[DX][SecurityBundle] Introduce a FirewallConfig class accessible from FirewallContext #19398
Conversation
chalasr
changed the title
chalasr
force-pushed
the
firewall_service
branch
7 times, most recently
from
4a51436 to
3cb9d6c
Compare
| <argument type="service" id="security.token_storage" on-invalid="null" /> | ||
| </service> | ||
|
|
||
| <service id="security.firewall.map.firewall" class="Symfony\Bundle\SecurityBundle\Security\Firewall" abstract="true"> |
There was a problem hiding this comment.
Hope someone have a better id for this.
chalasr
force-pushed
the
firewall_service
branch
from
3cb9d6c to
83fc3a4
Compare
|
Status: Needs work |
chalasr
changed the title
chalasr
force-pushed
the
firewall_service
branch
5 times, most recently
from
3d64dd4 to
0dc120b
Compare
chalasr
changed the title
chalasr
force-pushed
the
firewall_service
branch
4 times, most recently
from
b7d84be to
033d970
Compare
|
Status: needs review |
| $this->exceptionListener = $exceptionListener; | ||
|
|
||
| if (null === $config) { | ||
| @trigger_error(sprintf('"%s()" expects an instance of "%s" as third argument since version 3.2 and will throw an exception in 4.0 if not provided.', __METHOD__, FirewallConfig::class), E_USER_DEPRECATED); |
There was a problem hiding this comment.
Yeah I got what the message means, but why making it mandatory?
Is there a good reason to break BC here, this value object does not bring any logic, so keeping a default null in 4.0 does not look wrong to me, although I don't have any strong feeling about this :)
There was a problem hiding this comment.
@HeahDude Sorry, I got it now.
There is no "good" reason to break BC here. But in the other hand, I can't find a good one to have FirewallContext::$config being null, as we shouldn't be able to get an instance of FirewallContext without configuring a firewall (it is already documented as "a wrapper around the current firewall configuration" 😄 ).
Also as you pointed out, this deprecation is not mandatory, I stay ready to remove it if your point comes to be shared.
There was a problem hiding this comment.
The thing is that the firewall is not depending on this config class for being configured, it can simply live without it. This "aware" interface is more about sharing by exposing, and I guess it was not designed this way before because the less you expose in security the more it's safe, you've noticed that yourself with the listeners config. So this class does not really add any value unless it comes to be collected and displayed (i.e in the profiler).
Also, by removing null as default you should expect a php error instead of an exception unless you throw it yourself in 4.0, meaning keeping the if too to perform the check.
So actually the message should be something like "%s()" expects an instance of "%s" as third argument since version 3.2 and will trigger an error in 4.0.
There was a problem hiding this comment.
I got your point. Nothing depends on this argument, so there is no class that can't live without it. I will remove the deprecation.
There was a problem hiding this comment.
I won't be as much categorical, because it would mean any code relying on getting the firewall config from the FirewallContext::getConfig() method will have to keep checking the returned value is not null.
We use this method in the profiler, but as some issues were opened mentioning the use cases of getting the firewall name on their own side for their app, it means end users will use this path to retrieve the firewall name from the configuration.
So, if we can avoid this extra check in 4.0, why not doing it ? The FirewallContext class is almost tied to the SecurityBundle anyway. It's unlikely to be extended nor used anywhere else than in the security extension. So, IMHO, making this argument mandatory won't matter.
There was a problem hiding this comment.
What @ogizanagi say is what I was trying to express, being not sure of what's the most important.
The FirewallConfig class is not used anywhere at the moment, excepted the work done in the profiler, that checks for the existence of the object for a matter of flexibility and consistency with other collected security-related data. But, the FirewallContext class being accessible through a public service, the primary goal of this PR is to make end users / third party / built-in tools or bundles able to use, expose and share the configuration of the configured firewalls. It can be helpful from a authentication listener to behave differently depending on this config for instance. In these edge cases, even they are not so many, I think it would be a pity to involve checking the existence of this object just for avoiding a (not that impacting) BC break in the future.
So I'm repeating myself but If a FirewallContext is accessible, its configuration should be too (as its service name ends with the firewall name), IMHO without having to worry about whether this one is defined or not (doing it already for the FirewallContext service itself).
I will keep it as is for now, staying ready to change it if a maintainer is opposed to this change.
I have much to learn about that kind of stuff so thanks for the discussion.
There was a problem hiding this comment.
Deprecation message corrected, good catch @HeahDude
chalasr
force-pushed
the
firewall_service
branch
2 times, most recently
from
ab17be0 to
4aa2242
Compare
|
Could we take a decision on this one? The value object added is mostly intended to be consumed by the profiler data collector (see #19490) as other existing ones and btw solve the issue of being able to get informations of the current firewall, adding some value to the |
chalasr
force-pushed
the
firewall_service
branch
from
4aa2242 to
f13bdda
Compare
| private function createFirewall(ContainerBuilder $container, $id, $firewall, &$authenticationProviders, $providerIds) | ||
| private function createFirewall(ContainerBuilder $container, $id, $firewall, &$authenticationProviders, $providerIds, $configId) | ||
| { | ||
| // FirewallConfig |
| namespace Symfony\Bundle\SecurityBundle\Security; | ||
|
|
||
| /** | ||
| * Object representation of a firewall configuration. |
There was a problem hiding this comment.
I think it can be removed as it does not add anything we don't already know :)
| private $listeners; | ||
|
|
||
| /** | ||
| * Constructor. |
There was a problem hiding this comment.
Removed the whole docblock, getters should be enough as this is built internally
| } | ||
|
|
||
| /** | ||
| * Returns whether the security is enabled or not. |
There was a problem hiding this comment.
Any comment that is the straightforward translation of the method name can be removed.
There was a problem hiding this comment.
These ones are from the base PR #19398. Let me know if I should close it for doing all in this one, otherwise the second commit is what this PR adds.
chalasr
force-pushed
the
firewall_service
branch
2 times, most recently
from
ecc5e12 to
87e402d
Compare
chalasr
force-pushed
the
firewall_service
branch
4 times, most recently
from
d261970 to
c647985
Compare
| if (null === $config) { | ||
| @trigger_error(sprintf('"%s()" expects an instance of "%s" as third argument since version 3.2 and will trigger an error in 4.0 if not provided.', __METHOD__, FirewallConfig::class), E_USER_DEPRECATED); | ||
|
|
||
| return; |
There was a problem hiding this comment.
I would return this return statement here.
There was a problem hiding this comment.
I would remove this return statement :)
chalasr
force-pushed
the
firewall_service
branch
from
c647985 to
fc0b374
Compare
| use Symfony\Component\Security\Http\FirewallMapInterface; | ||
| use Symfony\Component\HttpFoundation\Request; | ||
| use Symfony\Component\DependencyInjection\ContainerInterface; | ||
| use Symfony\Component\Security\Http\FirewallMapInterface; |
There was a problem hiding this comment.
This should be move up like it was before.
Add a FirewallConfig object, pass it to the FirewallContext Add FirewallContextTest & FirewallConfigTest Populate FirewallConfig definition from SecurityExtension Add missing anonymous listener in FirewallConfig::listenerConfigs Add a functional test Fabbot fixes Fix security option value Add ContextAwareFirewallMapInterface Remove bool casts from getters CS/Spelling Fixes Remove FirewallConfig::listenerConfigs in favor of FirewallConfig::listeners; Add FirewallConfig::allowAnonymous() Add allowAnonymous()/isSecurityEnabled, update comments Fabbot fixes Fix deprecation message Remove interface CS Fixes
chalasr
force-pushed
the
firewall_service
branch
from
fc0b374 to
52d25ed
Compare
|
👍 |
|
Thank you @chalasr. |
…accessible from FirewallContext (chalasr) This PR was merged into the 3.2-dev branch. Discussion ---------- [DX][SecurityBundle] Introduce a FirewallConfig class accessible from FirewallContext | Q | A | | --- | --- | | Branch? | master | | Bug fix? | no | | New feature? | yes | | BC breaks? | no | | Deprecations? | yes but it should not have any impact in userland | | Tests pass? | yes | | Fixed tickets | #15294 | | License | MIT | | Doc PR | todo | With this, the `FirewallContext` class now has a `getConfig()` method returning a `FirewallConfig` object representing the firewall configuration. Also this adds a `getContext()` method to the `FirewallMap` class of the `SecurityBundle`, to be able to retrieve the current context. In a next time, this could be useful to display some firewall related informations to the Profiler, as pointed out in #15294. Also, it can be useful to be able to access the current firewall configuration from an AuthenticationListener, especially for third party bundles (I can develop on demand). Commits ------- 52d25ed Introduce a FirewallConfig class
…r (chalasr) This PR was merged into the 3.2-dev branch. Discussion ---------- [SecurityBundle] Integrate current firewall in Profiler | Q | A | | --- | --- | | Branch? | master | | Bug fix? | no | | New feature? | yes | | BC breaks? | no | | Deprecations? | no | | Tests pass? | yes | | Fixed tickets | n/a | | License | MIT | Based on #19398. This integrates current firewall information into the Profiler. **Toolbar**  **Panel**  Examples: <details> <summary> Show config</summary> ``` yaml main: pattern: ^/ anonymous: false stateless: true provider: in_memory access_denied_url: /access_denied http_basic: ~ ``` </details>  <details> <summary> Show config</summary> ``` yaml main: pattern: ^/ anonymous: true stateless: false provider: in_memory context: dummy access_denied_url: /access_denied http_basic: ~ ``` </details>  <details> <summary> Show config</summary> ``` yaml api: pattern: ^/ security: false ``` </details>  Commits ------- 75e208e Integrate current firewall in profiler
This PR was merged into the 3.2-dev branch. Discussion ---------- [Security] improve some firewall config comments | Q | A | ------------- | --- | Branch? | master | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #19398 | License | MIT | Doc PR | Commits ------- cb6c703 [Security] improve some firewall config comments
…chalasr) This PR was merged into the 3.3-dev branch. Discussion ---------- [SecurityBundle] Rename FirewallContext#getContext() | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | no | BC breaks? | no | Deprecations? | yes | Tests pass? | yes | Fixed tickets | n/a | License | MIT | Doc PR | n/a As pointed out in #19398 (comment), the name of this method is misleading. Because a public service using this class is created for each defined firewall, I suggest to change it to `FirewallContext#getListeners()`, deprecating the current `getContext()` for removing it in 4.0. Commits ------- ee66b49 [SecurityBundle] Rename FirewallContext#getContext()
5 participants
With this, the
FirewallContextclass now has agetConfig()method returning aFirewallConfigobject representing the firewall configuration.Also this adds a
getFirewallConfig()method to theFirewallMapclass of theSecurityBundle.In a next time, this could be useful to display some firewall related informations to the Profiler, as pointed out in #15294.
Also, it can be useful to be able to access the current firewall configuration from an AuthenticationListener, especially for third party bundles (I can develop on demand).