feature #42423 [Security] Deprecate AnonymousToken, non-UserInterface users, and token credentials (wouterj)

fabpot · fabpot · commit 4cd41e236cf4 · 2021-08-13T18:23:16.000+02:00
This PR was squashed before being merged into the 5.4 branch.

Discussion
----------

[Security] Deprecate AnonymousToken, non-UserInterface users, and token credentials

| Q             | A
| ------------- | ---
| Branch?       | 5.4
| Bug fix?      | no
| New feature?  | no
| Deprecations? | yes
| Tickets       | Ref #41613, #34909
| License       | MIT
| Doc PR        | -

This is a continuation of `@xabbuh`'s experiment in #34909 and `@chalasr`'s work in #42050. This hopefully is the last cleanup of `TokenInterface`:

* As tokens now always represent an authenticated user (and no longer e.g. the "username" input of the form), we can finally remove the weird `string|\Stringable` union from `Token::getUser()` and other helper methods and require a user to be an instance of `UserInterface`.
* For the same reason, we can also deprecate token credentials. I didn't deprecate `Token::eraseCredentials()` as this is still used to remove credentials from `UserInterface`.
* Meanwhile, this also deprecated the `AnonymousToken`, which we forgot in 5.3. This token is not used anymore in the new system (anonymous does no longer exists). This was also the only token in core that didn't fulfill the `UserInterface` requirement for authenticated tokens.

Commits
-------

44b843a355 [Security] Deprecate AnonymousToken, non-UserInterface users, and token credentials
diff --git a/Tests/DataCollector/SecurityDataCollectorTest.php b/Tests/DataCollector/SecurityDataCollectorTest.php
@@ -29,6 +29,7 @@
 use Symfony\Component\Security\Core\Authorization\Voter\TraceableVoter;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Role\RoleHierarchy;
+use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Http\FirewallMapInterface;
 use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
 use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
@@ -78,7 +79,7 @@ public function testCollectWhenAuthenticationTokenIsNull()
     public function testCollectAuthenticationTokenAndRoles(array $roles, array $normalizedRoles, array $inheritedRoles)
     {
         $tokenStorage = new TokenStorage();
-        $tokenStorage->setToken(new UsernamePasswordToken('hhamon', 'P4$$w0rD', 'provider', $roles));
+        $tokenStorage->setToken(new UsernamePasswordToken(new InMemoryUser('hhamon', 'P4$$w0rD', $roles), 'provider', $roles));
 
         $collector = new SecurityDataCollector($tokenStorage, $this->getRoleHierarchy(), null, null, null, null, true);
         $collector->collect(new Request(), new Response());
@@ -99,10 +100,10 @@ public function testCollectAuthenticationTokenAndRoles(array $roles, array $norm
 
     public function testCollectSwitchUserToken()
     {
-        $adminToken = new UsernamePasswordToken('yceruto', 'P4$$w0rD', 'provider', ['ROLE_ADMIN']);
+        $adminToken = new UsernamePasswordToken(new InMemoryUser('yceruto', 'P4$$w0rD', ['ROLE_ADMIN']), 'provider', ['ROLE_ADMIN']);
 
         $tokenStorage = new TokenStorage();
-        $tokenStorage->setToken(new SwitchUserToken('hhamon', 'P4$$w0rD', 'provider', ['ROLE_USER', 'ROLE_PREVIOUS_ADMIN'], $adminToken));
+        $tokenStorage->setToken(new SwitchUserToken(new InMemoryUser('hhamon', 'P4$$w0rD', ['ROLE_USER', 'ROLE_PREVIOUS_ADMIN']), 'provider', ['ROLE_USER', 'ROLE_PREVIOUS_ADMIN'], $adminToken));
 
         $collector = new SecurityDataCollector($tokenStorage, $this->getRoleHierarchy(), null, null, null, null, true);
         $collector->collect(new Request(), new Response());
diff --git a/Tests/Functional/MissingUserProviderTest.php b/Tests/Functional/MissingUserProviderTest.php
@@ -28,6 +28,9 @@ public function testUserProviderIsNeeded()
         ]);
     }
 
+    /**
+     * @group legacy
+     */
     public function testLegacyUserProviderIsNeeded()
     {
         $client = $this->createClient(['test_case' => 'MissingUserProvider', 'root_config' => 'config.yml', 'debug' => true]);
diff --git a/Tests/Functional/SecurityTest.php b/Tests/Functional/SecurityTest.php
@@ -27,7 +27,7 @@ public function testServiceIsFunctional()
 
         // put a token into the storage so the final calls can function
         $user = new InMemoryUser('foo', 'pass');
-        $token = new UsernamePasswordToken($user, '', 'provider', ['ROLE_USER']);
+        $token = new UsernamePasswordToken($user, 'provider', ['ROLE_USER']);
         $container->get('functional.test.security.token_storage')->setToken($token);
 
         $security = $container->get('functional_test.security.helper');
@@ -105,7 +105,7 @@ public function testLegacyServiceIsFunctional()
 
         // put a token into the storage so the final calls can function
         $user = new InMemoryUser('foo', 'pass');
-        $token = new UsernamePasswordToken($user, '', 'provider', ['ROLE_USER']);
+        $token = new UsernamePasswordToken($user, 'provider', ['ROLE_USER']);
         $container->get('functional.test.security.token_storage')->setToken($token);
 
         $security = $container->get('functional_test.security.helper');

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,9 @@ public function testUserProviderIsNeeded()`
`28`	`28`	`]);`
`29`	`29`	`}`
`30`	`30`
	`31`	`+ /**`
	`32`	`+ * @group legacy`
	`33`	`+ */`
`31`	`34`	`public function testLegacyUserProviderIsNeeded()`
`32`	`35`	`{`
`33`	`36`	`$client = $this->createClient(['test_case' => 'MissingUserProvider', 'root_config' => 'config.yml', 'debug' => true]);`