Skip to content

[Security][Firewall] Passing the newly generated security token to the event during user switching #21951

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Sep 26, 2017
Merged

[Security][Firewall] Passing the newly generated security token to the event during user switching #21951

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions src/Symfony/Component/Security/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ CHANGELOG
3.4.0
-----

* added a `setToken()` method to the `SwitchUserEvent` class to allow to replace the created token while switching users
when custom token generation is required by application.
* Using voters that do not implement the `VoterInterface`is now deprecated in
the `AccessDecisionManager` and this functionality will be removed in 4.0.

Expand Down
18 changes: 17 additions & 1 deletion src/Symfony/Component/Security/Http/Event/SwitchUserEvent.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
namespace Symfony\Component\Security\Http\Event;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\EventDispatcher\Event;

Expand All @@ -24,11 +25,13 @@ class SwitchUserEvent extends Event
{
private $request;
private $targetUser;
private $token;

public function __construct(Request $request, UserInterface $targetUser)
public function __construct(Request $request, UserInterface $targetUser, TokenInterface $token = null)
{
$this->request = $request;
$this->targetUser = $targetUser;
$this->token = $token;
}

/**
Expand All @@ -46,4 +49,17 @@ public function getTargetUser()
{
return $this->targetUser;
}

/**
* @return TokenInterface|null
*/
public function getToken()
{
return $this->token;
}

public function setToken(TokenInterface $token)
{
$this->token = $token;
}
}
7 changes: 5 additions & 2 deletions src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -145,8 +145,10 @@ private function attemptSwitchUser(Request $request)
$token = new UsernamePasswordToken($user, $user->getPassword(), $this->providerKey, $roles);

if (null !== $this->dispatcher) {
$switchEvent = new SwitchUserEvent($request, $token->getUser());
$switchEvent = new SwitchUserEvent($request, $token->getUser(), $token);
$this->dispatcher->dispatch(SecurityEvents::SWITCH_USER, $switchEvent);
// use the token from the event in case any listeners have replaced it.
$token = $switchEvent->getToken();
}

return $token;
Expand All @@ -169,8 +171,9 @@ private function attemptExitUser(Request $request)

if (null !== $this->dispatcher && $original->getUser() instanceof UserInterface) {
$user = $this->provider->refreshUser($original->getUser());
$switchEvent = new SwitchUserEvent($request, $user);
$switchEvent = new SwitchUserEvent($request, $user, $original);
$this->dispatcher->dispatch(SecurityEvents::SWITCH_USER, $switchEvent);
$original = $switchEvent->getToken();
}

return $original;
Expand Down
39 changes: 39 additions & 0 deletions src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -227,4 +227,43 @@ public function testSwitchUserKeepsOtherQueryStringParameters()
$this->assertSame('page=3&section=2', $this->request->server->get('QUERY_STRING'));
$this->assertInstanceOf('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $this->tokenStorage->getToken());
}

public function testSwitchUserWithReplacedToken()
{
$user = new User('username', 'password', array());
$token = new UsernamePasswordToken($user, '', 'provider123', array('ROLE_FOO'));

$user = new User('replaced', 'password', array());
$replacedToken = new UsernamePasswordToken($user, '', 'provider123', array('ROLE_BAR'));

$this->tokenStorage->setToken($token);
$this->request->query->set('_switch_user', 'kuba');

$this->accessDecisionManager->expects($this->any())
->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'))
->will($this->returnValue(true));

$this->userProvider->expects($this->any())
->method('loadUserByUsername')->with('kuba')
->will($this->returnValue($user));

$dispatcher = $this->getMockBuilder('Symfony\Component\EventDispatcher\EventDispatcherInterface')->getMock();
$dispatcher
->expects($this->once())
->method('dispatch')
->with(SecurityEvents::SWITCH_USER,
$this->callback(function (SwitchUserEvent $event) use ($replacedToken, $user) {
if ($user !== $event->getTargetUser()) {
return false;
}
$event->setToken($replacedToken);

return true;
}));

$listener = new SwitchUserListener($this->tokenStorage, $this->userProvider, $this->userChecker, 'provider123', $this->accessDecisionManager, null, '_switch_user', 'ROLE_ALLOWED_TO_SWITCH', $dispatcher);
$listener->handle($this->event);

$this->assertSame($replacedToken, $this->tokenStorage->getToken());
}
}