Use expression language

Author: dunglas

composer.json

@@ -46,6 +46,7 @@
         "symfony/config": "^3.2",
         "symfony/dependency-injection": "^2.7 || ^3.0",
         "symfony/doctrine-bridge": "^2.8 || ^3.0",
+        "symfony/expression-language": "^2.8 || ^3.0",
         "symfony/phpunit-bridge": "^2.7 || ^3.0",
         "symfony/security": "^2.7 || ^3.0",
         "symfony/templating": "^2.7 || ^3.0",
@@ -59,7 +60,9 @@
         "phpdocumentor/reflection-docblock": "To support extracting metadata from PHPDoc.",
         "psr/cache-implementation": "To use metadata caching.",
         "symfony/cache": "To have metadata caching when using Symfony integration.",
+        "symfony/expression-language": "To use authorization features.",
         "symfony/config": "To load XML configuration files.",
+        "symfony/security": "To use authorization features.",
         "symfony/twig-bundle": "To use the Swagger UI integration."
     },
     "autoload": {

features/authorization/deny.feature

@@ -6,25 +6,69 @@ Feature: Authorization checking
   @createSchema
   Scenario: An anonymous user retrieve a secured resource
     When I add "Accept" header equal to "application/ld+json"
-    And I send a "GET" request to "/secureds"
+    And I send a "GET" request to "/secured_dummies"
     Then the response status code should be 401
 
   Scenario: An authenticated user retrieve a secured resource
     When I add "Accept" header equal to "application/ld+json"
     And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
-    And I send a "GET" request to "/secureds"
+    And I send a "GET" request to "/secured_dummies"
     Then the response status code should be 200
     And the response should be in JSON
 
-  @dropSchema
-  Scenario: Only admins can create a secured resource
+
+  Scenario: A standard user cannot create a secured resource
     When I add "Accept" header equal to "application/ld+json"
+    And I add "Content-Type" header equal to "application/ld+json"
     And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
-    And I send a "POST" request to "/secureds" with body:
+    And I send a "POST" request to "/secured_dummies" with body:
     """
     {
         "title": "Title",
-        "description": "Description"
+        "description": "Description",
+        "owner": "foo"
     }
     """
     Then the response status code should be 403
+
+  Scenario: An admin can create a secured resource
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Content-Type" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic YWRtaW46a2l0dGVu"
+    And I send a "POST" request to "/secured_dummies" with body:
+    """
+    {
+        "title": "Title",
+        "description": "Description",
+        "owner": "someone"
+    }
+    """
+    Then the response status code should be 201
+
+  Scenario: An admin can create another secured resource
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Content-Type" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic YWRtaW46a2l0dGVu"
+    And I send a "POST" request to "/secured_dummies" with body:
+    """
+    {
+        "title": "Special Title",
+        "description": "Description",
+        "owner": "dunglas"
+    }
+    """
+    Then the response status code should be 201
+
+  Scenario: An user retrieve cannot retrieve an item he doesn't own
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "GET" request to "/secured_dummies/1"
+    Then the response status code should be 403
+    And the response should be in JSON
+
+  @dropSchema
+  Scenario: An user can retrieve an item he owns
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "GET" request to "/secured_dummies/2"
+    Then the response status code should be 200

src/Bridge/Doctrine/EventListener/WriteListener.php

@@ -79,7 +79,6 @@ public function onKernelView(GetResponseForControllerResultEvent $event)
     private function getManager(string $resourceClass, $data)
     {
         $objectManager = $this->managerRegistry->getManagerForClass($resourceClass);
-
         if (null === $objectManager || !is_object($data)) {
             return;
         }

src/Bridge/Symfony/Bundle/Resources/config/api.xml

@@ -89,13 +89,6 @@
         <!-- Event listeners -->
 
         <!-- kernel.request priority must be < 8 to be executed after the Firewall -->
-        <service id="api_platform.listener.request.deny_access" class="ApiPlatform\Core\EventListener\DenyAccessListener">
-            <argument type="service" id="api_platform.metadata.resource.metadata_factory" />
-            <argument type="service" id="security.authorization_checker" />
-
-            <tag name="kernel.event_listener" event="kernel.request" method="onKernelRequest" priority="7" />
-        </service>
-
         <service id="api_platform.listener.request.add_format" class="ApiPlatform\Core\EventListener\AddFormatListener">
             <argument type="service" id="api_platform.negotiator" />
             <argument>%api_platform.formats%</argument>
@@ -118,6 +111,14 @@
             <tag name="kernel.event_listener" event="kernel.request" method="onKernelRequest" priority="2" />
         </service>
 
+        <!-- This listener must be executed only when the current object is available -->
+        <service id="api_platform.listener.request.deny_access" class="ApiPlatform\Core\EventListener\DenyAccessListener">
+            <argument type="service" id="api_platform.metadata.resource.metadata_factory" />
+            <argument type="service" id="security.authorization_checker" on-invalid="ignore" />
+
+            <tag name="kernel.event_listener" event="kernel.request" method="onKernelRequest" priority="1" />
+        </service>
+
         <service id="api_platform.listener.view.validate" class="ApiPlatform\Core\Bridge\Symfony\Validator\EventListener\ValidateListener">
             <argument type="service" id="validator" />
             <argument type="service" id="api_platform.metadata.resource.metadata_factory" />

src/EventListener/DenyAccessListener.php

@@ -14,6 +14,7 @@
 use ApiPlatform\Core\Exception\RuntimeException;
 use ApiPlatform\Core\Metadata\Resource\Factory\ResourceMetadataFactoryInterface;
 use ApiPlatform\Core\Util\RequestAttributesExtractor;
+use Symfony\Component\ExpressionLanguage\Expression;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
@@ -28,7 +29,7 @@ final class DenyAccessListener
     private $resourceMetadataFactory;
     private $authorizationChecker;
 
-    public function __construct(ResourceMetadataFactoryInterface $resourceMetadataFactory, AuthorizationCheckerInterface $authorizationChecker)
+    public function __construct(ResourceMetadataFactoryInterface $resourceMetadataFactory, AuthorizationCheckerInterface $authorizationChecker = null)
     {
         $this->resourceMetadataFactory = $resourceMetadataFactory;
         $this->authorizationChecker = $authorizationChecker;
@@ -43,8 +44,10 @@ public function __construct(ResourceMetadataFactoryInterface $resourceMetadataFa
      */
     public function onKernelRequest(GetResponseEvent $event)
     {
+        $request = $event->getRequest();
+
         try {
-            $attributes = RequestAttributesExtractor::extractAttributes($event->getRequest());
+            $attributes = RequestAttributesExtractor::extractAttributes($request);
         } catch (RuntimeException $e) {
             return;
         }
@@ -61,8 +64,18 @@ public function onKernelRequest(GetResponseEvent $event)
             return;
         }
 
-        foreach ($isGranted as $attribute) {
-            if ($this->authorizationChecker->isGranted($attribute)) {
+        if (null === $this->authorizationChecker) {
+            throw new \LogicException('The "symfony/security" library must be installed to use the "is_granted" attribute.');
+        }
+
+        if (!class_exists(Expression::class)) {
+            throw new \LogicException('The "symfony/expression-language" library must be installed to use the "is_granted" attribute.');
+        }
+
+        $data = $request->attributes->get('data');
+
+        foreach ($isGranted as $expression) {
+            if ($this->authorizationChecker->isGranted(new Expression($expression), $data)) {
                 return;
             }
         }

tests/EventListener/DenyAccessListenerTest.php

@@ -14,6 +14,8 @@
 use ApiPlatform\Core\EventListener\DenyAccessListener;
 use ApiPlatform\Core\Metadata\Resource\Factory\ResourceMetadataFactoryInterface;
 use ApiPlatform\Core\Metadata\Resource\ResourceMetadata;
+use Prophecy\Argument;
+use Symfony\Component\ExpressionLanguage\Expression;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
@@ -65,19 +67,20 @@ public function testNoIsGrantedAttribute()
 
     public function testIsGranted()
     {
-        $request = new Request([], [], ['_api_resource_class' => 'Foo', '_api_collection_operation_name' => 'get']);
+        $data = new \stdClass();
+        $request = new Request([], [], ['_api_resource_class' => 'Foo', '_api_collection_operation_name' => 'get', 'data'=> $data]);
 
         $eventProphecy = $this->prophesize(GetResponseEvent::class);
         $eventProphecy->getRequest()->willReturn($request)->shouldBeCalled();
         $event = $eventProphecy->reveal();
 
-        $resourceMetadata = new ResourceMetadata(null, null, null, null, null, ['is_granted' => ['ROLE_ADMIN']]);
+        $resourceMetadata = new ResourceMetadata(null, null, null, null, null, ['is_granted' => ['has_role("ROLE_ADMIN")']]);
 
         $resourceMetadataFactoryProphecy = $this->prophesize(ResourceMetadataFactoryInterface::class);
         $resourceMetadataFactoryProphecy->create('Foo')->willReturn($resourceMetadata)->shouldBeCalled();
 
         $authorizationCheckerProphecy = $this->prophesize(AuthorizationCheckerInterface::class);
-        $authorizationCheckerProphecy->isGranted('ROLE_ADMIN')->willReturn(true)->shouldBeCalled();
+        $authorizationCheckerProphecy->isGranted(Argument::type(Expression::class), $data)->willReturn(true)->shouldBeCalled();
 
         $listener = new DenyAccessListener($resourceMetadataFactoryProphecy->reveal(), $authorizationCheckerProphecy->reveal());
         $listener->onKernelRequest($event);
@@ -94,15 +97,35 @@ public function testIsNotGranted()
         $eventProphecy->getRequest()->willReturn($request)->shouldBeCalled();
         $event = $eventProphecy->reveal();
 
-        $resourceMetadata = new ResourceMetadata(null, null, null, null, null, ['is_granted' => ['ROLE_ADMIN']]);
+        $resourceMetadata = new ResourceMetadata(null, null, null, null, null, ['is_granted' => ['has_role("ROLE_ADMIN")']]);
 
         $resourceMetadataFactoryProphecy = $this->prophesize(ResourceMetadataFactoryInterface::class);
         $resourceMetadataFactoryProphecy->create('Foo')->willReturn($resourceMetadata)->shouldBeCalled();
 
         $authorizationCheckerProphecy = $this->prophesize(AuthorizationCheckerInterface::class);
-        $authorizationCheckerProphecy->isGranted('ROLE_ADMIN')->willReturn(false)->shouldBeCalled();
+        $authorizationCheckerProphecy->isGranted(Argument::type(Expression::class), null)->willReturn(false)->shouldBeCalled();
 
         $listener = new DenyAccessListener($resourceMetadataFactoryProphecy->reveal(), $authorizationCheckerProphecy->reveal());
         $listener->onKernelRequest($event);
     }
+
+    /**
+     * @expectedException \LogicException
+     */
+    public function testAuthorizationCheckerNotAvailable()
+    {
+        $request = new Request([], [], ['_api_resource_class' => 'Foo', '_api_collection_operation_name' => 'get']);
+
+        $eventProphecy = $this->prophesize(GetResponseEvent::class);
+        $eventProphecy->getRequest()->willReturn($request)->shouldBeCalled();
+        $event = $eventProphecy->reveal();
+
+        $resourceMetadata = new ResourceMetadata(null, null, null, null, null, ['is_granted' => ['has_role("ROLE_ADMIN")']]);
+
+        $resourceMetadataFactoryProphecy = $this->prophesize(ResourceMetadataFactoryInterface::class);
+        $resourceMetadataFactoryProphecy->create('Foo')->willReturn($resourceMetadata)->shouldBeCalled();
+
+        $listener = new DenyAccessListener($resourceMetadataFactoryProphecy->reveal(), null);
+        $listener->onKernelRequest($event);
+    }
 }

tests/Fixtures/TestBundle/Entity/Secured.php renamed to tests/Fixtures/TestBundle/Entity/SecuredDummy.php

@@ -9,7 +9,7 @@
  * file that was distributed with this source code.
  */
 
-namespace Fixtures\TestBundle\Entity;
+namespace ApiPlatform\Core\Tests\Fixtures\TestBundle\Entity;
 
 use ApiPlatform\Core\Annotation\ApiResource;
 use Doctrine\ORM\Mapping as ORM;
@@ -21,18 +21,18 @@
  * @author Kévin Dunglas <[email protected]>
  *
  * @ApiResource(
- *     attributes={"is_granted"={"ROLE_USER"}},
+ *     attributes={"is_granted"={"has_role('ROLE_USER')"}},
  *     collectionOperations={
  *         "get"={"method"="GET"},
- *         "post"={"method"="POST", "is_granted"={"ROLE_ADMIN"}}
+ *         "post"={"method"="POST", "is_granted"={"has_role('ROLE_ADMIN')"}}
  *     },
  *     itemOperations={
- *         "get"={"method"="GET"}
+ *         "get"={"method"="GET", "is_granted"={"has_role('ROLE_USER') and object.getOwner() == user"}}
  *     }
  * )
  * @ORM\Entity
  */
-class Secured
+class SecuredDummy
 {
     /**
      * @var int
@@ -56,7 +56,15 @@ class Secured
      *
      * @ORM\Column
      */
-    private $description;
+    private $description = '';
+
+    /**
+     * @var string The owner
+     *
+     * @ORM\Column
+     * @Assert\NotBlank
+     */
+    private $owner;
 
     /**
      * @return int
@@ -85,4 +93,14 @@ public function setDescription(string $description)
     {
         $this->description = $description;
     }
+
+    public function getOwner(): string
+    {
+        return $this->owner;
+    }
+
+    public function setOwner(string $owner)
+    {
+        $this->owner = $owner;
+    }
 }

tests/Fixtures/app/config/security.yml

@@ -27,7 +27,7 @@ security:
             security: false
 
         default:
-            provider: in_memory
+            provider: chain_provider
             http_basic: ~
             anonymous: ~