[SecurityBundle] Make security schema deterministic #57493
Conversation
|
Uh-oh, this sounds like a really tricky situation. Breaking changes on an LTS version is a no-go, but we have to fix this somehow. While searching for |
|
I clarified the PR description: BC break would impact users configuring custom user providers and/or authenticators using XML, while the issue will impact users configuring security using XML (meaning e.g.
For completeness, I thought about two others solutions which would keep BC (in a sub-optimal way):
|
|
If there is no other choice than this BC break, then at least it happens at compile time so that it's going to be easy to spot, isn't it? |
carsonbot
changed the title
|
I clarified that the two other solutions I thought of (removing types from the XSD or disabling XML validation) would keep BC, so maybe they should be preferred? If not, the simplest fix is to add a namespace to custom providers/authenticators, like <provider name="default">
- <my-provider />
+ <custom:my-provider xmlns:custom="my.custom.namespace" />
</provider>Thanks to + xmlns:custom="my.custom.namespace"
xsi:schemaLocation="http://symfony.com/schema/dic/services
https://symfony.com/schema/dic/services/services-1.0.xsd
http://symfony.com/schema/dic/security
- https://symfony.com/schema/dic/security/security-1.0.xsd">
+ https://symfony.com/schema/dic/security/security-1.0.xsd
+ my.custom.namespace
+ /path/to/my.xsd
<config>
<provider name="default">
- <my-provider />
+ <custom:my-provider />
</provider>
</config>
</srv:container>Don’t really know how to advertise this; I guess the upgrade guide and a blog post would be a good start. Surely there have been similar cases in the past? |
|
Given that any bundle can register extra settings for the security-bundle configuration (it has an extension config) and we were not requiring a custom namespace until now (and they probably never documented using one), I don't think we can require one (especially not in a patch version of an old LTS) |
|
I'm leaning towards going for "remove all provider and authenticator types from the XSD". This means we'll loose validation and autocompletion of build-in user provider configuration, but it is not a BC break. Then, maybe we can find a nice upgrade path to reintroduce this in Symfony 8 (e.g. first deprecating custom user providers/authenticators without namespace?). |
|
note that we don't loose all validation. We loose the XSD-based validation, but we still process the config with the Configuration class. |
|
In fact if we’re going to disable validation, we can make our XSD valid as well. That way there is no BC break and users are free to make their config valid or not. Updated the PR this way. It would be even better to check for validation errors related to custom providers/authenticators (and trigger a deprecation?) but I’m not sure it is possible yet. |
|
I don't think disabling XML validation in the XmlFileLoader is a good idea (this won't be only for the SecurityBundle configuration but for any configuration). And I don't think the answer about IDEs is right: they would report any configuration for third-party providers as invalid, which will confuse developers. This would also make it even more likely to have outdated XSD files for our bundle configuration schemas as they would not be validated anymore (which would also lead to bad IDE support for them if they are based on XSD files). |
Only as long as they stay invalid. Once we offer the possibility to namespace them, developers should update them so that they aren’t invalid anymore. But this means we must support these invalid. If we can detect these cases when validating, we could allow them and trigger a deprecation or something to tell the user to update its config (for now I managed to detect invalid providers from the exception message, but not authenticators yet). Would that be a viable solution? |
|
@MatTheCat you disabled validation for all XML configuration affecting all bundles of the ecosystem. |
|
@stof yes this is the PR actual state while I’m investigating how to implement the idea I presented. |
|
Okay I re-enabled Symfony’s XML validation while allowing invalid providers/authenticators; these will only trigger a deprecation. Not sure this is the best way and it’s missing tests, but do you agree with this solution? |
src/Symfony/Component/DependencyInjection/Loader/XmlFileLoader.php
Outdated
Show resolved
Hide resolved
|
Ubuntu will join impacted systems on October 10 when 24.10 is released. |
MatTheCat
force-pushed
the
ticket_57463
branch
from
a075601 to
ead681a
Compare
|
Will add some |
MatTheCat
force-pushed
the
ticket_57463
branch
7 times, most recently
from
dd2c047 to
038825f
Compare
|
Hm not sure what to do because there are changes both in Should I make |
|
Just for testing or in general? In this case a conflict rule could help, or do I miss sth? |
|
This PR’s SecurityBundle changes require the DependencyInjection’s (but not the other way around), so I would need a way to force this dependency to be up-to-date, even though those changes are not part of any version yet (I think high and low-deps failures are related) 🤔 |
|
Bumping the min version of the |
But here the required changes are not part of any release yet; how can I bump the min version to “this PR”? |
|
use the next patch release version (i.e. |
src/Symfony/Component/DependencyInjection/Loader/XmlFileLoader.php
Outdated
Show resolved
Hide resolved
|
Thank you @MatTheCat. |
We just updated to 5.4.42 but 3 days ago symfony put out 5.4.43 - seems silly to upgrade but not to the one that is the latest when we tag The key PR is symfony/symfony#57493 And I note that it seems like a sleeper bug depending on server config- ie symfony/symfony#57493 (comment) "Ubuntu will join impacted systems on October 10 when 24.10 is released." The final summary says there are no deprecations but this comment symfony/symfony#57493 (comment) suggests there might be I don't really know if we have security bundles but it seems like this fixes a bug that occurs when libxml libraries are used but it adds a deprecation. Also our composer-installing instances will be getting this fix so it will be less confusing to patch the tarball composer update -W symfony/* Gathering patches for root package. Loading composer repositories with package information Updating dependencies Lock file operations: 0 installs, 3 updates, 0 removals - Upgrading symfony/dependency-injection (v5.4.42 => v5.4.43) - Upgrading symfony/finder (v5.4.42 => v5.4.43) - Upgrading symfony/var-dumper (v5.4.42 => v5.4.43)
Currently you cannot put a namespace on custom providers/authenticators because the
XmlFileLoaderwill ignore every element whose namespace is not its parent’s. This means the only way to configure e.g. SymfonyConnect’s provider isThis requires providers and authenticators
xsd:any’snamespaceto be##any, which is no longer possible with libxml ≥ 2.12 (already available on Alpine 3.20 and Arch Linux e.g.) because it will report their content model as non-determinist.As a result, any XML security config will fail to be loaded once libxml is updated.
Fixing this issue requires to change
xsd:anys’namespaceto##otherso that content models become deterministic.A side-effect is that any custom providers/authenticators XML configuration will become invalid.
To avoid a BC break this PR allows such errors to occur. A deprecation will have to be triggered on 7.2 for users to namespace their custom providers/authenticators elements, e.g.
Because custom providers/authenticators’
processContentsislaxthere won’t be any validation if the namespace has no schema. If it has, it will be better to provide it:<srv:container xmlns="http://symfony.com/schema/dic/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:srv="http://symfony.com/schema/dic/services" + xmlns:custom="whatever" xsi:schemaLocation="http://symfony.com/schema/dic/services https://symfony.com/schema/dic/services/services-1.0.xsd http://symfony.com/schema/dic/security https://symfony.com/schema/dic/security/security-1.0.xsd + whatever the/schema.xsd"> <config> <provider name="symfony_connect"> - <connect_memory xmlns="whatever"> - <user username="whatever">ROLE_ADMIN</custom:user> - </connect_memory> + <custom:connect_memory> + <custom:user username="whatever">ROLE_ADMIN</custom:user> + </custom:connect_memory> </provider> </srv:container>