[Security] Deprecate the old authentication mechanisms

symfony · fabpot · May 19, 2021 · May 9, 2021 · May 18, 2021 · 0bb3964a2d32ee5b354c1ed6a9e6a1c61e585a28
commit 0bb3964a2d32ee5b354c1ed6a9e6a1c61e585a28
diff --git a/UPGRADE-5.3.md b/UPGRADE-5.3.md
@@ -205,6 +205,15 @@ Security
  * Deprecate all classes in the `Core\Encoder\`  sub-namespace, use the `PasswordHasher` component instead
  * Deprecated voters that do not return a valid decision when calling the `vote` method
  * [BC break] Add optional array argument `$badges` to `UserAuthenticatorInterface::authenticateUser()`
+ * Deprecate `AuthenticationManagerInterface`, `AuthenticationProviderManager`, `AnonymousAuthenticationProvider`,
+   `AuthenticationProviderInterface`, `DaoAuthenticationProvider`, `LdapBindAuthenticationProvider`,
+   `PreAuthenticatedAuthenticationProvider`, `RememberMeAuthenticationProvider`, `UserAuthenticationProvider` and
+   `AuthenticationFailureEvent` from security-core, use the new authenticator system instead
+ * Deprecate `AbstractAuthenticationListener`, `AbstractPreAuthenticatedListener`, `AnonymousAuthenticationListener`,
+   `BasicAuthenticationListener`, `RememberMeListener`, `RemoteUserAuthenticationListener`,
+   `UsernamePasswordFormAuthenticationListener`, `UsernamePasswordJsonAuthenticationListener` and `X509AuthenticationListener`
+   from security-http, use the new authenticator system instead
+ * Deprecate the Guard component, use the new authenticator system instead
 
 SecurityBundle
 --------------
@@ -218,6 +227,10 @@ SecurityBundle
  * Deprecate the `security.user_password_encoder.generic` service, the `security.password_encoder` and the `Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface` aliases,
    use `security.user_password_hasher`, `security.password_hasher` and `Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface` instead
  * Deprecate the public `security.authorization_checker` and `security.token_storage` services to private
+ * Not setting the `enable_authenticator_manager` config option to `true` is deprecated
+ * Deprecate the `security.authentication.provider.*` services, use the new authenticator system instead
+ * Deprecate the `security.authentication.listener.*` services, use the new authenticator system instead
+ * Deprecate the Guard component integration, use the new authenticator system instead
 
 Serializer
 ----------

diff --git a/UPGRADE-6.0.md b/UPGRADE-6.0.md
@@ -293,6 +293,15 @@ Security
    `DefaultAuthenticationSuccessHandler`.
  * Removed the `AbstractRememberMeServices::$providerKey` property in favor of `AbstractRememberMeServices::$firewallName`
  * `AccessDecisionManager` now throw an exception when a voter does not return a valid decision.
+ * Remove `AuthenticationManagerInterface`, `AuthenticationProviderManager`, `AnonymousAuthenticationProvider`,
+   `AuthenticationProviderInterface`, `DaoAuthenticationProvider`, `LdapBindAuthenticationProvider`,
+   `PreAuthenticatedAuthenticationProvider`, `RememberMeAuthenticationProvider`, `UserAuthenticationProvider` and
+   `AuthenticationFailureEvent` from security-core, use the new authenticator system instead
+ * Remove `AbstractAuthenticationListener`, `AbstractPreAuthenticatedListener`, `AnonymousAuthenticationListener`,
+   `BasicAuthenticationListener`, `RememberMeListener`, `RemoteUserAuthenticationListener`,
+   `UsernamePasswordFormAuthenticationListener`, `UsernamePasswordJsonAuthenticationListener` and `X509AuthenticationListener`
+   from security-http, use the new authenticator system instead
+ * Remove the Guard component, use the new authenticator system instead
 
 SecurityBundle
 --------------
@@ -304,6 +313,10 @@ SecurityBundle
  * Remove the `security.user_password_encoder.generic` service, the `security.password_encoder` and the `Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface` aliases,
    use `security.user_password_hasher`, `security.password_hasher` and `Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface` instead
  * The `security.authorization_checker` and `security.token_storage` services are now private
+ * Not setting the `enable_authenticator_manager` option to `true` now throws an exception
+ * Remove the `security.authentication.provider.*` services, use the new authenticator system instead
+ * Remove the `security.authentication.listener.*` services, use the new authenticator system instead
+ * Remove the Guard component integration, use the new authenticator system instead
 
 Serializer
 ----------

diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/Security/config.yml b/src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/Security/config.yml
@@ -8,6 +8,8 @@ services:
             - container.service_subscriber
 
 security:
+    enable_authenticator_manager: true
+
     providers:
         main:
             memory:
@@ -30,3 +32,6 @@ security:
             form_login:
                 check_path: /custom/login/check
             provider: custom
+
+    access_control:
+        - { path: '^/main/user_profile$', roles: IS_AUTHENTICATED_FULLY }
diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -17,6 +17,10 @@ CHANGELOG
  * Deprecate the `security.user_password_encoder.generic` service, the `security.password_encoder` and the `Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface` aliases,
    use `security.user_password_hasher`, `security.password_hasher` and `Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface` instead
  * Deprecate the public `security.authorization_checker` and `security.token_storage` services to private
+ * Not setting the `enable_authenticator_manager` config option to `true` is deprecated
+ * Deprecate the `security.authentication.provider.*` services, use the new authenticator system instead
+ * Deprecate the `security.authentication.listener.*` services, use the new authenticator system instead
+ * Deprecate the Guard component integration, use the new authenticator system instead
 
 5.2.0
 -----

diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AnonymousFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AnonymousFactory.php
@@ -21,6 +21,8 @@
  * @author Wouter de Jong <wouter@wouterj.nl>
  *
  * @internal
+ *
+ * @deprecated since Symfony 5.3, use the new authenticator system instead
  */
 class AnonymousFactory implements SecurityFactoryInterface, AuthenticatorFactoryInterface
 {

diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -130,6 +130,8 @@ public function load(array $configs, ContainerBuilder $container)
             $container->getDefinition('security.authorization_checker')->setArgument(4, false);
             $container->getDefinition('security.authorization_checker')->setArgument(5, false);
         } else {
+            trigger_deprecation('symfony/security-bundle', '5.3', 'Not setting the "security.enable_authenticator_manager" config option to true is deprecated.');
+
             $loader->load('security_legacy.php');
         }
 

diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/guard.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/guard.php
@@ -24,8 +24,10 @@
                 abstract_arg('stateless firewall keys'),
             ])
             ->call('setSessionAuthenticationStrategy', [service('security.authentication.session_strategy')])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->alias(GuardAuthenticatorHandler::class, 'security.authentication.guard_handler')
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%alias_id%" alias is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.provider.guard', GuardAuthenticationProvider::class)
             ->abstract()
@@ -36,6 +38,7 @@
                 abstract_arg('User Checker'),
                 service('security.password_hasher'),
             ])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.listener.guard', GuardAuthenticationListener::class)
             ->abstract()
@@ -48,5 +51,6 @@
                 param('security.authentication.hide_user_not_found'),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
     ;
 };
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator.php
@@ -62,6 +62,7 @@
 
         ->set('security.authentication.manager', NoopAuthenticationManager::class)
         ->alias(AuthenticationManagerInterface::class, 'security.authentication.manager')
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%a
10000
lias_id%" alias is deprecated, use the new authenticator system instead.')
 
         ->set('security.firewall.authenticator', AuthenticatorManagerListener::class)
             ->abstract()

diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_login_link.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_login_link.php
@@ -73,6 +73,6 @@
                 service('doctrine'),
                 abstract_arg('user entity class name'),
             ])
-
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
     ;
 };
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.php
@@ -49,9 +49,11 @@
                 service('security.authentication.manager'),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.provider.anonymous', AnonymousAuthenticationProvider::class)
             ->args([abstract_arg('Key')])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.retry_entry_point', RetryAuthenticationEntryPoint::class)
             ->args([
@@ -161,6 +163,7 @@
         ->set('security.authentication.listener.form', UsernamePasswordFormAuthenticationListener::class)
             ->parent('security.authentication.listener.abstract')
             ->abstract()
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.listener.x509', X509AuthenticationListener::class)
             ->abstract()
@@ -174,6 +177,7 @@
                 service('event_dispatcher')->nullOnInvalid(),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.listener.json', UsernamePasswordJsonAuthenticationListener::class)
             ->abstract()
@@ -191,6 +195,7 @@
             ])
             ->call('setTranslator', [service('translator')->ignoreOnInvalid()])
             ->tag('monolog.logger', ['channel' => 'security'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.listener.remote_user', RemoteUserAuthenticationListener::class)
             ->abstract()
@@ -203,6 +208,7 @@
                 service('event_dispatcher')->nullOnInvalid(),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.listener.basic', BasicAuthenticationListener::class)
             ->abstract()
@@ -214,6 +220,7 @@
                 service('logger')->nullOnInvalid(),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.provider.dao', DaoAuthenticationProvider::class)
             ->abstract()
@@ -224,6 +231,7 @@
                 service('security.password_hasher_factory'),
                 param('security.authentication.hide_user_not_found'),
             ])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.provider.ldap_bind', LdapBindAuthenticationProvider::class)
             ->abstract()
@@ -237,13 +245,15 @@
                 abstract_arg('search dn'),
                 abstract_arg('search password'),
             ])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.provider.pre_authenticated', PreAuthenticatedAuthenticationProvider::class)
             ->abstract()
             ->args([
                 abstract_arg('User Provider'),
                 abstract_arg('UserChecker'),
             ])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.exception_listener', ExceptionListener::class)
             ->abstract()

diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_rememberme.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_rememberme.php
@@ -32,10 +32,12 @@
                 service('security.authentication.session_strategy'),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.provider.rememberme', RememberMeAuthenticationProvider::class)
             ->abstract()
             ->args([abstract_arg('User Checker')])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.rememberme.token.provider.in_memory', InMemoryTokenProvider::class)
 

diff --git a/.../SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php b/.../SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php
@@ -139,6 +139,7 @@ private function createContainer($sessionStorageOptions)
 
         $config = [
             'security' => [
+                'enable_authenticator_manager' => true,
                 'providers' => ['some_provider' => ['id' => 'foo']],
                 'firewalls' => ['some_firewall' => ['security' => false]],
             ],

diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
@@ -127,6 +127,127 @@ public function testFirewalls()
         $configs[0][2] = strtolower($configs[0][2]);
         $configs[2][2] = strtolower($configs[2][2]);
 
+        $this->assertEquals([
+            [
+                'simple',
+                'security.user_checker',
+                '.security.request_matcher.xmi9dcw',
+                false,
+                false,
+                '',
+                '',
+                '',
+                '',
+                '',
+                [],
+                null,
+            ],
+            [
+                'secure',
+                'security.user_checker',
+                null,
+                true,
+                true,
+                'security.user.provider.concrete.default',
+                null,
+                'security.authenticator.form_login.secure',
+                null,
+                null,
+                [
+                    'switch_user',
+                    'x509',
+                    'remote_user',
+                    'form_login',
+                    'http_basic',
+                    'remember_me',
+                ],
+                [
+                    'parameter' => '_switch_user',
+                    'role' => 'ROLE_ALLOWED_TO_SWITCH',
+                ],
+            ],
+            [
+                'host',
+                'security.user_checker',
+                '.security.request_matcher.iw4hyjb',
+                true,
+                false,
+                'security.user.provider.concrete.default',
+                'host',
+                'security.authenticator.http_basic.host',
+                null,
+                null,
+                [
+                    'http_basic',
+                ],
+                null,
+            ],
+            [
+                'with_user_checker',
+                'app.user_checker',
+                null,
+                true,
+                false,
+                'security.user.provider.concrete.default',
+                'with_user_checker',
+                'security.authenticator.http_basic.with_user_checker',
+                null,
+                null,
+                [
+                    'http_basic',
+                ],
+                null,
+            ],
+        ], $configs);
+
+        $this->assertEquals([
+            [],
+            [
+                'security.channel_listener',
+                'security.firewall.authenticator.secure',
+                'security.authentication.switchuser_listener.secure',
+                'security.access_listener',
+            ],
+            [
+                'security.channel_listener',
+                'security.context_listener.0',
+                'security.firewall.authenticator.host',
+                'security.access_listener',
+            ],
+            [
+                'security.channel_listener',
+                'security.context_listener.1',
+                'security.firewall.authenticator.with_user_checker',
+                'security.access_listener',
+            ],
+        ], $listeners);
+
+        $this->assertFalse($container->hasAlias('Symfony\Component\Security\Core\User\UserCheckerInterface', 'No user checker alias is registered when custom user checker services are registered'));
+    }
+
+    /**
+     * @group legacy
+     */
+    public function testLegacyFirewalls()
+    {
+        $container = $this->getContainer('legacy_container1');
+        $arguments = $container->getDefinition('security.firewall.map')->getArguments();
+        $listeners = [];
+        $configs = [];
+        foreach (array_keys($arguments[1]->getValues()) as $contextId) {
+            $contextDef = $container->getDefinition($contextId);
+            $arguments = $contextDef->getArguments();
+            $listeners[] = array_map('strval', $arguments[0]->getValues());
+
+            $configDef = $container->getDefinition((string) $arguments[3]);
+            $configs[] = array_values($configDef->getArguments());
+        }
+
+        // the IDs of the services are case sensitive or insensitive depending on
+        // the Symfony version. Transform them to lowercase to simplify tests.
+        $configs[0][2] = strtolower($configs[0][2]);
+        $configs[2][2] = strtolower($configs[2][2]);
+
         $this->assertEquals([
             [
                 'simple',
@@ -881,15 +1002,21 @@ public function testHashersWithBCrypt()
         ]], $container->getDefinition('security.password_hasher_factory')->getArguments());
     }
 
-    public function testRememberMeThrowExceptionsDefault()
+    /**
+     * @group legacy
+     */
+    public function testLegacyRememberMeThrowExceptionsDefault()
     {
-        $container = $this->getContainer('container1');
+        $container = $this->getContainer('legacy_container1');
         $this->assertTrue($container->getDefinition('security.authentication.listener.rememberme.secure')->getArgument(5));
     }
 
-    public function testRememberMeThrowExceptions()
+    /**
+     * @group legacy
+     */
+    public function testLegacyRememberMeThrowExceptions()
     {
-        $container = $this->getContainer('remember_me_options');
+        $container = $this->getContainer('legacy_remember_me_options');
         $service = $container->getDefinition('security.authentication.listener.rememberme.main');
         $this->assertEquals('security.authentication.rememberme.services.persistent.main', $service->getArgument(1));
         $this->assertFalse($service->getArgument(5));

diff --git a/...ndle/Tests/DependencyInjection/Fixtures/php/access_decision_manager_customized_config.php b/...ndle/Tests/DependencyInjection/Fixtures/php/access_decision_manager_customized_config.php
@@ -1,6 +1,7 @@
 <?php
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'access_decision_manager' => [
         'allow_if_all_abstain' => true,
         'allow_if_equal_granted_denied' => false,