[Security] Implement ADM strategies as dedicated classes

Signed-off-by: Alexander M. Turek <me@derrabus.de>

Author: derrabus

CHANGELOG.md

@@ -16,6 +16,7 @@ CHANGELOG
    factories instead.
  * Deprecate the `always_authenticate_before_granting` option
  * Display the roles of the logged-in user in the Web Debug Toolbar
+ * Add the `security.access_decision_manager.strategy_service` option
 
 5.3
 ---

DependencyInjection/MainConfiguration.php

@@ -18,7 +18,6 @@
 use Symfony\Component\Config\Definition\Builder\TreeBuilder;
 use Symfony\Component\Config\Definition\ConfigurationInterface;
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
-use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Symfony\Component\Security\Http\Event\LogoutEvent;
 use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
@@ -30,6 +29,15 @@
  */
 class MainConfiguration implements ConfigurationInterface
 {
+    /** @internal */
+    public const STRATEGY_AFFIRMATIVE = 'affirmative';
+    /** @internal */
+    public const STRATEGY_CONSENSUS = 'consensus';
+    /** @internal */
+    public const STRATEGY_UNANIMOUS = 'unanimous';
+    /** @internal */
+    public const STRATEGY_PRIORITY = 'priority';
+
     private $factories;
     private $userProviderFactories;
 
@@ -65,14 +73,18 @@ public function getConfigTreeBuilder()
                         return true;
                     }
 
-                    if (!isset($v['access_decision_manager']['strategy']) && !isset($v['access_decision_manager']['service'])) {
+                    if (!isset($v['access_decision_manager']['strategy'])
+                        && !isset($v['access_decision_manager']['service'])
+                        && !isset($v['access_decision_manager']['strategy_service'])
+                        && !isset($v['access_decision_manager']['strategy-service'])
+                    ) {
                         return true;
                     }
 
                     return false;
                 })
                 ->then(function ($v) {
-                    $v['access_decision_manager']['strategy'] = AccessDecisionManager::STRATEGY_AFFIRMATIVE;
+                    $v['access_decision_manager']['strategy'] = self::STRATEGY_AFFIRMATIVE;
 
                     return $v;
                 })
@@ -114,13 +126,22 @@ public function getConfigTreeBuilder()
                             ->values($this->getAccessDecisionStrategies())
                         ->end()
                         ->scalarNode('service')->end()
+                        ->scalarNode('strategy_service')->end()
                         ->booleanNode('allow_if_all_abstain')->defaultFalse()->end()
                         ->booleanNode('allow_if_equal_granted_denied')->defaultTrue()->end()
                     ->end()
                     ->validate()
-                        ->ifTrue(function ($v) { return isset($v['strategy']) && isset($v['service']); })
+                        ->ifTrue(function ($v) { return isset($v['strategy'], $v['service']); })
                         ->thenInvalid('"strategy" and "service" cannot be used together.')
                     ->end()
+                    ->validate()
+                        ->ifTrue(function ($v) { return isset($v['strategy'], $v['strategy_service']); })
+                        ->thenInvalid('"strategy" and "strategy_service" cannot be used together.')
+                    ->end()
+                    ->validate()
+                        ->ifTrue(function ($v) { return isset($v['service'], $v['strategy_service']); })
+                        ->thenInvalid('"service" and "strategy_service" cannot be used together.')
+                    ->end()
                 ->end()
             ->end()
         ;
@@ -507,18 +528,13 @@ private function addPasswordHashersSection(ArrayNodeDefinition $rootNode)
         ->end();
     }
 
-    private function getAccessDecisionStrategies()
+    private function getAccessDecisionStrategies(): array
     {
-        $strategies = [
-            AccessDecisionManager::STRATEGY_AFFIRMATIVE,
-            AccessDecisionManager::STRATEGY_CONSENSUS,
-            AccessDecisionManager::STRATEGY_UNANIMOUS,
+        return [
+            self::STRATEGY_AFFIRMATIVE,
+            self::STRATEGY_CONSENSUS,
+            self::STRATEGY_UNANIMOUS,
+            self::STRATEGY_PRIORITY,
         ];
-
-        if (\defined(AccessDecisionManager::class.'::STRATEGY_PRIORITY')) {
-            $strategies[] = AccessDecisionManager::STRATEGY_PRIORITY;
-        }
-
-        return $strategies;
     }
 }

DependencyInjection/SecurityExtension.php

@@ -39,6 +39,10 @@
 use Symfony\Component\PasswordHasher\Hasher\Pbkdf2PasswordHasher;
 use Symfony\Component\PasswordHasher\Hasher\PlaintextPasswordHasher;
 use Symfony\Component\PasswordHasher\Hasher\SodiumPasswordHasher;
+use Symfony\Component\Security\Core\Authorization\Strategy\AffirmativeStrategy;
+use Symfony\Component\Security\Core\Authorization\Strategy\ConsensusStrategy;
+use Symfony\Component\Security\Core\Authorization\Strategy\PriorityStrategy;
+use Symfony\Component\Security\Core\Authorization\Strategy\UnanimousStrategy;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
@@ -150,12 +154,18 @@ public function load(array $configs, ContainerBuilder $container)
 
         if (isset($config['access_decision_manager']['service'])) {
             $container->setAlias('security.access.decision_manager', $config['access_decision_manager']['service']);
+        } elseif (isset($config['access_decision_manager']['strategy_service'])) {
+            $container
+                ->getDefinition('security.access.decision_manager')
+                ->addArgument(new Reference($config['access_decision_manager']['strategy_service']));
         } else {
             $container
                 ->getDefinition('security.access.decision_manager')
-                ->addArgument($config['access_decision_manager']['strategy'])
-                ->addArgument($config['access_decision_manager']['allow_if_all_abstain'])
-                ->addArgument($config['access_decision_manager']['allow_if_equal_granted_denied']);
+                ->addArgument($this->createStrategyDefinition(
+                    $config['access_decision_manager']['strategy'],
+                    $config['access_decision_manager']['allow_if_all_abstain'],
+                    $config['access_decision_manager']['allow_if_equal_granted_denied']
+                ));
         }
 
         $container->setParameter('security.access.always_authenticate_before_granting', $config['always_authenticate_before_granting']);
@@ -196,6 +206,25 @@ public function load(array $configs, ContainerBuilder $container)
             ->addTag('security.voter');
     }
 
+    /**
+     * @throws \InvalidArgumentException if the $strategy is invalid
+     */
+    private function createStrategyDefinition(string $strategy, bool $allowIfAllAbstainDecisions, bool $allowIfEqualGrantedDeniedDecisions): Definition
+    {
+        switch ($strategy) {
+            case MainConfiguration::STRATEGY_AFFIRMATIVE:
+                return new Definition(AffirmativeStrategy::class, [$allowIfAllAbstainDecisions]);
+            case MainConfiguration::STRATEGY_CONSENSUS:
+                return new Definition(ConsensusStrategy::class, [$allowIfAllAbstainDecisions, $allowIfEqualGrantedDeniedDecisions]);
+            case MainConfiguration::STRATEGY_UNANIMOUS:
+                return new Definition(UnanimousStrategy::class, [$allowIfAllAbstainDecisions]);
+            case MainConfiguration::STRATEGY_PRIORITY:
+                return new Definition(PriorityStrategy::class, [$allowIfAllAbstainDecisions]);
+        }
+
+        throw new \InvalidArgumentException(sprintf('The strategy "%s" is not supported.', $strategy));
+    }
+
     private function createRoleHierarchy(array $config, ContainerBuilder $container)
     {
         if (!isset($config['role_hierarchy']) || 0 === \count($config['role_hierarchy'])) {

Resources/config/schema/security-1.0.xsd

@@ -63,6 +63,7 @@
     <xsd:complexType name="access_decision_manager">
         <xsd:attribute name="strategy" type="access_decision_manager_strategy" />
         <xsd:attribute name="service" type="xsd:string" />
+        <xsd:attribute name="strategy-service" type="xsd:string" />
         <xsd:attribute name="allow-if-all-abstain" type="xsd:boolean" />
         <xsd:attribute name="allow-if-equal-granted-denied" type="xsd:boolean" />
     </xsd:complexType>

Tests/DependencyInjection/CompleteConfigurationTest.php

@@ -17,12 +17,14 @@
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
 use Symfony\Component\DependencyInjection\Argument\IteratorArgument;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Definition;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\PasswordHasher\Hasher\NativePasswordHasher;
 use Symfony\Component\PasswordHasher\Hasher\Pbkdf2PasswordHasher;
 use Symfony\Component\PasswordHasher\Hasher\PlaintextPasswordHasher;
 use Symfony\Component\PasswordHasher\Hasher\SodiumPasswordHasher;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
+use Symfony\Component\Security\Core\Authorization\Strategy\AffirmativeStrategy;
 use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
 use Symfony\Component\Security\Http\Authentication\AuthenticatorManager;
@@ -1046,7 +1048,7 @@ public function testDefaultAccessDecisionManagerStrategyIsAffirmative()
     {
         $container = $this->getContainer('access_decision_manager_default_strategy');
 
-        $this->assertSame(AccessDecisionManager::STRATEGY_AFFIRMATIVE, $container->getDefinition('security.access.decision_manager')->getArgument(1), 'Default vote strategy is affirmative');
+        $this->assertEquals((new Definition(AffirmativeStrategy::class, [false])), $container->getDefinition('security.access.decision_manager')->getArgument(1), 'Default vote strategy is affirmative');
     }
 
     public function testCustomAccessDecisionManagerService()
@@ -1069,9 +1071,17 @@ public function testAccessDecisionManagerOptionsAreNotOverriddenByImplicitStrate
 
         $accessDecisionManagerDefinition = $container->getDefinition('security.access.decision_manager');
 
-        $this->assertSame(AccessDecisionManager::STRATEGY_AFFIRMATIVE, $accessDecisionManagerDefinition->getArgument(1));
-        $this->assertTrue($accessDecisionManagerDefinition->getArgument(2));
-        $this->assertFalse($accessDecisionManagerDefinition->getArgument(3));
+        $this->assertEquals((new Definition(AffirmativeStrategy::class, [true])), $accessDecisionManagerDefinition->getArgument(1));
+    }
+
+    public function testAccessDecisionManagerWithStrategyService()
+    {
+        $container = $this->getContainer('access_decision_manager_strategy_service');
+
+        $accessDecisionManagerDefinition = $container->getDefinition('security.access.decision_manager');
+
+        $this->assertEquals(AccessDecisionManager::class, $accessDecisionManagerDefinition->getClass());
+        $this->assertEquals(new Reference('app.custom_access_decision_strategy'), $accessDecisionManagerDefinition->getArgument(1));
     }
 
     public function testFirewallUndefinedUserProvider()

Tests/DependencyInjection/Fixtures/php/access_decision_manager_strategy_service.php

@@ -0,0 +1,20 @@
+<?php
+
+$container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
+    'access_decision_manager' => [
+        'strategy_service' => 'app.custom_access_decision_strategy',
+    ],
+    'providers' => [
+        'default' => [
+            'memory' => [
+                'users' => [
+                    'foo' => ['password' => 'foo', 'roles' => 'ROLE_USER'],
+                ],
+            ],
+        ],
+    ],
+    'firewalls' => [
+        'simple' => ['pattern' => '/login', 'security' => false],
+    ],
+]);

Tests/DependencyInjection/Fixtures/xml/access_decision_manager_strategy_service.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<srv:container xmlns="http://symfony.com/schema/dic/security"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:srv="http://symfony.com/schema/dic/services"
+    xsi:schemaLocation="http://symfony.com/schema/dic/services
+        https://symfony.com/schema/dic/services/services-1.0.xsd
+        http://symfony.com/schema/dic/security
+        https://symfony.com/schema/dic/security/security-1.0.xsd">
+
+    <config enable-authenticator-manager="true">
+        <access-decision-manager strategy-service="app.custom_access_decision_strategy" />
+
+        <provider name="default">
+            <memory>
+                <user identifier="foo" password="foo" roles="ROLE_USER" />
+            </memory>
+        </provider>
+
+        <firewall name="simple" pattern="/login" security="false" />
+    </config>
+</srv:container>

Tests/DependencyInjection/Fixtures/yml/access_decision_manager_strategy_service.yml

@@ -0,0 +1,11 @@
+security:
+    enable_authenticator_manager: true
+    access_decision_manager:
+        strategy_service: app.custom_access_decision_strategy
+    providers:
+        default:
+            memory:
+                users:
+                    foo: { password: foo, roles: ROLE_USER }
+    firewalls:
+        simple: { pattern: /login, security: false }