[Security] Allow custom user identifier for X509 authenticator

Spomky · fabpot · commit 9624fb576d72 · 2022-12-18T10:58:44.000+01:00
diff --git a/Authenticator/X509Authenticator.php b/Authenticator/X509Authenticator.php
@@ -30,13 +30,15 @@ class X509Authenticator extends AbstractPreAuthenticatedAuthenticator
 {
     private string $userKey;
     private string $credentialsKey;
+    private string $credentialUserIdentifier;
 
-    public function __construct(UserProviderInterface $userProvider, TokenStorageInterface $tokenStorage, string $firewallName, string $userKey = 'SSL_CLIENT_S_DN_Email', string $credentialsKey = 'SSL_CLIENT_S_DN', LoggerInterface $logger = null)
+    public function __construct(UserProviderInterface $userProvider, TokenStorageInterface $tokenStorage, string $firewallName, string $userKey = 'SSL_CLIENT_S_DN_Email', string $credentialsKey = 'SSL_CLIENT_S_DN', LoggerInterface $logger = null, string $credentialUserIdentifier = 'emailAddress')
     {
         parent::__construct($userProvider, $tokenStorage, $firewallName, $logger);
 
         $this->userKey = $userKey;
         $this->credentialsKey = $credentialsKey;
+        $this->credentialUserIdentifier = $credentialUserIdentifier;
     }
 
     protected function extractUsername(Request $request): string
@@ -46,13 +48,13 @@ protected function extractUsername(Request $request): string
             $username = $request->server->get($this->userKey);
         } elseif (
             $request->server->has($this->credentialsKey)
-            && preg_match('#emailAddress=([^,/@]++@[^,/]++)#', $request->server->get($this->credentialsKey), $matches)
+            && preg_match('#'.preg_quote($this->credentialUserIdentifier, '#').'=([^,/]++)#', $request->server->get($this->credentialsKey), $matches)
         ) {
-            $username = $matches[1];
+            $username = trim($matches[1]);
         }
 
         if (null === $username) {
-            throw new BadCredentialsException(sprintf('SSL credentials not found: %s, %s', $this->userKey, $this->credentialsKey));
+            throw new BadCredentialsException(sprintf('SSL credentials not found: "%s", "%s".', $this->userKey, $this->credentialsKey));
         }
 
         return $username;
diff --git a/Tests/Authenticator/X509AuthenticatorTest.php b/Tests/Authenticator/X509AuthenticatorTest.php
@@ -120,6 +120,35 @@ public function testAuthenticationCustomCredentialsKey()
         $this->assertEquals('cert@example.com', $passport->getUser()->getUserIdentifier());
     }
 
+    /**
+     * @dataProvider provideServerVarsUserIdentifier
+     */
+    public function testAuthenticationCustomCredentialsUserIdentifier($username, $credentials)
+    {
+        $authenticator = new X509Authenticator($this->userProvider, new TokenStorage(), 'main', 'SSL_CLIENT_S_DN_Email', 'SSL_CLIENT_S_DN', null, 'CN');
+
+        $request = $this->createRequest([
+            'SSL_CLIENT_S_DN' => $credentials,
+        ]);
+        $this->assertTrue($authenticator->supports($request));
+
+        $this->userProvider->createUser(new InMemoryUser($username, null));
+
+        $passport = $authenticator->authenticate($request);
+        $this->assertEquals($username, $passport->getUser()->getUserIdentifier());
+    }
+
+    public static function provideServerVarsUserIdentifier()
+    {
+        yield ['Sample certificate DN', 'CN=Sample certificate DN/emailAddress=cert@example.com'];
+        yield ['Sample certificate DN', 'CN=Sample certificate DN/emailAddress=cert+something@example.com'];
+        yield ['Sample certificate DN', 'CN=Sample certificate DN,emailAddress=cert@example.com'];
+        yield ['Sample certificate DN', 'CN=Sample certificate DN,emailAddress=cert+something@example.com'];
+        yield ['Sample certificate DN', 'emailAddress=cert+something@example.com,CN=Sample certificate DN'];
+        yield ['Firstname.Lastname', 'emailAddress=firstname.lastname@mycompany.co.uk,CN=Firstname.Lastname,OU=london,OU=company design and engineering,OU=Issuer London,OU=Roaming,OU=Interactive,OU=Users,OU=Standard,OU=Business,DC=england,DC=core,DC=company,DC=co,DC=uk'];
+        yield ['user1', 'C=FR, O=My Organization, CN=user1, emailAddress=user1@myorg.fr'];
+    }
+
     private function createRequest(array $server)
     {
         return new Request([], [], [], [], [], $server);

Original file line number	Diff line number	Diff line change
`@@ -30,13 +30,15 @@ class X509Authenticator extends AbstractPreAuthenticatedAuthenticator`
`30`	`30`	`{`
`31`	`31`	`private string $userKey;`
`32`	`32`	`private string $credentialsKey;`
	`33`	`+ private string $credentialUserIdentifier;`
`33`	`34`
`34`		`- public function __construct(UserProviderInterface $userProvider, TokenStorageInterface $tokenStorage, string $firewallName, string $userKey = 'SSL_CLIENT_S_DN_Email', string $credentialsKey = 'SSL_CLIENT_S_DN', LoggerInterface $logger = null)`
	`35`	`+ public function __construct(UserProviderInterface $userProvider, TokenStorageInterface $tokenStorage, string $firewallName, string $userKey = 'SSL_CLIENT_S_DN_Email', string $credentialsKey = 'SSL_CLIENT_S_DN', LoggerInterface $logger = null, string $credentialUserIdentifier = 'emailAddress')`
`35`	`36`	`{`
`36`	`37`	`parent::__construct($userProvider, $tokenStorage, $firewallName, $logger);`
`37`	`38`
`38`	`39`	`$this->userKey = $userKey;`
`39`	`40`	`$this->credentialsKey = $credentialsKey;`
	`41`	`+ $this->credentialUserIdentifier = $credentialUserIdentifier;`
`40`	`42`	`}`
`41`	`43`
`42`	`44`	`protected function extractUsername(Request $request): string`
`@@ -46,13 +48,13 @@ protected function extractUsername(Request $request): string`
`46`	`48`	`$username = $request->server->get($this->userKey);`
`47`	`49`	`} elseif (`
`48`	`50`	`$request->server->has($this->credentialsKey)`
`49`		`- && preg_match('#emailAddress=([^,/@]++@[^,/]++)#', $request->server->get($this->credentialsKey), $matches)`
	`51`	`+ && preg_match('#'.preg_quote($this->credentialUserIdentifier, '#').'=([^,/]++)#', $request->server->get($this->credentialsKey), $matches)`
`50`	`52`	`) {`
`51`		`- $username = $matches[1];`
	`53`	`+ $username = trim($matches[1]);`
`52`	`54`	`}`
`53`	`55`
`54`	`56`	`if (null === $username) {`
`55`		`- throw new BadCredentialsException(sprintf('SSL credentials not found: %s, %s', $this->userKey, $this->credentialsKey));`
	`57`	`+ throw new BadCredentialsException(sprintf('SSL credentials not found: "%s", "%s".', $this->userKey, $this->credentialsKey));`
`56`	`58`	`}`
`57`	`59`
`58`	`60`	`return $username;`