symfony
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Command/DebugRolesCommand.php
Lines changed: 162 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Command/DebugRolesCommand.php
Lines changed: 162 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Debug/DebugRoleHierarchy.php
Lines changed: 138 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Debug/DebugRoleHierarchy.php
Lines changed: 138 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/debug_console.php
Lines changed: 6 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/debug_console.php
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,162 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Command;
+
+use Symfony\Bundle\SecurityBundle\Debug\DebugRoleHierarchy;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
+
+#[AsCommand(name: 'debug:roles', description: 'Display the role hierarchy configuration.')]
+final class DebugRolesCommand extends Command
+{
+    private DebugRoleHierarchy $roleHierarchyDebug;
+
+    public function __construct(RoleHierarchyInterface $roleHierarchy)
+    {
+        $this->roleHierarchyDebug = new DebugRoleHierarchy($roleHierarchy);
+
+        parent::__construct();
+    }
+
+    protected function configure(): void
+    {
+        $this->setHelp(<<<EOF
+This <info>%command.name%</info> command display the current role hierarchy.
+
+    <info>php %command.full_name%</info>
+
+You can pass one or multiple role names to display the effective roles.
+
+    <info>php %command.full_name% ROLE_USER</info>
+
+To get a tree view of the inheritance, use the <info>tree</info> option:
+
+    <info>php %command.full_name% --tree</info>
+    <info>php %command.full_name% ROLE_USER --tree</info>
+
+EOF
+        )
+        ->setDefinition([
+            new InputArgument('roles', InputArgument::OPTIONAL | InputArgument::IS_ARRAY, 'The role(s) to resolve'),
+            new InputOption('tree', 't', InputOption::VALUE_NONE, 'Show the hierarchy in a tree view'),
+        ]);
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+
+        $roles = $input->getArgument('roles');
+
+        if (empty($roles)) {
+            // Full configuration output
+            $io->title('Current role hierarchy configuration:');
+
+            if ($input->getOption('tree')) {
+                $this->outputTree($io, $this->roleHierarchyDebug->getHierarchy());
+            } else {
+                $this->outputMap($io, $this->roleHierarchyDebug->getMap());
+            }
+
+            $io->comment('To show reachable roles for a given role, re-run this command with role names. (e.g. <comment>debug:roles ROLE_USER</comment>)');
+
+            return self::SUCCESS;
+        }
+
+        // Matching roles output
+        $io->title(sprintf('Effective roles for %s:', implode(', ', array_map(fn ($v) => sprintf('<info>%s</info>', $v), $roles))));
+
+        if ($input->getOption('tree')) {
+            $this->outputTree($io, $this->roleHierarchyDebug->getHierarchy($roles));
+        } else {
+            $io->listing($this->roleHierarchyDebug->getReachableRoleNames($roles));
+        }
+
+        return self::SUCCESS;
+    }
+
+    private function outputMap(OutputInterface $output, array $map): void
+    {
+        foreach ($map as $main => $roles) {
+            if ($this->roleHierarchyDebug->isPlaceholder($main)) {
+                $main = $this->stylePlaceholder($main);
+            }
+
+            $output->writeln(sprintf('%s:', $main));
+            foreach ($roles as $r) {
+                $output->writeln(sprintf('  - %s', $r));
+            }
+            $output->writeln('');
+        }
+    }
+
+    private function outputTree(OutputInterface $output, array $tree): void
+    {
+        foreach ($tree as $role => $hierarchy) {
+            $output->writeln($this->generateTree($role, $hierarchy));
+            $output->writeln('');
+        }
+    }
+
+    /**
+     * Generates a tree representation, line by line, in the tree unix style.
+     *
+     * Example output:
+     *
+     *     ROLE_A
+     *     └── ROLE_B
+     *
+     *     ROLE_C
+     *     ├── ROLE_A
+     *     │   └── ROLE_B
+     *     └── ROLE_D
+     */
+    private function generateTree(string $name, array $tree, string $indent = '', bool $last = true, bool $root = true): \Generator
+    {
+        if ($this->roleHierarchyDebug->isPlaceholder($name)) {
+            $name = $this->stylePlaceholder($name);
+        }
+
+        if ($root) {
+            // Yield root node as it is
+            yield $name;
+        } else {
+            // Generate line in the tree:
+            // Line: [indent]├── [name]
+            // Last line: [indent]└── [name]
+            yield sprintf('%s%s%s %s', $indent, $last ? "\u{2514}" : "\u{251c}", str_repeat("\u{2500}", 2), $name);
+
+            // Update indent for next nested:
+            // Append "|   " for a nested tree
+            // Append "    " for last nested tree
+            $indent .= ($last ? ' ' : "\u{2502}").str_repeat(' ', 3);
+        }
+
+        $i = 0;
+        $count = \count($tree);
+        foreach ($tree as $key => $value) {
+            yield from $this->generateTree($key, $value, $indent, $i === $count - 1, false);
+            ++$i;
+        }
+    }
+
+    private function stylePlaceholder(string $role): string
+    {
+        return sprintf('<info>%s</info>', $role);
+    }
+}
@@ -0,0 +1,138 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Debug;
+
+use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
+
+/**
+ * Wraps a RoleHierarchy to access computed map, hierarchy tree and placeholders.
+ *
+ * @author Nicolas Rigaud <squrious@protonmail.com>
+ *
+ * @internal
+ */
+final class DebugRoleHierarchy
+{
+    private array $map = [];
+    private array $hierarchy = [];
+    private array $placeholders = [];
+    private ?\Closure $placeholderMatcher = null;
+
+    public function __construct(private readonly RoleHierarchyInterface $decorated)
+    {
+        if (
+            property_exists($this->decorated, 'map')
+            && property_exists($this->decorated, 'hierarchy')
+            && property_exists($this->decorated, 'rolePlaceholdersPatterns')
+            && method_exists($this->decorated, 'getMatchingPlaceholders')
+        ) {
+            $this->map = (new \ReflectionProperty($this->decorated, 'map'))->getValue($this->decorated);
+            $this->hierarchy = (new \ReflectionProperty($this->decorated, 'hierarchy'))->getValue($this->decorated);
+            $this->placeholders = array_keys((new \ReflectionProperty($this->decorated, 'rolePlaceholdersPatterns'))->getValue($this->decorated));
+            $this->placeholderMatcher = fn (array $roles) => (new \ReflectionMethod($this->decorated, 'getMatchingPlaceholders'))->invoke($this->decorated, $roles);
+        }
+    }
+
+    /**
+     * Get reachable role names from the underlying RoleHierarchy.
+     *
+     * @param string[] $roles
+     *
+     * @return string[]
+     */
+    public function getReachableRoleNames(array $roles): array
+    {
+        return $this->decorated->getReachableRoleNames($roles);
+    }
+
+    /**
+     * Get the hierarchy tree.
+     *
+     * Example output:
+     *
+     *     [
+     *       'ROLE_A' => [
+     *          'ROLE_B' => [],
+     *          'ROLE_C' => [
+     *             'ROLE_D' => []
+     *          ]
+     *       ],
+     *       'ROLE_C' => [
+     *          'ROLE_D' => []
+     *       ]
+     *     ]
+     *
+     * @param string[] $roles Optionally restrict the tree to these roles
+     *
+     * @return array<string,array<string,array>>
+     */
+    public function getHierarchy(array $roles = []): array
+    {
+        $hierarchy = [];
+
+        foreach ($roles ?: array_keys($this->hierarchy) as $role) {
+            $hierarchy += $this->buildHierarchy([$role]);
+        }
+
+        return $hierarchy;
+    }
+
+    /**
+     * Get the computed role map from the underlying RoleHierarchy.
+     *
+     * @return array<string,string[]>
+     */
+    public function getMap(): array
+    {
+        return $this->map;
+    }
+
+    /**
+     * Get registered placeholders in the underlying RoleHierarchy.
+     *
+     * @return string[]
+     */
+    public function getPlaceholders(): array
+    {
+        return $this->placeholders;
+    }
+
+    /**
+     * Return whether a given role is processed as a placeholder by the underlying RoleHierarchy.
+     */
+    public function isPlaceholder(string $role): bool
+    {
+        return \in_array($role, $this->getPlaceholders());
+    }
+
+    private function buildHierarchy(array $roles, array &$visited = []): array
+    {
+        $tree = [];
+        foreach ($roles as $role) {
+            $visited[] = $role;
+
+            $tree[$role] = [];
+
+            // Get placeholders matches
+            $placeholders = array_diff($this->placeholderMatcher?->__invoke([$role]) ?? [], $visited) ?? [];
+            array_push($visited, ...$placeholders);
+            $tree[$role] += $this->buildHierarchy($placeholders, $visited);
+
+            // Get regular inherited roles
+            $inherited = array_diff($this->hierarchy[$role] ?? [], $visited);
+            array_push($visited, ...$inherited);
+            $tree[$role] += $this->buildHierarchy($inherited, $visited);
+        }
+
+        return $tree;
+    }
+}
@@ -12,6 +12,7 @@
 namespace Symfony\Component\DependencyInjection\Loader\Configurator;
 
 use Symfony\Bundle\SecurityBundle\Command\DebugFirewallCommand;
+use Symfony\Bundle\SecurityBundle\Command\DebugRolesCommand;
 
 return static function (ContainerConfigurator $container) {
     $container->services()
@@ -24,5 +25,10 @@
                 false,
             ])
             ->tag('console.command', ['command' => 'debug:firewall'])
+        ->set('security.command.debug_role_hierarchy', DebugRolesCommand::class)
+            ->args([
+                service('security.role_hierarchy'),
+            ])
+            ->tag('console.command', ['command' => 'debug:roles'])
     ;
 };