8000 [Security] Add impersonation support for stateless authentication by chalasr · Pull Request #24260 · symfony/symfony · GitHub
[go: up one dir, main page]
Skip to content

[Security] Add impersonation support for stateless authentication #24260

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Sep 30, 2017
Merged

[Security] Add impersonation support for stateless authentication #24260

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
[Security] Add user impersonation support for stateless authentication
  • Loading branch information
Robin Chalas committed Sep 30, 2017
commit e7a5803e2ed6ade6d39d83f0b768aa2d67783eea
3 changes: 3 additions & 0 deletions UPGRADE-3.4.md
View file
Open in desktop
8000
Original file line number Diff line number Diff line change
Expand Up @@ -316,6 +316,9 @@ SecurityBundle

* Deprecated the HTTP digest authentication: `HttpDigestFactory` will be removed in 4.0.
Use another authentication system like `http_basic` instead.

* Deprecated setting the `switch_user.stateless` option to false when the firewall is `stateless`.
Setting it to false will have no effect in 4.0.

Translation
-----------
Expand Down
2 changes: 2 additions & 0 deletions UPGRADE-4.0.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -693,6 +693,8 @@ SecurityBundle

* Removed the HTTP digest authentication system. The `HttpDigestFactory` class
has been removed. Use another authentication system like `http_basic` instead.

* The `switch_user.stateless` option is now always true if the firewall is stateless.

Serializer
----------
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ CHANGELOG
* deprecated command `acl:set` along with `SetAclCommand` class
* deprecated command `init:acl` along with `InitAclCommand` class
* Added support for the new Argon2i password encoder
* added `stateless` option to the `switch_user` listener

3.3.0
-----
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -304,6 +304,7 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
->scalarNode('provider')->end()
->scalarNode('parameter')->defaultValue('_switch_user')->end()
->scalarNode('role')->defaultValue('ROLE_ALLOWED_TO_SWITCH')->end()
->booleanNode('stateless')->defaultValue(false)->end()
->end()
->end()
;
Expand Down
10 changes: 8 additions & 2 deletions src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -456,7 +456,7 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
// Swi 6D40 tch user listener
if (isset($firewall['switch_user'])) {
$listenerKeys[] = 'switch_user';
$listeners[] = new Reference($this->createSwitchUserListener($container, $id, $firewall['switch_user'], $defaultProvider));
$listeners[] = new Reference($this->createSwitchUserListener($container, $id, $firewall['switch_user'], $defaultProvider, $firewall['stateless']));
}

// Access listener
Expand Down Expand Up @@ -699,17 +699,23 @@ private function createExceptionListener($container, $config, $id, $defaultEntry
return $exceptionListenerId;
}

private function createSwitchUserListener($container, $id, $config, $defaultProvider)
private function createSwitchUserListener($container, $id, $config, $defaultProvider, $stateless)
{
$userProvider = isset($config['provider']) ? $this->getUserProviderId($config['provider']) : $defaultProvider;

// in 4.0, ignore the `switch_user.stateless` key if $stateless is `true`
if ($stateless && false === $config['stateless']) {
@trigger_error(sprintf('Firewall "%s" is configured as "stateless" but the "switch_user.stateless" key is set to false. Both should have the same value, the firewall\'s "stateless" value will be used as default value for the "switch_user.stateless" key in 4.0.', $id), E_USER_DEPRECATED);
}

$switchUserListenerId = 'security.authentication.switchuser_listener.'.$id;
$listener = $container->setDefinition($switchUserListenerId, new ChildDefinition('security.authentication.switchuser_listener'));
$listener->replaceArgument(1, new Reference($userProvider));
$listener->replaceArgument(2, new Reference('security.user_checker.'.$id));
$listener->replaceArgument(3, $id);
$listener->replaceArgument(6, $config['parameter']);
$listener->replaceArgument(7, $config['role']);
$listener->replaceArgument(9, $config['stateless']);

return $switchUserListenerId;
}
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -241,6 +241,7 @@
<argument>_switch_user</argument>
<argument>ROLE_ALLOWED_TO_SWITCH</argument>
<argument type="service" id="event_dispatcher" on-invalid="null"/>
<argument>false</argument> <!-- Stateless -->
</service>

<service id="security.access_listener" class="Symfony\Component\Security\Http\Firewall\AccessListener">
Expand Down
2 changes: 2 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,7 @@ public function testFirewalls()
array(
'parameter' => '_switch_user',
'role' => 'ROLE_ALLOWED_TO_SWITCH',
'stateless' => true,
),
),
array(
Expand Down Expand Up @@ -256,6 +257,7 @@ public function testFirewallsWithDigest()
array(
'parameter' => '_switch_user',
'role' => 'ROLE_ALLOWED_TO_SWITCH',
'stateless' => true,
),
),
array(
Expand Down
2 changes: 1 addition & 1 deletion src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@
'http_basic' => true,
'form_login' => true,
'anonymous' => true,
'switch_user' => true,
'switch_user' => array('stateless' => true),
'x509' => true,
'remote_user' => true,
'logout' => true,
Expand Down
2 changes: 1 addition & 1 deletion ...fony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_acl.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@
'http_digest' => array('secret' => 'TheSecret'),
'form_login' => true,
'anonymous' => true,
'switch_user' => true,
'switch_user' => array('stateless' => true),
'x509' => true,
'remote_user' => true,
'logout' => true,
Expand Down
2 changes: 1 addition & 1 deletion ...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_digest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@
'http_digest' => array('secret' => 'TheSecret'),
'form_login' => true,
'anonymous' => true,
'switch_user' => true,
'switch_user' => array('stateless' => true),
'x509' => true,
'remote_user' => true,
'logout' => true,
Expand Down
2 changes: 1 addition & 1 deletion ...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/no_custom_user_checker.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
'http_basic' => true,
'form_login' => true,
'anonymous' => true,
'switch_user' => true,
'switch_user' => array('stateless' => true),
'x509' => true,
'remote_user' => true,
'logout' => true,
Expand Down
2 changes: 1 addition & 1 deletion src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@
<http-basic />
<form-login />
<anonymous />
<switch-user />
<switch-user stateless="true" />
<x509 />
<remote-user />
<user-checker />
Expand Down
2 changes: 1 addition & 1 deletion ...fony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1_with_acl.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@
<http-digest secret="TheSecret" />
<form-login />
<anonymous />
<switch-user />
<switch-user stateless="true" />
<x509 />
<remote-user />
<user-checker />
Expand Down
2 changes: 1 addition & 1 deletion ...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1_with_digest.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@
<http-digest secret="TheSecret" />
<form-login />
<anonymous />
<switch-user />
<switch-user stateless="true" />
<x509 />
<remote-user />
<user-checker />
Expand Down
2 changes: 1 addition & 1 deletion ...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/no_custom_user_checker.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
<http-basic />
<form-login />
<anonymous />
<switch-user />
<switch-user stateless="true" />
<x509 />
<remote-user />
<user-checker />
Expand Down
3 changes: 2 additions & 1 deletion src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,8 @@ security:
http_basic: true
form_login: true
anonymous: true
switch_user: true
switch_user:
stateless: true
x509: true
remote_user: true
logout: true
Expand Down
3 changes: 2 additions & 1 deletion ...fony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1_with_acl.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,8 @@ security:
secret: TheSecret
form_login: true
anonymous: true
switch_user: true
switch_user:
stateless: true
x509: true
remote_user: true
logout: true
Expand Down
3 changes: 2 additions & 1 deletion ...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1_with_digest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up < 10000 /td> @@ -50,7 +50,8 @@ security:
secret: TheSecret
form_login: true
anonymous: true
switch_user: true
switch_user:
stateless: true
x509: true
remote_user: true
logout: true
Expand Down
3 changes: 2 additions & 1 deletion ...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/no_custom_user_checker.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,8 @@ security:
http_basic: true
form_login: true
anonymous: true
switch_user: true
switch_user:
stateless: true
x509: true
remote_user: true
logout: true
Expand Down
26 changes: 26 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -148,6 +148,32 @@ public function testDeprecationForUserLogout()
$container->compile();
}

/**
* @group legacy
* @expectedDeprecation Firewall "some_firewall" is configured as "stateless" but the "switch_user.stateless" key is set to false. Both should have the same value, the firewall's "stateless" value will be used as default value for the "switch_user.stateless" key in 4.0.
*/
public function testSwitchUserNotStatelessOnStatelessFirewall()
{
$container = $this->getRawContainer();

$container->loadFromExtension('security', array(
'providers' => array(
'default' => array('id' => 'foo'),
),

'firewalls' => array(
'some_firewall' => array(
'stateless' => true,
'http_basic' => null,
'switch_user' => array('stateless' => false),
'logout_on_user_change' => true,
),
),
));

$container->compile();
}

protected function getRawContainer()
{
$container = new ContainerBuilder();
Expand Down
13 changes: 13 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/Functional/SwitchUserTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@

namespace Symfony\Bundle\SecurityBundle\Tests\Functional;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Security\Http\Firewall\SwitchUserListener;

class SwitchUserTest extends WebTestCase
Expand Down Expand Up @@ -50,6 +51,18 @@ public function testSwitchedUserExit()
$this->assertEquals('user_can_switch', $client->getProfile()->getCollector('security')->getUser());
}

public function testSwitchUserStateless()
{
$client = $this->createClient(array('test_case' => 'JsonLogin', 'root_config' => 'switchuser_stateless.yml'));
$client->request('POST', '/chk', array('_switch_user' => 'dunglas'), array(), array('CONTENT_TYPE' => 'application/json'), '{"user": {"login": "user_can_switch", "password": "test"}}');
$response = $client->getResponse();

$this->assertInstanceOf(JsonResponse::class, $response);
$this->assertSame(200, $response->getStatusCode());
$this->assertSame(array('message' => 'Welcome @dunglas!'), json_decode($response->getContent(), true));
$this->assertSame('dunglas', $client->getProfile()->getCollector('security')->getUser());
}

public function getTestParameters()
{
return array(
Expand Down
13 changes: 13 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/JsonLogin/switchuser_stateless.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
imports:
- { resource: ./config.yml }

security:
providers:
in_memory:
memory:
users:
user_can_switch: { password: test, roles: [ROLE_USER, ROLE_ALLOWED_TO_SWITCH] }
firewalls:
main:
switch_user:
stateless: true
15 changes: 9 additions & 6 deletions src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,8 +49,9 @@ class SwitchUserListener implements ListenerInterface
private $role;
private $logger;
private $dispatcher;
private $stateless;

public function __construct(TokenStorageInterface $tokenStorage, UserProviderInterface $provider, UserCheckerInterface $userChecker, $providerKey, AccessDecisionManagerInterface $accessDecisionManager, LoggerInterface $logger = null, $usernameParameter = '_switch_user', $role = 'ROLE_ALLOWED_TO_SWITCH', EventDispatcherInterface $dispatcher = null)
public function __construct(TokenStorageInterface $tokenStorage, UserProviderInterface $provider, UserCheckerInterface $userChecker, $providerKey, AccessDecisionManagerInterface $accessDecisionManager, LoggerInterface $logger = null, $usernameParameter = '_switch_user', $role = 'ROLE_ALLOWED_TO_SWITCH', EventDispatcherInterface $dispatcher = null, $stateless = false)
{
if (empty($providerKey)) {
throw new \InvalidArgumentException('$providerKey must not be empty.');
Expand All @@ -65,6 +66,7 @@ public function __construct(TokenStorageInterface $tokenStorage, UserProviderInt
$this->role = $role;
$this->logger = $logger;
$this->dispatcher = $dispatcher;
$this->stateless = $stateless;
}

/**
Expand Down Expand Up @@ -92,12 +94,13 @@ public function handle(GetResponseEvent $event)
}
}

$request->query->remove($this->usernameParameter);
$request->server->set('QUERY_STRING', http_build_query($request->query->all()));
if (!$this->stateless) {
$request->query->remove($this->usernameParameter);
$request->server->set('QUERY_STRING', http_build_query($request->query->all()));
$response = new RedirectResponse($request->getUri(), 302);

$response = new RedirectResponse($request->getUri(), 302);

$event->setResponse($response);
$event->setResponse($response);
}
}

/**
Expand Down
25 changes: 25 additions & 0 deletions src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -266,4 +266,29 @@ public function testSwitchUserWithReplacedToken()

$this->assertSame($replacedToken, $this->tokenStorage->getToken());
}

public function testSwitchUserStateless()
{
$token = new UsernamePasswordToken('username', '', 'key', array('ROLE_FOO'));
$user = new User('username', 'password', array());

$this->tokenStorage->setToken($token);
$this->request->query->set('_switch_user', 'kuba');

$this->accessDecisionManager->expects($this->once())
->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'))
->will($this->returnValue(true));

$this->userProvider->expects($this->once())
->method('loadUserByUsername')->with('kuba')
->will($this->returnValue($user));
$this->userChecker->expects($this->once())
->method('checkPostAuth')->with($user);

$listener = new SwitchUserListener($this->tokenStorage, $this->userProvider, $this->userChecker, 'provider123', $this->accessDecisionManager, null, '_switch_user', 'ROLE_ALLOWED_TO_SWITCH', null, true);
$listener->handle($this->event);

$this->assertInstanceOf('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $this->tokenStorage->getToken());
$this->assertFalse($this->event->hasResponse());
}
}
0