feat: add support for security_post_validation (#4392)

Author: lyrixx

CHANGELOG.md

@@ -42,6 +42,7 @@
 * DataProvider: new `ApiPlatform\State\ProviderInterface` that replaces DataProviders (#4351)
 * DataPersister: new `ApiPlatform\State\ProcessorInterface` that replaces DataPersisters (#4351)
 * A new configuration is available to keep old services (IriConverter, IdentifiersExtractor and OpenApiFactory) `metadata_backward_compatibility_layer` (defaults to false) (#4351)
+* Add support for `security_post_validation` attribute
 
 ## 2.6.5
 

src/Core/Annotation/ApiResource.php

@@ -63,6 +63,8 @@
  *     @Attribute("securityMessage", type="string"),
  *     @Attribute("securityPostDenormalize", type="string"),
  *     @Attribute("securityPostDenormalizeMessage", type="string"),
+ *     @Attribute("securityPostValidation", type="string"),
+ *     @Attribute("securityPostValidationMessage", type="string"),
  *     @Attribute("shortName", type="string"),
  *     @Attribute("stateless", type="bool"),
  *     @Attribute("subresourceOperations", type="array"),
@@ -167,6 +169,8 @@ final class ApiResource
      * @param string       $securityMessage                 https://api-platform.com/docs/core/security/#configuring-the-access-control-error-message
      * @param string       $securityPostDenormalize         https://api-platform.com/docs/core/security/#executing-access-control-rules-after-denormalization
      * @param string       $securityPostDenormalizeMessage  https://api-platform.com/docs/core/security/#configuring-the-access-control-error-message
+     * @param string       $securityPostValidation          https://api-platform.com/docs/core/security/#executing-access-control-rules-after-validation
+     * @param string       $securityPostValidationMessage   https://api-platform.com/docs/core/security/#configuring-the-access-control-error-message
      * @param bool         $stateless
      * @param string       $sunset                          https://api-platform.com/docs/core/deprecations/#setting-the-sunset-http-header-to-indicate-when-a-resource-or-an-operation-will-be-removed
      * @param array        $swaggerContext                  https://api-platform.com/docs/core/openapi/#using-the-openapi-and-swagger-contexts
@@ -218,6 +222,8 @@ public function __construct(
         ?string $securityMessage = null,
         ?string $securityPostDenormalize = null,
         ?string $securityPostDenormalizeMessage = null,
+        ?string $securityPostValidation = null,
+        ?string $securityPostValidationMessage = null,
         ?bool $stateless = null,
         ?string $sunset = null,
         ?array $swaggerContext = null,

src/Core/Bridge/Symfony/Bundle/Resources/config/graphql.xml

@@ -38,6 +38,7 @@
             <argument type="service" id="api_platform.graphql.resolver.stage.validate" />
             <argument type="service" id="api_platform.graphql.mutation_resolver_locator" />
             <argument type="service" id="api_platform.metadata.resource.metadata_collection_factory" />
+            <argument type="service" id="api_platform.graphql.resolver.stage.security_post_validation" />
         </service>
 
         <service id="api_platform.graphql.resolver.factory.item_subscription" class="ApiPlatform\GraphQl\Resolver\Factory\ItemSubscriptionResolverFactory" public="false">
@@ -70,6 +71,11 @@
             <argument type="service" id="api_platform.security.resource_access_checker" on-invalid="ignore" />
         </service>
 
+        <service id="api_platform.graphql.resolver.stage.security_post_validation" class="ApiPlatform\GraphQl\Resolver\Stage\SecurityPostValidationStage" public="false">
+            <argument type="service" id="api_platform.metadata.resource.metadata_collection_factory" />
+            <argument type="service" id="api_platform.security.resource_access_checker" on-invalid="ignore" />
+        </service>
+
         <service id="api_platform.graphql.resolver.stage.serialize" class="ApiPlatform\GraphQl\Resolver\Stage\SerializeStage" public="false">
             <argument type="service" id="api_platform.metadata.resource.metadata_collection_factory" />
             <argument type="service" id="serializer" />

src/Core/Bridge/Symfony/Bundle/Resources/config/security.xml

@@ -24,6 +24,8 @@
             <tag name="kernel.event_listener" event="kernel.request" method="onSecurity" priority="3" />
             <!-- This method must be executed only when the current object is available, after deserialization -->
             <tag name="kernel.event_listener" event="kernel.request" method="onSecurityPostDenormalize" priority="1" />
+            <!-- This method must be executed only when the current object is available, after validation -->
+            <tag name="kernel.event_listener" event="kernel.view" method="onSecurityPostValidation" priority="63" />
         </service>
 
         <service id="api_platform.security.expression_language_provider" class="ApiPlatform\Core\Security\Core\Authorization\ExpressionLanguageProvider" public="false">

src/Core/Security/EventListener/DenyAccessListener.php

@@ -22,6 +22,7 @@
 use ApiPlatform\Util\OperationRequestInitiatorTrait;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\HttpKernel\Event\ViewEvent;
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
@@ -85,6 +86,14 @@ public function onSecurityPostDenormalize(RequestEvent $event): void
         ]);
     }
 
+    public function onSecurityPostValidation(ViewEvent $event): void
+    {
+        $request = $event->getRequest();
+        $this->checkSecurity($request, 'security_post_validation', false, [
+            'previous_object' => $request->attributes->get('previous_data'),
+        ]);
+    }
+
     /**
      * @throws AccessDeniedException
      */

src/GraphQl/Resolver/Factory/ItemMutationResolverFactory.php

@@ -19,6 +19,7 @@
 use ApiPlatform\GraphQl\Resolver\Stage\DeserializeStageInterface;
 use ApiPlatform\GraphQl\Resolver\Stage\ReadStageInterface;
 use ApiPlatform\GraphQl\Resolver\Stage\SecurityPostDenormalizeStageInterface;
+use ApiPlatform\GraphQl\Resolver\Stage\SecurityPostValidationStageInterface;
 use ApiPlatform\GraphQl\Resolver\Stage\SecurityStageInterface;
 use ApiPlatform\GraphQl\Resolver\Stage\SerializeStageInterface;
 use ApiPlatform\GraphQl\Resolver\Stage\ValidateStageInterface;
@@ -49,8 +50,9 @@ final class ItemMutationResolverFactory implements ResolverFactoryInterface
     private $validateStage;
     private $mutationResolverLocator;
     private $resourceMetadataCollectionFactory;
+    private $securityPostValidationStage;
 
-    public function __construct(ReadStageInterface $readStage, SecurityStageInterface $securityStage, SecurityPostDenormalizeStageInterface $securityPostDenormalizeStage, SerializeStageInterface $serializeStage, DeserializeStageInterface $deserializeStage, WriteStageInterface $writeStage, ValidateStageInterface $validateStage, ContainerInterface $mutationResolverLocator, ResourceMetadataCollectionFactoryInterface $resourceMetadataCollectionFactory)
+    public function __construct(ReadStageInterface $readStage, SecurityStageInterface $securityStage, SecurityPostDenormalizeStageInterface $securityPostDenormalizeStage, SerializeStageInterface $serializeStage, DeserializeStageInterface $deserializeStage, WriteStageInterface $writeStage, ValidateStageInterface $validateStage, ContainerInterface $mutationResolverLocator, ResourceMetadataCollectionFactoryInterface $resourceMetadataCollectionFactory, SecurityPostValidationStageInterface $securityPostValidationStage)
     {
         $this->readStage = $readStage;
         $this->securityStage = $securityStage;
@@ -61,6 +63,7 @@ public function __construct(ReadStageInterface $readStage, SecurityStageInterfac
         $this->validateStage = $validateStage;
         $this->mutationResolverLocator = $mutationResolverLocator;
         $this->resourceMetadataCollectionFactory = $resourceMetadataCollectionFactory;
+        $this->securityPostValidationStage = $securityPostValidationStage;
     }
 
     public function __invoke(?string $resourceClass = null, ?string $rootClass = null, ?string $operationName = null): callable
@@ -120,6 +123,13 @@ public function __invoke(?string $resourceClass = null, ?string $rootClass = nul
             if (null !== $item) {
                 ($this->validateStage)($item, $resourceClass, $operationName, $resolverContext);
 
+                ($this->securityPostValidationStage)($resourceClass, $operationName, $resolverContext + [
+                    'extra_variables' => [
+                        'object' => $item,
+                        'previous_object' => $previousItem,
+                    ],
+                ]);
+
                 $persistResult = ($this->writeStage)($item, $resourceClass, $operationName, $resolverContext);
             }
 

src/GraphQl/Resolver/Stage/SecurityPostValidationStage.php

@@ -0,0 +1,58 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\GraphQl\Resolver\Stage;
+
+use ApiPlatform\Core\Security\ResourceAccessCheckerInterface;
+use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+/**
+ * Security post validation stage of GraphQL resolvers.
+ *
+ * @experimental
+ *
+ * @author Vincent Chalamon <[email protected]>
+ * @author Grégoire Pineau <[email protected]>
+ */
+final class SecurityPostValidationStage implements SecurityPostValidationStageInterface
+{
+    private $resourceMetadataCollectionFactory;
+    private $resourceAccessChecker;
+
+    public function __construct(ResourceMetadataCollectionFactoryInterface $resourceMetadataCollectionFactory, ?ResourceAccessCheckerInterface $resourceAccessChecker)
+    {
+        $this->resourceMetadataCollectionFactory = $resourceMetadataCollectionFactory;
+        $this->resourceAccessChecker = $resourceAccessChecker;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function __invoke(string $resourceClass, string $operationName, array $context): void
+    {
+        $resourceMetadataCollection = $this->resourceMetadataCollectionFactory->create($resourceClass);
+        $operation = $resourceMetadataCollection->getGraphQlOperation($operationName);
+        $isGranted = $operation->getSecurityPostValidation();
+
+        if (null !== $isGranted && null === $this->resourceAccessChecker) {
+            throw new \LogicException('Cannot check security expression when SecurityBundle is not installed. Try running "composer require symfony/security-bundle".');
+        }
+
+        if (null === $isGranted || $this->resourceAccessChecker->isGranted($resourceClass, (string) $isGranted, $context['extra_variables'])) {
+            return;
+        }
+
+        throw new AccessDeniedHttpException($operation->getSecurityPostValidationMessage() ?? 'Access Denied.');
+    }
+}

src/GraphQl/Resolver/Stage/SecurityPostValidationStageInterface.php

@@ -0,0 +1,32 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\GraphQl\Resolver\Stage;
+
+use GraphQL\Error\Error;
+
+/**
+ * Security post validation stage of GraphQL resolvers.
+ *
+ * @experimental
+ *
+ * @author Vincent Chalamon <[email protected]>
+ * @author Grégoire Pineau <[email protected]>
+ */
+interface SecurityPostValidationStageInterface
+{
+    /**
+     * @throws Error
+     */
+    public function __invoke(string $resourceClass, string $operationName, array $context): void;
+}

src/Metadata/ApiResource.php

@@ -105,6 +105,8 @@ final class ApiResource
     private $securityMessage;
     private $securityPostDenormalize;
     private $securityPostDenormalizeMessage;
+    private $securityPostValidation;
+    private $securityPostValidationMessage;
     private $compositeIdentifier;
     private $exceptionToStatus;
     private $queryParameterValidationEnabled;
@@ -151,6 +153,8 @@ final class ApiResource
      * @param string|null       $securityMessage                https://api-platform.com/docs/core/security/#configuring-the-access-control-error-message
      * @param string|null       $securityPostDenormalize        https://api-platform.com/docs/core/security/#executing-access-control-rules-after-denormalization
      * @param string|null       $securityPostDenormalizeMessage https://api-platform.com/docs/core/security/#configuring-the-access-control-error-message
+     * @param string            $securityPostValidation         https://api-platform.com/docs/core/security/#executing-access-control-rules-after-validtion
+     * @param string            $securityPostValidationMessage  https://api-platform.com/docs/core/security/#configuring-the-access-control-error-message
      */
     public function __construct(
         ?string $uriTemplate = null,
@@ -207,6 +211,8 @@ public function __construct(
         ?string $securityMessage = null,
         ?string $securityPostDenormalize = null,
         ?string $securityPostDenormalizeMessage = null,
+        ?string $securityPostValidation = null,
+        ?string $securityPostValidationMessage = null,
         ?bool $compositeIdentifier = null,
         ?array $exceptionToStatus = null,
         ?bool $queryParameterValidationEnabled = null,
@@ -267,6 +273,8 @@ public function __construct(
         $this->securityMessage = $securityMessage;
         $this->securityPostDenormalize = $securityPostDenormalize;
         $this->securityPostDenormalizeMessage = $securityPostDenormalizeMessage;
+        $this->securityPostValidation = $securityPostValidation;
+        $this->securityPostValidationMessage = $securityPostValidationMessage;
         $this->compositeIdentifier = $compositeIdentifier;
         $this->exceptionToStatus = $exceptionToStatus;
         $this->queryParameterValidationEnabled = $queryParameterValidationEnabled;
@@ -1012,6 +1020,32 @@ public function withSecurityPostDenormalizeMessage(string $securityPostDenormali
         return $self;
     }
 
+    public function getSecurityPostValidation(): ?string
+    {
+        return $this->securityPostValidation;
+    }
+
+    public function withSecurityPostValidation(?string $securityPostValidation = null): self
+    {
+        $self = clone $this;
+        $self->securityPostValidation = $securityPostValidation;
+
+        return $self;
+    }
+
+    public function getSecurityPostValidationMessage(): ?string
+    {
+        return $this->securityPostValidationMessage;
+    }
+
+    public function withSecurityPostValidationMessage(?string $securityPostValidationMessage = null): self
+    {
+        $self = clone $this;
+        $self->securityPostValidationMessage = $securityPostValidationMessage;
+
+        return $self;
+    }
+
     public function getCompositeIdentifier(): ?bool
     {
         return $this->compositeIdentifier;

src/Metadata/GraphQl/Operation.php

@@ -42,6 +42,8 @@ class Operation
     protected $securityMessage;
     protected $securityPostDenormalize;
     protected $securityPostDenormalizeMessage;
+    protected $securityPostValidation;
+    protected $securityPostValidationMessage;
     protected $deprecationReason;
     /**
      * @var string[]
@@ -96,6 +98,8 @@ class Operation
      * @param string            $securityMessage
      * @param string            $securityPostDenormalize
      * @param string            $securityPostDenormalizeMessage
+     * @param string            $securityPostValidation
+     * @param string            $securityPostValidationMessage
      * @param string            $deprecationReason
      * @param string[]          $filters
      * @param bool|string|array $mercure
@@ -131,6 +135,8 @@ public function __construct(
         ?string $securityMessage = null,
         ?string $securityPostDenormalize = null,
         ?string $securityPostDenormalizeMessage = null,
+        ?string $securityPostValidation = null,
+        ?string $securityPostValidationMessage = null,
         ?string $deprecationReason = null,
         ?array $filters = null,
         ?array $validationContext = null,
@@ -174,6 +180,8 @@ public function __construct(
         $this->securityMessage = $securityMessage;
         $this->securityPostDenormalize = $securityPostDenormalize;
         $this->securityPostDenormalizeMessage = $securityPostDenormalizeMessage;
+        $this->securityPostValidation = $securityPostValidation;
+        $this->securityPostValidationMessage = $securityPostValidationMessage;
         $this->deprecationReason = $deprecationReason;
         $this->filters = $filters;
         $this->validationContext = $validationContext;
@@ -499,6 +507,32 @@ public function withSecurityPostDenormalizeMessage(?string $securityPostDenormal
         return $self;
     }
 
+    public function getSecurityPostValidation(): ?string
+    {
+        return $this->securityPostValidation;
+    }
+
+    public function withSecurityPostValidation(?string $securityPostValidation = null): self
+    {
+        $self = clone $this;
+        $self->securityPostValidation = $securityPostValidation;
+
+        return $self;
+    }
+
+    public function getSecurityPostValidationMessage(): ?string
+    {
+        return $this->securityPostValidationMessage;
+    }
+
+    public function withSecurityPostValidationMessage(?string $securityPostValidationMessage = null): self
+    {
+        $self = clone $this;
+        $self->securityPostValidationMessage = $securityPostValidationMessage;
+
+        return $self;
+    }
+
     public function getDeprecationReason(): ?string
     {
         return $this->deprecationReason;

tests/Core/Annotation/ApiResourceTest.php

@@ -39,6 +39,8 @@ public function testConstruct()
             'securityMessage' => 'You are not foo.',
             'securityPostDenormalize' => 'is_granted("ROLE_BAR")',
             'securityPostDenormalizeMessage' => 'You are not bar.',
+            'securityPostValidation' => 'is_granted("ROLE_FOO")',
+            'securityPostValidationMessage' => 'You are not foo.',
             'attributes' => ['foo' => 'bar', 'validation_groups' => ['baz', 'qux'], 'cache_headers' => ['max_age' => 0, 'shared_max_age' => 0, 'vary' => ['Custom-Vary-1', 'Custom-Vary-2']]],
             'collectionOperations' => ['bar' => ['foo']],
             'denormalizationContext' => ['groups' => ['foo']],
@@ -87,6 +89,8 @@ public function testConstruct()
             'security_message' => 'You are not foo.',
             'security_post_denormalize' => 'is_granted("ROLE_BAR")',
             'security_post_denormalize_message' => 'You are not bar.',
+            'security_post_validation' => 'is_granted("ROLE_FOO")',
+            'security_post_validation_message' => 'You are not foo.',
             'denormalization_context' => ['groups' => ['foo']],
             'fetch_partial' => true,
             'foo' => 'bar',
@@ -129,6 +133,8 @@ public function testConstructAttribute()
     securityMessage:  'You are not foo.',
     securityPostDenormalize:  'is_granted("ROLE_BAR")',
     securityPostDenormalizeMessage:  'You are not bar.',
+    securityPostValidation:  'is_granted("ROLE_FOO")',
+    securityPostValidationMessage:  'You are not foo.',
     attributes:  ['foo' => 'bar', 'validation_groups' => ['baz', 'qux'], 'cache_headers' => ['max_age' => 0, 'shared_max_age' => 0, 'vary' => ['Custom-Vary-1', 'Custom-Vary-2']]],
     collectionOperations:  ['bar' => ['foo']],
     denormalizationContext:  ['groups' => ['foo']],
@@ -187,6 +193,8 @@ public function testConstructAttribute()
             'security_message' => 'You are not foo.',
             'security_post_denormalize' => 'is_granted("ROLE_BAR")',
             'security_post_denormalize_message' => 'You are not bar.',
+            'security_post_validation' => 'is_granted("ROLE_FOO")',
+            'security_post_validation_message' => 'You are not foo.',
             'denormalization_context' => ['groups' => ['foo']],
             'fetch_partial' => true,
             'foo' => 'bar',