Skip to content

[Security] Fixed SwitchUserListener when exiting an impersonation with AnonymousToken #18425

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 5, 2016
Merged

[Security] Fixed SwitchUserListener when exiting an impersonation with AnonymousToken #18425

merged 1 commit into from
Apr 5, 2016

Conversation

lyrixx
Copy link
Member

@lyrixx lyrixx commented Apr 3, 2016

Q A
Branch? 2.3
Bug fix? yes
New feature? no
BC breaks? no
Deprecations? no
Tests pass? yes
Fixed tickets -
License MIT
Doc PR -

If you configure a firewall with switch user with role: IS_AUTHENTICATED_ANONYMOUSLY it's impossible to exit the
impersonation because the next line $this->provider->refreshUser($original->getUser()) will fail. It fails because RefreshUser
expects an instance of UserInterface and here it's a string.

Therefore, it does not make sense to refresh an Anonymous Token, right ?

xabbuh
xabbuh reviewed Apr 4, 2016
View reviewed changes
src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -162,7 +163,7 @@ private function attemptExitUser(Request $request)
throw new AuthenticationCredentialsNotFoundException('Could not find original Token object.');
}

if (null !== $this->dispatcher) {
if (null !== $this->dispatcher && !$original instanceof AnonymousToken) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be better to check if $original->getUser is an instance of the UserInterface to also support custom tokens that might return something else.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you are right. I updated the code and added some tests.

@nicolas-grekas
Copy link
Member

👍

xabbuh
xabbuh reviewed Apr 4, 2016
View reviewed changes
src/Symfony/Component/Security/Tests/Http/Firewall/SwitchUserListenerTest.php
@@ -149,6 +149,54 @@ public function testExitUserDispatchesEventWithRefreshedUser()
$listener->handle($this->event);
}

public function testExitUserDontDispatchesEventWithStringUser()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

testExitUserDoesNotDispatchEventWithStringUser

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@xabbuh thanks & fixed.

@javiereguiluz javiereguiluz changed the title [Security] Fixed SwitchUserListener when exiting an impersonication with AnonymousToken [Security] Fixed SwitchUserListener when exiting an impersonation with AnonymousToken Apr 4, 2016
@stof
Copy link
Member

stof commented Apr 4, 2016

@lyrixx are you really allowing anonymous users to impersonate users ? This looks weird.

But the fix is indeed valid

@lyrixx
Copy link
Member Author

lyrixx commented Apr 4, 2016

@stof Yes I do that. It's an awesome idea for demo app (you may see it on thursday).
With very few line of code, you can add simple login / logout feature for some hardcoded users.

security:
    role_hierarchy:
        ROLE_ADMIN: [ROLE_WRITTER, ROLE_SPELLCHECKER, ROLE_JOURNALIST]
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext

    providers:
        in_memory:
            memory:
                users:
                    alice: { password: password, roles: ROLE_WRITTER }
                    spellchecker: { password: password , roles: ROLE_SPELLCHECKER }
                    journalist: { password: password , roles: ROLE_JOURNALIST }
                    admin: { password: password , roles: ROLE_ADMIN }

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            pattern: ^/
            anonymous: true
            logout: true
            switch_user:
                role: IS_AUTHENTICATED_ANONYMOUSLY

@lyrixx
[Security] Fixed SwitchUserListener when exiting an impersonication w…
59fea72 
…ith AnonymousToken

If you configure a firewall with switch user with `role: IS_AUTHENTICATED_ANONYMOUSLY` it's impossible to exit the
impersonation because the next line `$this->provider->refreshUser($original->getUser())` will fail. It fails because `RefreshUser`
expects an instance of `UserInterface` and here it's a string.

Therefore, it does not make sense to refresh an Anonymous Token, right ?
@fabpot
Copy link
Member

fabpot commented Apr 5, 2016

Thank you @lyrixx.

@fabpot fabpot merged commit 59fea72 into symfony:2.3 Apr 5, 2016
fabpot added a commit that referenced this pull request Apr 5, 2016
@fabpot
bug #18425 [Security] Fixed SwitchUserListener when exiting an impers…
5b6da77 
…onation with AnonymousToken (lyrixx)

This PR was merged into the 2.3 branch.

Discussion
----------

[Security] Fixed SwitchUserListener when exiting an impersonation with AnonymousToken

| Q             | A
| ------------- | ---
| Branch?       | 2.3
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

If you configure a firewall with switch user with `role: IS_AUTHENTICATED_ANONYMOUSLY` it's impossible to exit the
impersonation because the next line `$this->provider->refreshUser($original->getUser())` will fail. It fails because `RefreshUser`
expects an instance of `UserInterface` and here it's a string.

Therefore, it does not make sense to refresh an Anonymous Token, right ?

Commits
-------

59fea72 [Security] Fixed SwitchUserListener when exiting an impersonication with AnonymousToken
@lyrixx lyrixx deleted the patch-1 branch April 5, 2016 18:54
This was referenced Apr 29, 2016
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Bug Security Status: Needs Review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@lyrixx @nicolas-grekas @stof @fabpot @xabbuh @javiereguiluz @carsonbot