Merge remote-tracking branch 'origin/master' into upgrade-sf5

src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectRoleEnum.php

@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Security\Authorization;
+
+/**
+ * Role to edit or see the stored object content.
+ */
+enum StoredObjectRoleEnum: string
+{
+    case SEE = 'SEE';
+
+    case EDIT = 'SEE_AND_EDIT';
+}

src/Bundle/ChillDocStoreBundle/Security/Authorization/StoredObjectVoter.php

@@ -0,0 +1,55 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Security\Authorization;
+
+use Chill\DocStoreBundle\Entity\StoredObject;
+use Chill\DocStoreBundle\Security\Guard\DavTokenAuthenticationEventSubscriber;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+
+/**
+ * Voter for the content of a stored object.
+ *
+ * This is in use to allow or disallow the edition of the stored object's content.
+ */
+class StoredObjectVoter extends Voter
+{
+    protected function supports($attribute, $subject): bool
+    {
+        return StoredObjectRoleEnum::tryFrom($attribute) instanceof StoredObjectRoleEnum
+            && $subject instanceof StoredObject;
+    }
+
+    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
+    {
+        /** @var StoredObject $subject */
+        if (
+            !$token->hasAttribute(DavTokenAuthenticationEventSubscriber::STORED_OBJECT)
+            || $subject->getUuid()->toString() !== $token->getAttribute(DavTokenAuthenticationEventSubscriber::STORED_OBJECT)
+        ) {
+            return false;
+        }
+
+        if (!$token->hasAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS)) {
+            return false;
+        }
+
+        $askedRole = StoredObjectRoleEnum::from($attribute);
+        $tokenRoleAuthorization =
+            $token->getAttribute(DavTokenAuthenticationEventSubscriber::ACTIONS);
+
+        return match ($askedRole) {
+            StoredObjectRoleEnum::SEE => StoredObjectRoleEnum::EDIT === $tokenRoleAuthorization || StoredObjectRoleEnum::SEE === $tokenRoleAuthorization,
+            StoredObjectRoleEnum::EDIT => StoredObjectRoleEnum::EDIT === $tokenRoleAuthorization
+        };
+    }
+}

src/Bundle/ChillDocStoreBundle/Security/Guard/DavOnUrlTokenExtractor.php

@@ -0,0 +1,58 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Security\Guard;
+
+use Lexik\Bundle\JWTAuthenticationBundle\TokenExtractor\TokenExtractorInterface;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Extract the JWT Token from the segment of the dav endpoints.
+ *
+ * A segment is a separation inside the string, using the character "/".
+ *
+ * For recognizing the JWT, the first segment must be "dav", and the second one must be
+ * the JWT endpoint.
+ */
+final readonly class DavOnUrlTokenExtractor implements TokenExtractorInterface
+{
+    public function __construct(
+        private LoggerInterface $logger,
+    ) {
+    }
+
+    public function extract(Request $request): false|string
+    {
+        $uri = $request->getRequestUri();
+
+        $segments = array_values(
+            array_filter(
+                explode('/', $uri),
+                fn ($item) => '' !== trim($item)
+            )
+        );
+
+        if (2 > count($segments)) {
+            $this->logger->info('not enough segment for parsing URL');
+
+            return false;
+        }
+
+        if ('dav' !== $segments[0]) {
+            $this->logger->info('the first segment of the url must be DAV');
+
+            return false;
+        }
+
+        return $segments[1];
+    }
+}

src/Bundle/ChillDocStoreBundle/Security/Guard/DavTokenAuthenticationEventSubscriber.php

@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Security\Guard;
+
+use Chill\DocStoreBundle\Security\Authorization\StoredObjectRoleEnum;
+use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTAuthenticatedEvent;
+use Lexik\Bundle\JWTAuthenticationBundle\Events;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+
+/**
+ * Store some data from the JWT's payload inside the token's attributes.
+ */
+class DavTokenAuthenticationEventSubscriber implements EventSubscriberInterface
+{
+    final public const STORED_OBJECT = 'stored_object';
+    final public const ACTIONS = 'stored_objects_actions';
+
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            Events::JWT_AUTHENTICATED => ['onJWTAuthenticated', 0],
+        ];
+    }
+
+    public function onJWTAuthenticated(JWTAuthenticatedEvent $event): void
+    {
+        $payload = $event->getPayload();
+
+        if (!(array_key_exists('dav', $payload) && 1 === $payload['dav'])) {
+            return;
+        }
+
+        $token = $event->getToken();
+        $token->setAttribute(self::ACTIONS, match ($payload['e']) {
+            0 => StoredObjectRoleEnum::SEE,
+            1 => StoredObjectRoleEnum::EDIT,
+            default => throw new \UnexpectedValueException('unsupported value for e parameter')
+        });
+
+        $token->setAttribute(self::STORED_OBJECT, $payload['so']);
+    }
+}

src/Bundle/ChillDocStoreBundle/Security/Guard/JWTDavTokenProvider.php

@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Security\Guard;
+
+use Chill\DocStoreBundle\Entity\StoredObject;
+use Chill\DocStoreBundle\Security\Authorization\StoredObjectRoleEnum;
+use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
+use Symfony\Component\Security\Core\Security;
+
+/**
+ * Provide a JWT Token which will be valid for viewing or editing a document.
+ */
+final readonly class JWTDavTokenProvider implements JWTDavTokenProviderInterface
+{
+    public function __construct(
+        private JWTTokenManagerInterface $JWTTokenManager,
+        private Security $security,
+    ) {
+    }
+
+    public function createToken(StoredObject $storedObject, StoredObjectRoleEnum $roleEnum): string
+    {
+        return $this->JWTTokenManager->createFromPayload($this->security->getUser(), [
+            'dav' => 1,
+            'e' => match ($roleEnum) {
+                StoredObjectRoleEnum::SEE => 0,
+                StoredObjectRoleEnum::EDIT => 1,
+            },
+            'so' => $storedObject->getUuid(),
+        ]);
+    }
+
+    public function getTokenExpiration(string $tokenString): \DateTimeImmutable
+    {
+        $jwt = $this->JWTTokenManager->parse($tokenString);
+
+        return \DateTimeImmutable::createFromFormat('U', (string) $jwt['exp']);
+    }
+}

src/Bundle/ChillDocStoreBundle/Security/Guard/JWTDavTokenProviderInterface.php

@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Security\Guard;
+
+use Chill\DocStoreBundle\Entity\StoredObject;
+use Chill\DocStoreBundle\Security\Authorization\StoredObjectRoleEnum;
+
+/**
+ * Provide a JWT Token which will be valid for viewing or editing a document.
+ */
+interface JWTDavTokenProviderInterface
+{
+    public function createToken(StoredObject $storedObject, StoredObjectRoleEnum $roleEnum): string;
+
+    public function getTokenExpiration(string $tokenString): \DateTimeImmutable;
+}

src/Bundle/ChillDocStoreBundle/Security/Guard/JWTOnDavUrlAuthenticator.php

@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Security\Guard;
+
+use Lexik\Bundle\JWTAuthenticationBundle\Security\Guard\JWTTokenAuthenticator;
+use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
+use Lexik\Bundle\JWTAuthenticationBundle\TokenExtractor\TokenExtractorInterface;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
+use Symfony\Contracts\Translation\TranslatorInterface;
+
+/**
+ * Alter the base JWTTokenAuthenticator to add the special extractor for dav url endpoints.
+ */
+class JWTOnDavUrlAuthenticator extends JWTTokenAuthenticator
+{
+    public function __construct(
+        JWTTokenManagerInterface $jwtManager,
+        EventDispatcherInterface $dispatcher,
+        TokenExtractorInterface $tokenExtractor,
+        private readonly DavOnUrlTokenExtractor $davOnUrlTokenExtractor,
+        TokenStorageInterface $preAuthenticationTokenStorage,
+        ?TranslatorInterface $translator = null,
+    ) {
+        parent::__construct($jwtManager, $dispatcher, $tokenExtractor, $preAuthenticationTokenStorage, $translator);
+    }
+
+    protected function getTokenExtractor()
+    {
+        return $this->davOnUrlTokenExtractor;
+    }
+}