Fixing guard authentication + session migration

The original setter was put onto the wrong class. The handler is a bit more difficult, as there is one handler only. So, we need to pass in a statelessFirewalls array so we know whether or not to migrate the session
symfony · weaverryan · Jun 11, 2018 · Jun 12, 2018 · Jun 12, 2018 · Jun 12, 2018
commit cd73af26d416612113dfa3df2930c7cf419f5ac3
diff --git a/...Bundle/SecurityBundle/DependencyInjection/Security/Factory/GuardAuthenticationFactory.php b/...Bundle/SecurityBundle/DependencyInjection/Security/Factory/GuardAuthenticationFactory.php
@@ -77,7 +77,6 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
        $listener = $container->setDefinition($listenerId, new DefinitionDecorator('security.authentication.listener.guard'));
        $listener->replaceArgument(2, $id);
        $listener->replaceArgument(3, $authenticatorReferences);
-        $listener->addMethodCall('setSessionAuthenticationStrategy', array(new Reference('security.authentication.session_strategy.'.$id)));

        // determine the entryPointId to use
        $entryPointId = $this->determineEntryPoint($defaultEntryPoint, $config);

diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -39,6 +39,7 @@ class SecurityExtension extends Extension
    private $factories = array();
    private $userProviderFactories = array();
    private $expressionLanguage;
+    private $statelessFirewallKeys = array();

    public function __construct()
    {
@@ -89,6 +90,9 @@ public function load(array $configs, ContainerBuilder $container)
        $this->createAuthorization($config, $container);
        $this->createRoleHierarchy($config, $container);

+        $container->getDefinition('security.authentication.guard_handler')
+            ->replaceArgument(2, $this->statelessFirewallKeys);
+
        if ($config['encoders']) {
            $this->createEncoders($config['encoders'], $container);
        }
@@ -287,6 +291,7 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
            $listeners[] = new Reference($this->createContextListener($container, $contextKey));
            $sessionStrategyId = 'security.authentication.session_strategy';
        } else {
+            $this->statelessFirewallKeys[] = $id;
            $sessionStrategyId = 'security.authentication.session_strategy_noop';
        }
        $container->setAlias(new Alias('security.authentication.session_strategy.'.$id, false), $sessionStrategyId);

diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/guard.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/guard.xml
@@ -10,6 +10,10 @@
            >
            <argument type="service" id="security.token_storage" />
            <argument type="service" id="event_dispatcher" on-invalid="null" />
+            <argument /> <!-- stateless firewall keys -->
+            <call method="setSessionAuthenticationStrategy">
+                <argument type="service" id="security.authentication.session_strategy" />
+            </call>
        </service>

        <!-- See GuardAuthenticationFactory -->

diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php
@@ -119,6 +119,33 @@ public function testDisableRoleHierarchyVoter()
        $this->assertFalse($container->hasDefinition('security.access.role_hierarchy_voter'));
    }

+    public function testGuardHandlerIsPassedStatelessFirewalls()
+    {
+        $container = $this->getRawContainer();
+
+        $container->loadFromExtension('security', array(
+            'providers' => array(
+                'default' => array('id' => 'foo'),
+            ),
+
+            'firewalls' => array(
+                'some_firewall' => array(
+                    'pattern' => '^/admin',
+                    'http_basic' => null,
+                ),
+                'stateless_firewall' => array(
+                    'pattern' => '/.*',
+                    'stateless' => true,
+                    'http_basic' => null,
+                ),
+            ),
+        ));
+
+        $container->compile();
+        $definition = $container->getDefinition('security.authentication.guard_handler');
+        $this->assertSame(array('stateless_firewall'), $definition->getArgument(2));
+    }
+
    protected function getRawContainer()
    {
        $container = new ContainerBuilder();

diff --git a/src/Symfony/Component/Security/Guard/Firewall/GuardAuthenticationListener.php b/src/Symfony/Component/Security/Guard/Firewall/GuardAuthenticationListener.php
@@ -117,7 +117,7 @@ private function executeGuardAuthenticator($uniqueGuardKey, GuardAuthenticatorIn
            }

            // sets the token on the token storage, etc
-            $this->guardHandler->authenticateWithToken($token, $request);
+            $this->guardHandler->authenticateWithToken($token, $request, $this->providerKey);
        } catch (AuthenticationException $e) {
            // oh no! Authentication failed!


diff --git a/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php b/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php
@@ -35,19 +35,26 @@ class GuardAuthenticatorHandler
    private $tokenStorage;
    private $dispatcher;
    private $sessionStrategy;
+    private $statelessProviderKeys;

-    public function __construct(TokenStorageInterface $tokenStorage, EventDispatcherInterface $eventDispatcher = null)
+    /**
+     * @param TokenStorageInterface         $tokenStorage
+     * @param EventDispatcherInterface|null $eventDispatcher
+     * @param array                         $statelessProviderKeys An array of provider/firewall keys that are "stateless" and so do not need the session migrated on success
+     */
+    public function __construct(TokenStorageInterface $tokenStorage, EventDispatcherInterface $eventDispatcher = null, array $statelessProviderKeys = array())
    {
        $this->tokenStorage = $tokenStorage;
        $this->dispatcher = $eventDispatcher;
+        $this->statelessProviderKeys = $statelessProviderKeys;
    }

    /**
     * Authenticates the given token in the system.
     */
-    public function authenticateWithToken(TokenInterface $token, Request $request)
+    public function authenticateWithToken(TokenInterface $token, Request $request, $providerKey = null)
    {
-        $this->migrateSession($request, $token);
+        $this->migrateSession($request, $token, $providerKey);
        $this->tokenStorage->setToken($token);

        if (null !== $this->dispatcher) {
@@ -98,7 +105,7 @@ public function authenticateUserAndHandleSuccess(UserInterface $user, Request $r
        // create an authenticated token for the User
        $token = $authenticator->createAuthenticatedToken($user, $providerKey);
        // authenticate this in the system
-        $this->authenticateWithToken($token, $request);
+        $this->authenticateWithToken($token, $request, $providerKey);

        // return the success metric
        return $this->handleAuthenticationSuccess($token, $request, $authenticator, $providerKey);
@@ -140,9 +147,9 @@ public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyIn
        $this->sessionStrategy = $sessionStrategy;
    }

-    private function migrateSession(Request $request, TokenInterface $token)
+    private function migrateSession(Request $request, TokenInterface $token, $providerKey)
    {
-        if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
+        if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession() || in_array($providerKey, $this->statelessProviderKeys)) {
            return;
        }


diff --git a/src/Symfony/Component/Security/Guard/Tests/GuardAuthenticatorHandlerTest.php b/src/Symfony/Component/Security/Guard/Tests/GuardAuthenticatorHandlerTest.php
@@ -143,6 +143,18 @@ public function testSessionStrategyIsCalled()
        $handler->authenticateWithToken($this->token, $this->request);
    }

+    public function testSessionStrategyIsNotCalledWhenStateless()
+    {
+        $this->configurePreviousSession();
+
+        $this->sessionStrategy->expects($this->never())
+            ->method('onAuthentication');
+
+        $handler = new GuardAuthenticatorHandler($this->tokenStorage, $this->dispatcher, array('some_provider_key'));
+        $handler->setSessionAuthenticationStrategy($this->sessionStrategy);
+        $handler->authenticateWithToken($this->token, $this->request, 'some_provider_key');
+    }
+
    protected function setUp()
    {
        $this->tokenStorage = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface')->getMock();
-Original file line number
+Diff line change
@@ -35,19 +35,26 @@ class GuardAuthenticatorHandler
         private $tokenStorage;
         private $dispatcher;
         private $sessionStrategy;
+        private $statelessProviderKeys;
-        public function __construct(TokenStorageInterface $tokenStorage, EventDispatcherInterface $eventDispatcher = null)
+        /**
+         * @param TokenStorageInterface         $tokenStorage
+         * @param EventDispatcherInterface|null $eventDispatcher
             Copy link

  
      
    
  

  
      

  
  Member


      

  

  
    
      

      
            nicolas-grekas
  

      

      

      


        Jun 12, 2018


      
    

  


        
      
  
  
  
    

    There was a problem hiding this comment.


  

 
  
    

    Choose a reason for hiding this comment

    
      The reason will be displayed to describe this comment to others. Learn more.
    

    
      
      


  


  
    
      We're ok with partial docblocks, so these 2 above lines can be removed.
    
  
  


    

        
      
  
  
    
  
  
  
    
    Sorry, something went wrong.
  

  
    
  
    
      

              Uh oh!

              
There was an error while loading. Please reload this page.


  
  


          
      
  
    
    
      
        
            
    All reactions
+         * @param array                         $statelessProviderKeys An array of provider/firewall keys that are "stateless" and so do not need the session migrated on success
+         */
+        public function __construct(TokenStorageInterface $tokenStorage, EventDispatcherInterface $eventDispatcher = null, array $statelessProviderKeys = array())
         {
             $this->tokenStorage = $tokenStorage;
             $this->dispatcher = $eventDispatcher;
+            $this->statelessProviderKeys = $statelessProviderKeys;
         }
         /**
          * Authenticates the given token in the system.
          */
-        public function authenticateWithToken(TokenInterface $token, Request $request)
+        public function authenticateWithToken(TokenInterface $token, Request $request, $providerKey = null)
             Copy link

  
      
    
  

  
      

  
  Member


      

  

  
    
      

      
            chalasr
  

      

      

      


        Jun 11, 2018


      
    

  


        
      
  
  
  
    

    There was a problem hiding this comment.


  

 
  
    

    Choose a reason for hiding this comment

    
      The reason will be displayed to describe this comment to others. Learn more.
    

    
      
      


  


  
    
      even optional, this would break a child (signature mismatch). func_get_arg() should be used here :)
    
  
  


    

        
      
  
  
    
  
  
  
    
    Sorry, something went wrong.
  

  
    
  
    
      

              Uh oh!

              
There was an error while loading. Please reload this page.


  
  


          
      
  
    
    
      
        
            
    All reactions
         {
-            $this->migrateSession($request, $token);
+            $this->migrateSession($request, $token, $providerKey);
             $this->tokenStorage->setToken($token);
             if (null !== $this->dispatcher) {
@@ -98,7 +105,7 @@ public function authenticateUserAndHandleSuccess(UserInterface $user, Request $r
             // create an authenticated token for the User
             $token = $authenticator->createAuthenticatedToken($user, $providerKey);
             // authenticate this in the system
-            $this->authenticateWithToken($token, $request);
+            $this->authenticateWithToken($token, $request, $providerKey);
             // return the success metric
             return $this->handleAuthenticationSuccess($token, $request, $authenticator, $providerKey);
@@ -140,9 +147,9 @@ public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyIn
             $this->sessionStrategy = $sessionStrategy;
         }
-        private function migrateSession(Request $request, TokenInterface $token)
+        private function migrateSession(Request $request, TokenInterface $token, $providerKey)
         {
-            if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
+            if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession() || in_array($providerKey, $this->statelessProviderKeys)) {
             Copy link

  
      
    
  

  
      

  
  Member


      

  

  
    
      

      
            nicolas-grekas
  

      

      

      


        Jun 12, 2018


      
    

  


        
      
  
  
  
    

    There was a problem hiding this comment.


  

 
  
    

    Choose a reason for hiding this comment

    
      The reason will be displayed to describe this comment to others. Learn more.
    

    
      
      


  


  
    
      \in_array(..., true)
    
  
  


    

        
      
  
  
    
  
  
  
    
    Sorry, something went wrong.
  

  
    
  
    
      

              Uh oh!

              
There was an error while loading. Please reload this page.


  
  


          
      
  
    
    
      
        
            
    All reactions
                 return;
             }
-          Expand Down