Consider core-provided plugin registry and discovery alternatives

[bjeavons]

A module reviewer suggested that Security Review could use core's plugin API system instead of custom - currently extending Drupal\security_review\Check and implementing hook_security_review_checks().

Drupal core provides a couple mechanisms that Security Review could switch to using in order to be more consistent with core and other modules. This issue is for evaluating those mechanisms and the value they might provide over current implementation.

1. Service tags https://www.drupal.org/node/2239393
2. Plugins API (via annotations) https://www.drupal.org/developing/api/8/plugins

(todo, expand descriptions and pro/cons)

[viktb]

(incomplete)

Service tags

Short description

This method uses service tags for collecting similar services. It needs a collector service, and multiple services that are tagged with a specific tag.

Pros

• Easy to implement in Security Review.
• Easiest dependency injection for checks.

Cons

• Checks have to be services.
  • Checks are not really services (service definition).
  • Check information stored in 2 files (.services.yml and the check's PHP).
• Doesn't provide real value over the current API.

[viktb]

(incomplete)

Plugins API (annotation based)

Short description

Plugins are much like PHP native interfaces with a little extra: the plugin system can discover every implementation of an interface (the default is magic namespacing), deals with metadata (by default this is provided by annotations) and provides a factory for the plugin classes. (why plugins?)

Pros

• The common way of providing extensibility in D8
• Check dependencies could be defined in annotations
• Check identifiers in annotations
  • 4 or 5 less functions to override for the developer
• One check = one file
• Easier to document than Service tags
• Own factory allows for real dependency injection

Cons

• More complex than Service tags or current implementation

[viktb]

Both methods break the current API of course, and require modifying the documentation. Plugins API needs a big rewrite of parts of the module, but the result would be a really good DX.

[dsnopek]

Made an issue on D.o: https://www.drupal.org/node/2623148