[Security/Core] Adds ImpersonatedUserTokenInterface to deal with cross-firewall impersonation #36674
Conversation
alterphp
changed the title
|
If I understand #36603 correctly, you could solve the whole problem by letting your |
My need is to add a specific role in order to inform the user she is under impersonation mode => display something visible enough to warn her. I don't understand I could achieve by comparing an AdminUser and a FrontUser for example. |
|
My understanding from reading #36603 was that adding the custom role led to the user being logged out because it was seen has having changed. So if that's the case you could prevent the user from being treated as changed by implementing |
|
Ok. Authentication prevents from same user change (affected roles have changed, it has been disabled, ...). It does not check if we move from one user to another user. |
|
I am sorry, but I do not understand what you mean with your last comment. |
|
Please don't use roles to check if impersonation is the case. The You should create your own voter and check for a specific token instance. See for instance the implementation of |
The additional role is not used for authentication nor authorization, only to detect impersonation at the view level. It is a bad use ? I'm just trying to move the constraint of strictly using @wouterj In a more simplier way, I'd like to use the existing AuthenticatedVoter (so removing ROLE_PREVIOUS_ADMIN and checking IS_IMPERSONATOR instead) but it strictly requires |
|
I've removed the part using former |
IMO the authenticator is supposed to check if the user has changed, but it is currently comparing user roles with token roles (as described in #35941). The problem is that if you if you create a |
| @@ -35,7 +35,7 @@ public function __construct($user, $credentials, string $providerKey, array $rol | |||
| $this->originalToken = $originalToken; | |||
| } | |||
|
|
|||
| public function getOriginalToken(): TokenInterface | |||
| public function getOriginalToken(): ?TokenInterface | |||
There was a problem hiding this comment.
I don't understand why getOriginalToken() should be able to return null. How would you end the impersonation if you don't know the original token that you need to switch back to?
There was a problem hiding this comment.
No need for switch back when impersonating in a different firewall. AdminUser is still logged as itself in the admin context, but also logged as impersonated user in the other firewall.
AFAIK it's impossible to access the original token (of admin context) from the front context. And I think it's useless in a cross-firewall context. Switching back is relevant in a single firewall context because authentication only handles one token at a time.
I want to check the impersonation status to display a warning, not to provide a switch back link.
There was a problem hiding this comment.
My point is that the SwitchUserListener relies on the SwitchUserToken to return the original token and not null here. As soon as we allow the original token to be null people will end up in situations where that's the case and thus break the built-in feature. We shouldn't make it easier than necessary to shoot yourself in the foot.
I would rather like to see two questions answered before considering introducing this interface: Do you really need two different firewalls? And if so, why is it an actual issue to store the original token?
There was a problem hiding this comment.
My point is that the
SwitchUserListenerrelies on theSwitchUserTokento return the original token and notnullhere. As soon as we allow the original token to benullpeople will end up in situations where that's the case and thus break the built-in feature. We shouldn't make it easier than necessary to shoot yourself in the foot.
IMO, SwitchUserListener should only handle existing SwitchUserToken case, not all impersonation cases. So maybe the interface would benefit being renamed to ImpersonatedTokenInterface.
Do you really need two different firewalls?
I think it's possible to merge my firewalls into one. But, from a security point of view, why providing security splitted firewalls if we need to merge them into one ? I prefer having one firewall per application context instead of relying on roles to split contexts access. IMO, roles are great for fine access definitions inside a context, not really for granting admin/extranet/front contexts.
And if so, why is it an actual issue to store the original token?
(AFAIK) It's not always possible, and a non-sense across multiple firewalls. Original token is only required for the "switch back" feature, because only one token may be taken in account in a single firewall. Within multiple firewalls context, each firewall handles its dedicated token.
There was a problem hiding this comment.
Anyway, thanks for your time trying to decrypt my need/intention ;-)
I think the check of different roles is intentional, but this should be confirmed by the core team. |
It could be intentional, but it's is a BC break, so that change should provide an upgrade path triggering a deprecation error. |
alterphp
changed the title
|
Re-reading the whole thread, I don't think this is something that should be part of core. Closing. Thanks for proposing. |
Basic
switch_userbrought by security (and documented in https://symfony.com/doc/current/security/impersonating_user.html) is very useful and works well when backoffice and front share the same firewall (exactly, same firewall context).If you don't want, or can't, make them share the same firewall, you have to implement your own switch user feature. And if you do, you cannot
add an additional role like ROLE_PREVIOUS_ADMINcheck IS_IMPERSONATOR with existing voter because it strictly requiresSwitchUserTokeninstance that has a mandatory$originalTokenproperty that is not suitable in a cross-firewall context..That's why I suggest using a new ImpersonatedUserTokenInterface that allows not to provide the original token.