feature #22048 [Security] deprecate the Role and SwitchUserRole classes (xabbuh)

fabpot · fabpot · commit 623d9648805c · 2019-02-25T17:04:33.000+01:00
This PR was merged into the 4.3-dev branch. Discussion ---------- [Security] deprecate the Role and SwitchUserRole classes | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | no | BC breaks? | no | Deprecations? | yes | Tests pass? | yes | Fixed tickets | #20824 | License | MIT | Doc PR | symfony/symfony-docs#11047 In #20801, we deprecated the `RoleInterface`. The next logical step would be to also deprecate the `Role` class. However, we currently have the `SwitchUserRole` class (a sub-class of `Role`) that acts as an indicator to check whether or not the authenticated user switched to another user. This PR proposes an alternative solution to the usage of the special `SwitchUserRole` class by storing the original token inside the `UsernamePasswordToken`. This PR is not complete, but rather acts as a proof of concept of how we could get rid of the `Role` and the `SwitchUserRole` classes. Please share your opinions whether you think this is a valid approach and I will be happy to finalise the PR. Commits ------- d7aaa615b9 deprecate the Role and SwitchUserRole classes
diff --git a/DataCollector/SecurityDataCollector.php b/DataCollector/SecurityDataCollector.php
@@ -18,10 +18,12 @@
 use Symfony\Component\HttpKernel\DataCollector\DataCollector;
 use Symfony\Component\HttpKernel\DataCollector\LateDataCollectorInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 use Symfony\Component\Security\Core\Authorization\TraceableAccessDecisionManager;
 use Symfony\Component\Security\Core\Authorization\Voter\TraceableVoter;
 use Symfony\Component\Security\Core\Role\Role;
+use Symfony\Component\Security\Core\Role\RoleHierarchy;
 use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
 use Symfony\Component\Security\Core\Role\SwitchUserRole;
 use Symfony\Component\Security\Http\Firewall\SwitchUserListener;
@@ -91,18 +93,32 @@ public function collect(Request $request, Response $response, \Exception $except
             ];
         } else {
             $inheritedRoles = [];
-            $assignedRoles = $token->getRoles();
+
+            if (method_exists($token, 'getRoleNames')) {
+                $assignedRoles = $token->getRoleNames();
+            } else {
+                $assignedRoles = array_map(function (Role $role) { return $role->getRole(); }, $token->getRoles(false));
+            }
 
             $impersonatorUser = null;
-            foreach ($assignedRoles as $role) {
-                if ($role instanceof SwitchUserRole) {
-                    $impersonatorUser = $role->getSource()->getUsername();
-                    break;
+            if ($token instanceof SwitchUserToken) {
+                $impersonatorUser = $token->getOriginalToken()->getUsername();
+            } else {
+                foreach ($token->getRoles(false) as $role) {
+                    if ($role instanceof SwitchUserRole) {
+                        $impersonatorUser = $role->getSource()->getUsername();
+                        break;
+                    }
                 }
             }
 
             if (null !== $this->roleHierarchy) {
-                $allRoles = $this->roleHierarchy->getReachableRoles($assignedRoles);
+                if ($this->roleHierarchy instanceof RoleHierarchy) {
+                    $allRoles = $this->roleHierarchy->getReachableRoleNames($assignedRoles);
+                } else {
+                    $allRoles = array_map(function (Role $role) { return (string) $role; }, $this->roleHierarchy->getReachableRoles($token->getRoles(false)));
+                }
+
                 foreach ($allRoles as $role) {
                     if (!\in_array($role, $assignedRoles, true)) {
                         $inheritedRoles[] = $role;
@@ -129,8 +145,8 @@ public function collect(Request $request, Response $response, \Exception $except
                 'token_class' => $this->hasVarDumper ? new ClassStub(\get_class($token)) : \get_class($token),
                 'logout_url' => $logoutUrl,
                 'user' => $token->getUsername(),
-                'roles' => array_map(function (Role $role) { return $role->getRole(); }, $assignedRoles),
-                'inherited_roles' => array_unique(array_map(function (Role $role) { return $role->getRole(); }, $inheritedRoles)),
+                'roles' => $assignedRoles,
+                'inherited_roles' => array_unique($inheritedRoles),
                 'supports_role_hierarchy' => null !== $this->roleHierarchy,
             ];
         }
diff --git a/Resources/config/security.xml b/Resources/config/security.xml
@@ -98,6 +98,7 @@
             <argument>%security.role_hierarchy.roles%</argument>
         </service>
         <service id="Symfony\Component\Security\Core\Role\RoleHierarchyInterface" alias="security.role_hierarchy" />
+        <service id="Symfony\Component\Security\Core\Role\RoleHierarchy" alias="security.role_hierarchy" />
 
 
         <!-- Security Voters -->
diff --git a/Tests/DataCollector/SecurityDataCollectorTest.php b/Tests/DataCollector/SecurityDataCollectorTest.php
@@ -18,9 +18,12 @@
 use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
 use Symfony\Component\EventDispatcher\EventDispatcher;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
+use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
 use Symfony\Component\Security\Core\Authorization\TraceableAccessDecisionManager;
@@ -38,7 +41,7 @@ class SecurityDataCollectorTest extends TestCase
     public function testCollectWhenSecurityIsDisabled()
     {
         $collector = new SecurityDataCollector();
-        $collector->collect($this->getRequest(), $this->getResponse());
+        $collector->collect(new Request(), new Response());
 
         $this->assertSame('security', $collector->getName());
         $this->assertFalse($collector->isEnabled());
@@ -58,7 +61,7 @@ public function testCollectWhenAuthenticationTokenIsNull()
     {
         $tokenStorage = new TokenStorage();
         $collector = new SecurityDataCollector($tokenStorage, $this->getRoleHierarchy());
-        $collector->collect($this->getRequest(), $this->getResponse());
+        $collector->collect(new Request(), new Response());
 
         $this->assertTrue($collector->isEnabled());
         $this->assertFalse($collector->isAuthenticated());
@@ -80,7 +83,7 @@ public function testCollectAuthenticationTokenAndRoles(array $roles, array $norm
         $tokenStorage->setToken(new UsernamePasswordToken('hhamon', 'P4$$w0rD', 'provider', $roles));
 
         $collector = new SecurityDataCollector($tokenStorage, $this->getRoleHierarchy());
-        $collector->collect($this->getRequest(), $this->getResponse());
+        $collector->collect(new Request(), new Response());
         $collector->lateCollect();
 
         $this->assertTrue($collector->isEnabled());
@@ -95,6 +98,9 @@ public function testCollectAuthenticationTokenAndRoles(array $roles, array $norm
         $this->assertSame('hhamon', $collector->getUser());
     }
 
+    /**
+     * @group legacy
+     */
     public function testCollectImpersonatedToken()
     {
         $adminToken = new UsernamePasswordToken('yceruto', 'P4$$w0rD', 'provider', ['ROLE_ADMIN']);
@@ -108,7 +114,7 @@ public function testCollectImpersonatedToken()
         $tokenStorage->setToken(new UsernamePasswordToken('hhamon', 'P4$$w0rD', 'provider', $userRoles));
 
         $collector = new SecurityDataCollector($tokenStorage, $this->getRoleHierarchy());
-        $collector->collect($this->getRequest(), $this->getResponse());
+        $collector->collect(new Request(), new Response());
         $collector->lateCollect();
 
         $this->assertTrue($collector->isEnabled());
@@ -122,10 +128,32 @@ public function testCollectImpersonatedToken()
         $this->assertSame('hhamon', $collector->getUser());
     }
 
+    public function testCollectSwitchUserToken()
+    {
+        $adminToken = new UsernamePasswordToken('yceruto', 'P4$$w0rD', 'provider', ['ROLE_ADMIN']);
+
+        $tokenStorage = new TokenStorage();
+        $tokenStorage->setToken(new SwitchUserToken('hhamon', 'P4$$w0rD', 'provider', ['ROLE_USER', 'ROLE_PREVIOUS_ADMIN'], $adminToken));
+
+        $collector = new SecurityDataCollector($tokenStorage, $this->getRoleHierarchy());
+        $collector->collect(new Request(), new Response());
+        $collector->lateCollect();
+
+        $this->assertTrue($collector->isEnabled());
+        $this->assertTrue($collector->isAuthenticated());
+        $this->assertTrue($collector->isImpersonated());
+        $this->assertSame('yceruto', $collector->getImpersonatorUser());
+        $this->assertSame(SwitchUserToken::class, $collector->getTokenClass()->getValue());
+        $this->assertTrue($collector->supportsRoleHierarchy());
+        $this->assertSame(['ROLE_USER', 'ROLE_PREVIOUS_ADMIN'], $collector->getRoles()->getValue(true));
+        $this->assertSame([], $collector->getInheritedRoles()->getValue(true));
+        $this->assertSame('hhamon', $collector->getUser());
+    }
+
     public function testGetFirewall()
     {
         $firewallConfig = new FirewallConfig('dummy', 'security.request_matcher.dummy', 'security.user_checker.dummy');
-        $request = $this->getRequest();
+        $request = new Request();
 
         $firewallMap = $this
             ->getMockBuilder(FirewallMap::class)
@@ -138,7 +166,7 @@ public function testGetFirewall()
             ->willReturn($firewallConfig);
 
         $collector = new SecurityDataCollector(null, null, null, null, $firewallMap, new TraceableFirewallListener($firewallMap, new EventDispatcher(), new LogoutUrlGenerator()));
-        $collector->collect($request, $this->getResponse());
+        $collector->collect($request, new Response());
         $collector->lateCollect();
         $collected = $collector->getFirewall();
 
@@ -158,8 +186,8 @@ public function testGetFirewall()
 
     public function testGetFirewallReturnsNull()
     {
-        $request = $this->getRequest();
-        $response = $this->getResponse();
+        $request = new Request();
+        $response = new Response();
 
         // Don't inject any firewall map
         $collector = new SecurityDataCollector();
@@ -192,9 +220,9 @@ public function testGetFirewallReturnsNull()
      */
     public function testGetListeners()
     {
-        $request = $this->getRequest();
+        $request = new Request();
         $event = new GetResponseEvent($this->getMockBuilder(HttpKernelInterface::class)->getMock(), $request, HttpKernelInterface::MASTER_REQUEST);
-        $event->setResponse($response = $this->getResponse());
+        $event->setResponse($response = new Response());
         $listener = $this->getMockBuilder(ListenerInterface::class)->getMock();
         $listener
             ->expects($this->once())
@@ -345,7 +373,7 @@ public function testCollectDecisionLog(string $strategy, array $decisionLog, arr
             ->willReturn($decisionLog);
 
         $dataCollector = new SecurityDataCollector(null, null, null, $accessDecisionManager);
-        $dataCollector->collect($this->getRequest(), $this->getResponse());
+        $dataCollector->collect(new Request(), new Response());
 
         $this->assertEquals($dataCollector->getAccessDecisionLog(), $expectedDecisionLog, 'Wrong value returned by getAccessDecisionLog');
 
@@ -367,7 +395,7 @@ public function provideRoles()
                 [],
             ],
             [
-                [new Role('ROLE_USER')],
+                [new Role('ROLE_USER', false)],
                 ['ROLE_USER'],
                 [],
             ],
@@ -378,7 +406,7 @@ public function provideRoles()
                 ['ROLE_USER', 'ROLE_ALLOWED_TO_SWITCH'],
             ],
             [
-                [new Role('ROLE_ADMIN')],
+                [new Role('ROLE_ADMIN', false)],
                 ['ROLE_ADMIN'],
                 ['ROLE_USER', 'ROLE_ALLOWED_TO_SWITCH'],
             ],
@@ -397,20 +425,4 @@ private function getRoleHierarchy()
             'ROLE_OPERATOR' => ['ROLE_USER'],
         ]);
     }
-
-    private function getRequest()
-    {
-        return $this
-            ->getMockBuilder('Symfony\Component\HttpFoundation\Request')
-            ->disableOriginalConstructor()
-            ->getMock();
-    }
-
-    private function getResponse()
-    {
-        return $this
-            ->getMockBuilder('Symfony\Component\HttpFoundation\Response')
-            ->disableOriginalConstructor()
-            ->getMock();
-    }
 }
diff --git a/composer.json b/composer.json
@@ -21,7 +21,7 @@
         "symfony/config": "^4.2",
         "symfony/dependency-injection": "^4.2",
         "symfony/http-kernel": "^4.1",
-        "symfony/security-core": "~4.2",
+        "symfony/security-core": "~4.3",
         "symfony/security-csrf": "~4.2",
         "symfony/security-guard": "~4.2",
         "symfony/security-http": "~4.2"
