Added user impersonation info and exit action

yceruto · yceruto · commit a497d2ac5e5b · 2017-06-02T07:44:06.000-04:00
diff --git a/src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php b/src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php
@@ -18,6 +18,7 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\DataCollector\DataCollector;
 use Symfony\Component\HttpKernel\DataCollector\LateDataCollectorInterface;
+use Symfony\Component\Security\Core\Role\SwitchUserRole;
 use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 use Symfony\Component\Security\Core\Authorization\TraceableAccessDecisionManager;
@@ -68,6 +69,9 @@ public function collect(Request $request, Response $response, \Exception $except
             $this->data = array(
                 'enabled' => false,
                 'authenticated' => false,
+                'impersonated' => false,
+                'impersonator_user' => null,
+                'impersonation_exit_path' => null,
                 'token' => null,
                 'token_class' => null,
                 'logout_url' => null,
@@ -80,6 +84,9 @@ public function collect(Request $request, Response $response, \Exception $except
             $this->data = array(
                 'enabled' => true,
                 'authenticated' => false,
+                'impersonated' => false,
+                'impersonator_user' => null,
+                'impersonated_exit_path' => null,
                 'token' => null,
                 'token_class' => null,
                 'logout_url' => null,
@@ -92,6 +99,14 @@ public function collect(Request $request, Response $response, \Exception $except
             $inheritedRoles = array();
             $assignedRoles = $token->getRoles();
 
+            $impersonatorUser = null;
+            foreach ($assignedRoles as $role) {
+                if ($role instanceof SwitchUserRole) {
+                    $impersonatorUser = $role->getSource()->getUsername();
+                    break;
+                }
+            }
+
             if (null !== $this->roleHierarchy) {
                 $allRoles = $this->roleHierarchy->getReachableRoles($assignedRoles);
                 foreach ($allRoles as $role) {
@@ -113,6 +128,9 @@ public function collect(Request $request, Response $response, \Exception $except
             $this->data = array(
                 'enabled' => true,
                 'authenticated' => $token->isAuthenticated(),
+                'impersonated' => null !== $impersonatorUser,
+                'impersonator_user' => $impersonatorUser,
+                'impersonation_exit_path' => null,
                 'token' => $token,
                 'token_class' => $this->hasVarDumper ? new ClassStub(get_class($token)) : get_class($token),
                 'logout_url' => $logoutUrl,
@@ -156,6 +174,15 @@ public function collect(Request $request, Response $response, \Exception $except
                     'user_checker' => $firewallConfig->getUserChecker(),
                     'listeners' => $firewallConfig->getListeners(),
                 );
+
+                // generate exit impersonation path from current request
+                if ($this->data['impersonated'] && null !== $switchUserConfig = $firewallConfig->getSwitchUser()) {
+                    $exitPath = $request->getRequestUri();
+                    $exitPath .= null === $request->getQueryString() ? '?' : '&';
+                    $exitPath .= urlencode($switchUserConfig['parameter']).'=_exit';
+
+                    $this->data['impersonation_exit_path'] = $exitPath;
+                }
             }
         }
     }
@@ -226,6 +253,36 @@ public function isAuthenticated()
         return $this->data['authenticated'];
     }
 
+    /**
+     * Checks if the user is impersonated or not.
+     *
+     * @return bool true if the user is impersonated, false otherwise
+     */
+    public function isImpersonated()
+    {
+        return $this->data['impersonated'];
+    }
+
+    /**
+     * Returns the impersonation source user.
+     *
+     * @return string The username
+     */
+    public function getImpersonatorUser()
+    {
+        return $this->data['impersonator_user'];
+    }
+
+    /**
+     * Returns the exit impersonation path.
+     *
+     * @return string The URI path
+     */
+    public function getImpersonationExitPath()
+    {
+        return $this->data['impersonation_exit_path'];
+    }
+
     /**
      * Get the class name of the security token.
      *
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -399,6 +399,8 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
         if (isset($firewall['switch_user'])) {
             $listenerKeys[] = 'switch_user';
             $listeners[] = new Reference($this->createSwitchUserListener($container, $id, $firewall['switch_user'], $defaultProvider));
+
+            $config->replaceArgument(11, $firewall['switch_user']);
         }
 
         // Access listener
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml
@@ -136,6 +136,7 @@
             <argument />                   <!-- access_denied_handler -->
             <argument />                   <!-- access_denied_url -->
             <argument type="collection" /> <!-- listeners -->
+            <argument />                   <!-- switch_user -->
         </service>
 
         <service id="security.logout_url_generator" class="Symfony\Component\Security\Http\Logout\LogoutUrlGenerator">
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig b/src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
@@ -16,47 +16,63 @@
     {% endset %}
 
     {% set text %}
-        {% if collector.enabled %}
-            {% if collector.token %}
+        {% if collector.impersonated %}
+            <div class="sf-toolbar-info-group">
                 <div class="sf-toolbar-info-piece">
-                    <b>Logged in as</b>
-                    <span>{{ collector.user }}</span>
+                    <b>Impersonator</b>
+                    <span>{{ collector.impersonatorUser }}</span>
                 </div>
+            </div>
+        {% endif %}
 
-                <div class="sf-toolbar-info-piece">
-                    <b>Authenticated</b>
-                    <span class="sf-toolbar-status sf-toolbar-status-{{ is_authenticated ? 'green' : 'red' }}">{{ is_authenticated ? 'Yes' : 'No' }}</span>
-                </div>
+        <div class="sf-toolbar-info-group">
+            {% if collector.enabled %}
+                {% if collector.token %}
+                    <div class="sf-toolbar-info-piece">
+                        <b>Logged in as</b>
+                        <span>{{ collector.user }}</span>
+                    </div>
 
-                <div class="sf-toolbar-info-piece">
-                    <b>Token class</b>
-                    <span>{{ collector.tokenClass|abbr_class }}</span>
-                </div>
-            {% else %}
-                <div class="sf-toolbar-info-piece">
-                    <b>Authenticated</b>
-                    <span class="sf-toolbar-status sf-toolbar-status-red">No</span>
-                </div>
-            {% endif %}
+                    <div class="sf-toolbar-info-piece">
+                        <b>Authenticated</b>
+                        <span class="sf-toolbar-status sf-toolbar-status-{{ is_authenticated ? 'green' : 'red' }}">{{ is_authenticated ? 'Yes' : 'No' }}</span>
+                    </div>
 
-            {% if collector.firewall %}
-                <div class="sf-toolbar-info-piece">
-                    <b>Firewall name</b>
-                    <span>{{ collector.firewall.name }}</span>
-                </div>
-            {% endif %}
+                    <div class="sf-toolbar-info-piece">
+                        <b>Token class</b>
+                        <span>{{ collector.tokenClass|abbr_class }}</span>
+                    </div>
+                {% else %}
+                    <div class="sf-toolbar-info-piece">
+                        <b>Authenticated</b>
+                        <span class="sf-toolbar-status sf-toolbar-status-red">No</span>
+                    </div>
+                {% endif %}
 
-            {% if collector.token and collector.logoutUrl %}
+                {% if collector.firewall %}
+                    <div class="sf-toolbar-info-piece">
+                        <b>Firewall name</b>
+                        <span>{{ collector.firewall.name }}</span>
+                    </div>
+                {% endif %}
+
+                {% if collector.token and collector.logoutUrl %}
+                    <div class="sf-toolbar-info-piece">
+                        <b>Actions</b>
+                        <span>
+                            <a href="{{ collector.logoutUrl }}">Logout</a>
+                            {% if collector.impersonated and collector.impersonationExitPath %}
+                                | <a href="{{ collector.impersonationExitPath }}">Exit impersonation</a>
+                            {% endif %}
+                        </span>
+                    </div>
+                {% endif %}
+            {% else %}
                 <div class="sf-toolbar-info-piece">
-                    <b>Actions</b>
-                    <span><a href="{{ collector.logoutUrl }}">Logout</a></span>
+                    <span>The security is disabled.</span>
                 </div>
             {% endif %}
-        {% else %}
-            <div class="sf-toolbar-info-piece">
-                <span>The security is disabled.</span>
-            </div>
-        {% endif %}
+        </div>
     {% endset %}
 
     {{ include('@WebProfiler/Profiler/toolbar_item.html.twig', { link: profiler_url, status: color_code }) }}
diff --git a/src/Symfony/Bundle/SecurityBundle/Security/FirewallConfig.php b/src/Symfony/Bundle/SecurityBundle/Security/FirewallConfig.php
@@ -27,6 +27,7 @@ final class FirewallConfig
     private $accessDeniedHandler;
     private $accessDeniedUrl;
     private $listeners;
+    private $switchUser;
 
     /**
      * @param string      $name
@@ -40,8 +41,9 @@ final class FirewallConfig
      * @param string|null $accessDeniedHandler
      * @param string|null $accessDeniedUrl
      * @param string[]    $listeners
+     * @param array|null  $switchUser
      */
-    public function __construct($name, $userChecker, $requestMatcher = null, $securityEnabled = true, $stateless = false, $provider = null, $context = null, $entryPoint = null, $accessDeniedHandler = null, $accessDeniedUrl = null, $listeners = array())
+    public function __construct($name, $userChecker, $requestMatcher = null, $securityEnabled = true, $stateless = false, $provider = null, $context = null, $entryPoint = null, $accessDeniedHandler = null, $accessDeniedUrl = null, $listeners = array(), $switchUser = null)
     {
         $this->name = $name;
         $this->userChecker = $userChecker;
@@ -54,6 +56,7 @@ public function __construct($name, $userChecker, $requestMatcher = null, $securi
         $this->accessDeniedHandler = $accessDeniedHandler;
         $this->accessDeniedUrl = $accessDeniedUrl;
         $this->listeners = $listeners;
+        $this->switchUser = $switchUser;
     }
 
     public function getName()
@@ -140,4 +143,12 @@ public function getListeners()
     {
         return $this->listeners;
     }
+
+    /**
+     * @return array|null The switch_user config if enabled, null otherwise
+     */
+    public function getSwitchUser()
+    {
+        return $this->switchUser;
+    }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php
@@ -19,6 +19,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Role\Role;
 use Symfony\Component\Security\Core\Role\RoleHierarchy;
+use Symfony\Component\Security\Core\Role\SwitchUserRole;
 use Symfony\Component\Security\Http\FirewallMapInterface;
 
 class SecurityDataCollectorTest extends TestCase
@@ -31,6 +32,7 @@ public function testCollectWhenSecurityIsDisabled()
         $this->assertSame('security', $collector->getName());
         $this->assertFalse($collector->isEnabled());
         $this->assertFalse($collector->isAuthenticated());
+        $this->assertFalse($collector->isImpersonated());
         $this->assertNull($collector->getTokenClass());
         $this->assertFalse($collector->supportsRoleHierarchy());
         $this->assertCount(0, $collector->getRoles());
@@ -47,6 +49,7 @@ public function testCollectWhenAuthenticationTokenIsNull()
 
         $this->assertTrue($collector->isEnabled());
         $this->assertFalse($collector->isAuthenticated());
+        $this->assertFalse($collector->isImpersonated());
         $this->assertNull($collector->getTokenClass());
         $this->assertTrue($collector->supportsRoleHierarchy());
         $this->assertCount(0, $collector->getRoles());
@@ -67,13 +70,41 @@ public function testCollectAuthenticationTokenAndRoles(array $roles, array $norm
 
         $this->assertTrue($collector->isEnabled());
         $this->assertTrue($collector->isAuthenticated());
+        $this->assertFalse($collector->isImpersonated());
         $this->assertSame('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $collector->getTokenClass()->getValue());
         $this->assertTrue($collector->supportsRoleHierarchy());
         $this->assertSame($normalizedRoles, $collector->getRoles()->getValue(true));
         $this->assertSame($inheritedRoles, $collector->getInheritedRoles()->getValue(true));
         $this->assertSame('hhamon', $collector->getUser());
     }
 
+    public function testCollectImpersonatedToken()
+    {
+        $adminToken = new UsernamePasswordToken('yceruto', 'P4$$w0rD', 'provider', array('ROLE_ADMIN'));
+
+        $userRoles = array(
+            'ROLE_USER',
+            new SwitchUserRole('ROLE_PREVIOUS_ADMIN', $adminToken),
+        );
+
+        $tokenStorage = new TokenStorage();
+        $tokenStorage->setToken(new UsernamePasswordToken('hhamon', 'P4$$w0rD', 'provider', $userRoles));
+
+        $collector = new SecurityDataCollector($tokenStorage, $this->getRoleHierarchy());
+        $collector->collect($this->getRequest(), $this->getResponse());
+        $collector->lateCollect();
+
+        $this->assertTrue($collector->isEnabled());
+        $this->assertTrue($collector->isAuthenticated());
+        $this->assertTrue($collector->isImpersonated());
+        $this->assertSame('yceruto', $collector->getImpersonatorUser());
+        $this->assertSame('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $collector->getTokenClass()->getValue());
+        $this->assertTrue($collector->supportsRoleHierarchy());
+        $this->assertSame(array('ROLE_USER', 'ROLE_PREVIOUS_ADMIN'), $collector->getRoles()->getValue(true));
+        $this->assertSame(array(), $collector->getInheritedRoles()->getValue(true));
+        $this->assertSame('hhamon', $collector->getUser());
+    }
+
     public function testGetFirewall()
     {
         $firewallConfig = new FirewallConfig('dummy', 'security.request_matcher.dummy', 'security.user_checker.dummy');
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
@@ -94,6 +94,10 @@ public function testFirewalls()
                 'security.user.provider.concrete.default',
                 null,
                 'security.authentication.form_entry_point.secure',
+                array(
+                    'parameter' => '_switch_user',
+                    'role' => 'ROLE_ALLOWED_TO_SWITCH',
+                ),
                 null,
                 null,
                 array(
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Security/FirewallConfigTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Security/FirewallConfigTest.php
@@ -29,6 +29,7 @@ public function testGetters()
             'access_denied_url' => 'foo_access_denied_url',
             'access_denied_handler' => 'foo_access_denied_handler',
             'user_checker' => 'foo_user_checker',
+            'switch_user' => array('provider' => null, 'parameter' => '_switch_user', 'role' => 'ROLE_ALLOWED_TO_SWITCH'),
         );
 
         $config = new FirewallConfig(
@@ -42,7 +43,8 @@ public function testGetters()
             $options['entry_point'],
             $options['access_denied_handler'],
             $options['access_denied_url'],
-            $listeners
+            $listeners,
+            $options['switch_user']
         );
 
         $this->assertSame('foo_firewall', $config->getName());
@@ -57,5 +59,6 @@ public function testGetters()
         $this->assertSame($options['user_checker'], $config->getUserChecker());
         $this->assertTrue($config->allowsAnonymous());
         $this->assertSame($listeners, $config->getListeners());
+        $this->assertSame($options['switch_user'], $config->getSwitchUser());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -399,6 +399,8 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a`
`399`	`399`	`if (isset($firewall['switch_user'])) {`
`400`	`400`	`$listenerKeys[] = 'switch_user';`
`401`	`401`	`$listeners[] = new Reference($this->createSwitchUserListener($container, $id, $firewall['switch_user'], $defaultProvider));`
	`402`	`+`
	`403`	`+ $config->replaceArgument(11, $firewall['switch_user']);`
`402`	`404`	`}`
`403`	`405`
`404`	`406`	`// Access listener`