[Security] Add strategy resolvers

symfony · fancyweb · Jan 6, 2017 · Jan 6, 2017 · Jan 6, 2017 · Jan 6, 2017
commit 3eafdf2b4ca61e885bf4fce364a4e2fb1ea8eaf5
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddStrategyResolversPass.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddStrategyResolversPass.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler;
+
+use Symfony\Component\DependencyInjection\Reference;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+
+class AddStrategyResolversPass implements CompilerPassInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function process(ContainerBuilder $container)
+    {
+        if (!$container->hasDefinition('security.access.decision_manager')) {
+            return;
+        }
+
+        $strategyResolvers = new \SplPriorityQueue();
+        foreach ($container->findTaggedServiceIds('security.strategy_resolver') as $id => $attributes) {
+            $class = $container->getDefinition($id)->getClass();
+            $interface = 'Symfony\Component\Security\Core\Authorization\StrategyResolverInterface';
+            if (!is_subclass_of($class, $interface)) {
+                throw new \InvalidArgumentException(sprintf('Service "%s" must implement interface "%s".', $id, $interface));
+            }
+
+            $priority = isset($attributes[0]['priority']) ? $attributes[0]['priority'] : 0;
+            $strategyResolvers->insert(new Reference($id), $priority);
+        }
+
+        $strategyResolvers = iterator_to_array($strategyResolvers);
+        ksort($strategyResolvers);
+
+        $container->getDefinition('security.access.decision_manager')->replaceArgument(4, array_values($strategyResolvers));
+    }
+}
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -84,6 +84,7 @@ public function load(array $configs, ContainerBuilder $container)
             ->addArgument($config['access_decision_manager']['strategy'])
             ->addArgument($config['access_decision_manager']['allow_if_all_abstain'])
             ->addArgument($config['access_decision_manager']['allow_if_equal_granted_denied'])
+            ->addArgument(array());
         ;
         $container->setParameter('security.access.always_authenticate_before_granting', $config['always_authenticate_before_granting']);
         $container->setParameter('security.authentication.hide_user_not_found', $config['hide_user_not_found']);

diff --git a/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php b/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
@@ -15,6 +15,7 @@
 use Symfony\Component\HttpKernel\Bundle\Bundle;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddSecurityVotersPass;
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddStrategyResolversPass;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FormLoginFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\FormLoginLdapFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\HttpBasicFactory;
@@ -57,5 +58,6 @@ public function build(ContainerBuilder $container)
         $extension->addUserProviderFactory(new InMemoryFactory());
         $extension->addUserProviderFactory(new LdapFactory());
         $container->addCompilerPass(new AddSecurityVotersPass());
+        $container->addCompilerPass(new AddStrategyResolversPass());
     }
 }
diff --git a/src/Symfony/Component/Security/Core/Authorization/AccessDecisionManager.php b/src/Symfony/Component/Security/Core/Authorization/AccessDecisionManager.php
@@ -27,29 +27,35 @@ class AccessDecisionManager implements AccessDecisionManagerInterface
     const STRATEGY_UNANIMOUS = 'unanimous';
 
     private $voters;
-    private $strategy;
+    private $defaultStrategyMethod;
     private $allowIfAllAbstainDecisions;
     private $allowIfEqualGrantedDeniedDecisions;
 
+    /**
+     * @var array
+     */
+    private $strategyResolvers;
+
     /**
      * Constructor.
      *
-     * @param VoterInterface[] $voters                             An array of VoterInterface instances
-     * @param string           $strategy                           The vote strategy
-     * @param bool             $allowIfAllAbstainDecisions         Whether to grant access if all voters abstained or not
-     * @param bool             $allowIfEqualGrantedDeniedDecisions Whether to grant access if result are equals
+     * @param VoterInterface[]            $voters                             An array of VoterInterface instances
+     * @param string                      $defaultStrategy                    The vote default strategy
+     * @param bool                        $allowIfAllAbstainDecisions         Whether to grant access if all voters abstained or not
+     * @param bool                        $allowIfEqualGrantedDeniedDecisions Whether to grant access if result are equals
+     * @param StrategyResolverInterface[] $strategyResolvers                  An array of StrategyResolver instances
      *
      * @throws \InvalidArgumentException
      */
-    public function __construct(array $voters = array(), $strategy = self::STRATEGY_AFFIRMATIVE, $allowIfAllAbstainDecisions = false, $allowIfEqualGrantedDeniedDecisions = true)
+    public function __construct(array $voters = array(), $defaultStrategy = self::STRATEGY_AFFIRMATIVE, $allowIfAllAbstainDecisions = false, $allowIfEqualGrantedDeniedDecisions = true, array $strategyResolvers = array())
     {
-        $strategyMethod = 'decide'.ucfirst($strategy);
-        if (!is_callable(array($this, $strategyMethod))) {
-            throw new \InvalidArgumentException(sprintf('The strategy "%s" is not supported.', $strategy));
+        $defaultStrategyMethod = $this->getStrategyMethod($defaultStrategy);
+        if (!is_callable(array($this, $defaultStrategyMethod))) {
+            throw new \InvalidArgumentException(sprintf('The strategy "%s" is not supported.', $defaultStrategy));
         }
 
         $this->voters = $voters;
-        $this->strategy = $strategyMethod;
+        $this->defaultStrategyMethod = $defaultStrategyMethod;
         $this->allowIfAllAbstainDecisions = (bool) $allowIfAllAbstainDecisions;
         $this->allowIfEqualGrantedDeniedDecisions = (bool) $allowIfEqualGrantedDeniedDecisions;
     }
@@ -69,7 +75,27 @@ public function setVoters(array $voters)
      */
     public function decide(TokenInterface $token, array $attributes, $object = null)
     {
-        return $this->{$this->strategy}($token, $attributes, $object);
+        $strategyMethod = $this->defaultStrategyMethod;
+        /* @var $strategyResolver StrategyResolverInterface */
+        foreach ($this->strategyResolvers as $strategyResolver) {
+            if ($strategyResolver->supports($token, $attributes, $object)) {
+                $resolvedStrategy = $strategyResolver->getStrategy($token, $attributes, $object);
+                if (!is_string($resolvedStrategy)) {
+                    continue;
+                }
+
+                $resolvedStrategyMethod = $this->getStrategyMethod($resolvedStrategy);
+                if (!is_callable(array($this, $resolvedStrategyMethod))) {
+                    continue;
+                }
+
+                $strategyMethod = $resolvedStrategyMethod;
+
+                break;
+            }
+        }
+
+        return $this->{$strategyMethod}($token, $attributes, $object);
     }
 
     /**
@@ -188,4 +214,14 @@ private function decideUnanimous(TokenInterface $token, array $attributes, $obje
 
         return $this->allowIfAllAbstainDecisions;
     }
+
+    /**
+     * @param string $strategy
+     *
+     * @return string
+     */
+    private function getStrategyMethod($strategy)
+    {
+        return 'decide' . ucfirst($strategy);
+    }
 }
diff --git a/src/Symfony/Component/Security/Core/Authorization/StrategyResolverInterface.php b/src/Symfony/Component/Security/Core/Authorization/StrategyResolverInterface.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authorization;
+
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+
+interface StrategyResolverInterface
+{
+     * This method must return one of the following constants from the AccessDecisionManager :
+     * STRATEGY_AFFIRMATIVE, STRATEGY_CONSENSUS, or STRATEGY_UNANIMOUS.
+     *
+     * @param TokenInterface $token
+     * @param array $attributes
+     * @param mixed $object
+     *
+     * @return string
+     */
+    public function getStrategy(TokenInterface $token, array $attributes, $object = null);
+
+    /**
+     * @param TokenInterface $token
+     * @param array $attributes
+     * @param null $object
+     *
+     * @return bool
+     */
+    public function supports(TokenInterface $token, array $attributes, $object = null);
+}