[SecurityBundle] Deprecate ACL related code

Robin Chalas · Robin Chalas · commit e3b7dc54243f · 2017-09-26T13:11:38.000+02:00
diff --git a/UPGRADE-3.4.md b/UPGRADE-3.4.md
@@ -264,10 +264,11 @@ SecurityBundle
    `Doctrine\DBAL\Connection`  as first argument. Not passing it is
     deprecated and will throw a `TypeError` in 4.0.
 
- * `SetAclCommand::__construct()` now takes an instance of
-   `Symfony\Component\Security\Acl\Model\MutableAclProviderInterfaceConnection`
-    as first argument. Not passing it is deprecated and will throw a `TypeError`
-    in 4.0.
+ * The `acl:set` command has been deprecated along with the `SetAclCommand` class,
+   both will be removed in 4.0. Install symfony/acl-bundle instead
+
+ * The `init:acl` command has been deprecated along with the `InitAclCommand` class,
+   both will be removed in 4.0. Install symfony/acl-bundle and use `acl:init` instead
 
  * Added `logout_on_user_change` to the firewall options. This config item will
    trigger a logout when the user has changed. Should be set to true to avoid
diff --git a/UPGRADE-4.0.md b/UPGRADE-4.0.md
@@ -656,12 +656,9 @@ SecurityBundle
 
  * `UserPasswordEncoderCommand` does not extend `ContainerAwareCommand` nor implement `ContainerAwareInterface` anymore.
 
- * `InitAclCommand::__construct()` now requires an instance of
-   `Doctrine\DBAL\Connection`  as first argument.
+ * `InitAclCommand` has been removed. Use `Symfony\Bundle\AclBundle\Command\InitAclCommand` instead
 
- * `SetAclCommand::__construct()` now requires an instance of
-   `Symfony\Component\Security\Acl\Model\MutableAclProviderInterfaceConnection`
-    as first argument.
+ * `SetAclCommand` has been removed. Use `Symfony\Bundle\AclBundle\Command\SetAclCommand` instead
 
  * The firewall option `logout_on_user_change` is now always true, which will
    trigger a logout if the user changes between requests.
diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -8,14 +8,11 @@ CHANGELOG
    `VoterInterface` on the class is now deprecated and will be removed in 4.0.
  * [BC BREAK] `FirewallContext::getListeners()` now returns `\Traversable|array`
  * added info about called security listeners in profiler 
- * `InitAclCommand::__construct()` now takes an instance of
-   `Doctrine\DBAL\Connection`  as first argument
- * `SetAclCommand::__construct()` now takes an instance of
-   `Symfony\Component\Security\Acl\Model\MutableAclProviderInterfaceConnection`
-   as first argument
  * Added `logout_on_user_change` to the firewall options. This config item will
    trigger a logout when the user has changed. Should be set to true to avoid
    deprecations in the configuration.
+ * deprecated command `acl:set` along with `SetAclCommand` class
+ * deprecated command `init:acl` along with `InitAclCommand` class
 
 3.3.0
 -----
diff --git a/src/Symfony/Bundle/SecurityBundle/Command/InitAclCommand.php b/src/Symfony/Bundle/SecurityBundle/Command/InitAclCommand.php
@@ -11,9 +11,13 @@
 
 namespace Symfony\Bundle\SecurityBundle\Command;
 
+@trigger_error(sprintf('Class "%s" is deprecated since version 3.4 and will be removed in 4.0. Use Symfony\Bundle\AclBundle\Command\SetAclCommand instead.', SetAclCommand::class), E_USER_DEPRECATED);
+
 use Symfony\Bundle\FrameworkBundle\Command\ContainerAwareCommand;
 use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\ConsoleOutputInterface;
 use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
 use Symfony\Component\Security\Acl\Dbal\Schema;
 use Doctrine\DBAL\Connection;
 use Doctrine\DBAL\Schema\SchemaException;
@@ -23,7 +27,7 @@
  *
  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  *
- * @final since version 3.4
+ * @deprecated since version 3.4, to be removed in 4.0. See Symfony\Bundle\AclBundle\Command\SetAclCommand instead.
  */
 class InitAclCommand extends ContainerAwareCommand
 {
@@ -32,15 +36,9 @@ class InitAclCommand extends ContainerAwareCommand
     private $connection;
     private $schema;
 
-    /**
-     * @param Connection $connection
-     * @param Schema     $schema
-     */
     public function __construct($connection = null, Schema $schema = null)
     {
         if (!$connection instanceof Connection) {
-            @trigger_error(sprintf('%s() expects an instance of "%s" as first argument since version 3.4. Not passing it is deprecated and will throw a TypeError in 4.0.', __METHOD__, Connection::class), E_USER_DEPRECATED);
-
             parent::__construct($connection);
 
             return;
@@ -54,8 +52,6 @@ public function __construct($connection = null, Schema $schema = null)
 
     /**
      * {@inheritdoc}
-     *
-     * BC to be removed in 4.0
      */
     public function isEnabled()
     {
@@ -93,7 +89,8 @@ protected function configure()
      */
     protected function execute(InputInterface $input, OutputInterface $output)
     {
-        // BC to be removed in 4.0
+        (new SymfonyStyle($input, $output instanceof ConsoleOutputInterface ? $output->getErrorOutput() : $output))->warning('Command "init:acl" is deprecated since version 3.4 and will be removed from SecurityBundle in 4.0. Install symfony/acl-bundle and use "acl:init" instead.');
+
         if (null === $this->connection) {
             $this->connection = $this->getContainer()->get('security.acl.dbal.connection');
             $this->schema = $this->getContainer()->get('security.acl.dbal.schema');
diff --git a/src/Symfony/Bundle/SecurityBundle/Command/SetAclCommand.php b/src/Symfony/Bundle/SecurityBundle/Command/SetAclCommand.php
@@ -11,11 +11,15 @@
 
 namespace Symfony\Bundle\SecurityBundle\Command;
 
+@trigger_error(sprintf('Class "%s" is deprecated since version 3.4 and will be removed in 4.0. Use Symfony\Bundle\AclBundle\Command\SetAclCommand instead.', SetAclCommand::class), E_USER_DEPRECATED);
+
 use Symfony\Bundle\FrameworkBundle\Command\ContainerAwareCommand;
 use Symfony\Component\Console\Input\InputArgument;
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\ConsoleOutputInterface;
 use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
 use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
 use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
 use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
@@ -28,7 +32,7 @@
  *
  * @author Kévin Dunglas <kevin@les-tilleuls.coop>
  *
- * @final since version 3.4
+ * @deprecated since version 3.4, to be removed in 4.0. See Symfony\Bundle\AclBundle\Command\SetAclCommand instead.
  */
 class SetAclCommand extends ContainerAwareCommand
 {
@@ -42,8 +46,6 @@ class SetAclCommand extends ContainerAwareCommand
     public function __construct($provider = null)
     {
         if (!$provider instanceof MutableAclProviderInterface) {
-            @trigger_error(sprintf('%s() expects an instance of "%s" as first argument since version 3.4. Not passing it is deprecated and will throw a TypeError in 4.0.', __METHOD__, MutableAclProviderInterface::class), E_USER_DEPRECATED);
-
             parent::__construct($provider);
 
             return;
@@ -56,8 +58,6 @@ public function __construct($provider = null)
 
     /**
      * {@inheritdoc}
-     *
-     * BC to be removed in 4.0
      */
     public function isEnabled()
     {
@@ -117,7 +117,8 @@ protected function configure()
      */
     protected function execute(InputInterface $input, OutputInterface $output)
     {
-        // BC to be removed in 4.0
+        (new SymfonyStyle($input, $output instanceof ConsoleOutputInterface ? $output->getErrorOutput() : $output))->warning('Command "acl:set" is deprecated since version 3.4 and will be removed from SecurityBundle in 4.0. Install symfony/acl-bundle to use this command.');
+
         if (null === $this->provider) {
             $this->provider = $this->getContainer()->get('security.acl.provider');
         }
@@ -192,8 +193,6 @@ protected function execute(InputInterface $input, OutputInterface $output)
     /**
      * Gets the mask builder.
      *
-     * BC to be removed in 4.0
-     *
      * @return MaskBuilder
      */
     protected function getMaskBuilder()
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -121,6 +121,7 @@ private function addAclSection(ArrayNodeDefinition $rootNode)
         $rootNode
             ->children()
                 ->arrayNode('acl')
+                    ->setDeprecated('The "security.acl" configuration key is deprecated since version 3.4 and will be removed in 4.0. Install symfony/acl-bundle and use the "acl" key instead.')
                     ->children()
                         ->scalarNode('connection')
                             ->defaultNull()
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
@@ -22,8 +22,6 @@
 
 abstract class CompleteConfigurationTest extends TestCase
 {
-    private static $containerCache = array();
-
     abstract protected function getLoader(ContainerBuilder $container);
 
     abstract protected function getFileExtension();
@@ -38,6 +36,20 @@ public function testRolesHierarchy()
         ), $container->getParameter('security.role_hierarchy.roles'));
     }
 
+    /**
+     * @group legacy
+     * @expectedDeprecation The "security.acl" configuration key is deprecated since version 3.4 and will be removed in 4.0. Install symfony/acl-bundle and use the "acl" key instead.
+     */
+    public function testRolesHierarchyWithAcl()
+    {
+        $container = $this->getContainer('container1_with_acl');
+        $this->assertEquals(array(
+            'ROLE_ADMIN' => array('ROLE_USER'),
+            'ROLE_SUPER_ADMIN' => array('ROLE_USER', 'ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'),
+            'ROLE_REMOTE' => array('ROLE_USER', 'ROLE_ADMIN'),
+        ), $container->getParameter('security.role_hierarchy.roles'));
+    }
+
     public function testUserProviders()
     {
         $container = $this->getContainer('container1');
@@ -314,14 +326,22 @@ public function testEncoders()
         )), $container->getDefinition('security.encoder_factory.generic')->getArguments());
     }
 
+    /**
+     * @group legacy
+     * @expectedDeprecation The "security.acl" configuration key is deprecated since version 3.4 and will be removed in 4.0. Install symfony/acl-bundle and use the "acl" key instead.
+     */
     public function testAcl()
     {
-        $container = $this->getContainer('container1');
+        $container = $this->getContainer('container1_with_acl');
 
         $this->assertTrue($container->hasDefinition('security.acl.dbal.provider'));
         $this->assertEquals('security.acl.dbal.provider', (string) $container->getAlias('security.acl.provider'));
     }
 
+    /**
+     * @group legacy
+     * @expectedDeprecation The "security.acl" configuration key is deprecated since version 3.4 and will be removed in 4.0. Install symfony/acl-bundle and use the "acl" key instead.
+     */
     public function testCustomAclProvider()
     {
         $container = $this->getContainer('custom_acl_provider');
@@ -421,9 +441,6 @@ protected function getContainer($file)
     {
         $file = $file.'.'.$this->getFileExtension();
 
-        if (isset(self::$containerCache[$file])) {
-            return self::$containerCache[$file];
-        }
         $container = new ContainerBuilder();
         $security = new SecurityExtension();
         $container->registerExtension($security);
@@ -436,6 +453,6 @@ protected function getContainer($file)
         $container->getCompilerPassConfig()->setRemovingPasses(array());
         $container->compile();
 
-        return self::$containerCache[$file] = $container;
+        return $container;
     }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php
@@ -1,7 +1,6 @@
 <?php
 
 $container->loadFromExtension('security', array(
-    'acl' => array(),
     'encoders' => array(
         'JMS\FooBundle\Entity\User1' => 'plaintext',
         'JMS\FooBundle\Entity\User2' => array(
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_acl.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_acl.php
@@ -0,0 +1,102 @@
+<?php
+
+$container->loadFromExtension('security', array(
+    'acl' => array(),
+    'encoders' => array(
+        'JMS\FooBundle\Entity\User1' => 'plaintext',
+        'JMS\FooBundle\Entity\User2' => array(
+            'algorithm' => 'sha1',
+            'encode_as_base64' => false,
+            'iterations' => 5,
+        ),
+        'JMS\FooBundle\Entity\User3' => array(
+            'algorithm' => 'md5',
+        ),
+        'JMS\FooBundle\Entity\User4' => array(
+            'id' => 'security.encoder.foo',
+        ),
+        'JMS\FooBundle\Entity\User5' => array(
+            'algorithm' => 'pbkdf2',
+            'hash_algorithm' => 'sha1',
+            'encode_as_base64' => false,
+            'iterations' => 5,
+            'key_length' => 30,
+        ),
+        'JMS\FooBundle\Entity\User6' => array(
+            'algorithm' => 'bcrypt',
+            'cost' => 15,
+        ),
+    ),
+    'providers' => array(
+        'default' => array(
+            'memory' => array(
+                'users' => array(
+                    'foo' => array('password' => 'foo', 'roles' => 'ROLE_USER'),
+                ),
+            ),
+        ),
+        'digest' => array(
+            'memory' => array(
+                'users' => array(
+                    'foo' => array('password' => 'foo', 'roles' => 'ROLE_USER, ROLE_ADMIN'),
+                ),
+            ),
+        ),
+        'basic' => array(
+            'memory' => array(
+                'users' => array(
+                    'foo' => array('password' => '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33', 'roles' => 'ROLE_SUPER_ADMIN'),
+                    'bar' => array('password' => '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33', 'roles' => array('ROLE_USER', 'ROLE_ADMIN')),
+                ),
+            ),
+        ),
+        'service' => array(
+            'id' => 'user.manager',
+        ),
+        'chain' => array(
+            'chain' => array(
+                'providers' => array('service', 'basic'),
+            ),
+        ),
+    ),
+
+    'firewalls' => array(
+        'simple' => array('pattern' => '/login', 'security' => false),
+        'secure' => array('stateless' => true,
+            'http_basic' => true,
+            'http_digest' => array('secret' => 'TheSecret'),
+            'form_login' => true,
+            'anonymous' => true,
+            'switch_user' => true,
+            'x509' => true,
+            'remote_user' => true,
+            'logout' => true,
+            'remember_me' => array('secret' => 'TheSecret'),
+            'user_checker' => null,
+        ),
+        'host' => array(
+            'pattern' => '/test',
+            'host' => 'foo\\.example\\.org',
+            'methods' => array('GET', 'POST'),
+            'anonymous' => true,
+            'http_basic' => true,
+        ),
+        'with_user_checker' => array(
+            'user_checker' => 'app.user_checker',
+            'anonymous' => true,
+            'http_basic' => true,
+        ),
+    ),
+
+    'access_control' => array(
+        array('path' => '/blog/524', 'role' => 'ROLE_USER', 'requires_channel' => 'https', 'methods' => array('get', 'POST')),
+        array('path' => '/blog/.*', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'),
+        array('path' => '/blog/524', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY', 'allow_if' => "token.getUsername() matches '/^admin/'"),
+    ),
+
+    'role_hierarchy' => array(
+        'ROLE_ADMIN' => 'ROLE_USER',
+        'ROLE_SUPER_ADMIN' => array('ROLE_USER', 'ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'),
+        'ROLE_REMOTE' => 'ROLE_USER,ROLE_ADMIN',
+    ),
+));
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1.xml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1.xml
@@ -6,8 +6,6 @@
     xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
 
     <config>
-        <acl />
-
         <encoder class="JMS\FooBundle\Entity\User1" algorithm="plaintext" />
 
         <encoder class="JMS\FooBundle\Entity\User2" algorithm="sha1" encode-as-base64="false" iterations="5" />
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1_with_acl.xml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1_with_acl.xml
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1.yml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1.yml
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1_with_acl.yml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1_with_acl.yml
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/SetAclCommandTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/SetAclCommandTest.php
