Merge branch '5.4' into 6.0

* 5.4:
  Be more precise about the required Composer version
  [Security] Implement ADM strategies as dedicated classes
  Bump Symfony version to 5.3.11
  Update VERSION for 5.3.10
  Update CHANGELOG for 5.3.10

Author: derrabus

UPGRADE-5.4.md

@@ -159,3 +159,6 @@ Security
        }
    }
    ```
+ * Deprecate passing the strategy as string to `AccessDecisionManager`,
+   pass an instance of `AccessDecisionStrategyInterface` instead
+ * Flag `AccessDecisionManager` as `@final`

UPGRADE-6.0.md

@@ -402,6 +402,8 @@ Security
        }
    }
    ```
+ * `AccessDecisionManager` does not accept strings as strategy anymore,
+   pass an instance of `AccessDecisionStrategyInterface` instead
 
 SecurityBundle
 --------------

src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php

@@ -235,7 +235,7 @@ class FrameworkExtension extends Extension
     public function load(array $configs, ContainerBuilder $container)
     {
         if (!class_exists(InstalledVersions::class)) {
-            trigger_deprecation('symfony/framework-bundle', '5.4', 'Configuring Symfony without the Composer Runtime API is deprecated. Consider upgrading to Composer 2.');
+            trigger_deprecation('symfony/framework-bundle', '5.4', 'Configuring Symfony without the Composer Runtime API is deprecated. Consider upgrading to Composer 2.1 or later.');
         }
 
         $loader = new PhpFileLoader($container, new FileLocator(\dirname(__DIR__).'/Resources/config'));

src/Symfony/Bundle/SecurityBundle/CHANGELOG.md

@@ -29,6 +29,7 @@ CHANGELOG
    factories instead.
  * Deprecate the `always_authenticate_before_granting` option
  * Display the roles of the logged-in user in the Web Debug Toolbar
+ * Add the `security.access_decision_manager.strategy_service` option
 
 
 5.3

src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php

@@ -17,7 +17,6 @@
 use Symfony\Component\Config\Definition\Builder\TreeBuilder;
 use Symfony\Component\Config\Definition\ConfigurationInterface;
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
-use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
 
@@ -28,6 +27,15 @@
  */
 class MainConfiguration implements ConfigurationInterface
 {
+    /** @internal */
+    public const STRATEGY_AFFIRMATIVE = 'affirmative';
+    /** @internal */
+    public const STRATEGY_CONSENSUS = 'consensus';
+    /** @internal */
+    public const STRATEGY_UNANIMOUS = 'unanimous';
+    /** @internal */
+    public const STRATEGY_PRIORITY = 'priority';
+
     private $factories;
     private $userProviderFactories;
 
@@ -55,14 +63,18 @@ public function getConfigTreeBuilder(): TreeBuilder
                         return true;
                     }
 
-                    if (!isset($v['access_decision_manager']['strategy']) && !isset($v['access_decision_manager']['service'])) {
+                    if (!isset($v['access_decision_manager']['strategy'])
+                        && !isset($v['access_decision_manager']['service'])
+                        && !isset($v['access_decision_manager']['strategy_service'])
+                        && !isset($v['access_decision_manager']['strategy-service'])
+                    ) {
                         return true;
                     }
 
                     return false;
                 })
                 ->then(function ($v) {
-                    $v['access_decision_manager']['strategy'] = AccessDecisionManager::STRATEGY_AFFIRMATIVE;
+                    $v['access_decision_manager']['strategy'] = self::STRATEGY_AFFIRMATIVE;
 
                     return $v;
                 })
@@ -83,13 +95,22 @@ public function getConfigTreeBuilder(): TreeBuilder
                             ->values($this->getAccessDecisionStrategies())
                         ->end()
                         ->scalarNode('service')->end()
+                        ->scalarNode('strategy_service')->end()
                         ->booleanNode('allow_if_all_abstain')->defaultFalse()->end()
                         ->booleanNode('allow_if_equal_granted_denied')->defaultTrue()->end()
                     ->end()
                     ->validate()
-                        ->ifTrue(function ($v) { return isset($v['strategy']) && isset($v['service']); })
+                        ->ifTrue(function ($v) { return isset($v['strategy'], $v['service']); })
                         ->thenInvalid('"strategy" and "service" cannot be used together.')
                     ->end()
+                    ->validate()
+                        ->ifTrue(function ($v) { return isset($v['strategy'], $v['strategy_service']); })
+                        ->thenInvalid('"strategy" and "strategy_service" cannot be used together.')
+                    ->end()
+                    ->validate()
+                        ->ifTrue(function ($v) { return isset($v['service'], $v['strategy_service']); })
+                        ->thenInvalid('"service" and "strategy_service" cannot be used together.')
+                    ->end()
                 ->end()
             ->end()
         ;
@@ -416,18 +437,13 @@ private function addPasswordHashersSection(ArrayNodeDefinition $rootNode)
         ->end();
     }
 
-    private function getAccessDecisionStrategies()
+    private function getAccessDecisionStrategies(): array
     {
-        $strategies = [
-            AccessDecisionManager::STRATEGY_AFFIRMATIVE,
-            AccessDecisionManager::STRATEGY_CONSENSUS,
-            AccessDecisionManager::STRATEGY_UNANIMOUS,
+        return [
+            self::STRATEGY_AFFIRMATIVE,
+            self::STRATEGY_CONSENSUS,
+            self::STRATEGY_UNANIMOUS,
+            self::STRATEGY_PRIORITY,
         ];
-
-        if (\defined(AccessDecisionManager::class.'::STRATEGY_PRIORITY')) {
-            $strategies[] = AccessDecisionManager::STRATEGY_PRIORITY;
-        }
-
-        return $strategies;
     }
 }

src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php

@@ -38,6 +38,10 @@
 use Symfony\Component\PasswordHasher\Hasher\Pbkdf2PasswordHasher;
 use Symfony\Component\PasswordHasher\Hasher\PlaintextPasswordHasher;
 use Symfony\Component\PasswordHasher\Hasher\SodiumPasswordHasher;
+use Symfony\Component\Security\Core\Authorization\Strategy\AffirmativeStrategy;
+use Symfony\Component\Security\Core\Authorization\Strategy\ConsensusStrategy;
+use Symfony\Component\Security\Core\Authorization\Strategy\PriorityStrategy;
+use Symfony\Component\Security\Core\Authorization\Strategy\UnanimousStrategy;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\User\ChainUserProvider;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
@@ -73,7 +77,7 @@ public function prepend(ContainerBuilder $container)
     public function load(array $configs, ContainerBuilder $container)
     {
         if (!class_exists(InstalledVersions::class)) {
-            trigger_deprecation('symfony/security-bundle', '5.4', 'Configuring Symfony without the Composer Runtime API is deprecated. Consider upgrading to Composer 2.');
+            trigger_deprecation('symfony/security-bundle', '5.4', 'Configuring Symfony without the Composer Runtime API is deprecated. Consider upgrading to Composer 2.1 or later.');
         }
 
         if (!array_filter($configs)) {
@@ -119,12 +123,18 @@ public function load(array $configs, ContainerBuilder $container)
 
         if (isset($config['access_decision_manager']['service'])) {
             $container->setAlias('security.access.decision_manager', $config['access_decision_manager']['service']);
+        } elseif (isset($config['access_decision_manager']['strategy_service'])) {
+            $container
+                ->getDefinition('security.access.decision_manager')
+                ->addArgument(new Reference($config['access_decision_manager']['strategy_service']));
         } else {
             $container
                 ->getDefinition('security.access.decision_manager')
-                ->addArgument($config['access_decision_manager']['strategy'])
-                ->addArgument($config['access_decision_manager']['allow_if_all_abstain'])
-                ->addArgument($config['access_decision_manager']['allow_if_equal_granted_denied']);
+                ->addArgument($this->createStrategyDefinition(
+                    $config['access_decision_manager']['strategy'],
+                    $config['access_decision_manager']['allow_if_all_abstain'],
+                    $config['access_decision_manager']['allow_if_equal_granted_denied']
+                ));
         }
 
         $container->setParameter('security.authentication.hide_user_not_found', $config['hide_user_not_found']);
@@ -156,6 +166,25 @@ public function load(array $configs, ContainerBuilder $container)
         $container->getDefinition('security.authorization_checker')->setArgument(3, false);
     }
 
+    /**
+     * @throws \InvalidArgumentException if the $strategy is invalid
+     */
+    private function createStrategyDefinition(string $strategy, bool $allowIfAllAbstainDecisions, bool $allowIfEqualGrantedDeniedDecisions): Definition
+    {
+        switch ($strategy) {
+            case MainConfiguration::STRATEGY_AFFIRMATIVE:
+                return new Definition(AffirmativeStrategy::class, [$allowIfAllAbstainDecisions]);
+            case MainConfiguration::STRATEGY_CONSENSUS:
+                return new Definition(ConsensusStrategy::class, [$allowIfAllAbstainDecisions, $allowIfEqualGrantedDeniedDecisions]);
+            case MainConfiguration::STRATEGY_UNANIMOUS:
+                return new Definition(UnanimousStrategy::class, [$allowIfAllAbstainDecisions]);
+            case MainConfiguration::STRATEGY_PRIORITY:
+                return new Definition(PriorityStrategy::class, [$allowIfAllAbstainDecisions]);
+        }
+
+        throw new \InvalidArgumentException(sprintf('The strategy "%s" is not supported.', $strategy));
+    }
+
     private function createRoleHierarchy(array $config, ContainerBuilder $container)
     {
         if (!isset($config['role_hierarchy']) || 0 === \count($config['role_hierarchy'])) {

src/Symfony/Bundle/SecurityBundle/Resources/config/schema/security-1.0.xsd

@@ -55,6 +55,7 @@
     <xsd:complexType name="access_decision_manager">
         <xsd:attribute name="strategy" type="access_decision_manager_strategy" />
         <xsd:attribute name="service" type="xsd:string" />
+        <xsd:attribute name="strategy-service" type="xsd:string" />
         <xsd:attribute name="allow-if-all-abstain" type="xsd:boolean" />
         <xsd:attribute name="allow-if-equal-granted-denied" type="xsd:boolean" />
     </xsd:complexType>

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php

@@ -17,12 +17,14 @@
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
 use Symfony\Component\DependencyInjection\Argument\IteratorArgument;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Definition;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\PasswordHasher\Hasher\NativePasswordHasher;
 use Symfony\Component\PasswordHasher\Hasher\Pbkdf2PasswordHasher;
 use Symfony\Component\PasswordHasher\Hasher\PlaintextPasswordHasher;
 use Symfony\Component\PasswordHasher\Hasher\SodiumPasswordHasher;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
+use Symfony\Component\Security\Core\Authorization\Strategy\AffirmativeStrategy;
 use Symfony\Component\Security\Http\Authentication\AuthenticatorManager;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
@@ -605,7 +607,7 @@ public function testDefaultAccessDecisionManagerStrategyIsAffirmative()
     {
         $container = $this->getContainer('access_decision_manager_default_strategy');
 
-        $this->assertSame(AccessDecisionManager::STRATEGY_AFFIRMATIVE, $container->getDefinition('security.access.decision_manager')->getArgument(1), 'Default vote strategy is affirmative');
+        $this->assertEquals((new Definition(AffirmativeStrategy::class, [false])), $container->getDefinition('security.access.decision_manager')->getArgument(1), 'Default vote strategy is affirmative');
     }
 
     public function testCustomAccessDecisionManagerService()
@@ -628,9 +630,17 @@ public function testAccessDecisionManagerOptionsAreNotOverriddenByImplicitStrate
 
         $accessDecisionManagerDefinition = $container->getDefinition('security.access.decision_manager');
 
-        $this->assertSame(AccessDecisionManager::STRATEGY_AFFIRMATIVE, $accessDecisionManagerDefinition->getArgument(1));
-        $this->assertTrue($accessDecisionManagerDefinition->getArgument(2));
-        $this->assertFalse($accessDecisionManagerDefinition->getArgument(3));
+        $this->assertEquals((new Definition(AffirmativeStrategy::class, [true])), $accessDecisionManagerDefinition->getArgument(1));
+    }
+
+    public function testAccessDecisionManagerWithStrategyService()
+    {
+        $container = $this->getContainer('access_decision_manager_strategy_service');
+
+        $accessDecisionManagerDefinition = $container->getDefinition('security.access.decision_manager');
+
+        $this->assertEquals(AccessDecisionManager::class, $accessDecisionManagerDefinition->getClass());
+        $this->assertEquals(new Reference('app.custom_access_decision_strategy'), $accessDecisionManagerDefinition->getArgument(1));
     }
 
     public function testFirewallUndefinedUserProvider()

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/access_decision_manager_strategy_service.php

@@ -0,0 +1,20 @@
+<?php
+
+$container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
+    'access_decision_manager' => [
+        'strategy_service' => 'app.custom_access_decision_strategy',
+    ],
+    'providers' => [
+        'default' => [
+            'memory' => [
+                'users' => [
+                    'foo' => ['password' => 'foo', 'roles' => 'ROLE_USER'],
+                ],
+            ],
+        ],
+    ],
+    'firewalls' => [
+        'simple' => ['pattern' => '/login', 'security' => false],
+    ],
+]);

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/access_decision_manager_strategy_service.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<srv:container xmlns="http://symfony.com/schema/dic/security"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:srv="http://symfony.com/schema/dic/services"
+    xsi:schemaLocation="http://symfony.com/schema/dic/services
+        https://symfony.com/schema/dic/services/services-1.0.xsd
+        http://symfony.com/schema/dic/security
+        https://symfony.com/schema/dic/security/security-1.0.xsd">
+
+    <config enable-authenticator-manager="true">
+        <access-decision-manager strategy-service="app.custom_access_decision_strategy" />
+
+        <provider name="default">
+            <memory>
+                <user identifier="foo" password="foo" roles="ROLE_USER" />
+            </memory>
+        </provider>
+
+        <firewall name="simple" pattern="/login" security="false" />
+    </config>
+</srv:container>

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/access_decision_manager_strategy_service.yml

@@ -0,0 +1,11 @@
+security:
+    enable_authenticator_manager: true
+    access_decision_manager:
+        strategy_service: app.custom_access_decision_strategy
+    providers:
+        default:
+            memory:
+                users:
+                    foo: { password: foo, roles: ROLE_USER }
+    firewalls:
+        simple: { pattern: /login, security: false }

src/Symfony/Bundle/TwigBundle/DependencyInjection/TwigExtension.php

@@ -37,7 +37,7 @@ class TwigExtension extends Extension
     public function load(array $configs, ContainerBuilder $container)
     {
         if (!class_exists(InstalledVersions::class)) {
-            trigger_deprecation('symfony/twig-bundle', '5.4', 'Configuring Symfony without the Composer Runtime API is deprecated. Consider upgrading to Composer 2.');
+            trigger_deprecation('symfony/twig-bundle', '5.4', 'Configuring Symfony without the Composer Runtime API is deprecated. Consider upgrading to Composer 2.1 or later.');
         }
 
         $loader = new PhpFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));