[Security] added support for updated \"distinguished name\" format in x509 authentication

Robert Kopera · fabpot · commit bdbac2c6e666 · 2019-06-04T09:01:11.000+02:00
diff --git a/src/Symfony/Component/Security/Http/Firewall/X509AuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/X509AuthenticationListener.php
@@ -44,7 +44,10 @@ protected function getPreAuthenticatedData(Request $request)
         $user = null;
         if ($request->server->has($this->userKey)) {
             $user = $request->server->get($this->userKey);
-        } elseif ($request->server->has($this->credentialKey) && preg_match('#/emailAddress=(.+\@.+\..+)(/|$)#', $request->server->get($this->credentialKey), $matches)) {
+        } elseif (
+            $request->server->has($this->credentialKey)
+            && preg_match('#emailAddress=(.+\@.+\.[^,/]+)($|,|/)#', $request->server->get($this->credentialKey), $matches)
+        ) {
             $user = $matches[1];
         }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/X509AuthenticationListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/X509AuthenticationListenerTest.php
@@ -56,9 +56,8 @@ public static function dataProviderGetPreAuthenticatedData()
     /**
      * @dataProvider dataProviderGetPreAuthenticatedDataNoUser
      */
-    public function testGetPreAuthenticatedDataNoUser($emailAddress)
+    public function testGetPreAuthenticatedDataNoUser($emailAddress, $credentials)
     {
-        $credentials = 'CN=Sample certificate DN/emailAddress='.$emailAddress;
         $request = new Request([], [], [], [], [], ['SSL_CLIENT_S_DN' => $credentials]);
 
         $tokenStorage = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface')->getMock();
@@ -76,10 +75,12 @@ public function testGetPreAuthenticatedDataNoUser($emailAddress)
 
     public static function dataProviderGetPreAuthenticatedDataNoUser()
     {
-        return [
-            'basicEmailAddress' => ['cert@example.com'],
-            'emailAddressWithPlusSign' => ['cert+something@example.com'],
-        ];
+        yield ['cert@example.com', 'CN=Sample certificate DN/emailAddress=cert@example.com'];
+        yield ['cert+something@example.com', 'CN=Sample certificate DN/emailAddress=cert+something@example.com'];
+        yield ['cert@example.com', 'CN=Sample certificate DN,emailAddress=cert@example.com'];
+        yield ['cert+something@example.com', 'CN=Sample certificate DN,emailAddress=cert+something@example.com'];
+        yield ['cert+something@example.com', 'emailAddress=cert+something@example.com,CN=Sample certificate DN'];
+        yield ['cert+something@example.com', 'emailAddress=cert+something@example.com'];
     }
 
     /**

-Original file line number
+Diff line change
     /**
      * @dataProvider dataProviderGetPreAuthenticatedDataNoUser
      */
 -    public function testGetPreAuthenticatedDataNoUser($emailAddress)
 +    public function testGetPreAuthenticatedDataNoUser($emailAddress, $credentials)
+    {
 -        $credentials = 'CN=Sample certificate DN/emailAddress='.$emailAddress;
         $request = new Request([], [], [], [], [], ['SSL_CLIENT_S_DN' => $credentials]);
         $tokenStorage = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface')->getMock();
     public static function dataProviderGetPreAuthenticatedDataNoUser()
+    {
 -        return [
 -            'basicEmailAddress' => ['[email protected]'],
 -            'emailAddressWithPlusSign' => ['[email protected]'],
 -        ];
 +        yield ['[email protected]', 'CN=Sample certificate DN/[email protected]'];
 +        yield ['[email protected]', 'CN=Sample certificate DN/[email protected]'];
 +        yield ['[email protected]', 'CN=Sample certificate DN,[email protected]'];
 +        yield ['[email protected]', 'CN=Sample certificate DN,[email protected]'];
 +        yield ['[email protected]', '[email protected],CN=Sample certificate DN'];
 +        yield ['[email protected]', '[email protected]'];
+    }
     /**