bug #34218 [Security] Fix SwitchUserToken wrongly deauthenticated (chalasr)

fabpot · fabpot · commit 08a218c79fdc · 2019-11-03T13:01:14.000+01:00
This PR was merged into the 4.4 branch. Discussion ---------- [Security] Fix SwitchUserToken wrongly deauthenticated | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #34202 | License | MIT | Doc PR | - Commits ------- e47b31c [Security] Fix SwitchUserToken wrongly deauthenticated
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
@@ -318,9 +318,12 @@ private function hasUserChanged(UserInterface $user): bool
         }
 
         $userRoles = array_map('strval', (array) $user->getRoles());
-        $rolesChanged = \count($userRoles) !== \count($this->getRoleNames()) || \count($userRoles) !== \count(array_intersect($userRoles, $this->getRoleNames()));
 
-        if ($rolesChanged) {
+        if ($this instanceof SwitchUserToken) {
+            $userRoles[] = 'ROLE_PREVIOUS_ADMIN';
+        }
+
+        if (\count($userRoles) !== \count($this->getRoleNames()) || \count($userRoles) !== \count(array_intersect($userRoles, $this->getRoleNames()))) {
             return true;
         }
 
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Token/SwitchUserTokenTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Token/SwitchUserTokenTest.php
@@ -14,6 +14,7 @@
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\User\UserInterface;
 
 class SwitchUserTokenTest extends TestCase
 {
@@ -38,4 +39,38 @@ public function testSerialize()
         $this->assertSame('provider-key', $unserializedOriginalToken->getProviderKey());
         $this->assertEquals(['ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'], $unserializedOriginalToken->getRoleNames());
     }
+
+    public function testSetUserDoesNotDeauthenticate()
+    {
+        $impersonated = new class() implements UserInterface {
+            public function getUsername()
+            {
+                return 'impersonated';
+            }
+
+            public function getPassword()
+            {
+                return null;
+            }
+
+            public function eraseCredentials()
+            {
+            }
+
+            public function getRoles()
+            {
+                return ['ROLE_USER'];
+            }
+
+            public function getSalt()
+            {
+                return null;
+            }
+        };
+
+        $originalToken = new UsernamePasswordToken('impersonator', 'foo', 'provider-key', ['ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH']);
+        $token = new SwitchUserToken($impersonated, 'bar', 'provider-key', ['ROLE_USER', 'ROLE_PREVIOUS_ADMIN'], $originalToken);
+        $token->setUser($impersonated);
+        $this->assertTrue($token->isAuthenticated());
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -318,9 +318,12 @@ private function hasUserChanged(UserInterface $user): bool`
`318`	`318`	`}`
`319`	`319`
`320`	`320`	`$userRoles = array_map('strval', (array) $user->getRoles());`
`321`		`- $rolesChanged = \count($userRoles) !== \count($this->getRoleNames()) \|\| \count($userRoles) !== \count(array_intersect($userRoles, $this->getRoleNames()));`
`322`	`321`
`323`		`- if ($rolesChanged) {`
	`322`	`+ if ($this instanceof SwitchUserToken) {`
	`323`	`+ $userRoles[] = 'ROLE_PREVIOUS_ADMIN';`
	`324`	`+ }`
	`325`	`+`
	`326`	`+ if (\count($userRoles) !== \count($this->getRoleNames()) \|\| \count($userRoles) !== \count(array_intersect($userRoles, $this->getRoleNames()))) {`
`324`	`327`	`return true;`
`325`	`328`	`}`
`326`	`329`