diff options
| -rw-r--r-- | Acl/Domain/DoctrineAclCache.php | 5 | ||||
| -rw-r--r-- | Core/Tests/Authorization/AccessDecisionManagerTest.php | 42 | ||||
| -rw-r--r-- | Core/Tests/Util/StringUtilsTest.php | 44 | ||||
| -rw-r--r-- | Core/Util/StringUtils.php | 10 |
4 files changed, 96 insertions, 5 deletions
diff --git a/Acl/Domain/DoctrineAclCache.php b/Acl/Domain/DoctrineAclCache.php index 9e14af5..0c69773 100644 --- a/Acl/Domain/DoctrineAclCache.php +++ b/Acl/Domain/DoctrineAclCache.php @@ -12,6 +12,7 @@ namespace Symfony\Component\Security\Acl\Domain; use Doctrine\Common\Cache\Cache; +use Doctrine\Common\Cache\CacheProvider; use Symfony\Component\Security\Acl\Model\AclCacheInterface; use Symfony\Component\Security\Acl\Model\AclInterface; use Symfony\Component\Security\Acl\Model\ObjectIdentityInterface; @@ -55,7 +56,9 @@ class DoctrineAclCache implements AclCacheInterface */ public function clearCache() { - $this->cache->deleteByPrefix($this->prefix); + if ($this->cache instanceof CacheProvider) { + $this->cache->deleteAll(); + } } /** diff --git a/Core/Tests/Authorization/AccessDecisionManagerTest.php b/Core/Tests/Authorization/AccessDecisionManagerTest.php index b0557a3..0db50cf 100644 --- a/Core/Tests/Authorization/AccessDecisionManagerTest.php +++ b/Core/Tests/Authorization/AccessDecisionManagerTest.php @@ -73,6 +73,48 @@ class AccessDecisionManagerTest extends \PHPUnit_Framework_TestCase $this->assertSame($expected, $manager->decide($token, array('ROLE_FOO'))); } + /** + * @dataProvider getStrategiesWith2RolesTests + */ + public function testStrategiesWith2Roles($token, $strategy, $voter, $expected) + { + $manager = new AccessDecisionManager(array($voter), $strategy); + + $this->assertSame($expected, $manager->decide($token, array('ROLE_FOO', 'ROLE_BAR'))); + } + + public function getStrategiesWith2RolesTests() + { + $token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface'); + + return array( + array($token, 'affirmative', $this->getVoter(VoterInterface::ACCESS_DENIED), false), + array($token, 'affirmative', $this->getVoter(VoterInterface::ACCESS_GRANTED), true), + + array($token, 'consensus', $this->getVoter(VoterInterface::ACCESS_DENIED), false), + array($token, 'consensus', $this->getVoter(VoterInterface::ACCESS_GRANTED), true), + + array($token, 'unanimous', $this->getVoterFor2Roles($token, VoterInterface::ACCESS_DENIED, VoterInterface::ACCESS_DENIED), false), + array($token, 'unanimous', $this->getVoterFor2Roles($token, VoterInterface::ACCESS_DENIED, VoterInterface::ACCESS_GRANTED), false), + array($token, 'unanimous', $this->getVoterFor2Roles($token, VoterInterface::ACCESS_GRANTED, VoterInterface::ACCESS_DENIED), false), + array($token, 'unanimous', $this->getVoterFor2Roles($token, VoterInterface::ACCESS_GRANTED, VoterInterface::ACCESS_GRANTED), true), + ); + } + + protected function getVoterFor2Roles($token, $vote1, $vote2) + { + $voter = $this->getMock('Symfony\Component\Security\Core\Authorization\Voter\VoterInterface'); + $voter->expects($this->exactly(2)) + ->method('vote') + ->will($this->returnValueMap(array( + array($token, null, array("ROLE_FOO"),$vote1), + array($token, null, array("ROLE_BAR"),$vote2), + ))) + ; + + return $voter; + } + public function getStrategyTests() { return array( diff --git a/Core/Tests/Util/StringUtilsTest.php b/Core/Tests/Util/StringUtilsTest.php index 89da98d..e0366a5 100644 --- a/Core/Tests/Util/StringUtilsTest.php +++ b/Core/Tests/Util/StringUtilsTest.php @@ -13,11 +13,49 @@ namespace Symfony\Component\Security\Core\Tests\Util; use Symfony\Component\Security\Core\Util\StringUtils; +/** + * Data from PHP.net's hash_equals tests + */ class StringUtilsTest extends \PHPUnit_Framework_TestCase { - public function testEquals() + public function dataProviderTrue() + { + return array( + array('same', 'same'), + array('', ''), + array(123, 123), + array(null, ''), + array(null, null), + ); + } + + public function dataProviderFalse() + { + return array( + array('not1same', 'not2same'), + array('short', 'longer'), + array('longer', 'short'), + array('', 'notempty'), + array('notempty', ''), + array(123, 'NaN'), + array('NaN', 123), + array(null, 123), + ); + } + + /** + * @dataProvider dataProviderTrue + */ + public function testEqualsTrue($known, $user) + { + $this->assertTrue(StringUtils::equals($known, $user)); + } + + /** + * @dataProvider dataProviderFalse + */ + public function testEqualsFalse($known, $user) { - $this->assertTrue(StringUtils::equals('password', 'password')); - $this->assertFalse(StringUtils::equals('password', 'foo')); + $this->assertFalse(StringUtils::equals($known, $user)); } } diff --git a/Core/Util/StringUtils.php b/Core/Util/StringUtils.php index 5e13037..acf8e9e 100644 --- a/Core/Util/StringUtils.php +++ b/Core/Util/StringUtils.php @@ -27,6 +27,7 @@ class StringUtils * Compares two strings. * * This method implements a constant-time algorithm to compare strings. + * Regardless of the used implementation, it will leak length information. * * @param string $knownString The string of known length to compare against * @param string $userInput The string that the user can control @@ -35,6 +36,13 @@ class StringUtils */ public static function equals($knownString, $userInput) { + $knownString = (string) $knownString; + $userInput = (string) $userInput; + + if (function_exists('hash_equals')) { + return hash_equals($knownString, $userInput); + } + $knownLen = strlen($knownString); $userLen = strlen($userInput); @@ -45,7 +53,7 @@ class StringUtils $result = $knownLen - $userLen; // Note that we ALWAYS iterate over the user-supplied length - // This is to prevent leaking length information + // This is to mitigate leaking length information for ($i = 0; $i < $userLen; $i++) { $result |= (ord($knownString[$i]) ^ ord($userInput[$i])); } |