[Security] Add ability for voters to explain their vote

nicolas-grekas · nicolas-grekas · commit 5d6d6ee4ab3e · 2025-02-14T17:13:39.000+01:00
diff --git a/EventListener/IsGrantedAttributeListener.php b/EventListener/IsGrantedAttributeListener.php
@@ -18,6 +18,7 @@
 use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\Security\Core\Authorization\AccessDecision;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\Exception\RuntimeException;
@@ -58,19 +59,21 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event): vo
                     $subject = $this->getIsGrantedSubject($subjectRef, $request, $arguments);
                 }
             }
+            $accessDecision = new AccessDecision();
 
-            if (!$this->authChecker->isGranted($attribute->attribute, $subject)) {
-                $message = $attribute->message ?: \sprintf('Access Denied by #[IsGranted(%s)] on controller', $this->getIsGrantedString($attribute));
+            if (!$accessDecision->isGranted = $this->authChecker->isGranted($attribute->attribute, $subject, $accessDecision)) {
+                $message = $attribute->message ?: $accessDecision->getMessage();
 
                 if ($statusCode = $attribute->statusCode) {
                     throw new HttpException($statusCode, $message, code: $attribute->exceptionCode ?? 0);
                 }
 
-                $accessDeniedException = new AccessDeniedException($message, code: $attribute->exceptionCode ?? 403);
-                $accessDeniedException->setAttributes($attribute->attribute);
-                $accessDeniedException->setSubject($subject);
+                $e = new AccessDeniedException($message, code: $attribute->exceptionCode ?? 403);
+                $e->setAttributes($attribute->attribute);
+                $e->setSubject($subject);
+                $e->setAccessDecision($accessDecision);
 
-                throw $accessDeniedException;
+                throw $e;
             }
         }
     }
@@ -97,23 +100,4 @@ private function getIsGrantedSubject(string|Expression $subjectRef, Request $req
 
         return $arguments[$subjectRef];
     }
-
-    private function getIsGrantedString(IsGranted $isGranted): string
-    {
-        $processValue = fn ($value) => \sprintf($value instanceof Expression ? 'new Expression("%s")' : '"%s"', $value);
-
-        $argsString = $processValue($isGranted->attribute);
-
-        if (null !== $subject = $isGranted->subject) {
-            $subject = !\is_array($subject) ? $processValue($subject) : array_map(function ($key, $value) use ($processValue) {
-                $value = $processValue($value);
-
-                return \is_string($key) ? \sprintf('"%s" => %s', $key, $value) : $value;
-            }, array_keys($subject), $subject);
-
-            $argsString .= ', '.(!\is_array($subject) ? $subject : '['.implode(', ', $subject).']');
-        }
-
-        return $argsString;
-    }
 }
diff --git a/Firewall/AccessListener.php b/Firewall/AccessListener.php
@@ -15,6 +15,7 @@
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authorization\AccessDecision;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -72,19 +73,16 @@ public function authenticate(RequestEvent $event): void
         }
 
         $token = $this->tokenStorage->getToken() ?? new NullToken();
+        $accessDecision = new AccessDecision();
 
-        if (!$this->accessDecisionManager->decide($token, $attributes, $request, true)) {
-            throw $this->createAccessDeniedException($request, $attributes);
-        }
-    }
+        if (!$accessDecision->isGranted = $this->accessDecisionManager->decide($token, $attributes, $request, $accessDecision, true)) {
+            $e = new AccessDeniedException($accessDecision->getMessage());
+            $e->setAttributes($attributes);
+            $e->setSubject($request);
+            $e->setAccessDecision($accessDecision);
 
-    private function createAccessDeniedException(Request $request, array $attributes): AccessDeniedException
-    {
-        $exception = new AccessDeniedException();
-        $exception->setAttributes($attributes);
-        $exception->setSubject($request);
-
-        return $exception;
+            throw $e;
+        }
     }
 
     public static function getPriority(): int
diff --git a/Firewall/SwitchUserListener.php b/Firewall/SwitchUserListener.php
@@ -19,6 +19,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\AccessDecision;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
@@ -153,12 +154,14 @@ private function attemptSwitchUser(Request $request, string $username): ?TokenIn
 
             throw $e;
         }
+        $accessDecision = new AccessDecision();
 
-        if (false === $this->accessDecisionManager->decide($token, [$this->role], $user)) {
-            $exception = new AccessDeniedException();
-            $exception->setAttributes($this->role);
+        if (!$accessDecision->isGranted = $this->accessDecisionManager->decide($token, [$this->role], $user, $accessDecision)) {
+            $e = new AccessDeniedException($accessDecision->getMessage());
+            $e->setAttributes($this->role);
+            $e->setAccessDecision($accessDecision);
 
-            throw $exception;
+            throw $e;
         }
 
         $this->logger?->info('Attempting to switch to user.', ['username' => $username]);
diff --git a/Tests/EventListener/IsGrantedAttributeListenerTest.php b/Tests/EventListener/IsGrantedAttributeListenerTest.php
@@ -13,12 +13,20 @@
 
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\ExpressionLanguage\Expression;
-use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
+use Symfony\Component\Security\Core\Authorization\AuthorizationChecker;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Authorization\ExpressionLanguage;
+use Symfony\Component\Security\Core\Authorization\Voter\ExpressionVoter;
+use Symfony\Component\Security\Core\Authorization\Voter\RoleVoter;
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Http\EventListener\IsGrantedAttributeListener;
 use Symfony\Component\Security\Http\Tests\Fixtures\IsGrantedAttributeController;
@@ -213,10 +221,23 @@ public function testExceptionWhenMissingSubjectAttribute()
      */
     public function testAccessDeniedMessages(string|Expression $attribute, string|array|null $subject, string $method, int $numOfArguments, string $expectedMessage)
     {
-        $authChecker = $this->createMock(AuthorizationCheckerInterface::class);
-        $authChecker->expects($this->any())
-            ->method('isGranted')
-            ->willReturn(false);
+        $authChecker = new AuthorizationChecker(new TokenStorage(), new AccessDecisionManager((function () use (&$authChecker) {
+            yield new ExpressionVoter(new ExpressionLanguage(), null, $authChecker);
+            yield new RoleVoter();
+            yield new class() extends Voter {
+                protected function supports(string $attribute, mixed $subject): bool
+                {
+                    return 'POST_VIEW' === $attribute;
+                }
+
+                protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
+                {
+                    $vote->reasons[] = 'Because I can 😈.';
+
+                    return false;
+                }
+            };
+        })()));
 
         $expressionLanguage = $this->createMock(ExpressionLanguage::class);
         $expressionLanguage->expects($this->any())
@@ -252,12 +273,12 @@ public function testAccessDeniedMessages(string|Expression $attribute, string|ar
 
     public static function getAccessDeniedMessageTests()
     {
-        yield ['ROLE_ADMIN', null, 'admin', 0, 'Access Denied by #[IsGranted("ROLE_ADMIN")] on controller'];
-        yield ['ROLE_ADMIN', 'bar', 'withSubject', 2, 'Access Denied by #[IsGranted("ROLE_ADMIN", "arg2Name")] on controller'];
-        yield ['ROLE_ADMIN', ['arg1Name' => 'bar', 'arg2Name' => 'bar'], 'withSubjectArray', 2, 'Access Denied by #[IsGranted("ROLE_ADMIN", ["arg1Name", "arg2Name"])] on controller'];
-        yield [new Expression('"ROLE_ADMIN" in role_names or is_granted("POST_VIEW", subject)'), 'bar', 'withExpressionInAttribute', 1, 'Access Denied by #[IsGranted(new Expression(""ROLE_ADMIN" in role_names or is_granted("POST_VIEW", subject)"), "post")] on controller'];
-        yield [new Expression('user === subject'), 'bar', 'withExpressionInSubject', 1, 'Access Denied by #[IsGranted(new Expression("user === subject"), new Expression("args["post"].getAuthor()"))] on controller'];
-        yield [new Expression('user === subject["author"]'), ['author' => 'bar', 'alias' => 'bar'], 'withNestedExpressionInSubject', 2, 'Access Denied by #[IsGranted(new Expression("user === subject["author"]"), ["author" => new Expression("args["post"].getAuthor()"), "alias" => "arg2Name"])] on controller'];
+        yield ['ROLE_ADMIN', null, 'admin', 0, 'Access Denied. The user doesn\'t have ROLE_ADMIN.'];
+        yield ['ROLE_ADMIN', 'bar', 'withSubject', 2, 'Access Denied. The user doesn\'t have ROLE_ADMIN.'];
+        yield ['ROLE_ADMIN', ['arg1Name' => 'bar', 'arg2Name' => 'bar'], 'withSubjectArray', 2, 'Access Denied. The user doesn\'t have ROLE_ADMIN.'];
+        yield [new Expression('"ROLE_ADMIN" in role_names or is_granted("POST_VIEW", subject)'), 'bar', 'withExpressionInAttribute', 1, 'Access Denied. Because I can 😈. Expression ("ROLE_ADMIN" in role_names or is_granted("POST_VIEW", subject)) is false.'];
+        yield [new Expression('user === subject'), 'bar', 'withExpressionInSubject', 1, 'Access Denied. Expression (user === subject) is false.'];
+        yield [new Expression('user === subject["author"]'), ['author' => 'bar', 'alias' => 'bar'], 'withNestedExpressionInSubject', 2, 'Access Denied. Expression (user === subject["author"]) is false.'];
     }
 
     public function testNotFoundHttpException()
diff --git a/Tests/Firewall/AccessListenerTest.php b/Tests/Firewall/AccessListenerTest.php
@@ -20,6 +20,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Authorization\AccessDecision;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -235,7 +236,7 @@ public function testHandleMWithultipleAttributesShouldBeHandledAsAnd()
         $accessDecisionManager
             ->expects($this->once())
             ->method('decide')
-            ->with($this->equalTo($authenticatedToken), $this->equalTo(['foo' => 'bar', 'bar' => 'baz']), $this->equalTo($request), true)
+            ->with($this->equalTo($authenticatedToken), $this->equalTo(['foo' => 'bar', 'bar' => 'baz']), $this->equalTo($request), new AccessDecision(), true)
             ->willReturn(true)
         ;
 
