Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Fix loading user from UserBadge #51104

Merged
merged 1 commit into from Aug 25, 2023
Merged

[Security] Fix loading user from UserBadge #51104

merged 1 commit into from Aug 25, 2023

Conversation

guillaumesmo
Copy link
Contributor

@guillaumesmo guillaumesmo commented Jul 25, 2023
edited

Q A
Branch? 6.3
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #50511
License MIT
Doc PR none

Fixed a breaking change from https://github.com/symfony/symfony/pull/48272/files#diff-de9707bb338188f62878f2ebd42e7a7bf9547f6d0bf07a4fcd9c386c263c601b

@carsonbot carsonbot added this to the 6.3 milestone Jul 25, 2023
@carsonbot
Copy link

Hey!

I see that this is your first PR. That is great! Welcome!

Symfony has a contribution guide which I suggest you to read.

In short:

  • Always add tests
  • Keep backward compatibility (see https://symfony.com/bc).
  • Bug fixes must be submitted against the lowest maintained branch where they apply (see https://symfony.com/releases)
  • Features and deprecations must be submitted against the 6.4 branch.

Review the GitHub status checks of your pull request and try to solve the reported issues. If some tests are failing, try to see if they are failing because of this change.

When two Symfony core team members approve this change, it will be merged and you will become an official Symfony contributor!
If this PR is merged in a lower version branch, it will be merged up to all maintained branches within a few days.

I am going to sit back now and wait for the reviews.

Cheers!

Carsonbot

@guillaumesmo
Copy link
Contributor Author

guillaumesmo commented Jul 25, 2023
edited

The fix is less clean than expected because the new OIDC feature relies on this bug.

The Badge user loader used to have priority over the firewall user provider. This was changed so that the OIDC Badge user loader only kicks in when no user provider is set (not sure how, however).

So the priorities are now as follows:

  1. Provided user loader in the new Badge constructor
  2. Firewall user provider
  3. OIDC user loader

Alternative solutions:

  • add a configuration to oidc to enable the default user loader
  • add a property to UserBadge to indicate the loader must not override the firewall user loader, instead of the callable wrapper

@nicolas-grekas
Copy link
Member

Can you add a test case please?

@vincentchalamon can you have a look please?

@carsonbot carsonbot changed the title Revert breaking change to AccessTokenAuthenticator [Security] Revert breaking change to AccessTokenAuthenticator Jul 26, 2023
vincentchalamon
vincentchalamon suggested changes Jul 27, 2023
View reviewed changes
Copy link
Contributor

@vincentchalamon vincentchalamon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch! (and sorry for the bug introduced in my PR)

In addition to my review, can you also add a non-regression functional test on AccessTokenTest please?

src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php Show resolved Hide resolved
src/Symfony/Component/Security/Http/Authenticator/FallbackUserLoader.php Show resolved Hide resolved
src/Symfony/Component/Security/Http/Authenticator/FallbackUserLoader.php Outdated Show resolved Hide resolved
@guillaumesmo guillaumesmo changed the title [Security] Revert breaking change to AccessTokenAuthenticator [Security] Fix breaking change to AccessTokenAuthenticator Jul 28, 2023
@OskarStark OskarStark changed the title [Security] Fix breaking change to AccessTokenAuthenticator [Security] Fix BC break to AccessTokenAuthenticator Aug 2, 2023
@guillaumesmo
Copy link
Contributor Author

Hi all, what can I do to move this PR forward?

@nicolas-grekas
Copy link
Member

"BC break" is not a proper description when fixing a regression. It doesn't tell which case is solved.
Can you please figure out something a bit more descriptive?

@guillaumesmo guillaumesmo changed the title [Security] Fix BC break to AccessTokenAuthenticator [Security] Fix loading user from UserBadge Aug 23, 2023
@guillaumesmo
Copy link
Contributor Author

"BC break" is not a proper description when fixing a regression. It doesn't tell which case is solved. Can you please figure out something a bit more descriptive?

Sure, done

wouterj
wouterj approved these changes Aug 24, 2023
View reviewed changes
Copy link
Member

@wouterj wouterj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.

@fabpot
Copy link
Member

fabpot commented Aug 25, 2023

Thank you @guillaumesmo.

@fabpot fabpot merged commit 0ef6b32 into symfony:6.3 Aug 25, 2023
5 of 9 checks passed
@guillaumesmo guillaumesmo mentioned this pull request Aug 25, 2023
Closed
@stof stof mentioned this pull request Aug 25, 2023
Closed
@fabpot fabpot mentioned this pull request Aug 26, 2023
Merged
This was referenced Sep 11, 2023
Merged
Merged
nicolas-grekas added a commit that referenced this pull request Sep 11, 2023
@nicolas-grekas
minor #51627 [Security] Fix security tests (vtsykun)
49d2527 
This PR was merged into the 6.3 branch.

Discussion
----------

[Security] Fix security tests

| Q             | A
| ------------- | ---
| Branch?       | 6.3
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Follows  #51622
| License       | MIT
| Doc PR        | -

Related to issue #51104, after it security bundle at least requires `symfony/security-http:6.3.4`  to keep the tests is green

Commits
-------

26cff6c Fix security tests
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wouterj wouterj wouterj approved these changes

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

@vincentchalamon vincentchalamon Awaiting requested review from vincentchalamon

@derrabus derrabus Awaiting requested review from derrabus

Assignees
No one assigned
Labels
Bug Security Status: Reviewed
Projects
None yet
Milestone
6.3
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@guillaumesmo @carsonbot @nicolas-grekas @fabpot @vincentchalamon @wouterj @derrabus