feature #39213 [Security] [DX] Automatically add PasswordUpgradeBadge + default support() impl in AbstractFormLoginAuthenticator (wouterj)

fabpot · fabpot · commit ffd365bb5e29 · 2020-11-30T06:47:07.000+01:00
This PR was squashed before being merged into the 5.2 branch. Discussion ---------- [Security] [DX] Automatically add PasswordUpgradeBadge + default support() impl in AbstractFormLoginAuthenticator | Q | A | ------------- | --- | Branch? | 5.2 (hopefully? sorry to keep pushing the barrier here) | Bug fix? | no | New feature? | yes (sort of) | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - These are 2 suggestions we found while implementing `make:auth` for the new system (symfony/maker-bundle#736): Impact on a custom login form authenticator ([as generated by the new maker](https://github.com/symfony/maker-bundle/pull/736/files#diff-528164b6c24778d5e81fa3819b0552f0e68a9fea33c7d3446a012f3da7d0af60)): * **Automatically add `PasswordUpgradeBadge`** if there is a user password with valid password credentials. ```diff // ... return new Passport( new UserBadge($userIdentifier), new PasswordCredentials($password), [ - new PasswordUpgradeBadge($password), new CsrfTokenBadge('authenticate', $csrf), ] ) ``` Note that this does not automatically migrate all passwords: it still relies on `PasswordUpgraderInterface` to be implemented on the user loader/provider. * **Add default implementation of `AbstractFormLoginAuthenticator::support()`** ```diff - public function supports(Request $request): ?bool - { - return self::LOGIN_ROUTE === $request->attributes->get('_route') - && $request->isMethod('POST'); - } ``` cc @weaverryan @jrushlow Commits ------- 27450c0 [Security] [DX] Automatically add PasswordUpgradeBadge + default support() impl in AbstractFormLoginAuthenticator
diff --git a/src/Symfony/Component/Security/Http/Authenticator/AbstractLoginFormAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/AbstractLoginFormAuthenticator.php
@@ -32,6 +32,20 @@ abstract class AbstractLoginFormAuthenticator extends AbstractAuthenticator impl
      */
     abstract protected function getLoginUrl(Request $request): string;
 
+    /**
+     * {@inheritdoc}
+     *
+     * Override to change the request conditions that have to be
+     * matched in order to handle the login form submit.
+     *
+     * This default implementation handles all POST requests to the
+     * login path (@see getLoginUrl()).
+     */
+    public function supports(Request $request): bool
+    {
+        return $request->isMethod('POST') && $this->getLoginUrl($request) === $request->getPathInfo();
+    }
+
     /**
      * Override to change what happens after a bad username/password is submitted.
      */
diff --git a/src/Symfony/Component/Security/Http/EventListener/CheckCredentialsListener.php b/src/Symfony/Component/Security/Http/EventListener/CheckCredentialsListener.php
@@ -14,6 +14,7 @@
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PasswordUpgradeBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\CustomCredentials;
 use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
 use Symfony\Component\Security\Http\Authenticator\Passport\UserPassportInterface;
@@ -65,6 +66,10 @@ public function checkPassport(CheckPassportEvent $event): void
 
             $badge->markResolved();
 
+            if (!$passport->hasBadge(PasswordUpgradeBadge::class)) {
+                $passport->addBadge(new PasswordUpgradeBadge($presentedPassword));
+            }
+
             return;
         }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/CheckCredentialsListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/CheckCredentialsListenerTest.php
@@ -17,6 +17,7 @@
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\User\User;
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PasswordUpgradeBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\CustomCredentials;
 use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
@@ -113,6 +114,54 @@ public function testNoCredentialsBadgeProvided()
         $this->listener->checkPassport($event);
     }
 
+    public function testAddsPasswordUpgradeBadge()
+    {
+        $encoder = $this->createMock(PasswordEncoderInterface::class);
+        $encoder->expects($this->any())->method('isPasswordValid')->with('encoded-password', 'ThePa$$word')->willReturn(true);
+
+        $this->encoderFactory->expects($this->any())->method('getEncoder')->with($this->identicalTo($this->user))->willReturn($encoder);
+
+        $passport = new Passport(new UserBadge('wouter', function () { return $this->user; }), new PasswordCredentials('ThePa$$word'));
+        $this->listener->checkPassport($this->createEvent($passport));
+
+        $this->assertTrue($passport->hasBadge(PasswordUpgradeBadge::class));
+        $this->assertEquals('ThePa$$word', $passport->getBadge(PasswordUpgradeBadge::class)->getAndErasePlaintextPassword());
+    }
+
+    public function testAddsNoPasswordUpgradeBadgeIfItAlreadyExists()
+    {
+        $encoder = $this->createMock(PasswordEncoderInterface::class);
+        $encoder->expects($this->any())->method('isPasswordValid')->with('encoded-password', 'ThePa$$word')->willReturn(true);
+
+        $this->encoderFactory->expects($this->any())->method('getEncoder')->with($this->identicalTo($this->user))->willReturn($encoder);
+
+        $passport = $this->getMockBuilder(Passport::class)
+            ->setMethods(['addBadge'])
+            ->setConstructorArgs([new UserBadge('wouter', function () { return $this->user; }), new PasswordCredentials('ThePa$$word'), [new PasswordUpgradeBadge('ThePa$$word')]])
+            ->getMock();
+
+        $passport->expects($this->never())->method('addBadge')->with($this->isInstanceOf(PasswordUpgradeBadge::class));
+
+        $this->listener->checkPassport($this->createEvent($passport));
+    }
+
+    public function testAddsNoPasswordUpgradeBadgeIfPasswordIsInvalid()
+    {
+        $encoder = $this->createMock(PasswordEncoderInterface::class);
+        $encoder->expects($this->any())->method('isPasswordValid')->with('encoded-password', 'ThePa$$word')->willReturn(false);
+
+        $this->encoderFactory->expects($this->any())->method('getEncoder')->with($this->identicalTo($this->user))->willReturn($encoder);
+
+        $passport = $this->getMockBuilder(Passport::class)
+            ->setMethods(['addBadge'])
+            ->setConstructorArgs([new UserBadge('wouter', function () { return $this->user; }), new PasswordCredentials('ThePa$$word'), [new PasswordUpgradeBadge('ThePa$$word')]])
+            ->getMock();
+
+        $passport->expects($this->never())->method('addBadge')->with($this->isInstanceOf(PasswordUpgradeBadge::class));
+
+        $this->listener->checkPassport($this->createEvent($passport));
+    }
+
     private function createEvent($passport)
     {
         return new CheckPassportEvent($this->createMock(AuthenticatorInterface::class), $passport);
