Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[Security] add port in access_control#28061

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
fabpot merged 1 commit intosymfony:masterfromroukmoute:security_add_port
Oct 10, 2018
Merged

[Security] add port in access_control#28061

fabpot merged 1 commit intosymfony:masterfromroukmoute:security_add_port
Oct 10, 2018

Conversation

@roukmoute
Copy link
Contributor

@roukmouteroukmoute commentedJul 25, 2018
edited
Loading

QA
Branch?master for features
Bug fix?no
New feature?yes
BC breaks?no
Deprecations?no
Tests pass?yes
Fixed tickets#26071
LicenseMIT
Doc PRsymfony/symfony-docs#10359

Add port in access_control

Please Squash this P.R.

* @param string|string[]|null $schemes
*/
publicfunction__construct(string$path =null,string$host =null,$methods =null,$ips =null,array$attributes =array(),$schemes =null)
publicfunction__construct(string$path =null,string$host =null,$port =null,$methods =null,$ips =null,array$attributes =array(),$schemes =null)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This is a BC break, you should add the new arguments at the end of the list

roukmoute and OskarStark reacted with thumbs up emoji
*/
publicfunctionmatchPort($port)
{
$this->port = (int)$port;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

(int) null => 0 (in this case the value is not clear)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

We can also use a type hint here.

returnfalse;
}

if (0 <$this->port &&$request->getPort() !==$this->port) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

we need to ignorenull here

@javiereguiluz
Copy link
Member

@chalasr this looks like a useful feature for some people and I can't see any security issue if we introduce this change, but could you please review it? Thanks!

@chalasrchalasr changed the titleSecurity add port[Security] add port in access_controlSep 18, 2018
* @param string|string[]|null $schemes
*/
publicfunction__construct(string$path =null,string$host =null,$methods =null,$ips =null,array$attributes =array(),$schemes =null)
publicfunction__construct(string$path =null,string$host =null,$methods =null,$ips =null,array$attributes =array(),$schemes =null,$port =null)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

should beint $port = null

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Oh yeah, now we can use typehint in this version 👍

->example('^/path to resource/')
->end()
->scalarNode('host')->defaultNull()->end()
->scalarNode('port')->defaultNull()->end()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

we probably don't want to deal with strings here, should be anintegerNode() to me

$port =isset($firewall['port']) ?$firewall['port'] :null;
$methods =isset($firewall['methods']) ?$firewall['methods'] :array();
$matcher =$this->createRequestMatcher($container,$pattern,$host,$methods);
$matcher =$this->createRequestMatcher($container,$pattern,$host,$port,$methods);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

$firewall['port'] ?? null, removing the assignment above

Copy link
ContributorAuthor

@roukmouteroukmouteSep 18, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Can I do the same things for the rest (host, …) or is it must be in another P.R.?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I would keep them unchanged to avoid conflicts when merging lower branches up to master

roukmoute reacted with thumbs up emoji
}

privatefunctioncreateRequestMatcher($container,$path =null,$host =null,$methods =array(),$ip =null,array$attributes =array())
privatefunctioncreateRequestMatcher($container,$path =null,$host =null,$port =null,$methods =array(),$ip =null,array$attributes =array())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

int $port = null

*
* @param int|null $port The port number to connect to
*/
publicfunctionmatchPort($port)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

this one should useint $port = null, the existing public methods of this class have been added before php scalar typehints and cannot be changed for BC

{
$portInt = (int)$port;

$this->port =is_numeric($port) ||$port ==$portInt ?$portInt :null;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

should just assign$this->port to$port (see my comment above)

*
* @param int|null $port The port number to connect to
*/
publicfunctionmatchPort(int$port):void
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

missing= null :) (see tests)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

please remove the return type also, we don't usevoid generally

-----

* added`getAcceptableFormats()` for reading acceptable formats based on Accept header
* added`port` property and`matchPort()` in RequestMatcher
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

only the method is relevant here, the property is private

$rules =array();
foreach ($container->getDefinition('security.access_map')->getMethodCalls()as$call) {
if ('add' ==$call[0]) {
if ('add' ===$call[0]) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

this one should be reverted

$host =isset($firewall['host']) ?$firewall['host'] :null;
$methods =isset($firewall['methods']) ?$firewall['methods'] :array();
$matcher =$this->createRequestMatcher($container,$pattern,$host,$methods);
$matcher =$this->createRequestMatcher($container,$pattern,$host,$firewall['port'] ??null,$methods);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

this looks for aport option on a firewall but it does not exist yet

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

If we add the option to firewalls (I think we should but it could be done in another PR, in this casenull should be passed here) then it should be covered by tests and mentioned in the CHANGELOG as for access_controls

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

So I kept this and I do another P.R. for adding this options to firewall, or I remove all?
Does it finally make sense to put it on for the firewall?

Copy link
Member

@chalasrchalasrSep 19, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

the check can't be true, let's remove it (passnull) for now and discuss it separately.
All the existing access_control options are also available at the firewall level, I see no reason for not adding this one wrong,ip is not available for firewalls. let's discuss it elsewhere :)

roukmoute reacted with thumbs up emoji
Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Done

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

You should pass null here, the option does not exist.

$httpRequest =$request =$request =Request::create('');
$httpsRequest =$request =$request =Request::create('','get',array(),array(),array(),array('HTTPS' =>'on'));
$httpRequest = Request::create('');
$httpsRequest = Request::create('','get',array(),array(),array(),array('HTTPS' =>'on'));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

please revert this :)

publicfunctiontestAccessDecisionManagerServiceAndStrategyCannotBeUsedAtTheSameTime()
{
$container =$this->getContainer('access_decision_manager_service_and_strategy');
$this->getContainer('access_decision_manager_service_and_strategy');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

to revert

-----

* added`getAcceptableFormats()` for reading acceptable formats based on Accept header
* added`port` property
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

that's the inverse actually :) we need to mention the addition ofRequestMatcher::matchPort(), not the privateport property as it's not exposed

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Oups sorry…

@chalasr
Copy link
Member

@roukmoute What's the state of this PR?
I see that you finally added theport option to firewalls as well, no objection from me but it should be covered by tests as for access controls.
Please tell us when it's ready to review or if you need some help :)

$firewallNodeBuilder
->scalarNode('pattern')->end()
->scalarNode('host')->end()
->integerNode('port')->defaultNull()->end()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

You should remove this option, we want it only for the access control

$host =isset($firewall['host']) ?$firewall['host'] :null;
$methods =isset($firewall['methods']) ?$firewall['methods'] :array();
$matcher =$this->createRequestMatcher($container,$pattern,$host,$methods);
$matcher =$this->createRequestMatcher($container,$pattern,$host,null,$methods);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Why is the port alwaysnull here? Shouldn't we use the configured value?

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Here it is :)
#28061 (comment)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

thanks :)

Copy link
Member

@fabpotfabpot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I don't really get the use case, but ok.

@fabpot
Copy link
Member

Thank you@roukmoute.

roukmoute reacted with hooray emoji

@fabpotfabpot merged commit6413dcb intosymfony:masterOct 10, 2018
fabpot added a commit that referenced this pull requestOct 10, 2018
This PR was squashed before being merged into the 4.2-dev branch (closes#28061).Discussion----------[Security] add port in access_control| Q             | A| ------------- | ---| Branch?       | master for features| Bug fix?      | no| New feature?  | yes| BC breaks?    | no| Deprecations? | no| Tests pass?   | yes| Fixed tickets |#26071| License       | MIT| Doc PR        |symfony/symfony-docs#10359Add port in access_control__Please Squash this P.R.__Commits-------6413dcb [Security] add port in access_control
@roukmouteroukmoute deleted the security_add_port branchOctober 10, 2018 12:14
@nicolas-grekasnicolas-grekas modified the milestones:next,4.2Nov 1, 2018
This was referencedNov 3, 2018
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

@lyrixxlyrixxlyrixx left review comments

@fabpotfabpotfabpot approved these changes

@xabbuhxabbuhxabbuh approved these changes

@chalasrchalasrchalasr approved these changes

+1 more reviewer

@ronfroyronfroyronfroy left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Projects

None yet

Milestone

4.2

Development

Successfully merging this pull request may close these issues.

9 participants

@roukmoute@javiereguiluz@chalasr@fabpot@lyrixx@xabbuh@ronfroy@nicolas-grekas@carsonbot
[8]ページ先頭
©2009-2025 Movatter.jp