
[Security][SecurityBundle] Implement ADM strategies as dedicated classes #42177


Merged
merged 1 commit into from
Oct 29, 2021
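--- a/UPGRADE-5.4.md
+++ b/UPGRADE-5.4.md
@@ -159,3 +159,6 @@ Security
 }
 }
 ```
+* Deprecate passing the strategy as string to `AccessDecisionManager`,
+pass an instance of `AccessDecisionStrategyInterface` instead
+* Flag `AccessDecisionManager` as `@final`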
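--- a/UPGRADE-6.0.md
+++ b/UPGRADE-6.0.md
@@ -394,6 +394,8 @@ Security
 }
 }
 ```
+* `AccessDecisionManager` does not accept strings as strategy anymore,
+pass an instance of `AccessDecisionStrategyInterface` instead
 
 SecurityBundle
 --------------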
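--- a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
+++ b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -16,6 +16,7 @@ CHANGELOG
 factories instead.
 * Deprecate the `always_authenticate_before_granting` option
 * Display the roles of the logged-in user in the Web Debug Toolbar
+* Add the `security.access_decision_manager.strategy_service` option
 
 5.3
 ---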
Expand Up @@ -18,7 +18,6 @@
use Symfony\Component\Config\Definition\Builder\TreeBuilder;
use Symfony\Component\Config\Definition\ConfigurationInterface;
use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
use Symfony\Component\Security\Http\Event\LogoutEvent;
use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
Expand All @@ -30,6 +29,15 @@
*/
class MainConfiguration implements ConfigurationInterface
{
/** @internal */
public const STRATEGY_AFFIRMATIVE = 'affirmative';
/** @internal */
public const STRATEGY_CONSENSUS = 'consensus';
/** @internal */
public const STRATEGY_UNANIMOUS = 'unanimous';
/** @internal */
public const STRATEGY_PRIORITY = 'priority';

private $factories;
private $userProviderFactories;

Expand Down Expand Up @@ -65,14 +73,18 @@ public function getConfigTreeBuilder()
return true;
}

if (!isset($v['access_decision_manager']['strategy']) && !isset($v['access_decision_manager']['service'])) {
if (!isset($v['access_decision_manager']['strategy'])
&& !isset($v['access_decision_manager']['service'])
&& !isset($v['access_decision_manager']['strategy_service'])
&& !isset($v['access_decision_manager']['strategy-service'])
) {
return true;
}

return false;
})
->then(function ($v) {
$v['access_decision_manager']['strategy'] = AccessDecisionManager::STRATEGY_AFFIRMATIVE;
$v['access_decision_manager']['strategy'] = self::STRATEGY_AFFIRMATIVE;

return $v;
})
Expand Down Expand Up @@ -114,13 +126,22 @@ public function getConfigTreeBuilder()
->values($this->getAccessDecisionStrategies())
->end()
->scalarNode('service')->end()
->scalarNode('strategy_service')->end()
->booleanNode('allow_if_all_abstain')->defaultFalse()->end()
->booleanNode('allow_if_equal_granted_denied')->defaultTrue()->end()
->end()
->validate()
->ifTrue(function ($v) { return isset($v['strategy']) && isset($v['service']); })
->ifTrue(function ($v) { return isset($v['strategy'], $v['service']); })
->thenInvalid('"strategy" and "service" cannot be used together.')
->end()
->validate()
->ifTrue(function ($v) { return isset($v['strategy'], $v['strategy_service']); })
->thenInvalid('"strategy" and "strategy_service" cannot be used together.')
->end()
->validate()
->ifTrue(function ($v) { return isset($v['service'], $v['strategy_service']); })
->thenInvalid('"service" and "strategy_service" cannot be used together.')
->end()
->end()
->end()
;
Expand Down Expand Up @@ -507,18 +528,13 @@ private function addPasswordHashersSection(ArrayNodeDefinition $rootNode)
->end();
}

private function getAccessDecisionStrategies()
private function getAccessDecisionStrategies(): array
{
$strategies = [
AccessDecisionManager::STRATEGY_AFFIRMATIVE,
AccessDecisionManager::STRATEGY_CONSENSUS,
AccessDecisionManager::STRATEGY_UNANIMOUS,
return [
self::STRATEGY_AFFIRMATIVE,
self::STRATEGY_CONSENSUS,
self::STRATEGY_UNANIMOUS,
self::STRATEGY_PRIORITY,
];

if (\defined(AccessDecisionManager::class.'::STRATEGY_PRIORITY')) {
$strategies[] = AccessDecisionManager::STRATEGY_PRIORITY;
}

return $strategies;
}
}
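Review bot: `allow_if_all_abstain` and `allow_if_equal_granted_denied` are silently ignored when `strategy_service` is set, and the new pairwise `validate()` rules only reject `strategy_service` combined with `strategy` or `service`. Because both boolean nodes carry defaults, a user who configures `strategy_service` together with `allow_if_all_abstain: true` gets no error and an authorization outcome that differs from what the option promises, since the referenced strategy decides on its own. At minimum the two boolean nodes should say so, e.g. `->info('Ignored when "service" or "strategy_service" is set; the configured strategy decides on its own.')`; rejecting the combination outright is presumably only feasible in the `beforeNormalization` closure above, before defaults are applied. The `strategy-service` spelling checked in that closure looks like the not-yet-normalized XML attribute name; a one-line comment saying so would spare the next reader a detour. `getConfigTreeBuilder` starts and ends outside the hunk.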
Expand Up @@ -39,6 +39,10 @@
use Symfony\Component\PasswordHasher\Hasher\Pbkdf2PasswordHasher;
use Symfony\Component\PasswordHasher\Hasher\PlaintextPasswordHasher;
use Symfony\Component\PasswordHasher\Hasher\SodiumPasswordHasher;
use Symfony\Component\Security\Core\Authorization\Strategy\AffirmativeStrategy;
use Symfony\Component\Security\Core\Authorization\Strategy\ConsensusStrategy;
use Symfony\Component\Security\Core\Authorization\Strategy\PriorityStrategy;
use Symfony\Component\Security\Core\Authorization\Strategy\UnanimousStrategy;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
Expand Down Expand Up @@ -150,12 +154,18 @@ public function load(array $configs, ContainerBuilder $container)

if (isset($config['access_decision_manager']['service'])) {
$container->setAlias('security.access.decision_manager', $config['access_decision_manager']['service']);
} elseif (isset($config['access_decision_manager']['strategy_service'])) {
$container
->getDefinition('security.access.decision_manager')
->addArgument(new Reference($config['access_decision_manager']['strategy_service']));
} else {
$container
->getDefinition('security.access.decision_manager')
->addArgument($config['access_decision_manager']['strategy'])
->addArgument($config['access_decision_manager']['allow_if_all_abstain'])
->addArgument($config['access_decision_manager']['allow_if_equal_granted_denied']);
->addArgument($this->createStrategyDefinition(
$config['access_decision_manager']['strategy'],
$config['access_decision_manager']['allow_if_all_abstain'],
$config['access_decision_manager']['allow_if_equal_granted_denied']
));
}

$container->setParameter('security.access.always_authenticate_before_granting', $config['always_authenticate_before_granting']);
Expand Down Expand Up @@ -196,6 +206,25 @@ public function load(array $configs, ContainerBuilder $container)
->addTag('security.voter');
}

/**
* @throws \InvalidArgumentException if the $strategy is invalid
*/
private function createStrategyDefinition(string $strategy, bool $allowIfAllAbstainDecisions, bool $allowIfEqualGrantedDeniedDecisions): Definition
{
switch ($strategy) {
case MainConfiguration::STRATEGY_AFFIRMATIVE:
return new Definition(AffirmativeStrategy::class, [$allowIfAllAbstainDecisions]);
case MainConfiguration::STRATEGY_CONSENSUS:
return new Definition(ConsensusStrategy::class, [$allowIfAllAbstainDecisions, $allowIfEqualGrantedDeniedDecisions]);
case MainConfiguration::STRATEGY_UNANIMOUS:
return new Definition(UnanimousStrategy::class, [$allowIfAllAbstainDecisions]);
case MainConfiguration::STRATEGY_PRIORITY:
return new Definition(PriorityStrategy::class, [$allowIfAllAbstainDecisions]);
}

throw new \InvalidArgumentException(sprintf('The strategy "%s" is not supported.', $strategy));
}

private function createRoleHierarchy(array $config, ContainerBuilder $container)
{
if (!isset($config['role_hierarchy']) || 0 === \count($config['role_hierarchy'])) {
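Review bot: The docblock on `createStrategyDefinition` should state that `$allowIfEqualGrantedDeniedDecisions` is only forwarded to `ConsensusStrategy`; the affirmative, unanimous and priority cases drop it without notice, so a reader of the config alone cannot tell the option has no effect there. Suggested wording under the existing `@throws`: `Only the consensus strategy uses $allowIfEqualGrantedDeniedDecisions; the other strategies ignore it.` The new `strategy_service` branch in `load()` likewise discards both boolean options, which is worth a short comment at the `new Reference(...)` line so the asymmetry with the `else` branch reads as intentional. `load()` starts and ends outside the hunk, and the `Definition` class used by the new method is imported outside what this hunk shows.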
Expand Up @@ -63,6 +63,7 @@
<xsd:complexType name="access_decision_manager">
<xsd:attribute name="strategy" type="access_decision_manager_strategy" />
<xsd:attribute name="service" type="xsd:string" />
<xsd:attribute name="strategy-service" type="xsd:string" />
<xsd:attribute name="allow-if-all-abstain" type="xsd:boolean" />
<xsd:attribute name="allow-if-equal-granted-denied" type="xsd:boolean" />
</xsd:complexType>
Expand Up @@ -17,12 +17,14 @@
use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
use Symfony\Component\DependencyInjection\Argument\IteratorArgument;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\DependencyInjection\Definition;
use Symfony\Component\DependencyInjection\Reference;
use Symfony\Component\PasswordHasher\Hasher\NativePasswordHasher;
use Symfony\Component\PasswordHasher\Hasher\Pbkdf2PasswordHasher;
use Symfony\Component\PasswordHasher\Hasher\PlaintextPasswordHasher;
use Symfony\Component\PasswordHasher\Hasher\SodiumPasswordHasher;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
use Symfony\Component\Security\Core\Authorization\Strategy\AffirmativeStrategy;
use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
use Symfony\Component\Security\Http\Authentication\AuthenticatorManager;
Expand Down Expand Up @@ -1046,7 +1048,7 @@ public function testDefaultAccessDecisionManagerStrategyIsAffirmative()
{
$container = $this->getContainer('access_decision_manager_default_strategy');

$this->assertSame(AccessDecisionManager::STRATEGY_AFFIRMATIVE, $container->getDefinition('security.access.decision_manager')->getArgument(1), 'Default vote strategy is affirmative');
$this->assertEquals((new Definition(AffirmativeStrategy::class, [false])), $container->getDefinition('security.access.decision_manager')->getArgument(1), 'Default vote strategy is affirmative');
}

public function testCustomAccessDecisionManagerService()
Expand All @@ -1069,9 +1071,17 @@ public function testAccessDecisionManagerOptionsAreNotOverriddenByImplicitStrate

$accessDecisionManagerDefinition = $container->getDefinition('security.access.decision_manager');

$this->assertSame(AccessDecisionManager::STRATEGY_AFFIRMATIVE, $accessDecisionManagerDefinition->getArgument(1));
$this->assertTrue($accessDecisionManagerDefinition->getArgument(2));
$this->assertFalse($accessDecisionManagerDefinition->getArgument(3));
$this->assertEquals((new Definition(AffirmativeStrategy::class, [true])), $accessDecisionManagerDefinition->getArgument(1));
}

public function testAccessDecisionManagerWithStrategyService()
{
$container = $this->getContainer('access_decision_manager_strategy_service');

$accessDecisionManagerDefinition = $container->getDefinition('security.access.decision_manager');

$this->assertEquals(AccessDecisionManager::class, $accessDecisionManagerDefinition->getClass());
$this->assertEquals(new Reference('app.custom_access_decision_strategy'), $accessDecisionManagerDefinition->getArgument(1));
}

public function testFirewallUndefinedUserProvider()
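Review bot: `testAccessDecisionManagerWithStrategyService` only inspects argument 1; it does not assert that the strategy reference replaces the former `allow_if_*` arguments rather than being followed by them, which is precisely what the `load()` change is meant to guarantee. If argument 0 is the voter iterator, as the indices used throughout these tests suggest, `$this->assertCount(2, $accessDecisionManagerDefinition->getArguments());` would catch a regression that re-adds the boolean arguments. For the class-name check, `assertSame(AccessDecisionManager::class, ...)` is the appropriate assertion for a string, and the parentheses wrapping `new Definition(...)` in the two `assertEquals` calls are redundant. The enclosing test class starts and ends outside the hunk.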
@@ -0,0 +1,20 @@
<?php

$container->loadFromExtension('security', [
'enable_authenticator_manager' => true,
'access_decision_manager' => [
'strategy_service' => 'app.custom_access_decision_strategy',
],
'providers' => [
'default' => [
'memory' => [
'users' => [
'foo' => ['password' => 'foo', 'roles' => 'ROLE_USER'],
],
],
],
],
'firewalls' => [
'simple' => ['pattern' => '/login', 'security' => false],
],
]);
@@ -0,0 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:srv="http://symfony.com/schema/dic/services"
xsi:schemaLocation="http://symfony.com/schema/dic/services
https://symfony.com/schema/dic/services/services-1.0.xsd
http://symfony.com/schema/dic/security
https://symfony.com/schema/dic/security/security-1.0.xsd">

<config enable-authenticator-manager="true">
<access-decision-manager strategy-service="app.custom_access_decision_strategy" />

<provider name="default">
<memory>
<user identifier="foo" password="foo" roles="ROLE_USER" />
</memory>
</provider>

<firewall name="simple" pattern="/login" security="false" />
</config>
</srv:container>
@@ -0,0 +1,11 @@
security:
enable_authenticator_manager: true
access_decision_manager:
strategy_service: app.custom_access_decision_strategy
providers:
default:
memory:
users:
foo: { password: foo, roles: ROLE_USER }
firewalls:
simple: { pattern: /login, security: false }