Hide sensitive information with SensitiveParameter attribute

GromNaN · fabpot · commit 063690ed748e · 2022-07-11T08:49:17.000+02:00
diff --git a/Adapter/ConnectionInterface.php b/Adapter/ConnectionInterface.php
@@ -32,5 +32,5 @@ public function isBound(): bool;
      * @throws ConnectionTimeoutException  When the connection can't be created because of an LDAP_TIMEOUT error
      * @throws InvalidCredentialsException When the connection can't be created because of an LDAP_INVALID_CREDENTIALS error
      */
-    public function bind(string $dn = null, string $password = null);
+    public function bind(string $dn = null, #[\SensitiveParameter] string $password = null);
 }
diff --git a/Adapter/ExtLdap/Connection.php b/Adapter/ExtLdap/Connection.php
@@ -69,7 +69,7 @@ public function isBound(): bool
      *
      * @param string $password WARNING: When the LDAP server allows unauthenticated binds, a blank $password will always be valid
      */
-    public function bind(string $dn = null, string $password = null)
+    public function bind(string $dn = null, #[\SensitiveParameter] string $password = null)
     {
         if (!$this->connection) {
             $this->connect();
diff --git a/Ldap.php b/Ldap.php
@@ -32,7 +32,7 @@ public function __construct(AdapterInterface $adapter)
     /**
      * {@inheritdoc}
      */
-    public function bind(string $dn = null, string $password = null)
+    public function bind(string $dn = null, #[\SensitiveParameter] string $password = null)
     {
         $this->adapter->getConnection()->bind($dn, $password);
     }
diff --git a/LdapInterface.php b/LdapInterface.php
@@ -30,7 +30,7 @@ interface LdapInterface
      *
      * @throws ConnectionException if dn / password could not be bound
      */
-    public function bind(string $dn = null, string $password = null);
+    public function bind(string $dn = null, #[\SensitiveParameter] string $password = null);
 
     /**
      * Queries a ldap server for entries matching the given criteria.
diff --git a/Security/LdapUser.php b/Security/LdapUser.php
@@ -29,7 +29,7 @@ class LdapUser implements UserInterface, PasswordAuthenticatedUserInterface, Equ
     private array $roles;
     private array $extraFields;
 
-    public function __construct(Entry $entry, string $username, ?string $password, array $roles = [], array $extraFields = [])
+    public function __construct(Entry $entry, string $username, #[\SensitiveParameter] ?string $password, array $roles = [], array $extraFields = [])
     {
         if (!$username) {
             throw new \InvalidArgumentException('The username cannot be empty.');
@@ -97,7 +97,7 @@ public function getExtraFields(): array
         return $this->extraFields;
     }
 
-    public function setPassword(string $password)
+    public function setPassword(#[\SensitiveParameter] string $password)
     {
         $this->password = $password;
     }
diff --git a/Security/LdapUserProvider.php b/Security/LdapUserProvider.php
@@ -43,7 +43,7 @@ class LdapUserProvider implements UserProviderInterface, PasswordUpgraderInterfa
     private ?string $passwordAttribute;
     private array $extraFields;
 
-    public function __construct(LdapInterface $ldap, string $baseDn, string $searchDn = null, string $searchPassword = null, array $defaultRoles = [], string $uidKey = null, string $filter = null, string $passwordAttribute = null, array $extraFields = [])
+    public function __construct(LdapInterface $ldap, string $baseDn, string $searchDn = null, #[\SensitiveParameter] string $searchPassword = null, array $defaultRoles = [], string $uidKey = null, string $filter = null, string $passwordAttribute = null, array $extraFields = [])
     {
         if (null === $uidKey) {
             $uidKey = 'sAMAccountName';

Original file line number	Diff line number	Diff line change
`@@ -32,5 +32,5 @@ public function isBound(): bool;`
`32`	`32`	`* @throws ConnectionTimeoutException When the connection can't be created because of an LDAP_TIMEOUT error`
`33`	`33`	`* @throws InvalidCredentialsException When the connection can't be created because of an LDAP_INVALID_CREDENTIALS error`
`34`	`34`	`*/`
`35`		`- public function bind(string $dn = null, string $password = null);`
	`35`	`+ public function bind(string $dn = null, #[\SensitiveParameter] string $password = null);`
`36`	`36`	`}`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ public function isBound(): bool`
`69`	`69`	`*`
`70`	`70`	`* @param string $password WARNING: When the LDAP server allows unauthenticated binds, a blank $password will always be valid`
`71`	`71`	`*/`
`72`		`- public function bind(string $dn = null, string $password = null)`
	`72`	`+ public function bind(string $dn = null, #[\SensitiveParameter] string $password = null)`
`73`	`73`	`{`
`74`	`74`	`if (!$this->connection) {`
`75`	`75`	`$this->connect();`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ public function __construct(AdapterInterface $adapter)`
`32`	`32`	`/**`
`33`	`33`	`* {@inheritdoc}`
`34`	`34`	`*/`
`35`		`- public function bind(string $dn = null, string $password = null)`
	`35`	`+ public function bind(string $dn = null, #[\SensitiveParameter] string $password = null)`
`36`	`36`	`{`
`37`	`37`	`$this->adapter->getConnection()->bind($dn, $password);`
`38`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ interface LdapInterface`
`30`	`30`	`*`
`31`	`31`	`* @throws ConnectionException if dn / password could not be bound`
`32`	`32`	`*/`
`33`		`- public function bind(string $dn = null, string $password = null);`
	`33`	`+ public function bind(string $dn = null, #[\SensitiveParameter] string $password = null);`
`34`	`34`
`35`	`35`	`/**`
`36`	`36`	`* Queries a ldap server for entries matching the given criteria.`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ class LdapUser implements UserInterface, PasswordAuthenticatedUserInterface, Equ`
`29`	`29`	`private array $roles;`
`30`	`30`	`private array $extraFields;`
`31`	`31`
`32`		`- public function __construct(Entry $entry, string $username, ?string $password, array $roles = [], array $extraFields = [])`
	`32`	`+ public function __construct(Entry $entry, string $username, #[\SensitiveParameter] ?string $password, array $roles = [], array $extraFields = [])`
`33`	`33`	`{`
`34`	`34`	`if (!$username) {`
`35`	`35`	`throw new \InvalidArgumentException('The username cannot be empty.');`
`@@ -97,7 +97,7 @@ public function getExtraFields(): array`
`97`	`97`	`return $this->extraFields;`
`98`	`98`	`}`
`99`	`99`
`100`		`- public function setPassword(string $password)`
	`100`	`+ public function setPassword(#[\SensitiveParameter] string $password)`
`101`	`101`	`{`
`102`	`102`	`$this->password = $password;`
`103`	`103`	`}`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ class LdapUserProvider implements UserProviderInterface, PasswordUpgraderInterfa`
`43`	`43`	`private ?string $passwordAttribute;`
`44`	`44`	`private array $extraFields;`
`45`	`45`
`46`		`- public function __construct(LdapInterface $ldap, string $baseDn, string $searchDn = null, string $searchPassword = null, array $defaultRoles = [], string $uidKey = null, string $filter = null, string $passwordAttribute = null, array $extraFields = [])`
	`46`	`+ public function __construct(LdapInterface $ldap, string $baseDn, string $searchDn = null, #[\SensitiveParameter] string $searchPassword = null, array $defaultRoles = [], string $uidKey = null, string $filter = null, string $passwordAttribute = null, array $extraFields = [])`
`47`	`47`	`{`
`48`	`48`	`if (null === $uidKey) {`
`49`	`49`	`$uidKey = 'sAMAccountName';`