SecurityBundle configuration via environment variables #28051

Closed
zerkms opened this issue Jul 24, 2018 · 13 comments
Labels
Help wanted (Issues and PRs which are looking for volunteers to complete them), SecurityBundle

Comments

@zerkms
Contributor

zerkms commented Jul 24, 2018

Symfony version(s) affected: 4.1

Description

Security bundle configuration does not resolve environment variables (at least cookie_secure)

How to reproduce

```yaml
framework:
    session:
        cookie_secure: '%env(bool:APP_SECURE)%'
```

This config looks good, whereas `Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddSessionDomainConstraintPass` does not take it into account and uses `$sessionOptions['cookie_secure']` as-is, which holds the `env_b5fff47290c287c9_bool_APP_SECURE_93dabfcdbc8f9f7829f1a29cd3d2d083` value.

Possible Solution

Instead of YAML, use the following ugly PHP-based configuration (or its variations):

```php
<?php
// PHP-format framework configuration; $container is the ContainerBuilder
// that Symfony passes to PHP config files.

// Read APP_SECURE once, at container compile time; default to secure.
$envSecure = getenv('APP_SECURE');
if ($envSecure === false) {
    $envSecure = true;
} else {
    // Accept "1"/"0", "true"/"false", "on"/"off", "yes"/"no"; null on anything else.
    $envSecure = filter_var($envSecure, FILTER_VALIDATE_BOOLEAN, ['flags' => FILTER_NULL_ON_FAILURE]);

    if ($envSecure === null) {
        $envSecure = true;
    }
}

$container->loadFromExtension('framework', [
    'session' => [
        'cookie_secure' => $envSecure,
    ],
]);
```

Additional context

@nicolas-grekas
Member

nicolas-grekas commented Jul 28, 2018

The unresolved value is normal at this stage: these placeholders are resolved later on, when the container is dumped. The solution you suggest doesn't work as one would expect: it generates a compiled container that will hold the static value that was set at compile time, while the very nature of env vars is to be configurable at run time with a call to getenv() or similar.
What's the real world issue you're facing?

@zerkms
Contributor Author

zerkms commented Jul 28, 2018

> What's the real world issue you're facing?

Inability to set `framework.session.cookie_secure` via environment variables.

`env_b5fff47290c287c9_bool_APP_SECURE_93dabfcdbc8f9f7829f1a29cd3d2d083` - this value in the `empty($sessionOptions['cookie_secure'])` predicate is always false, since it's not empty.

> The solution you suggest doesn't work as one would expect

At least it respects the actual values.

@ro0NL
Contributor

ro0NL commented Jul 29, 2018

Maybe we can move the logic to runtime for this case?

```php
// Current logic in AddSessionDomainConstraintPass::process(), run at compile time:
// the scheme part of the pattern is chosen from whatever cookie_secure holds then.
$sessionOptions = $container->getParameter('session.storage.options');
$domainRegexp = empty($sessionOptions['cookie_domain']) ? '%s' : sprintf('(?:%%s|(?:.+\.)?%s)', preg_quote(trim($sessionOptions['cookie_domain'], '.')));
$domainRegexp = (empty($sessionOptions['cookie_secure']) ? 'https?://' : 'https://').$domainRegexp;
$container->findDefinition('security.http_utils')->addArgument(sprintf('{^%s$}i', $domainRegexp));
```
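
To make the compile-time behaviour concrete, here is an added stand-alone PHP script (not code from the thread or from Symfony) that applies the same predicate to a real bool and to the env placeholder quoted above, then takes the same decision from the actual env var at run time. `buildDomainRegexp()` and `cookieSecureAtRuntime()` are hypothetical helper names.

```php
<?php
// Added example, not code from the thread or from Symfony. It reproduces the
// predicate the compiler pass applies to $sessionOptions['cookie_secure'] and
// shows why an unresolved env placeholder never evaluates as "not secure".
// buildDomainRegexp() and cookieSecureAtRuntime() are hypothetical helpers.

function buildDomainRegexp(array $sessionOptions): string
{
    // Same construction as the pass: optional cookie_domain, then the scheme.
    $domainRegexp = empty($sessionOptions['cookie_domain'])
        ? '%s'
        : sprintf('(?:%%s|(?:.+\.)?%s)', preg_quote(trim($sessionOptions['cookie_domain'], '.')));
    // empty() is false for any non-empty string, a placeholder included,
    // so a placeholder always selects the https-only branch.
    $scheme = empty($sessionOptions['cookie_secure']) ? 'https?://' : 'https://';

    return sprintf('{^%s$}i', $scheme.$domainRegexp);
}

// Placeholder as quoted in the thread: what cookie_secure holds before the
// container is dumped when configured as '%env(bool:APP_SECURE)%'.
$placeholder = 'env_b5fff47290c287c9_bool_APP_SECURE_93dabfcdbc8f9f7829f1a29cd3d2d083';

foreach ([false, true, $placeholder] as $value) {
    printf("%-75s => %s\n", var_export($value, true), buildDomainRegexp(['cookie_secure' => $value]));
}

// Resolving at run time instead: read the env var when the value is needed,
// not when the container is compiled.
function cookieSecureAtRuntime(string $envName, bool $default): bool
{
    $raw = getenv($envName);
    if ($raw === false) {
        return $default;
    }
    // filter_var() returns null for values that are not a recognised boolean.
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? $default;
}

putenv('APP_SECURE=0'); // constructed value for this demonstration
echo buildDomainRegexp(['cookie_secure' => cookieSecureAtRuntime('APP_SECURE', true)]), "\n";
```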

@nicolas-grekas
Member

We would definitely need a runtime check to allow using an env var here.
PR welcome @zerkms

nicolas-grekas added the Help wanted label Sep 7, 2018
@gonzalovilaseca
Contributor

@zerkms Are you working on this? I can pick it up if you're busy

@zerkms
Contributor Author

zerkms commented Sep 30, 2018

@gonzalovilaseca I'm moving house and expecting a newborn in a couple of weeks - I definitely won't be able to do any open source soon :-D

@gonzalovilaseca
Contributor

@zerkms For a looooong time :-)

@gonzalovilaseca
Contributor

gonzalovilaseca commented Sep 30, 2018

I've done this: https://github.com/symfony/symfony/compare/master...gonzalovilaseca:gv-28051?expand=1

But I'm getting `The parameter "env_0ad3efce154cc146_bool_APP_SECURE_94c20e3f9fd8679095faf3a5596de9e3" must be defined.` @nicolas-grekas any ideas?

@nicolas-grekas
Member

Now that cookies can be auto-secure, is this really worth it? That'd add complexity we'd have to justify...
See #28446, #28447 and related.

@gonzalovilaseca
Contributor

The compiled container has `return $this->privates['security.http_utils'] = new \Symfony\Component\Security\Http\HttpUtils($a, $a, $this->getParameter('env_0ad3efce154cc146_bool_APP_SECURE_94c20e3f9fd8679095faf3a5596de9e3'), $this->getParameter('%s'));`
Should it be `APP_SECURE` instead of `env_0ad3efce154cc146_bool_APP_SECURE_94c20e3f9fd8679095faf3a5596de9e3`?

@gonzalovilaseca
Contributor

Oh, I just picked it up because it had the help wanted label, I'm not planning on using it... let me know if it's not needed and I'll move to another issue.

@zerkms
Contributor Author

zerkms commented Sep 30, 2018

> Now that cookies can be auto-secure, is this really worth it?

I've personally seen applications that should have had authentication done via https and the rest of the application accessed through http.

@gonzalovilaseca
Contributor

I had the code almost done, so I've created the PR, if it doesn't go ahead it can always be closed: #28651

@fabpot fabpot closed this as completed Mar 4, 2019