[FrameworkBundle][Workflow] Add a way to register a guard expression in the configuration

lyrixx · lyrixx · commit dadae1cc33ee · 2017-03-08T20:54:59.000+01:00
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -333,6 +333,11 @@ private function addWorkflowSection(ArrayNodeDefinition $rootNode)
                                             ->isRequired()
                                             ->cannotBeEmpty()
                                         ->end()
+                                        ->scalarNode('guard')
+                                            ->cannotBeEmpty()
+                                            ->info('An expression to block the transition')
+                                            ->example('is_fully_authenticated() and has_role(\'ROLE_JOURNALIST\') and subject.getTitle() == \'My first article\'')
+                                        ->end()
                                         ->arrayNode('from')
                                             ->beforeNormalization()
                                                 ->ifString()
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -487,6 +487,30 @@ private function registerWorkflowConfiguration(array $workflows, ContainerBuilde
             } elseif (isset($workflow['support_strategy'])) {
                 $registryDefinition->addMethodCall('add', array(new Reference($workflowId), new Reference($workflow['support_strategy'])));
             }
+
+            // Add Guard Listener
+            $guard = new Definition(Workflow\EventListener\GuardListener::class);
+            $configuration = [];
+            foreach ($workflow['transitions'] as $transitionName => $config) {
+                if (!isset($config['guard'])) {
+                    continue;
+                }
+                $eventName = sprintf('workflow.%s.guard.%s', $name, $transitionName);
+                $guard->addTag('kernel.event_listener', array('event' => $eventName, 'method' => 'onTransition'));
+                $configuration[$eventName] = $config['guard'];
+            }
+            if ($configuration) {
+                $guard->setArguments(array(
+                    $configuration,
+                    new Reference('workflow.security.expression_language'),
+                    new Reference('security.token_storage'),
+                    new Reference('security.authorization_checker'),
+                    new Reference('security.authentication.trust_resolver'),
+                    new Reference('security.role_hierarchy'),
+                ));
+
+                $container->setDefinition(sprintf('%s.listener.guard', $workflowId), $guard);
+            }
         }
     }
 
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/workflow.xml b/src/Symfony/Bundle/FrameworkBundle/Resources/config/workflow.xml
@@ -27,5 +27,7 @@
             <argument type="service" id="workflow.registry" />
             <tag name="twig.extension" />
         </service>
+
+        <service id="workflow.security.expression_language" class="Symfony\Component\Workflow\EventListener\ExpressionLanguage" public="false" />
     </services>
 </container>
diff --git a/src/Symfony/Component/Workflow/EventListener/ExpressionLanguage.php b/src/Symfony/Component/Workflow/EventListener/ExpressionLanguage.php
@@ -0,0 +1,33 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Workflow\EventListener;
+
+use Symfony\Component\Security\Core\Authorization\ExpressionLanguage as BaseExpressionLanguage;
+
+/**
+ * Adds some function to the default Symfony Security ExpressionLanguage.
+ *
+ * @author Fabien Potencier <fabien@symfony.com>
+ */
+class ExpressionLanguage extends BaseExpressionLanguage
+{
+    protected function registerFunctions()
+    {
+        parent::registerFunctions();
+
+        $this->register('is_granted', function ($attributes, $object = 'null') {
+            return sprintf('$auth_checker->isGranted(%s, %s)', $attributes, $object);
+        }, function (array $variables, $attributes, $object = null) {
+            return $variables['auth_checker']->isGranted($attributes, $object);
+        });
+    }
+}
diff --git a/src/Symfony/Component/Workflow/EventListener/GuardListener.php b/src/Symfony/Component/Workflow/EventListener/GuardListener.php
@@ -0,0 +1,80 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Workflow\EventListener;
+
+use Symfony\Component\ExpressionLanguage\Expression;
+use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
+use Symfony\Component\Workflow\Event\GuardEvent;
+
+/**
+ * @author Grégoire Pineau <lyrixx@lyrixx.info>
+ */
+class GuardListener
+{
+    private $configuration;
+    private $expressionLanguage;
+    private $tokenStorage;
+    private $authenticationChecker;
+    private $trustResolver;
+    private $roleHierarchy;
+
+    public function __construct($configuration, ExpressionLanguage $expressionLanguage, TokenStorageInterface $tokenStorage, AuthorizationCheckerInterface $authenticationChecker, AuthenticationTrustResolverInterface $trustResolver, RoleHierarchyInterface $roleHierarchy = null)
+    {
+        $this->configuration = $configuration;
+        $this->expressionLanguage = $expressionLanguage;
+        $this->tokenStorage = $tokenStorage;
+        $this->authenticationChecker = $authenticationChecker;
+        $this->trustResolver = $trustResolver;
+        $this->roleHierarchy = $roleHierarchy;
+    }
+
+    public function onTransition(GuardEvent $event, $eventName)
+    {
+        if (!isset($this->configuration[$eventName])) {
+            return;
+        }
+
+        if (!$this->expressionLanguage->evaluate($this->configuration[$eventName], $this->getVariables($event))) {
+            $event->setBlocked(true);
+        }
+    }
+
+    // code should be sync with Symfony\Component\Security\Core\Authorization\Voter\ExpressionVoter
+    private function getVariables(GuardEvent $event)
+    {
+        $token = $this->tokenStorage->getToken();
+
+        if (null !== $this->roleHierarchy) {
+            $roles = $this->roleHierarchy->getReachableRoles($token->getRoles());
+        } else {
+            $roles = $token->getRoles();
+        }
+
+        $variables = array(
+            'token' => $token,
+            'user' => $token->getUser(),
+            'subject' => $event->getSubject(),
+            'roles' => array_map(function ($role) {
+                return $role->getRole();
+            }, $roles),
+            // needed for the is_granted expression function
+            'auth_checker' => $this->authenticationChecker,
+            // needed for the is_* expression function
+            'trust_resolver' => $this->trustResolver,
+        );
+
+        return $variables;
+    }
+}
