8000 feature #10698 [Security] Added a REMOTE_USER based listener to secur… · symfony/symfony@0050b8d · GitHub
[go: up one dir, main page]
Skip to content

Commit 0050b8d

Browse files
fabpotfabpot
committed
feature #10698 [Security] Added a REMOTE_USER based listener to security firewalls (Maxime Douailin)
This PR was squashed before being merged into the 2.6-dev branch (closes #10698). Discussion ---------- [Security] Added a REMOTE_USER based listener to security firewalls | Q | A | ------------- | --- | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | / | License | MIT | Doc PR | symfony/symfony-docs#3912 TODO - [x] submit changes to the documentation I've seen myself implementing a few times a REMOTE_USER based authentication listener, as a large part of security modules for Apache (Kerberos, CAS, and more) are providing the username via an environment variable. So I thought this could benefit the whole community if directly included in the framework. It is very similar to the X509AuthenticationListener, and basing the RemoteUserAuthenticationListener on the AbstractPreAuthenticatedListener is relevant and very convenient. Using the X509AuthenticationListener could be possible, but it is confusing to use it directly when your authentication is not certificate based. Please let me know if I need to update anything. Regards Commits ------- a2872f2 [Security] Added a REMOTE_USER based listener to security firewalls
2 parents 1fb8f88 + a2872f2 commit 0050b8d

File tree

9 files changed

+223
-0
lines changed

9 files changed

+223
-0
lines changed

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RemoteUserFactory.php

Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
<?php
2+
3+
/*
4+
* This file is part of the Symfony package.
5+
*
6+
* (c) Fabien Potencier <fabien@symfony.com>
7+
*
8+
* For the full copyright and license information, please view the LICENSE
9+
* file that was distributed with this source code.
10+
*/
11+
12+
namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
13+
14+
use Symfony\Component\Config\Definition\Builder\NodeDefinition;
15+
16+
use Symfony\Component\DependencyInjection\DefinitionDecorator;
17+
18+
use Symfony\Component\DependencyInjection\ContainerBuilder;
19+
use Symfony\Component\DependencyInjection\Reference;
20+
21+
/**
22+
* RemoteUserFactory creates services for REMOTE_USER based authentication.
23+
*
24+
* @author Fabien Potencier <fabien@symfony.com>
25+
* @author Maxime Douailin <maxime.douailin@gmail.com>
26+
*/
27+
class RemoteUserFactory implements SecurityFactoryInterface
28+
{
29+
public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)
30+
{
31+
$providerId = 'security.authentication.provider.pre_authenticated.'.$id;
32+
$container
33+
->setDefinition($providerId, new DefinitionDecorator('security.authentication.provider.pre_authenticated'))
34+
->replaceArgument(0, new Reference($userProvider))
35+
->addArgument($id)
36+
;
37+
38+
$listenerId = 'security.authentication.listener.remote_user.'.$id;
39+
$listener = $container->setDefinition($listenerId, new DefinitionDecorator('security.authentication.listener.remote_user'));
40+
$listener->replaceArgument(2, $id);
41+
$listener->replaceArgument(3, $config['user']);
42+
43+
return array($providerId, $listenerId, $defaultEntryPoint);
44+
}
45+
46+
public function getPosition()
47+
{
48+
return 'pre_auth';
49+
}
50+
51+
public function getKey()
52+
{
53+
return 'remote-user';
54+
}
55+
56+
public function addConfiguration(NodeDefinition $node)
57+
{
58+
$node
59+
->children()
60+
->scalarNode('provider')->end()
61+
->scalarNode('user')->defaultValue('REMOTE_USER')->end()
62+
->end()
63+
;
64+
}
65+
}

src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,8 @@
2424

2525
<parameter key="security.authentication.listener.x509.class">Symfony\Component\Security\Http\Firewall\X509AuthenticationListener</parameter>
2626

27+
<parameter key="security.authentication.listener.remote_user.class">Symfony\Component\Security\Http\Firewall\RemoteUserAuthenticationListener</parameter>
28+
2729
<parameter key="security.authentication.listener.anonymous.class">Symfony\Component\Security\Http\Firewall\AnonymousAuthenticationListener</parameter>
2830

2931
<parameter key="security.authentication.switchuser_listener.class">Symfony\Component\Security\Http\Firewall\SwitchUserListener</parameter>
@@ -173,6 +175,16 @@
173175
<argument type="service" id="event_dispatcher" on-invalid="null"/>
174176
</service>
175177

178+
<service id="security.authentication.listener.remote_user" class="%security.authentication.listener.remote_user.class%" public="false" abstract="true">
179+
<tag name="monolog.logger" channel="security" />
180+
<argument type="service" id="security.context" />
181+
<argument type="service" id="security.authentication.manager" />
182+
<argument /> <!-- Provider-shared Key -->
183+
<argument /> <!-- REMOTE_USER server env var -->
184+
<argument type="service" id="logger" on-invalid="null" />
185+
<argument type="service" id="event_dispatcher" on-invalid="null"/>
186+
</service>
187+
176188
<service id="security.authentication.listener.basic" class="%security.authentication.listener.basic.class%" public="false" abstract="true">
177189
<tag name="monolog.logger" channel="security" />
178190
<argument type="service" id="security.context" />

src/Symfony/Bundle/SecurityBundle/SecurityBundle.php

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,7 @@
1919
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\HttpDigestFactory;
2020
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\RememberMeFactory;
2121
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\X509Factory;
22+
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\RemoteUserFactory;
2223
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SimplePreAuthenticationFactory;
2324
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SimpleFormFactory;
2425
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\UserProvider\InMemoryFactory;
@@ -40,6 +41,7 @@ public function build(ContainerBuilder $container)
4041
$extension->addSecurityListenerFactory(new HttpDigestFactory());
4142
$extension->addSecurityListenerFactory(new RememberMeFactory());
4243
$extension->addSecurityListenerFactory(new X509Factory());
44+
$extension->addSecurityListenerFactory(new RemoteUserFactory());
4345
$extension->addSecurityListenerFactory(new SimplePreAuthenticationFactory());
4446
$extension->addSecurityListenerFactory(new SimpleFormFactory());
4547

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -78,6 +78,7 @@ public function testFirewalls()
7878
'security.channel_listener',
7979
'security.logout_listener.secure',
8080
'security.authentication.listener.x509.secure',
81+
'security.authentication.listener.remote_user.secure',
8182
'security.authentication.listener.form.secure',
8283
'security.authentication.listener.basic.secure',
8384
'security.authentication.listener.digest.secure',

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -69,6 +69,7 @@
6969
'anonymous' => true,
7070
'switch_user' => true,
7171
'x509' => true,
72+
'remote_user' => true,
7273
'logout' => true,
7374
'remember_me' => array('key' => 'TheKey'),
7475
),

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1.xml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -54,6 +54,7 @@
5454
<anonymous />
5555
<switch-user />
5656
<x509 />
57+
<remote-user />
5758
<logout />
5859
<remember-me key="TheyKey"/>
5960
</firewall>

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -52,6 +52,7 @@ security:
5252
anonymous: true
5353
switch_user: true
5454
x509: true
55+
remote_user: true
5556
logout: true
5657
remember_me:
5758
key: TheKey

src/Symfony/Component/Security/Http/Firewall/RemoteUserAuthenticationListener.php

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
<?php
2+
3+
/*
4+
* This file is part of the Symfony package.
5+
*
6+
* (c) Fabien Potencier <fabien@symfony.com>
7+
*
8+
* For the full copyright and license information, please view the LICENSE
9+
* file that was distributed with this source code.
10+
*/
11+
12+
namespace Symfony\Component\Security\Http\Firewall;
13+
14+
use Symfony\Component\Security\Core\SecurityContextInterface;
15+
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
16+
use Psr\Log\LoggerInterface;
17+
use Symfony\Component\HttpFoundation\Request;
18+
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
19+
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
20+
21+
/**
22+
* REMOTE_USER authentication listener.
23+
*
24+
* @author Fabien Potencier <fabien@symfony.com>
25+
* @author Maxime Douailin <maxime.douailin@gmail.com>
26+
*/
27+
class RemoteUserAuthenticationListener extends AbstractPreAuthenticatedListener
28+
{
29+
private $userKey;
30+
31+
public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, $providerKey, $userKey = 'REMOTE_USER', LoggerInterface $logger = null, EventDispatcherInterface $dispatcher = null)
32+
{
33+
parent::__construct($securityContext, $authenticationManager, $providerKey, $logger, $dispatcher);
34+
35+
$this->userKey = $userKey;
36+
}
37+
38+
/**
39+
* {@inheritdoc}
40+
*/
41+
protected function getPreAuthenticatedData(Request $request)
42+
{
43+
if (!$request->server->has($this->userKey)) {
44+
throw new BadCredentialsException(sprintf('User key was not found: %s', $this->userKey));
45+
}
46+
47+
return array($request->server->get($this->userKey), null);
48+
}
49+
}

src/Symfony/Component/Security/Http/Tests/Firewall/RemoteUserAuthenticationListenerTest.php

Lines changed: 91 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,91 @@
1+
<?php
2+
3+
/*
4+
* This file is part of the Symfony package.
5+
*
6+
* (c) Fabien Potencier <fabien@symfony.com>
7+
*
8+
* For the full copyright and license information, please view the LICENSE
9+
* file that was distributed with this source code.
10+
*/
11+
12+
namespace Symfony\Component\Security\Http\Tests\Firewall;
13+
14+
use Symfony\Component\HttpFoundation\Request;
15+
use Symfony\Component\Security\Http\Firewall\RemoteUserAuthenticationListener;
16+
17+
class RemoteUserAuthenticationListenerTest extends \PHPUnit_Framework_TestCase
18+
{
19+
public function testGetPreAuthenticatedData()
20+
{
21+
$serverVars = array(
22+
'REMOTE_USER' => 'TheUser'
23+
);
24+
25+
$request = new Request(array(), array(), array(), array(), array(), $serverVars);
26+
27+
$context = $this->getMock('Symfony\Component\Security\Core\SecurityContextInterface');
28+
29+
$authenticationManager = $this->getMock('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface');
30+
31+
$listener = new RemoteUserAuthenticationListener(
32+
$context,
33+
$authenticationManager,
34+
'TheProviderKey'
35+
);
36+
37+
$method = new \ReflectionMethod($listener, 'getPreAuthenticatedData');
38+
$method->setAccessible(true);
39+
40+
$result = $method->invokeArgs($listener, array($request));
41+
$this->assertSame($result, array('TheUser', null));
42+
}
43+
44+
/**
45+
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
46+
*/
47+
public function testGetPreAuthenticatedDataNoUser()
48+
{
49+
$request = new Request(array(), array(), array(), array(), array(), array());
50+
51+
$context = $this->getMock('Symfony\Component\Security\Core\SecurityContextInterface');
52+
53+
$authenticationManager = $this->getMock('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface');
54+
55+
$listener = new RemoteUserAuthenticationListener(
56+
$context,
57+
$authenticationManager,
58+
'TheProviderKey'
59+
);
60+
61+
$method = new \ReflectionMethod($listener, 'getPreAuthenticatedData');
62+
$method->setAccessible(true);
63+
64+
$result = $method->invokeArgs($listener, array($request));
65+
}
66+
67+
public function testGetPreAuthenticatedDataWithDifferentKeys()
68+
{
69+
$userCredentials = array('TheUser', null);
70+
71+
$request = new Request(array(), array(), array(), array(), array(), array(
72+
'TheUserKey' => 'TheUser'
73+
));
74+
$context = $this->getMock('Symfony\Component\Security\Core\SecurityContextInterface');
75+
76+
$authenticationManager = $this->getMock('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface');
77+
78+
$listener = new RemoteUserAuthenticationListener(
79+
$context,
80+
$authenticationManager,
81+
'TheProviderKey',
82+
'TheUserKey'
83+
);
84+
85+
$method = new \ReflectionMethod($listener, 'getPreAuthenticatedData');
86+
$method->setAccessible(true);
87+
88+
$result = $method->invokeArgs($listener, array($request));
89+
$this->assertSame($result, $userCredentials);
90+
}
91+
}

0 commit comments

Comments
 (0)
0