bug #45331 [Security] Fix wrong authenticator class in debug logs (chalasr)

fabpot · fabpot · commit 0fc8f7aa9e5e · 2022-02-07T09:27:26.000+01:00
This PR was merged into the 5.4 branch. Discussion ---------- [Security] Fix wrong authenticator class in debug logs | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - Before: <img width="1034" alt="Screenshot 2022-02-07 at 02 00 25" src="https://user-images.githubusercontent.com/7502063/152709794-4bc64ae0-caa9-4e28-b60e-6acff8070248.png"> After: <img width="1033" alt="Screenshot 2022-02-07 at 02 01 08" src="https://user-images.githubusercontent.com/7502063/152709801-2c84ed0c-3bce-4bb0-98ee-bad309f29c96.png"> Commits ------- 49352e0 [Security] Fix wrong authenticator class in debug logs
diff --git a/src/Symfony/Component/Security/Http/Authentication/AuthenticatorManager.php b/src/Symfony/Component/Security/Http/Authentication/AuthenticatorManager.php
@@ -25,6 +25,7 @@
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
+use Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\InteractiveAuthenticatorInterface;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\BadgeInterface;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
@@ -151,7 +152,7 @@ private function executeAuthenticators(array $authenticators, Request $request):
             // lazily (after initialization).
             if (false === $authenticator->supports($request)) {
                 if (null !== $this->logger) {
-                    $this->logger->debug('Skipping the "{authenticator}" authenticator as it did not support the request.', ['authenticator' => \get_class($authenticator)]);
+                    $this->logger->debug('Skipping the "{authenticator}" authenticator as it did not support the request.', ['authenticator' => \get_class($authenticator instanceof TraceableAuthenticator ? $authenticator->getAuthenticator() : $authenticator)]);
                 }
 
                 continue;
@@ -160,7 +161,7 @@ private function executeAuthenticators(array $authenticators, Request $request):
             $response = $this->executeAuthenticator($authenticator, $request);
             if (null !== $response) {
                 if (null !== $this->logger) {
-                    $this->logger->debug('The "{authenticator}" authenticator set the response. Any later authenticator will not be called', ['authenticator' => \get_class($authenticator)]);
+                    $this->logger->debug('The "{authenticator}" authenticator set the response. Any later authenticator will not be called', ['authenticator' => \get_class($authenticator instanceof TraceableAuthenticator ? $authenticator->getAuthenticator() : $authenticator)]);
                 }
 
                 return $response;
@@ -210,7 +211,7 @@ private function executeAuthenticator(AuthenticatorInterface $authenticator, Req
             $this->eventDispatcher->dispatch(new AuthenticationSuccessEvent($authenticatedToken), AuthenticationEvents::AUTHENTICATION_SUCCESS);
 
             if (null !== $this->logger) {
-                $this->logger->info('Authenticator successful!', ['token' => $authenticatedToken, 'authenticator' => \get_class($authenticator)]);
+                $this->logger->info('Authenticator successful!', ['token' => $authenticatedToken, 'authenticator' => \get_class($authenticator instanceof TraceableAuthenticator ? $authenticator->getAuthenticator() : $authenticator)]);
             }
         } catch (AuthenticationException $e) {
             // oh no! Authentication failed!
@@ -229,7 +230,7 @@ private function executeAuthenticator(AuthenticatorInterface $authenticator, Req
         }
 
         if (null !== $this->logger) {
-            $this->logger->debug('Authenticator set no success response: request continues.', ['authenticator' => \get_class($authenticator)]);
+            $this->logger->debug('Authenticator set no success response: request continues.', ['authenticator' => \get_class($authenticator instanceof TraceableAuthenticator ? $authenticator->getAuthenticator() : $authenticator)]);
         }
 
         return null;
@@ -262,7 +263,7 @@ private function handleAuthenticationSuccess(TokenInterface $authenticatedToken,
     private function handleAuthenticationFailure(AuthenticationException $authenticationException, Request $request, AuthenticatorInterface $authenticator, ?PassportInterface $passport): ?Response
     {
         if (null !== $this->logger) {
-            $this->logger->info('Authenticator failed.', ['exception' => $authenticationException, 'authenticator' => \get_class($authenticator)]);
+            $this->logger->info('Authenticator failed.', ['exception' => $authenticationException, 'authenticator' => \get_class($authenticator instanceof TraceableAuthenticator ? $authenticator->getAuthenticator() : $authenticator)]);
         }
 
         // Avoid leaking error details in case of invalid user (e.g. user not found or invalid account status)
@@ -273,7 +274,7 @@ private function handleAuthenticationFailure(AuthenticationException $authentica
 
         $response = $authenticator->onAuthenticationFailure($request, $authenticationException);
         if (null !== $response && null !== $this->logger) {
-            $this->logger->debug('The "{authenticator}" authenticator set the failure response.', ['authenticator' => \get_class($authenticator)]);
+            $this->logger->debug('The "{authenticator}" authenticator set the failure response.', ['authenticator' => \get_class($authenticator instanceof TraceableAuthenticator ? $authenticator->getAuthenticator() : $authenticator)]);
         }
 
         $this->eventDispatcher->dispatch($loginFailureEvent = new LoginFailureEvent($authenticationException, $authenticator, $request, $response, $this->firewallName, $passport));
diff --git a/src/Symfony/Component/Security/Http/Authenticator/Debug/TraceableAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/Debug/TraceableAuthenticator.php
@@ -100,6 +100,14 @@ public function isInteractive(): bool
         return $this->authenticator instanceof InteractiveAuthenticatorInterface && $this->authenticator->isInteractive();
     }
 
+    /**
+     * @internal
+     */
+    public function getAuthenticator(): AuthenticatorInterface
+    {
+        return $this->authenticator;
+    }
+
     public function __call($method, $args)
     {
         return $this->authenticator->{$method}(...$args);
diff --git a/src/Symfony/Component/Security/Http/Tests/Authentication/AuthenticatorManagerTest.php b/src/Symfony/Component/Security/Http/Tests/Authentication/AuthenticatorManagerTest.php
@@ -12,6 +12,8 @@
 namespace Symfony\Component\Security\Http\Tests\Authentication;
 
 use PHPUnit\Framework\TestCase;
+use Psr\Log\AbstractLogger;
+use Psr\Log\LoggerInterface;
 use Symfony\Component\EventDispatcher\EventDispatcher;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -22,6 +24,7 @@
 use Symfony\Component\Security\Core\Exception\UserNotFoundException;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Http\Authentication\AuthenticatorManager;
+use Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\InteractiveAuthenticatorInterface;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
@@ -310,6 +313,44 @@ public function testAuthenticateRequestHidesInvalidUserExceptions()
         $this->assertSame($this->response, $response);
     }
 
+    public function testLogsUseTheDecoratedAuthenticatorWhenItIsTraceable()
+    {
+        $authenticator = $this->createMock(TestInteractiveAuthenticator::class);
+        $authenticator->expects($this->any())->method('isInteractive')->willReturn(true);
+        $this->request->attributes->set('_security_authenticators', [new TraceableAuthenticator($authenticator)]);
+
+        $authenticator->expects($this->any())->method('authenticate')->willReturn(new SelfValidatingPassport(new UserBadge('wouter', function () { return $this->user; })));
+        $authenticator->expects($this->any())->method('createToken')->willReturn($this->token);
+
+        $this->tokenStorage->expects($this->once())->method('setToken')->with($this->token);
+
+        $authenticator->expects($this->any())
+            ->method('onAuthenticationSuccess')
+            ->with($this->anything(), $this->token, 'main')
+            ->willReturn($this->response);
+
+        $authenticator->expects($this->any())
+            ->method('onAuthenticationSuccess')
+            ->with($this->anything(), $this->token, 'main')
+            ->willReturn($this->response);
+
+        $logger = new class() extends AbstractLogger {
+            public $logContexts = [];
+
+            public function log($level, $message, array $context = []): void
+            {
+                if ($context['authenticator'] ?? false) {
+                    $this->logContexts[] = $context;
+                }
+            }
+        };
+
+        $manager = $this->createManager([$authenticator], 'main', true, [], $logger);
+        $response = $manager->authenticateRequest($this->request);
+        $this->assertSame($this->response, $response);
+        $this->assertStringContainsString('Mock_TestInteractiveAuthenticator', $logger->logContexts[0]['authenticator']);
+    }
+
     private function createAuthenticator($supports = true)
     {
         $authenticator = $this->createMock(TestInteractiveAuthenticator::class);
@@ -318,9 +359,9 @@ private function createAuthenticator($supports = true)
         return $authenticator;
     }
 
-    private function createManager($authenticators, $firewallName = 'main', $eraseCredentials = true, array $requiredBadges = [])
+    private function createManager($authenticators, $firewallName = 'main', $eraseCredentials = true, array $requiredBadges = [], LoggerInterface $logger = null)
     {
-        return new AuthenticatorManager($authenticators, $this->tokenStorage, $this->eventDispatcher, $firewallName, null, $eraseCredentials, true, $requiredBadges);
+        return new AuthenticatorManager($authenticators, $this->tokenStorage, $this->eventDispatcher, $firewallName, $logger, $eraseCredentials, true, $requiredBadges);
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -100,6 +100,14 @@ public function isInteractive(): bool`
`100`	`100`	`return $this->authenticator instanceof InteractiveAuthenticatorInterface && $this->authenticator->isInteractive();`
`101`	`101`	`}`
`102`	`102`
	`103`	`+ /**`
	`104`	`+ * @internal`
	`105`	`+ */`
	`106`	`+ public function getAuthenticator(): AuthenticatorInterface`
	`107`	`+ {`
	`108`	`+ return $this->authenticator;`
	`109`	`+ }`
	`110`	`+`
`103`	`111`	`public function __call($method, $args)`
`104`	`112`	`{`
`105`	`113`	`return $this->authenticator->{$method}(...$args);`