
feature #24388 [Security] Look at headers for switch_user username (chalasr)

This PR was merged into the 3.4 branch.

Discussion
----------

[Security] Look at headers for switch_user username

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #24260
| License       | MIT
| Doc PR        | n/a

Allow the `switch_user.parameter` config node to be a header name.
It's supported by SwitchUserStatelessBundle and I think it makes sense.
Forgotten in #24260 so targets 3.4 but not a blocker.

Commits
-------

3c80195 [Security] Look at headers for switch user username parameter
fabpot committed Oct 5, 2017
2 parents 75daa6a + 3c80195 commit 0c8043a7d6aa01470ec5420aa2a5b9f680856e46
@@ -54,7 +54,7 @@ public function testSwitchedUserExit()
public function testSwitchUserStateless()
{
$client = $this->createClient(array('test_case' => 'JsonLogin', 'root_config' => 'switchuser_stateless.yml'));
$client->request('POST', '/chk', array('_switch_user' => 'dunglas'), array(), array('CONTENT_TYPE' => 'application/json'), '{"user": {"login": "user_can_switch", "password": "test"}}');
$client->request('POST', '/chk', array(), array(), array('HTTP_X_SWITCH_USER' => 'dunglas', 'CONTENT_TYPE' => 'application/json'), '{"user": {"login": "user_can_switch", "password": "test"}}');
$response = $client->getResponse();
$this->assertInstanceOf(JsonResponse::class, $response);
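Review bot: The updated request on L43 exercises only the accepted path — the `HTTP_X_SWITCH_USER` server value names a user and the assertion checks for a JsonResponse — while nothing in the hunk asserts that the header is ignored when the authenticated user lacks the role required to switch, which is the check the new header source depends on. A second request in this test, or a sibling test, logging in as a non-privileged user with the same header and asserting that no switch took place would pin that behaviour. Other tests in this file may already cover it; testSwitchUserStateless appears to continue past the end of the hunk.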
@@ -10,4 +10,5 @@ security:
firewalls:
main:
switch_user:
parameter: X-Switch-User
stateless: true
@@ -79,16 +79,17 @@ public function __construct(TokenStorageInterface $tokenStorage, UserProviderInt
public function handle(GetResponseEvent $event)
{
$request = $event->getRequest();
$username = $request->get($this->usernameParameter) ?: $request->headers->get($this->usernameParameter);
if (!$request->get($this->usernameParameter)) {
if (!$username) {
return;
}
if (self::EXIT_VALUE === $request->get($this->usernameParameter)) {
if (self::EXIT_VALUE === $username) {
$this->tokenStorage->setToken($this->attemptExitUser($request));
} else {
try {
$this->tokenStorage->setToken($this->attemptSwitchUser($request));
$this->tokenStorage->setToken($this->attemptSwitchUser($request, $username));
} catch (AuthenticationException $e) {
throw new \LogicException(sprintf('Switch User failed: "%s"', $e->getMessage()));
}
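Review bot: The configured name on L56 is now resolved from two untrusted channels — `$request->get()`, which in Symfony's Request reads attributes, query string and body, and then the HTTP header of the same name — and nothing in the hunk records this, so a header-style name such as `X-Switch-User` is also honoured as a query parameter. A comment above the assignment such as `// the configured name is looked up as a request parameter first, then as a header; both are client-supplied, so the role check in attemptSwitchUser applies to either source` would make that explicit. Also, `?:` selects on truthiness, so a parameter value of `'0'` silently falls through to the header; if that is not intended, `null === $request->get($this->usernameParameter)` would make the fallback condition precise. The authorization check is presumably in attemptSwitchUser, outside this hunk, and handle() continues past the hunk's last line.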
@@ -106,20 +107,21 @@ public function handle(GetResponseEvent $event)
/**
* Attempts to switch to another user.
*
* @param Request $request A Request instance
* @param Request $request A Request instance
* @param string $username
*
* @return TokenInterface|null The new TokenInterface if successfully switched, null otherwise
*
* @throws \LogicException
* @throws AccessDeniedException
*/
private function attemptSwitchUser(Request $request)
private function attemptSwitchUser(Request $request, $username)
{
$token = $this->tokenStorage->getToken();
$originalToken = $this->getOriginalToken($token);
if (false !== $originalToken) {
if ($token->getUsername() === $request->get($this->usernameParameter)) {
if ($token->getUsername() === $username) {
return $token;
}
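Review bot: The new `@param string $username` on L77 has no description, unlike the `$request` line above it, and the docblock does not say where the value originates now that the method no longer reads the request parameter itself; suggest `@param string $username The username to switch to, as supplied by the request parameter or HTTP header (client-controlled)`. Stating that the value is caller-supplied matters because the comparison on L91 and the later switch trust it as given. attemptSwitchUser continues beyond the end of the hunk.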
@@ -133,8 +135,6 @@ private function attemptSwitchUser(Request $request)
throw $exception;
}
$username = $request->get($this->usernameParameter);
if (null !== $this->logger) {
$this->logger->info('Attempting to switch to user.', array('username' => $username));
}
