feat(linksecurity): expand functionality to cover all combinations of to and from property and add optional object name

KDederichs · KDederichs · commit 81113bc2bc8b · 2023-01-14T16:15:34.000+01:00
diff --git a/features/authorization/deny.feature b/features/authorization/deny.feature
@@ -215,23 +215,50 @@ Feature: Authorization checking
     When I add "Accept" header equal to "application/ld+json"
     And I add "Content-Type" header equal to "application/ld+json"
     And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
-    And I send a "GET" request to "/secured_dummies/40000/related"
+    And I send a "GET" request to "/secured_dummies/40000/to_from"
     Then the response status code should be 404
 
   Scenario: An user can get related linked dummies for an secured dummy they own
     Given there are 1 SecuredDummy objects owned by dunglas with related dummies
     When I add "Accept" header equal to "application/ld+json"
     And I add "Content-Type" header equal to "application/ld+json"
     And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
-    And I send a "GET" request to "/secured_dummies/4/related"
+    And I send a "GET" request to "/secured_dummies/4/to_from"
     Then the response status code should be 200
     And the response should contain "securedDummy"
     And the JSON node "hydra:member[0].id" should be equal to 1"
 
+  Scenario: I define a custom name of the security object
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Content-Type" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "GET" request to "/secured_dummies/4/with_name"
+    Then the response status code should be 200
+    And the response should contain "securedDummy"
+    And the JSON node "hydra:member[0].id" should be equal to 1"
+
+  Scenario: I define a from from link
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Content-Type" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "GET" request to "/related_linked_dummies/1/from_from"
+    Then the response status code should be 200
+    And the response should contain "id"
+    And the JSON node "hydra:member[0].id" should be equal to 4"
+
+  Scenario: I define multiple links with security
+    When I add "Accept" header equal to "application/ld+json"
+    And I add "Content-Type" header equal to "application/ld+json"
+    And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
+    And I send a "GET" request to "/secured_dummies/4/related/1"
+    Then the response status code should be 200
+    And the response should contain "id"
+    And the JSON node "hydra:member[0].id" should be equal to 1"
+
   Scenario: An user can not get related linked dummies for an secured dummy they do not own
     Given there are 1 SecuredDummy objects owned by someone with related dummies
     When I add "Accept" header equal to "application/ld+json"
     And I add "Content-Type" header equal to "application/ld+json"
     And I add "Authorization" header equal to "Basic ZHVuZ2xhczprZXZpbg=="
-    And I send a "GET" request to "/secured_dummies/5/related"
+    And I send a "GET" request to "/secured_dummies/5/to_from"
     Then the response status code should be 403
diff --git a/src/Metadata/Link.php b/src/Metadata/Link.php
@@ -16,7 +16,7 @@
 #[\Attribute(\Attribute::TARGET_PROPERTY | \Attribute::TARGET_METHOD | \Attribute::TARGET_PARAMETER)]
 final class Link
 {
-    public function __construct(private ?string $parameterName = null, private ?string $fromProperty = null, private ?string $toProperty = null, private ?string $fromClass = null, private ?string $toClass = null, private ?array $identifiers = null, private ?bool $compositeIdentifier = null, private ?string $expandedValue = null, private ?string $security = null, private ?string $securityMessage = null)
+    public function __construct(private ?string $parameterName = null, private ?string $fromProperty = null, private ?string $toProperty = null, private ?string $fromClass = null, private ?string $toClass = null, private ?array $identifiers = null, private ?bool $compositeIdentifier = null, private ?string $expandedValue = null, private ?string $security = null, private ?string $securityMessage = null, private ?string $securityObjectName = null)
     {
         // For the inverse property shortcut
         if ($this->parameterName && class_exists($this->parameterName)) {
@@ -154,6 +154,19 @@ public function withSecurityMessage(?string $securityMessage): self
         return $self;
     }
 
+    public function getSecurityObjectName(): ?string
+    {
+        return $this->securityObjectName;
+    }
+
+    public function withSecurityObjectName(?string $securityObjectName): self
+    {
+        $self = clone $this;
+        $self->securityObjectName = $securityObjectName;
+
+        return $self;
+    }
+
     public function withLink(self $link): self
     {
         $self = clone $this;
@@ -198,6 +211,10 @@ public function withLink(self $link): self
             $self->securityMessage = $securityMessage;
         }
 
+        if (!$self->getSecurityObjectName() && ($securityObjectName = $link->getSecurityObjectName())) {
+            $self->securityObjectName = $securityObjectName;
+        }
+
         return $self;
     }
 }
diff --git a/src/Symfony/EventListener/DenyAccessListener.php b/src/Symfony/EventListener/DenyAccessListener.php
@@ -101,7 +101,13 @@ private function checkSecurity(Request $request, string $attribute, array $extra
                     continue;
                 }
 
-                if (!$this->resourceAccessChecker->isGranted($uriVariable->getFromClass(), $uriVariable->getSecurity(), $extraVariables)) {
+                $targetResource = $uriVariable->getFromClass() ?? $uriVariable->getToClass();
+
+                if (!$targetResource) {
+                    continue;
+                }
+
+                if (!$this->resourceAccessChecker->isGranted($targetResource, $uriVariable->getSecurity(), $extraVariables)) {
                     throw new AccessDeniedException($uriVariable->getSecurityMessage() ?? 'Access Denied.');
                 }
             }
diff --git a/src/Symfony/EventListener/ReadListener.php b/src/Symfony/EventListener/ReadListener.php
@@ -110,13 +110,28 @@ public function onKernelRequest(RequestEvent $event): void
                 if (!$uriVariable instanceof Link || !$uriVariable->getSecurity()) {
                     continue;
                 }
-                $relationClass = $uriVariable->getFromClass();
+                $relationClass = $uriVariable->getFromClass() ?? $uriVariable->getToClass();
+
+                if (!$relationClass) {
+                    continue;
+                }
+
                 try {
                     $tmp = $this->provider->provide($this->resourceMetadataCollectionFactory->create($relationClass)->getOperation(null, false, true), [$uriVariable->getIdentifiers()[0] => $parameters[$key]], $context);
                     if (null === $tmp) {
                         throw new NotFoundHttpException('Not Found');
                     }
-                    $request->attributes->set($uriVariable->getToProperty(), $tmp);
+                    $securityObjectName = $uriVariable->getSecurityObjectName();
+
+                    if (!$securityObjectName) {
+                        $securityObjectName = $uriVariable->getToProperty() ?? $uriVariable->getFromProperty();
+                    }
+
+                    if (!$securityObjectName) {
+                        continue;
+                    }
+
+                    $request->attributes->set($securityObjectName, $tmp);
                 } catch (InvalidIdentifierException|InvalidUriVariableException $e) {
                     throw new NotFoundHttpException('Invalid identifier value or configuration.', $e);
                 }
diff --git a/tests/Fixtures/TestBundle/Document/RelatedLinkedDummy.php b/tests/Fixtures/TestBundle/Document/RelatedLinkedDummy.php
@@ -21,12 +21,27 @@
 
 #[ApiResource()]
 #[ApiResource(
-    uriTemplate: '/secured_dummies/{securedDummyId}/related',
+    uriTemplate: '/secured_dummies/{securedDummyId}/to_from',
     operations: [new GetCollection()],
     uriVariables: [
         'securedDummyId' => new Link(toProperty: 'securedDummy', fromClass: SecuredDummy::class, security: "is_granted('ROLE_USER') and securedDummy.getOwner() == user"),
     ]
 )]
+#[ApiResource(
+    uriTemplate: '/secured_dummies/{securedDummyId}/with_name',
+    operations: [new GetCollection()],
+    uriVariables: [
+        'securedDummyId' => new Link(toProperty: 'securedDummy', fromClass: SecuredDummy::class, security: "is_granted('ROLE_USER') and testObj.getOwner() == user", securityObjectName: 'testObj'),
+    ]
+)]
+#[ApiResource(
+    uriTemplate: '/secured_dummies/{securedDummyId}/related/{id}',
+    operations: [new GetCollection()],
+    uriVariables: [
+        'securedDummyId' => new Link(toProperty: 'securedDummy', fromClass: SecuredDummy::class, security: "is_granted('ROLE_USER') and securedDummy.getOwner() == user"),
+        'id' => new Link(fromClass: RelatedLinkedDummy::class, security: "is_granted('ROLE_USER') and testObj.getSecuredDummy().getOwner() == user", securityObjectName: 'testObj'),
+    ]
+)]
 #[ODM\Document]
 class RelatedLinkedDummy
 {
diff --git a/tests/Fixtures/TestBundle/Document/SecuredDummy.php b/tests/Fixtures/TestBundle/Document/SecuredDummy.php
@@ -20,6 +20,7 @@
 use ApiPlatform\Metadata\GraphQl\Mutation;
 use ApiPlatform\Metadata\GraphQl\Query;
 use ApiPlatform\Metadata\GraphQl\QueryCollection;
+use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\Metadata\Put;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -34,6 +35,13 @@
  * @author Alan Poulain <contact@alanpoulain.eu>
  */
 #[ApiResource(operations: [new Get(security: 'is_granted(\'ROLE_USER\') and object.getOwner() == user'), new Put(securityPostDenormalize: 'is_granted(\'ROLE_USER\') and previous_object.getOwner() == user'), new GetCollection(security: 'is_granted(\'ROLE_USER\') or is_granted(\'ROLE_ADMIN\')'), new GetCollection(uriTemplate: 'custom_data_provider_generator', security: 'is_granted(\'ROLE_USER\')'), new Post(security: 'is_granted(\'ROLE_ADMIN\')')], graphQlOperations: [new Query(name: 'item_query', security: 'is_granted(\'ROLE_ADMIN\') or (is_granted(\'ROLE_USER\') and object.getOwner() == user)'), new QueryCollection(name: 'collection_query', security: 'is_granted(\'ROLE_ADMIN\')'), new Mutation(name: 'delete'), new Mutation(name: 'update', securityPostDenormalize: 'is_granted(\'ROLE_USER\') and previous_object.getOwner() ==  user'), new Mutation(name: 'create', security: 'is_granted(\'ROLE_ADMIN\')', securityMessage: 'Only admins can create a secured dummy.')], security: 'is_granted(\'ROLE_USER\')')]
+#[ApiResource(
+    uriTemplate: '/related_linked_dummies/{relatedDummyId}/from_from',
+    operations: [new GetCollection()],
+    uriVariables: [
+        'relatedDummyId' => new Link(fromProperty: 'securedDummy', fromClass: RelatedLinkedDummy::class, security: "is_granted('ROLE_USER') and relatedDummy.getSecuredDummy().getOwner() == user", securityObjectName: 'relatedDummy'),
+    ]
+)]
 #[ODM\Document]
 class SecuredDummy
 {
diff --git a/tests/Fixtures/TestBundle/Entity/RelatedLinkedDummy.php b/tests/Fixtures/TestBundle/Entity/RelatedLinkedDummy.php
@@ -21,12 +21,27 @@
 
 #[ApiResource()]
 #[ApiResource(
-    uriTemplate: '/secured_dummies/{securedDummyId}/related',
+    uriTemplate: '/secured_dummies/{securedDummyId}/to_from',
     operations: [new GetCollection()],
     uriVariables: [
         'securedDummyId' => new Link(toProperty: 'securedDummy', fromClass: SecuredDummy::class, security: "is_granted('ROLE_USER') and securedDummy.getOwner() == user"),
     ]
 )]
+#[ApiResource(
+    uriTemplate: '/secured_dummies/{securedDummyId}/with_name',
+    operations: [new GetCollection()],
+    uriVariables: [
+        'securedDummyId' => new Link(toProperty: 'securedDummy', fromClass: SecuredDummy::class, security: "is_granted('ROLE_USER') and testObj.getOwner() == user", securityObjectName: 'testObj'),
+    ]
+)]
+#[ApiResource(
+    uriTemplate: '/secured_dummies/{securedDummyId}/related/{id}',
+    operations: [new GetCollection()],
+    uriVariables: [
+        'securedDummyId' => new Link(toProperty: 'securedDummy', fromClass: SecuredDummy::class, security: "is_granted('ROLE_USER') and securedDummy.getOwner() == user"),
+        'id' => new Link(fromClass: RelatedLinkedDummy::class, security: "is_granted('ROLE_USER') and testObj.getSecuredDummy().getOwner() == user", securityObjectName: 'testObj'),
+    ]
+)]
 #[Entity]
 class RelatedLinkedDummy
 {
diff --git a/tests/Fixtures/TestBundle/Entity/SecuredDummy.php b/tests/Fixtures/TestBundle/Entity/SecuredDummy.php
@@ -20,6 +20,7 @@
 use ApiPlatform\Metadata\GraphQl\Mutation;
 use ApiPlatform\Metadata\GraphQl\Query;
 use ApiPlatform\Metadata\GraphQl\QueryCollection;
+use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Post;
 use ApiPlatform\Metadata\Put;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -33,6 +34,13 @@
  * @author Kévin Dunglas <dunglas@gmail.com>
  */
 #[ApiResource(operations: [new Get(security: 'is_granted(\'ROLE_USER\') and object.getOwner() == user'), new Put(securityPostDenormalize: 'is_granted(\'ROLE_USER\') and previous_object.getOwner() == user'), new GetCollection(security: 'is_granted(\'ROLE_USER\') or is_granted(\'ROLE_ADMIN\')'), new GetCollection(uriTemplate: 'custom_data_provider_generator', security: 'is_granted(\'ROLE_USER\')'), new Post(security: 'is_granted(\'ROLE_ADMIN\')')], graphQlOperations: [new Query(name: 'item_query', security: 'is_granted(\'ROLE_ADMIN\') or (is_granted(\'ROLE_USER\') and object.getOwner() == user)'), new QueryCollection(name: 'collection_query', security: 'is_granted(\'ROLE_ADMIN\')'), new Mutation(name: 'delete'), new Mutation(name: 'update', securityPostDenormalize: 'is_granted(\'ROLE_USER\') and previous_object.getOwner() == user'), new Mutation(name: 'create', security: 'is_granted(\'ROLE_ADMIN\')', securityMessage: 'Only admins can create a secured dummy.')], security: 'is_granted(\'ROLE_USER\')')]
+#[ApiResource(
+    uriTemplate: '/related_linked_dummies/{relatedDummyId}/from_from',
+    operations: [new GetCollection()],
+    uriVariables: [
+        'relatedDummyId' => new Link(fromProperty: 'securedDummy', fromClass: RelatedLinkedDummy::class, security: "is_granted('ROLE_USER') and relatedDummy.getSecuredDummy().getOwner() == user", securityObjectName: 'relatedDummy'),
+    ]
+)]
 #[ORM\Entity]
 class SecuredDummy
 {

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@`
`16`	`16`	`#[\Attribute(\Attribute::TARGET_PROPERTY \| \Attribute::TARGET_METHOD \| \Attribute::TARGET_PARAMETER)]`
`17`	`17`	`final class Link`
`18`	`18`	`{`
`19`		`- public function __construct(private ?string $parameterName = null, private ?string $fromProperty = null, private ?string $toProperty = null, private ?string $fromClass = null, private ?string $toClass = null, private ?array $identifiers = null, private ?bool $compositeIdentifier = null, private ?string $expandedValue = null, private ?string $security = null, private ?string $securityMessage = null)`
	`19`	`+ public function __construct(private ?string $parameterName = null, private ?string $fromProperty = null, private ?string $toProperty = null, private ?string $fromClass = null, private ?string $toClass = null, private ?array $identifiers = null, private ?bool $compositeIdentifier = null, private ?string $expandedValue = null, private ?string $security = null, private ?string $securityMessage = null, private ?string $securityObjectName = null)`
`20`	`20`	`{`
`21`	`21`	`// For the inverse property shortcut`
`22`	`22`	`if ($this->parameterName && class_exists($this->parameterName)) {`
`@@ -154,6 +154,19 @@ public function withSecurityMessage(?string $securityMessage): self`
`154`	`154`	`return $self;`
`155`	`155`	`}`
`156`	`156`
	`157`	`+ public function getSecurityObjectName(): ?string`
	`158`	`+ {`
	`159`	`+ return $this->securityObjectName;`
	`160`	`+ }`
	`161`	`+`
	`162`	`+ public function withSecurityObjectName(?string $securityObjectName): self`
	`163`	`+ {`
	`164`	`+ $self = clone $this;`
	`165`	`+ $self->securityObjectName = $securityObjectName;`
	`166`	`+`
	`167`	`+ return $self;`
	`168`	`+ }`
	`169`	`+`
`157`	`170`	`public function withLink(self $link): self`
`158`	`171`	`{`
`159`	`172`	`$self = clone $this;`
`@@ -198,6 +211,10 @@ public function withLink(self $link): self`
`198`	`211`	`$self->securityMessage = $securityMessage;`
`199`	`212`	`}`
`200`	`213`
	`214`	`+ if (!$self->getSecurityObjectName() && ($securityObjectName = $link->getSecurityObjectName())) {`
	`215`	`+ $self->securityObjectName = $securityObjectName;`
	`216`	`+ }`
	`217`	`+`
`201`	`218`	`return $self;`
`202`	`219`	`}`
`203`	`220`	`}`
Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,13 @@ private function checkSecurity(Request $request, string $attribute, array $extra`
`101`	`101`	`continue;`
`102`	`102`	`}`
`103`	`103`
`104`		`- if (!$this->resourceAccessChecker->isGranted($uriVariable->getFromClass(), $uriVariable->getSecurity(), $extraVariables)) {`
	`104`	`+ $targetResource = $uriVariable->getFromClass() ?? $uriVariable->getToClass();`
	`105`	`+`
	`106`	`+ if (!$targetResource) {`
	`107`	`+ continue;`
	`108`	`+ }`
	`109`	`+`
	`110`	`+ if (!$this->resourceAccessChecker->isGranted($targetResource, $uriVariable->getSecurity(), $extraVariables)) {`
`105`	`111`	`throw new AccessDeniedException($uriVariable->getSecurityMessage() ?? 'Access Denied.');`
`106`	`112`	`}`
`107`	`113`	`}`