bug #8997 [Security] Fixed problem with losing ROLE_PREVIOUS_ADMIN role. (pawaclawczyk)

This PR was squashed before being merged into the 2.3 branch (closes #8997). Discussion ---------- [Security] Fixed problem with losing ROLE_PREVIOUS_ADMIN role. <table> <tr> <td><b>Q</b></td> <td><b>A</b></td> </tr> <tr> <td>Bug fix?</td> <td>yes</td> </tr> <tr> <td>New feature</td> <td>no</td> </tr> <tr> <td>BC breaks?</td> <td>no</td> </tr> <tr> <td>Deprecations?</td> <td>no</td> </tr> <tr> <td>Tests pass?</td> <td>yes</td> </tr> <tr> <td>Fixed tickets</td> <td>#3085, #8974</td> </tr> <tr> <td>License</td> <td>MIT</td> </tr> <tr> <td>Doc PR</td> <td>n/a</td> </tr> </table> Problem occurs while user is impersonated. Authentication process generates new token and doeas not preserve role ```ROLE_PREVIOUS_ADMIN```. Ex. when parameter ```security.always_authenticate_before_granting``` is enabled. Commits ------- a7baa3b [Security] Fixed problem with losing ROLE_PREVIOUS_ADMIN role.
author: Fabien Potencier <fabien.potencier@gmail.com> 2013-12-29 16:53:43 +0100
committer: Fabien Potencier <fabien.potencier@gmail.com> 2013-12-29 16:53:43 +0100
commit: 2edf1f33f7595aec863d3b23147ce389c50a7cf5 (patch)
tree: e963624bc8a248bcbe4d337ca3c31d85e3712043
parent: 64b27936a722b4fc759212882f9481b7dbf9b453 (diff)
parent: 3e020d61729721b526c02c54f8cd6894c8ac9bd4 (diff)
download: symfony-security-2edf1f33f7595aec863d3b23147ce389c50a7cf5.zip
symfony-security-2edf1f33f7595aec863d3b23147ce389c50a7cf5.tar.gz
symfony-security-2edf1f33f7595aec863d3b23147ce389c50a7cf5.tar.bz2
2 files changed, 68 insertions, 2 deletions
diff --git a/Core/Authentication/Provider/UserAuthenticationProvider.php b/Core/Authentication/Provider/UserAuthenticationProvider.php
index 626f50b..18c3e70 100644
--- a/Core/Authentication/Provider/UserAuthenticationProvider.php
+++ b/Core/Authentication/Provider/UserAuthenticationProvider.php
@@ -19,6 +19,7 @@ use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Role\SwitchUserRole;
 
 /**
  * UserProviderInterface retrieves users for UsernamePasswordToken tokens.
@@ -92,7 +93,7 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter
             throw $e;
         }
 
-        $authenticatedToken = new UsernamePasswordToken($user, $token->getCredentials(), $this->providerKey, $user->getRoles());
+        $authenticatedToken = new UsernamePasswordToken($user, $token->getCredentials(), $this->providerKey, $this->getRoles($user, $token));
         $authenticatedToken->setAttributes($token->getAttributes());
 
         return $authenticatedToken;
@@ -107,6 +108,29 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter
     }
 
     /**
+     * Retrieves roles from user and appends SwitchUserRole if original token contained one.
+     *
+     * @param UserInterface  $user  The user
+     * @param TokenInterface $token The token
+     *
+     * @return Role[] The user roles
+     */
+    private function getRoles(UserInterface $user, TokenInterface $token)
+    {
+        $roles = $user->getRoles();
+
+        foreach ($token->getRoles() as $role) {
+            if ($role instanceof SwitchUserRole) {
+                $roles[] = $role;
+
+                break;
+            }
+        }
+
+        return $roles;
+    }
+
+    /**
      * Retrieves the user from an implementation-specific location.
      *
      * @param string                $username The username to retrieve
diff --git a/Tests/Core/Authentication/Provider/UserAuthenticationProviderTest.php b/Tests/Core/Authentication/Provider/UserAuthenticationProviderTest.php
index 1516a5f..22a7e5d 100644
--- a/Tests/Core/Authentication/Provider/UserAuthenticationProviderTest.php
+++ b/Tests/Core/Authentication/Provider/UserAuthenticationProviderTest.php
@@ -13,6 +13,7 @@ namespace Symfony\Component\Security\Tests\Core\Authentication\Provider;
 
 use Symfony\Component\Security\Core\Authentication\Provider\UserAuthenticationProvider;
 use Symfony\Component\Security\Core\Role\Role;
+use Symfony\Component\Security\Core\Role\SwitchUserRole;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 
 class UserAuthenticationProviderTest extends \PHPUnit_Framework_TestCase
@@ -172,6 +173,11 @@ class UserAuthenticationProviderTest extends \PHPUnit_Framework_TestCase
               ->will($this->returnValue('foo'))
         ;
 
+        $token->expects($this->once())
+              ->method('getRoles')
+              ->will($this->returnValue(array()))
+        ;
+
         $authToken = $provider->authenticate($token);
 
         $this->assertInstanceOf('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $authToken);
@@ -181,9 +187,45 @@ class UserAuthenticationProviderTest extends \PHPUnit_Framework_TestCase
         $this->assertEquals(array('foo' => 'bar'), $authToken->getAttributes(), '->authenticate() copies token attributes');
     }
 
+    public function testAuthenticateWithPreservingRoleSwitchUserRole()
+    {
+        $user = $this->getMock('Symfony\Component\Security\Core\User\UserInterface');
+        $user->expects($this->once())
+             ->method('getRoles')
+             ->will($this->returnValue(array('ROLE_FOO')))
+        ;
+
+        $provider = $this->getProvider();
+        $provider->expects($this->once())
+                 ->method('retrieveUser')
+                 ->will($this->returnValue($user))
+        ;
+
+        $token = $this->getSupportedToken();
+        $token->expects($this->once())
+              ->method('getCredentials')
+              ->will($this->returnValue('foo'))
+        ;
+
+        $switchUserRole = new SwitchUserRole('foo', $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface'));
+        $token->expects($this->once())
+              ->method('getRoles')
+              ->will($this->returnValue(array($switchUserRole)))
+        ;
+
+        $authToken = $provider->authenticate($token);
+
+        $this->assertInstanceOf('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $authToken);
+        $this->assertSame($user, $authToken->getUser());
+        $this->assertContains(new Role('ROLE_FOO'), $authToken->getRoles(), '', false, false);
+        $this->assertContains($switchUserRole, $authToken->getRoles());
+        $this->assertEquals('foo', $authToken->getCredentials());
+        $this->assertEquals(array('foo' => 'bar'), $authToken->getAttributes(), '->authenticate() copies token attributes');
+    }
+
     protected function getSupportedToken()
     {
-        $mock = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', array('getCredentials', 'getProviderKey'), array(), '', false);
+        $mock = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', array('getCredentials', 'getProviderKey', 'getRoles'), array(), '', false);
         $mock
             ->expects($this->any())
             ->method('getProviderKey')
author	Fabien Potencier <fabien.potencier@gmail.com>	2013-12-29 16:53:43 +0100
committer	Fabien Potencier <fabien.potencier@gmail.com>	2013-12-29 16:53:43 +0100
commit	2edf1f33f7595aec863d3b23147ce389c50a7cf5 (patch)
tree	e963624bc8a248bcbe4d337ca3c31d85e3712043
parent	64b27936a722b4fc759212882f9481b7dbf9b453 (diff)
parent	3e020d61729721b526c02c54f8cd6894c8ac9bd4 (diff)
download	symfony-security-2edf1f33f7595aec863d3b23147ce389c50a7cf5.zip symfony-security-2edf1f33f7595aec863d3b23147ce389c50a7cf5.tar.gz symfony-security-2edf1f33f7595aec863d3b23147ce389c50a7cf5.tar.bz2