Add Access Control component with strategies and voters

Introduce the new Access Control component in Symfony, providing core access decision-making and voting mechanisms. This includes support for affirmative, unanimous, and consensus strategies, along with role-based and expression-based voters. Tests and examples included to validate behavior.
symfony · Spomky · Jan 13, 2025 · Jan 13, 2025 · Jan 14, 2025 · Jan 13, 2025
commit aec8f2c810a4cb2067dac6281fd5176a1a81e813
diff --git a/composer.json b/composer.json
@@ -58,6 +58,7 @@
         "symfony/polyfill-uuid": "^1.15"
     },
     "replace": {
+        "symfony/access-control": "self.version",
         "symfony/asset": "self.version",
         "symfony/asset-mapper": "self.version",
         "symfony/browser-kit": "self.version",

diff --git a/src/Symfony/Component/AccessControl/.gitattributes b/src/Symfony/Component/AccessControl/.gitattributes
@@ -0,0 +1,3 @@
+/Tests export-ignore
+/phpunit.xml.dist export-ignore
+/.git* export-ignore
diff --git a/src/Symfony/Component/AccessControl/.gitignore b/src/Symfony/Component/AccessControl/.gitignore
@@ -0,0 +1,4 @@
+vendor/
+composer.lock
+phpunit.xml
+Tests/Fixtures/var/
diff --git a/src/Symfony/Component/AccessControl/AccessControlManager.php b/src/Symfony/Component/AccessControl/AccessControlManager.php
@@ -0,0 +1,112 @@
+<?php
+
+namespace Symfony\Component\AccessControl;
+
+use Symfony\Component\AccessControl\Event\AccessDecisionEvent;
+use Symfony\Component\AccessControl\Event\VoteEvent;
+use Symfony\Component\AccessControl\Exception\InvalidStrategyException;
+use Symfony\Component\AccessControl\Strategy\AffirmativeStrategy;
+use Symfony\Component\AccessControl\Strategy\StrategyInterface;
+use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
+
+/**
+ * @experimental
+ */
+class AccessControlManager implements AccessControlManagerInterface
+{
+    private readonly string $defaultStrategy;
+
+    /**
+     * @var array<string, StrategyInterface>
+     */
+    private readonly array $strategies;
+
+    /**
+     * @var array<string, array<array-key, bool>>
+     */
+    private array $votersCacheAttributes = [];
+    /**
+     * @var array<string, array<array-key, bool>>
+     */
+    private mixed $votersCacheSubject = [];
+
+    /**
+     * @param iterable<StrategyInterface> $strategies
+     * @param iterable<VoterInterface> $voters
+     */
+    public function __construct(
+        iterable $strategies,
+        private readonly iterable $voters,
+        ?string $defaultStrategy = null,
+        private readonly ?EventDispatcherInterface $dispatcher = null
+    ) {
+        $namedStrategies = [];
+        foreach ($strategies as $strategy) {
+            $namedStrategies[$strategy->getName()] = $strategy;
+        }
+        if (\count($namedStrategies) === 0) {
+            $namedStrategies['affirmative'] = new AffirmativeStrategy();
+            $defaultStrategy = 'affirmative';
+        }
+        if ($defaultStrategy === null) {
+            $defaultStrategy = array_key_first($namedStrategies);
+            assert($defaultStrategy !== null, 'The default strategy cannot be null.');
+        }
+        $this->defaultStrategy = $defaultStrategy;
+        $this->strategies = $namedStrategies;
+    }
+
+    public function decide(AccessRequest $accessRequest, ?string $strategy = null): AccessDecision
+    {
+        $strategy = $strategy ?? $this->defaultStrategy;
+        if (!isset($this->strategies[$strategy])) {
+            throw new InvalidStrategyException(sprintf('Strategy "%s" is not registered. Valid strategies are: %s', $strategy, implode(', ', array_keys($this->strategies))));
+        }
+        $votes = [];
+        foreach ($this->getVoters($accessRequest) as $voter) {
+            $vote = $voter->vote($accessRequest);
+            $votes[] = $vote;
+            $this->dispatcher?->dispatch(new VoteEvent($voter, $accessRequest, $vote));
+        }
+
+        $accessDecision = $this->strategies[$strategy]->evaluate($accessRequest, $votes);
+        if ($accessDecision->decision !== DecisionVote::ACCESS_ABSTAIN) {
+            $this->dispatcher?->dispatch(new AccessDecisionEvent($accessRequest, $accessDecision));
+            return $accessDecision;
+        }
+
+        $accessDecision = AccessDecision::deny($accessRequest, $votes, $accessDecision->reason);
+        if ($accessRequest->allowIfAllAbstainOrTie) {
+            $accessDecision = AccessDecision::grant($accessRequest, $votes, $accessDecision->reason);
+        }
+
+        $this->dispatcher?->dispatch(new AccessDecisionEvent($accessRequest, $accessDecision));
+
+        return $accessDecision;
+    }
+
+    /**
+     * @return iterable<VoterInterface>
+     */
+    private function getVoters(AccessRequest $accessRequest): iterable
+    {
+        $keyAttribute = \is_object($accessRequest->attribute) ? $accessRequest->attribute::class : get_debug_type($accessRequest->attribute);
+        $keySubject = \is_object($accessRequest->subject) ? $accessRequest->subject::class : get_debug_type($accessRequest->subject);
+        foreach ($this->voters as $key => $voter) {
+            if (!isset($this->votersCacheAttributes[$keyAttribute][$key])) {
+                $this->votersCacheAttributes[$keyAttribute][$key] = $voter->supportsAttribute($accessRequest->attribute);
+            }
+            if (!$this->votersCacheAttributes[$keyAttribute][$key]) {
+                continue;
+            }
+
+            if (!isset($this->votersCacheSubject[$keySubject][$key])) {
+                $this->votersCacheSubject[$keySubject][$key] = $voter->supportsSubject($accessRequest->subject);
+            }
+            if (!$this->votersCacheSubject[$keySubject][$key]) {
+                continue;
+            }
+            yield $voter;
+        }
+    }
+}
diff --git a/src/Symfony/Component/AccessControl/AccessControlManagerInterface.php b/src/Symfony/Component/AccessControl/AccessControlManagerInterface.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Symfony\Component\AccessControl;
+
+/**
+ * @experimental
+ */
+interface AccessControlManagerInterface
+{
+    public function decide(AccessRequest $accessRequest, ?string $strategy = null): AccessDecision;
+}
diff --git a/src/Symfony/Component/AccessControl/AccessDecision.php b/src/Symfony/Component/AccessControl/AccessDecision.php
@@ -0,0 +1,41 @@
+<?php
+
+namespace Symfony\Component\AccessControl;
+
+/**
+ * @experimental
+ */
+readonly class AccessDecision
+{
+    /**
+     * @param iterable<VoterOutcome> $votes
+     */
+    public function __construct(
+        public AccessRequest $accessRequest,
+        public DecisionVote  $decision,
+        public iterable      $votes,
+        public ?string       $reason = null,
+    ) {
+    }
+
+    /**
+     * @param iterable<VoterOutcome> $votes
+     */
+    public static function grant(AccessRequest $accessRequest, iterable $votes, ?string $reason = null): self
+    {
+        return new self($accessRequest, DecisionVote::ACCESS_GRANTED, $votes, $reason);
+    }
+
+    /**
+     * @param iterable<VoterOutcome> $votes
+     */
+    public static function deny(AccessRequest $accessRequest, iterable $votes, ?string $reason = null): self
+    {
+        return new self($accessRequest, DecisionVote::ACCESS_DENIED, $votes, $reason);
+    }
+
+    public static function abstain(AccessRequest $accessRequest, iterable $votes, ?string $reason = null): self
+    {
+        return new self($accessRequest, DecisionVote::ACCESS_ABSTAIN, $votes, $reason);
+    }
+}
diff --git a/src/Symfony/Component/AccessControl/AccessRequest.php b/src/Symfony/Component/AccessControl/AccessRequest.php
@@ -0,0 +1,23 @@
+<?php
+
+namespace Symfony\Component\AccessControl;
+
+use Symfony\Component\ExpressionLanguage\Expression;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+
+/**
+ * @experimental
+ */
+readonly class AccessRequest
+{
+    /**
+     * @param array<array-key, mixed> $metadata
+     */
+    public function __construct(
+        public mixed $attribute,
+        public mixed  $subject = null,
+        public array $metadata = [],
+        public bool $allowIfAllAbstainOrTie = false,
+    ) {
+    }
+}
diff --git a/src/Symfony/Component/AccessControl/Attribute/AccessPolicy.php b/src/Symfony/Component/AccessControl/Attribute/AccessPolicy.php
@@ -0,0 +1,34 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\AccessControl\Attribute;
+
+/**
+ * @experimental
+ */
+#[\Attribute(\Attribute::IS_REPEATABLE | \Attribute::TARGET_CLASS | \Attribute::TARGET_METHOD | \Attribute::TARGET_FUNCTION)]
+readonly class AccessPolicy
+{
+    /**
+     * @param array<array-key, mixed> $
+     */
+    public function __construct(
+        public mixed $attribute,
+        public mixed $subject = null,
+        public ?string $strategy = null,
+        public array $metadata = [],
+        public bool $allowIfAllAbstain = false,
+        public string $message = 'Access Denied.',
+        public ?int $statusCode = null,
+        public ?int $exceptionCode = null,
+    ) {
+    }
+}
diff --git a/src/Symfony/Component/AccessControl/Attribute/All.php b/src/Symfony/Component/AccessControl/Attribute/All.php
@@ -0,0 +1,30 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\AccessControl\Attribute;
+
+/**
+ * @experimental
+ */
+#[\Attribute(\Attribute::IS_REPEATABLE | \Attribute::TARGET_CLASS | \Attribute::TARGET_METHOD | \Attribute::TARGET_FUNCTION)]
+readonly class All
+{
+    /**
+     * @param list<AccessPolicy> $accessPolicies
+     */
+    public function __construct(
+        public array $accessPolicies,
+        public string $message = 'Access Denied.',
+        public ?int $statusCode = null,
+        public ?int $exceptionCode = null,
+    ) {
+    }
+}
diff --git a/src/Symfony/Component/AccessControl/Attribute/AtLeastOneOf.php b/src/Symfony/Component/AccessControl/Attribute/AtLeastOneOf.php
@@ -0,0 +1,27 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\AccessControl\Attribute;
+
+/**
+ * @experimental
+ */
+#[\Attribute(\Attribute::IS_REPEATABLE | \Attribute::TARGET_CLASS | \Attribute::TARGET_METHOD | \Attribute::TARGET_FUNCTION)]
+readonly class AtLeastOneOf
+{
+    /**
+     * @param list<AccessPolicy> $accessPolicies
+     */
+    public function __construct(
+        public array $accessPolicies,
+    ) {
+    }
+}
diff --git a/src/Symfony/Component/AccessControl/CHANGELOG.md b/src/Symfony/Component/AccessControl/CHANGELOG.md
@@ -0,0 +1,7 @@
+CHANGELOG
+=========
+
+7.3
+---
+
+ * Add the component as experimental
diff --git a/src/Symfony/Component/AccessControl/DecisionVote.php b/src/Symfony/Component/AccessControl/DecisionVote.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace Symfony\Component\AccessControl;
+
+/**
+ * @experimental
+ */
+enum DecisionVote: string
+{
+    case ACCESS_GRANTED = 'ACCESS_GRANTED';
+    case ACCESS_DENIED= 'ACCESS_DENIED';
+    case ACCESS_ABSTAIN= 'ACCESS_ABSTAIN';
+}
diff --git a/src/Symfony/Component/AccessControl/Event/AccessDecisionEvent.php b/src/Symfony/Component/AccessControl/Event/AccessDecisionEvent.php
@@ -0,0 +1,21 @@
+<?php
+
+namespace Symfony\Component\AccessControl\Event;
+
+use Symfony\Component\AccessControl\AccessRequest;
+use Symfony\Component\AccessControl\AccessDecision;
+use Symfony\Component\AccessControl\VoterOutcome;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+use Symfony\Contracts\EventDispatcher\Event;
+
+/**
+ * @experimental
+ */
+final class AccessDecisionEvent extends Event
+{
+    public function __construct(
+        public readonly AccessRequest  $accessRequest,
+        public readonly AccessDecision $accessDecision
+    ) {
+    }
+}
diff --git a/src/Symfony/Component/AccessControl/Event/VoteEvent.php b/src/Symfony/Component/AccessControl/Event/VoteEvent.php
@@ -0,0 +1,21 @@
+<?php
+
+namespace Symfony\Component\AccessControl\Event;
+
+use Symfony\Component\AccessControl\AccessRequest;
+use Symfony\Component\AccessControl\VoterInterface;
+use Symfony\Component\AccessControl\VoterOutcome;
+use Symfony\Contracts\EventDispatcher\Event;
+
+/**
+ * @experimental
+ */
+final class VoteEvent extends Event
+{
+    public function __construct(
+        public readonly VoterInterface $voter,
+        public readonly AccessRequest  $accessRequest,
+        public readonly VoterOutcome   $voterOutcome
+    ) {
+    }
+}
diff --git a/src/Symfony/Component/AccessControl/Exception/InvalidStrategyException.php b/src/Symfony/Component/AccessControl/Exception/InvalidStrategyException.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Symfony\Component\AccessControl\Exception;
+
+/**
+ * @experimental
+ */
+class InvalidStrategyException extends \RuntimeException
+{
+
+}