deprecate the Role and SwitchUserRole classes

xabbuh · xabbuh · commit daf09cb28c2e · 2017-11-15T20:36:11.000+01:00
diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Security\Core\Authentication\Provider;
 
+use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
@@ -87,7 +88,12 @@ public function authenticate(TokenInterface $token)
             throw $e;
         }
 
-        $authenticatedToken = new UsernamePasswordToken($user, $token->getCredentials(), $this->providerKey, $this->getRoles($user, $token));
+        if ($token instanceof SwitchUserToken) {
+            $authenticatedToken = new SwitchUserToken($user, $token->getCredentials(), $this->providerKey, $this->getRoles($user, $token), $token->getOriginalToken());
+        } else {
+            $authenticatedToken = new UsernamePasswordToken($user, $token->getCredentials(), $this->providerKey, $this->getRoles($user, $token));
+        }
+
         $authenticatedToken->setAttributes($token->getAttributes());
 
         return $authenticatedToken;
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/SwitchUserToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/SwitchUserToken.php
@@ -0,0 +1,61 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication\Token;
+
+/**
+ * Token representing a user who temporarily impersonates another one.
+ *
+ * @author Christian Flothmann <christian.flothmann@sensiolabs.de>
+ */
+class SwitchUserToken extends UsernamePasswordToken
+{
+    private $originalToken;
+
+    /**
+     * @param string|object   $user          The username (like a nickname, email address, etc.), or a UserInterface instance or an object implementing a __toString method
+     * @param mixed           $credentials   This usually is the password of the user
+     * @param string          $providerKey   The provider key
+     * @param (Role|string)[] $roles         An array of roles
+     * @param TokenInterface  $originalToken The token of the user who switched to the current user
+     *
+     * @throws \InvalidArgumentException
+     */
+    public function __construct($user, $credentials, string $providerKey, array $roles = array(), TokenInterface $originalToken)
+    {
+        parent::__construct($user, $credentials, $providerKey, $roles);
+
+        $this->originalToken = $originalToken;
+    }
+
+    public function getOriginalToken(): TokenInterface
+    {
+        return $this->originalToken;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function serialize()
+    {
+        return serialize(array(clone $this->originalToken, parent::serialize()));
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function unserialize($serialized)
+    {
+        list($this->originalToken, $parentStr) = unserialize($serialized);
+
+        parent::unserialize($parentStr);
+    }
+}
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/TokenInterface.php b/src/Symfony/Component/Security/Core/Authentication/Token/TokenInterface.php
@@ -33,7 +33,7 @@ public function __toString();
     /**
      * Returns the user roles.
      *
-     * @return Role[] An array of Role instances
+     * @return string[] An array of Role instances
      */
     public function getRoles();
 
diff --git a/src/Symfony/Component/Security/Core/Role/Role.php b/src/Symfony/Component/Security/Core/Role/Role.php
@@ -34,4 +34,9 @@ public function getRole()
     {
         return $this->role;
     }
+
+    public function __toString(): string
+    {
+        return $this->role;
+    }
 }
diff --git a/src/Symfony/Component/Security/Core/Role/SwitchUserRole.php b/src/Symfony/Component/Security/Core/Role/SwitchUserRole.php
@@ -18,9 +18,12 @@
  * another one.
  *
  * @author Fabien Potencier <fabien@symfony.com>
+ *
+ * @deprecated since version 4.1, to be removed in 5.0. Use strings as roles instead.
  */
 class SwitchUserRole extends Role
 {
+    private $deprecationTriggered = false;
     private $source;
 
     /**
@@ -29,6 +32,12 @@ class SwitchUserRole extends Role
      */
     public function __construct(string $role, TokenInterface $source)
     {
+        if (func_num_args() < 3 || func_get_arg(2)) {
+            @trigger_error(sprintf('The "%s" class is deprecated since version 4.1 and will be removed in 5.0. Use strings as roles instead.', __CLASS__), E_USER_DEPRECATED);
+
+            $this->deprecationTriggered = true;
+        }
+
         parent::__construct($role);
 
         $this->source = $source;
@@ -41,6 +50,12 @@ public function __construct(string $role, TokenInterface $source)
      */
     public function getSource()
     {
+        if (!$this->deprecationTriggered) {
+            @trigger_error(sprintf('The "%s" class is deprecated since version 4.1 and will be removed in 5.0. Use strings as roles instead.', __CLASS__), E_USER_DEPRECATED);
+
+            $this->deprecationTriggered = true;
+        }
+
         return $this->source;
     }
 }
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
@@ -12,6 +12,8 @@
 namespace Symfony\Component\Security\Core\Tests\Authentication\Provider;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Exception\AccountExpiredException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\CredentialsExpiredException;
@@ -194,6 +196,9 @@ public function testAuthenticate()
         $this->assertEquals(array('foo' => 'bar'), $authToken->getAttributes(), '->authenticate() copies token attributes');
     }
 
+    /**
+     * @group legacy
+     */
     public function testAuthenticateWithPreservingRoleSwitchUserRole()
     {
         $user = $this->getMockBuilder('Symfony\Component\Security\Core\User\UserInterface')->getMock();
@@ -230,6 +235,34 @@ public function testAuthenticateWithPreservingRoleSwitchUserRole()
         $this->assertEquals(array('foo' => 'bar'), $authToken->getAttributes(), '->authenticate() copies token attributes');
     }
 
+    public function testAuthenticatePreservesOriginalToken()
+    {
+        $user = $this->getMockBuilder('Symfony\Component\Security\Core\User\UserInterface')->getMock();
+        $user->expects($this->once())
+             ->method('getRoles')
+             ->will($this->returnValue(array('ROLE_FOO')))
+        ;
+
+        $provider = $this->getProvider();
+        $provider->expects($this->once())
+                 ->method('retrieveUser')
+                 ->will($this->returnValue($user))
+        ;
+
+        $originalToken = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\TokenInterface')->getMock();
+        $token = new SwitchUserToken($this->getMockBuilder('Symfony\Component\Security\Core\User\UserInterface')->getMock(), 'foo', 'key', array(), $originalToken);
+        $token->setAttributes(array('foo' => 'bar'));
+
+        $authToken = $provider->authenticate($token);
+
+        $this->assertInstanceOf(SwitchUserToken::class, $authToken);
+        $this->assertSame($originalToken, $authToken->getOriginalToken());
+        $this->assertSame($user, $authToken->getUser());
+        $this->assertContains(new Role('ROLE_FOO'), $authToken->getRoles(), '', false, false);
+        $this->assertEquals('foo', $authToken->getCredentials());
+        $this->assertEquals(array('foo' => 'bar'), $authToken->getAttributes(), '->authenticate() copies token attributes');
+    }
+
     protected function getSupportedToken()
     {
         $mock = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken')->setMethods(array('getCredentials', 'getProviderKey', 'getRoles'))->disableOriginalConstructor()->getMock();
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Token/AbstractTokenTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Token/AbstractTokenTest.php
@@ -112,20 +112,6 @@ public function testSerializeWithRoleObjects()
         $this->assertEquals($roles, $user->getRoles());
     }
 
-    public function testSerializeParent()
-    {
-        $user = new TestUser('fabien');
-        $token = new ConcreteToken($user, array('ROLE_FOO'));
-
-        $parentToken = new ConcreteToken($user, array(new SwitchUserRole('ROLE_PREVIOUS', $token)));
-        $uToken = unserialize(serialize($parentToken));
-
-        $this->assertEquals(
-            current($parentToken->getRoles())->getSource()->getUser(),
-            current($uToken->getRoles())->getSource()->getUser()
-        );
-    }
-
     public function testConstructor()
     {
         $token = $this->getToken(array('ROLE_FOO'));
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Token/SwitchUserTokenTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Token/SwitchUserTokenTest.php
@@ -0,0 +1,42 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Tests\Authentication\Token;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Role\Role;
+
+class SwitchUserTokenTest extends TestCase
+{
+    public function testSerialize()
+    {
+        $originalToken = new UsernamePasswordToken('user', 'foo', 'provider-key', array('ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'));
+        $token = new SwitchUserToken('admin', 'bar', 'provider-key', array('ROLE_USER'), $originalToken);
+
+        $unserializedToken = unserialize(serialize($token));
+
+        $this->assertInstanceOf(SwitchUserToken::class, $unserializedToken);
+        $this->assertSame('admin', $unserializedToken->getUsername());
+        $this->assertSame('bar', $unserializedToken->getCredentials());
+        $this->assertSame('provider-key', $unserializedToken->getProviderKey());
+        $this->assertEquals(array(new Role('ROLE_USER')), $unserializedToken->getRoles());
+
+        $unserializedOriginalToken = $unserializedToken->getOriginalToken();
+
+        $this->assertInstanceOf(UsernamePasswordToken::class, $unserializedOriginalToken);
+        $this->assertSame('user', $unserializedOriginalToken->getUsername());
+        $this->assertSame('foo', $unserializedOriginalToken->getCredentials());
+        $this->assertSame('provider-key', $unserializedOriginalToken->getProviderKey());
+        $this->assertEquals(array(new Role('ROLE_ADMIN'), new Role('ROLE_ALLOWED_TO_SWITCH')), $unserializedOriginalToken->getRoles());
+    }
+}
diff --git a/src/Symfony/Component/Security/Core/Tests/Role/SwitchUserRoleTest.php b/src/Symfony/Component/Security/Core/Tests/Role/SwitchUserRoleTest.php
@@ -14,6 +14,9 @@
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Security\Core\Role\SwitchUserRole;
 
+/**
+ * @group legacy
+ */
 class SwitchUserRoleTest extends TestCase
 {
     public function testGetSource()
diff --git a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Security\Http\Firewall;
 
+use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
@@ -22,7 +23,6 @@
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Security\Core\Role\SwitchUserRole;
-use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
@@ -118,7 +118,7 @@ private function attemptSwitchUser(Request $request, $username)
         $token = $this->tokenStorage->getToken();
         $originalToken = $this->getOriginalToken($token);
 
-        if (false !== $originalToken) {
+        if (null !== $originalToken) {
             if ($token->getUsername() === $username) {
                 return $token;
             }
@@ -141,9 +141,9 @@ private function attemptSwitchUser(Request $request, $username)
         $this->userChecker->checkPostAuth($user);
 
         $roles = $user->getRoles();
-        $roles[] = new SwitchUserRole('ROLE_PREVIOUS_ADMIN', $this->tokenStorage->getToken());
+        $roles[] = new SwitchUserRole('ROLE_PREVIOUS_ADMIN', $this->tokenStorage->getToken(), false);
 
-        $token = new UsernamePasswordToken($user, $user->getPassword(), $this->providerKey, $roles);
+        $token = new SwitchUserToken($user, $user->getPassword(), $this->providerKey, $roles, $token);
 
         if (null !== $this->dispatcher) {
             $switchEvent = new SwitchUserEvent($request, $token->getUser(), $token);
@@ -164,7 +164,7 @@ private function attemptSwitchUser(Request $request, $username)
      */
     private function attemptExitUser(Request $request)
     {
-        if (null === ($currentToken = $this->tokenStorage->getToken()) || false === $original = $this->getOriginalToken($currentToken)) {
+        if (null === ($currentToken = $this->tokenStorage->getToken()) || null === $original = $this->getOriginalToken($currentToken)) {
             throw new AuthenticationCredentialsNotFoundException('Could not find original Token object.');
         }
 
@@ -178,19 +178,18 @@ private function attemptExitUser(Request $request)
         return $original;
     }
 
-    /**
-     * Gets the original Token from a switched one.
-     *
-     * @return TokenInterface|false The original TokenInterface instance, false if the current TokenInterface is not switched
-     */
-    private function getOriginalToken(TokenInterface $token)
+    private function getOriginalToken(TokenInterface $token): ?TokenInterface
     {
+        if ($token instanceof SwitchUserToken) {
+            return $token->getOriginalToken();
+        }
+
         foreach ($token->getRoles() as $role) {
             if ($role instanceof SwitchUserRole) {
                 return $role->getSource();
             }
         }
 
-        return false;
+        return null;
     }
 }
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ public function __toString();`
`33`	`33`	`/**`
`34`	`34`	`* Returns the user roles.`
`35`	`35`	`*`
`36`		`- * @return Role[] An array of Role instances`
	`36`	`+ * @return string[] An array of Role instances`
`37`	`37`	`*/`
`38`	`38`	`public function getRoles();`
`39`	`39`
Original file line number	Diff line number	Diff line change
`@@ -34,4 +34,9 @@ public function getRole()`
`34`	`34`	`{`
`35`	`35`	`return $this->role;`
`36`	`36`	`}`
	`37`	`+`
	`38`	`+ public function __toString(): string`
	`39`	`+ {`
	`40`	`+ return $this->role;`
	`41`	`+ }`
`37`	`42`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,9 @@`
`14`	`14`	`use PHPUnit\Framework\TestCase;`
`15`	`15`	`use Symfony\Component\Security\Core\Role\SwitchUserRole;`
`16`	`16`
	`17`	`+/**`
	`18`	`+ * @group legacy`
	`19`	`+ */`
`17`	`20`	`class SwitchUserRoleTest extends TestCase`
`18`	`21`	`{`
`19`	`22`	`public function testGetSource()`