[Security] Deprecate UserInterface & TokenInterface's eraseCredentials()

Author: chalasr

UPGRADE-7.3.md

@@ -6,7 +6,23 @@ backward compatibility breaks. Minor backward compatibility breaks are prefixed
 `[BC BREAK]`, make sure your code is compatible with these entries before upgrading.
 Read more about this in the [Symfony documentation](https://symfony.com/doc/7.3/setup/upgrade_minor.html).
 
-If you're upgrading from a version below 7.1, follow the [7.2 upgrade guide](UPGRADE-7.2.md) first.
+If you're upgrading from a version below 7.2, follow the [7.2 upgrade guide](UPGRADE-7.2.md) first.
+
+Ldap
+----
+
+ * Deprecate `LdapUser::eraseCredentials()`, use `LdapUser::setPassword(null)` instead
+
+Security
+--------
+
+ * Deprecate `UserInterface::eraseCredentials()` and `TokenInterface::eraseCredentials()`,
+   use a dedicated DTO or erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead
+
+SecurityBundle
+--------------
+
+ * Deprecate the `erase_credentials` config option, erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead
 
 Console
 -------
@@ -109,3 +125,4 @@ VarDumper
 
  * Deprecate `ResourceCaster::castCurl()`, `ResourceCaster::castGd()` and `ResourceCaster::castOpensslX509()`
  * Mark all casters as `@internal`
+ * Deprecate the `CompiledClassMetadataFactory` and `CompiledClassMetadataCacheWarmer` classes

src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/CacheAttributeListener/config.yml

@@ -10,6 +10,7 @@ services:
         public: true
 
 security:
+    erase_credentials: false
     providers:
         main:
             memory:

src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/Security/config.yml

@@ -8,6 +8,7 @@ services:
             - container.service_subscriber
 
 security:
+    erase_credentials: false
     providers:
         main:
             memory:

src/Symfony/Bundle/SecurityBundle/CHANGELOG.md

@@ -6,6 +6,7 @@ CHANGELOG
 
  * Add `Security::isGrantedForUser()` to test user authorization without relying on the session. For example, users not currently logged in, or while processing a message from a message queue
  * Add encryption support to `OidcTokenHandler` (JWE)
+ * Deprecate the `erase_credentials` config option, erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead
 
 7.2
 ---

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LdapFactoryTrait.php

@@ -16,6 +16,7 @@
 use Symfony\Component\DependencyInjection\Definition;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\Ldap\Security\CheckLdapCredentialsListener;
+use Symfony\Component\Ldap\Security\EraseLdapUserCredentialsListener;
 use Symfony\Component\Ldap\Security\LdapAuthenticator;
 
 /**
@@ -42,6 +43,12 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
             ->addArgument(new Reference('security.ldap_locator'))
         ;
 
+        if (class_exists(EraseLdapUserCredentialsListener::class && !$container->getParameter('security.authentication.manager.erase_credentials'))) {
+            $container->setDefinition('security.listener.'.$key.'.'.$firewallName.'erase_ldap_credentials', new Definition(EraseLdapUserCredentialsListener::class))
+                ->addTag('kernel.event_subscriber', ['dispatcher' => 'security.event_dispatcher.'.$firewallName])
+            ;
+        }
+
         $ldapAuthenticatorId = 'security.authenticator.'.$key.'.'.$firewallName;
         $definition = $container->setDefinition($ldapAuthenticatorId, new Definition(LdapAuthenticator::class))
             ->setArguments([

src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php

@@ -135,6 +135,9 @@ public function load(array $configs, ContainerBuilder $container): void
 
         // set some global scalars
         $container->setParameter('security.access.denied_url', $config['access_denied_url']);
+        if (true === $config['erase_credentials']) {
+            trigger_deprecation('symfony/security-bundle', '7.3', 'Setting the "security.erase_credentials" config option to true is deprecated and won\'t have any effect in 8.0, set it to false instead and use your own erasing logic if needed.');
+        }
         $container->setParameter('security.authentication.manager.erase_credentials', $config['erase_credentials']);
         $container->setParameter('security.authentication.session_strategy.strategy', $config['session_fixation_strategy']);
 

src/Symfony/Bundle/SecurityBundle/Tests/Debug/TraceableFirewallListenerTest.php

@@ -103,7 +103,9 @@ public function testOnKernelRequestRecordsAuthenticatorsInfo()
             [new TraceableAuthenticator($notSupportingAuthenticator), new TraceableAuthenticator($supportingAuthenticator)],
             $tokenStorage,
             $dispatcher,
-            'main'
+            'main',
+            null,
+            false
         );
 
         $listener = new TraceableAuthenticatorManagerListener(new AuthenticatorManagerListener($authenticatorManager));

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php

@@ -139,6 +139,7 @@ private function createContainer($sessionStorageOptions)
 
         $config = [
             'security' => [
+                'erase_credentials' => false,
                 'providers' => ['some_provider' => ['id' => 'foo']],
                 'firewalls' => ['some_firewall' => ['security' => false]],
             ],

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/MakeFirewallsEventDispatcherTraceablePassTest.php

@@ -34,6 +34,7 @@ protected function setUp(): void
 
         $this->container->registerExtension(new SecurityExtension());
         $this->container->loadFromExtension('security', [
+            'erase_credentials' => false,
             'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
         ]);
 

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/RegisterGlobalSecurityEventListenersPassTest.php

@@ -56,6 +56,7 @@ protected function setUp(): void
     public function testEventIsPropagated(string $configuredEvent, string $registeredEvent)
     {
         $this->container->loadFromExtension('security', [
+            'erase_credentials' => false,
             'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
         ]);
 
@@ -89,6 +90,7 @@ public static function providePropagatedEvents(): array
     public function testRegisterCustomListener()
     {
         $this->container->loadFromExtension('security', [
+            'erase_credentials' => false,
             'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
         ]);
 
@@ -109,6 +111,7 @@ public function testRegisterCustomListener()
     public function testRegisterCustomSubscriber()
     {
         $this->container->loadFromExtension('security', [
+            'erase_credentials' => false,
             'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
         ]);
 
@@ -128,6 +131,7 @@ public function testRegisterCustomSubscriber()
     public function testMultipleFirewalls()
     {
         $this->container->loadFromExtension('security', [
+            'erase_credentials' => false,
             'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true], 'api' => ['pattern' => '/api', 'http_basic' => true]],
         ]);
 
@@ -157,6 +161,7 @@ public function testMultipleFirewalls()
     public function testListenerAlreadySpecific()
     {
         $this->container->loadFromExtension('security', [
+            'erase_credentials' => false,
             'firewalls' => ['main' => ['pattern' => '/', 'http_basic' => true]],
         ]);