Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[Security][Firewall] Passing the newly generated security token to the event during user switching#21951

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged

Conversation

klandaika
Copy link
Contributor

@klandaikaklandaika commentedMar 9, 2017
edited
Loading

Event allows listeners to easily switch out the token if custom token updates are required

QA
Branch?master
Bug fix?no
New feature?yes
BC breaks?no
Deprecations?no
Tests pass?yes
Fixed tickets
LicenseMIT
Doc PR

Updated SwitchUserEvent to include the generated security Token. Allows the listeners to replace the token with their own (in case an application has some custom logic for token generation). The SwitchUserListener will now use the token returned by the event, so if token was not changed the self generated token will be used. If token was changed in the event then the new token would get used.

Reasons for this feature

In our current project users can have different Role sets depending on which organization they switch to. OurUser->getRoles() always returns ["ROLE_USER"] and after login user is presented with choice of organizations they want to work in. Based on selected organization roles get updated with then stored token.

Without the change proposed in this PR. The only way we can setup the proper roles during user switch is by replacingsecurity.authentication.switchuser_listener service with our own implementation of the listener.

With the proposed change, we can replace the security token with the one having all the roles we require directly inside our listener forsecurity.switch_user event that gets thrown by Symfony'sSwitchUserListener

@klandaikaklandaikaforce-pushed theinclude-security-token-in-switch-user branch 2 times, most recently from0ed7be1 to45e339dCompareMarch 9, 2017 17:56

public function __construct(Request $request, UserInterface $targetUser)
public function __construct(Request $request, UserInterface $targetUser, TokenInterface $token)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

adding a new required argument is a BC break. Instead, you should either make it optional, or rely solely on the setter

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Got it. Made it optional.

@nicolas-grekasnicolas-grekas added this to the3.3 milestoneMar 10, 2017
@klandaikaklandaikaforce-pushed theinclude-security-token-in-switch-user branch from45e339d toc1e056aCompareMarch 10, 2017 17:11
@klandaika
Copy link
ContributorAuthor

Would you like me to do anything else in regards to this?

@@ -46,4 +49,20 @@ public function getTargetUser()
{
return $this->targetUser;
}

/**
* @return TokenInterface
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

TokenInterface|null

}

/**
* @param TokenInterface $token
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

this docblock is not needed

@xabbuh
Copy link
Member

Can you also add a test that checks that the token can be replaced?

@klandaikaklandaikaforce-pushed theinclude-security-token-in-switch-user branch 4 times, most recently from2e32f4b toc5d89e1CompareApril 19, 2017 16:47
@klandaika
Copy link
ContributorAuthor

Did all that was requested. Please check again.

@nicolas-grekas
Copy link
Member

Moving to milestone 3.4 as 3.3 is about to be closed.

@nicolas-grekasnicolas-grekas modified the milestones:3.4,3.3Apr 28, 2017
@@ -4,6 +4,8 @@ CHANGELOG
3.3.0
-----

* added `TokenInterface` to `\Symfony\Component\Security\Http\Event\SwitchUserEvent` to allow listeners to switch out
the token when custom token generation is required by application.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This must now be done under a new3.4.0 headline

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Updated

@klandaikaklandaikaforce-pushed theinclude-security-token-in-switch-user branch 2 times, most recently from429cbed to6fbbf28CompareJune 3, 2017 14:55
@klandaikaklandaika changed the title[Security][Firewall] Passing the newly generated security token to the event during user switchingWIP: [Security][Firewall] Passing the newly generated security token to the event during user switchingJun 3, 2017
@klandaikaklandaikaforce-pushed theinclude-security-token-in-switch-user branch 2 times, most recently fromd83e7cc tob32b205CompareJune 5, 2017 20:32
@klandaikaklandaika changed the titleWIP: [Security][Firewall] Passing the newly generated security token to the event during user switching[Security][Firewall] Passing the newly generated security token to the event during user switchingJun 5, 2017
@klandaikaklandaikaforce-pushed theinclude-security-token-in-switch-user branch fromeec0683 toee25877CompareJune 26, 2017 15:15
$this->tokenStorage->setToken($token);
$this->request->query->set('_switch_user', 'kuba');

$this->accessDecisionManager->expects($this->once())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

$this->any() (it does not matter how often the method is called)

$this->userProvider->expects($this->once())
->method('loadUserByUsername')->with('kuba')
->will($this->returnValue($user));
$this->userChecker->expects($this->once())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

this doesn't look necessary

Copy link
ContributorAuthor

@klandaikaklandaikaAug 22, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This was done in previous test, figured since accessDecisionManager callscheckPostAuth we should have it mocked to expect to be called.

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Removed, from test, but let me know if you want me to put it back.

->method('decide')->with($token, array('ROLE_ALLOWED_TO_SWITCH'))
->will($this->returnValue(true));

$this->userProvider->expects($this->once())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

any()

}));

$listener = new SwitchUserListener($this->tokenStorage, $this->userProvider, $this->userChecker, 'provider123',
$this->accessDecisionManager, null, '_switch_user', 'ROLE_ALLOWED_TO_SWITCH', $dispatcher);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

please do not wrap lines here

{
$token = new UsernamePasswordToken('username', '', 'key', array('ROLE_FOO'));
$user = new User('username', 'password', array());
$replacedToken = new UsernamePasswordToken('replaced', '', 'key', array('ROLE_BAR'));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

key should beprovider123 (or the other way around) to be consistent with theSwitchUserListener definition below

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

instead ofreplaced I would pass the createdUser object as the first argument instead


public function testSwitchUserWithReplacedToken()
{
$token = new UsernamePasswordToken('username', '', 'key', array('ROLE_FOO'));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

key should beprovider123 (or the other way around) to be consistent with theSwitchUserListener definition below

public function testSwitchUserWithReplacedToken()
{
$token = new UsernamePasswordToken('username', '', 'key', array('ROLE_FOO'));
$user = new User('username', 'password', array());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

instead ofusername I would pass the below createdUser object as the first argument instead

@@ -13,6 +13,8 @@ CHANGELOG
3.4.0
-----

* added `TokenInterface` to `\Symfony\Component\Security\Http\Event\SwitchUserEvent` to allow listeners to switch out
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I think it's more important to document that you can change the token being used by calling thesetToken() method:

  • added asetToken() method to theSwitchUserEvent class to allow to replace the created token while switching users

@klandaikaklandaikaforce-pushed theinclude-security-token-in-switch-user branch fromee25877 to364078bCompareAugust 22, 2017 15:32
@chalasrchalasr self-requested a reviewSeptember 2, 2017 13:40
@chalasr
Copy link
Member

Seems legit to me.@klandaika would you mind to rebase this PR against the 3.4 branch?

@klandaikaklandaikaforce-pushed theinclude-security-token-in-switch-user branch from364078b to1a8a401CompareSeptember 20, 2017 13:43
@nicolas-grekas
Copy link
Member

ping@chalasr@xabbuh for review

$this->dispatcher->dispatch(SecurityEvents::SWITCH_USER, $switchEvent);
//use the token from the event in case any listeners have replaced it.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

missing space after//

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Fixed

@@ -4,6 +4,8 @@ CHANGELOG
3.4.0
-----

* added a setToken() method to the SwitchUserEvent class to allow to replace the created token while switching users
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

the method and class names should be enclosed with backticks:

* added a`setToken()` method to the`SwitchUserEvent` class to allow to replace the created token while switching users

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Fixed

…witching.Event allows listeners to easily switch out the token if custom token updates are required
@klandaikaklandaikaforce-pushed theinclude-security-token-in-switch-user branch from1a8a401 to4205f1bCompareSeptember 26, 2017 20:05
@chalasrchalasr changed the base branch frommaster to3.4September 26, 2017 20:13
@chalasr
Copy link
Member

Thank you@klandaika.

@chalasrchalasr merged commit4205f1b intosymfony:3.4Sep 26, 2017
chalasr pushed a commit that referenced this pull requestSep 26, 2017
…ity token to the event during user switching (klandaika)This PR was merged into the 3.4 branch.Discussion----------[Security][Firewall] Passing the newly generated security token to the event during user switchingEvent allows listeners to easily switch out the token if custom token updates are required| Q             | A| ------------- | ---| Branch?       | master| Bug fix?      | no| New feature?  | yes| BC breaks?    | no| Deprecations? | no| Tests pass?   | yes| Fixed tickets || License       | MIT| Doc PR        |Updated SwitchUserEvent to include the generated security Token. Allows the listeners to replace the token with their own (in case an application has some custom logic for token generation). The SwitchUserListener will now use the token returned by the event, so if token was not changed the self generated token will be used. If token was changed in the event then the new token would get used.Reasons for this feature--------------------------In our current project users can have different Role sets depending on which organization they switch to. Our `User->getRoles()` always returns ["ROLE_USER"] and after login user is presented with choice of organizations they want to work in. Based on selected organization roles get updated with then stored token.Without the change proposed in this PR. The only way we can setup the proper roles during user switch is by replacing `security.authentication.switchuser_listener` service with our own implementation of the listener.With the proposed change, we can replace the security token with the one having all the roles we require directly inside our listener for `security.switch_user` event that gets thrown by Symfony's `SwitchUserListener`Commits-------4205f1b Passing the newly generated security token to the event during user switching.
This was referencedOct 18, 2017
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers

@nicolas-grekasnicolas-grekasnicolas-grekas left review comments

@xabbuhxabbuhxabbuh approved these changes

@chalasrchalasrchalasr approved these changes

Assignees
No one assigned
Projects
None yet
Milestone
3.4
Development

Successfully merging this pull request may close these issues.

5 participants
@klandaika@xabbuh@nicolas-grekas@chalasr@carsonbot
[8]ページ先頭
©2009-2025 Movatter.jp