[Security] Handle placeholders in role hierarchy

squrious · squrious · commit ae44f5081d97 · 2023-10-17T11:29:11.000+02:00
diff --git a/src/Symfony/Component/Security/Core/CHANGELOG.md b/src/Symfony/Component/Security/Core/CHANGELOG.md
@@ -4,6 +4,7 @@ CHANGELOG
 6.4
 ---
 
+ * Allow using wildcards as placeholders in `RoleHierarchy` map's keys
  * Make `PersistentToken` immutable
  * Deprecate accepting only `DateTime` for `TokenProviderInterface::updateToken()`, use `DateTimeInterface` instead
 
diff --git a/src/Symfony/Component/Security/Core/Role/RoleHierarchy.php b/src/Symfony/Component/Security/Core/Role/RoleHierarchy.php
@@ -19,6 +19,14 @@
 class RoleHierarchy implements RoleHierarchyInterface
 {
     private array $hierarchy;
+
+    /**
+     * Map role placeholders with their regex pattern.
+     *
+     * @var array<string,string>
+     */
+    private array $rolePlaceholdersPatterns;
+
     /** @var array<string, list<string>> */
     protected $map;
 
@@ -34,19 +42,7 @@ public function __construct(array $hierarchy)
 
     public function getReachableRoleNames(array $roles): array
     {
-        $reachableRoles = $roles;
-
-        foreach ($roles as $role) {
-            if (!isset($this->map[$role])) {
-                continue;
-            }
-
-            foreach ($this->map[$role] as $r) {
-                $reachableRoles[] = $r;
-            }
-        }
-
-        return array_values(array_unique($reachableRoles));
+        return $this->resolveReachableRoleNames($roles);
     }
 
     /**
@@ -55,6 +51,8 @@ public function getReachableRoleNames(array $roles): array
     protected function buildRoleMap()
     {
         $this->map = [];
+        $this->rolePlaceholdersPatterns = [];
+
         foreach ($this->hierarchy as $main => $roles) {
             $this->map[$main] = $roles;
             $visited = [];
@@ -76,6 +74,49 @@ protected function buildRoleMap()
             }
 
             $this->map[$main] = array_unique($this->map[$main]);
+
+            if (str_contains($main, '*')) {
+                $this->rolePlaceholdersPatterns[$main] = sprintf('/%s/', strtr($main, ['*' => '[^\*]+']));
+            }
         }
     }
+
+    private function resolveReachableRoleNames(array $roles, array &$visitedPlaceholders = []): array
+    {
+        $reachableRoles = $roles;
+
+        foreach ($roles as $role) {
+            if (!isset($this->map[$role])) {
+                continue;
+            }
+
+            foreach ($this->map[$role] as $r) {
+                $reachableRoles[] = $r;
+            }
+        }
+
+        $placeholderRoles = array_diff($this->getMatchingPlaceholders($reachableRoles), $visitedPlaceholders);
+        if (!empty($placeholderRoles)) {
+            array_push($visitedPlaceholders, ...$placeholderRoles);
+            $resolvedPlaceholderRoles = $this->resolveReachableRoleNames($placeholderRoles, $visitedPlaceholders);
+            foreach (array_diff($resolvedPlaceholderRoles, $placeholderRoles) as $r) {
+                $reachableRoles[] = $r;
+            }
+        }
+
+        return array_values(array_unique($reachableRoles));
+    }
+
+    private function getMatchingPlaceholders(array $roles): array
+    {
+        $resolved = [];
+
+        foreach ($this->rolePlaceholdersPatterns as $placeholder => $pattern) {
+            if (!\in_array($placeholder, $resolved) && \count(preg_grep($pattern, $roles) ?? null)) {
+                $resolved[] = $placeholder;
+            }
+        }
+
+        return $resolved;
+    }
 }
diff --git a/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/RoleHierarchyVoterTest.php b/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/RoleHierarchyVoterTest.php
@@ -22,7 +22,11 @@ class RoleHierarchyVoterTest extends RoleVoterTest
      */
     public function testVoteUsingTokenThatReturnsRoleNames($roles, $attributes, $expected)
     {
-        $voter = new RoleHierarchyVoter(new RoleHierarchy(['ROLE_FOO' => ['ROLE_FOOBAR']]));
+        $voter = new RoleHierarchyVoter(new RoleHierarchy([
+            'ROLE_FOO' => ['ROLE_FOOBAR'],
+            'ROLE_FOO_*' => ['ROLE_BAR_A', 'ROLE_FOO'],
+            'ROLE_BAR_*' => ['ROLE_BAZ'],
+        ]));
 
         $this->assertSame($expected, $voter->vote($this->getTokenWithRoleNames($roles), null, $attributes));
     }
@@ -31,6 +35,9 @@ public static function getVoteTests()
     {
         return array_merge(parent::getVoteTests(), [
             [['ROLE_FOO'], ['ROLE_FOOBAR'], VoterInterface::ACCESS_GRANTED],
+            [['ROLE_FOO_A'], ['ROLE_BAR_A'], VoterInterface::ACCESS_GRANTED], // ROLE_FOO_A => ROLE_FOO_* => ROLE_BAR_A
+            [['ROLE_FOO_A'], ['ROLE_FOOBAR'], VoterInterface::ACCESS_GRANTED], // ROLE_FOO_A => ROLE_FOO_* => ROLE_FOO => ROLE_FOOBAR
+            [['ROLE_FOO_A'], ['ROLE_BAZ'], VoterInterface::ACCESS_GRANTED], // ROLE_FOO_A => ROLE_FOO_* => ROLE_BAR_A => ROLE_BAR_* => ROLE_BAZ
         ]);
     }
 
diff --git a/src/Symfony/Component/Security/Core/Tests/Role/RoleHierarchyTest.php b/src/Symfony/Component/Security/Core/Tests/Role/RoleHierarchyTest.php
@@ -30,4 +30,44 @@ public function testGetReachableRoleNames()
         $this->assertEquals(['ROLE_SUPER_ADMIN', 'ROLE_ADMIN', 'ROLE_FOO', 'ROLE_USER'], $role->getReachableRoleNames(['ROLE_SUPER_ADMIN']));
         $this->assertEquals(['ROLE_SUPER_ADMIN', 'ROLE_ADMIN', 'ROLE_FOO', 'ROLE_USER'], $role->getReachableRoleNames(['ROLE_SUPER_ADMIN', 'ROLE_SUPER_ADMIN']));
     }
+
+    public function testGetReachableRoleNamesWithPlaceholders()
+    {
+        $role = new RoleHierarchy([
+            'ROLE_BAZ_*' => ['ROLE_USER'],
+            'ROLE_FOO_*' => ['ROLE_BAZ_FOO'],
+            'ROLE_BAR_*' => ['ROLE_BAZ_BAR'],
+        ]);
+
+        $this->assertEquals(['ROLE_BAZ_A', 'ROLE_USER'], $role->getReachableRoleNames(['ROLE_BAZ_A']));
+        $this->assertEquals(['ROLE_FOO_A', 'ROLE_BAZ_FOO', 'ROLE_USER'], $role->getReachableRoleNames(['ROLE_FOO_A']));
+
+        // Multiple roles matching the same placeholder
+        $this->assertEquals(['ROLE_FOO_A', 'ROLE_FOO_B', 'ROLE_BAZ_FOO', 'ROLE_USER'], $role->getReachableRoleNames(['ROLE_FOO_A', 'ROLE_FOO_B']));
+
+        // Multiple roles matching multiple placeholders
+        $this->assertEquals(['ROLE_FOO_A', 'ROLE_BAR_A', 'ROLE_BAZ_FOO', 'ROLE_BAZ_BAR', 'ROLE_USER'], $role->getReachableRoleNames(['ROLE_FOO_A', 'ROLE_BAR_A']));
+    }
+
+    public function testGetReachableRoleNamesWithRecursivePlaceholders()
+    {
+        $role = new RoleHierarchy([
+            'ROLE_FOO_*' => ['ROLE_BAR_BAZ'],
+            'ROLE_BAR_*' => ['ROLE_FOO_BAZ'],
+            'ROLE_QUX_*' => ['ROLE_QUX_BAZ'],
+        ]);
+
+        // ROLE_FOO_* expanded once
+        $this->assertEquals(['ROLE_FOO_A', 'ROLE_BAR_BAZ', 'ROLE_FOO_BAZ'], $role->getReachableRoleNames(['ROLE_FOO_A']));
+
+        // ROLE_FOO_* expanded once even with multiple ROLE_FOO_* input roles
+        $this->assertEquals(['ROLE_FOO_A', 'ROLE_FOO_B', 'ROLE_BAR_BAZ', 'ROLE_FOO_BAZ'], $role->getReachableRoleNames(['ROLE_FOO_A', 'ROLE_FOO_B']));
+
+        // ROLE_BAR_* expanded once with ROLE_FOO_A => ROLE_FOO_* => ROLE_BAR_BAZ => ROLE_BAR_* => ROLE_FOO_BAZ
+        $this->assertEquals(['ROLE_FOO_A', 'ROLE_BAR_A', 'ROLE_BAR_BAZ', 'ROLE_FOO_BAZ'], $role->getReachableRoleNames(['ROLE_FOO_A', 'ROLE_BAR_A']));
+
+        // Self matching placeholder
+        $this->assertEquals(['ROLE_QUX_A', 'ROLE_QUX_BAZ'], $role->getReachableRoleNames(['ROLE_QUX_A']));
+        $this->assertEquals(['ROLE_QUX_BAZ'], $role->getReachableRoleNames(['ROLE_QUX_BAZ']));
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,11 @@ class RoleHierarchyVoterTest extends RoleVoterTest`
`22`	`22`	`*/`
`23`	`23`	`public function testVoteUsingTokenThatReturnsRoleNames($roles, $attributes, $expected)`
`24`	`24`	`{`
`25`		`- $voter = new RoleHierarchyVoter(new RoleHierarchy(['ROLE_FOO' => ['ROLE_FOOBAR']]));`
	`25`	`+ $voter = new RoleHierarchyVoter(new RoleHierarchy([`
	`26`	`+ 'ROLE_FOO' => ['ROLE_FOOBAR'],`
	`27`	`+ 'ROLE_FOO_*' => ['ROLE_BAR_A', 'ROLE_FOO'],`
	`28`	`+ 'ROLE_BAR_*' => ['ROLE_BAZ'],`
	`29`	`+ ]));`
`26`	`30`
`27`	`31`	`$this->assertSame($expected, $voter->vote($this->getTokenWithRoleNames($roles), null, $attributes));`
`28`	`32`	`}`
`@@ -31,6 +35,9 @@ public static function getVoteTests()`
`31`	`35`	`{`
`32`	`36`	`return array_merge(parent::getVoteTests(), [`
`33`	`37`	`[['ROLE_FOO'], ['ROLE_FOOBAR'], VoterInterface::ACCESS_GRANTED],`
	`38`	`+ [['ROLE_FOO_A'], ['ROLE_BAR_A'], VoterInterface::ACCESS_GRANTED], // ROLE_FOO_A => ROLE_FOO_* => ROLE_BAR_A`
	`39`	`+ [['ROLE_FOO_A'], ['ROLE_FOOBAR'], VoterInterface::ACCESS_GRANTED], // ROLE_FOO_A => ROLE_FOO_* => ROLE_FOO => ROLE_FOOBAR`
	`40`	`+ [['ROLE_FOO_A'], ['ROLE_BAZ'], VoterInterface::ACCESS_GRANTED], // ROLE_FOO_A => ROLE_FOO_* => ROLE_BAR_A => ROLE_BAR_* => ROLE_BAZ`
`34`	`41`	`]);`
`35`	`42`	`}`
`36`	`43`