Skip to content

[Security] Add concept of required passport badges #40486

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 8, 2021
Merged

[Security] Add concept of required passport badges #40486

merged 1 commit into from
Apr 8, 2021

Conversation

wouterj
Copy link
Member

@wouterj wouterj commented Mar 16, 2021

Q A
Branch? 5.x
Bug fix? no
New feature? yes
Deprecations? n
Tickets Fix #39305
License MIT
Doc PR tbd

A badge on a passport is a critical security element, it determines which security checks are run during authentication. Using the required_badges setting, applications can make sure the expected security checks are run.

@wouterj wouterj requested a review from chalasr as a code owner March 16, 2021 12:44
@wouterj wouterj force-pushed the issue-39305/required-badges branch from 0e2f3bf to a25ab79 Compare March 16, 2021 12:46
stof
stof reviewed Mar 16, 2021
View reviewed changes
Copy link
Member

@stof stof left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't we need to update the XSD schema for the XML format ?

@wouterj
Copy link
Member Author

wouterj commented Mar 16, 2021

Don't we need to update the XSD schema for the XML format ?

Yes, but we need to do it in 5.2: #40490 (or 5.1 actually, but that's no longer supported)

@stof
Copy link
Member

stof commented Mar 16, 2021

@wouterj you will still need an update in this PR to add the required-badge node in the XSD

@nicolas-grekas nicolas-grekas added this to the 5.x milestone Mar 17, 2021
@wouterj wouterj force-pushed the issue-39305/required-badges branch from a25ab79 to 53d6401 Compare April 2, 2021 22:10
@wouterj wouterj added the Ready label Apr 2, 2021
Nyholm
Nyholm approved these changes Apr 3, 2021
View reviewed changes
Copy link
Member

@Nyholm Nyholm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you.

Im happy with this.

I have a question though.. What if I register another listener to the CheckPassportEvent and it will run stopPropagation()? Now this event subscriber will never be executed and I wont get any exception. Right?

It is just an observation, it might be out of scope for this PR but I would still ask if there is something we can/should do about this scenario.

@wouterj wouterj force-pushed the issue-39305/required-badges branch from 53d6401 to 44c9856 Compare April 4, 2021 18:44
@wouterj wouterj force-pushed the issue-39305/required-badges branch from 44c9856 to 2a8a101 Compare April 4, 2021 20:14
@wouterj
Copy link
Member Author

wouterj commented Apr 4, 2021

It is just an observation, it might be out of scope for this PR but I would still ask if there is something we can/should do about this scenario.

Thanks for reminding me :) After #40567, we can do this in a much "cleaner" way. PR updated

chalasr
chalasr approved these changes Apr 4, 2021
View reviewed changes
Copy link
Member

@chalasr chalasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. The new config option should probably be mentioned in the SecurityBundle' CHANGELOG file though

@wouterj
[Security] Add concept of required passport badges
01c3bf9 
A badge on a passport is a critical security element, it determines which
security checks are run during authentication. Using the `required_badges`
setting, applications can make sure the expected security checks are run.
@wouterj wouterj force-pushed the issue-39305/required-badges branch from 2a8a101 to 01c3bf9 Compare April 5, 2021 09:07
@Nyholm
Copy link
Member

Nyholm commented Apr 8, 2021

Thank you @wouterj.

@Nyholm Nyholm mentioned this pull request Apr 8, 2021
Closed
@Nyholm Nyholm merged commit 3977d7a into symfony:5.x Apr 8, 2021
@wouterj wouterj deleted the issue-39305/required-badges branch April 8, 2021 09:40
@fabpot fabpot mentioned this pull request Apr 18, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stof stof stof left review comments

@ro0NL ro0NL ro0NL left review comments

@Nyholm Nyholm Nyholm approved these changes

@chalasr chalasr chalasr approved these changes

Assignees
No one assigned
Labels
Feature Ready Security Status: Reviewed
Projects
None yet
Milestone
5.4
Development

Successfully merging this pull request may close these issues.

[Security] Mark badges as required
7 participants
@wouterj @stof @Nyholm @ro0NL @chalasr @nicolas-grekas @carsonbot