Allow excluding disallowed classes based on attribute

Author: morrislaptop

docs/custom-rules.md

@@ -130,6 +130,23 @@ parameters:
 This config would disallow all `pcntl` functions except (an imaginary) `pcntl_foobar()`.
 Please note `exclude` also accepts [`fnmatch`](https://www.php.net/function.fnmatch) patterns so please be careful to not create a contradicting config, and that it can accept both a string and an array of strings.
 
+### Wildcards, except when having an attribute
+
+If there's this one class (or multiple of them) that you'd like to exclude from the set, you can do that with `excludeWithAttribute`:
+
+```neon
+parameters:
+    disallowedClasses:
+        -
+            class: 'App\PrivateModule\*'
+            excludeWithAttribute:
+                - '\App\Support\IsPublic'
+```
+
+This config would disallow all `App\PrivateModule\*` classes except those classes marked with a `#[\App\Support\IsPublic] attribute`.
+
+Please note `excludeWithAttribute` also accepts [`fnmatch`](https://www.php.net/function.fnmatch) patterns, and that it can accept both a string and an array of strings.
+
 ### Wildcards, except when defined in this path
 
 Another option how to limit the set of functions or methods selected by the `function` or `method` directive is a file path in which these are defined which mostly makes sense when a [`fnmatch`](https://www.php.net/function.fnmatch) pattern is used in those directives.

extension.neon

@@ -20,6 +20,7 @@ parametersSchema:
 			?namespace: anyOf(string(), listOf(string())),
 			?class: anyOf(string(), listOf(string())),
 			?exclude: anyOf(string(), listOf(string())),
+			?excludeWithAttribute: anyOf(string(), listOf(string())),
 			?message: string(),
 			?allowIn: listOf(string()),
 			?allowExceptIn: listOf(string()),
@@ -49,6 +50,7 @@ parametersSchema:
 			?namespace: anyOf(string(), listOf(string())),
 			?class: anyOf(string(), listOf(string())),
 			?exclude: anyOf(string(), listOf(string())),
+			?excludeWithAttribute: anyOf(string(), listOf(string())),
 			?message: string(),
 			?allowIn: listOf(string()),
 			?allowExceptIn: listOf(string()),

src/DisallowedNamespace.php

@@ -13,6 +13,9 @@ class DisallowedNamespace implements Disallowed
 	/** @var list<string> */
 	private array $excludes;
 
+	/** @var list<string> */
+	private array $excludeWithAttributes;
+
 	private ?string $message;
 
 	private ?string $errorIdentifier;
@@ -27,6 +30,7 @@ class DisallowedNamespace implements Disallowed
 	/**
 	 * @param string $namespace
 	 * @param list<string> $excludes
+	 * @param list<string> $excludeWithAttributes
 	 * @param string|null $message
 	 * @param AllowedConfig $allowedConfig
 	 * @param string|null $errorIdentifier
@@ -35,6 +39,7 @@ class DisallowedNamespace implements Disallowed
 	public function __construct(
 		string $namespace,
 		array $excludes,
+		array $excludeWithAttributes,
 		?string $message,
 		AllowedConfig $allowedConfig,
 		bool $allowInUse,
@@ -43,6 +48,7 @@ public function __construct(
 	) {
 		$this->namespace = $namespace;
 		$this->excludes = $excludes;
+		$this->excludeWithAttributes = $excludeWithAttributes;
 		$this->message = $message;
 		$this->allowedConfig = $allowedConfig;
 		$this->allowInUse = $allowInUse;
@@ -66,6 +72,15 @@ public function getExcludes(): array
 	}
 
 
+	/**
+	 * @return list<string>
+	 */
+	public function getExcludeWithAttributes(): array
+	{
+		return $this->excludeWithAttributes;
+	}
+
+
 	public function getMessage(): ?string
 	{
 		return $this->message;

src/DisallowedNamespaceFactory.php

@@ -28,7 +28,7 @@ public function __construct(Formatter $formatter, Normalizer $normalizer, Allowe
 
 
 	/**
-	 * @param array<array{namespace?:string|list<string>, class?:string|list<string>, exclude?:string|list<string>, message?:string, allowIn?:list<string>, allowExceptIn?:list<string>, disallowIn?:list<string>, allowInUse?:bool, errorIdentifier?:string, errorTip?:string}> $config
+	 * @param array<array{namespace?:string|list<string>, class?:string|list<string>, exclude?:string|list<string>, excludeWithAttribute?:string|list<string>, message?:string, allowIn?:list<string>, allowExceptIn?:list<string>, disallowIn?:list<string>, allowInUse?:bool, errorIdentifier?:string, errorTip?:string}> $config
 	 * @return list<DisallowedNamespace>
 	 * @throws ShouldNotHappenException
 	 */
@@ -45,12 +45,17 @@ public function createFromConfig(array $config): array
 			foreach ((array)($disallowed['exclude'] ?? []) as $exclude) {
 				$excludes[] = $this->normalizer->normalizeNamespace($exclude);
 			}
+			$excludeWithAttributes = [];
+			foreach ((array)($disallowed['excludeWithAttribute'] ?? []) as $excludeWithAttribute) {
+				$excludeWithAttributes[] = $this->normalizer->normalizeNamespace($excludeWithAttribute);
+			}
 			$namespaces = (array)$namespaces;
 			try {
 				foreach ($namespaces as $namespace) {
 					$disallowedNamespace = new DisallowedNamespace(
 						$this->normalizer->normalizeNamespace($namespace),
 						$excludes,
+						$excludeWithAttributes,
 						$disallowed['message'] ?? null,
 						$this->allowedConfigFactory->getConfig($disallowed),
 						$disallowed['allowInUse'] ?? false,

src/Identifier/Identifier.php

@@ -3,16 +3,28 @@
 
 namespace Spaze\PHPStan\Rules\Disallowed\Identifier;
 
+use PHPStan\BetterReflection\Reflector\Exception\IdentifierNotFound;
+use PHPStan\BetterReflection\Reflector\Reflector;
+
 class Identifier
 {
+	private Reflector $reflector;
+
+
+	public function __construct(Reflector $reflector)
+	{
+		$this->reflector = $reflector;
+	}
+
 
 	/**
 	 * @param string $pattern
 	 * @param string $value
 	 * @param list<string> $excludes
+	 * @param list<string> $excludeWithAttributes
 	 * @return bool
 	 */
-	public function matches(string $pattern, string $value, array $excludes = []): bool
+	public function matches(string $pattern, string $value, array $excludes = [], array $excludeWithAttributes = []): bool
 	{
 		$matches = false;
 		if ($pattern === $value) {
@@ -27,6 +39,21 @@ public function matches(string $pattern, string $value, array $excludes = []): b
 				}
 			}
 		}
+		if ($matches && $excludeWithAttributes) {
+			try {
+				$attributes = array_map(fn($a) => $a->getName(), $this->reflector->reflectClass($value)->getAttributes());
+			} catch (IdentifierNotFound $e) {
+				$attributes = [];
+			}
+
+			foreach ($attributes as $attribute) {
+				foreach ($excludeWithAttributes as $excludeWithAttribute) {
+					if (fnmatch($excludeWithAttribute, $attribute, FNM_NOESCAPE | FNM_CASEFOLD)) {
+						return false;
+					}
+				}
+			}
+		}
 		return $matches;
 	}
 

src/RuleErrors/DisallowedNamespaceRuleErrors.php

@@ -44,7 +44,7 @@ public function getDisallowedMessage(Node $node, NamespaceUsage $namespaceUsage,
 	{
 		foreach ($disallowedNamespaces as $disallowedNamespace) {
 			if (
-				!$this->identifier->matches($disallowedNamespace->getNamespace(), $namespaceUsage->getNamespace(), $disallowedNamespace->getExcludes())
+				!$this->identifier->matches($disallowedNamespace->getNamespace(), $namespaceUsage->getNamespace(), $disallowedNamespace->getExcludes(), $disallowedNamespace->getExcludeWithAttributes())
 				|| $this->allowed->isAllowed($node, $scope, null, $disallowedNamespace)
 				|| ($disallowedNamespace->isAllowInUse() && $namespaceUsage->isUseItem())
 			) {

tests/Usages/NamespaceUsagesExcludeAttributeTest.php

@@ -0,0 +1,52 @@
+<?php
+declare(strict_types = 1);
+
+namespace Spaze\PHPStan\Rules\Disallowed\Usages;
+
+use PHPStan\Rules\Rule;
+use PHPStan\Testing\RuleTestCase;
+use Spaze\PHPStan\Rules\Disallowed\DisallowedNamespaceFactory;
+use Spaze\PHPStan\Rules\Disallowed\RuleErrors\DisallowedNamespaceRuleErrors;
+
+class NamespaceUsagesExcludeAttributeTest extends RuleTestCase
+{
+
+	protected function getRule(): Rule
+	{
+		$container = self::getContainer();
+		return new NamespaceUsages(
+			$container->getByType(DisallowedNamespaceRuleErrors::class),
+			$container->getByType(DisallowedNamespaceFactory::class),
+			$container->getByType(NamespaceUsageFactory::class),
+			[
+				[
+					'namespace' => 'NoBigDeal\*',
+					'message' => 'no private modules',
+					'excludeWithAttribute' => [
+						'\Attributes\*Class',
+					],
+				],
+			]
+		);
+	}
+
+
+	public function testRule(): void
+	{
+		$this->analyse([__DIR__ . '/../src/disallowed/namespaceUsagesExcludeAttribute.php'], [
+			[
+				'Class NoBigDeal\PrivateClass is forbidden, no private modules. [NoBigDeal\PrivateClass matches NoBigDeal\*]',
+				17,
+			],
+		]);
+	}
+
+
+	public static function getAdditionalConfigFiles(): array
+	{
+		return [
+			__DIR__ . '/../../extension.neon',
+		];
+	}
+
+}

tests/src/disallowed/namespaceUsagesExcludeAttribute.php

@@ -0,0 +1,29 @@
+<?php
+declare(strict_types = 1);
+
+namespace NoBigDeal;
+
+use Attributes\AttributeClass;
+
+class Service
+{
+	public function usePublicClass()
+	{
+		return new PublicClass();
+	}
+
+	public function usePrivateClass()
+	{
+		return new PrivateClass();
+	}
+
+}
+
+interface PrivateClass
+{
+}
+
+#[AttributeClass]
+class PublicClass
+{
+}