[Security] Allow using expressions with the #[IsGranted] attribute

HypeMC · HypeMC · commit 91dff71b5cfe · 2022-08-01T10:33:27.000+02:00
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddExpressionLanguageProvidersPass.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddExpressionLanguageProvidersPass.php
@@ -36,6 +36,7 @@ public function process(ContainerBuilder $container)
 
         if (!$container->hasDefinition('cache.system')) {
             $container->removeDefinition('cache.security_expression_language');
+            $container->removeDefinition('cache.security_is_granted_attribute_expression_language');
         }
     }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -112,6 +112,7 @@ public function load(array $configs, ContainerBuilder $container)
         if (!$container::willBeAvailable('symfony/expression-language', ExpressionLanguage::class, ['symfony/security-bundle'])) {
             $container->removeDefinition('security.expression_language');
             $container->removeDefinition('security.access.expression_voter');
+            $container->removeDefinition('security.is_granted_attribute_expression_language');
         }
 
         // set some global scalars
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
@@ -18,6 +18,7 @@
 use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
 use Symfony\Bundle\SecurityBundle\Security\LazyFirewallContext;
 use Symfony\Bundle\SecurityBundle\Security\Security;
+use Symfony\Component\ExpressionLanguage\ExpressionLanguage as BaseExpressionLanguage;
 use Symfony\Component\Ldap\Security\LdapUserProvider;
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
@@ -275,7 +276,17 @@
             ->tag('kernel.cache_warmer')
 
         ->set('controller.is_granted_attribute_listener', IsGrantedAttributeListener::class)
-            ->args([service('security.authorization_checker')])
+            ->args([
+                service('security.authorization_checker'),
+                service('security.is_granted_attribute_expression_language')->nullOnInvalid(),
+            ])
             ->tag('kernel.event_subscriber')
+
+        ->set('security.is_granted_attribute_expression_language', BaseExpressionLanguage::class)
+            ->args([service('cache.security_is_granted_attribute_expression_language')->nullOnInvalid()])
+
+        ->set('cache.security_is_granted_attribute_expression_language')
+            ->parent('cache.system')
+            ->tag('cache.pool')
     ;
 };
diff --git a/src/Symfony/Component/Security/Http/Attribute/IsGranted.php b/src/Symfony/Component/Security/Http/Attribute/IsGranted.php
@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\Security\Http\Attribute;
 
+use Symfony\Component\ExpressionLanguage\Expression;
+
 /**
  * @author Ryan Weaver <ryan@knpuniversity.com>
  */
@@ -21,12 +23,12 @@ public function __construct(
         /**
          * Sets the first argument that will be passed to isGranted().
          */
-        public array|string|null $attributes = null,
+        public array|string|Expression|null $attributes = null,
 
         /**
          * Sets the second argument passed to isGranted().
          */
-        public array|string|null $subject = null,
+        public array|string|Expression|null $subject = null,
 
         /**
          * The message of the exception - has a nice default if not set.
diff --git a/src/Symfony/Component/Security/Http/CHANGELOG.md b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -9,6 +9,7 @@ CHANGELOG
  * Deprecate empty username or password when using when using `JsonLoginAuthenticator`
  * Set custom lifetime for login link
  * Add `$lifetime` parameter to `LoginLinkHandlerInterface::createLoginLink()`
+ * Allow using expressions as `#[IsGranted()]` attribute and subject
 
 6.0
 ---
diff --git a/src/Symfony/Component/Security/Http/EventListener/IsGrantedAttributeListener.php b/src/Symfony/Component/Security/Http/EventListener/IsGrantedAttributeListener.php
@@ -12,6 +12,8 @@
 namespace Symfony\Component\Security\Http\EventListener;
 
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\ExpressionLanguage\Expression;
+use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
 use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Symfony\Component\HttpKernel\KernelEvents;
@@ -28,7 +30,8 @@
 class IsGrantedAttributeListener implements EventSubscriberInterface
 {
     public function __construct(
-        private AuthorizationCheckerInterface $authChecker,
+        private readonly AuthorizationCheckerInterface $authChecker,
+        private ?ExpressionLanguage $expressionLanguage = null,
     ) {
     }
 
@@ -42,21 +45,15 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event)
         $arguments = $event->getNamedArguments();
 
         foreach ($attributes as $attribute) {
-            $subjectRef = $attribute->subject;
             $subject = null;
 
-            if ($subjectRef) {
+            if ($subjectRef = $attribute->subject) {
                 if (\is_array($subjectRef)) {
-                    foreach ($subjectRef as $ref) {
-                        if (!\array_key_exists($ref, $arguments)) {
-                            throw new RuntimeException(sprintf('Could not find the subject "%s" for the #[IsGranted] attribute. Try adding a "$%s" argument to your controller method.', $ref, $ref));
-                        }
-                        $subject[$ref] = $arguments[$ref];
+                    foreach ($subjectRef as $refKey => $ref) {
+                        $subject[\is_string($refKey) ? $refKey : (string) $ref] = $this->getIsGrantedSubject($ref, $arguments);
                     }
-                } elseif (!\array_key_exists($subjectRef, $arguments)) {
-                    throw new RuntimeException(sprintf('Could not find the subject "%s" for the #[IsGranted] attribute. Try adding a "$%s" argument to your controller method.', $subjectRef, $subjectRef));
                 } else {
-                    $subject = $arguments[$subjectRef];
+                    $subject = $this->getIsGrantedSubject($subjectRef, $arguments);
                 }
             }
 
@@ -81,13 +78,40 @@ public static function getSubscribedEvents(): array
         return [KernelEvents::CONTROLLER_ARGUMENTS => ['onKernelControllerArguments', 10]];
     }
 
+    private function getIsGrantedSubject(string|Expression $subjectRef, array $arguments): mixed
+    {
+        if ($subjectRef instanceof Expression) {
+            $this->expressionLanguage ??= new ExpressionLanguage();
+
+            return $this->expressionLanguage->evaluate($subjectRef, [
+                'args' => $arguments,
+            ]);
+        }
+
+        if (!\array_key_exists($subjectRef, $arguments)) {
+            throw new RuntimeException(sprintf('Could not find the subject "%s" for the #[IsGranted] attribute. Try adding a "$%s" argument to your controller method.', $subjectRef, $subjectRef));
+        }
+
+        return $arguments[$subjectRef];
+    }
+
     private function getIsGrantedString(IsGranted $isGranted): string
     {
-        $attributes = array_map(fn ($attribute) => '"'.$attribute.'"', (array) $isGranted->attributes);
+        $processValues = fn ($values) => array_map(
+            fn ($value) => sprintf($value instanceof Expression ? 'new Expression("%s")' : '"%s"', $value),
+            $values instanceof Expression ? [$values] : (array) $values
+        );
+
+        $attributes = $processValues($isGranted->attributes);
         $argsString = 1 === \count($attributes) ? reset($attributes) : '['.implode(', ', $attributes).']';
 
-        if (null !== $isGranted->subject) {
-            $argsString .= ', "'.implode('", "', (array) $isGranted->subject).'"';
+        if (null !== $subject = $isGranted->subject) {
+            $subject = $processValues($subject);
+            $subject = array_map(
+                fn ($key, $value) => \is_string($key) ? sprintf('"%s" => %s', $key, $value) : $value,
+                array_keys($subject), $subject
+            );
+            $argsString .= ', '.(1 === \count($subject) ? reset($subject) : '['.implode(', ', $subject).']');
         }
 
         return $argsString;
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/IsGrantedAttributeListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/IsGrantedAttributeListenerTest.php
@@ -12,11 +12,13 @@
 namespace Symfony\Component\Security\Http\Tests\EventListener;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\ExpressionLanguage\Expression;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Authorization\ExpressionLanguage;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Http\EventListener\IsGrantedAttributeListener;
 use Symfony\Component\Security\Http\Tests\Fixtures\IsGrantedAttributeController;
@@ -42,7 +44,7 @@ public function testAttribute()
         $listener = new IsGrantedAttributeListener($authChecker);
         $listener->onKernelControllerArguments($event);
 
-        $authChecker = $this->getMockBuilder(AuthorizationCheckerInterface::class)->getMock();
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
         $authChecker->expects($this->once())
             ->method('isGranted')
             ->willReturn(true);
@@ -61,7 +63,7 @@ public function testAttribute()
 
     public function testNothingHappensWithNoConfig()
     {
-        $authChecker = $this->getMockBuilder(AuthorizationCheckerInterface::class)->getMock();
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
         $authChecker->expects($this->never())
             ->method('isGranted');
 
@@ -79,7 +81,7 @@ public function testNothingHappensWithNoConfig()
 
     public function testIsGrantedCalledCorrectly()
     {
-        $authChecker = $this->getMockBuilder(AuthorizationCheckerInterface::class)->getMock();
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
         $authChecker->expects($this->once())
             ->method('isGranted')
             ->with('ROLE_ADMIN')
@@ -99,7 +101,7 @@ public function testIsGrantedCalledCorrectly()
 
     public function testIsGrantedSubjectFromArguments()
     {
-        $authChecker = $this->getMockBuilder(AuthorizationCheckerInterface::class)->getMock();
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
         $authChecker->expects($this->once())
             ->method('isGranted')
             // the subject => arg2name will eventually resolve to the 2nd argument, which has this value
@@ -146,7 +148,7 @@ public function testIsGrantedSubjectFromArgumentsWithArray()
 
     public function testIsGrantedNullSubjectFromArguments()
     {
-        $authChecker = $this->getMockBuilder(AuthorizationCheckerInterface::class)->getMock();
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
         $authChecker->expects($this->once())
             ->method('isGranted')
             ->with('ROLE_ADMIN', null)
@@ -166,7 +168,7 @@ public function testIsGrantedNullSubjectFromArguments()
 
     public function testIsGrantedArrayWithNullValueSubjectFromArguments()
     {
-        $authChecker = $this->getMockBuilder(AuthorizationCheckerInterface::class)->getMock();
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
         $authChecker->expects($this->once())
             ->method('isGranted')
             ->with('ROLE_ADMIN', [
@@ -191,7 +193,7 @@ public function testExceptionWhenMissingSubjectAttribute()
     {
         $this->expectException(\RuntimeException::class);
 
-        $authChecker = $this->getMockBuilder(AuthorizationCheckerInterface::class)->getMock();
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
 
         $event = new ControllerArgumentsEvent(
             $this->createMock(HttpKernelInterface::class),
@@ -208,20 +210,22 @@ public function testExceptionWhenMissingSubjectAttribute()
     /**
      * @dataProvider getAccessDeniedMessageTests
      */
-    public function testAccessDeniedMessages(array $attributes, ?string $subject, string $method, string $expectedMessage)
+    public function testAccessDeniedMessages(array $attributes, string|array|null $subject, string $method, string $expectedMessage)
     {
-        $authChecker = $this->getMockBuilder(AuthorizationCheckerInterface::class)->getMock();
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
         $authChecker->expects($this->any())
             ->method('isGranted')
             ->willReturn(false);
 
+        $expressionLanguage = $this->createMock(ExpressionLanguage::class);
+        $expressionLanguage->expects($this->any())
+            ->method('evaluate')
+            ->willReturn('bar');
+
         // avoid the error of the subject not being found in the request attributes
-        $arguments = [];
-        if (null !== $subject) {
-            $arguments[] = 'bar';
-        }
+        $arguments = array_fill(0, \count((array) $subject), 'bar');
 
-        $listener = new IsGrantedAttributeListener($authChecker);
+        $listener = new IsGrantedAttributeListener($authChecker, $expressionLanguage);
 
         $event = new ControllerArgumentsEvent(
             $this->createMock(HttpKernelInterface::class),
@@ -236,9 +240,9 @@ public function testAccessDeniedMessages(array $attributes, ?string $subject, st
             $this->fail();
         } catch (AccessDeniedException $e) {
             $this->assertSame($expectedMessage, $e->getMessage());
-            $this->assertSame($attributes, $e->getAttributes());
+            $this->assertEquals($attributes, $e->getAttributes());
             if (null !== $subject) {
-                $this->assertSame('bar', $e->getSubject());
+                $this->assertSame($subject, $e->getSubject());
             } else {
                 $this->assertNull($e->getSubject());
             }
@@ -249,7 +253,11 @@ public function getAccessDeniedMessageTests()
     {
         yield [['ROLE_ADMIN'], null, 'admin', 'Access Denied by #[IsGranted("ROLE_ADMIN")] on controller'];
         yield [['ROLE_ADMIN', 'ROLE_USER'], null, 'adminOrUser', 'Access Denied by #[IsGranted(["ROLE_ADMIN", "ROLE_USER"])] on controller'];
-        yield [['ROLE_ADMIN', 'ROLE_USER'], 'product', 'adminOrUserWithSubject', 'Access Denied by #[IsGranted(["ROLE_ADMIN", "ROLE_USER"], "product")] on controller'];
+        yield [['ROLE_ADMIN', 'ROLE_USER'], 'bar', 'adminOrUserWithSubject', 'Access Denied by #[IsGranted(["ROLE_ADMIN", "ROLE_USER"], "product")] on controller'];
+        yield [['ROLE_ADMIN'], ['arg1Name' => 'bar', 'arg2Name' => 'bar'], 'withSubjectArray', 'Access Denied by #[IsGranted("ROLE_ADMIN", ["arg1Name", "arg2Name"])] on controller'];
+        yield [[new Expression('"ROLE_ADMIN" in role_names or is_granted("POST_VIEW", subject)')], 'bar', 'withExpressionInAttribute', 'Access Denied by #[IsGranted(new Expression(""ROLE_ADMIN" in role_names or is_granted("POST_VIEW", subject)"), "post")] on controller'];
+        yield [[new Expression('user === subject')], 'bar', 'withExpressionInSubject', 'Access Denied by #[IsGranted(new Expression("user === subject"), new Expression("args["post"].getAuthor()"))] on controller'];
+        yield [[new Expression('user === subject["author"]')], ['author' => 'bar', 'alias' => 'bar'], 'withNestedExpressionInSubject', 'Access Denied by #[IsGranted(new Expression("user === subject["author"]"), ["author" => new Expression("args["post"].getAuthor()"), "alias" => "arg2Name"])] on controller'];
     }
 
     public function testNotFoundHttpException()
@@ -273,4 +281,80 @@ public function testNotFoundHttpException()
         $listener = new IsGrantedAttributeListener($authChecker);
         $listener->onKernelControllerArguments($event);
     }
+
+    public function testIsGrantedwithExpressionInAttribute()
+    {
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $authChecker->expects($this->once())
+            ->method('isGranted')
+            ->with(new Expression('"ROLE_ADMIN" in role_names or is_granted("POST_VIEW", subject)'), 'postVal')
+            ->willReturn(true);
+
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            [new IsGrantedAttributeMethodsController(), 'withExpressionInAttribute'],
+            ['postVal'],
+            new Request(),
+            null
+        );
+
+        $listener = new IsGrantedAttributeListener($authChecker);
+        $listener->onKernelControllerArguments($event);
+    }
+
+    public function testIsGrantedwithExpressionInSubject()
+    {
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $authChecker->expects($this->once())
+            ->method('isGranted')
+            ->with(new Expression('user === subject'), 'author')
+            ->willReturn(true);
+
+        $expressionLanguage = $this->createMock(ExpressionLanguage::class);
+        $expressionLanguage->expects($this->once())
+            ->method('evaluate')
+            ->with(new Expression('args["post"].getAuthor()'), [
+                'args' => ['post' => 'postVal'],
+            ])
+            ->willReturn('author');
+
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            [new IsGrantedAttributeMethodsController(), 'withExpressionInSubject'],
+            ['postVal'],
+            new Request(),
+            null
+        );
+
+        $listener = new IsGrantedAttributeListener($authChecker, $expressionLanguage);
+        $listener->onKernelControllerArguments($event);
+    }
+
+    public function testIsGrantedwithNestedExpressionInSubject()
+    {
+        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
+        $authChecker->expects($this->once())
+            ->method('isGranted')
+            ->with(new Expression('user === subject["author"]'), ['author' => 'author', 'alias' => 'arg2Val'])
+            ->willReturn(true);
+
+        $expressionLanguage = $this->createMock(ExpressionLanguage::class);
+        $expressionLanguage->expects($this->once())
+            ->method('evaluate')
+            ->with(new Expression('args["post"].getAuthor()'), [
+                'args' => ['post' => 'postVal', 'arg2Name' => 'arg2Val'],
+            ])
+            ->willReturn('author');
+
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            [new IsGrantedAttributeMethodsController(), 'withNestedExpressionInSubject'],
+            ['postVal', 'arg2Val'],
+            new Request(),
+            null
+        );
+
+        $listener = new IsGrantedAttributeListener($authChecker, $expressionLanguage);
+        $listener->onKernelControllerArguments($event);
+    }
 }
diff --git a/src/Symfony/Component/Security/Http/Tests/Fixtures/IsGrantedAttributeMethodsController.php b/src/Symfony/Component/Security/Http/Tests/Fixtures/IsGrantedAttributeMethodsController.php
diff --git a/src/Symfony/Component/Security/Http/composer.json b/src/Symfony/Component/Security/Http/composer.json

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ public function process(ContainerBuilder $container)`
`36`	`36`
`37`	`37`	`if (!$container->hasDefinition('cache.system')) {`
`38`	`38`	`$container->removeDefinition('cache.security_expression_language');`
	`39`	`+ $container->removeDefinition('cache.security_is_granted_attribute_expression_language');`
`39`	`40`	`}`
`40`	`41`	`}`
`41`	`42`	`}`
Original file line number	Diff line number	Diff line change
`@@ -112,6 +112,7 @@ public function load(array $configs, ContainerBuilder $container)`
`112`	`112`	`if (!$container::willBeAvailable('symfony/expression-language', ExpressionLanguage::class, ['symfony/security-bundle'])) {`
`113`	`113`	`$container->removeDefinition('security.expression_language');`
`114`	`114`	`$container->removeDefinition('security.access.expression_voter');`
	`115`	`+ $container->removeDefinition('security.is_granted_attribute_expression_language');`
`115`	`116`	`}`
`116`	`117`
`117`	`118`	`// set some global scalars`