minor #14670 [Security] TokenBasedRememberMeServices test to show why encoding username is required (MacDada)

fabpot · fabpot · commit b3d032613d74 · 2015-05-21T06:29:49.000+02:00
This PR was squashed before being merged into the 2.3 branch (closes #14670).

Discussion
----------

[Security] TokenBasedRememberMeServices test to show why encoding username is required

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #14577
| License       | MIT
| Doc PR        | no

241538d shows that it's not actually tested, 257b796 reimplements it with test.

I can remove the POC commit if it's not needed.

Commits
-------

63a9736 [Security] TokenBasedRememberMeServices test to show why encoding username is required
diff --git a/Http/RememberMe/TokenBasedRememberMeServices.php b/Http/RememberMe/TokenBasedRememberMeServices.php
@@ -123,6 +123,8 @@ protected function onLoginSuccess(Request $request, Response $response, TokenInt
      */
     protected function generateCookieValue($class, $username, $expires, $password)
     {
+        // $username is encoded because it might contain COOKIE_DELIMITER,
+        // we assume other values don't
         return $this->encodeCookie(array(
             $class,
             base64_encode($username),
diff --git a/Tests/Http/RememberMe/TokenBasedRememberMeServicesTest.php b/Tests/Http/RememberMe/TokenBasedRememberMeServicesTest.php
@@ -105,7 +105,12 @@ public function testAutoLoginDoesNotAcceptAnExpiredCookie()
         $this->assertTrue($request->attributes->get(RememberMeServicesInterface::COOKIE_ATTR_NAME)->isCleared());
     }
 
-    public function testAutoLogin()
+    /**
+     * @dataProvider provideUsernamesForAutoLogin
+     *
+     * @param string $username
+     */
+    public function testAutoLogin($username)
     {
         $user = $this->getMock('Symfony\Component\Security\Core\User\UserInterface');
         $user
@@ -123,13 +128,13 @@ public function testAutoLogin()
         $userProvider
             ->expects($this->once())
             ->method('loadUserByUsername')
-            ->with($this->equalTo('foouser'))
+            ->with($this->equalTo($username))
             ->will($this->returnValue($user))
         ;
 
         $service = $this->getService($userProvider, array('name' => 'foo', 'always_remember_me' => true, 'lifetime' => 3600));
         $request = new Request();
-        $request->cookies->set('foo', $this->getCookie('fooclass', 'foouser', time() + 3600, 'foopass'));
+        $request->cookies->set('foo', $this->getCookie('fooclass', $username, time() + 3600, 'foopass'));
 
         $returnedToken = $service->autoLogin($request);
 
@@ -138,6 +143,14 @@ public function testAutoLogin()
         $this->assertEquals('fookey', $returnedToken->getKey());
     }
 
+    public function provideUsernamesForAutoLogin()
+    {
+        return array(
+            array('foouser', 'Simple username'),
+            array('foo'.TokenBasedRememberMeServices::COOKIE_DELIMITER.'user', 'Username might contain the delimiter'),
+        );
+    }
+
     public function testLogout()
     {
         $service = $this->getService(null, array('name' => 'foo', 'path' => null, 'domain' => null));

Original file line number	Diff line number	Diff line change
`@@ -123,6 +123,8 @@ protected function onLoginSuccess(Request $request, Response $response, TokenInt`
`123`	`123`	`*/`
`124`	`124`	`protected function generateCookieValue($class, $username, $expires, $password)`
`125`	`125`	`{`
	`126`	`+ // $username is encoded because it might contain COOKIE_DELIMITER,`
	`127`	`+ // we assume other values don't`
`126`	`128`	`return $this->encodeCookie(array(`
`127`	`129`	`$class,`
`128`	`130`	`base64_encode($username),`