symfony
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php
Lines changed: 32 additions & 16 deletions b/‎src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php
Lines changed: 32 additions & 16 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSecurityVotersPass.php
Lines changed: 21 additions & 2 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Compiler/AddSecurityVotersPass.php
Lines changed: 21 additions & 2 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
Lines changed: 40 additions & 41 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
Lines changed: 40 additions & 41 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php
Lines changed: 145 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php
Lines changed: 145 additions & 0 deletions
@@ -13,6 +13,7 @@
 
 use Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Role\Role;
 use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
 use Symfony\Component\HttpFoundation\Request;
@@ -136,16 +137,31 @@ public function collect(Request $request, Response $response, \Exception $except
 
         // collect voters and access decision manager information
         if ($this->accessDecisionManager instanceof TraceableAccessDecisionManager) {
-            $this->data['access_decision_log'] = $this->accessDecisionManager->getDecisionLog();
-            $this->data['voter_strategy'] = $this->accessDecisionManager->getStrategy();
-
-            foreach ($this->accessDecisionManager->getVoters() as $voter) {
-                $this->data['voters'][] = $this->hasVarDumper ? new ClassStub(get_class($voter)) : get_class($voter);
+            $decisionLog = $this->accessDecisionManager->getDecisionLog();
+
+            // Voter constants
+            $reflectionClass = new \ReflectionClass(VoterInterface::class);
+            // Allows to get the access constant name from the vote log
+            $voterConstants = array_flip($reflectionClass->getConstants());
+
+            $voterDetails = array();
+            foreach ($decisionLog as $key => $log) {
+                $voterDetails[$key] = array();
+                foreach ($log['voterDetails'] as $voterClass => $voterVote) {
+                    $voterDetails[$key][] = array(
+                        'class' => $this->hasVarDumper ? new ClassStub($voterClass) : $voterClass,
+                        'vote' => null === $voterVote ? '-' : ($voterConstants[$voterVote] ?? 'unknown'),
+                    );
+                }
             }
+
+            $this->data['voter_strategy'] = $this->accessDecisionManager->getStrategy();
+            $this->data['voter_details'] = $voterDetails;
+            $this->data['access_decision_log'] = $decisionLog;
         } else {
             $this->data['access_decision_log'] = array();
             $this->data['voter_strategy'] = 'unknown';
-            $this->data['voters'] = array();
+            $this->data['voter_details'] = array();
         }
 
         // collect firewall context information
@@ -305,16 +321,6 @@ public function getLogoutUrl()
         return $this->data['logout_url'];
     }
 
-    /**
-     * Returns the FQCN of the security voters enabled in the application.
-     *
-     * @return string[]
-     */
-    public function getVoters()
-    {
-        return $this->data['voters'];
-    }
-
     /**
      * Returns the strategy configured for the security voters.
      *
@@ -335,6 +341,16 @@ public function getAccessDecisionLog()
         return $this->data['access_decision_log'];
     }
 
+    /**
+     * Returns the log of the votes processed in the access decision manager.
+     *
+     * @return Data|array
+     */
+    public function getVoterDetails(): iterable
+    {
+        return $this->data['voter_details'];
+    }
+
     /**
      * Returns the configuration of the current firewall context.
      *
 
@@ -16,6 +16,8 @@
 use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
 use Symfony\Component\DependencyInjection\Compiler\PriorityTaggedServiceTrait;
 use Symfony\Component\DependencyInjection\Exception\LogicException;
+use Symfony\Component\DependencyInjection\Reference;
+use Symfony\Component\Security\Core\Authorization\Voter\TraceableVoter;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 
 /**
@@ -41,16 +43,33 @@ public function process(ContainerBuilder $container)
             throw new LogicException('No security voters found. You need to tag at least one with "security.voter".');
         }
 
+        $debug = $container->hasParameter('kernel.debug') && $container->getParameter('kernel.debug');
+
+        $decisionManagerVoters = array();
         foreach ($voters as $voter) {
-            $definition = $container->getDefinition((string) $voter);
+            $voterServiceId = (string) $voter;
+            $definition = $container->getDefinition($voterServiceId);
+
             $class = $container->getParameterBag()->resolveValue($definition->getClass());
 
             if (!is_a($class, VoterInterface::class, true)) {
                 throw new LogicException(sprintf('%s must implement the %s when used as a voter.', $class, VoterInterface::class));
             }
+
+            if ($debug) {
+                // Decorate original voters with TraceableVoter
+                $debugVoterServiceId = 'debug.'.$voterServiceId;
+                $container
+                    ->register($debugVoterServiceId, TraceableVoter::class)
+                    ->setDecoratedService($voterServiceId)
+                    ->addArgument(new Reference($debugVoterServiceId.'.inner'))
+                    ->setPublic(false);
+            }
+
+            $decisionManagerVoters[] = $voter;
         }
 
         $adm = $container->getDefinition('security.access.decision_manager');
-        $adm->replaceArgument(0, new IteratorArgument($voters));
+        $adm->replaceArgument(0, new IteratorArgument($decisionManagerVoters));
     }
 }
@@ -258,8 +258,8 @@
         </div>
     {% endif %}
 
-    {% if collector.voters|default([]) is not empty %}
-        <h2>Security Voters <small>({{ collector.voters|length }})</small></h2>
+    {% if collector.accessDecisionLog|default([]) is not empty %}
+        <h2>Access decision log</h2>
 
         <div class="metrics">
             <div class="metric">
@@ -268,47 +268,22 @@
             </div>
         </div>
 
-        <table class="voters">
-            <thead>
-                <tr>
-                    <th>#</th>
-                    <th>Voter class</th>
-                </tr>
-            </thead>
+        {% for key, decision in collector.accessDecisionLog %}
+            <table class="decision-log">
+                <col style="width: 120px">
+                <col style="width: 25%">
+                <col style="width: 60%">
 
-            <tbody>
-                {% for voter in collector.voters %}
+                <thead>
                     <tr>
-                        <td class="font-normal text-small text-muted nowrap">{{ loop.index }}</td>
-                        <td class="font-normal">{{ profiler_dump(voter) }}</td>
+                        <th>Result</th>
+                        <th>Attributes</th>
+                        <th>Object</th>
                     </tr>
-                {% endfor %}
-            </tbody>
-        </table>
-    {% endif %}
-
-    {% if collector.accessDecisionLog|default([]) is not empty %}
-        <h2>Access decision log</h2>
+                </thead>
 
-        <table class="decision-log">
-            <col style="width: 30px">
-            <col style="width: 120px">
-            <col style="width: 25%">
-            <col style="width: 60%">
-
-            <thead>
-                <tr>
-                    <th>#</th>
-                    <th>Result</th>
-                    <th>Attributes</th>
-                    <th>Object</th>
-                </tr>
-            </thead>
-
-            <tbody>
-                {% for decision in collector.accessDecisionLog %}
+                <tbody>
                     <tr>
-                        <td class="font-normal text-small text-muted nowrap">{{ loop.index }}</td>
                         <td class="font-normal">
                             {{ decision.result
                                 ? '<span class="label status-success same-width">GRANTED</span>'
@@ -331,8 +306,32 @@
                         </td>
                         <td>{{ profiler_dump(decision.seek('object')) }}</td>
                     </tr>
-                {% endfor %}
-            </tbody>
-        </table>
+                </tbody>
+            </table>
+            {% if collector.voterDetails[key] is not empty %}
+                {% set voter_details_id = 'voter-details-' ~ loop.index %}
+                <a class="btn btn-link text-small sf-toggle" data-toggle-selector="#{{ voter_details_id }}" data-toggle-alt-content="Hide voter details">Show voter details</a>
+                <div id="{{ voter_details_id }}" class="sf-toggle-content sf-toggle-hidden">
+                    <table class="voters">
+                        <thead>
+                            <tr>
+                                <th>#</th>
+                                <th>Voter class</th>
+                                <th>Vote result</th>
+                            </tr>
+                        </thead>
+                        <tbody>
+                        {% for voter_detail in collector.voterDetails[key] %}
+                            <tr>
+                                <td class="font-normal text-small text-muted nowrap">{{ loop.index }}</td>
+                                <td class="font-normal">{{ profiler_dump(voter_detail['class']) }}</td>
+                                <td class="font-normal">{{ voter_detail['vote'] }}</td>
+                            </tr>
+                        {% endfor %}
+                        </tbody>
+                    </table>
+                </div>
+            {% endif %}
+        {% endfor %}
     {% endif %}
 {% endblock %}
@@ -21,6 +21,9 @@
 use Symfony\Component\HttpKernel\HttpKernelInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
+use Symfony\Component\Security\Core\Authorization\TraceableAccessDecisionManager;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Role\Role;
 use Symfony\Component\Security\Core\Role\RoleHierarchy;
 use Symfony\Component\Security\Http\Firewall\ListenerInterface;
@@ -221,6 +224,148 @@ public function testGetListeners()
         $this->addToAssertionCount(1);
     }
 
+    /**
+     * Test that no data is returned when AccessDecisionManager is not a TraceableAccessDecisionManager.
+     */
+    public function testCollectWithAccessDecisionManagerNoTraceable(): void
+    {
+        $accessDecisionManager = $this->getMockBuilder(AccessDecisionManager::class)->getMock();
+        $dataCollector = new SecurityDataCollector(null, null, null, $accessDecisionManager);
+        $dataCollector->collect($this->getRequest(), $this->getResponse());
+
+        $this->assertEmpty($dataCollector->getAccessDecisionLog(), 'getAccessDecisionLog should return an empty value');
+        $this->assertEmpty($dataCollector->getVoterDetails(), 'getVoterDetails should return emptu value');
+        $this->assertEquals($dataCollector->getVoterStrategy(), 'unknown', 'Wrong value for getVoterStrategy');
+    }
+
+    /**
+     * Data provider for testCollectWithTraceableAccessDecisionManager.
+     *
+     * @return array
+     */
+    public function providerCollectWithTraceableAccessDecisionManager(): array
+    {
+        return array(
+            array(
+                AccessDecisionManager::STRATEGY_AFFIRMATIVE,
+                array(array(
+                    'attributes' => array('view'),
+                    'object' => new \stdClass(),
+                    'result' => true,
+                    'voterDetails' => array(
+                        'Voter1' => VoterInterface::ACCESS_ABSTAIN,
+                        'Voter2' => VoterInterface::ACCESS_GRANTED,
+                    ),
+                )),
+                array(array(
+                    array('class' => 'Voter1', 'vote' => 'ACCESS_ABSTAIN'),
+                    array('class' => 'Voter2', 'vote' => 'ACCESS_GRANTED'),
+                )),
+            ),
+            array(
+                AccessDecisionManager::STRATEGY_AFFIRMATIVE,
+                array(array(
+                    'attributes' => array('update'),
+                    'object' => new \stdClass(),
+                    'result' => true,
+                    'voterDetails' => array(
+                        'Voter1' => VoterInterface::ACCESS_GRANTED,
+                        'Voter2' => null,
+                    ),
+                )),
+                array(array(
+                    array('class' => 'Voter1', 'vote' => 'ACCESS_GRANTED'),
+                    array('class' => 'Voter2', 'vote' => '-'),
+                )),
+            ),
+            array(
+                AccessDecisionManager::STRATEGY_CONSENSUS,
+                array(array(
+                    'attributes' => array('update', 'delete'),
+                    'object' => new \stdClass(),
+                    'result' => false,
+                    'voterDetails' => array(
+                        'Voter1' => 'dummy',
+                        'Voter2' => VoterInterface::ACCESS_ABSTAIN,
+                    ),
+                )),
+                array(array(
+                    array('class' => 'Voter1', 'vote' => 'unknown'),
+                    array('class' => 'Voter2', 'vote' => 'ACCESS_ABSTAIN'),
+                )),
+            ),
+            array(
+                AccessDecisionManager::STRATEGY_UNANIMOUS,
+                array(
+                    array(
+                        'attributes' => array('view', 'edit'),
+                        'object' => new \stdClass(),
+                        'result' => false,
+                        'voterDetails' => array(
+                            'Voter1' => VoterInterface::ACCESS_DENIED,
+                            'Voter2' => VoterInterface::ACCESS_GRANTED,
+                        ),
+                    ),
+                    array(
+                        'attributes' => array('update'),
+                        'object' => new \stdClass(),
+                        'result' => true,
+                        'voterDetails' => array(
+                            'Voter1' => VoterInterface::ACCESS_GRANTED,
+                            'Voter2' => VoterInterface::ACCESS_GRANTED,
+                        ),
+                    ),
+                ),
+                array(
+                    array(
+                        array('class' => 'Voter1', 'vote' => 'ACCESS_DENIED'),
+                        array('class' => 'Voter2', 'vote' => 'ACCESS_GRANTED'),
+                    ),
+                    array(
+                        array('class' => 'Voter1', 'vote' => 'ACCESS_GRANTED'),
+                        array('class' => 'Voter2', 'vote' => 'ACCESS_GRANTED'),
+                    ),
+                ),
+            ),
+        );
+    }
+
+    /**
+     * Test the returned data when AccessDecisionManager is a TraceableAccessDecisionManager.
+     *
+     * @param string $strategy             strategy returned by the AccessDecisionManager
+     * @param array  $decisionLog          log of the votes and final decisions from AccessDecisionManager
+     * @param array  $expectedVoterDetails expected vote details returned by the collector
+     *
+     * @dataProvider providerCollectWithTraceableAccessDecisionManager
+     */
+    public function testCollectWithTraceableAccessDecisionManager(string $strategy, array $decisionLog, array $expectedVoterDetails): void
+    {
+        $accessDecisionManager = $this
+            ->getMockBuilder(TraceableAccessDecisionManager::class)
+            ->disableOriginalConstructor()
+            ->setMethods(array('getDecisionLog', 'getStrategy'))
+            ->getMock();
+
+        $accessDecisionManager
+            ->expects($this->any())
+            ->method('getStrategy')
+            ->willReturn($strategy);
+
+        $accessDecisionManager
+            ->expects($this->any())
+            ->method('getDecisionLog')
+            ->willReturn($decisionLog);
+
+        $dataCollector = new SecurityDataCollector(null, null, null, $accessDecisionManager);
+        $dataCollector->collect($this->getRequest(), $this->getResponse());
+
+        $this->assertEquals($dataCollector->getAccessDecisionLog(), $decisionLog, 'Wrong value returned by getAccessDecisionLog');
+
+        $this->assertEquals($dataCollector->getVoterDetails(), $expectedVoterDetails, 'Wrong value returned by getVoterDetails');
+        $this->assertEquals($dataCollector->getVoterStrategy(), $strategy, 'Wrong value returned by getVoterStrategy');
+    }
+
     public function provideRoles()
     {
         return array(