bug #8997 [Security] Fixed problem with losing ROLE_PREVIOUS_ADMIN role. (pawaclawczyk)

This PR was squashed before being merged into the 2.3 branch (closes #8997).

Discussion
----------

[Security] Fixed problem with losing ROLE_PREVIOUS_ADMIN role.

<table>
  <tr>
    <td><b>Q</b></td>
    <td><b>A</b></td>
  </tr>
  <tr>
    <td>Bug fix?</td>
    <td>yes</td>
  </tr>
  <tr>
    <td>New feature</td>
    <td>no</td>
  </tr>
  <tr>
    <td>BC breaks?</td>
    <td>no</td>
  </tr>
  <tr>
    <td>Deprecations?</td>
    <td>no</td>
  </tr>
  <tr>
    <td>Tests pass?</td>
    <td>yes</td>
  </tr>
  <tr>
    <td>Fixed tickets</td>
    <td>#3085, #8974</td>
  </tr>
  <tr>
    <td>License</td>
    <td>MIT</td>
  </tr>
  <tr>
    <td>Doc PR</td>
    <td>n/a</td>
  </tr>
</table>

Problem occurs while user is impersonated. Authentication process generates new token and doeas not preserve role ```ROLE_PREVIOUS_ADMIN```. Ex. when parameter ```security.always_authenticate_before_granting``` is enabled.

Commits
-------

a7baa3b [Security] Fixed problem with losing ROLE_PREVIOUS_ADMIN role.

Author: fabpot

Authentication/Provider/UserAuthenticationProvider.php

@@ -19,6 +19,7 @@
 use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Role\SwitchUserRole;
 
 /**
  * UserProviderInterface retrieves users for UsernamePasswordToken tokens.
@@ -92,7 +93,7 @@ public function authenticate(TokenInterface $token)
             throw $e;
         }
 
-        $authenticatedToken = new UsernamePasswordToken($user, $token->getCredentials(), $this->providerKey, $user->getRoles());
+        $authenticatedToken = new UsernamePasswordToken($user, $token->getCredentials(), $this->providerKey, $this->getRoles($user, $token));
         $authenticatedToken->setAttributes($token->getAttributes());
 
         return $authenticatedToken;
@@ -106,6 +107,29 @@ public function supports(TokenInterface $token)
         return $token instanceof UsernamePasswordToken && $this->providerKey === $token->getProviderKey();
     }
 
+    /**
+     * Retrieves roles from user and appends SwitchUserRole if original token contained one.
+     *
+     * @param UserInterface  $user  The user
+     * @param TokenInterface $token The token
+     *
+     * @return Role[] The user roles
+     */
+    private function getRoles(UserInterface $user, TokenInterface $token)
+    {
+        $roles = $user->getRoles();
+
+        foreach ($token->getRoles() as $role) {
+            if ($role instanceof SwitchUserRole) {
+                $roles[] = $role;
+
+                break;
+            }
+        }
+
+        return $roles;
+    }
+
     /**
      * Retrieves the user from an implementation-specific location.
      *