feat(state): add security to parameters (#6435)
* fix(state): add security to parameters * chore(state): fix style
1 parent
74986cb
commit 0b985ae
Showing
7 changed files
with
207 additions
and
24 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
<?php | ||
|
||
/* | ||
* This file is part of the API Platform project. | ||
* | ||
* (c) Kévin Dunglas <dunglas@gmail.com> | ||
* | ||
* For the full copyright and license information, please view the LICENSE | ||
* file that was distributed with this source code. | ||
*/ | ||
|
||
declare(strict_types=1); | ||
|
||
namespace ApiPlatform\State\Provider; | ||
|
||
use ApiPlatform\Metadata\GraphQl\Operation as GraphQlOperation; | ||
use ApiPlatform\Metadata\Operation; | ||
use ApiPlatform\Metadata\ResourceAccessCheckerInterface; | ||
use ApiPlatform\State\ProviderInterface; | ||
use ApiPlatform\State\Util\ParameterParserTrait; | ||
use ApiPlatform\Symfony\Security\Exception\AccessDeniedException; | ||
use Symfony\Component\HttpFoundation\Request; | ||
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; | ||
|
||
/** | ||
* Loops over parameters to check parameter security. | ||
* Throws an exception if security is not granted. | ||
*/ | ||
final class SecurityParameterProvider implements ProviderInterface | ||
{ | ||
use ParameterParserTrait; | ||
|
||
public function __construct(private readonly ?ProviderInterface $decorated = null, private readonly ?ResourceAccessCheckerInterface $resourceAccessChecker = null) | ||
{ | ||
} | ||
|
||
public function provide(Operation $operation, array $uriVariables = [], array $context = []): object|array|null | ||
{ | ||
if (!($request = $context['request']) instanceof Request) { | ||
return $this->decorated->provide($operation, $uriVariables, $context); | ||
} | ||
|
||
/** @var Operation $apiOperation */ | ||
$apiOperation = $request->attributes->get('_api_operation'); | ||
|
||
foreach ($apiOperation->getParameters() ?? [] as $parameter) { | ||
if (null === $security = $parameter->getSecurity()) { | ||
continue; | ||
} | ||
|
||
$key = $this->getParameterFlattenKey($parameter->getKey(), $this->extractParameterValues($parameter, $request, $context)); | ||
$apiValues = $parameter->getExtraProperties()['_api_values'] ?? []; | ||
if (!isset($apiValues[$key])) { | ||
continue; | ||
} | ||
$value = $apiValues[$key]; | ||
|
||
if (!$this->resourceAccessChecker->isGranted($context['resource_class'], $security, [$key => $value])) { | ||
throw $operation instanceof GraphQlOperation ? new AccessDeniedHttpException($parameter->getSecurityMessage() ?? 'Access Denied.') : new AccessDeniedException($parameter->getSecurityMessage() ?? 'Access Denied.'); | ||
} | ||
} | ||
|
||
return $this->decorated->provide($operation, $uriVariables, $context); | ||
} | ||
} |
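Review bot: The `!isset($apiValues[$key])` guard in `provide()` makes the check fail open: a parameter that declares `security` is never evaluated when `_api_values` has no entry for its key, and `isset` also treats a stored `null` as absent. That is presumably intended for parameters the client did not send, but it also means enforcement depends on an earlier step having populated `_api_values`. A comment stating that assumption would help, e.g. `// No parsed value means the parameter was not sent; security applies only to supplied parameters.` Separately, `$this->resourceAccessChecker` and `$this->decorated` are declared nullable with a `null` default yet dereferenced unguarded, and `$context['request']` is read without `?? null`, so a misconfigured service fails with an engine error rather than a clear denial.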
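--- a/tests/Fixtures/TestBundle/ApiResource/WithSecurityParameter.php
+++ b/tests/Fixtures/TestBundle/ApiResource/WithSecurityParameter.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+* This file is part of the API Platform project.
+*
+* (c) Kévin Dunglas <dunglas@gmail.com>
+*
+* For the full copyright and license information, please view the LICENSE
+* file that was distributed with this source code.
+*/
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\ApiResource;
+
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\HeaderParameter;
+use ApiPlatform\Metadata\QueryParameter;
+
+#[GetCollection(
+uriTemplate: 'with_security_parameters_collection{._format}',
+parameters: [
+'name' => new QueryParameter(security: 'is_granted("ROLE_ADMIN")'),
+'auth' => new HeaderParameter(security: '"secured" == auth[0]'),
+'secret' => new QueryParameter(security: '"secured" == secret'),
+],
+provider: [self::class, 'collectionProvider'],
+)]
+class WithSecurityParameter
+{
+public static function collectionProvider()
+{
+return [new self()];
+}
+}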
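Review bot: The `auth` and `secret` parameters model access control as an equality check against a fixed string taken from a request header or the query string, and a fixture like this may be read as a usage example. A short comment above the attribute would make the intent clear, e.g. `// Test-only expressions exercising value-based parameter security; not a pattern for authenticating clients.` Also, `collectionProvider()` has no return type although the file declares `strict_types`; `: array` would match what it returns.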
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
<?php | ||
|
||
/* | ||
* This file is part of the API Platform project. | ||
* | ||
* (c) Kévin Dunglas <dunglas@gmail.com> | ||
* | ||
* For the full copyright and license information, please view the LICENSE | ||
* file that was distributed with this source code. | ||
*/ | ||
|
||
declare(strict_types=1); | ||
|
||
namespace ApiPlatform\Tests\Functional\Parameters; | ||
|
||
use ApiPlatform\Symfony\Bundle\Test\ApiTestCase; | ||
use Symfony\Component\HttpFoundation\Response; | ||
use Symfony\Component\Security\Core\User\InMemoryUser; | ||
|
||
class SecurityTests extends ApiTestCase | ||
{ | ||
public function dataUserAuthorization(): iterable | ||
{ | ||
yield [['ROLE_ADMIN'], Response::HTTP_OK]; | ||
yield [['ROLE_USER'], Response::HTTP_FORBIDDEN]; | ||
} | ||
|
||
/** @dataProvider dataUserAuthorization */ | ||
public function testUserAuthorization(array $roles, int $expectedStatusCode): void | ||
{ | ||
$client = self::createClient(); | ||
$client->loginUser(new InMemoryUser('emmanuel', 'password', $roles)); | ||
|
||
$client->request('GET', 'with_security_parameters_collection?name=foo'); | ||
$this->assertResponseStatusCodeSame($expectedStatusCode); | ||
} | ||
|
||
public function testNoValueParameter(): void | ||
{ | ||
$client = self::createClient(); | ||
$client->loginUser(new InMemoryUser('emmanuel', 'password', ['ROLE_ADMIN'])); | ||
|
||
$client->request('GET', 'with_security_parameters_collection?name'); | ||
$this->assertResponseIsSuccessful(); | ||
} | ||
|
||
public function dataSecurityValues(): iterable | ||
{ | ||
yield ['secured', Response::HTTP_OK]; | ||
yield ['not_the_expected_parameter_value', Response::HTTP_UNAUTHORIZED]; | ||
} | ||
|
||
/** @dataProvider dataSecurityValues */ | ||
public function testSecurityHeaderValues(string $parameterValue, int $expectedStatusCode): void | ||
{ | ||
self::createClient()->request('GET', 'with_security_parameters_collection', [ | ||
'headers' => [ | ||
'auth' => $parameterValue, | ||
], | ||
]); | ||
$this->assertResponseStatusCodeSame($expectedStatusCode); | ||
} | ||
|
||
/** @dataProvider dataSecurityValues */ | ||
public function testSecurityQueryValues(string $parameterValue, int $expectedStatusCode): void | ||
{ | ||
self::createClient()->request('GET', sprintf('with_security_parameters_collection?secret=%s', $parameterValue)); | ||
$this->assertResponseStatusCodeSame($expectedStatusCode); | ||
} | ||
} |
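Review bot: `testNoValueParameter` only exercises `?name` with `ROLE_ADMIN`, so nothing here shows what a `ROLE_USER` receives when the secured parameter is sent without a value. That is the path where `SecurityParameterProvider` skips the check because no value was parsed, and it deserves an explicit assertion of the intended status. There is likewise no case covering a custom `securityMessage`. The data providers `dataUserAuthorization()` and `dataSecurityValues()` are non-static, which newer PHPUnit versions deprecate; `public static function dataSecurityValues(): iterable` avoids that. The class is named `SecurityTests`; if the file is named after it, confirm the test suite's file suffix picks it up so these checks run in CI.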