Merge branch '5.4' into 6.0

nicolas-grekas · nicolas-grekas · commit 2ac72302b256 · 2021-08-20T11:11:10.000+02:00
* 5.4:
  [Security] make TokenInterface::getUser() nullable to tell about unauthenticated tokens
  [Messenger] fix compat with Serializer v6
diff --git a/Authentication/AuthenticationTrustResolver.php b/Authentication/AuthenticationTrustResolver.php
@@ -11,7 +11,6 @@
 
 namespace Symfony\Component\Security\Core\Authentication;
 
-use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 
@@ -24,30 +23,22 @@ class AuthenticationTrustResolver implements AuthenticationTrustResolverInterfac
 {
     public function isAuthenticated(TokenInterface $token = null): bool
     {
-        return null !== $token && !$token instanceof NullToken;
+        return $token && $token->getUser();
     }
 
     /**
      * {@inheritdoc}
      */
     public function isRememberMe(TokenInterface $token = null)
     {
-        if (null === $token) {
-            return false;
-        }
-
-        return $token instanceof RememberMeToken;
+        return $token && $token instanceof RememberMeToken;
     }
 
     /**
      * {@inheritdoc}
      */
     public function isFullFledged(TokenInterface $token = null)
     {
-        if (null === $token || $token instanceof NullToken) {
-            return false;
-        }
-
-        return !$this->isRememberMe($token);
+        return $this->isAuthenticated($token) && !$this->isRememberMe($token);
     }
 }
diff --git a/Authentication/Token/NullToken.php b/Authentication/Token/NullToken.php
@@ -30,7 +30,7 @@ public function getRoleNames(): array
 
     public function getUser()
     {
-        return '';
+        return null;
     }
 
     public function setUser(UserInterface $user)
diff --git a/Authentication/Token/TokenInterface.php b/Authentication/Token/TokenInterface.php
@@ -40,7 +40,7 @@ public function getRoleNames(): array;
     /**
      * Returns a user representation.
      *
-     * @return UserInterface
+     * @return UserInterface|null
      *
      * @see AbstractToken::setUser()
      */
diff --git a/Authorization/AuthorizationChecker.php b/Authorization/AuthorizationChecker.php
@@ -32,7 +32,7 @@ class AuthorizationChecker implements AuthorizationCheckerInterface
 
     public function __construct(TokenStorageInterface $tokenStorage, AccessDecisionManagerInterface $accessDecisionManager, bool $exceptionOnNoToken = false)
     {
-        if (false !== $exceptionOnNoToken) {
+        if ($exceptionOnNoToken) {
             throw new \LogicException('Argument $exceptionOnNoToken of "%s()" must be set to "false".', __METHOD__);
         }
 
@@ -48,7 +48,11 @@ public function __construct(TokenStorageInterface $tokenStorage, AccessDecisionM
      */
     final public function isGranted(mixed $attribute, mixed $subject = null): bool
     {
-        $token = $this->tokenStorage->getToken() ?? new NullToken();
+        $token = $this->tokenStorage->getToken();
+
+        if (!$token || !$token->getUser()) {
+            $token = new NullToken();
+        }
 
         return $this->accessDecisionManager->decide($token, [$attribute], $subject);
     }
diff --git a/Authorization/Voter/AuthenticatedVoter.php b/Authorization/Voter/AuthenticatedVoter.php
@@ -12,7 +12,6 @@
 namespace Symfony\Component\Security\Core\Authorization\Voter;
 
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
-use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -25,7 +25,7 @@ CHANGELOG
  * Deprecate setting the `$alwaysAuthenticate` argument to `true` and not setting the
    `$exceptionOnNoToken` argument to `false` of `AuthorizationChecker`
  * Deprecate methods `TokenInterface::isAuthenticated()` and `setAuthenticated`,
-   tokens will always be considered authenticated in 6.0
+   return null from "getUser()" instead when a token is not authenticated
 
 5.3
 ---
diff --git a/Tests/Authentication/AuthenticationTrustResolverTest.php b/Tests/Authentication/AuthenticationTrustResolverTest.php
@@ -25,7 +25,6 @@ public function testIsRememberMe()
         $resolver = new AuthenticationTrustResolver();
 
         $this->assertFalse($resolver->isRememberMe(null));
-        $this->assertFalse($resolver->isRememberMe($this->getToken()));
         $this->assertFalse($resolver->isRememberMe(new FakeCustomToken()));
         $this->assertTrue($resolver->isRememberMe(new RealCustomRememberMeToken()));
         $this->assertTrue($resolver->isRememberMe($this->getRememberMeToken()));
@@ -38,7 +37,6 @@ public function testisFullFledged()
         $this->assertFalse($resolver->isFullFledged(null));
         $this->assertFalse($resolver->isFullFledged($this->getRememberMeToken()));
         $this->assertFalse($resolver->isFullFledged(new RealCustomRememberMeToken()));
-        $this->assertTrue($resolver->isFullFledged($this->getToken()));
         $this->assertTrue($resolver->isFullFledged(new FakeCustomToken()));
     }
 
@@ -50,9 +48,24 @@ public function testIsAuthenticated()
         $this->assertTrue($resolver->isAuthenticated(new FakeCustomToken()));
     }
 
-    protected function getToken()
+    public function testIsRememberMeWithClassAsConstructorButStillExtending()
     {
-        return $this->createMock(TokenInterface::class);
+        $resolver = new AuthenticationTrustResolver();
+
+        $this->assertFalse($resolver->isRememberMe(null));
+        $this->assertFalse($resolver->isRememberMe(new FakeCustomToken()));
+        $this->assertTrue($resolver->isRememberMe($this->getRememberMeToken()));
+        $this->assertTrue($resolver->isRememberMe(new RealCustomRememberMeToken()));
+    }
+
+    public function testisFullFledgedWithClassAsConstructorButStillExtending()
+    {
+        $resolver = new AuthenticationTrustResolver();
+
+        $this->assertFalse($resolver->isFullFledged(null));
+        $this->assertFalse($resolver->isFullFledged($this->getRememberMeToken()));
+        $this->assertFalse($resolver->isFullFledged(new RealCustomRememberMeToken()));
+        $this->assertTrue($resolver->isFullFledged(new FakeCustomToken()));
     }
 
     protected function getRememberMeToken()
@@ -95,6 +108,7 @@ public function getCredentials(): mixed
 
     public function getUser(): UserInterface
     {
+        return new InMemoryUser('wouter', '', ['ROLE_USER']);
     }
 
     public function setUser($user)
diff --git a/Tests/Authorization/Voter/AuthenticatedVoterTest.php b/Tests/Authorization/Voter/AuthenticatedVoterTest.php
@@ -13,11 +13,13 @@
 
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
+use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
+use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
-use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+use Symfony\Component\Security\Core\User\InMemoryUser;
 
 class AuthenticatedVoterTest extends TestCase
 {
@@ -53,12 +55,27 @@ public function getVoteTests()
 
     protected function getToken($authenticated)
     {
+        $user = new InMemoryUser('wouter', '', ['ROLE_USER']);
+
         if ('fully' === $authenticated) {
-            return $this->createMock(TokenInterface::class);
-        } elseif ('remembered' === $authenticated) {
-            return $this->getMockBuilder(RememberMeToken::class)->setMethods(['setPersistent'])->disableOriginalConstructor()->getMock();
-        } elseif ('impersonated' === $authenticated) {
+            $token = new class() extends AbstractToken {
+                public function getCredentials()
+                {
+                }
+            };
+            $token->setUser($user);
+
+            return $token;
+        }
+
+        if ('remembered' === $authenticated) {
+            return new RememberMeToken($user, 'foo', 'bar');
+        }
+
+        if ('impersonated' === $authenticated) {
             return $this->getMockBuilder(SwitchUserToken::class)->disableOriginalConstructor()->getMock();
         }
+
+        return new NullToken();
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,6 @@`
`11`	`11`
`12`	`12`	`namespace Symfony\Component\Security\Core\Authentication;`
`13`	`13`
`14`		`-use Symfony\Component\Security\Core\Authentication\Token\NullToken;`
`15`	`14`	`use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;`
`16`	`15`	`use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;`
`17`	`16`
`@@ -24,30 +23,22 @@ class AuthenticationTrustResolver implements AuthenticationTrustResolverInterfac`
`24`	`23`	`{`
`25`	`24`	`public function isAuthenticated(TokenInterface $token = null): bool`
`26`	`25`	`{`
`27`		`- return null !== $token && !$token instanceof NullToken;`
	`26`	`+ return $token && $token->getUser();`
`28`	`27`	`}`
`29`	`28`
`30`	`29`	`/**`
`31`	`30`	`* {@inheritdoc}`
`32`	`31`	`*/`
`33`	`32`	`public function isRememberMe(TokenInterface $token = null)`
`34`	`33`	`{`
`35`		`- if (null === $token) {`
`36`		`- return false;`
`37`		`- }`
`38`		`-`
`39`		`- return $token instanceof RememberMeToken;`
	`34`	`+ return $token && $token instanceof RememberMeToken;`
`40`	`35`	`}`
`41`	`36`
`42`	`37`	`/**`
`43`	`38`	`* {@inheritdoc}`
`44`	`39`	`*/`
`45`	`40`	`public function isFullFledged(TokenInterface $token = null)`
`46`	`41`	`{`
`47`		`- if (null === $token \|\| $token instanceof NullToken) {`
`48`		`- return false;`
`49`		`- }`
`50`		`-`
`51`		`- return !$this->isRememberMe($token);`
	`42`	`+ return $this->isAuthenticated($token) && !$this->isRememberMe($token);`
`52`	`43`	`}`
`53`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ public function getRoleNames(): array`
`30`	`30`
`31`	`31`	`public function getUser()`
`32`	`32`	`{`
`33`		`- return '';`
	`33`	`+ return null;`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`public function setUser(UserInterface $user)`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ public function getRoleNames(): array;`
`40`	`40`	`/**`
`41`	`41`	`* Returns a user representation.`
`42`	`42`	`*`
`43`		`- * @return UserInterface`
	`43`	`+ * @return UserInterface\|null`
`44`	`44`	`*`
`45`	`45`	`* @see AbstractToken::setUser()`
`46`	`46`	`*/`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ class AuthorizationChecker implements AuthorizationCheckerInterface`
`32`	`32`
`33`	`33`	`public function __construct(TokenStorageInterface $tokenStorage, AccessDecisionManagerInterface $accessDecisionManager, bool $exceptionOnNoToken = false)`
`34`	`34`	`{`
`35`		`- if (false !== $exceptionOnNoToken) {`
	`35`	`+ if ($exceptionOnNoToken) {`
`36`	`36`	`throw new \LogicException('Argument $exceptionOnNoToken of "%s()" must be set to "false".', __METHOD__);`
`37`	`37`	`}`
`38`	`38`
`@@ -48,7 +48,11 @@ public function __construct(TokenStorageInterface $tokenStorage, AccessDecisionM`
`48`	`48`	`*/`
`49`	`49`	`final public function isGranted(mixed $attribute, mixed $subject = null): bool`
`50`	`50`	`{`
`51`		`- $token = $this->tokenStorage->getToken() ?? new NullToken();`
	`51`	`+ $token = $this->tokenStorage->getToken();`
	`52`	`+`
	`53`	`+ if (!$token \|\| !$token->getUser()) {`
	`54`	`+ $token = new NullToken();`
	`55`	`+ }`
`52`	`56`
`53`	`57`	`return $this->accessDecisionManager->decide($token, [$attribute], $subject);`
`54`	`58`	`}`