symfony
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php
+57Lines changed: 57 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php
+57Lines changed: 57 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
+5-3Lines changed: 5 additions & 3 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
+5-3Lines changed: 5 additions & 3 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml
+1Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml
+1Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
+48-32Lines changed: 48 additions & 32 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
+48-32Lines changed: 48 additions & 32 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Security/FirewallConfig.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Security/FirewallConfig.php
+12-1Lines changed: 12 additions & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/Security/FirewallConfig.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Security/FirewallConfig.php
+12-1Lines changed: 12 additions & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php
+31Lines changed: 31 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php
+31Lines changed: 31 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
+1Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
+1Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/Security/FirewallConfigTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Tests/Security/FirewallConfigTest.php
+3Lines changed: 3 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/Security/FirewallConfigTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Tests/Security/FirewallConfigTest.php
+3Lines changed: 3 additions & 0 deletions
@@ -18,6 +18,7 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\DataCollector\DataCollector;
 use Symfony\Component\HttpKernel\DataCollector\LateDataCollectorInterface;
+use Symfony\Component\Security\Core\Role\SwitchUserRole;
 use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 use Symfony\Component\Security\Core\Authorization\TraceableAccessDecisionManager;
@@ -68,6 +69,9 @@ public function collect(Request $request, Response $response, \Exception $except
             $this->data = array(
                 'enabled' => false,
                 'authenticated' => false,
+                'impersonated' => false,
+                'impersonated_source_user' => null,
+                'impersonated_exit_path' => null,
                 'token' => null,
                 'token_class' => null,
                 'logout_url' => null,
@@ -80,6 +84,9 @@ public function collect(Request $request, Response $response, \Exception $except
             $this->data = array(
                 'enabled' => true,
                 'authenticated' => false,
+                'impersonated' => false,
+                'impersonated_source_user' => null,
+                'impersonated_exit_path' => null,
                 'token' => null,
                 'token_class' => null,
                 'logout_url' => null,
@@ -92,6 +99,14 @@ public function collect(Request $request, Response $response, \Exception $except
             $inheritedRoles = array();
             $assignedRoles = $token->getRoles();
 
+            $impersonatedSourceUser = null;
+            foreach ($assignedRoles as $role) {
+                if ($role instanceof SwitchUserRole) {
+                    $impersonatedSourceUser = $role->getSource()->getUsername();
+                    break;
+                }
+            }
+
             if (null !== $this->roleHierarchy) {
                 $allRoles = $this->roleHierarchy->getReachableRoles($assignedRoles);
                 foreach ($allRoles as $role) {
@@ -113,6 +128,9 @@ public function collect(Request $request, Response $response, \Exception $except
             $this->data = array(
                 'enabled' => true,
                 'authenticated' => $token->isAuthenticated(),
+                'impersonated' => null !== $impersonatedSourceUser,
+                'impersonated_source_user' => $impersonatedSourceUser,
+                'impersonated_exit_path' => null,
                 'token' => $token,
                 'token_class' => $this->hasVarDumper ? new ClassStub(get_class($token)) : get_class($token),
                 'logout_url' => $logoutUrl,
@@ -156,6 +174,15 @@ public function collect(Request $request, Response $response, \Exception $except
                     'user_checker' => $firewallConfig->getUserChecker(),
                     'listeners' => $firewallConfig->getListeners(),
                 );
+
+                // generate exit impersonation path from current request
+                if ($this->data['impersonated'] && null !== $switchUserConfig = $firewallConfig->getSwitchUser()) {
+                    $exitPath = $request->getRequestUri();
+                    $exitPath .= false === strpos($exitPath, '?') ? '?' : '&';
+                    $exitPath .= $switchUserConfig['parameter'].'=_exit';
+
+                    $this->data['impersonated_exit_path'] = $exitPath;
+                }
             }
         }
     }
@@ -226,6 +253,36 @@ public function isAuthenticated()
         return $this->data['authenticated'];
     }
 
+    /**
+     * Checks if the user is impersonated or not.
+     *
+     * @return bool true if the user is impersonated, false otherwise
+     */
+    public function isImpersonated()
+    {
+        return $this->data['impersonated'];
+    }
+
+    /**
+     * Returns the impersonation source user.
+     *
+     * @return string The username
+     */
+    public function getImpersonatedSourceUser()
+    {
+        return $this->data['impersonated_source_user'];
+    }
+
+    /**
+     * Returns the exit impersonation path.
+     *
+     * @return string The URI path
+     */
+    public function getImpersonatedExitPath()
+    {
+        return $this->data['impersonated_exit_path'];
+    }
+
     /**
      * Get the class name of the security token.
      *
 
@@ -399,6 +399,8 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
         if (isset($firewall['switch_user'])) {
             $listenerKeys[] = 'switch_user';
             $listeners[] = new Reference($this->createSwitchUserListener($container, $id, $firewall['switch_user'], $defaultProvider));
+
+            $config->replaceArgument(8, $firewall['switch_user']);
         }
 
         // Access listener
@@ -407,8 +409,8 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
         // Exception listener
         $exceptionListener = new Reference($this->createExceptionListener($container, $firewall, $id, $configuredEntryPoint ?: $defaultEntryPoint, $firewall['stateless']));
 
-        $config->replaceArgument(8, isset($firewall['access_denied_handler']) ? $firewall['access_denied_handler'] : null);
-        $config->replaceArgument(9, isset($firewall['access_denied_url']) ? $firewall['access_denied_url'] : null);
+        $config->replaceArgument(9, isset($firewall['access_denied_handler']) ? $firewall['access_denied_handler'] : null);
+        $config->replaceArgument(10, isset($firewall['access_denied_url']) ? $firewall['access_denied_url'] : null);
 
         $container->setAlias('security.user_checker.'.$id, new Alias($firewall['user_checker'], false));
 
@@ -425,7 +427,7 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
             $listenerKeys[] = 'anonymous';
         }
 
-        $config->replaceArgument(10, $listenerKeys);
+        $config->replaceArgument(11, $listenerKeys);
 
         return array($matcher, $listeners, $exceptionListener);
     }
 
@@ -133,6 +133,7 @@
             <argument />                   <!-- provider -->
             <argument />                   <!-- context -->
             <argument />                   <!-- entry_point -->
+            <argument />                   <!-- switch_user -->
             <argument />                   <!-- access_denied_handler -->
             <argument />                   <!-- access_denied_url -->
             <argument type="collection" /> <!-- listeners -->
 
@@ -16,47 +16,63 @@
     {% endset %}
 
     {% set text %}
-        {% if collector.enabled %}
-            {% if collector.token %}
+        {% if collector.impersonated %}
+            <div class="sf-toolbar-info-group">
                 <div class="sf-toolbar-info-piece">
-                    <b>Logged in as</b>
-                    <span>{{ collector.user }}</span>
+                    <b>Impersonating as</b>
+                    <span>{{ collector.impersonatedSourceUser }}</span>
                 </div>
+            </div>
+        {% endif %}
 
-                <div class="sf-toolbar-info-piece">
-                    <b>Authenticated</b>
-                    <span class="sf-toolbar-status sf-toolbar-status-{{ is_authenticated ? 'green' : 'red' }}">{{ is_authenticated ? 'Yes' : 'No' }}</span>
-                </div>
+        <div class="sf-toolbar-info-group">
+            {% if collector.enabled %}
+                {% if collector.token %}
+                    <div class="sf-toolbar-info-piece">
+                        <b>Logged in as</b>
+                        <span>{{ collector.user }}</span>
+                    </div>
 
-                <div class="sf-toolbar-info-piece">
-                    <b>Token class</b>
-                    <span>{{ collector.tokenClass|abbr_class }}</span>
-                </div>
-            {% else %}
-                <div class="sf-toolbar-info-piece">
-                    <b>Authenticated</b>
-                    <span class="sf-toolbar-status sf-toolbar-status-red">No</span>
-                </div>
-            {% endif %}
+                    <div class="sf-toolbar-info-piece">
+                        <b>Authenticated</b>
+                        <span class="sf-toolbar-status sf-toolbar-status-{{ is_authenticated ? 'green' : 'red' }}">{{ is_authenticated ? 'Yes' : 'No' }}</span>
+                    </div>
 
-            {% if collector.firewall %}
-                <div class="sf-toolbar-info-piece">
-                    <b>Firewall name</b>
-                    <span>{{ collector.firewall.name }}</span>
-                </div>
-            {% endif %}
+                    <div class="sf-toolbar-info-piece">
+                        <b>Token class</b>
+                        <span>{{ collector.tokenClass|abbr_class }}</span>
+                    </div>
+                {% else %}
+                    <div class="sf-toolbar-info-piece">
+                        <b>Authenticated</b>
+                        <span class="sf-toolbar-status sf-toolbar-status-red">No</span>
+                    </div>
+                {% endif %}
 
-            {% if collector.token and collector.logoutUrl %}
+                {% if collector.firewall %}
+                    <div class="sf-toolbar-info-piece">
+                        <b>Firewall name</b>
+                        <span>{{ collector.firewall.name }}</span>
+                    </div>
+                {% endif %}
+
+                {% if collector.token and collector.logoutUrl %}
+                    <div class="sf-toolbar-info-piece">
+                        <b>Actions</b>
+                        <span>
+                            <a href="{{ collector.logoutUrl }}">Logout</a>
+                            {% if collector.impersonated and collector.impersonatedExitPath %}
+                                | <a href="{{ collector.impersonatedExitPath }}">Exit impersonation</a>
+                            {% endif %}
+                        </span>
+                    </div>
+                {% endif %}
+            {% else %}
                 <div class="sf-toolbar-info-piece">
-                    <b>Actions</b>
-                    <span><a href="{{ collector.logoutUrl }}">Logout</a></span>
+                    <span>The security is disabled.</span>
                 </div>
             {% endif %}
-        {% else %}
-            <div class="sf-toolbar-info-piece">
-                <span>The security is disabled.</span>
-            </div>
-        {% endif %}
+        </div>
     {% endset %}
 
     {{ include('@WebProfiler/Profiler/toolbar_item.html.twig', { link: profiler_url, status: color_code }) }}
 
@@ -24,6 +24,7 @@ final class FirewallConfig
     private $provider;
     private $context;
     private $entryPoint;
+    private $switchUser;
     private $accessDeniedHandler;
     private $accessDeniedUrl;
     private $listeners;
@@ -37,11 +38,12 @@ final class FirewallConfig
      * @param string|null $provider
      * @param string|null $context
      * @param string|null $entryPoint
+     * @param array|null  $switchUser
      * @param string|null $accessDeniedHandler
      * @param string|null $accessDeniedUrl
      * @param string[]    $listeners
      */
-    public function __construct($name, $userChecker, $requestMatcher = null, $securityEnabled = true, $stateless = false, $provider = null, $context = null, $entryPoint = null, $accessDeniedHandler = null, $accessDeniedUrl = null, $listeners = array())
+    public function __construct($name, $userChecker, $requestMatcher = null, $securityEnabled = true, $stateless = false, $provider = null, $context = null, $entryPoint = null, $switchUser = null, $accessDeniedHandler = null, $accessDeniedUrl = null, $listeners = array())
     {
         $this->name = $name;
         $this->userChecker = $userChecker;
@@ -51,6 +53,7 @@ public function __construct($name, $userChecker, $requestMatcher = null, $securi
         $this->provider = $provider;
         $this->context = $context;
         $this->entryPoint = $entryPoint;
+        $this->switchUser = $switchUser;
         $this->accessDeniedHandler = $accessDeniedHandler;
         $this->accessDeniedUrl = $accessDeniedUrl;
         $this->listeners = $listeners;
@@ -109,6 +112,14 @@ public function getEntryPoint()
         return $this->entryPoint;
     }
 
+    /**
+     * @return array|null The switch_user config if enabled, null otherwise
+     */
+    public function getSwitchUser()
+    {
+        return $this->switchUser;
+    }
+
     /**
      * @return string The user_checker service id
      */
 
@@ -19,6 +19,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Role\Role;
 use Symfony\Component\Security\Core\Role\RoleHierarchy;
+use Symfony\Component\Security\Core\Role\SwitchUserRole;
 use Symfony\Component\Security\Http\FirewallMapInterface;
 
 class SecurityDataCollectorTest extends TestCase
@@ -31,6 +32,7 @@ public function testCollectWhenSecurityIsDisabled()
         $this->assertSame('security', $collector->getName());
         $this->assertFalse($collector->isEnabled());
         $this->assertFalse($collector->isAuthenticated());
+        $this->assertFalse($collector->isImpersonated());
         $this->assertNull($collector->getTokenClass());
         $this->assertFalse($collector->supportsRoleHierarchy());
         $this->assertCount(0, $collector->getRoles());
@@ -47,6 +49,7 @@ public function testCollectWhenAuthenticationTokenIsNull()
 
         $this->assertTrue($collector->isEnabled());
         $this->assertFalse($collector->isAuthenticated());
+        $this->assertFalse($collector->isImpersonated());
         $this->assertNull($collector->getTokenClass());
         $this->assertTrue($collector->supportsRoleHierarchy());
         $this->assertCount(0, $collector->getRoles());
@@ -67,13 +70,41 @@ public function testCollectAuthenticationTokenAndRoles(array $roles, array $norm
 
         $this->assertTrue($collector->isEnabled());
         $this->assertTrue($collector->isAuthenticated());
+        $this->assertFalse($collector->isImpersonated());
         $this->assertSame('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $collector->getTokenClass()->getValue());
         $this->assertTrue($collector->supportsRoleHierarchy());
         $this->assertSame($normalizedRoles, $collector->getRoles()->getValue(true));
         $this->assertSame($inheritedRoles, $collector->getInheritedRoles()->getValue(true));
         $this->assertSame('hhamon', $collector->getUser());
     }
 
+    public function testCollectImpersonatedToken()
+    {
+        $adminToken = new UsernamePasswordToken('yceruto', 'P4$$w0rD', 'provider', array('ROLE_ADMIN'));
+
+        $userRoles = array(
+            'ROLE_USER',
+            new SwitchUserRole('ROLE_PREVIOUS_ADMIN', $adminToken),
+        );
+
+        $tokenStorage = new TokenStorage();
+        $tokenStorage->setToken(new UsernamePasswordToken('hhamon', 'P4$$w0rD', 'provider', $userRoles));
+
+        $collector = new SecurityDataCollector($tokenStorage, $this->getRoleHierarchy());
+        $collector->collect($this->getRequest(), $this->getResponse());
+        $collector->lateCollect();
+
+        $this->assertTrue($collector->isEnabled());
+        $this->assertTrue($collector->isAuthenticated());
+        $this->assertTrue($collector->isImpersonated());
+        $this->assertSame('yceruto', $collector->getImpersonatedSourceUser());
+        $this->assertSame('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $collector->getTokenClass()->getValue());
+        $this->assertTrue($collector->supportsRoleHierarchy());
+        $this->assertSame(array('ROLE_USER', 'ROLE_PREVIOUS_ADMIN'), $collector->getRoles()->getValue(true));
+        $this->assertSame(array(), $collector->getInheritedRoles()->getValue(true));
+        $this->assertSame('hhamon', $collector->getUser());
+    }
+
     public function testGetFirewall()
     {
         $firewallConfig = new FirewallConfig('dummy', 'security.request_matcher.dummy', 'security.user_checker.dummy');
 
@@ -94,6 +94,7 @@ public function testFirewalls()
                 'security.user.provider.concrete.default',
                 null,
                 'security.authentication.form_entry_point.secure',
+                array('parameter' => '_switch_user', 'role' => 'ROLE_ALLOWED_TO_SWITCH'),
                 null,
                 null,
                 array(
 
@@ -26,6 +26,7 @@ public function testGetters()
             'provider' => 'foo_provider',
             'context' => 'foo_context',
             'entry_point' => 'foo_entry_point',
+            'switch_user' => array('provider' => null, 'parameter' => '_switch_user', 'role' => 'ROLE_ALLOWED_TO_SWITCH'),
             'access_denied_url' => 'foo_access_denied_url',
             'access_denied_handler' => 'foo_access_denied_handler',
             'user_checker' => 'foo_user_checker',
@@ -40,6 +41,7 @@ public function testGetters()
             $options['provider'],
             $options['context'],
             $options['entry_point'],
+            $options['switch_user'],
             $options['access_denied_handler'],
             $options['access_denied_url'],
             $listeners
@@ -52,6 +54,7 @@ public function testGetters()
         $this->assertSame($options['provider'], $config->getProvider());
         $this->assertSame($options['context'], $config->getContext());
         $this->assertSame($options['entry_point'], $config->getEntryPoint());
+        $this->assertSame($options['switch_user'], $config->getSwitchUser());
         $this->assertSame($options['access_denied_handler'], $config->getAccessDeniedHandler());
         $this->assertSame($options['access_denied_url'], $config->getAccessDeniedUrl());
         $this->assertSame($options['user_checker'], $config->getUserChecker());