refactor(state): merge parameter and link security

Author: soyuka

src/Metadata/HttpOperation.php

@@ -34,7 +34,7 @@ class HttpOperation extends Operation
      * @param array<int|string, string|string[]>|string|null $formats       {@see https://api-platform.com/docs/core/content-negotiation/#configuring-formats-for-a-specific-resource-or-operation}
      * @param array<int|string, string|string[]>|string|null $inputFormats  {@see https://api-platform.com/docs/core/content-negotiation/#configuring-formats-for-a-specific-resource-or-operation}
      * @param array<int|string, string|string[]>|string|null $outputFormats {@see https://api-platform.com/docs/core/content-negotiation/#configuring-formats-for-a-specific-resource-or-operation}
-     * @param array<string,array{
+     * @param Parameters|array<string,array{
      *     0: string,
      *     1: string
      * }|array{
@@ -344,11 +344,17 @@ public function withOutputFormats($outputFormats = null): static
         return $self;
     }
 
-    public function getUriVariables()
+    /**
+     * @return Parameters|array<string, mixed>
+     */
+    public function getUriVariables(): mixed
     {
         return $this->uriVariables;
     }
 
+    /**
+     * @param Parameters|array<string, mixed> $uriVariables
+     */
     public function withUriVariables($uriVariables): static
     {
         $self = clone $this;

src/Metadata/Link.php

@@ -16,7 +16,7 @@
 use ApiPlatform\OpenApi;
 
 #[\Attribute(\Attribute::TARGET_PROPERTY | \Attribute::TARGET_METHOD | \Attribute::TARGET_PARAMETER)]
-final class Link extends Parameter
+final class Link extends Parameter implements UriVariableParameterInterface
 {
     public function __construct(
         private ?string $parameterName = null,

src/Metadata/Parameter.php

@@ -133,6 +133,12 @@ public function getValue(mixed $default = new ParameterNotFound()): mixed
         return $this->extraProperties['_api_values'] ?? $default;
     }
 
+    /**
+     * Only use this in a parameter provider, the ApiPlatform\State\Provider\ParameterProvider
+     * resets this value to extract the correct value on each request.
+     * It's also possible to set the `_api_query_parameters` request attribute directly and
+     * API Platform will extract the value from there.
+     */
     public function setValue(mixed $value): static
     {
         $this->extraProperties['_api_values'] = $value;

src/Metadata/Parameters.php

@@ -122,6 +122,19 @@ public function has(string $key, string $parameterClass = QueryParameter::class)
         return false;
     }
 
+    /**
+     * @return list<string>
+     */
+    public function keys(): array
+    {
+        $keys = [];
+        foreach ($this->parameters as [$key]) {
+            $keys[] = $key;
+        }
+
+        return $keys;
+    }
+
     public function count(): int
     {
         return \count($this->parameters);

src/Metadata/UriVariableParameterInterface.php

@@ -0,0 +1,21 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Metadata;
+
+/**
+ * @experimental
+ */
+interface UriVariableParameterInterface
+{
+}

src/State/ParameterProvider/IriConverterParameterProvider.php

@@ -0,0 +1,56 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\State\ParameterProvider;
+
+use ApiPlatform\Metadata\IriConverterInterface;
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\Metadata\Parameter;
+use ApiPlatform\State\ParameterNotFound;
+use ApiPlatform\State\ParameterProviderInterface;
+
+/**
+ * @experimental
+ *
+ * @author Vincent Amstoutz
+ */
+final readonly class IriConverterParameterProvider implements ParameterProviderInterface
+{
+    public function __construct(
+        private IriConverterInterface $iriConverter,
+    ) {
+    }
+
+    public function provide(Parameter $parameter, array $parameters = [], array $context = []): ?Operation
+    {
+        $operation = $context['operation'] ?? null;
+        if (!($value = $parameter->getValue()) || $value instanceof ParameterNotFound) {
+            return $operation;
+        }
+
+        if (!\is_array($value)) {
+            $value = [$value];
+        }
+
+        $entities = [];
+        foreach ($value as $v) {
+            $entities[] = $this->iriConverter->getResourceFromIri($v, [
+                'fetch_data' => $parameter->getExtraProperties()['fetch_data'] ?? false,
+            ]);
+        }
+
+        $parameter->setValue($entities);
+
+        return $operation;
+    }
+}

src/State/ParameterProvider/ReadLinkParameterProvider.php

@@ -0,0 +1,79 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\State\ParameterProvider;
+
+use ApiPlatform\Metadata\Link;
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\Metadata\Parameter;
+use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
+use ApiPlatform\State\Exception\ProviderNotFoundException;
+use ApiPlatform\State\ParameterProviderInterface;
+use ApiPlatform\State\ProviderInterface;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+
+/**
+ * Checks if the linked resources have security attributes and prepares them for access checking.
+ *
+ * @experimental
+ */
+final class ReadLinkParameterProvider implements ParameterProviderInterface
+{
+    /**
+     * @param ProviderInterface<mixed> $locator
+     */
+    public function __construct(
+        private readonly ProviderInterface $locator,
+        private readonly ResourceMetadataCollectionFactoryInterface $resourceMetadataCollectionFactory,
+    ) {
+    }
+
+    public function provide(Parameter $parameter, array $parameters = [], array $context = []): ?Operation
+    {
+        $operation = $context['operation'];
+        $extraProperties = $parameter->getExtraProperties();
+
+        if ($parameter instanceof Link) {
+            $linkClass = $parameter->getFromClass() ?? $parameter->getToClass();
+            $securityObjectName = $parameter->getSecurityObjectName() ?? $parameter->getToProperty() ?? $parameter->getFromProperty();
+        }
+
+        $securityObjectName ??= $parameter->getKey();
+
+        $linkClass ??= $extraProperties['resource_class'] ?? $operation->getClass();
+
+        if (!$linkClass) {
+            return $operation;
+        }
+
+        $linkOperation = $this->resourceMetadataCollectionFactory
+            ->create($linkClass)
+            ->getOperation($operation->getExtraProperties()['parent_uri_template'] ?? $extraProperties['uri_template'] ?? null);
+
+        try {
+            $relation = $this->locator->provide($linkOperation, [$parameter->getKey() => $parameter->getValue()], $context);
+        } catch (ProviderNotFoundException) {
+            $relation = null;
+        }
+
+        $parameter->setValue($relation);
+
+        if (!$relation && true === ($extraProperties['throw_not_found'] ?? true)) {
+            throw new NotFoundHttpException('Relation for link security not found.');
+        }
+
+        $context['request']?->attributes->set($securityObjectName, $relation);
+
+        return $operation;
+    }
+}

src/State/Provider/ParameterProvider.php

@@ -15,9 +15,11 @@
 
 use ApiPlatform\Metadata\HttpOperation;
 use ApiPlatform\Metadata\Operation;
+use ApiPlatform\Metadata\Parameters;
 use ApiPlatform\State\Exception\ParameterNotSupportedException;
 use ApiPlatform\State\Exception\ProviderNotFoundException;
 use ApiPlatform\State\ParameterNotFound;
+use ApiPlatform\State\ParameterProvider\ReadLinkParameterProvider;
 use ApiPlatform\State\ProviderInterface;
 use ApiPlatform\State\Util\ParameterParserTrait;
 use ApiPlatform\State\Util\RequestParser;
@@ -50,25 +52,41 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
             $request->attributes->set('_api_header_parameters', $request->headers->all());
         }
 
-        $parameters = $operation->getParameters();
+        if ($request && null === $request->attributes->get('_api_path_parameters')) {
+            $request->attributes->set('_api_path_parameters', $request->attributes->all());
+        }
+
+        $parameters = $operation->getParameters() ?? new Parameters();
 
-        if ($operation instanceof HttpOperation && true === $operation->getStrictQueryParameterValidation()) {
-            $keys = [];
-            foreach ($parameters as $parameter) {
-                $keys[] = $parameter->getKey();
+        if ($operation instanceof HttpOperation) {
+            // TODO: this should return Parameters but its a BC, prepare that change in 4.3
+            foreach ($operation->getUriVariables() ?? [] as $key => $uriVariable) {
+                if ($uriVariable->getSecurity() && !$uriVariable->getProvider()) {
+                    $uriVariable = $uriVariable->withProvider(ReadLinkParameterProvider::class);
+                }
+
+                $parameters->add($key, $uriVariable->withKey($key));
             }
 
-            foreach (array_keys($request->attributes->get('_api_query_parameters')) as $key) {
-                if (!\in_array($key, $keys, true)) {
-                    throw new ParameterNotSupportedException($key);
+            if (true === $operation->getStrictQueryParameterValidation()) {
+                $keys = [];
+                foreach ($parameters as $parameter) {
+                    $keys[] = $parameter->getKey();
+                }
+
+                foreach (array_keys($request->attributes->get('_api_query_parameters')) as $key) {
+                    if (!\in_array($key, $keys, true)) {
+                        throw new ParameterNotSupportedException($key);
+                    }
                 }
             }
         }
 
-        foreach ($parameters ?? [] as $parameter) {
-            $extraProperties = $parameter->getExtraProperties();
-            unset($extraProperties['_api_values']);
-            $parameters->add($parameter->getKey(), $parameter = $parameter->withExtraProperties($extraProperties));
+        foreach ($parameters as $parameter) {
+            // we force API Platform's value extraction, use _api_query_parameters or _api_header_parameters if you need to set a value
+            if (isset($parameter->getExtraProperties()['_api_values'])) {
+                unset($parameter->getExtraProperties()['_api_values']);
+            }
 
             $context = ['operation' => $operation] + $context;
             $values = $this->getParameterValues($parameter, $request, $context);
@@ -78,14 +96,12 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
                 $value = $default;
             }
 
+            $parameter->setValue($value);
+
             if ($value instanceof ParameterNotFound) {
                 continue;
             }
 
-            $parameters->add($parameter->getKey(), $parameter = $parameter->withExtraProperties(
-                $parameter->getExtraProperties() + ['_api_values' => $value]
-            ));
-
             if (null === ($provider = $parameter->getProvider())) {
                 continue;
             }
@@ -111,7 +127,7 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
             }
         }
 
-        if ($parameters) {
+        if (\count($parameters)) {
             $operation = $operation->withParameters($parameters);
         }
         $request?->attributes->set('_api_operation', $operation);

src/State/Provider/SecurityParameterProvider.php

@@ -14,6 +14,7 @@
 namespace ApiPlatform\State\Provider;
 
 use ApiPlatform\Metadata\GraphQl\Operation as GraphQlOperation;
+use ApiPlatform\Metadata\Link;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\Metadata\ResourceAccessCheckerInterface;
 use ApiPlatform\State\ParameterNotFound;
@@ -25,11 +26,18 @@
 /**
  * Loops over parameters to check parameter security.
  * Throws an exception if security is not granted.
+ *
+ * @experimental
+ *
+ * @implements ProviderInterface<object>
  */
 final class SecurityParameterProvider implements ProviderInterface
 {
     use ParameterParserTrait;
 
+    /**
+     * @param ProviderInterface<object> $decorated
+     */
     public function __construct(private readonly ProviderInterface $decorated, private readonly ?ResourceAccessCheckerInterface $resourceAccessChecker = null)
     {
     }
@@ -41,6 +49,7 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
 
         $operation = $request?->attributes->get('_api_operation') ?? $operation;
         foreach ($operation->getParameters() ?? [] as $parameter) {
+            $extraProperties = $parameter->getExtraProperties();
             if (null === $security = $parameter->getSecurity()) {
                 continue;
             }
@@ -49,8 +58,32 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
                 continue;
             }
 
-            $securityContext = [$parameter->getKey() => $v, 'object' => $body, 'operation' => $operation];
-            if (!$this->resourceAccessChecker->isGranted($context['resource_class'], $security, $securityContext)) {
+            if ($parameter instanceof Link) {
+                $targetResource = $parameter->getFromClass() ?? $parameter->getToClass() ?? null;
+            }
+
+            $targetResource ??= $extraProperties['resource_class'] ?? $context['resource_class'] ?? null;
+
+            if (!$targetResource) {
+                continue;
+            }
+
+            if ($parameter instanceof Link) {
+                $securityObjectName = $parameter->getSecurityObjectName() ?? $parameter->getToProperty() ?? $parameter->getFromProperty() ?? null;
+            }
+
+            $securityObjectName ??= $parameter->getKey();
+
+            $securityContext = [
+                $parameter->getKey() => $v,
+                'object' => $body,
+                'operation' => $operation,
+                'previous_object' => $request?->attributes->get('previous_data'),
+                'request' => $request,
+                $securityObjectName => $request?->attributes->get($securityObjectName),
+            ];
+
+            if (!$this->resourceAccessChecker->isGranted($targetResource, $security, $securityContext)) {
                 throw $operation instanceof GraphQlOperation ? new AccessDeniedHttpException($parameter->getSecurityMessage() ?? 'Access Denied.') : new AccessDeniedException($parameter->getSecurityMessage() ?? 'Access Denied.');
             }
         }