Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Show more information in the security profiler #17887

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 15 commits into from
Closed

Show more information in the security profiler #17887

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
4f37d7a
Show more information in the security profiler
javiereguiluz Feb 22, 2016
c9bfc30
Try to fix the test issues
javiereguiluz Feb 23, 2016
5e46d23
Minor refactoring
javiereguiluz Feb 23, 2016
879d671
Another refactor to fix tests
javiereguiluz Feb 23, 2016
378db40
Fixed the PHPdoc od the new class
javiereguiluz Feb 25, 2016
9349fdf
Made the changes asked for by reviewers
javiereguiluz Feb 29, 2016
597bc48
Improvements after Iltar's review
javiereguiluz Mar 1, 2016
ca6da19
Fixed fabbot issues
javiereguiluz Mar 1, 2016
e20948e
Fixes and tweaks
javiereguiluz Mar 1, 2016
367f8ea
Improved the string representation of the objects
javiereguiluz Mar 1, 2016
89bc8c0
Display the contents when the object is not a true object
javiereguiluz Mar 1, 2016
97111f3
Made code more robust
javiereguiluz Mar 2, 2016
8b36d15
Take care of the null objects
javiereguiluz Mar 3, 2016
4864976
Fixed a syntax error
javiereguiluz Mar 3, 2016
f3db034
Minor Twig change
javiereguiluz Mar 3, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 53 additions & 4 deletions 57 src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@
use Symfony\Component\HttpKernel\DataCollector\DataCollector;
use Symfony\Component\Security\Core\Role\RoleInterface;
use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Symfony\Component\Security\Core\Authorization\DebugAccessDecisionManager;

/**
* SecurityDataCollector.
Expand All @@ -29,19 +31,22 @@ class SecurityDataCollector extends DataCollector
private $tokenStorage;
private $roleHierarchy;
private $logoutUrlGenerator;
private $accessDecisionManager;

/**
* Constructor.
*
* @param TokenStorageInterface|null $tokenStorage
* @param RoleHierarchyInterface|null $roleHierarchy
* @param LogoutUrlGenerator|null $logoutUrlGenerator
* @param TokenStorageInterface|null $tokenStorage
* @param RoleHierarchyInterface|null $roleHierarchy
* @param LogoutUrlGenerator|null $logoutUrlGenerator
* @param AccessDecisionManagerInterface|null $accessDecisionManager
*/
public function __construct(TokenStorageInterface $tokenStorage = null, RoleHierarchyInterface $roleHierarchy = null, LogoutUrlGenerator $logoutUrlGenerator = null)
public function __construct(TokenStorageInterface $tokenStorage = null, RoleHierarchyInterface $roleHierarchy = null, LogoutUrlGenerator $logoutUrlGenerator = null, AccessDecisionManagerInterface $accessDecisionManager = null)
{
$this->tokenStorage = $tokenStorage;
$this->roleHierarchy = $roleHierarchy;
$this->logoutUrlGenerator = $logoutUrlGenerator;
$this->accessDecisionManager = $accessDecisionManager;
}

/**
Expand Down Expand Up @@ -104,6 +109,20 @@ public function collect(Request $request, Response $response, \Exception $except
'supports_role_hierarchy' => null !== $this->roleHierarchy,
);
}

// collect voters and access decision manager information
if ($this->accessDecisionManager instanceof DebugAccessDecisionManager) {
$this->data['access_decision_log'] = $this->accessDecisionManager->getDecisionLog();
$this->data['voter_strategy'] = $this->accessDecisionManager->getStrategy();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both the getDecisionLog() and getStrategy() methods may not exist.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could typehint against the DebugAccessDecisionManager, good to let it crash if you run this incorrectly imo

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've made this change. Is this what you suggested?

-if (null !== $this->accessDecisionManager) {
+if ($this->accessDecisionManager instance of DebugAccessDecisionManager) {


foreach ($this->accessDecisionManager->getVoters() as $voter) {
$this->data['voters'][] = get_class($voter);
}
} else {
$this->data['access_decision_log'] = array();
$this->data['voter_strategy'] = 'unknown';
$this->data['voters'] = array();
}
}

/**
Expand Down Expand Up @@ -187,6 +206,36 @@ public function getLogoutUrl()
return $this->data['logout_url'];
}

/**
* Returns the FQCN of the security voters enabled in the application.
*
* @return string[]
*/
public function getVoters()
{
return $this->data['voters'];
}

/**
* Returns the strategy configured for the security voters.
*
* @return string
*/
public function getVoterStrategy()
{
return $this->data['voter_strategy'];
}

/**
* Returns the log of the security decisions made by the access decision manager.
*
* @return array
*/
public function getAccessDecisionLog()
{
return $this->data['access_decision_log'];
}

/**
* {@inheritdoc}
*/
Expand Down
4 changes: 4 additions & 0 deletions 4 src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSecurityVotersPass.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,5 +46,9 @@ public function process(ContainerBuilder $container)
}

$container->getDefinition('security.access.decision_manager')->addMethodCall('setVoters', array(array_values($voters)));

if ($container->hasDefinition('debug.security.access.decision_manager')) {
$container->getDefinition('debug.security.access.decision_manager')->addMethodCall('setVoters', array(array_values($voters)));
}
}
}
7 changes: 7 additions & 0 deletions 7 src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,13 @@ public function load(array $configs, ContainerBuilder $container)
$this->aclLoad($config['acl'], $container);
}

if ($container->hasParameter('kernel.debug') && $container->getParameter('kernel.debug')) {
$loader->load('security_debug.xml');

$definition = $container->findDefinition('security.authorization_checker');
$definition->replaceArgument(2, new Reference('debug.security.access.decision_manager'));
}

// add some required classes for compilation
$this->addClassesToCompile(array(
'Symfony\Component\Security\Http\Firewall',
Expand Down
1 change: 1 addition & 0 deletions 1 src/Symfony/Bundle/SecurityBundle/Resources/config/collectors.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
<argument type="service" id="security.token_storage" on-invalid="ignore" />
<argument type="service" id="security.role_hierarchy" />
<argument type="service" id="security.logout_url_generator" />
<argument type="service" id="debug.security.access.decision_manager" />
</service>
</services>
</container>
12 changes: 12 additions & 0 deletions 12 src/Symfony/Bundle/SecurityBundle/Resources/config/security_debug.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
<?xml version="1.0" ?>

<container xmlns="http://symfony.com/schema/dic/services"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">

<services>
<service id="debug.security.access.decision_manager" class="Symfony\Component\Security\Core\Authorization\DebugAccessDecisionManager" decorates="security.access.decision_manager" public="false">
<argument type="service" id="debug.security.access.decision_manager.inner" />
</service>
</services>
</container>
65 changes: 65 additions & 0 deletions 65 src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,4 +119,69 @@
<p>The security component is disabled.</p>
</div>
{% endif %}

{% if collector.voters|default([]) is not empty %}
<h2>Security Voters <small>({{ collector.voters|length }})</small></h2>

<div class="metrics">
<div class="metric">
<span class="value">{{ collector.voterStrategy|default('unknown') }}</span>
<span class="label">Strategy</span>
</div>
</div>

<table class="voters">
<thead>
<tr>
<th>#</th>
<th>Voter class</th>
</tr>
</thead>

<tbody>
{% for voter in collector.voters %}
<tr>
<td class="font-normal text-small text-muted nowrap">{{ loop.index }}</td>
<td class="font-normal">{{ voter }}</td>
</tr>
{% endfor %}
</tbody>
</table>
{% endif %}

{% if collector.accessDecisionLog|default([]) is not empty %}
<h2>Access decision log</h2>

<table class="decision-log">
<col style="width: 30px">
<col style="width: 120px">
<col style="width: 25%">
<col style="width: 60%">

<thead>
<tr>
<th>#</th>
<th>Result</th>
<th>Attributes</th>
<th>Object</th>
</tr>
</thead>

<tbody>
{% for decision in collector.accessDecisionLog %}
<tr>
<td class="font-normal text-small text-muted nowrap">{{ loop.index }}</td>
<td class="font-normal">
{{ decision.result
? '<span class="label status-success same-width">GRANTED</span>'
: '<span class="label status-error same-width">DENIED</span>'
}}
</td>
<td>{{ decision.attributes|length == 1 ? decision.attributes|first : profiler_dump(decision.attributes) }}</td>
<td>{{ profiler_dump(decision.object) }}</td>
</tr>
{% endfor %}
</tbody>
</table>
{% endif %}
{% endblock %}
4 changes: 4 additions & 0 deletions 4 src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/profiler.css.twig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -235,6 +235,10 @@ table tbody ul {
padding: 3px 7px;
white-space: nowrap;
}
.label.same-width {
min-width: 70px;
text-align: center;
}
.label.status-success { background: {{ colors.success|raw }}; color: #FFF; }
.label.status-warning { background: {{ colors.warning|raw }}; color: #FFF; }
.label.status-error { background: {{ colors.error|raw }}; color: #FFF; }
Expand Down
120 changes: 120 additions & 0 deletions 120 src/Symfony/Component/Security/Core/Authorization/DebugAccessDecisionManager.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,120 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Component\Security\Core\Authorization;

use Doctrine\Common\Util\ClassUtils;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;

/**
* Decorates the original AccessDecisionManager class to log information
* about the security voters and the decisions made by them.
*
* @author Javier Eguiluz <javier.eguiluz@gmail.com>
*
* @internal
*/
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This class should probably be marked as being @internal.

class DebugAccessDecisionManager implements AccessDecisionManagerInterface
{
private $manager;
private $strategy;
private $voters;
private $decisionLog = array();

public function __construct(AccessDecisionManager $manager)
{
$this->manager = $manager;

// The strategy is stored in a private property of the decorated service
$reflection = new \ReflectionProperty($manager, 'strategy');
$reflection->setAccessible(true);
$this->strategy = $reflection->getValue($manager);
}

/**
* {@inheritdoc}
*/
public function decide(TokenInterface $token, array $attributes, $object = null)
{
$result = $this->manager->decide($token, $attributes, $object);

$this->decisionLog[] = array(
'attributes' => $attributes,
'object' => $this->getStringRepresentation($object),
'result' => $result,
);

return $result;
}

/**
* {@inheritdoc}
*/
public function setVoters(array $voters)
{
$this->voters = $voters;
}

/**
* @return string
*/
public function getStrategy()
{
// The $strategy property is misleading because it stores the name of its
// method (e.g. 'decideAffirmative') instead of the original strategy name
// (e.g. 'affirmative')
return strtolower(substr($this->strategy, 6));
}

/**
* @return array
*/
public function getVoters()
{
return $this->voters;
}

/**
* @return array
*/
public function getDecisionLog()
{
return $this->decisionLog;
}

/**
* @param mixed $object
*
* @return string
*/
private function getStringRepresentation($object)
{
if (null === $object) {
return 'NULL';
}

if (!is_object($object)) {
return sprintf('%s (%s)', gettype($object), $object);
}

$objectClass = class_exists('Doctrine\Common\Util\ClassUtils') ? ClassUtils::getClass($object) : get_class($object);

if (method_exists($object, 'getId')) {
$objectAsString = sprintf('ID: %s', $object->getId());
} elseif (method_exists($object, '__toString')) {
$objectAsString = (string) $object;
} else {
$objectAsString = sprintf('object hash: %s', spl_object_hash($object));
}

return sprintf('%s (%s)', $objectClass, $objectAsString);
}
}
Morty Proxy This is a proxified and sanitized view of the page, visit original site.