[Security] Deprecate UserInterface & TokenInterface's eraseCredentials()

Author: chalasr

CHANGELOG.md

@@ -1,6 +1,12 @@
 CHANGELOG
 =========
 
+7.3
+---
+
+ * Deprecate `LdapUser::eraseCredentials()`, use `LdapUser::setPassword(null)` instead
+ * Add `EraseLdapUserCredentialsListener`
+
 7.2
 ---
 

Security/EraseLdapUserCredentialsListener.php

@@ -0,0 +1,48 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Ldap\Security;
+
+use Psr\Container\ContainerInterface;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\Ldap\Exception\InvalidCredentialsException;
+use Symfony\Component\Ldap\Exception\InvalidSearchCredentialsException;
+use Symfony\Component\Ldap\LdapInterface;
+use Symfony\Component\Security\Core\Event\AuthenticationSuccessEvent;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Core\Exception\LogicException;
+use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
+use Symfony\Component\Security\Http\Event\AuthenticationTokenCreatedEvent;
+use Symfony\Component\Security\Http\Event\CheckPassportEvent;
+
+/**
+ * Erases credentials from LdapUser instances upon successful authentication.
+ *
+ * @author Robin Chalas <robin.chalas@gmail.com>
+ */
+class EraseLdapUserCredentialsListener implements EventSubscriberInterface
+{
+    public function onAuthenticationSuccess(AuthenticationSuccessEvent $event): void
+    {
+        $user = $event->getAuthenticationToken()->getUser();
+
+        if (!$user instanceof LdapUser) {
+            return;
+        }
+
+        $user->setPassword(null);
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [AuthenticationSuccessEvent::class => ['onAuthenticationSuccess', 256]];
+    }
+}

Security/LdapUser.php

@@ -62,6 +62,8 @@ public function getUserIdentifier(): string
 
     public function eraseCredentials(): void
     {
+        trigger_deprecation('symfony/security-core', '7.3', sprintf('The "%s()" method is deprecated and will be removed in 8.0, call "setPassword(null)" instead.', __METHOD__));
+
         $this->password = null;
     }
 
@@ -70,7 +72,7 @@ public function getExtraFields(): array
         return $this->extraFields;
     }
 
-    public function setPassword(#[\SensitiveParameter] string $password): void
+    public function setPassword(#[\SensitiveParameter] ?string $password): void
     {
         $this->password = $password;
     }
@@ -95,4 +97,14 @@ public function isEqualTo(UserInterface $user): bool
 
         return true;
     }
+
+    public function __serialize(): array
+    {
+        return [$this->entry, $this->identifier, null, $this->roles, $this->extraFields];
+    }
+
+    public function __unserialize(array $data): void
+    {
+        [$this->entry, $this->identifier, $this->password, $this->roles, $this->extraFields] = $data;
+    }
 }

Tests/Security/EraseLdapUserCredentialsListenerTest.php

@@ -0,0 +1,53 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Ldap\Tests\Security;
+
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use Psr\Container\ContainerInterface;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Ldap\Adapter\CollectionInterface;
+use Symfony\Component\Ldap\Adapter\QueryInterface;
+use Symfony\Component\Ldap\Entry;
+use Symfony\Component\Ldap\Exception\InvalidCredentialsException;
+use Symfony\Component\Ldap\LdapInterface;
+use Symfony\Component\Ldap\Security\CheckLdapCredentialsListener;
+use Symfony\Component\Ldap\Security\EraseLdapUserCredentialsListener;
+use Symfony\Component\Ldap\Security\LdapBadge;
+use Symfony\Component\Ldap\Security\LdapUser;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Event\AuthenticationSuccessEvent;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Core\User\InMemoryUser;
+use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
+use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+use Symfony\Component\Security\Http\Event\CheckPassportEvent;
+use Symfony\Contracts\Service\ServiceLocatorTrait;
+
+class EraseLdapUserCredentialsListenerTest extends TestCase
+{
+    public function testPasswordIsErasedOnAuthenticationSuccess()
+    {
+        $user = new LdapUser(new Entry(''), 'chalasr', 'password');
+        $listener = new EraseLdapUserCredentialsListener();
+
+        $listener->onAuthenticationSuccess(new AuthenticationSuccessEvent(new UsernamePasswordToken($user, 'main')));
+
+        $this->assertSame(null, $user->getPassword());
+    }
+}

composer.json

@@ -18,6 +18,7 @@
     "require": {
         "php": ">=8.2",
         "ext-ldap": "*",
+        "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/options-resolver": "^6.4|^7.0"
     },
     "require-dev": {