[SecurityBundle] UserPasswordEncoderCommand: Improve & simplify the command usage #14032
Conversation
|
@javiereguiluz : May I ask you what you think, at least about the new command output (according to command style guide) ? Ping @inanimatt :) I'm pretty sure my tests aren't relevant, but I'm not used to. I even deleted the encoders specific static tests as I didn't know how to test them since the |
|
@ogizanagi honestly I think we should change everything. The output is very different from what we propose for Symfony commands. Sadly, I also find the text contents displayed by the command very verbose :( |
|
@javiereguiluz : Actually, I think you're right. I believe the command was meant to be used by symfony's newcomers for didactic purposes. Which explains the initial full interactivity and verbosity. Should we keep, remove, or tweak:
|
| @@ -32,10 +35,10 @@ protected function configure() | |||
| { | |||
| $this | |||
| ->setName('security:encode-password') | |||
| ->setDescription('Encode a password.') | |||
| ->setDescription('Encodes a password.') | |||
| ->addArgument('password', InputArgument::OPTIONAL, 'Enter a password') | |||
There was a problem hiding this comment.
We could chnage this description by something like: The raw password to encode
|
Changes have been made. Thanks @javiereguiluz for your precious corrections & samples for the command description and @jrobeson & @inanimatt for having reminded what was said about the Should we at least make the |
|
@javiereguiluz : I didn't expect changing the output that much within this PR, only the behavior, but do you think the following command outputs are more compliant with your console style guide ? (I used the recently merged #14057 , but changes haven't been pushed for now) I'll be glad to change the note about salt generation when using the interactive way if it doesn't please you, but I still think the user should be warn somehow (or explain the confirmation question context). No interaction:No password:
Bcrypt without empty salt option
Bcryp with empty-salt option
Interaction & other encoder
|
|
@ogizanagi wow! I love it! Now that the new console style guide is merged, I was planning to start updating the existing commands, but I'm glad that you already started with this command. My only suggestion: there is no need to add |
|
Changes pushed, then ! I will update the PR description and screenshots. |
|
|
||
| $output->writeln("\n <comment>Encoders are configured by user type in the security.yml file.</comment>"); | ||
| $output->note('The command will take care about generating a salt for you. Be aware that some encoders advise to let them generate their own salt. If you\'re using one of those encoders, please answer \'no\' to the question below. '.PHP_EOL.'Provide the \'empty-salt\' option in order to let the encoder handle the generation itself.'); |
There was a problem hiding this comment.
Very minor point: "The command will generate a salt for you" would be more simple and more correct (otherwise "take care of") 😄
There was a problem hiding this comment.
Thank you. I updated this right now. :)
|
Nice work, @ogizanagi, it's very much improved. And thanks again (and sorry) to @saro0h for the initial work on this. We got there in the end :) |
|
Yes, I feel bad for having changed this much @saro0h's original work 😥 |
|
What should be done about Travis failures in 56604789 and 56604790 ?
error that Travis reported. |
|
ping @fabpot . I think this PR is ready for merging. Let me know if there is anything else to do (squash ?). |
|
👍 indeed the code looks ready to be merged ... but what should we do with the Travis issues? |
|
@javiereguiluz : at least for 3.0 branch and |
|
In some cases deps=high can be ignored. But deps=low should never ever be red before merging anything. |
…ommand usage - Remove the salt option. Always generate a salt. - Provide a short version by setting the default user-class to Symfony\Component\Security\Core\User\User. - Add an empty-salt option in order to let encoders generate their built-in salts (BCryptPasswordEncoder), or for custom encoders requiring no salt.
…out salt generation when using the interactive command
…enerate its built-in salt
…etected without empty-salt option
…with console style guide
|
Thank you @ogizanagi. |
…s methods (ogizanagi) This PR was merged into the 3.0-dev branch. Discussion ---------- [3.0][Console][OutputStyle] Implements verbosity levels methods | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | N/A - Travis build for #14032 | License | MIT Implements the verbosity level methods from `OutputInterface` for the new `OutputStyle` abstract class in 3.0 branch. Fixes Travis builds with `deps=high` env var for #14032 PR and future console style updates. ========= Related to: #14032, #14057, #14138, #14132, #14172, ... Commits ------- a30f507 [Console] [OutputStyle] Implements verbosity methods
|
@ogizanagi tests are failing on 2.7 after the merge, can you please provide a fixing patch asap? |
|
@nicolas-grekas : Sure. But I think the error comes from this commit: e9c7912 |
Overlaps #14017 (might replace or follow it) . Sorry if it is considered as a duplicate, but the debate has evolved, and I think the arguments ordering isn't the best nor single way to improve this command usage anymore.
Thank you @saro0h for having considered the mentioned issues and spent time on it.
Salt option & salt generation
Thanks to @ircmaxell & @inanimatt, we came to the conclusion that the use-cases for the
saltoption/argument are pretty arguable. So I suggest to get rid of it: a salt will always be generated by the command.Generated salt
The generated salt is now in the Table output:
security:encode-password test -nThe "Generated salt" row and the last comment about the salt aren't present if the new
empty-saltoption is provided (see below).New empty-salt option
As some encoders might generate their own built-in salts (like the
BCryptPasswordEncoder) and some custom encoders could do the same (or not require a salt at all), I suggest a new option:empty-salt.This option will not provide any salt to the configured encoder, which will generate its own, then.
With the interactive way, the user will always be asked confirmation for the salt generation if the
empty-saltoption isn't set:security:encode-password passwordbcrypt encoder
As the
BCryptPasswordEncoderis shipped with the security component, and listening to @inanimatt valuable comments in #13988, I introduced a second commit (0cdb546) making an exception for thebcryptencoder, and always set theempty-saltoption with it.We're aware that's not ideal from a OO design perspective, but far better from a DX one. If not desired, I will revert it.
Anyway I think #13988 (comment) and other comments about the
PasswordEncoderAPI and salt generation should be considered for 3.0.A note is added when bcrypt encoder is detected without the
empty-saltoption:security:encode-password password "Custom\Class\Bcrypt\User" -nDefault user-class
The default
user-classis set toSymfony\Component\Security\Core\User\User.I think this makes sense, as in the previous version of the command, the Symfony\Component\Security\Core\User\User was configured in the setAutocompleterValues and set the $value to Symfony\Component\Security\Core\User\User if null.
Asking the question to the user with the interactive command would have been useful only if the user was able to pick one encoder from a choice list.
Arguments order / make arguments options
When we had both
saltanduser-classas arguments, the command looked like:All arguments were optional, for the interactive command purpose (The command asked the user for missing arguments).
But, as they were arguments, we had to provide each of them in the proper order. That meant we couldn't provide a salt without defining the optional user-class.
So I suggested using options instead of arguments for both user-class & salt.
But as the
saltoption/argument is removed, now I don't feel the need for theuser-classto be an option.Indeed, the new command short version will look like the following:
Making the user-class an option IMO isn't a necessity anymore, and will only lengthen the command:
security:encode-password password --user-class="AppBundle\Model\User"Bonus: