Deprecat service "session"

jderusse · jderusse · commit 6584d0640535 · 2020-10-19T23:42:23.000+02:00
diff --git a/UPGRADE-5.2.md b/UPGRADE-5.2.md
@@ -16,6 +16,7 @@ FrameworkBundle
    used to be added by default to the seed, which is not the case anymore. This allows sharing caches between
    apps or different environments.
  * Deprecated the `lock.RESOURCE_NAME` and `lock.RESOURCE_NAME.store` services and the `lock`, `LockInterface`, `lock.store` and `PersistingStoreInterface` aliases, use `lock.RESOURCE_NAME.factory`, `lock.factory` or `LockFactory` instead.
+ * Deprecated the `session` service and the `SessionInterface` alias, use the `Request::getSession()` or the new `RequestStack::getSession()` methods instead.
 
 Form
 ----
@@ -125,3 +126,4 @@ Security
    `AbstractRememberMeServices::$firewallName`, the old property will be removed
    in 6.0.
 
+ * The `$session` constructor argument of `SessionTokenStorage` has been deprecated and replaced by the `$requestStack` one which expects an `RequestStack`.
diff --git a/UPGRADE-6.0.md b/UPGRADE-6.0.md
@@ -59,6 +59,7 @@ FrameworkBundle
  * The `form.factory`, `form.type.file`, `translator`, `security.csrf.token_manager`, `serializer`,
    `cache_clearer`, `filesystem` and `validator` services are now private.
  * Removed the `lock.RESOURCE_NAME` and `lock.RESOURCE_NAME.store` services and the `lock`, `LockInterface`, `lock.store` and `PersistingStoreInterface` aliases, use `lock.RESOURCE_NAME.factory`, `lock.factory` or `LockFactory` instead.
+ * Removed the `session` service and the `SessionInterface` alias, use the `Request::getSession()` or the new `RequestStack::getSession()` methods instead.
 
 HttpFoundation
 --------------
@@ -151,6 +152,7 @@ Security
    in `PreAuthenticatedToken`, `RememberMeToken`, `SwitchUserToken`, `UsernamePasswordToken`,
    `DefaultAuthenticationSuccessHandler`.
  * Removed the `AbstractRememberMeServices::$providerKey` property in favor of `AbstractRememberMeServices::$firewallName`
+ * The `$session` constructor argument of `SessionTokenStorage` has been replaced by the `$requestStack` one which expects an `RequestStack`  instead.
 
 TwigBundle
 ----------
diff --git a/src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md b/src/Symfony/Bundle/FrameworkBundle/CHANGELOG.md
@@ -15,6 +15,7 @@ CHANGELOG
  * added `assertFormValue()` and `assertNoFormValue()` in `WebTestCase`
  * Added "--as-tree=3" option to `translation:update` command to dump messages as a tree-like structure. The given value defines the level where to switch to inline YAML
  * Deprecated the `lock.RESOURCE_NAME` and `lock.RESOURCE_NAME.store` services and the `lock`, `LockInterface`, `lock.store` and `PersistingStoreInterface` aliases, use `lock.RESOURCE_NAME.factory`, `lock.factory` or `LockFactory` instead.
+ * Deprecated the `session` service and the `SessionInterface` alias, use the `Request::getSession()` or the new `RequestStack::getSession()` methods instead.
 
 5.1.0
 -----
diff --git a/src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php b/src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php
@@ -92,7 +92,7 @@ public static function getSubscribedServices()
             'request_stack' => '?'.RequestStack::class,
             'http_kernel' => '?'.HttpKernelInterface::class,
             'serializer' => '?'.SerializerInterface::class,
-            'session' => '?'.SessionInterface::class,
+            'session' => '?sessionDeprecatedDoNotUse',
             'security.authorization_checker' => '?'.AuthorizationCheckerInterface::class,
             'twig' => '?'.Environment::class,
             'doctrine' => '?'.ManagerRegistry::class,
@@ -199,11 +199,19 @@ protected function file($file, string $fileName = null, string $disposition = Re
      */
     protected function addFlash(string $type, $message): void
     {
-        if (!$this->container->has('session')) {
+        // BC for symfony/http-foundation < 5.2
+        if (method_exists($requestStack = $this->container->get('request_stack'), 'getSession')) {
+            $session = $requestStack->getSession();
+        } elseif ((null !== $request = $requestStack->getCurrentRequest()) && $request->hasSession()) {
+            $session = $request->getSession();
+        } else {
+            $session = null;
+        }
+        if (null === $session) {
             throw new \LogicException('You can not use the addFlash method if sessions are disabled. Enable them in "config/packages/framework.yaml".');
         }
 
-        $this->container->get('session')->getFlashBag()->add($type, $message);
+        $session->getFlashBag()->add($type, $message);
     }
 
     /**
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/SessionPass.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/SessionPass.php
@@ -22,16 +22,29 @@ class SessionPass implements CompilerPassInterface
 {
     public function process(ContainerBuilder $container)
     {
-        if (!$container->hasDefinition('session')) {
+        if (!$container->has('session')) {
             return;
         }
 
+        // BC layer: When user overrides the `session` service it's not an alias anymore.
+        if ($container->hasDefinition('session')) {
+            $definition = $container->getDefinition('session');
+            $definition->setDeprecated('symfony/framework-bundle', '5.2', 'The "%service_id%" service is deprecated, use "$requestStack->getSession()" instead.');
+
+            // Given `session` is not an alias to `.session.do-not-use` anymore,
+            // we make `.session.do-not-use` an alias of `session`.
+            $container->removeDefinition('.session.do-not-use');
+            $container->setAlias('.session.do-not-use', 'session');
+        } else {
+            $definition = $container->getDefinition('.session.do-not-use');
+        }
+
         $bags = [
             'session.flash_bag' => $container->hasDefinition('session.flash_bag') ? $container->getDefinition('session.flash_bag') : null,
             'session.attribute_bag' => $container->hasDefinition('session.attribute_bag') ? $container->getDefinition('session.attribute_bag') : null,
         ];
 
-        foreach ($container->getDefinition('session')->getArguments() as $v) {
+        foreach ($definition->getArguments() as $v) {
             if (!$v instanceof Reference || !isset($bags[$bag = (string) $v]) || !\is_array($factory = $bags[$bag]->getFactory())) {
                 continue;
             }
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -135,6 +135,7 @@
 use Symfony\Component\Routing\Loader\AnnotationFileLoader;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
+use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;
 use Symfony\Component\Serializer\Encoder\DecoderInterface;
 use Symfony\Component\Serializer\Encoder\EncoderInterface;
 use Symfony\Component\Serializer\Normalizer\DenormalizerInterface;
@@ -1531,6 +1532,12 @@ private function registerSecurityCsrfConfiguration(array $config, ContainerBuild
         // Enable services for CSRF protection (even without forms)
         $loader->load('security_csrf.php');
 
+        // BC for symfony/security-core < 5.2
+        if (!(new \ReflectionClass(SessionTokenStorage::class))->hasMethod('getSession')) {
+            $container->getDefinition('security.csrf.token_storage')
+                ->setArgument(0, new Reference('session'));
+        }
+
         if (!class_exists(CsrfExtension::class)) {
             $container->removeDefinition('twig.extension.security_csrf');
         }
diff --git a/src/Symfony/Bundle/FrameworkBundle/KernelBrowser.php b/src/Symfony/Bundle/FrameworkBundle/KernelBrowser.php
@@ -18,6 +18,8 @@
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
 use Symfony\Component\HttpKernel\HttpKernelBrowser;
 use Symfony\Component\HttpKernel\KernelInterface;
 use Symfony\Component\HttpKernel\Profiler\Profile as HttpProfile;
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/security_csrf.php b/src/Symfony/Bundle/FrameworkBundle/Resources/config/security_csrf.php
@@ -27,7 +27,7 @@
         ->alias(TokenGeneratorInterface::class, 'security.csrf.token_generator')
 
         ->set('security.csrf.token_storage', SessionTokenStorage::class)
-            ->args([service('session')])
+            ->args([service('request_stack')])
 
         ->alias(TokenStorageInterface::class, 'security.csrf.token_storage')
 
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/session.php b/src/Symfony/Bundle/FrameworkBundle/Resources/config/session.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\DependencyInjection\Loader\Configurator;
 
+use Symfony\Bundle\FrameworkBundle\Session\DeprecatedSessionFactory;
 use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBag;
 use Symfony\Component\HttpFoundation\Session\Flash\FlashBag;
 use Symfony\Component\HttpFoundation\Session\Flash\FlashBagInterface;
@@ -33,15 +34,20 @@
     $container->parameters()->set('session.metadata.storage_key', '_sf2_meta');
 
     $container->services()
-        ->set('session', Session::class)
-            ->public()
+        ->set('.session.do-not-use', Session::class) // to be removed in 6.0
             ->args([
                 service('session.storage'),
                 null, // AttributeBagInterface
                 null, // FlashBagInterface
                 [service('session_listener'), 'onSessionUsage'],
             ])
-        ->alias(SessionInterface::class, 'session')
+        ->set('sessionDeprecatedDoNotUse', SessionInterface::class) // to be removed in 6.0
+            ->factory([inline_service(DeprecatedSessionFactory::class)->args([service('request_stack')]), 'getSession'])
+        ->alias('session', '.session.do-not-use')
+            ->public()
+            ->deprecate('symfony/framework-bundle', '5.2', 'The "%alias_id%" alias is deprecated, use "$requestStack->getSession()" instead.')
+        ->alias(SessionInterface::class, '.session.do-not-use')
+            ->deprecate('symfony/framework-bundle', '5.2', 'The "%alias_id%" alias is deprecated, use "$requestStack->getSession()" instead.')
         ->alias(SessionStorageInterface::class, 'session.storage')
         ->alias(\SessionHandlerInterface::class, 'session.handler')
 
@@ -65,12 +71,12 @@
             ])
 
         ->set('session.flash_bag', FlashBag::class)
-            ->factory([service('session'), 'getFlashBag'])
+            ->factory([service('.session.do-not-use'), 'getFlashBag'])
             ->deprecate('symfony/framework-bundle', '5.1', 'The "%service_id%" service is deprecated, use "$session->getFlashBag()" instead.')
         ->alias(FlashBagInterface::class, 'session.flash_bag')
 
         ->set('session.attribute_bag', AttributeBag::class)
-            ->factory([service('session'), 'getBag'])
+            ->factory([service('.session.do-not-use'), 'getBag'])
             ->args(['attributes'])
             ->deprecate('symfony/framework-bundle', '5.1', 'The "%service_id%" service is deprecated, use "$session->getAttributeBag()" instead.')
 
@@ -94,8 +100,8 @@
         ->set('session_listener', SessionListener::class)
             ->args([
                 service_locator([
-                    'session' => service('session')->ignoreOnInvalid(),
-                    'initialized_session' => service('session')->ignoreOnUninitialized(),
+                    'session' => service('.session.do-not-use')->ignoreOnInvalid(),
+                    'initialized_session' => service('.session.do-not-use')->ignoreOnUninitialized(),
                     'logger' => service('logger')->ignoreOnInvalid(),
                     'session_collector' => service('data_collector.request.session_collector')->ignoreOnInvalid(),
                 ]),
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/test.php b/src/Symfony/Bundle/FrameworkBundle/Resources/config/test.php
@@ -16,6 +16,8 @@
 use Symfony\Component\BrowserKit\CookieJar;
 use Symfony\Component\BrowserKit\History;
 use Symfony\Component\DependencyInjection\ServiceLocator;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage;
 use Symfony\Component\HttpKernel\EventListener\TestSessionListener;
 
 return static function (ContainerConfigurator $container) {
@@ -38,7 +40,7 @@
         ->set('test.session.listener', TestSessionListener::class)
             ->args([
                 service_locator([
-                    'session' => service('session')->ignoreOnInvalid(),
+                    'session' => service('.session.do-not-use')->ignoreOnInvalid(),
                 ]),
             ])
             ->tag('kernel.event_subscriber')
diff --git a/src/Symfony/Bundle/FrameworkBundle/Session/DeprecatedSessionFactory.php b/src/Symfony/Bundle/FrameworkBundle/Session/DeprecatedSessionFactory.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\FrameworkBundle\Session;
+
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+
+/**
+ * Provides session and trigger deprecation.
+ * Used by service that should trigger deprecation when accessed by user
+ *
+ * @author Jérémy Derussé <jeremy@derusse.com>
+ * @internal to be removed in 6.0
+ */
+class DeprecatedSessionFactory
+{
+    private $requestStack;
+
+    public function __construct(RequestStack $requestStack)
+    {
+        $this->requestStack = $requestStack;
+    }
+
+    public function getSession(): ?SessionInterface
+    {
+        trigger_deprecation('symfony/framework-bundle', '5.1', 'The "session" service is deprecated, use "$requestStack->getSession()" instead.');
+
+        // BC for symfony/http-foundation < 5.2
+        if (method_exists($this->requestStack, 'getSession')) {
+            return $this->requestStack->getSession();
+        }
+        if ((null !== $request = $this->requestStack->getCurrentRequest()) && $request->hasSession()) {
+            return $request->getSession();
+        }
+
+        return null;
+    }
+}
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/Controller/AbstractControllerTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/Controller/AbstractControllerTest.php
@@ -50,7 +50,7 @@ public function testSubscribedServices()
             'request_stack' => '?Symfony\\Component\\HttpFoundation\\RequestStack',
             'http_kernel' => '?Symfony\\Component\\HttpKernel\\HttpKernelInterface',
             'serializer' => '?Symfony\\Component\\Serializer\\SerializerInterface',
-            'session' => '?Symfony\\Component\\HttpFoundation\\Session\\SessionInterface',
+            'session' => '?sessionDeprecatedDoNotUse',
             'security.authorization_checker' => '?Symfony\\Component\\Security\\Core\\Authorization\\AuthorizationCheckerInterface',
             'twig' => '?Twig\\Environment',
             'doctrine' => '?Doctrine\\Persistence\\ManagerRegistry',
@@ -433,11 +433,14 @@ public function testRedirectToRoute()
     public function testAddFlash()
     {
         $flashBag = new FlashBag();
-        $session = $this->getMockBuilder('Symfony\Component\HttpFoundation\Session\Session')->getMock();
+        $session = $this->getMockBuilder('\sessionDeprecatedDoNotUse')->getMock();
         $session->expects($this->once())->method('getFlashBag')->willReturn($flashBag);
+        $requestStack = $this->getMockBuilder(RequestStack::class)->getMock();
+        $requestStack->expects($this->once())->method('getSession')->willReturn($session);
 
         $container = new Container();
         $container->set('session', $session);
+        $container->set('request_stack', $requestStack);
 
         $controller = $this->createController();
         $controller->setContainer($container);
@@ -558,3 +561,7 @@ public function testAddLink()
         $this->assertContains($link2, $links);
     }
 }
+
+if (!\class_exists('\sessionDeprecatedDoNotUse')) {
+    eval ('class sessionDeprecatedDoNotUse extends \Symfony\Component\HttpFoundation\Session\Session {}');
+}
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
@@ -517,7 +517,7 @@ public function testSession()
     {
         $container = $this->createContainerFromFile('full');
 
-        $this->assertTrue($container->hasDefinition('session'), '->registerSessionConfiguration() loads session.xml');
+        $this->assertTrue($container->hasAlias('session'), '->registerSessionConfiguration() loads session.xml');
         $this->assertEquals('fr', $container->getParameter('kernel.default_locale'));
         $this->assertEquals('session.storage.native', (string) $container->getAlias('session.storage'));
         $this->assertEquals('session.handler.native_file', (string) $container->getAlias('session.handler'));
@@ -543,7 +543,7 @@ public function testNullSessionHandler()
     {
         $container = $this->createContainerFromFile('session');
 
-        $this->assertTrue($container->hasDefinition('session'), '->registerSessionConfiguration() loads session.xml');
+        $this->assertTrue($container->hasAlias('session'), '->registerSessionConfiguration() loads session.xml');
         $this->assertNull($container->getDefinition('session.storage.native')->getArgument(1));
         $this->assertNull($container->getDefinition('session.storage.php_bridge')->getArgument(0));
         $this->assertSame('session.handler.native_file', (string) $container->getAlias('session.handler'));
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterTokenUsageTrackingPass.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/RegisterTokenUsageTrackingPass.php
@@ -41,7 +41,7 @@ public function process(ContainerBuilder $container)
             TokenStorageInterface::class => new BoundArgument(new Reference('security.untracked_token_storage'), false),
         ]);
 
-        if (!$container->has('session')) {
+        if (!$container->has('session.storage')) {
             $container->setAlias('security.token_storage', 'security.untracked_token_storage')->setPublic(true);
             $container->getDefinition('security.untracked_token_storage')->addTag('kernel.reset', ['method' => 'reset']);
         } elseif ($container->hasDefinition('security.context_listener')) {
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/SessionPass.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/SessionPass.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler;
+
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Reference;
+
+/**
+ * Replace deprecated `session` service in "security.token_storage"
+ * when UsageTrackingTokenStorage is able to fetch Session from RequestStack.
+ *
+ * @author jérémy Derussé <jeremy@derusse.com>
+ *
+ * @internal to be removed in 6.0
+ */
+class SessionPass implements CompilerPassInterface
+{
+    public function process(ContainerBuilder $container)
+    {
+        if (!$container->hasDefinition('security.token_storage')) {
+            return;
+        }
+
+        $definition = $container->getDefinition('security.token_storage');
+        if ((new \ReflectionClass($definition->getClass()))->hasMethod('getSession')) {
+            return;
+        }
+
+        $locator = $definition->getArgument(1);
+        $values = $locator->getValues();
+        unset($values['request_stack']);
+        $values['session'] = new Reference('session');
+        $locator->setValues($values);
+    }
+}
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
@@ -74,7 +74,7 @@
             ->args([
                 service('security.untracked_token_storage'),
                 service_locator([
-                    'session' => service('session'),
+                    'request_stack' => service('request_stack'),
                 ]),
             ])
             ->tag('kernel.reset', ['method' => 'disableUsageTracking'])
diff --git a/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php b/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
@@ -18,6 +18,7 @@
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterGlobalSecurityEventListenersPass;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterLdapLocatorPass;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\RegisterTokenUsageTrackingPass;
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\SessionPass;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\SortFirewallListenersPass;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AnonymousFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\CustomAuthenticatorFactory;
@@ -81,6 +82,7 @@ public function build(ContainerBuilder $container)
         $container->addCompilerPass(new RegisterGlobalSecurityEventListenersPass(), PassConfig::TYPE_BEFORE_REMOVING, -200);
         // execute after ResolveChildDefinitionsPass optimization pass, to ensure class names are set
         $container->addCompilerPass(new SortFirewallListenersPass(), PassConfig::TYPE_BEFORE_REMOVING);
+        $container->addCompilerPass(new SessionPass());
 
         $container->addCompilerPass(new AddEventAliasesPass(array_merge(
             AuthenticationEvents::ALIASES,
diff --git a/src/Symfony/Component/HttpFoundation/CHANGELOG.md b/src/Symfony/Component/HttpFoundation/CHANGELOG.md
diff --git a/src/Symfony/Component/HttpFoundation/RequestStack.php b/src/Symfony/Component/HttpFoundation/RequestStack.php
diff --git a/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php b/src/Symfony/Component/HttpKernel/EventListener/AbstractSessionListener.php
diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/Storage/UsageTrackingTokenStorage.php b/src/Symfony/Component/Security/Core/Authentication/Token/Storage/UsageTrackingTokenStorage.php
diff --git a/src/Symfony/Component/Security/Csrf/TokenStorage/SessionTokenStorage.php b/src/Symfony/Component/Security/Csrf/TokenStorage/SessionTokenStorage.php
