NotificationsYou must be signed in to change notification settings
Fork9.7k
Star30.8k

Commit2ee4f02

committed

[Security] Make statefull pages NOT turn responses private when the token is not used

1 parenta31f4aa commit2ee4f02Copy full SHA for 2ee4f02

File tree

21 files changed

+317

-54

lines changed

src/Symfony
- Bridge/Monolog
  - Processor
    - TokenProcessor.php
  - Tests/Processor
    - TokenProcessorTest.php
  - composer.json
- Bundle/SecurityBundle
  - DataCollector
    - SecurityDataCollector.php
  - Resources/config
    - security.xml
  - Tests/DataCollector
    - SecurityDataCollectorTest.php
- Component
  - HttpFoundation/Session
    - Session.php
  - Security
    - Core
      - Authentication/Token/Storage
        UsageTrackingTokenStorage.php
        UsageTrackingTokenStorageInterface.php
      - Tests/Authentication/Token/Storage
        UsageTrackingTokenStorageTest.php
    - Http

21 files changed

+317

-54

lines changed

`‎src/Symfony/Bridge/Monolog/Processor/TokenProcessor.php‎`

Lines changed: 4 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,8 @@`
`12`	`12`	`namespaceSymfony\Bridge\Monolog\Processor;`
`13`	`13`
`14`	`14`	`useSymfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;`
	`15`	`+useSymfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage;`
	`16`	`+useSymfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorageInterface;`
`15`	`17`
`16`	`18`	`/**`
`17`	`19`	`* Adds the current security token to the log entry.`
`@@ -24,13 +26,13 @@ class TokenProcessor implements ProcessorInterface`
`24`	`26`
`25`	`27`	`publicfunction__construct(TokenStorageInterface$tokenStorage)`
`26`	`28`	`{`
`27`		`-$this->tokenStorage =$tokenStorage;`
	`29`	`+$this->tokenStorage =$tokenStorageinstanceof UsageTrackingTokenStorageInterface ?$tokenStorage :newUsageTrackingTokenStorage($tokenStorage);`
`28`	`30`	`}`
`29`	`31`
`30`	`32`	`publicfunction__invoke(array$records)`
`31`	`33`	`{`
`32`	`34`	`$records['extra']['token'] =null;`
`33`		`-if (null !==$token =$this->tokenStorage->getToken()) {`
	`35`	`+if (null !==$token =$this->tokenStorage->getToken(false)) {`
`34`	`36`	`$records['extra']['token'] =array(`
`35`	`37`	`'username' =>$token->getUsername(),`
`36`	`38`	`'authenticated' =>$token->isAuthenticated(),`

`‎src/Symfony/Bridge/Monolog/Tests/Processor/TokenProcessorTest.php‎`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@`
`13`	`13`
`14`	`14`	`usePHPUnit\Framework\TestCase;`
`15`	`15`	`useSymfony\Bridge\Monolog\Processor\TokenProcessor;`
`16`		`-useSymfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;`
	`16`	`+useSymfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorageInterface;`
`17`	`17`	`useSymfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;`
`18`	`18`
`19`	`19`	`/**`
`@@ -26,8 +26,8 @@ class TokenProcessorTest extends TestCase`
`26`	`26`	`publicfunctiontestProcessor()`
`27`	`27`	`{`
`28`	`28`	`$token =newUsernamePasswordToken('user','password','provider',array('ROLE_USER'));`
`29`		`-$tokenStorage =$this->getMockBuilder(TokenStorageInterface::class)->getMock();`
`30`		`-$tokenStorage->method('getToken')->willReturn($token);`
	`29`	`+$tokenStorage =$this->getMockBuilder(UsageTrackingTokenStorageInterface::class)->getMock();`
	`30`	`+$tokenStorage->method('getToken')->with(false)->willReturn($token);`
`31`	`31`
`32`	`32`	`$processor =newTokenProcessor($tokenStorage);`
`33`	`33`	`$record =array('extra' =>array());`

`‎src/Symfony/Bridge/Monolog/composer.json‎`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -24,11 +24,12 @@`
`24`	`24`	`"require-dev": {`
`25`	`25`	`"symfony/console":"~3.4\|~4.0",`
`26`	`26`	`"symfony/event-dispatcher":"~3.4\|~4.0",`
`27`		`-"symfony/security-core":"~3.4\|~4.0",`
	`27`	`+"symfony/security-core":"~4.2",`
`28`	`28`	`"symfony/var-dumper":"~3.4\|~4.0"`
`29`	`29`	`},`
`30`	`30`	`"conflict": {`
`31`		`-"symfony/http-foundation":"<3.4"`
	`31`	`+"symfony/http-foundation":"<3.4",`
	`32`	`+"symfony/security-core":"<4.2"`
`32`	`33`	`},`
`33`	`34`	`"suggest": {`
`34`	`35`	`"symfony/http-kernel":"For using the debugging handlers together with the response life cycle of the HTTP kernel.",`

`‎src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php‎`

Lines changed: 4 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,8 @@`
`18`	`18`	`useSymfony\Component\HttpKernel\DataCollector\DataCollector;`
`19`	`19`	`useSymfony\Component\HttpKernel\DataCollector\LateDataCollectorInterface;`
`20`	`20`	`useSymfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;`
	`21`	`+useSymfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage;`
	`22`	`+useSymfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorageInterface;`
`21`	`23`	`useSymfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;`
`22`	`24`	`useSymfony\Component\Security\Core\Authorization\TraceableAccessDecisionManager;`
`23`	`25`	`useSymfony\Component\Security\Core\Role\Role;`
`@@ -44,7 +46,7 @@ class SecurityDataCollector extends DataCollector implements LateDataCollectorIn`
`44`	`46`
`45`	`47`	`publicfunction__construct(TokenStorageInterface$tokenStorage =null,RoleHierarchyInterface$roleHierarchy =null,LogoutUrlGenerator$logoutUrlGenerator =null,AccessDecisionManagerInterface$accessDecisionManager =null,FirewallMapInterface$firewallMap =null,TraceableFirewallListener$firewall =null)`
`46`	`48`	`{`
`47`		`-$this->tokenStorage =$tokenStorage;`
	`49`	`+$this->tokenStorage =null ===$tokenStorage \|\|$tokenStorageinstanceof UsageTrackingTokenStorageInterface ?$tokenStorage :newUsageTrackingTokenStorage($tokenStorage);`
`48`	`50`	`$this->roleHierarchy =$roleHierarchy;`
`49`	`51`	`$this->logoutUrlGenerator =$logoutUrlGenerator;`
`50`	`52`	`$this->accessDecisionManager =$accessDecisionManager;`
`@@ -73,7 +75,7 @@ public function collect(Request $request, Response $response, \Exception $except`
`73`	`75`	`'inherited_roles' =>array(),`
`74`	`76`	`'supports_role_hierarchy' =>null !==$this->roleHierarchy,`
`75`	`77`	`);`
`76`		`- }elseif (null ===$token =$this->tokenStorage->getToken()) {`
	`78`	`+ }elseif (null ===$token =$this->tokenStorage->getToken(false)) {`
`77`	`79`	`$this->data =array(`
`78`	`80`	`'enabled' =>true,`
`79`	`81`	`'authenticated' =>false,`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml‎`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -21,10 +21,11 @@`
`21`	`21`	`</service>`
`22`	`22`	`<serviceid="Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface"alias="security.authorization_checker" />`
`23`	`23`
`24`		`- <serviceid="security.token_storage"class="Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage"public="true">`
	`24`	`+ <serviceid="security.token_storage"class="Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage"public="true">`
`25`	`25`	`<tagname="kernel.reset"method="setToken" />`
`26`	`26`	`</service>`
`27`	`27`	`<serviceid="Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface"alias="security.token_storage" />`
	`28`	`+ <serviceid="Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorageInterface"alias="security.token_storage" />`
`28`	`29`
`29`	`30`	`<serviceid="security.helper"class="Symfony\Component\Security\Core\Security">`
`30`	`31`	`<argumenttype="service_locator">`

`‎src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php‎`

Lines changed: 7 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@`
`19`	`19`	`useSymfony\Component\EventDispatcher\EventDispatcher;`
`20`	`20`	`useSymfony\Component\HttpKernel\Event\GetResponseEvent;`
`21`	`21`	`useSymfony\Component\HttpKernel\HttpKernelInterface;`
`22`		`-useSymfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;`
	`22`	`+useSymfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage;`
`23`	`23`	`useSymfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;`
`24`	`24`	`useSymfony\Component\Security\Core\Role\Role;`
`25`	`25`	`useSymfony\Component\Security\Core\Role\RoleHierarchy;`
`@@ -51,7 +51,8 @@ public function testCollectWhenSecurityIsDisabled()`
`51`	`51`
`52`	`52`	`publicfunctiontestCollectWhenAuthenticationTokenIsNull()`
`53`	`53`	`{`
`54`		`-$tokenStorage =newTokenStorage();`
	`54`	`+$tokenStorage =newUsageTrackingTokenStorage();`
	`55`	`+$tokenStorage->setToken(null, \Closure::fromCallable(array($this,'fail')));`
`55`	`56`	`$collector =newSecurityDataCollector($tokenStorage,$this->getRoleHierarchy());`
`56`	`57`	`$collector->collect($this->getRequest(),$this->getResponse());`
`57`	`58`
`@@ -71,8 +72,8 @@ public function testCollectWhenAuthenticationTokenIsNull()`
`71`	`72`	`/** @dataProvider provideRoles */`
`72`	`73`	`publicfunctiontestCollectAuthenticationTokenAndRoles(array$roles,array$normalizedRoles,array$inheritedRoles)`
`73`	`74`	`{`
`74`		`-$tokenStorage =newTokenStorage();`
`75`		`-$tokenStorage->setToken(newUsernamePasswordToken('hhamon','P4$$w0rD','provider',$roles));`
	`75`	`+$tokenStorage =newUsageTrackingTokenStorage();`
	`76`	`+$tokenStorage->setToken(newUsernamePasswordToken('hhamon','P4$$w0rD','provider',$roles), \Closure::fromCallable(array($this,'fail')));`
`76`	`77`
`77`	`78`	`$collector =newSecurityDataCollector($tokenStorage,$this->getRoleHierarchy());`
`78`	`79`	`$collector->collect($this->getRequest(),$this->getResponse());`
`@@ -99,8 +100,8 @@ public function testCollectImpersonatedToken()`
`99`	`100`	`newSwitchUserRole('ROLE_PREVIOUS_ADMIN',$adminToken),`
`100`	`101`	`);`
`101`	`102`
`102`		`-$tokenStorage =newTokenStorage();`
`103`		`-$tokenStorage->setToken(newUsernamePasswordToken('hhamon','P4$$w0rD','provider',$userRoles));`
	`103`	`+$tokenStorage =newUsageTrackingTokenStorage();`
	`104`	`+$tokenStorage->setToken(newUsernamePasswordToken('hhamon','P4$$w0rD','provider',$userRoles), \Closure::fromCallable(array($this,'fail')));`
`104`	`105`
`105`	`106`	`$collector =newSecurityDataCollector($tokenStorage,$this->getRoleHierarchy());`
`106`	`107`	`$collector->collect($this->getRequest(),$this->getResponse());`

`‎src/Symfony/Component/HttpFoundation/Session/Session.php‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -146,7 +146,7 @@ public function count()`
`146`	`146`	`*`
`147`	`147`	`* @internal`
`148`	`148`	`*/`
`149`		`-publicfunctiongetUsageIndex()`
	`149`	`+publicfunction&getUsageIndex()`
`150`	`150`	`{`
`151`	`151`	`return$this->usageIndex;`
`152`	`152`	`}`

`‎src/Symfony/Component/Security/Core/Authentication/Token/Storage/UsageTrackingTokenStorage.php‎`

Lines changed: 51 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,51 @@`
	`1`	`+<?php`
	`2`	`+`
	`3`	`+/*`
	`4`	`+ * This file is part of the Symfony package.`
	`5`	`+ *`
	`6`	`+ * (c) Fabien Potencier <fabien@symfony.com>`
	`7`	`+ *`
	`8`	`+ * For the full copyright and license information, please view the LICENSE`
	`9`	`+ * file that was distributed with this source code.`
	`10`	`+ */`
	`11`	`+`
	`12`	`+namespaceSymfony\Component\Security\Core\Authentication\Token\Storage;`
	`13`	`+`
	`14`	`+useSymfony\Component\Security\Core\Authentication\Token\TokenInterface;`
	`15`	`+`
	`16`	`+/**`
	`17`	`+ * A token storage that optionally calls a closure when the token is accessed.`
	`18`	`+ *`
	`19`	`+ * @author Nicolas Grekas <p@tchwork.com>`
	`20`	`+ */`
	`21`	`+class UsageTrackingTokenStorageimplements UsageTrackingTokenStorageInterface`
	`22`	`+{`
	`23`	`+private$storage;`
	`24`	`+private$usageTracker;`
	`25`	`+`
	`26`	`+publicfunction__construct(TokenStorageInterface$storage =null)`
	`27`	`+ {`
	`28`	`+$this->storage =$storage ??newTokenStorage();`
	`29`	`+ }`
	`30`	`+`
	`31`	`+/**`
	`32`	`+ * {@inheritdoc}`
	`33`	`+ */`
	`34`	`+publicfunctiongetToken(bool$trackUsage =true): ?TokenInterface`
	`35`	`+ {`
	`36`	`+if ($trackUsage &&$usageTracker =$this->usageTracker) {`
	`37`	`+$usageTracker();`
	`38`	`+ }`
	`39`	`+`
	`40`	`+return$this->storage->getToken();`
	`41`	`+ }`
	`42`	`+`
	`43`	`+/**`
	`44`	`+ * {@inheritdoc}`
	`45`	`+ */`
	`46`	`+publicfunctionsetToken(TokenInterface$token =null,\Closure$usageTracker =null):void`
	`47`	`+ {`
	`48`	`+$this->usageTracker =$usageTracker;`
	`49`	`+$this->storage->setToken($token);`
	`50`	`+ }`
	`51`	`+}`

`‎src/Symfony/Component/Security/Core/Authentication/Token/Storage/UsageTrackingTokenStorageInterface.php‎`

Lines changed: 32 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,32 @@`
	`1`	`+<?php`
	`2`	`+`
	`3`	`+/*`
	`4`	`+ * This file is part of the Symfony package.`
	`5`	`+ *`
	`6`	`+ * (c) Fabien Potencier <fabien@symfony.com>`
	`7`	`+ *`
	`8`	`+ * For the full copyright and license information, please view the LICENSE`
	`9`	`+ * file that was distributed with this source code.`
	`10`	`+ */`
	`11`	`+`
	`12`	`+namespaceSymfony\Component\Security\Core\Authentication\Token\Storage;`
	`13`	`+`
	`14`	`+useSymfony\Component\Security\Core\Authentication\Token\TokenInterface;`
	`15`	`+`
	`16`	`+/**`
	`17`	`+ * A token storage that optionally calls a closure when the token is accessed.`
	`18`	`+ *`
	`19`	`+ * @author Nicolas Grekas <p@tchwork.com>`
	`20`	`+ */`
	`21`	`+interface UsageTrackingTokenStorageInterfaceextends TokenStorageInterface`
	`22`	`+{`
	`23`	`+/**`
	`24`	`+ * {@inheritdoc}`
	`25`	`+ */`
	`26`	`+publicfunctiongetToken(bool$trackUsage =true): ?TokenInterface;`
	`27`	`+`
	`28`	`+/**`
	`29`	`+ * {@inheritdoc}`
	`30`	`+ */`
	`31`	`+publicfunctionsetToken(TokenInterface$token =null,\Closure$usageTracker =null):void;`
	`32`	`+}`

`‎src/Symfony/Component/Security/Core/Tests/Authentication/Token/Storage/UsageTrackingTokenStorageTest.php‎`

Lines changed: 43 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,43 @@`
	`1`	`+<?php`
	`2`	`+`
	`3`	`+/*`
	`4`	`+ * This file is part of the Symfony package.`
	`5`	`+ *`
	`6`	`+ * (c) Fabien Potencier <fabien@symfony.com>`
	`7`	`+ *`
	`8`	`+ * For the full copyright and license information, please view the LICENSE`
	`9`	`+ * file that was distributed with this source code.`
	`10`	`+ */`
	`11`	`+`
	`12`	`+namespaceSymfony\Component\Security\Core\Tests\Authentication\Token\Storage;`
	`13`	`+`
	`14`	`+usePHPUnit\Framework\TestCase;`
	`15`	`+useSymfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage;`
	`16`	`+`
	`17`	`+class UsageTrackingTokenStorageTestextends TestCase`
	`18`	`+{`
	`19`	`+publicfunctiontestGetSetToken()`
	`20`	`+ {`
	`21`	`+$counter =0;`
	`22`	`+$usageTracker =function ()use (&$counter) { ++$counter; };`
	`23`	`+`
	`24`	`+$tokenStorage =newUsageTrackingTokenStorage();`
	`25`	`+$this->assertNull($tokenStorage->getToken());`
	`26`	`+$token =$this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\TokenInterface')->getMock();`
	`27`	`+`
	`28`	`+$tokenStorage->setToken($token);`
	`29`	`+$this->assertSame($token,$tokenStorage->getToken());`
	`30`	`+`
	`31`	`+$tokenStorage->setToken($token,$usageTracker);`
	`32`	`+$this->assertSame($token,$tokenStorage->getToken(false));`
	`33`	`+$this->assertSame(0,$counter);`
	`34`	`+$this->assertSame($token,$tokenStorage->getToken());`
	`35`	`+$this->assertSame(1,$counter);`
	`36`	`+`
	`37`	`+$tokenStorage->setToken(null,$usageTracker);`
	`38`	`+$this->assertNull($tokenStorage->getToken(false));`
	`39`	`+$this->assertSame(1,$counter);`
	`40`	`+$this->assertNull($tokenStorage->getToken());`
	`41`	`+$this->assertSame(2,$counter);`
	`42`	`+ }`
	`43`	`+}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit2ee4f02

File tree

21 files changed

21 files changed

`‎src/Symfony/Bridge/Monolog/Processor/TokenProcessor.php‎`

`‎src/Symfony/Bridge/Monolog/Tests/Processor/TokenProcessorTest.php‎`

`‎src/Symfony/Bridge/Monolog/composer.json‎`

`‎src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php‎`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml‎`

`‎src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php‎`

`‎src/Symfony/Component/HttpFoundation/Session/Session.php‎`

`‎src/Symfony/Component/Security/Core/Authentication/Token/Storage/UsageTrackingTokenStorage.php‎`

`‎src/Symfony/Component/Security/Core/Authentication/Token/Storage/UsageTrackingTokenStorageInterface.php‎`

`‎src/Symfony/Component/Security/Core/Tests/Authentication/Token/Storage/UsageTrackingTokenStorageTest.php‎`

0 commit comments