter->supportsAttribute($expression)); - } - /** * @dataProvider getVoteTests */ diff --git a/Core/Tests/Authorization/Voter/Fixtures/MyVoter.php b/Core/Tests/Authorization/Voter/Fixtures/MyVoter.php deleted file mode 100644 index b75f798..0000000 --- a/Core/Tests/Authorization/Voter/Fixtures/MyVoter.php +++ /dev/null @@ -1,27 +0,0 @@ -<?php - -namespace Symfony\Component\Security\Core\Tests\Authorization\Voter\Fixtures; - -use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; -use Symfony\Component\Security\Core\Authorization\Voter\AbstractVoter; - -/** - * @group legacy - */ -class MyVoter extends AbstractVoter -{ - protected function getSupportedClasses() - { - return array('stdClass'); - } - - protected function getSupportedAttributes() - { - return array('EDIT', 'CREATE'); - } - - protected function isGranted($attribute, $object, $user = null) - { - return 'EDIT' === $attribute; - } -} diff --git a/Core/Tests/Authorization/Voter/RoleVoterTest.php b/Core/Tests/Authorization/Voter/RoleVoterTest.php index c15e936..45535ca 100644 --- a/Core/Tests/Authorization/Voter/RoleVoterTest.php +++ b/Core/Tests/Authorization/Voter/RoleVoterTest.php @@ -17,13 +17,6 @@ use Symfony\Component\Security\Core\Role\Role; class RoleVoterTest extends \PHPUnit_Framework_TestCase { - public function testSupportsClass() - { - $voter = new RoleVoter(); - - $this->assertTrue($voter->supportsClass('Foo')); - } - /** * @dataProvider getVoteTests */ diff --git a/Core/Tests/LegacySecurityContextTest.php b/Core/Tests/LegacySecurityContextTest.php deleted file mode 100644 index 4502261..0000000 --- a/Core/Tests/LegacySecurityContextTest.php +++ /dev/null @@ -1,132 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Core\Tests; - -use Symfony\Component\Security\Core\Security; -use Symfony\Component\Security\Core\SecurityContext; -use Symfony\Component\Security\Core\SecurityContextInterface; - -/** - * @group legacy - */ -class LegacySecurityContextTest extends \PHPUnit_Framework_TestCase -{ - private $tokenStorage; - private $authorizationChecker; - private $securityContext; - - protected function setUp() - { - $this->tokenStorage = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface'); - $this->authorizationChecker = $this->getMock('Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface'); - $this->securityContext = new SecurityContext($this->tokenStorage, $this->authorizationChecker); - } - - public function testGetTokenDelegation() - { - $token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface'); - - $this->tokenStorage - ->expects($this->once()) - ->method('getToken') - ->will($this->returnValue($token)); - - $this->assertTrue($token === $this->securityContext->getToken()); - } - - public function testSetTokenDelegation() - { - $token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface'); - - $this->tokenStorage - ->expects($this->once()) - ->method('setToken') - ->with($token); - - $this->securityContext->setToken($token); - } - - /** - * @dataProvider isGrantedDelegationProvider - */ - public function testIsGrantedDelegation($attributes, $object, $return) - { - $this->authorizationChecker - ->expects($this->once()) - ->method('isGranted') - ->with($attributes, $object) - ->will($this->returnValue($return)); - - $this->assertEquals($return, $this->securityContext->isGranted($attributes, $object)); - } - - public function isGrantedDelegationProvider() - { - return array( - array(array(), new \stdClass(), true), - array(array('henk'), new \stdClass(), false), - array(null, new \stdClass(), false), - array('henk', null, true), - array(array(1), 'henk', true), - ); - } - - /** - * Test dedicated to check if the backwards compatibility is still working. - */ - public function testOldConstructorSignature() - { - $authenticationManager = $this->getMock('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface'); - $accessDecisionManager = $this->getMock('Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface'); - new SecurityContext($authenticationManager, $accessDecisionManager); - } - - /** - * @dataProvider oldConstructorSignatureFailuresProvider - * @expectedException \BadMethodCallException - */ - public function testOldConstructorSignatureFailures($first, $second) - { - new SecurityContext($first, $second); - } - - public function oldConstructorSignatureFailuresProvider() - { - $tokenStorage = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface'); - $authorizationChecker = $this->getMock('Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface'); - $authenticationManager = $this->getMock('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface'); - $accessDecisionManager = $this->getMock('Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface'); - - return array( - array(new \stdClass(), new \stdClass()), - array($tokenStorage, $accessDecisionManager), - array($accessDecisionManager, $tokenStorage), - array($authorizationChecker, $accessDecisionManager), - array($accessDecisionManager, $authorizationChecker), - array($tokenStorage, $accessDecisionManager), - array($authenticationManager, $authorizationChecker), - array('henk', 'hans'), - array(null, false), - array(true, null), - ); - } - - /** - * Test if the BC Layer is working as intended. - */ - public function testConstantSync() - { - $this->assertSame(Security::ACCESS_DENIED_ERROR, SecurityContextInterface::ACCESS_DENIED_ERROR); - $this->assertSame(Security::AUTHENTICATION_ERROR, SecurityContextInterface::AUTHENTICATION_ERROR); - $this->assertSame(Security::LAST_USERNAME, SecurityContextInterface::LAST_USERNAME); - } -} diff --git a/Core/Tests/User/LdapUserProviderTest.php b/Core/Tests/User/LdapUserProviderTest.php index 9b126e9..b942e76 100644 --- a/Core/Tests/User/LdapUserProviderTest.php +++ b/Core/Tests/User/LdapUserProviderTest.php @@ -11,6 +11,10 @@ namespace Symfony\Component\Security\Core\Tests\User; +use Symfony\Component\Ldap\Adapter\CollectionInterface; +use Symfony\Component\Ldap\Adapter\QueryInterface; +use Symfony\Component\Ldap\Entry; +use Symfony\Component\Ldap\LdapInterface; use Symfony\Component\Security\Core\User\LdapUserProvider; use Symfony\Component\Ldap\Exception\ConnectionException; @@ -24,7 +28,7 @@ class LdapUserProviderTest extends \PHPUnit_Framework_TestCase */ public function testLoadUserByUsernameFailsIfCantConnectToLdap() { - $ldap = $this->getMock('Symfony\Component\Ldap\LdapClientInterface'); + $ldap = $this->getMock(LdapInterface::class); $ldap ->expects($this->once()) ->method('bind') @@ -40,12 +44,29 @@ class LdapUserProviderTest extends \PHPUnit_Framework_TestCase */ public function testLoadUserByUsernameFailsIfNoLdapEntries() { - $ldap = $this->getMock('Symfony\Component\Ldap\LdapClientInterface'); + $result = $this->getMock(CollectionInterface::class); + $query = $this->getMock(QueryInterface::class); + $query + ->expects($this->once()) + ->method('execute') + ->will($this->returnValue($result)) + ; + $result + ->expects($this->once()) + ->method('count') + ->will($this->returnValue(0)) + ; + $ldap = $this->getMock(LdapInterface::class); $ldap ->expects($this->once()) ->method('escape') ->will($this->returnValue('foo')) ; + $ldap + ->expects($this->once()) + ->method('query') + ->will($this->returnValue($query)) + ; $provider = new LdapUserProvider($ldap, 'ou=MyBusiness,dc=symfony,dc=com'); $provider->loadUserByUsername('foo'); @@ -56,7 +77,19 @@ class LdapUserProviderTest extends \PHPUnit_Framework_TestCase */ public function testLoadUserByUsernameFailsIfMoreThanOneLdapEntry() { - $ldap = $this->getMock('Symfony\Component\Ldap\LdapClientInterface'); + $result = $this->getMock(CollectionInterface::class); + $query = $this->getMock(QueryInterface::class); + $query + ->expects($this->once()) + ->method('execute') + ->will($this->returnValue($result)) + ; + $result + ->expects($this->once()) + ->method('count') + ->will($this->returnValue(2)) + ; + $ldap = $this->getMock(LdapInterface::class); $ldap ->expects($this->once()) ->method('escape') @@ -64,21 +97,42 @@ class LdapUserProviderTest extends \PHPUnit_Framework_TestCase ; $ldap ->expects($this->once()) - ->method('find') - ->will($this->returnValue(array( - array(), - array(), - 'count' => 2, - ))) + ->method('query') + ->will($this->returnValue($query)) ; $provider = new LdapUserProvider($ldap, 'ou=MyBusiness,dc=symfony,dc=com'); $provider->loadUserByUsername('foo'); } - public function testSuccessfulLoadUserByUsername() + /** + * @expectedException \Symfony\Component\Security\Core\Exception\InvalidArgumentException + */ + public function testLoadUserByUsernameFailsIfMoreThanOneLdapPasswordsInEntry() { - $ldap = $this->getMock('Symfony\Component\Ldap\LdapClientInterface'); + $result = $this->getMock(CollectionInterface::class); + $query = $this->getMock(QueryInterface::class); + $query + ->expects($this->once()) + ->method('execute') + ->will($this->returnValue($result)) + ; + $ldap = $this->getMock(LdapInterface::class); + $result + ->expects($this->once()) + ->method('offsetGet') + ->with(0) + ->will($this->returnValue(new Entry('foo', array( + 'sAMAccountName' => array('foo'), + 'userpassword' => array('bar', 'baz'), + ) + ))) + ; + $result + ->expects($this->once()) + ->method('count') + ->will($this->returnValue(1)) + ; $ldap ->expects($this->once()) ->method('escape') @@ -86,15 +140,96 @@ class LdapUserProviderTest extends \PHPUnit_Framework_TestCase ; $ldap ->expects($this->once()) - ->method('find') - ->will($this->returnValue(array( - array( - 'sAMAccountName' => 'foo', - 'userpassword' => 'bar', - ), - 'count' => 1, + ->method('query') + ->will($this->returnValue($query)) + ; + + $provider = new LdapUserProvider($ldap, 'ou=MyBusiness,dc=symfony,dc=com', null, null, array(), 'sAMAccountName', '({uid_key}={username})', 'userpassword'); + $this->assertInstanceOf( + 'Symfony\Component\Security\Core\User\User', + $provider->loadUserByUsername('foo') + ); + } + + /** + * @expectedException \Symfony\Component\Security\Core\Exception\InvalidArgumentException + */ + public function testLoadUserByUsernameFailsIfEntryHasNoPasswordAttribute() + { + $result = $this->getMock(CollectionInterface::class); + $query = $this->getMock(QueryInterface::class); + $query + ->expects($this->once()) + ->method('execute') + ->will($this->returnValue($result)) + ; + $ldap = $this->getMock(LdapInterface::class); + $result + ->expects($this->once()) + ->method('offsetGet') + ->with(0) + ->will($this->returnValue(new Entry('foo', array( + 'sAMAccountName' => array('foo'), + ) ))) ; + $result + ->expects($this->once()) + ->method('count') + ->will($this->returnValue(1)) + ; + $ldap + ->expects($this->once()) + ->method('escape') + ->will($this->returnValue('foo')) + ; + $ldap + ->expects($this->once()) + ->method('query') + ->will($this->returnValue($query)) + ; + + $provider = new LdapUserProvider($ldap, 'ou=MyBusiness,dc=symfony,dc=com', null, null, array(), 'sAMAccountName', '({uid_key}={username})', 'userpassword'); + $this->assertInstanceOf( + 'Symfony\Component\Security\Core\User\User', + $provider->loadUserByUsername('foo') + ); + } + + public function testLoadUserByUsernameIsSuccessfulWithoutPasswordAttribute() + { + $result = $this->getMock(CollectionInterface::class); + $query = $this->getMock(QueryInterface::class); + $query + ->expects($this->once()) + ->method('execute') + ->will($this->returnValue($result)) + ; + $ldap = $this->getMock(LdapInterface::class); + $result + ->expects($this->once()) + ->method('offsetGet') + ->with(0) + ->will($this->returnValue(new Entry('foo', array( + 'sAMAccountName' => array('foo'), + ) + ))) + ; + $result + ->expects($this->once()) + ->method('count') + ->will($this->returnValue(1)) + ; + $ldap + ->expects($this->once()) + ->method('escape') + ->will($this->returnValue('foo')) + ; + $ldap + ->expects($this->once()) + ->method('query') + ->will($this->returnValue($query)) + ; $provider = new LdapUserProvider($ldap, 'ou=MyBusiness,dc=symfony,dc=com'); $this->assertInstanceOf( @@ -102,4 +237,47 @@ class LdapUserProviderTest extends \PHPUnit_Framework_TestCase $provider->loadUserByUsername('foo') ); } + + public function testLoadUserByUsernameIsSuccessfulWithPasswordAttribute() + { + $result = $this->getMock(CollectionInterface::class); + $query = $this->getMock(QueryInterface::class); + $query + ->expects($this->once()) + ->method('execute') + ->will($this->returnValue($result)) + ; + $ldap = $this->getMock(LdapInterface::class); + $result + ->expects($this->once()) + ->method('offsetGet') + ->with(0) + ->will($this->returnValue(new Entry('foo', array( + 'sAMAccountName' => array('foo'), + 'userpassword' => array('bar'), + ) + ))) + ; + $result + ->expects($this->once()) + ->method('count') + ->will($this->returnValue(1)) + ; + $ldap + ->expects($this->once()) + ->method('escape') + ->will($this->returnValue('foo')) + ; + $ldap + ->expects($this->once()) + ->method('query') + ->will($this->returnValue($query)) + ; + + $provider = new LdapUserProvider($ldap, 'ou=MyBusiness,dc=symfony,dc=com', null, null, array(), 'sAMAccountName', '({uid_key}={username})', 'userpassword'); + $this->assertInstanceOf( + 'Symfony\Component\Security\Core\User\User', + $provider->loadUserByUsername('foo') + ); + } } diff --git a/Core/Tests/Util/ClassUtilsTest.php b/Core/Tests/Util/ClassUtilsTest.php deleted file mode 100644 index b048206..0000000 --- a/Core/Tests/Util/ClassUtilsTest.php +++ /dev/null @@ -1,53 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Core\Tests\Util -{ - use Symfony\Component\Security\Core\Util\ClassUtils; - - /** - * @group legacy - */ - class ClassUtilsTest extends \PHPUnit_Framework_TestCase - { - public static function dataGetClass() - { - return array( - array('stdClass', 'stdClass'), - array('Symfony\Component\Security\Core\Util\ClassUtils', 'Symfony\Component\Security\Core\Util\ClassUtils'), - array('MyProject\Proxies\__CG__\stdClass', 'stdClass'), - array('MyProject\Proxies\__CG__\OtherProject\Proxies\__CG__\stdClass', 'stdClass'), - array('MyProject\Proxies\__CG__\Symfony\Component\Security\Core\Tests\Util\ChildObject', 'Symfony\Component\Security\Core\Tests\Util\ChildObject'), - array(new TestObject(), 'Symfony\Component\Security\Core\Tests\Util\TestObject'), - array(new \Acme\DemoBundle\Proxy\__CG__\Symfony\Component\Security\Core\Tests\Util\TestObject(), 'Symfony\Component\Security\Core\Tests\Util\TestObject'), - ); - } - - /** - * @dataProvider dataGetClass - */ - public function testGetRealClass($object, $expectedClassName) - { - $this->assertEquals($expectedClassName, ClassUtils::getRealClass($object)); - } - } - - class TestObject - { - } -} - -namespace Acme\DemoBundle\Proxy\__CG__\Symfony\Component\Security\Core\Tests\Util -{ - class TestObject extends \Symfony\Component\Security\Core\Tests\Util\TestObject - { - } -} diff --git a/Core/Tests/Util/StringUtilsTest.php b/Core/Tests/Util/StringUtilsTest.php deleted file mode 100644 index 78d9b05..0000000 --- a/Core/Tests/Util/StringUtilsTest.php +++ /dev/null @@ -1,63 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Core\Tests\Util; - -use Symfony\Component\Security\Core\Util\StringUtils; - -/** - * Data from PHP.net's hash_equals tests. - * - * @group legacy - */ -class StringUtilsTest extends \PHPUnit_Framework_TestCase -{ - public function dataProviderTrue() - { - return array( - array('same', 'same'), - array('', ''), - array(123, 123), - array(null, ''), - array(null, null), - ); - } - - public function dataProviderFalse() - { - return array( - array('not1same', 'not2same'), - array('short', 'longer'), - array('longer', 'short'), - array('', 'notempty'), - array('notempty', ''), - array(123, 'NaN'), - array('NaN', 123), - array(null, 123), - ); - } - - /** - * @dataProvider dataProviderTrue - */ - public function testEqualsTrue($known, $user) - { - $this->assertTrue(StringUtils::equals($known, $user)); - } - - /** - * @dataProvider dataProviderFalse - */ - public function testEqualsFalse($known, $user) - { - $this->assertFalse(StringUtils::equals($known, $user)); - } -} diff --git a/Core/Tests/Validator/Constraints/LegacyUserPasswordValidatorTest.php b/Core/Tests/Validator/Constraints/LegacyUserPasswordValidatorTest.php deleted file mode 100644 index f7da8c0..0000000 --- a/Core/Tests/Validator/Constraints/LegacyUserPasswordValidatorTest.php +++ /dev/null @@ -1,26 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Core\Tests\Validator\Constraints; - -use Symfony\Component\Validator\Validation; - -/** - * @author Bernhard Schussek <bschussek@gmail.com> - * @group legacy - */ -class LegacyUserPasswordValidatorTest extends UserPasswordValidatorTest -{ - protected function getApiVersion() - { - return Validation::API_VERSION_2_5_BC; - } -} diff --git a/Core/User/LdapUserProvider.php b/Core/User/LdapUserProvider.php index 1593564..fc42419 100644 --- a/Core/User/LdapUserProvider.php +++ b/Core/User/LdapUserProvider.php @@ -11,10 +11,12 @@ namespace Symfony\Component\Security\Core\User; +use Symfony\Component\Ldap\Entry; +use Symfony\Component\Security\Core\Exception\InvalidArgumentException; use Symfony\Component\Security\Core\Exception\UnsupportedUserException; use Symfony\Component\Security\Core\Exception\UsernameNotFoundException; use Symfony\Component\Ldap\Exception\ConnectionException; -use Symfony\Component\Ldap\LdapClientInterface; +use Symfony\Component\Ldap\LdapInterface; /** * LdapUserProvider is a simple user provider on top of ldap. @@ -30,17 +32,19 @@ class LdapUserProvider implements UserProviderInterface private $searchPassword; private $defaultRoles; private $defaultSearch; + private $passwordAttribute; /** - * @param LdapClientInterface $ldap - * @param string $baseDn - * @param string $searchDn - * @param string $searchPassword - * @param array $defaultRoles - * @param string $uidKey - * @param string $filter + * @param LdapInterface $ldap + * @param string $baseDn + * @param string $searchDn + * @param string $searchPassword + * @param array $defaultRoles + * @param string $uidKey + * @param string $filter + * @param string $passwordAttribute */ - public function __construct(LdapClientInterface $ldap, $baseDn, $searchDn = null, $searchPassword = null, array $defaultRoles = array(), $uidKey = 'sAMAccountName', $filter = '({uid_key}={username})') + public function __construct(LdapInterface $ldap, $baseDn, $searchDn = null, $searchPassword = null, array $defaultRoles = array(), $uidKey = 'sAMAccountName', $filter = '({uid_key}={username})', $passwordAttribute = null) { $this->ldap = $ldap; $this->baseDn = $baseDn; @@ -48,6 +52,7 @@ class LdapUserProvider implements UserProviderInterface $this->searchPassword = $searchPassword; $this->defaultRoles = $defaultRoles; $this->defaultSearch = str_replace('{uid_key}', $uidKey, $filter); + $this->passwordAttribute = $passwordAttribute; } /** @@ -57,33 +62,25 @@ class LdapUserProvider implements UserProviderInterface { try { $this->ldap->bind($this->searchDn, $this->searchPassword); - $username = $this->ldap->escape($username, '', LDAP_ESCAPE_FILTER); + $username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_FILTER); $query = str_replace('{username}', $username, $this->defaultSearch); - $search = $this->ldap->find($this->baseDn, $query); + $search = $this->ldap->query($this->baseDn, $query); } catch (ConnectionException $e) { throw new UsernameNotFoundException(sprintf('User "%s" not found.', $username), 0, $e); } - if (!$search) { + $entries = $search->execute(); + $count = count($entries); + + if (!$count) { throw new UsernameNotFoundException(sprintf('User "%s" not found.', $username)); } - if ($search['count'] > 1) { + if ($count > 1) { throw new UsernameNotFoundException('More than one user found'); } - $user = $search[0]; - - return $this->loadUser($username, $user); - } - - public function loadUser($username, $user) - { - $password = isset($user['userpassword']) ? $user['userpassword'] : null; - - $roles = $this->defaultRoles; - - return new User($username, $password, $roles); + return $this->loadUser($username, $entries[0]); } /** @@ -105,4 +102,43 @@ class LdapUserProvider implements UserProviderInterface { return $class === 'Symfony\Component\Security\Core\User\User'; } + + /** + * Loads a user from an LDAP entry. + * + * @param string $username + * @param Entry $entry + * + * @return User + */ + protected function loadUser($username, Entry $entry) + { + $password = $this->getPassword($entry); + + return new User($username, $password, $this->defaultRoles); + } + + /** + * Fetches the password from an LDAP entry. + * + * @param null|Entry $entry + */ + private function getPassword(Entry $entry) + { + if (null === $this->passwordAttribute) { + return; + } + + if (!$entry->hasAttribute($this->passwordAttribute)) { + throw new InvalidArgumentException(sprintf('Missing attribute "%s" for user "%s".', $this->passwordAttribute, $entry->getDn())); + } + + $values = $entry->getAttribute($this->passwordAttribute); + + if (1 !== count($values)) { + throw new InvalidArgumentException(sprintf('Attribute "%s" has multiple values.', $this->passwordAttribute)); + } + + return $values[0]; + } } diff --git a/Core/Util/ClassUtils.php b/Core/Util/ClassUtils.php deleted file mode 100644 index 06186ef..0000000 --- a/Core/Util/ClassUtils.php +++ /dev/null @@ -1,72 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Core\Util; - -use Symfony\Component\Security\Acl\Util\ClassUtils as AclClassUtils; - -@trigger_error('The '.__NAMESPACE__.'\ClassUtils class is deprecated since version 2.8, to be removed in 3.0. Use Symfony\Component\Security\Acl\Util\ClassUtils instead.', E_USER_DEPRECATED); - -/** - * Class related functionality for objects that - * might or might not be proxy objects at the moment. - * - * @deprecated ClassUtils is deprecated since version 2.8, to be removed in 3.0. Use Acl ClassUtils instead. - * - * @author Benjamin Eberlei <kontakt@beberlei.de> - * @author Johannes Schmitt <schmittjoh@gmail.com> - */ -class ClassUtils -{ - /** - * Marker for Proxy class names. - * - * @var string - */ - const MARKER = '__CG__'; - - /** - * Length of the proxy marker. - * - * @var int - */ - const MARKER_LENGTH = 6; - - /** - * This class should not be instantiated. - */ - private function __construct() - { - } - - /** - * Gets the real class name of a class name that could be a proxy. - * - * @param string|object $object - * - * @return string - */ - public static function getRealClass($object) - { - if (class_exists('Symfony\Component\Security\Acl\Util\ClassUtils')) { - return AclClassUtils::getRealClass($object); - } - - // fallback in case security-acl is not installed - $class = is_object($object) ? get_class($object) : $object; - - if (false === $pos = strrpos($class, '\\'.self::MARKER.'\\')) { - return $class; - } - - return substr($class, $pos + self::MARKER_LENGTH + 2); - } -} diff --git a/Core/Util/SecureRandom.php b/Core/Util/SecureRandom.php deleted file mode 100644 index 06ed893..0000000 --- a/Core/Util/SecureRandom.php +++ /dev/null @@ -1,33 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Core\Util; - -@trigger_error('The '.__NAMESPACE__.'\SecureRandom class is deprecated since version 2.8 and will be removed in 3.0. Use the random_bytes() function instead.', E_USER_DEPRECATED); - -/** - * A secure random number generator implementation. - * - * @author Fabien Potencier <fabien@symfony.com> - * @author Johannes M. Schmitt <schmittjoh@gmail.com> - * - * @deprecated since version 2.8, to be removed in 3.0. Use the random_bytes function instead - */ -final class SecureRandom implements SecureRandomInterface -{ - /** - * {@inheritdoc} - */ - public function nextBytes($nbBytes) - { - return random_bytes($nbBytes); - } -} diff --git a/Core/Util/SecureRandomInterface.php b/Core/Util/SecureRandomInterface.php deleted file mode 100644 index df5509b..0000000 --- a/Core/Util/SecureRandomInterface.php +++ /dev/null @@ -1,31 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Core\Util; - -/** - * Interface that needs to be implemented by all secure random number generators. - * - * @author Fabien Potencier <fabien@symfony.com> - * - * @deprecated since version 2.8, to be removed in 3.0. Use the random_bytes function instead - */ -interface SecureRandomInterface -{ - /** - * Generates the specified number of secure random bytes. - * - * @param int $nbBytes - * - * @return string - */ - public function nextBytes($nbBytes); -} diff --git a/Core/Util/StringUtils.php b/Core/Util/StringUtils.php deleted file mode 100644 index bb0c8b2..0000000 --- a/Core/Util/StringUtils.php +++ /dev/null @@ -1,70 +0,0 @@ -<?php - -/* - * This file is part of the Symfony package. - * - * (c) Fabien Potencier <fabien@symfony.com> - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Symfony\Component\Security\Core\Util; - -@trigger_error('The '.__NAMESPACE__.'\\StringUtils class is deprecated since version 2.8 and will be removed in 3.0. Use hash_equals() instead.', E_USER_DEPRECATED); - -use Symfony\Polyfill\Util\Binary; - -/** - * String utility functions. - * - * @author Fabien Potencier <fabien@symfony.com> - * - * @deprecated since 2.8, to be removed in 3.0. - */ -class StringUtils -{ - /** - * This class should not be instantiated. - */ - private function __construct() - { - } - - /** - * Compares two strings. - * - * This method implements a constant-time algorithm to compare strings. - * Regardless of the used implementation, it will leak length information. - * - * @param string $knownString The string of known length to compare against - * @param string $userInput The string that the user can control - * - * @return bool true if the two strings are the same, false otherwise - */ - public static function equals($knownString, $userInput) - { - // Avoid making unnecessary duplications of secret data - if (!is_string($knownString)) { - $knownString = (string) $knownString; - } - - if (!is_string($userInput)) { - $userInput = (string) $userInput; - } - - return hash_equals($knownString, $userInput); - } - - /** - * Returns the number of bytes in a string. - * - * @param string $string The string whose length we wish to obtain - * - * @return int - */ - public static function safeStrlen($string) - { - return Binary::strlen($string); - } -} diff --git a/Core/composer.json b/Core/composer.json index 3362971..e2915b0 100644 --- a/Core/composer.json +++ b/Core/composer.json @@ -16,18 +16,16 @@ } ], "require": { - "php": ">=5.3.9", - "symfony/polyfill-php55": "~1.0", + "php": ">=5.5.9", "symfony/polyfill-php56": "~1.0", - "symfony/polyfill-php70": "~1.0", "symfony/polyfill-util": "~1.0" }, "require-dev": { - "symfony/event-dispatcher": "~2.1|~3.0.0", - "symfony/expression-language": "~2.6|~3.0.0", - "symfony/http-foundation": "~2.4|~3.0.0", - "symfony/ldap": "~2.8|~3.0.0", - "symfony/validator": "~2.5,>=2.5.9|~3.0.0", + "symfony/event-dispatcher": "~2.8|~3.0", + "symfony/expression-language": "~2.8|~3.0", + "symfony/http-foundation": "~2.8|~3.0", + "symfony/ldap": "~3.1", + "symfony/validator": "~2.8|~3.0", "psr/log": "~1.0" }, "suggest": { @@ -46,7 +44,7 @@ "minimum-stability": "dev", "extra": { "branch-alias": { - "dev-master": "2.8-dev" + "dev-master": "3.1-dev" } } } |