[Security] Improve BC-layer to deprecate eraseCredentials methods

Author: nicolas-grekas

UPGRADE-7.3.md

@@ -11,18 +11,37 @@ If you're upgrading from a version below 7.2, follow the [7.2 upgrade guide](UPG
 Ldap
 ----
 
- * Deprecate `LdapUser::eraseCredentials()`, use `LdapUser::setPassword(null)` instead
+ * Deprecate `LdapUser::eraseCredentials()` in favor of `__serialize()`
 
 Security
 --------
 
  * Deprecate `UserInterface::eraseCredentials()` and `TokenInterface::eraseCredentials()`,
-   use a dedicated DTO or erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead
+   erase credentials e.g. using `__serialize()` instead
 
-SecurityBundle
---------------
+   *Before*
+   ```php
+   public function eraseCredentials(): void
+   {
+   }
+   ```
 
- * Deprecate the `erase_credentials` config option, erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead
+   *After*
+   ```php
+   #[\Deprecated]
+   public function eraseCredentials(): void
+   {
+   }
+
+   // If your eraseCredentials() method was used to empty a "password" property:
+   public function __serialize(): array
+   {
+       $data = (array) $this;
+       unset($data["\0".self::class."\0password"]);
+
+       return $data;
+   }
+   ```
 
 Console
 -------
@@ -131,4 +150,3 @@ VarDumper
 
  * Deprecate `ResourceCaster::castCurl()`, `ResourceCaster::castGd()` and `ResourceCaster::castOpensslX509()`
  * Mark all casters as `@internal`
- * Deprecate the `CompiledClassMetadataFactory` and `CompiledClassMetadataCacheWarmer` classes

src/Symfony/Bridge/Doctrine/Tests/Fixtures/User.php

@@ -45,6 +45,7 @@ public function getUserIdentifier(): string
         return $this->name;
     }
 
+    #[\Deprecated]
     public function eraseCredentials(): void
     {
     }

src/Symfony/Bridge/PhpUnit/Legacy/SymfonyTestsListenerTrait.php

@@ -336,7 +336,7 @@ public static function handleError($type, $msg, $file, $line, $context = [])
 
             return $h ? $h($type, $msg, $file, $line, $context) : false;
         }
-        // If the message is serialized we need to extract the message. This occurs when the error is triggered by
+        // If the message is serialized we need to extract the message. This occurs when the error is triggered
         // by the isolated test path in \Symfony\Bridge\PhpUnit\Legacy\SymfonyTestsListenerTrait::endTest().
         $parsedMsg = @unserialize($msg);
         if (\is_array($parsedMsg)) {

src/Symfony/Bundle/SecurityBundle/CHANGELOG.md

@@ -8,7 +8,6 @@ CHANGELOG
  * Add encryption support to `OidcTokenHandler` (JWE)
  * Add `expose_security_errors` config option to display `AccountStatusException`
  * Deprecate the `security.hide_user_not_found` config option in favor of `security.expose_security_errors`
- * Deprecate the `erase_credentials` config option, erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead
 
 7.2
 ---

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LdapFactoryTrait.php

@@ -16,7 +16,6 @@
 use Symfony\Component\DependencyInjection\Definition;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\Ldap\Security\CheckLdapCredentialsListener;
-use Symfony\Component\Ldap\Security\EraseLdapUserCredentialsListener;
 use Symfony\Component\Ldap\Security\LdapAuthenticator;
 
 /**
@@ -43,12 +42,6 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
             ->addArgument(new Reference('security.ldap_locator'))
         ;
 
-        if (class_exists(EraseLdapUserCredentialsListener::class && !$container->getParameter('security.authentication.manager.erase_credentials'))) {
-            $container->setDefinition('security.listener.'.$key.'.'.$firewallName.'erase_ldap_credentials', new Definition(EraseLdapUserCredentialsListener::class))
-                ->addTag('kernel.event_subscriber', ['dispatcher' => 'security.event_dispatcher.'.$firewallName])
-            ;
-        }
-
         $ldapAuthenticatorId = 'security.authenticator.'.$key.'.'.$firewallName;
         $definition = $container->setDefinition($ldapAuthenticatorId, new Definition(LdapAuthenticator::class))
             ->setArguments([

src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php

@@ -136,9 +136,6 @@ public function load(array $configs, ContainerBuilder $container): void
 
         // set some global scalars
         $container->setParameter('security.access.denied_url', $config['access_denied_url']);
-        if (true === $config['erase_credentials']) {
-            trigger_deprecation('symfony/security-bundle', '7.3', 'Setting the "security.erase_credentials" config option to true is deprecated and won\'t have any effect in 8.0, set it to false instead and use your own erasing logic if needed.');
-        }
         $container->setParameter('security.authentication.manager.erase_credentials', $config['erase_credentials']);
         $container->setParameter('security.authentication.session_strategy.strategy', $config['session_fixation_strategy']);
 

src/Symfony/Bundle/SecurityBundle/Tests/Debug/TraceableFirewallListenerTest.php

@@ -19,6 +19,7 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
+use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticatorManager;
@@ -89,7 +90,7 @@ public function testOnKernelRequestRecordsAuthenticatorsInfo()
         $supportingAuthenticator
             ->expects($this->once())
             ->method('createToken')
-            ->willReturn($this->createMock(TokenInterface::class));
+            ->willReturn(new class extends AbstractToken {});
 
         $notSupportingAuthenticator = $this->createMock(DummyAuthenticator::class);
         $notSupportingAuthenticator
@@ -103,9 +104,7 @@ public function testOnKernelRequestRecordsAuthenticatorsInfo()
             [new TraceableAuthenticator($notSupportingAuthenticator), new TraceableAuthenticator($supportingAuthenticator)],
             $tokenStorage,
             $dispatcher,
-            'main',
-            null,
-            false
+            'main'
         );
 
         $listener = new TraceableAuthenticatorManagerListener(new AuthenticatorManagerListener($authenticatorManager));

src/Symfony/Bundle/SecurityBundle/composer.json

@@ -22,7 +22,6 @@
         "symfony/clock": "^6.4|^7.0",
         "symfony/config": "^6.4|^7.0",
         "symfony/dependency-injection": "^6.4.11|^7.1.4",
-        "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/event-dispatcher": "^6.4|^7.0",
         "symfony/http-kernel": "^6.4|^7.0",
         "symfony/http-foundation": "^6.4|^7.0",

src/Symfony/Component/Ldap/CHANGELOG.md

@@ -4,8 +4,7 @@ CHANGELOG
 7.3
 ---
 
- * Deprecate `LdapUser::eraseCredentials()`, use `LdapUser::setPassword(null)` instead
- * Add `EraseLdapUserCredentialsListener`
+ * Deprecate `LdapUser::eraseCredentials()` in favor of `__serialize()`
 
 7.2
 ---