feat(security): Add PHP \Attribute for remaining security annotations

[nickvergessen]

Summary

Allowing the remaining annotations of the security middlewares as Attributes

• Sibling to feat(ratelimit): Add Attributes support to rate limit middleware #37864
• And feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple #36928

TODO

• Add Attribute classes
• Check for attribute OR annotation
• Add Attribute additionally to OCP controllers
• Add unit tests
• Document and deprecate the old syntax feat(developer): Replace annotations with attributes documentation#10206

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required feat(developer): Replace annotations with attributes documentation#10206
• Backports requested where applicable (ex: critical bugfixes)

[github-advanced-security]

Psalm found more than 10 potential problems in the proposed changes. Check the Files changed tab for more details.

[nickvergessen]

Comment for #37039 on merge:

Added:

> # Backend
> 
> * `AuthorizedAdminSetting` controller access restriction can now be enabled using native PHP attributes https://github.com/nextcloud/server/pull/37905  https://docs.nextcloud.com//server/stable/developer_manual/basics/setting.html
> * `CORS` controller restriction can now be enabled using native PHP attributes https://github.com/nextcloud/server/pull/37905  https://docs.nextcloud.com//server/stable/developer_manual/digging_deeper/rest_apis.html
> * `NoAdminRequired` controller access restriction can now be enabled using native PHP attributes https://github.com/nextcloud/server/pull/37905  https://docs.nextcloud.com//server/stable/developer_manual/basics/controllers.html#authentication
> * `NoCSRFRequired` controller functionality can now be enabled using native PHP attributes https://github.com/nextcloud/server/pull/37905  https://docs.nextcloud.com//server/stable/developer_manual/prologue/security.html#cross-site-request-forgery
> * `PasswordConfirmationRequired` controller restriction can now be enabled using native PHP attributes https://github.com/nextcloud/server/pull/37905  https://docs.nextcloud.com//server/stable/developer_manual/digging_deeper/javascript-apis.html#nextcloud-password-confirmation
> * `PublicPage` controller access restriction can now be enabled using native PHP attributes https://github.com/nextcloud/server/pull/37905  https://docs.nextcloud.com//server/stable/developer_manual/basics/controllers.html#authentication
> * `SubAdminRequired` controller access restriction can now be enabled using native PHP attributes https://github.com/nextcloud/server/pull/37905  https://docs.nextcloud.com//server/stable/developer_manual/basics/controllers.html#authentication
> 
> ## Deprecations
> 
> * `@AuthorizedAdminSetting` annotation for controllers is now deprecated in favor of the `#[AuthorizedAdminSetting]` attribute https://docs.nextcloud.com//server/stable/developer_manual/basics/setting.html
> * `@CORS` annotation for controllers is now deprecated in favor of the `#[CORS]` attribute https://docs.nextcloud.com//server/stable/developer_manual/digging_deeper/rest_apis.html
> * `@NoAdminRequired` annotation for controllers is now deprecated in favor of the `#[NoAdminRequired]` attribute https://docs.nextcloud.com//server/stable/developer_manual/basics/controllers.html#authentication
> * `@NoCSRFRequired` annotation for controllers is now deprecated in favor of the `#[NoCSRFRequired]` attribute https://docs.nextcloud.com//server/stable/developer_manual/prologue/security.html#cross-site-request-forgery
> * `@PasswordConfirmationRequired` annotation for controllers is now deprecated in favor of the `#[PasswordConfirmationRequired]` attribute https://docs.nextcloud.com//server/stable/developer_manual/digging_deeper/javascript-apis.html#nextcloud-password-confirmation
> * `@PublicPage` annotation for controllers is now deprecated in favor of the `#[PublicPage]` attribute https://docs.nextcloud.com//server/stable/developer_manual/basics/controllers.html#authentication
> * `@SubAdminRequired` annotation for controllers is now deprecated in favor of the `#[SubAdminRequired]` attribute https://docs.nextcloud.com//server/stable/developer_manual/basics/controllers.html#authentication

[vitormattos]

Only suggestions, not blocking points.

[vitormattos]

Suggested change

[vitormattos]

This will impact a lot of classes but would be good create a followup issue to do this fix return type and others from Middleware abstract class:

Suggested change

	public function afterController($controller, $methodName, Response $response) {
	public function afterController($controller, $methodName, Response $response): void {

[vitormattos]

This method occur 3 times at this PR with the same signature.
Maybe will be good to move to parent class.

[nickvergessen]

This ia only temporary until we drop the annotations and its 2 if statements. I don't really feel like creating an abstract parent class for 4 operational lines

[vitormattos]

At other implements of this method on this PR you used the follow code. Make any difference or only was about wrote more times the same method without doing a copy paste?

Suggested change

	if ($this->reflector->hasAnnotation($annotationName)) {
	if (!empty($reflectionMethod->getAttributes($attributeClass))) {

[nickvergessen]

For AuthorizedAdminSetting we need the values, so i changed it there but then went for an independent approach, so that's why after that attempt some might diverge, but as mentioned above they are just 2 ifs so it doesn't really matter