feat(symfony): Link security (#5290)

* [Link] Start Link Security

* feat(provider): Auto Resolve Get Operation and Parameters

* chore(CS): fix CS

* feat(tests): Add DenyAccessListener tests

* feat(tests): Add link security behat tests

* fix(test): fix mongodb document configuration

* fix(readlistner): fix error 500 on not existing entity

* feat(linksecurity): expand functionality to cover all combinations of to and from property and add optional object name

* feat(linksecurity): add more tests

* chore: fix cs

* chore: phpstan fix

* fix: Move logic to refactored, now used, classes

* fix: refactor unit tests

* fix: backport for legacy event system as well

* Revert "fix: backport for legacy event system as well"

This reverts commit 16f14c836e19635888e5430a7dff9ecf8280c1d3.

* refactor: Refactor ReadProvider.php and AccessCheckerProvider.php to extract link security into their own providers

* mark providers final, disable feature by default

Author: KDederichs

Bundle/DependencyInjection/ApiPlatformExtension.php

@@ -164,6 +164,7 @@ public function load(array $configs, ContainerBuilder $container): void
         $this->registerSecurityConfiguration($container, $config, $loader);
         $this->registerMakerConfiguration($container, $config, $loader);
         $this->registerArgumentResolverConfiguration($loader);
+        $this->registerLinkSecurityConfiguration($loader, $config);
 
         $container->registerForAutoconfiguration(FilterInterface::class)
             ->addTag('api_platform.filter');
@@ -892,4 +893,11 @@ private function registerInflectorConfiguration(array $config): void
             Inflector::keepLegacyInflector(false);
         }
     }
+
+    private function registerLinkSecurityConfiguration(XmlFileLoader $loader, array $config): void
+    {
+        if ($config['enable_link_security']) {
+            $loader->load('link_security.xml');
+        }
+    }
 }

Bundle/DependencyInjection/Configuration.php

@@ -111,6 +111,7 @@ public function getConfigTreeBuilder(): TreeBuilder
                 ->booleanNode('enable_docs')->defaultTrue()->info('Enable the docs')->end()
                 ->booleanNode('enable_profiler')->defaultTrue()->info('Enable the data collector and the WebProfilerBundle integration.')->end()
                 ->booleanNode('keep_legacy_inflector')->defaultTrue()->info('Keep doctrine/inflector instead of symfony/string to generate plurals for routes.')->end()
+                ->booleanNode('enable_link_security')->defaultFalse()->info('Enable security for Links (sub resources)')->end()
                 ->arrayNode('collection')
                     ->addDefaultsIfNotSet()
                     ->children()

Bundle/Resources/config/link_security.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0" ?>
+
+<container xmlns="http://symfony.com/schema/dic/services"
+           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+           xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
+
+    <services>
+
+        <service id="api_platform.state_provider.read_link" class="ApiPlatform\Symfony\Security\State\LinkedReadProvider" decorates="api_platform.state_provider.read">
+            <argument type="service" id="api_platform.state_provider.read_link.inner" />
+            <argument type="service" id="api_platform.state_provider.locator" />
+            <argument type="service" id="api_platform.metadata.resource.metadata_collection_factory" />
+        </service>
+
+        <service id="api_platform.state_provider.access_checker_linked" class="ApiPlatform\Symfony\Security\State\LinkAccessCheckerProvider" decorates="api_platform.state_provider.read_link">
+            <argument type="service" id="api_platform.state_provider.access_checker_linked.inner" />
+            <argument type="service" id="api_platform.security.resource_access_checker" />
+        </service>
+    </services>
+</container>

Security/State/LinkAccessCheckerProvider.php

@@ -0,0 +1,80 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Symfony\Security\State;
+
+use ApiPlatform\Metadata\HttpOperation;
+use ApiPlatform\Metadata\Link;
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProviderInterface;
+use ApiPlatform\Symfony\Security\Exception\AccessDeniedException;
+use ApiPlatform\Symfony\Security\ResourceAccessCheckerInterface;
+
+/**
+ * Checks the individual parts of the linked resource for access rights.
+ *
+ * @experimental
+ */
+final class LinkAccessCheckerProvider implements ProviderInterface
+{
+    public function __construct(
+        private readonly ProviderInterface $decorated,
+        private readonly ResourceAccessCheckerInterface $resourceAccessChecker
+    ) {
+    }
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): object|array|null
+    {
+        $request = ($context['request'] ?? null);
+
+        $data = $this->decorated->provide($operation, $uriVariables, $context);
+
+        if ($operation instanceof HttpOperation && $operation->getUriVariables()) {
+            foreach ($operation->getUriVariables() as $uriVariable) {
+                if (!$uriVariable instanceof Link || !$uriVariable->getSecurity()) {
+                    continue;
+                }
+
+                $targetResource = $uriVariable->getFromClass() ?? $uriVariable->getToClass();
+
+                if (!$targetResource) {
+                    continue;
+                }
+
+                $propertyName = $uriVariable->getToProperty() ?? $uriVariable->getFromProperty();
+                $securityObjectName = $uriVariable->getSecurityObjectName();
+
+                if (!$securityObjectName) {
+                    $securityObjectName = $propertyName;
+                }
+
+                if (!$securityObjectName) {
+                    continue;
+                }
+
+                $resourceAccessCheckerContext = [
+                    'object' => $data,
+                    'previous_object' => $request?->attributes->get('previous_data'),
+                    $securityObjectName => $request?->attributes->get($securityObjectName),
+                    'request' => $request,
+                ];
+
+                if (!$this->resourceAccessChecker->isGranted($targetResource, $uriVariable->getSecurity(), $resourceAccessCheckerContext)) {
+                    throw new AccessDeniedException($uriVariable->getSecurityMessage() ?? 'Access Denied.');
+                }
+            }
+        }
+
+        return $data;
+    }
+}

Security/State/LinkedReadProvider.php

@@ -0,0 +1,91 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Symfony\Security\State;
+
+use ApiPlatform\Exception\InvalidIdentifierException;
+use ApiPlatform\Exception\InvalidUriVariableException;
+use ApiPlatform\Metadata\HttpOperation;
+use ApiPlatform\Metadata\Link;
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
+use ApiPlatform\State\Exception\ProviderNotFoundException;
+use ApiPlatform\State\ProviderInterface;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+
+/**
+ * Checks if the linked resources have security attributes and prepares them for access checking.
+ *
+ * @experimental
+ */
+final class LinkedReadProvider implements ProviderInterface
+{
+    public function __construct(
+        private readonly ProviderInterface $decorated,
+        private readonly ProviderInterface $locator,
+        private readonly ResourceMetadataCollectionFactoryInterface $resourceMetadataCollectionFactory
+    ) {
+    }
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): object|array|null
+    {
+        $data = $this->decorated->provide($operation, $uriVariables, $context);
+
+        if (!$operation instanceof HttpOperation) {
+            return $data;
+        }
+
+        $request = ($context['request'] ?? null);
+
+        if ($operation->getUriVariables()) {
+            foreach ($operation->getUriVariables() as $key => $uriVariable) {
+                if (!$uriVariable instanceof Link || !$uriVariable->getSecurity()) {
+                    continue;
+                }
+
+                $relationClass = $uriVariable->getFromClass() ?? $uriVariable->getToClass();
+
+                if (!$relationClass) {
+                    continue;
+                }
+
+                $parentOperation = $this->resourceMetadataCollectionFactory
+                    ->create($relationClass)
+                    ->getOperation($operation->getExtraProperties()['parent_uri_template'] ?? null);
+                try {
+                    $relation = $this->locator->provide($parentOperation, [$uriVariable->getIdentifiers()[0] => $request?->attributes->all()[$key]], $context);
+                } catch (ProviderNotFoundException) {
+                    $relation = null;
+                }
+
+                if (!$relation) {
+                    throw new NotFoundHttpException('Relation for link security not found.');
+                }
+
+                try {
+                    $securityObjectName = $uriVariable->getSecurityObjectName();
+
+                    if (!$securityObjectName) {
+                        $securityObjectName = $uriVariable->getToProperty() ?? $uriVariable->getFromProperty();
+                    }
+
+                    $request?->attributes->set($securityObjectName, $relation);
+                } catch (InvalidIdentifierException|InvalidUriVariableException $e) {
+                    throw new NotFoundHttpException('Invalid identifier value or configuration.', $e);
+                }
+            }
+        }
+
+        return $data;
+    }
+}