[Security] add port in access_control #28061
Conversation
| * @param string|string[]|null $methods | ||
| * @param string|string[]|null $ips | ||
| * @param array $attributes | ||
| * @param string|string[]|null $schemes | ||
| */ | ||
| public function __construct(string $path = null, string $host = null, $methods = null, $ips = null, array $attributes = array(), $schemes = null) | ||
| public function __construct(string $path = null, string $host = null, $port = null, $methods = null, $ips = null, array $attributes = array(), $schemes = null) |
There was a problem hiding this comment.
This is a BC break, you should add the new arguments at the end of the list
| */ | ||
| public function matchPort($port) | ||
| { | ||
| $this->port = (int) $port; |
There was a problem hiding this comment.
(int) null => 0 (in this case the value is not clear)
There was a problem hiding this comment.
We can also use a type hint here.
| @@ -167,6 +184,10 @@ public function matches(Request $request) | |||
| return false; | |||
| } | |||
|
|
|||
| if (0 < $this->port && $request->getPort() !== $this->port) { | |||
|
@chalasr this looks like a useful feature for some people and I can't see any security issue if we introduce this change, but could you please review it? Thanks! |
| * @param string|string[]|null $methods | ||
| * @param string|string[]|null $ips | ||
| * @param array $attributes | ||
| * @param string|string[]|null $schemes | ||
| */ | ||
| public function __construct(string $path = null, string $host = null, $methods = null, $ips = null, array $attributes = array(), $schemes = null) | ||
| public function __construct(string $path = null, string $host = null, $methods = null, $ips = null, array $attributes = array(), $schemes = null, $port = null) |
There was a problem hiding this comment.
Oh yeah, now we can use typehint in this version 👍
| @@ -140,6 +140,7 @@ private function addAccessControlSection(ArrayNodeDefinition $rootNode) | |||
| ->example('^/path to resource/') | |||
| ->end() | |||
| ->scalarNode('host')->defaultNull()->end() | |||
| ->scalarNode('port')->defaultNull()->end() | |||
There was a problem hiding this comment.
we probably don't want to deal with strings here, should be an integerNode() to me
| $methods = isset($firewall['methods']) ? $firewall['methods'] : array(); | ||
| $matcher = $this->createRequestMatcher($container, $pattern, $host, $methods); | ||
| $matcher = $this->createRequestMatcher($container, $pattern, $host, $port, $methods); |
There was a problem hiding this comment.
$firewall['port'] ?? null, removing the assignment above
There was a problem hiding this comment.
Can I do the same things for the rest (host, …) or is it must be in another P.R.?
There was a problem hiding this comment.
I would keep them unchanged to avoid conflicts when merging lower branches up to master
| @@ -668,20 +670,20 @@ private function createExpression($container, $expression) | |||
| return $this->expressions[$id] = new Reference($id); | |||
| } | |||
|
|
|||
| private function createRequestMatcher($container, $path = null, $host = null, $methods = array(), $ip = null, array $attributes = array()) | |||
| private function createRequestMatcher($container, $path = null, $host = null, $port = null, $methods = array(), $ip = null, array $attributes = array()) | |||
| * | ||
| * @param int|null $port The port number to connect to | ||
| */ | ||
| public function matchPort($port) |
There was a problem hiding this comment.
this one should use int $port = null, the existing public methods of this class have been added before php scalar typehints and cannot be changed for BC
| { | ||
| $portInt = (int) $port; | ||
|
|
||
| $this->port = is_numeric($port) || $port == $portInt ? $portInt : null; |
There was a problem hiding this comment.
should just assign $this->port to $port (see my comment above)
| * | ||
| * @param int|null $port The port number to connect to | ||
| */ | ||
| public function matchPort(int $port): void |
There was a problem hiding this comment.
please remove the return type also, we don't use void generally
| @@ -5,6 +5,7 @@ CHANGELOG | |||
| ----- | |||
|
|
|||
| * added `getAcceptableFormats()` for reading acceptable formats based on Accept header | |||
| * added `port` property and `matchPort()` in RequestMatcher | |||
There was a problem hiding this comment.
only the method is relevant here, the property is private
| @@ -245,7 +245,7 @@ public function testAccess() | |||
|
|
|||
| $rules = array(); | |||
| foreach ($container->getDefinition('security.access_map')->getMethodCalls() as $call) { | |||
| if ('add' == $call[0]) { | |||
| if ('add' === $call[0]) { | |||
| @@ -247,7 +248,7 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a | |||
| $pattern = isset($firewall['pattern']) ? $firewall['pattern'] : null; | |||
| $host = isset($firewall['host']) ? $firewall['host'] : null; | |||
| $methods = isset($firewall['methods']) ? $firewall['methods'] : array(); | |||
| $matcher = $this->createRequestMatcher($container, $pattern, $host, $methods); | |||
| $matcher = $this->createRequestMatcher($container, $pattern, $host, $firewall['port'] ?? null, $methods); | |||
There was a problem hiding this comment.
this looks for a port option on a firewall but it does not exist yet
There was a problem hiding this comment.
If we add the option to firewalls (I think we should but it could be done in another PR, in this case null should be passed here) then it should be covered by tests and mentioned in the CHANGELOG as for access_controls
There was a problem hiding this comment.
So I kept this and I do another P.R. for adding this options to firewall, or I remove all?
Does it finally make sense to put it on for the firewall?
There was a problem hiding this comment.
the check can't be true, let's remove it (pass null) for now and discuss it separately.
All the existing access_control options are also available at the firewall level, I see no reason for not adding this one wrong, ip is not available for firewalls. let's discuss it elsewhere :)
There was a problem hiding this comment.
You should pass null here, the option does not exist.
| $httpRequest = $request = $request = Request::create(''); | ||
| $httpsRequest = $request = $request = Request::create('', 'get', array(), array(), array(), array('HTTPS' => 'on')); | ||
| $httpRequest = Request::create(''); | ||
| $httpsRequest = Request::create('', 'get', array(), array(), array(), array('HTTPS' => 'on')); |
| @@ -442,7 +442,7 @@ public function testCustomAccessDecisionManagerService() | |||
| */ | |||
| public function testAccessDecisionManagerServiceAndStrategyCannotBeUsedAtTheSameTime() | |||
| { | |||
| $container = $this->getContainer('access_decision_manager_service_and_strategy'); | |||
| $this->getContainer('access_decision_manager_service_and_strategy'); | |||
| @@ -5,6 +5,7 @@ CHANGELOG | |||
| ----- | |||
|
|
|||
| * added `getAcceptableFormats()` for reading acceptable formats based on Accept header | |||
| * added `port` property | |||
There was a problem hiding this comment.
that's the inverse actually :) we need to mention the addition of RequestMatcher::matchPort(), not the private port property as it's not exposed
|
@roukmoute What's the state of this PR? |
| @@ -180,6 +181,7 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto | |||
| $firewallNodeBuilder | |||
| ->scalarNode('pattern')->end() | |||
| ->scalarNode('host')->end() | |||
| ->integerNode('port')->defaultNull()->end() | |||
There was a problem hiding this comment.
You should remove this option, we want it only for the access control
| @@ -275,7 +276,7 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a | |||
| $pattern = isset($firewall['pattern']) ? $firewall['pattern'] : null; | |||
| $host = isset($firewall['host']) ? $firewall['host'] : null; | |||
| $methods = isset($firewall['methods']) ? $firewall['methods'] : array(); | |||
| $matcher = $this->createRequestMatcher($container, $pattern, $host, $methods); | |||
| $matcher = $this->createRequestMatcher($container, $pattern, $host, null, $methods); | |||
There was a problem hiding this comment.
Why is the port always null here? Shouldn't we use the configured value?
There was a problem hiding this comment.
Here it is :)
#28061 (comment)
|
Thank you @roukmoute. |
This PR was squashed before being merged into the 4.2-dev branch (closes #28061). Discussion ---------- [Security] add port in access_control | Q | A | ------------- | --- | Branch? | master for features | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #26071 | License | MIT | Doc PR | symfony/symfony-docs#10359 Add port in access_control __Please Squash this P.R.__ Commits ------- 6413dcb [Security] add port in access_control
Add port in access_control
Please Squash this P.R.