added a global secret setting to configure CSRF, the temporary storag…

…e, and possibly more
symfony · Apr 28, 2011 · e72f1a9 · e72f1a9
1 parent 2291af4
commit e72f1a9
Show file tree

Hide file tree

Showing 13 changed files with 29 additions and 15 deletions.
diff --git a/UPDATE.md b/UPDATE.md
@@ -9,6 +9,20 @@ timeline closely anyway.
 PR12 to beta1
 -------------
 
+* The CSRF secret configuration has been moved to a mandatory global `secret`
+  setting (as the secret is now used for everything and not just CSRF):
+
+    Before:
+
+        framework:
+            csrf_protection:
+                secret: S3cr3t
+
+    After:
+
+        framework:
+            secret: S3cr3t
+
 * The `File::getWebPath()` and `File::rename()` methods have been removed, as
   well as the `framework.document_root` configuration setting.
 

diff --git a/src/Symfony/Bundle/AsseticBundle/Tests/Resources/config/config.yml b/src/Symfony/Bundle/AsseticBundle/Tests/Resources/config/config.yml
@@ -1,9 +1,9 @@
 framework:
     charset:       UTF-8
     error_handler: null
+    secret: xxxxxxxxxx
     csrf_protection:
         enabled: true
-        secret: xxxxxxxxxx
     router:        { resource: "%kernel.root_dir%/config/routing.yml" }
     validation:    { enabled: true, annotations: true }
     templating:    { engines: ['twig', 'php'] }

diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -39,6 +39,7 @@ public function getConfigTreeBuilder()
             ->children()
                 ->scalarNode('cache_warmer')->defaultValue(!$this->debug)->end()
                 ->scalarNode('charset')->end()
+                ->scalarNode('secret')->isRequired()->end()
                 ->scalarNode('error_handler')->end()
                 ->scalarNode('exception_controller')->defaultValue('Symfony\\Bundle\\FrameworkBundle\\Controller\\ExceptionController::showAction')->end()
                 ->scalarNode('ide')->defaultNull()->end()
@@ -69,7 +70,6 @@ private function addCsrfProtectionSection(ArrayNodeDefinition $rootNode)
                     ->children()
                         ->booleanNode('enabled')->defaultTrue()->end()
                         ->scalarNode('field_name')->defaultValue('_token')->end()
-                        ->scalarNode('secret')->defaultValue('secret')->end()
                     ->end()
                 ->end()
             ->end()

diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -65,6 +65,8 @@ public function load(array $configs, ContainerBuilder $container)
             $container->setParameter('kernel.charset', $config['charset']);
         }
 
+        $container->setParameter('kernel.secret', $config['secret']);
+
         if (isset($config['error_handler'])) {
             if (false === $config['error_handler']) {
                 $container->getDefinition('error_handler')->setMethodCalls(array());
@@ -157,8 +159,6 @@ public function load(array $configs, ContainerBuilder $container)
      */
     private function registerCsrfProtectionConfiguration(array $config, ContainerBuilder $container)
     {
-        $container->getDefinition('form.csrf_provider')->replaceArgument(1, $config['secret']);
-
         // FIXME: those are not used
         $container->setParameter('form.csrf_protection.field_name', $config['field_name']);
         $container->setParameter('form.csrf_protection.enabled', $config['enabled']);

diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/form.xml b/src/Symfony/Bundle/FrameworkBundle/Resources/config/form.xml
@@ -9,9 +9,7 @@
         <parameter key="form.factory.class">Symfony\Component\Form\FormFactory</parameter>
         <parameter key="form.type_guesser.validator.class">Symfony\Component\Form\Extension\Validator\ValidatorTypeGuesser</parameter>
         <parameter key="form.csrf_provider.class">Symfony\Component\Form\Extension\Csrf\CsrfProvider\SessionCsrfProvider</parameter>
-
         <parameter key="file.temporary_storage.class">Symfony\Component\HttpFoundation\File\SessionBasedTemporaryStorage</parameter>
-        <parameter key="file.temporary_storage.secret">abcdef</parameter>
     </parameters>
 
     <services>
@@ -56,13 +54,13 @@
         <!-- CsrfProvider -->
         <service id="form.csrf_provider" class="%form.csrf_provider.class%">
             <argument type="service" id="session" />
-            <argument /> <!-- secret -->
+            <argument>%kernel.secret%</argument>
         </service>
 
         <!-- TemporaryStorage - where should we put this? -->
         <service id="file.temporary_storage" class="%file.temporary_storage.class%">
             <argument type="service" id="session" />
-            <argument>%file.temporary_storage.secret%</argument>
+            <argument>%kernel.secret%</argument>
             <argument>%kernel.cache_dir%/upload</argument>
         </service>
 

diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd b/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd
@@ -24,6 +24,7 @@
         <xsd:attribute name="error-handler" type="xsd:string" />
         <xsd:attribute name="exception-controller" type="xsd:string" />
         <xsd:attribute name="ide" type="xsd:string" />
+        <xsd:attribute name="secret" type="xsd:string" />
     </xsd:complexType>
 
     <xsd:simpleType name="cache_warmer">
@@ -37,7 +38,6 @@
     <xsd:complexType name="csrf_protection">
         <xsd:attribute name="enabled" type="xsd:boolean" />
         <xsd:attribute name="field-name" type="xsd:string" />
-        <xsd:attribute name="secret" type="xsd:string" />
     </xsd:complexType>
 
     <xsd:complexType name="esi">

diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php
@@ -1,10 +1,10 @@
 <?php
 
 $container->loadFromExtension('framework', array(
+    'secret' => 's3cr3t',
     'csrf_protection' => array(
         'enabled'    => true,
         'field_name' => '_csrf',
-        'secret'     => 's3cr3t',
     ),
     'esi' => array(
         'enabled' => true,

diff --git a/.../Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/validation_annotations.php b/.../Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/validation_annotations.php
@@ -1,6 +1,7 @@
 <?php
 
 $container->loadFromExtension('framework', array(
+    'secret' => 's3cr3t',
     'validation' => array(
         'enabled'     => true,
         'annotations' => array(

diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml
@@ -6,8 +6,8 @@
     xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd
                         http://symfony.com/schema/dic/symfony http://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
 
-    <framework:config>
-        <framework:csrf-protection enabled="true" field-name="_csrf" secret="s3cr3t" />
+    <framework:config secret="s3cr3t">
+        <framework:csrf-protection enabled="true" field-name="_csrf" />
         <framework:esi enabled="true" />
         <framework:profiler only-exceptions="true" />
         <framework:router cache-warmer="true" resource="%kernel.root_dir%/config/routing.xml" type="xml" />

diff --git a/.../Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/validation_annotations.xml b/.../Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/validation_annotations.xml
@@ -6,7 +6,7 @@
     xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd
                         http://symfony.com/schema/dic/symfony http://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
 
-    <framework:config>
+    <framework:config secret="s3cr3t">
         <framework:validation enabled="true" annotations="true">
             <framework:namespace prefix="app">Application\Validator\Constraints\</framework:namespace>
         </framework:validation>

diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml
@@ -1,8 +1,8 @@
 framework:
+    secret: s3cr3t
     csrf_protection:
         enabled:    true
         field_name: _csrf
-        secret:     s3cr3t
     esi:
         enabled: true
     profiler:

diff --git a/.../Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/validation_annotations.yml b/.../Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/validation_annotations.yml
@@ -1,4 +1,5 @@
 framework:
+    secret: s3cr3t
     validation:
         enabled:     true
         annotations:

diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
@@ -27,7 +27,7 @@ public function testCsrfProtection()
         $this->assertTrue($container->getParameter('form.csrf_protection.enabled'));
         $this->assertEquals('_csrf', $container->getParameter('form.csrf_protection.field_name'));
         $arguments = $container->findDefinition('form.csrf_provider')->getArguments();
-        $this->assertEquals('s3cr3t', $arguments[1]);
+        $this->assertEquals('s3cr3t', $container->getParameterBag()->resolveValue($arguments[1]));
     }
 
     public function testEsi()