minor symfony#61737 [Lock] do not support sensitive option entries (xabbuh)

nicolas-grekas · nicolas-grekas · commit c2874437e441 · 2025-09-12T15:48:43.000+02:00
This PR was merged into the 7.4 branch. Discussion ---------- [Lock] do not support sensitive option entries | Q | A | ------------- | --- | Branch? | 7.4 | Bug fix? | no | New feature? | no | Deprecations? | no | Issues | | License | MIT Commits ------- b165fb7 do not support sensitive option entries
diff --git a/src/Symfony/Component/Lock/Bridge/DynamoDb/Store/DynamoDbStore.php b/src/Symfony/Component/Lock/Bridge/DynamoDb/Store/DynamoDbStore.php
@@ -36,8 +36,6 @@ class DynamoDbStore implements PersistingStoreInterface
     use ExpiringStoreTrait;
 
     private const DEFAULT_OPTIONS = [
-        'access_key' => null,
-        'secret_key' => null,
         'session_token' => null,
         'endpoint' => null,
         'region' => null,
@@ -60,7 +58,7 @@ class DynamoDbStore implements PersistingStoreInterface
     private int $writeCapacityUnits;
 
     public function __construct(
-        DynamoDbClient|string $clientOrDsn,
+        #[\SensitiveParameter] DynamoDbClient|string $clientOrDsn,
         array $options = [],
         private readonly int $initialTtl = 300,
     ) {
@@ -96,8 +94,8 @@ public function __construct(
 
             $clientConfiguration = [
                 'region' => $options['region'],
-                'accessKeyId' => rawurldecode($params['user'] ?? '') ?: $options['access_key'] ?? self::DEFAULT_OPTIONS['access_key'],
-                'accessKeySecret' => rawurldecode($params['pass'] ?? '') ?: $options['secret_key'] ?? self::DEFAULT_OPTIONS['secret_key'],
+                'accessKeyId' => rawurldecode($params['user'] ?? '') ?: null,
+                'accessKeySecret' => rawurldecode($params['pass'] ?? '') ?: null,
             ];
             if (null !== $options['session_token']) {
                 $clientConfiguration['sessionToken'] = $options['session_token'];
@@ -141,15 +139,15 @@ public function save(Key $key): void
             'Item' => [
                 $this->idAttr => new AttributeValue(['S' => $this->getHashedKey($key)]),
                 $this->tokenAttr => new AttributeValue(['S' => $this->getUniqueToken($key)]),
-                $this->expirationAttr => new AttributeValue(['N' => (string) (\microtime(true) + $this->initialTtl)]),
+                $this->expirationAttr => new AttributeValue(['N' => (string) (microtime(true) + $this->initialTtl)]),
             ],
             'ConditionExpression' => 'attribute_not_exists(#key) OR #expires_at < :now',
             'ExpressionAttributeNames' => [
                 '#key' => $this->idAttr,
                 '#expires_at' => $this->expirationAttr,
             ],
             'ExpressionAttributeValues' => [
-                ':now' => new AttributeValue(['N' => (string) \microtime(true)]),
+                ':now' => new AttributeValue(['N' => (string) microtime(true)]),
             ],
         ]);
 
@@ -196,7 +194,7 @@ public function exists(Key $key): bool
         $item = $existingLock->getItem();
 
         // Item not found at all
-        if ($item === []) {
+        if (!$item) {
             return false;
         }
 
@@ -206,7 +204,7 @@ public function exists(Key $key): bool
         }
 
         // If item is expired, consider it doesn't exist
-        return isset($item[$this->expirationAttr]) && ((float) $item[$this->expirationAttr]->getN()) > \microtime(true);
+        return isset($item[$this->expirationAttr]) && ((float) $item[$this->expirationAttr]->getN()) > microtime(true);
     }
 
     public function putOffExpiration(Key $key, float $ttl): void
@@ -225,7 +223,7 @@ public function putOffExpiration(Key $key, float $ttl): void
                 'Item' => [
                     $this->idAttr => new AttributeValue(['S' => $this->getHashedKey($key)]),
                     $this->tokenAttr => new AttributeValue(['S' => $uniqueToken]),
-                    $this->expirationAttr => new AttributeValue(['N' => (string) (\microtime(true) + $ttl)]),
+                    $this->expirationAttr => new AttributeValue(['N' => (string) (microtime(true) + $ttl)]),
                 ],
                 'ConditionExpression' => 'attribute_exists(#key) AND (#token = :token OR #expires_at <= :now)',
                 'ExpressionAttributeNames' => [
@@ -234,7 +232,7 @@ public function putOffExpiration(Key $key, float $ttl): void
                     '#token' => $this->tokenAttr,
                 ],
                 'ExpressionAttributeValues' => [
-                    ':now' => new AttributeValue(['N' => (string) \microtime(true)]),
+                    ':now' => new AttributeValue(['N' => (string) microtime(true)]),
                     ':token' => new AttributeValue(['S' => $uniqueToken]),
                 ],
             ]));
@@ -248,7 +246,7 @@ public function putOffExpiration(Key $key, float $ttl): void
         $this->checkNotExpired($key);
     }
 
-    public function createTable(): void
+    private function createTable(): void
     {
         $this->client->createTable(new CreateTableInput([
             'TableName' => $this->tableName,
diff --git a/src/Symfony/Component/Lock/Bridge/DynamoDb/Tests/Store/DynamoDbStoreTest.php b/src/Symfony/Component/Lock/Bridge/DynamoDb/Tests/Store/DynamoDbStoreTest.php
@@ -31,38 +31,6 @@ public function testExtraParamsInQuery()
         new DynamoDbStore('dynamodb://default/lock_keys?extra_param=some_value');
     }
 
-    public function testConfigureWithCredentials()
-    {
-        $awsKey = 'some_aws_access_key_value';
-        $awsSecret = 'some_aws_secret_value';
-        $region = 'us-east-1';
-        $this->assertEquals(
-            new DynamoDbStore(new DynamoDbClient(['region' => $region, 'accessKeyId' => $awsKey, 'accessKeySecret' => $awsSecret]), ['table_name' => 'lock_keys']),
-            new DynamoDbStore('dynamodb://default/lock_keys', [
-                'access_key' => $awsKey,
-                'secret_key' => $awsSecret,
-                'region' => $region,
-            ])
-        );
-    }
-
-    public function testConfigureWithTemporaryCredentials()
-    {
-        $awsKey = 'some_aws_access_key_value';
-        $awsSecret = 'some_aws_secret_value';
-        $sessionToken = 'some_aws_sessionToken';
-        $region = 'us-east-1';
-        $this->assertEquals(
-            new DynamoDbStore(new DynamoDbClient(['region' => $region, 'accessKeyId' => $awsKey, 'accessKeySecret' => $awsSecret, 'sessionToken' => $sessionToken]), ['table_name' => 'table']),
-            new DynamoDbStore('dynamodb://default/table', [
-                'access_key' => $awsKey,
-                'secret_key' => $awsSecret,
-                'session_token' => $sessionToken,
-                'region' => $region,
-            ])
-        );
-    }
-
     public function testFromInvalidDsn()
     {
         $this->expectException(\InvalidArgumentException::class);
@@ -91,7 +59,7 @@ public function testDsnPrecedence()
     {
         $this->assertEquals(
             new DynamoDbStore(new DynamoDbClient(['region' => 'us-east-2', 'accessKeyId' => 'key_dsn', 'accessKeySecret' => 'secret_dsn']), ['table_name' => 'table_dsn']),
-            new DynamoDbStore('dynamodb://key_dsn:secret_dsn@default/table_dsn?region=us-east-2', ['region' => 'eu-west-3', 'table_name' => 'table_options', 'access_key' => 'key_option', 'secret_key' => 'secret_option'])
+            new DynamoDbStore('dynamodb://key_dsn:secret_dsn@default/table_dsn?region=us-east-2', ['region' => 'eu-west-3', 'table_name' => 'table_options'])
         );
     }
 
@@ -159,23 +127,23 @@ public function testFromDsnWithTableNameOption()
     public function testFromDsnWithInvalidQueryString()
     {
         $this->expectException(\InvalidArgumentException::class);
-        $this->expectExceptionMessageMatches('|Unknown option found in DSN: \[foo\]\. Allowed options are \[access_key, |');
+        $this->expectExceptionMessageMatches('|Unknown option found in DSN: \[foo\]\. Allowed options are \[session_token, |');
 
         new DynamoDbStore('dynamodb://default?foo=foo');
     }
 
     public function testFromDsnWithInvalidOption()
     {
         $this->expectException(\InvalidArgumentException::class);
-        $this->expectExceptionMessageMatches('|Unknown option found: \[bar\]\. Allowed options are \[access_key, |');
+        $this->expectExceptionMessageMatches('|Unknown option found: \[bar\]\. Allowed options are \[session_token, |');
 
         new DynamoDbStore('dynamodb://default', ['bar' => 'bar']);
     }
 
     public function testFromDsnWithInvalidQueryStringAndOption()
     {
         $this->expectException(\InvalidArgumentException::class);
-        $this->expectExceptionMessageMatches('|Unknown option found: \[bar\]\. Allowed options are \[access_key, |');
+        $this->expectExceptionMessageMatches('|Unknown option found: \[bar\]\. Allowed options are \[session_token, |');
 
         new DynamoDbStore('dynamodb://default?foo=foo', ['bar' => 'bar']);
     }
