From 2f8651d4ec90cfe2f735d7087b3ecae52a8a8812 Mon Sep 17 00:00:00 2001
From: Igor Timoshenko <igor.timoshenko@i.ua>
Date: Wed, 29 Jul 2020 18:40:37 +0300
Subject: [PATCH] [MonologBridge] Added SwitchUserTokenProcessor to log the
 impersonator

---
 .../Processor/AbstractTokenProcessor.php      | 53 +++++++++++++++++++
 .../Processor/SwitchUserTokenProcessor.php    | 45 ++++++++++++++++
 .../Monolog/Processor/TokenProcessor.php      | 32 +++++------
 .../SwitchUserTokenProcessorTest.php          | 43 +++++++++++++++
 4 files changed, 154 insertions(+), 19 deletions(-)
 create mode 100644 src/Symfony/Bridge/Monolog/Processor/AbstractTokenProcessor.php
 create mode 100644 src/Symfony/Bridge/Monolog/Processor/SwitchUserTokenProcessor.php
 create mode 100644 src/Symfony/Bridge/Monolog/Tests/Processor/SwitchUserTokenProcessorTest.php

diff --git a/src/Symfony/Bridge/Monolog/Processor/AbstractTokenProcessor.php b/src/Symfony/Bridge/Monolog/Processor/AbstractTokenProcessor.php
new file mode 100644
index 0000000000..ed37c94b81
--- /dev/null
+++ b/src/Symfony/Bridge/Monolog/Processor/AbstractTokenProcessor.php
@@ -0,0 +1,53 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bridge\Monolog\Processor;
+
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+
+/**
+ * The base class for security token processors.
+ *
+ * @author Dany Maillard <danymaillard93b@gmail.com>
+ * @author Igor Timoshenko <igor.timoshenko@i.ua>
+ */
+abstract class AbstractTokenProcessor
+{
+    /**
+     * @var TokenStorageInterface
+     */
+    protected $tokenStorage;
+
+    public function __construct(TokenStorageInterface $tokenStorage)
+    {
+        $this->tokenStorage = $tokenStorage;
+    }
+
+    abstract protected function getKey(): string;
+
+    abstract protected function getToken(): ?TokenInterface;
+
+    public function __invoke(array $record): array
+    {
+        $record['extra'][$this->getKey()] = null;
+
+        if (null !== $token = $this->getToken()) {
+            $record['extra'][$this->getKey()] = [
+                'username' => $token->getUsername(),
+                'authenticated' => $token->isAuthenticated(),
+                'roles' => $token->getRoleNames(),
+            ];
+        }
+
+        return $record;
+    }
+}
diff --git a/src/Symfony/Bridge/Monolog/Processor/SwitchUserTokenProcessor.php b/src/Symfony/Bridge/Monolog/Processor/SwitchUserTokenProcessor.php
new file mode 100644
index 0000000000..76aa7e479d
--- /dev/null
+++ b/src/Symfony/Bridge/Monolog/Processor/SwitchUserTokenProcessor.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bridge\Monolog\Processor;
+
+use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+
+/**
+ * Adds the original security token to the log entry.
+ *
+ * @author Igor Timoshenko <igor.timoshenko@i.ua>
+ */
+class SwitchUserTokenProcessor extends AbstractTokenProcessor
+{
+    /**
+     * {@inheritdoc}
+     */
+    protected function getKey(): string
+    {
+        return 'impersonator_token';
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function getToken(): ?TokenInterface
+    {
+        $token = $this->tokenStorage->getToken();
+
+        if ($token instanceof SwitchUserToken) {
+            return $token->getOriginalToken();
+        }
+
+        return null;
+    }
+}
diff --git a/src/Symfony/Bridge/Monolog/Processor/TokenProcessor.php b/src/Symfony/Bridge/Monolog/Processor/TokenProcessor.php
index 78d8dd3249..7ca212eb29 100644
--- a/src/Symfony/Bridge/Monolog/Processor/TokenProcessor.php
+++ b/src/Symfony/Bridge/Monolog/Processor/TokenProcessor.php
@@ -11,35 +11,29 @@
 
 namespace Symfony\Bridge\Monolog\Processor;
 
-use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 
 /**
  * Adds the current security token to the log entry.
  *
  * @author Dany Maillard <danymaillard93b@gmail.com>
+ * @author Igor Timoshenko <igor.timoshenko@i.ua>
  */
-class TokenProcessor
+class TokenProcessor extends AbstractTokenProcessor
 {
-    private $tokenStorage;
-
-    public function __construct(TokenStorageInterface $tokenStorage)
+    /**
+     * {@inheritdoc}
+     */
+    protected function getKey(): string
     {
-        $this->tokenStorage = $tokenStorage;
+        return 'token';
     }
 
-    public function __invoke(array $records)
+    /**
+     * {@inheritdoc}
+     */
+    protected function getToken(): ?TokenInterface
     {
-        $records['extra']['token'] = null;
-        if (null !== $token = $this->tokenStorage->getToken()) {
-            $roles = $token->getRoleNames();
-
-            $records['extra']['token'] = [
-                'username' => $token->getUsername(),
-                'authenticated' => $token->isAuthenticated(),
-                'roles' => $roles,
-            ];
-        }
-
-        return $records;
+        return $this->tokenStorage->getToken();
     }
 }
diff --git a/src/Symfony/Bridge/Monolog/Tests/Processor/SwitchUserTokenProcessorTest.php b/src/Symfony/Bridge/Monolog/Tests/Processor/SwitchUserTokenProcessorTest.php
new file mode 100644
index 0000000000..bdb8489b43
--- /dev/null
+++ b/src/Symfony/Bridge/Monolog/Tests/Processor/SwitchUserTokenProcessorTest.php
@@ -0,0 +1,43 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bridge\Monolog\Tests\Processor;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Bridge\Monolog\Processor\SwitchUserTokenProcessor;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+
+/**
+ * Tests the SwitchUserTokenProcessor.
+ *
+ * @author Igor Timoshenko <igor.timoshenko@i.ua>
+ */
+class SwitchUserTokenProcessorTest extends TestCase
+{
+    public function testProcessor()
+    {
+        $originalToken = new UsernamePasswordToken('original_user', 'password', 'provider', ['ROLE_SUPER_ADMIN']);
+        $switchUserToken = new SwitchUserToken('user', 'passsword', 'provider', ['ROLE_USER'], $originalToken);
+        $tokenStorage = $this->getMockBuilder(TokenStorageInterface::class)->getMock();
+        $tokenStorage->method('getToken')->willReturn($switchUserToken);
+
+        $processor = new SwitchUserTokenProcessor($tokenStorage);
+        $record = ['extra' => []];
+        $record = $processor($record);
+
+        $this->assertArrayHasKey('original_token', $record['extra']);
+        $this->assertEquals($originalToken->getUsername(), $record['extra']['original_token']['username']);
+        $this->assertEquals($originalToken->isAuthenticated(), $record['extra']['original_token']['authenticated']);
+        $this->assertEquals(['ROLE_SUPER_ADMIN'], $record['extra']['original_token']['roles']);
+    }
+}