Allow to configure auth access from the resource class

dunglas · dunglas · commit 24cdab23f8dd · 2017-02-08T23:24:15.000+01:00
diff --git a/features/authorization/deny.feature b/features/authorization/deny.feature
@@ -0,0 +1,30 @@
+Feature: Authorization checking
+  In order to use the API
+  As a client software developer
+  I need to be authorized to access a given resource.
+
+  @createSchema
+  Scenario: An anonymous user retrieve a secured resource
+    When I add "Accept" header equal to "application/ld+json"
+    And I send a "GET" request to "/secureds"
+    Then the response status code should be 401
+
+  Scenario: An authenticated user retrieve a secured resource
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "GET" request to "/secureds"
+    Then the response status code should be 200
+    And the response should be in JSON
+
+  @dropSchema
+  Scenario: Only admins can create a secured resource
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "POST" request to "/secureds" with body:
+    """
+    {
+        "title": "Title",
+        "description": "Description"
+    }
+    """
+    Then the response status code should be 403
diff --git a/src/Bridge/Symfony/Bundle/Resources/config/api.xml b/src/Bridge/Symfony/Bundle/Resources/config/api.xml
@@ -88,14 +88,21 @@
 
         <!-- Event listeners -->
 
+        <!-- kernel.request priority must be < 8 to be executed after the Firewall -->
+        <service id="api_platform.listener.request.deny_access" class="ApiPlatform\Core\EventListener\DenyAccessListener">
+            <argument type="service" id="api_platform.metadata.resource.metadata_factory" />
+            <argument type="service" id="security.authorization_checker" />
+
+            <tag name="kernel.event_listener" event="kernel.request" method="onKernelRequest" priority="7" />
+        </service>
+
         <service id="api_platform.listener.request.add_format" class="ApiPlatform\Core\EventListener\AddFormatListener">
             <argument type="service" id="api_platform.negotiator" />
             <argument>%api_platform.formats%</argument>
 
             <tag name="kernel.event_listener" event="kernel.request" method="onKernelRequest" priority="7" />
         </service>
 
-        <!-- kernel.request priority must be < 8 to be executed after the Firewall -->
         <service id="api_platform.listener.request.read" class="ApiPlatform\Core\EventListener\ReadListener">
             <argument type="service" id="api_platform.collection_data_provider" />
             <argument type="service" id="api_platform.item_data_provider" />
diff --git a/src/EventListener/DenyAccessListener.php b/src/EventListener/DenyAccessListener.php
@@ -0,0 +1,72 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace ApiPlatform\Core\EventListener;
+
+use ApiPlatform\Core\Exception\RuntimeException;
+use ApiPlatform\Core\Metadata\Resource\Factory\ResourceMetadataFactoryInterface;
+use ApiPlatform\Core\Util\RequestAttributesExtractor;
+use Symfony\Component\HttpKernel\Event\GetResponseEvent;
+use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+
+/**
+ * Denies access to the current resource if the logged user doesn't have sufficient permissions.
+ *
+ * @author Kévin Dunglas <dunglas@gmail.com>
+ */
+final class DenyAccessListener
+{
+    private $resourceMetadataFactory;
+    private $authorizationChecker;
+
+    public function __construct(ResourceMetadataFactoryInterface $resourceMetadataFactory, AuthorizationCheckerInterface $authorizationChecker)
+    {
+        $this->resourceMetadataFactory = $resourceMetadataFactory;
+        $this->authorizationChecker = $authorizationChecker;
+    }
+
+    /**
+     * Sets the applicable format to the HttpFoundation Request.
+     *
+     * @param GetResponseEvent $event
+     *
+     * @throws AccessDeniedException
+     */
+    public function onKernelRequest(GetResponseEvent $event)
+    {
+        try {
+            $attributes = RequestAttributesExtractor::extractAttributes($event->getRequest());
+        } catch (RuntimeException $e) {
+            return;
+        }
+
+        $resourceMetadata = $this->resourceMetadataFactory->create($attributes['resource_class']);
+
+        if (isset($attributes['collection_operation_name'])) {
+            $isGranted = $resourceMetadata->getCollectionOperationAttribute($attributes['collection_operation_name'], 'is_granted', null, true);
+        } else {
+            $isGranted = $resourceMetadata->getItemOperationAttribute($attributes['item_operation_name'], 'is_granted', null, true);
+        }
+
+        if (null === $isGranted) {
+            return;
+        }
+
+        foreach ($isGranted as $attribute) {
+            if ($this->authorizationChecker->isGranted($attribute)) {
+                return;
+            }
+        }
+
+        throw new AccessDeniedException();
+    }
+}
diff --git a/tests/Bridge/Symfony/Bundle/DependencyInjection/ApiPlatformExtensionTest.php b/tests/Bridge/Symfony/Bundle/DependencyInjection/ApiPlatformExtensionTest.php
@@ -290,6 +290,7 @@ private function getContainerBuilderProphecy()
             'api_platform.listener.view.respond',
             'api_platform.listener.view.serialize',
             'api_platform.listener.view.validate',
+            'api_platform.listener.request.deny_access',
             'api_platform.metadata.extractor.yaml',
             'api_platform.metadata.extractor.xml',
             'api_platform.metadata.property.metadata_factory.annotation',
diff --git a/tests/EventListener/DenyAccessListenerTest.php b/tests/EventListener/DenyAccessListenerTest.php
@@ -0,0 +1,108 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace ApiPlatform\Core\Tests\EventListener;
+
+use ApiPlatform\Core\EventListener\DenyAccessListener;
+use ApiPlatform\Core\Metadata\Resource\Factory\ResourceMetadataFactoryInterface;
+use ApiPlatform\Core\Metadata\Resource\ResourceMetadata;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Event\GetResponseEvent;
+use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+
+/**
+ * @author Kévin Dunglas <dunglas@gmail.com>
+ */
+class DenyAccessListenerTest extends \PHPUnit_Framework_TestCase
+{
+    public function testNoResourceClass()
+    {
+        $request = new Request();
+
+        $eventProphecy = $this->prophesize(GetResponseEvent::class);
+        $eventProphecy->getRequest()->willReturn($request)->shouldBeCalled();
+        $event = $eventProphecy->reveal();
+
+        $resourceMetadataFactoryProphecy = $this->prophesize(ResourceMetadataFactoryInterface::class);
+        $resourceMetadataFactoryProphecy->create()->shouldNotBeCalled();
+        $resourceMetadataFactory = $resourceMetadataFactoryProphecy->reveal();
+
+        $authorizationCheckerProphecy = $this->prophesize(AuthorizationCheckerInterface::class);
+        $authorizationCheckerProphecy->isGranted()->shouldNotBeCalled();
+        $authorizationChecker = $authorizationCheckerProphecy->reveal();
+
+        $listener = new DenyAccessListener($resourceMetadataFactory, $authorizationChecker);
+        $listener->onKernelRequest($event);
+    }
+
+    public function testNoIsGrantedAttribute()
+    {
+        $request = new Request([], [], ['_api_resource_class' => 'Foo', '_api_collection_operation_name' => 'get']);
+
+        $eventProphecy = $this->prophesize(GetResponseEvent::class);
+        $eventProphecy->getRequest()->willReturn($request)->shouldBeCalled();
+        $event = $eventProphecy->reveal();
+
+        $resourceMetadata = new ResourceMetadata();
+
+        $resourceMetadataFactoryProphecy = $this->prophesize(ResourceMetadataFactoryInterface::class);
+        $resourceMetadataFactoryProphecy->create('Foo')->willReturn($resourceMetadata)->shouldBeCalled();
+
+        $authorizationCheckerProphecy = $this->prophesize(AuthorizationCheckerInterface::class);
+        $authorizationCheckerProphecy->isGranted()->shouldNotBeCalled();
+
+        $listener = new DenyAccessListener($resourceMetadataFactoryProphecy->reveal(), $authorizationCheckerProphecy->reveal());
+        $listener->onKernelRequest($event);
+    }
+
+    public function testIsGranted()
+    {
+        $request = new Request([], [], ['_api_resource_class' => 'Foo', '_api_collection_operation_name' => 'get']);
+
+        $eventProphecy = $this->prophesize(GetResponseEvent::class);
+        $eventProphecy->getRequest()->willReturn($request)->shouldBeCalled();
+        $event = $eventProphecy->reveal();
+
+        $resourceMetadata = new ResourceMetadata(null, null, null, null, null, ['is_granted' => ['ROLE_ADMIN']]);
+
+        $resourceMetadataFactoryProphecy = $this->prophesize(ResourceMetadataFactoryInterface::class);
+        $resourceMetadataFactoryProphecy->create('Foo')->willReturn($resourceMetadata)->shouldBeCalled();
+
+        $authorizationCheckerProphecy = $this->prophesize(AuthorizationCheckerInterface::class);
+        $authorizationCheckerProphecy->isGranted('ROLE_ADMIN')->willReturn(true)->shouldBeCalled();
+
+        $listener = new DenyAccessListener($resourceMetadataFactoryProphecy->reveal(), $authorizationCheckerProphecy->reveal());
+        $listener->onKernelRequest($event);
+    }
+
+    /**
+     * @expectedException \Symfony\Component\Security\Core\Exception\AccessDeniedException
+     */
+    public function testIsNotGranted()
+    {
+        $request = new Request([], [], ['_api_resource_class' => 'Foo', '_api_collection_operation_name' => 'get']);
+
+        $eventProphecy = $this->prophesize(GetResponseEvent::class);
+        $eventProphecy->getRequest()->willReturn($request)->shouldBeCalled();
+        $event = $eventProphecy->reveal();
+
+        $resourceMetadata = new ResourceMetadata(null, null, null, null, null, ['is_granted' => ['ROLE_ADMIN']]);
+
+        $resourceMetadataFactoryProphecy = $this->prophesize(ResourceMetadataFactoryInterface::class);
+        $resourceMetadataFactoryProphecy->create('Foo')->willReturn($resourceMetadata)->shouldBeCalled();
+
+        $authorizationCheckerProphecy = $this->prophesize(AuthorizationCheckerInterface::class);
+        $authorizationCheckerProphecy->isGranted('ROLE_ADMIN')->willReturn(true)->shouldBeCalled();
+
+        $listener = new DenyAccessListener($resourceMetadataFactoryProphecy->reveal(), $authorizationCheckerProphecy->reveal());
+        $listener->onKernelRequest($event);
+    }
+}
diff --git a/tests/Fixtures/TestBundle/Entity/Secured.php b/tests/Fixtures/TestBundle/Entity/Secured.php
@@ -0,0 +1,88 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Fixtures\TestBundle\Entity;
+
+use ApiPlatform\Core\Annotation\ApiResource;
+use Doctrine\ORM\Mapping as ORM;
+use Symfony\Component\Validator\Constraints as Assert;
+
+/**
+ * Secured resource.
+ *
+ * @author Kévin Dunglas <dunglas@gmail.com>
+ *
+ * @ApiResource(
+ *     attributes={"is_granted"={"ROLE_USER"}},
+ *     collectionOperations={
+ *         "get"={"method"="GET"},
+ *         "post"={"method"="POST", "is_granted"={"ROLE_ADMIN"}}
+ *     },
+ *     itemOperations={
+ *         "get"={"method"="GET"}
+ *     }
+ * )
+ * @ORM\Entity
+ */
+class Secured
+{
+    /**
+     * @var int
+     *
+     * @ORM\Column(type="integer")
+     * @ORM\Id
+     * @ORM\GeneratedValue(strategy="AUTO")
+     */
+    private $id;
+
+    /**
+     * @var string The title
+     *
+     * @ORM\Column
+     * @Assert\NotBlank
+     */
+    private $title;
+
+    /**
+     * @var string The description
+     *
+     * @ORM\Column
+     */
+    private $description;
+
+    /**
+     * @return int
+     */
+    public function getId(): int
+    {
+        return $this->id;
+    }
+
+    public function getTitle(): string
+    {
+        return $this->title;
+    }
+
+    public function setTitle(string $title)
+    {
+        $this->title = $title;
+    }
+
+    public function getDescription()
+    {
+        return $this->description;
+    }
+
+    public function setDescription(string $description)
+    {
+        $this->description = $description;
+    }
+}
diff --git a/tests/Fixtures/app/config/security.yml b/tests/Fixtures/app/config/security.yml
@@ -1,23 +1,34 @@
 security:
     encoders:
-        FOS\UserBundle\Model\UserInterface: plaintext
+        # Don't use plaintext in production!
+        Symfony\Component\Security\Core\User\UserInterface: plaintext
 
     providers:
+        chain_provider:
+            chain:
+                providers: [in_memory, fos_userbundle]
+
+        in_memory:
+            memory:
+                users:
+                    dunglas:
+                        password: kevin
+                        roles: 'ROLE_USER'
+                    admin:
+                        password: kitten
+                        roles: 'ROLE_ADMIN'
+
         fos_userbundle:
             id: fos_user.user_provider.username_email
 
     firewalls:
         dev:
-            pattern:   ^/(_(profiler|wdt|error)|css|images|js)/
-            security:  false
-
-        api:
-            pattern:  ^/
+            pattern: ^/(_(profiler|wdt|error)|css|images|js)/
             security: false
-            stateless: true
-            anonymous: true
 
-        anonymous:
+        default:
+            provider: in_memory
+            http_basic: ~
             anonymous: ~
 
     access_control:
