bug #19218 [Security][Guard] check if session exist before using it (…

…pasdeloup)

This PR was squashed before being merged into the 2.8 branch (closes #19218).

Discussion
----------

[Security][Guard] check if session exist before using it

| Q             | A
| ------------- | ---
| Branch?       | 2.8
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #18958
| License       | MIT
| Doc PR        | -

As stated by @Shekhovtsovy when the Guard component is used without the Symfony full stack (for instance in Laravel), $request->getSession() may be null.

An additionnal PR will be needed for 3.1 but it may be better to check this one before.

Commits
-------

a3f7510 [Security][Guard] check if session exist before using it

src/Symfony/Component/Security/Guard/Authenticator/AbstractFormLoginAuthenticator.php

@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Security\Guard\Authenticator;
 
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -52,7 +53,10 @@ abstract protected function getDefaultSuccessRedirectUrl();
      */
     public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
     {
-        $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
+        if ($request->getSession() instanceof SessionInterface) {
+            $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
+        }
+
         $url = $this->getLoginUrl();
 
         return new RedirectResponse($url);
@@ -69,9 +73,13 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
      */
     public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
     {
+        $targetPath = null;
+
         // if the user hit a secure page and start() was called, this was
         // the URL they were on, and probably where you want to redirect to
-        $targetPath = $request->getSession()->get('_security.'.$providerKey.'.target_path');
+        if ($request->getSession() instanceof SessionInterface) {
+            $targetPath = $request->getSession()->get('_security.'.$providerKey.'.target_path');
+        }
 
         if (!$targetPath) {
             $targetPath = $this->getDefaultSuccessRedirectUrl();

src/Symfony/Component/Security/Guard/Tests/Authenticator/FormLoginAuthenticatorTest.php

@@ -0,0 +1,212 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Guard\Tests\Authenticator;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator;
+
+/**
+ * @author Jean Pasdeloup <jpasdeloup@sedona.fr>
+ */
+class FormLoginAuthenticatorTest extends \PHPUnit_Framework_TestCase
+{
+    private $requestWithoutSession;
+    private $requestWithSession;
+    private $authenticator;
+
+    const LOGIN_URL = 'http://login';
+    const DEFAULT_SUCCESS_URL = 'http://defaultsuccess';
+    const CUSTOM_SUCCESS_URL = 'http://customsuccess';
+
+    public function testAuthenticationFailureWithoutSession()
+    {
+        $failureResponse = $this->authenticator->onAuthenticationFailure($this->requestWithoutSession, new AuthenticationException());
+
+        $this->assertInstanceOf('Symfony\\Component\\HttpFoundation\\RedirectResponse', $failureResponse);
+        $this->assertEquals(self::LOGIN_URL, $failureResponse->getTargetUrl());
+    }
+
+    public function testAuthenticationFailureWithSession()
+    {
+        $this->requestWithSession->getSession()
+            ->expects($this->once())
+            ->method('set');
+
+        $failureResponse = $this->authenticator->onAuthenticationFailure($this->requestWithSession, new AuthenticationException());
+
+        $this->assertInstanceOf('Symfony\\Component\\HttpFoundation\\RedirectResponse', $failureResponse);
+        $this->assertEquals(self::LOGIN_URL, $failureResponse->getTargetUrl());
+    }
+
+    public function testAuthenticationSuccessWithoutSession()
+    {
+        $token = $this->getMockBuilder('Symfony\\Component\\Security\\Core\\Authentication\\Token\\TokenInterface')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $redirectResponse = $this->authenticator->onAuthenticationSuccess($this->requestWithoutSession, $token, 'providerkey');
+
+        $this->assertInstanceOf('Symfony\\Component\\HttpFoundation\\RedirectResponse', $redirectResponse);
+        $this->assertEquals(self::DEFAULT_SUCCESS_URL, $redirectResponse->getTargetUrl());
+    }
+
+    public function testAuthenticationSuccessWithSessionButEmpty()
+    {
+        $token = $this->getMockBuilder('Symfony\\Component\\Security\\Core\\Authentication\\Token\\TokenInterface')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->requestWithSession->getSession()
+            ->expects($this->once())
+            ->method('get')
+            ->will($this->returnValue(null));
+
+        $redirectResponse = $this->authenticator->onAuthenticationSuccess($this->requestWithSession, $token, 'providerkey');
+
+        $this->assertInstanceOf('Symfony\\Component\\HttpFoundation\\RedirectResponse', $redirectResponse);
+        $this->assertEquals(self::DEFAULT_SUCCESS_URL, $redirectResponse->getTargetUrl());
+    }
+
+    public function testAuthenticationSuccessWithSessionAndTarget()
+    {
+        $token = $this->getMockBuilder('Symfony\\Component\\Security\\Core\\Authentication\\Token\\TokenInterface')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->requestWithSession->getSession()
+            ->expects($this->once())
+            ->method('get')
+            ->will($this->returnValue(self::CUSTOM_SUCCESS_URL));
+
+        $redirectResponse = $this->authenticator->onAuthenticationSuccess($this->requestWithSession, $token, 'providerkey');
+
+        $this->assertInstanceOf('Symfony\\Component\\HttpFoundation\\RedirectResponse', $redirectResponse);
+        $this->assertEquals(self::CUSTOM_SUCCESS_URL, $redirectResponse->getTargetUrl());
+    }
+
+    public function testRememberMe()
+    {
+        $doSupport = $this->authenticator->supportsRememberMe();
+
+        $this->assertTrue($doSupport);
+    }
+
+    public function testStartWithoutSession()
+    {
+        $failureResponse = $this->authenticator->start($this->requestWithoutSession, new AuthenticationException());
+
+        $this->assertInstanceOf('Symfony\\Component\\HttpFoundation\\RedirectResponse', $failureResponse);
+        $this->assertEquals(self::LOGIN_URL, $failureResponse->getTargetUrl());
+    }
+
+    public function testStartWithSession()
+    {
+        $failureResponse = $this->authenticator->start($this->requestWithSession, new AuthenticationException());
+
+        $this->assertInstanceOf('Symfony\\Component\\HttpFoundation\\RedirectResponse', $failureResponse);
+        $this->assertEquals(self::LOGIN_URL, $failureResponse->getTargetUrl());
+    }
+
+    protected function setUp()
+    {
+        $this->requestWithoutSession = new Request(array(), array(), array(), array(), array(), array());
+        $this->requestWithSession = new Request(array(), array(), array(), array(), array(), array());
+
+        $session = $this->getMockBuilder('Symfony\\Component\\HttpFoundation\\Session\\SessionInterface')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->requestWithSession->setSession($session);
+
+        $this->authenticator = new TestFormLoginAuthenticator();
+        $this->authenticator
+            ->setLoginUrl(self::LOGIN_URL)
+            ->setDefaultSuccessRedirectUrl(self::DEFAULT_SUCCESS_URL)
+        ;
+    }
+
+    protected function tearDown()
+    {
+        $this->request = null;
+        $this->requestWithSession = null;
+    }
+}
+
+class TestFormLoginAuthenticator extends AbstractFormLoginAuthenticator
+{
+    private $loginUrl;
+    private $defaultSuccessRedirectUrl;
+
+    /**
+     * @param mixed $defaultSuccessRedirectUrl
+     *
+     * @return TestFormLoginAuthenticator
+     */
+    public function setDefaultSuccessRedirectUrl($defaultSuccessRedirectUrl)
+    {
+        $this->defaultSuccessRedirectUrl = $defaultSuccessRedirectUrl;
+
+        return $this;
+    }
+
+    /**
+     * @param mixed $loginUrl
+     *
+     * @return TestFormLoginAuthenticator
+     */
+    public function setLoginUrl($loginUrl)
+    {
+        $this->loginUrl = $loginUrl;
+
+        return $this;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function getLoginUrl()
+    {
+        return $this->loginUrl;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function getDefaultSuccessRedirectUrl()
+    {
+        return $this->defaultSuccessRedirectUrl;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getCredentials(Request $request)
+    {
+        return 'credentials';
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getUser($credentials, UserProviderInterface $userProvider)
+    {
+        return $userProvider->loadUserByUsername($credentials);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function checkCredentials($credentials, UserInterface $user)
+    {
+        return true;
+    }
+}