[Security][SecurityBundle] User authorization checker

Nate Wiebe · derrabus · commit 312a726ac8b9 · 2024-12-07T14:40:54.000+01:00
diff --git a/Authentication/Token/OfflineTokenInterface.php b/Authentication/Token/OfflineTokenInterface.php
@@ -0,0 +1,21 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication\Token;
+
+/**
+ * Interface used for marking tokens that do not represent the currently logged-in user.
+ *
+ * @author Nate Wiebe <nate@northern.co>
+ */
+interface OfflineTokenInterface extends TokenInterface
+{
+}
diff --git a/Authentication/Token/UserAuthorizationCheckerToken.php b/Authentication/Token/UserAuthorizationCheckerToken.php
@@ -0,0 +1,31 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication\Token;
+
+use Symfony\Component\Security\Core\User\UserInterface;
+
+/**
+ * UserAuthorizationCheckerToken implements a token used for checking authorization.
+ *
+ * @author Nate Wiebe <nate@northern.co>
+ *
+ * @internal
+ */
+final class UserAuthorizationCheckerToken extends AbstractToken implements OfflineTokenInterface
+{
+    public function __construct(UserInterface $user)
+    {
+        parent::__construct($user->getRoles());
+
+        $this->setUser($user);
+    }
+}
diff --git a/Authorization/UserAuthorizationChecker.php b/Authorization/UserAuthorizationChecker.php
@@ -0,0 +1,31 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authorization;
+
+use Symfony\Component\Security\Core\Authentication\Token\UserAuthorizationCheckerToken;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+/**
+ * @author Nate Wiebe <nate@northern.co>
+ */
+final class UserAuthorizationChecker implements UserAuthorizationCheckerInterface
+{
+    public function __construct(
+        private readonly AccessDecisionManagerInterface $accessDecisionManager,
+    ) {
+    }
+
+    public function userIsGranted(UserInterface $user, mixed $attribute, mixed $subject = null): bool
+    {
+        return $this->accessDecisionManager->decide(new UserAuthorizationCheckerToken($user), [$attribute], $subject);
+    }
+}
diff --git a/Authorization/UserAuthorizationCheckerInterface.php b/Authorization/UserAuthorizationCheckerInterface.php
@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authorization;
+
+use Symfony\Component\Security\Core\User\UserInterface;
+
+/**
+ * Interface is used to check user authorization without a session.
+ *
+ * @author Nate Wiebe <nate@northern.co>
+ */
+interface UserAuthorizationCheckerInterface
+{
+    /**
+     * Checks if the attribute is granted against the user and optionally supplied subject.
+     *
+     * @param mixed $attribute A single attribute to vote on (can be of any type, string and instance of Expression are supported by the core)
+     */
+    public function userIsGranted(UserInterface $user, mixed $attribute, mixed $subject = null): bool;
+}
diff --git a/Authorization/Voter/AuthenticatedVoter.php b/Authorization/Voter/AuthenticatedVoter.php
@@ -12,8 +12,10 @@
 namespace Symfony\Component\Security\Core\Authorization\Voter;
 
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
+use Symfony\Component\Security\Core\Authentication\Token\OfflineTokenInterface;
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
 
 /**
  * AuthenticatedVoter votes if an attribute like IS_AUTHENTICATED_FULLY,
@@ -54,6 +56,10 @@ public function vote(TokenInterface $token, mixed $subject, array $attributes):
                 continue;
             }
 
+            if ($token instanceof OfflineTokenInterface) {
+                throw new InvalidArgumentException('Cannot decide on authentication attributes when an offline token is used.');
+            }
+
             $result = VoterInterface::ACCESS_DENIED;
 
             if (self::IS_AUTHENTICATED_FULLY === $attribute
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,13 @@
 CHANGELOG
 =========
 
+7.3
+---
+
+ * Add `UserAuthorizationChecker::userIsGranted()` to test user authorization without relying on the session.
+   For example, users not currently logged in, or while processing a message from a message queue.
+ * Add `OfflineTokenInterface` to mark tokens that do not represent the currently logged-in user
+
 7.2
 ---
 
diff --git a/Tests/Authentication/Token/UserAuthorizationCheckerTokenTest.php b/Tests/Authentication/Token/UserAuthorizationCheckerTokenTest.php
@@ -0,0 +1,26 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Tests\Authentication\Token;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Authentication\Token\UserAuthorizationCheckerToken;
+use Symfony\Component\Security\Core\User\InMemoryUser;
+
+class UserAuthorizationCheckerTokenTest extends TestCase
+{
+    public function testConstructor()
+    {
+        $token = new UserAuthorizationCheckerToken($user = new InMemoryUser('foo', 'bar', ['ROLE_FOO']));
+        $this->assertSame(['ROLE_FOO'], $token->getRoleNames());
+        $this->assertSame($user, $token->getUser());
+    }
+}
diff --git a/Tests/Authorization/UserAuthorizationCheckerTest.php b/Tests/Authorization/UserAuthorizationCheckerTest.php
@@ -0,0 +1,70 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Tests\Authorization;
+
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Authentication\Token\UserAuthorizationCheckerToken;
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
+use Symfony\Component\Security\Core\Authorization\UserAuthorizationChecker;
+use Symfony\Component\Security\Core\User\InMemoryUser;
+
+class UserAuthorizationCheckerTest extends TestCase
+{
+    private AccessDecisionManagerInterface&MockObject $accessDecisionManager;
+    private UserAuthorizationChecker $authorizationChecker;
+
+    protected function setUp(): void
+    {
+        $this->accessDecisionManager = $this->createMock(AccessDecisionManagerInterface::class);
+
+        $this->authorizationChecker = new UserAuthorizationChecker($this->accessDecisionManager);
+    }
+
+    /**
+     * @dataProvider isGrantedProvider
+     */
+    public function testIsGranted(bool $decide, array $roles)
+    {
+        $user = new InMemoryUser('username', 'password', $roles);
+
+        $this->accessDecisionManager
+            ->expects($this->once())
+            ->method('decide')
+            ->with($this->callback(fn (UserAuthorizationCheckerToken $token): bool => $user === $token->getUser()), $this->identicalTo(['ROLE_FOO']))
+            ->willReturn($decide);
+
+        $this->assertSame($decide, $this->authorizationChecker->userIsGranted($user, 'ROLE_FOO'));
+    }
+
+    public static function isGrantedProvider(): array
+    {
+        return [
+            [false, ['ROLE_USER']],
+            [true, ['ROLE_USER', 'ROLE_FOO']],
+        ];
+    }
+
+    public function testIsGrantedWithObjectAttribute()
+    {
+        $attribute = new \stdClass();
+
+        $token = new UserAuthorizationCheckerToken(new InMemoryUser('username', 'password', ['ROLE_USER']));
+
+        $this->accessDecisionManager
+            ->expects($this->once())
+            ->method('decide')
+            ->with($this->isInstanceOf($token::class), $this->identicalTo([$attribute]))
+            ->willReturn(true);
+        $this->assertTrue($this->authorizationChecker->userIsGranted($token->getUser(), $attribute));
+    }
+}
diff --git a/Tests/Authorization/Voter/AuthenticatedVoterTest.php b/Tests/Authorization/Voter/AuthenticatedVoterTest.php
@@ -17,8 +17,10 @@
 use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
+use Symfony\Component\Security\Core\Authentication\Token\UserAuthorizationCheckerToken;
 use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 
 class AuthenticatedVoterTest extends TestCase
@@ -85,6 +87,43 @@ public function testSupportsType()
         $this->assertTrue($voter->supportsType(get_debug_type(new \stdClass())));
     }
 
+    /**
+     * @dataProvider provideOfflineAttributes
+     */
+    public function testOfflineToken($attributes, $expected)
+    {
+        $voter = new AuthenticatedVoter(new AuthenticationTrustResolver());
+
+        $this->assertSame($expected, $voter->vote($this->getToken('offline'), null, $attributes));
+    }
+
+    public static function provideOfflineAttributes()
+    {
+        yield [[AuthenticatedVoter::PUBLIC_ACCESS], VoterInterface::ACCESS_GRANTED];
+        yield [['ROLE_FOO'], VoterInterface::ACCESS_ABSTAIN];
+    }
+
+    /**
+     * @dataProvider provideUnsupportedOfflineAttributes
+     */
+    public function testUnsupportedOfflineToken(string $attribute)
+    {
+        $voter = new AuthenticatedVoter(new AuthenticationTrustResolver());
+
+        $this->expectException(InvalidArgumentException::class);
+
+        $voter->vote($this->getToken('offline'), null, [$attribute]);
+    }
+
+    public static function provideUnsupportedOfflineAttributes()
+    {
+        yield [AuthenticatedVoter::IS_AUTHENTICATED_FULLY];
+        yield [AuthenticatedVoter::IS_AUTHENTICATED_REMEMBERED];
+        yield [AuthenticatedVoter::IS_AUTHENTICATED];
+        yield [AuthenticatedVoter::IS_IMPERSONATOR];
+        yield [AuthenticatedVoter::IS_REMEMBERED];
+    }
+
     protected function getToken($authenticated)
     {
         $user = new InMemoryUser('wouter', '', ['ROLE_USER']);
@@ -108,6 +147,10 @@ public function getCredentials()
             return $this->getMockBuilder(SwitchUserToken::class)->disableOriginalConstructor()->getMock();
         }
 
+        if ('offline' === $authenticated) {
+            return new UserAuthorizationCheckerToken($user);
+        }
+
         return new NullToken();
     }
 }
