bug #27452 Avoid migration on stateless firewalls (weaverryan)

fabpot · fabpot · commit f20bfb2b1fb5 · 2018-06-10T12:27:47.000+02:00
This PR was squashed before being merged into the 2.8 branch (closes #27452). Discussion ---------- Avoid migration on stateless firewalls | Q | A | ------------- | --- | Branch? | 2.8 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | Related to #27395 | License | MIT | Doc PR | symfony/symfony-docs#9860 This is a proof-of-concept. Once we agree / are happy, I need to add this to all of the other authentication mechanisms that recently got the session migration code & add tests. Basically, this avoids migrating the session if the firewall is stateless. There were 2 options to do this: A) Make the `SessionAuthenticationStrategy` aware of all stateless firewalls. **This is the current approach** or B) Make each individual authentication listener aware whether or not *its* firewall is stateless. Commits ------- cca73bb564 Avoid migration on stateless firewalls
diff --git a/Guard/GuardAuthenticatorHandler.php b/Guard/GuardAuthenticatorHandler.php
@@ -20,6 +20,7 @@
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
 use Symfony\Component\Security\Http\SecurityEvents;
+use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
 
 /**
  * A utility class that does much of the *work* during the guard authentication process.
@@ -32,8 +33,8 @@
 class GuardAuthenticatorHandler
 {
     private $tokenStorage;
-
     private $dispatcher;
+    private $sessionStrategy;
 
     public function __construct(TokenStorageInterface $tokenStorage, EventDispatcherInterface $eventDispatcher = null)
     {
@@ -46,7 +47,7 @@ public function __construct(TokenStorageInterface $tokenStorage, EventDispatcher
      */
     public function authenticateWithToken(TokenInterface $token, Request $request)
     {
-        $this->migrateSession($request);
+        $this->migrateSession($request, $token);
         $this->tokenStorage->setToken($token);
 
         if (null !== $this->dispatcher) {
@@ -129,15 +130,22 @@ public function handleAuthenticationFailure(AuthenticationException $authenticat
         ));
     }
 
-    private function migrateSession(Request $request)
+    /**
+     * Call this method if your authentication token is stored to a session.
+     *
+     * @final since version 2.8
+     */
+    public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyInterface $sessionStrategy)
+    {
+        $this->sessionStrategy = $sessionStrategy;
+    }
+
+    private function migrateSession(Request $request, TokenInterface $token)
     {
-        if (!$request->hasSession() || !$request->hasPreviousSession()) {
+        if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
             return;
         }
 
-        // Destroying the old session is broken in php 5.4.0 - 5.4.10
-        // See https://bugs.php.net/63379
-        $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
-        $request->getSession()->migrate($destroy);
+        $this->sessionStrategy->onAuthentication($request, $token);
     }
 }
diff --git a/Guard/Tests/GuardAuthenticatorHandlerTest.php b/Guard/Tests/GuardAuthenticatorHandlerTest.php
@@ -25,6 +25,7 @@ class GuardAuthenticatorHandlerTest extends TestCase
     private $dispatcher;
     private $token;
     private $request;
+    private $sessionStrategy;
     private $guardAuthenticator;
 
     public function testAuthenticateWithToken()
@@ -117,12 +118,38 @@ public function getTokenClearingTests()
         return $tests;
     }
 
+    public function testNoFailureIfSessionStrategyNotPassed()
+    {
+        $this->configurePreviousSession();
+
+        $this->tokenStorage->expects($this->once())
+            ->method('setToken')
+            ->with($this->token);
+
+        $handler = new GuardAuthenticatorHandler($this->tokenStorage, $this->dispatcher);
+        $handler->authenticateWithToken($this->token, $this->request);
+    }
+
+    public function testSessionStrategyIsCalled()
+    {
+        $this->configurePreviousSession();
+
+        $this->sessionStrategy->expects($this->once())
+            ->method('onAuthentication')
+            ->with($this->request, $this->token);
+
+        $handler = new GuardAuthenticatorHandler($this->tokenStorage, $this->dispatcher);
+        $handler->setSessionAuthenticationStrategy($this->sessionStrategy);
+        $handler->authenticateWithToken($this->token, $this->request);
+    }
+
     protected function setUp()
     {
         $this->tokenStorage = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface')->getMock();
         $this->dispatcher = $this->getMockBuilder('Symfony\Component\EventDispatcher\EventDispatcherInterface')->getMock();
         $this->token = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\TokenInterface')->getMock();
         $this->request = new Request(array(), array(), array(), array(), array(), array());
+        $this->sessionStrategy = $this->getMockBuilder('Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface')->getMock();
         $this->guardAuthenticator = $this->getMockBuilder('Symfony\Component\Security\Guard\GuardAuthenticatorInterface')->getMock();
     }
 
@@ -134,4 +161,14 @@ protected function tearDown()
         $this->request = null;
         $this->guardAuthenticator = null;
     }
+
+    private function configurePreviousSession()
+    {
+        $session = $this->getMockBuilder('Symfony\Component\HttpFoundation\Session\SessionInterface')->getMock();
+        $session->expects($this->any())
+            ->method('getName')
+            ->willReturn('test_session_name');
+        $this->request->setSession($session);
+        $this->request->cookies->set('test_session_name', 'session_cookie_val');
+    }
 }
diff --git a/Http/Firewall/AbstractPreAuthenticatedListener.php b/Http/Firewall/AbstractPreAuthenticatedListener.php
@@ -14,6 +14,7 @@
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Symfony\Component\Security\Core\Authentication\Token\PreAuthenticatedToken;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
 use Symfony\Component\Security\Http\SecurityEvents;
@@ -22,6 +23,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
 
 /**
  * AbstractPreAuthenticatedListener is the base class for all listener that
@@ -37,6 +39,7 @@ abstract class AbstractPreAuthenticatedListener implements ListenerInterface
     private $authenticationManager;
     private $providerKey;
     private $dispatcher;
+    private $sessionStrategy;
 
     public function __construct(TokenStorageInterface $tokenStorage, AuthenticationManagerInterface $authenticationManager, $providerKey, LoggerInterface $logger = null, EventDispatcherInterface $dispatcher = null)
     {
@@ -83,7 +86,7 @@ final public function handle(GetResponseEvent $event)
                 $this->logger->info('Pre-authentication successful.', array('token' => (string) $token));
             }
 
-            $this->migrateSession($request);
+            $this->migrateSession($request, $token);
 
             $this->tokenStorage->setToken($token);
 
@@ -96,6 +99,16 @@ final public function handle(GetResponseEvent $event)
         }
     }
 
+    /**
+     * Call this method if your authentication token is stored to a session.
+     *
+     * @final since version 2.8
+     */
+    public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyInterface $sessionStrategy)
+    {
+        $this->sessionStrategy = $sessionStrategy;
+    }
+
     /**
      * Clears a PreAuthenticatedToken for this provider (if present).
      */
@@ -118,15 +131,12 @@ private function clearToken(AuthenticationException $exception)
      */
     abstract protected function getPreAuthenticatedData(Request $request);
 
-    private function migrateSession(Request $request)
+    private function migrateSession(Request $request, TokenInterface $token)
     {
-        if (!$request->hasSession() || !$request->hasPreviousSession()) {
+        if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
             return;
         }
 
-        // Destroying the old session is broken in php 5.4.0 - 5.4.10
-        // See https://bugs.php.net/63379
-        $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
-        $request->getSession()->migrate($destroy);
+        $this->sessionStrategy->onAuthentication($request, $token);
     }
 }
diff --git a/Http/Firewall/BasicAuthenticationListener.php b/Http/Firewall/BasicAuthenticationListener.php
@@ -14,11 +14,13 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
 
 /**
  * BasicAuthenticationListener implements Basic HTTP authentication.
@@ -33,6 +35,7 @@ class BasicAuthenticationListener implements ListenerInterface
     private $authenticationEntryPoint;
     private $logger;
     private $ignoreFailure;
+    private $sessionStrategy;
 
     public function __construct(TokenStorageInterface $tokenStorage, AuthenticationManagerInterface $authenticationManager, $providerKey, AuthenticationEntryPointInterface $authenticationEntryPoint, LoggerInterface $logger = null)
     {
@@ -72,7 +75,7 @@ public function handle(GetResponseEvent $event)
         try {
             $token = $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $request->headers->get('PHP_AUTH_PW'), $this->providerKey));
 
-            $this->migrateSession($request);
+            $this->migrateSession($request, $token);
 
             $this->tokenStorage->setToken($token);
         } catch (AuthenticationException $e) {
@@ -93,15 +96,22 @@ public function handle(GetResponseEvent $event)
         }
     }
 
-    private function migrateSession(Request $request)
+    /**
+     * Call this method if your authentication token is stored to a session.
+     *
+     * @final since version 2.8
+     */
+    public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyInterface $sessionStrategy)
+    {
+        $this->sessionStrategy = $sessionStrategy;
+    }
+
+    private function migrateSession(Request $request, TokenInterface $token)
     {
-        if (!$request->hasSession() || !$request->hasPreviousSession()) {
+        if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
             return;
         }
 
-        // Destroying the old session is broken in php 5.4.0 - 5.4.10
-        // See https://bugs.php.net/63379
-        $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
-        $request->getSession()->migrate($destroy);
+        $this->sessionStrategy->onAuthentication($request, $token);
     }
 }
diff --git a/Http/Firewall/DigestAuthenticationListener.php b/Http/Firewall/DigestAuthenticationListener.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Security\Http\Firewall;
 
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\EntryPoint\DigestAuthenticationEntryPoint;
 use Psr\Log\LoggerInterface;
@@ -23,6 +24,7 @@
 use Symfony\Component\Security\Core\Exception\NonceExpiredException;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
 
 /**
  * DigestAuthenticationListener implements Digest HTTP authentication.
@@ -36,6 +38,7 @@ class DigestAuthenticationListener implements ListenerInterface
     private $providerKey;
     private $authenticationEntryPoint;
     private $logger;
+    private $sessionStrategy;
 
     public function __construct(TokenStorageInterface $tokenStorage, UserProviderInterface $provider, $providerKey, DigestAuthenticationEntryPoint $authenticationEntryPoint, LoggerInterface $logger = null)
     {
@@ -117,9 +120,20 @@ public function handle(GetResponseEvent $event)
             $this->logger->info('Digest authentication successful.', array('username' => $digestAuth->getUsername(), 'received' => $digestAuth->getResponse()));
         }
 
-        $this->migrateSession($request);
+        $token = new UsernamePasswordToken($user, $user->getPassword(), $this->providerKey);
+        $this->migrateSession($request, $token);
 
-        $this->tokenStorage->setToken(new UsernamePasswordToken($user, $user->getPassword(), $this->providerKey));
+        $this->tokenStorage->setToken($token);
+    }
+
+    /**
+     * Call this method if your authentication token is stored to a session.
+     *
+     * @final since version 2.8
+     */
+    public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyInterface $sessionStrategy)
+    {
+        $this->sessionStrategy = $sessionStrategy;
     }
 
     private function fail(GetResponseEvent $event, Request $request, AuthenticationException $authException)
@@ -136,16 +150,13 @@ private function fail(GetResponseEvent $event, Request $request, AuthenticationE
         $event->setResponse($this->authenticationEntryPoint->start($request, $authException));
     }
 
-    private function migrateSession(Request $request)
+    private function migrateSession(Request $request, TokenInterface $token)
     {
-        if (!$request->hasSession() || !$request->hasPreviousSession()) {
+        if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
             return;
         }
 
-        // Destroying the old session is broken in php 5.4.0 - 5.4.10
-        // See https://bugs.php.net/63379
-        $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
-        $request->getSession()->migrate($destroy);
+        $this->sessionStrategy->onAuthentication($request, $token);
     }
 }
 
diff --git a/Http/Firewall/SimplePreAuthenticationListener.php b/Http/Firewall/SimplePreAuthenticationListener.php
@@ -19,12 +19,14 @@
 use Symfony\Component\Security\Core\Authentication\SimplePreAuthenticatorInterface;
 use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
 use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
 use Symfony\Component\Security\Http\SecurityEvents;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
+use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
 
 /**
  * SimplePreAuthenticationListener implements simple proxying to an authenticator.
@@ -39,6 +41,7 @@ class SimplePreAuthenticationListener implements ListenerInterface
     private $simpleAuthenticator;
     private $logger;
     private $dispatcher;
+    private $sessionStrategy;
 
     /**
      * @param TokenStorageInterface           $tokenStorage          A TokenStorageInterface instance
@@ -62,6 +65,16 @@ public function __construct(TokenStorageInterface $tokenStorage, AuthenticationM
         $this->dispatcher = $dispatcher;
     }
 
+    /**
+     * Call this method if your authentication token is stored to a session.
+     *
+     * @final since version 2.8
+     */
+    public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyInterface $sessionStrategy)
+    {
+        $this->sessionStrategy = $sessionStrategy;
+    }
+
     /**
      * Handles basic authentication.
      */
@@ -87,7 +100,7 @@ public function handle(GetResponseEvent $event)
 
             $token = $this->authenticationManager->authenticate($token);
 
-            $this->migrateSession($request);
+            $this->migrateSession($request, $token);
 
             $this->tokenStorage->setToken($token);
 
@@ -124,15 +137,12 @@ public function handle(GetResponseEvent $event)
         }
     }
 
-    private function migrateSession(Request $request)
+    private function migrateSession(Request $request, TokenInterface $token)
     {
-        if (!$request->hasSession() || !$request->hasPreviousSession()) {
+        if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
             return;
         }
 
-        // Destroying the old session is broken in php 5.4.0 - 5.4.10
-        // See https://bugs.php.net/63379
-        $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
-        $request->getSession()->migrate($destroy);
+        $this->sessionStrategy->onAuthentication($request, $token);
     }
 }
