bug #30347 [Security] Change FormAuthenticator if condition (PReimers)

This PR was squashed before being merged into the 3.4 branch (closes #30347). Discussion ---------- [Security] Change FormAuthenticator if condition | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #30341 | License | MIT | Doc PR | - I changed the if condition in `SimpleFormAuthenticationListener` and `UsernamePasswordFormAuthenticationListener` based on the solution provided by @nikic in issue #30341 #OpenSourceFriday Commits ------- 67ae121b2e [Security] Change FormAuthenticator if condition
2019-02-23 15:32:41 +01:00 · 2019-02-23 15:32:41 +01:00 · 1aac865da7
parent 173b5eaf8c 67ae121b2e
commit 1aac865da7
3 changed files with 84 additions and 3 deletions
--- a/src/Symfony/Component/Security/Http/Firewall/SimpleFormAuthenticationListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/SimpleFormAuthenticationListener.php
@ -107,7 +107,7 @@ class SimpleFormAuthenticationListener extends AbstractAuthenticationListener
            $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
        }

-        if (!\is_string($username) || (\is_object($username) && !\method_exists($username, '__toString'))) {
+        if (!\is_string($username) && (!\is_object($username) || !\method_exists($username, '__toString'))) {
            throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['username_parameter'], \gettype($username)));
        }

--- a/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php
@ -85,7 +85,7 @@ class UsernamePasswordFormAuthenticationListener extends AbstractAuthenticationL
            $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
        }

-        if (!\is_string($username) || (\is_object($username) && !\method_exists($username, '__toString'))) {
+        if (!\is_string($username) && (!\is_object($username) || !\method_exists($username, '__toString'))) {
            throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['username_parameter'], \gettype($username)));
        }

--- a/src/Symfony/Component/Security/Http/Tests/Firewall/UsernamePasswordFormAuthenticationListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/Firewall/UsernamePasswordFormAuthenticationListenerTest.php
@ -81,7 +81,7 @@ class UsernamePasswordFormAuthenticationListenerTest extends TestCase
     * @expectedException \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
     * @expectedExceptionMessage The key "_username" must be a string, "array" given.
     */
-    public function testHandleNonStringUsername($postOnly)
+    public function testHandleNonStringUsernameWithArray($postOnly)
    {
        $request = Request::create('/login_check', 'POST', ['_username' => []]);
        $request->setSession($this->getMockBuilder('Symfony\Component\HttpFoundation\Session\SessionInterface')->getMock());
@ -99,6 +99,79 @@ class UsernamePasswordFormAuthenticationListenerTest extends TestCase
        $listener->handle($event);
    }

+    /**
+     * @dataProvider postOnlyDataProvider
+     * @expectedException \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
+     * @expectedExceptionMessage The key "_username" must be a string, "integer" given.
+     */
+    public function testHandleNonStringUsernameWithInt($postOnly)
+    {
+        $request = Request::create('/login_check', 'POST', ['_username' => 42]);
+        $request->setSession($this->getMockBuilder('Symfony\Component\HttpFoundation\Session\SessionInterface')->getMock());
+        $listener = new UsernamePasswordFormAuthenticationListener(
+            new TokenStorage(),
+            $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface')->getMock(),
+            new SessionAuthenticationStrategy(SessionAuthenticationStrategy::NONE),
+            $httpUtils = new HttpUtils(),
+            'foo',
+            new DefaultAuthenticationSuccessHandler($httpUtils),
+            new DefaultAuthenticationFailureHandler($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $httpUtils),
+            ['require_previous_session' => false, 'post_only' => $postOnly]
+        );
+        $event = new GetResponseEvent($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $request, HttpKernelInterface::MASTER_REQUEST);
+        $listener->handle($event);
+    }
+
+    /**
+     * @dataProvider postOnlyDataProvider
+     * @expectedException \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
+     * @expectedExceptionMessage The key "_username" must be a string, "object" given.
+     */
+    public function testHandleNonStringUsernameWithObject($postOnly)
+    {
+        $request = Request::create('/login_check', 'POST', ['_username' => new \stdClass()]);
+        $request->setSession($this->getMockBuilder('Symfony\Component\HttpFoundation\Session\SessionInterface')->getMock());
+        $listener = new UsernamePasswordFormAuthenticationListener(
+            new TokenStorage(),
+            $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface')->getMock(),
+            new SessionAuthenticationStrategy(SessionAuthenticationStrategy::NONE),
+            $httpUtils = new HttpUtils(),
+            'foo',
+            new DefaultAuthenticationSuccessHandler($httpUtils),
+            new DefaultAuthenticationFailureHandler($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $httpUtils),
+            ['require_previous_session' => false, 'post_only' => $postOnly]
+        );
+        $event = new GetResponseEvent($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $request, HttpKernelInterface::MASTER_REQUEST);
+        $listener->handle($event);
+    }
+
+    /**
+     * @dataProvider postOnlyDataProvider
+     */
+    public function testHandleNonStringUsernameWith__toString($postOnly)
+    {
+        $usernameClass = $this->getMockBuilder(DummyUserClass::class)->getMock();
+        $usernameClass
+            ->expects($this->atLeastOnce())
+            ->method('__toString')
+            ->will($this->returnValue('someUsername'));
+
+        $request = Request::create('/login_check', 'POST', ['_username' => $usernameClass]);
+        $request->setSession($this->getMockBuilder('Symfony\Component\HttpFoundation\Session\SessionInterface')->getMock());
+        $listener = new UsernamePasswordFormAuthenticationListener(
+            new TokenStorage(),
+            $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface')->getMock(),
+            new SessionAuthenticationStrategy(SessionAuthenticationStrategy::NONE),
+            $httpUtils = new HttpUtils(),
+            'foo',
+            new DefaultAuthenticationSuccessHandler($httpUtils),
+            new DefaultAuthenticationFailureHandler($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $httpUtils),
+            ['require_previous_session' => false, 'post_only' => $postOnly]
+        );
+        $event = new GetResponseEvent($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $request, HttpKernelInterface::MASTER_REQUEST);
+        $listener->handle($event);
+    }
+
    public function postOnlyDataProvider()
    {
        return [
@ -115,3 +188,11 @@ class UsernamePasswordFormAuthenticationListenerTest extends TestCase
        ];
    }
 }
+
+class DummyUserClass
+{
+    public function __toString()
+    {
+        return '';
+    }
+}