

Commit b1e2d21

committed
feature #24260 [Security] Add impersonation support for stateless authentication (chalasr)
This PR was merged into the 3.4 branch. Discussion ---------- [Security] Add impersonation support for stateless authentication | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | https://github.com/lafourchette/SwitchUserStatelessBundle/issues/10#issuecomment-330434589 | License | MIT | Doc PR | n/a The `switch_user` listener triggers a redirection in case of success and thus does not play well with stateless authentication which is common nowadays (as opposed to other listeners like the [exception one](https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php#L187..#L189)). This adds a new `stateless` option to the `switch_user` listener, if set to true then no redirection is triggered during user switching. This will avoid the need for [lafourchette/SwitchUserStatelessBundle](https://github.com/lafourchette/SwitchUserStatelessBundle) which just duplicated the symfony SwitchUserListener (with config factory) at a given state to avoid the 2 LOC which are causing the redirection. The bundle is not actively maintained and the listener it provides is out of date due to the missing upstream additions and bug fixes (see https://github.com/lafourchette/SwitchUserStatelessBundle/issues/10). Commits ------- e7a5803 [Security] Add user impersonation support for stateless authentication
2 parents 09afa64 + e7a5803 commit b1e2d21

24 files changed

+120
-20
lines changed

UPGRADE-3.4.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -316,6 +316,9 @@ SecurityBundle
316316

317317
* Deprecated the HTTP digest authentication: `HttpDigestFactory` will be removed in 4.0.
318318
Use another authentication system like `http_basic` instead.
319+
320+
* Deprecated setting the `switch_user.stateless` option to false when the firewall is `stateless`.
321+
Setting it to false will have no effect in 4.0.
319322

320323
Translation
321324
-----------

UPGRADE-4.0.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -693,6 +693,8 @@ SecurityBundle
693693

694694
* Removed the HTTP digest authentication system. The `HttpDigestFactory` class
695695
has been removed. Use another authentication system like `http_basic` instead.
696+
697+
* The `switch_user.stateless` option is now always true if the firewall is stateless.
696698

697699
Serializer
698700
----------

src/Symfony/Bundle/SecurityBundle/CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,7 @@ CHANGELOG
1717
* deprecated command `acl:set` along with `SetAclCommand` class
1818
* deprecated command `init:acl` along with `InitAclCommand` class
1919
* Added support for the new Argon2i password encoder
20+
* added `stateless` option to the `switch_user` listener
2021

2122
3.3.0
2223
-----

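--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -304,6 +304,7 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
                         ->scalarNode('provider')->end()
                         ->scalarNode('parameter')->defaultValue('_switch_user')->end()
                         ->scalarNode('role')->defaultValue('ROLE_ALLOWED_TO_SWITCH')->end()
+                        ->booleanNode('stateless')->defaultValue(false)->end()
                     ->end()
                 ->end()
             ;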
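Review bot: The new `stateless` boolean node carries no `->info()` text, so `config:dump-reference` tells an operator nothing about what the flag changes, while the UPGRADE entry in this commit only describes the deprecation. Suggest `->booleanNode('stateless')->defaultValue(false)->info('Do not redirect after switching user; intended for stateless firewalls')->end()`. Presumably, with no session to hold the switched token, the switch parameter has to accompany every request in stateless mode — the listener is not in this commit, so confirm before writing that into the info text. addFirewallsSection starts and ends outside the hunk.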

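--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -456,7 +456,7 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
         // Switch user listener
         if (isset($firewall['switch_user'])) {
             $listenerKeys[] = 'switch_user';
-            $listeners[] = new Reference($this->createSwitchUserListener($container, $id, $firewall['switch_user'], $defaultProvider));
+            $listeners[] = new Reference($this->createSwitchUserListener($container, $id, $firewall['switch_user'], $defaultProvider, $firewall['stateless']));
         }
 
         // Access listener
@@ -699,17 +699,23 @@ private function createExceptionListener($container, $config, $id, $defaultEntry
         return $exceptionListenerId;
     }
 
-    private function createSwitchUserListener($container, $id, $config, $defaultProvider)
+    private function createSwitchUserListener($container, $id, $config, $defaultProvider, $stateless)
     {
         $userProvider = isset($config['provider']) ? $this->getUserProviderId($config['provider']) : $defaultProvider;
 
+        // in 4.0, ignore the `switch_user.stateless` key if $stateless is `true`
+        if ($stateless && false === $config['stateless']) {
+            @trigger_error(sprintf('Firewall "%s" is configured as "stateless" but the "switch_user.stateless" key is set to false. Both should have the same value, the firewall\'s "stateless" value will be used as default value for the "switch_user.stateless" key in 4.0.', $id), E_USER_DEPRECATED);
+        }
+
         $switchUserListenerId = 'security.authentication.switchuser_listener.'.$id;
         $listener = $container->setDefinition($switchUserListenerId, new ChildDefinition('security.authentication.switchuser_listener'));
         $listener->replaceArgument(1, new Reference($userProvider));
         $listener->replaceArgument(2, new Reference('security.user_checker.'.$id));
         $listener->replaceArgument(3, $id);
         $listener->replaceArgument(6, $config['parameter']);
         $listener->replaceArgument(7, $config['role']);
+        $listener->replaceArgument(9, $config['stateless']);
 
         return $switchUserListenerId;
     }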
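Review bot: `$listener->replaceArgument(9, $config['stateless'])` hard-codes the position of the `<argument>false</argument> <!-- Stateless -->` line added to security_listeners.xml in the same commit, and neither side records that coupling; a wrong index here would silently overwrite a different constructor argument of the listener rather than fail. Suggest a why-comment on that line, `// index 9 = the trailing "Stateless" argument of security.authentication.switchuser_listener in security_listeners.xml`, and a docblock on the method adding `@param bool $stateless Whether the enclosing firewall is stateless; only used to emit the deprecation`. Note also that because `switch_user.stateless` defaults to false in MainConfiguration, a stateless firewall that merely omits the key now triggers the E_USER_DEPRECATED message, whereas the UPGRADE entry speaks only of "setting it to false"; the UPGRADE text should say that leaving the key unset counts. createFirewall starts and ends outside the first hunk; createSwitchUserListener is fully visible in the second.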

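--- a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml
+++ b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml
@@ -241,6 +241,7 @@
             <argument>_switch_user</argument>
             <argument>ROLE_ALLOWED_TO_SWITCH</argument>
             <argument type="service" id="event_dispatcher" on-invalid="null"/>
+            <argument>false</argument> <!-- Stateless -->
         </service>
 
         <service id="security.access_listener" class="Symfony\Component\Security\Http\Firewall\AccessListener">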

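--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
@@ -130,6 +130,7 @@ public function testFirewalls()
                 array(
                     'parameter' => '_switch_user',
                     'role' => 'ROLE_ALLOWED_TO_SWITCH',
+                    'stateless' => true,
                 ),
             ),
             array(
@@ -256,6 +257,7 @@ public function testFirewallsWithDigest()
                 array(
                     'parameter' => '_switch_user',
                     'role' => 'ROLE_ALLOWED_TO_SWITCH',
+                    'stateless' => true,
                 ),
             ),
             array(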
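Review bot: Both changed expectations now read `'stateless' => true` because the three PHP fixtures were switched to `array('stateless' => true)`, so nothing in this section exercises the default `false` value or the deprecation that createSwitchUserListener emits when a stateless firewall leaves the key unset. Suggest keeping one fixture firewall on the bare `'switch_user' => true` form and asserting `'stateless' => false` for it, plus a dedicated test for the deprecation path (symfony/phpunit-bridge's `@expectedDeprecation` annotation, if the suite already uses it) so the 4.0 behaviour change has a regression guard. testFirewalls and testFirewallsWithDigest both start and end outside these hunks.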

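--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php
@@ -65,7 +65,7 @@
             'http_basic' => true,
             'form_login' => true,
             'anonymous' => true,
-            'switch_user' => true,
+            'switch_user' => array('stateless' => true),
             'x509' => true,
             'remote_user' => true,
             'logout' => true,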

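--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_acl.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_acl.php
@@ -67,7 +67,7 @@
             'http_digest' => array('secret' => 'TheSecret'),
             'form_login' => true,
             'anonymous' => true,
-            'switch_user' => true,
+            'switch_user' => array('stateless' => true),
             'x509' => true,
             'remote_user' => true,
             'logout' => true,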

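--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_digest.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_digest.php
@@ -67,7 +67,7 @@
             'http_digest' => array('secret' => 'TheSecret'),
             'form_login' => true,
             'anonymous' => true,
-            'switch_user' => true,
+            'switch_user' => array('stateless' => true),
             'x509' => true,
             'remote_user' => true,
             'logout' => true,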
