Additional check if the context allows trusted computers

It is also required to check if the context allows to bypass the 2FA check if the device is trusted. It is to be used in scenarios when the context resolves the ability to "trust" the device in runtime (say - depending on the client's network). In those cases even if the user has the trusted device - it may be not trusted under this very circumstances.
scheb · Aug 14, 2016 · baaf0ba · baaf0ba
1 parent 17fffbd
commit baaf0ba
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 2 deletions.
diff --git a/Security/TwoFactor/Trusted/TrustedFilter.php b/Security/TwoFactor/Trusted/TrustedFilter.php
@@ -57,13 +57,13 @@ public function beginAuthentication(AuthenticationContextInterface $context)
     {
         $request = $context->getRequest();
         $user = $context->getUser();
+        $context->setUseTrustedOption($this->useTrustedOption);
 
         // Skip two-factor authentication on trusted computers
-        if ($this->useTrustedOption && $this->cookieManager->isTrustedComputer($request, $user)) {
+        if ($context->useTrustedOption() && $this->cookieManager->isTrustedComputer($request, $user)) {
             return;
         }
 
-        $context->setUseTrustedOption($this->useTrustedOption); // Set trusted flag
         $this->authHandler->beginAuthentication($context);
     }
 

diff --git a/Tests/Security/TwoFactor/Trusted/TrustedFilterTest.php b/Tests/Security/TwoFactor/Trusted/TrustedFilterTest.php
@@ -114,12 +114,47 @@ public function beginAuthentication_trustedOptionUsed_checkTrustedCookie()
         $user = $this->getUser();
         $context = $this->getAuthenticationContext();
 
+        $context
+            ->expects($this->once())
+            ->method('useTrustedOption')
+            ->will($this->returnValue(true));
+
         //Mock the TrustedCookieManager
         $this->cookieManager
             ->expects($this->once())
             ->method('isTrustedComputer')
             ->with($request, $user);
 
+        $this->authHandler
+            ->expects($this->once())
+            ->method('beginAuthentication');
+
+        $this->trustedFilter->beginAuthentication($context);
+    }
+
+    /**
+     * @test
+     */
+    public function beginAuthentication_trustedOptionUsedOnlyIfContextAllows()
+    {
+        $request = $this->getRequest();
+        $user = $this->getUser();
+        $context = $this->getAuthenticationContext();
+
+        $context
+            ->expects($this->once())
+            ->method('useTrustedOption')
+            ->will($this->returnValue(false));
+
+        $this->cookieManager
+            ->expects($this->never())
+            ->method('isTrustedComputer')
+            ->with($request, $user);
+
+        $this->authHandler
+            ->expects($this->once())
+            ->method('beginAuthentication');
+
         $this->trustedFilter->beginAuthentication($context);
     }
 
@@ -130,6 +165,11 @@ public function beginAuthentication_isTrustedComputer_notCallAuthenticationHandl
     {
         $context = $this->getAuthenticationContext();
 
+        $context
+            ->expects($this->once())
+            ->method('useTrustedOption')
+            ->will($this->returnValue(true));
+
         //Stub the TrustedCookieManager
         $this->cookieManager
             ->expects($this->any())