[Security] Implement ADM strategies as dedicated classes

Signed-off-by: Alexander M. Turek <me@derrabus.de>

Author: derrabus

Authorization/AccessDecisionManager.php

@@ -12,6 +12,11 @@
 namespace Symfony\Component\Security\Core\Authorization;
 
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Strategy\AccessDecisionStrategyInterface;
+use Symfony\Component\Security\Core\Authorization\Strategy\AffirmativeStrategy;
+use Symfony\Component\Security\Core\Authorization\Strategy\ConsensusStrategy;
+use Symfony\Component\Security\Core\Authorization\Strategy\PriorityStrategy;
+use Symfony\Component\Security\Core\Authorization\Strategy\UnanimousStrategy;
 use Symfony\Component\Security\Core\Authorization\Voter\CacheableVoterInterface;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
@@ -21,40 +26,62 @@
  * that use decision voters.
  *
  * @author Fabien Potencier <fabien@symfony.com>
+ *
+ * @final since Symfony 5.4
  */
 class AccessDecisionManager implements AccessDecisionManagerInterface
 {
+    /**
+     * @deprecated use {@see AffirmativeStrategy} instead
+     */
     public const STRATEGY_AFFIRMATIVE = 'affirmative';
+
+    /**
+     * @deprecated use {@see ConsensusStrategy} instead
+     */
     public const STRATEGY_CONSENSUS = 'consensus';
+
+    /**
+     * @deprecated use {@see UnanimousStrategy} instead
+     */
     public const STRATEGY_UNANIMOUS = 'unanimous';
+
+    /**
+     * @deprecated use {@see PriorityStrategy} instead
+     */
     public const STRATEGY_PRIORITY = 'priority';
 
+    private const VALID_VOTES = [
+        VoterInterface::ACCESS_GRANTED => true,
+        VoterInterface::ACCESS_DENIED => true,
+        VoterInterface::ACCESS_ABSTAIN => true,
+    ];
+
     private $voters;
     private $votersCacheAttributes;
     private $votersCacheObject;
     private $strategy;
-    private $allowIfAllAbstainDecisions;
-    private $allowIfEqualGrantedDeniedDecisions;
 
     /**
-     * @param iterable|VoterInterface[] $voters                             An array or an iterator of VoterInterface instances
-     * @param string                    $strategy                           The vote strategy
-     * @param bool                      $allowIfAllAbstainDecisions         Whether to grant access if all voters abstained or not
-     * @param bool                      $allowIfEqualGrantedDeniedDecisions Whether to grant access if result are equals
+     * @param iterable<mixed, VoterInterface>      $voters   An array or an iterator of VoterInterface instances
+     * @param AccessDecisionStrategyInterface|null $strategy The vote strategy
      *
      * @throws \InvalidArgumentException
      */
-    public function __construct(iterable $voters = [], string $strategy = self::STRATEGY_AFFIRMATIVE, bool $allowIfAllAbstainDecisions = false, bool $allowIfEqualGrantedDeniedDecisions = true)
+    public function __construct(iterable $voters = [], /* AccessDecisionStrategyInterface */ $strategy = null)
     {
-        $strategyMethod = 'decide'.ucfirst($strategy);
-        if ('' === $strategy || !\is_callable([$this, $strategyMethod])) {
-            throw new \InvalidArgumentException(sprintf('The strategy "%s" is not supported.', $strategy));
+        $this->voters = $voters;
+        if (\is_string($strategy)) {
+            trigger_deprecation('symfony/security-core', '5.4', 'Passing the access decision strategy as a string is deprecated, pass an instance of "%s" instead.', AccessDecisionStrategyInterface::class);
+            $allowIfAllAbstainDecisions = 3 <= \func_num_args() && func_get_arg(2);
+            $allowIfEqualGrantedDeniedDecisions = 4 > \func_num_args() || func_get_arg(3);
+
+            $strategy = $this->createStrategy($strategy, $allowIfAllAbstainDecisions, $allowIfEqualGrantedDeniedDecisions);
+        } elseif (null !== $strategy && !$strategy instanceof AccessDecisionStrategyInterface) {
+            throw new \TypeError(sprintf('"%s": Parameter #2 ($strategy) is expected to be an instance of "%s" or null, "%s" given.', __METHOD__, AccessDecisionStrategyInterface::class, get_debug_type($strategy)));
         }
 
-        $this->voters = $voters;
-        $this->strategy = $strategyMethod;
-        $this->allowIfAllAbstainDecisions = $allowIfAllAbstainDecisions;
-        $this->allowIfEqualGrantedDeniedDecisions = $allowIfEqualGrantedDeniedDecisions;
+        $this->strategy = $strategy ?? new AffirmativeStrategy();
     }
 
     /**
@@ -71,145 +98,50 @@ public function decide(TokenInterface $token, array $attributes, $object = null/
             throw new InvalidArgumentException(sprintf('Passing more than one Security attribute to "%s()" is not supported.', __METHOD__));
         }
 
-        return $this->{$this->strategy}($token, $attributes, $object);
+        return $this->strategy->decide(
+            $this->collectResults($token, $attributes, $object)
+        );
     }
 
     /**
-     * Grants access if any voter returns an affirmative response.
+     * @param mixed $object
      *
-     * If all voters abstained from voting, the decision will be based on the
-     * allowIfAllAbstainDecisions property value (defaults to false).
+     * @return \Traversable<int, int>
      */
-    private function decideAffirmative(TokenInterface $token, array $attributes, $object = null): bool
+    private function collectResults(TokenInterface $token, array $attributes, $object): \Traversable
     {
-        $deny = 0;
         foreach ($this->getVoters($attributes, $object) as $voter) {
             $result = $voter->vote($token, $object, $attributes);
-
-            if (VoterInterface::ACCESS_GRANTED === $result) {
-                return true;
-            }
-
-            if (VoterInterface::ACCESS_DENIED === $result) {
-                ++$deny;
-            } elseif (VoterInterface::ACCESS_ABSTAIN !== $result) {
+            if (!\is_int($result) || !(self::VALID_VOTES[$result] ?? false)) {
                 trigger_deprecation('symfony/security-core', '5.3', 'Returning "%s" in "%s::vote()" is deprecated, return one of "%s" constants: "ACCESS_GRANTED", "ACCESS_DENIED" or "ACCESS_ABSTAIN".', var_export($result, true), get_debug_type($voter), VoterInterface::class);
             }
-        }
 
-        if ($deny > 0) {
-            return false;
+            yield $result;
         }
-
-        return $this->allowIfAllAbstainDecisions;
     }
 
     /**
-     * Grants access if there is consensus of granted against denied responses.
-     *
-     * Consensus means majority-rule (ignoring abstains) rather than unanimous
-     * agreement (ignoring abstains). If you require unanimity, see
-     * UnanimousBased.
-     *
-     * If there were an equal number of grant and deny votes, the decision will
-     * be based on the allowIfEqualGrantedDeniedDecisions property value
-     * (defaults to true).
-     *
-     * If all voters abstained from voting, the decision will be based on the
-     * allowIfAllAbstainDecisions property value (defaults to false).
+     * @throws \InvalidArgumentException if the $strategy is invalid
      */
-    private function decideConsensus(TokenInterface $token, array $attributes, $object = null): bool
+    private function createStrategy(string $strategy, bool $allowIfAllAbstainDecisions, bool $allowIfEqualGrantedDeniedDecisions): AccessDecisionStrategyInterface
     {
-        $grant = 0;
-        $deny = 0;
-        foreach ($this->getVoters($attributes, $object) as $voter) {
-            $result = $voter->vote($token, $object, $attributes);
-
-            if (VoterInterface::ACCESS_GRANTED === $result) {
-                ++$grant;
-            } elseif (VoterInterface::ACCESS_DENIED === $result) {
-                ++$deny;
-            } elseif (VoterInterface::ACCESS_ABSTAIN !== $result) {
-                trigger_deprecation('symfony/security-core', '5.3', 'Returning "%s" in "%s::vote()" is deprecated, return one of "%s" constants: "ACCESS_GRANTED", "ACCESS_DENIED" or "ACCESS_ABSTAIN".', var_export($result, true), get_debug_type($voter), VoterInterface::class);
-            }
-        }
-
-        if ($grant > $deny) {
-            return true;
-        }
-
-        if ($deny > $grant) {
-            return false;
+        switch ($strategy) {
+            case self::STRATEGY_AFFIRMATIVE:
+                return new AffirmativeStrategy($allowIfAllAbstainDecisions);
+            case self::STRATEGY_CONSENSUS:
+                return new ConsensusStrategy($allowIfAllAbstainDecisions, $allowIfEqualGrantedDeniedDecisions);
+            case self::STRATEGY_UNANIMOUS:
+                return new UnanimousStrategy($allowIfAllAbstainDecisions);
+            case self::STRATEGY_PRIORITY:
+                return new PriorityStrategy($allowIfAllAbstainDecisions);
         }
 
-        if ($grant > 0) {
-            return $this->allowIfEqualGrantedDeniedDecisions;
-        }
-
-        return $this->allowIfAllAbstainDecisions;
-    }
-
-    /**
-     * Grants access if only grant (or abstain) votes were received.
-     *
-     * If all voters abstained from voting, the decision will be based on the
-     * allowIfAllAbstainDecisions property value (defaults to false).
-     */
-    private function decideUnanimous(TokenInterface $token, array $attributes, $object = null): bool
-    {
-        $grant = 0;
-        foreach ($this->getVoters($attributes, $object) as $voter) {
-            foreach ($attributes as $attribute) {
-                $result = $voter->vote($token, $object, [$attribute]);
-
-                if (VoterInterface::ACCESS_DENIED === $result) {
-                    return false;
-                }
-
-                if (VoterInterface::ACCESS_GRANTED === $result) {
-                    ++$grant;
-                } elseif (VoterInterface::ACCESS_ABSTAIN !== $result) {
-                    trigger_deprecation('symfony/security-core', '5.3', 'Returning "%s" in "%s::vote()" is deprecated, return one of "%s" constants: "ACCESS_GRANTED", "ACCESS_DENIED" or "ACCESS_ABSTAIN".', var_export($result, true), get_debug_type($voter), VoterInterface::class);
-                }
-            }
-        }
-
-        // no deny votes
-        if ($grant > 0) {
-            return true;
-        }
-
-        return $this->allowIfAllAbstainDecisions;
+        throw new \InvalidArgumentException(sprintf('The strategy "%s" is not supported.', $strategy));
     }
 
     /**
-     * Grant or deny access depending on the first voter that does not abstain.
-     * The priority of voters can be used to overrule a decision.
-     *
-     * If all voters abstained from voting, the decision will be based on the
-     * allowIfAllAbstainDecisions property value (defaults to false).
+     * @return iterable<mixed, VoterInterface>
      */
-    private function decidePriority(TokenInterface $token, array $attributes, $object = null)
-    {
-        foreach ($this->getVoters($attributes, $object) as $voter) {
-            $result = $voter->vote($token, $object, $attributes);
-
-            if (VoterInterface::ACCESS_GRANTED === $result) {
-                return true;
-            }
-
-            if (VoterInterface::ACCESS_DENIED === $result) {
-                return false;
-            }
-
-            if (VoterInterface::ACCESS_ABSTAIN !== $result) {
-                trigger_deprecation('symfony/security-core', '5.3', 'Returning "%s" in "%s::vote()" is deprecated, return one of "%s" constants: "ACCESS_GRANTED", "ACCESS_DENIED" or "ACCESS_ABSTAIN".', var_export($result, true), get_debug_type($voter), VoterInterface::class);
-            }
-        }
-
-        return $this->allowIfAllAbstainDecisions;
-    }
-
     private function getVoters(array $attributes, $object = null): iterable
     {
         $keyAttributes = [];

Authorization/Strategy/AccessDecisionStrategyInterface.php

@@ -0,0 +1,25 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authorization\Strategy;
+
+/**
+ * A strategy for turning a stream of votes into a final decision.
+ *
+ * @author Alexander M. Turek <me@derrabus.de>
+ */
+interface AccessDecisionStrategyInterface
+{
+    /**
+     * @param \Traversable<int> $results
+     */
+    public function decide(\Traversable $results): bool;
+}

Authorization/Strategy/AffirmativeStrategy.php

@@ -0,0 +1,64 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authorization\Strategy;
+
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+
+/**
+ * Grants access if any voter returns an affirmative response.
+ *
+ * If all voters abstained from voting, the decision will be based on the
+ * allowIfAllAbstainDecisions property value (defaults to false).
+ *
+ * @author Fabien Potencier <fabien@symfony.com>
+ * @author Alexander M. Turek <me@derrabus.de>
+ */
+final class AffirmativeStrategy implements AccessDecisionStrategyInterface, \Stringable
+{
+    /**
+     * @var bool
+     */
+    private $allowIfAllAbstainDecisions;
+
+    public function __construct(bool $allowIfAllAbstainDecisions = false)
+    {
+        $this->allowIfAllAbstainDecisions = $allowIfAllAbstainDecisions;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function decide(\Traversable $results): bool
+    {
+        $deny = 0;
+        foreach ($results as $result) {
+            if (VoterInterface::ACCESS_GRANTED === $result) {
+                return true;
+            }
+
+            if (VoterInterface::ACCESS_DENIED === $result) {
+                ++$deny;
+            }
+        }
+
+        if ($deny > 0) {
+            return false;
+        }
+
+        return $this->allowIfAllAbstainDecisions;
+    }
+
+    public function __toString(): string
+    {
+        return 'affirmative';
+    }
+}