Merge branch '7.4' into 8.0

* 7.4:
  [SecurityBundle] Fix tests on Windows
  use the empty string instead of null as an array offset
  pass the empty string instead of null as key to array_key_exists()
  fix test setup
  [Validator] Review Turkish translations
  [Validator] Review Croatian translations
  [Console] Add #[Input] attribute to support DTOs in commands
  [Security][SecurityBundle] Dump role hierarchy as mermaid chart
  [DependencyInjection] Allow `Class::function(...)` and `global_function(...)` closures in PHP DSL for factories
  [VarExporter] Add support for exporting named closures
  [Validator] Review translations for Polish (pl)
  use the empty string instead of null as an array offset
  Review translations for Chinese (zh_TW)
  [Serializer] Adjust ObjectNormalizerTest for the accessor method changes from #61097
  fix merge
  [Security] Fix `HttpUtils::createRequest()` when the base request is forwarded
  map legacy options to the "sentinel" key when parsing DSNs
  fix setup to actually run Redis Sentinel/Cluster integration tests
  [Routing] Don't rebuild cache when controller action body changes

Author: nicolas-grekas

.github/workflows/integration-tests.yml

@@ -261,6 +261,7 @@ jobs:
           REDIS_SENTINEL_SERVICE: redis_sentinel
           REDIS_REPLICATION_HOSTS: 'localhost:16382 localhost:16381'
           MESSENGER_REDIS_DSN: redis://127.0.0.1:7006/messages
+          MESSENGER_REDIS_SENTINEL_MASTER: redis_sentinel
           MESSENGER_AMQP_DSN: amqp://localhost/%2f/messages
           MESSENGER_SQS_DSN: "sqs://localhost:4566/messages?sslmode=disable&poll_timeout=0.01"
           MESSENGER_SQS_FIFO_QUEUE_DSN: "sqs://localhost:4566/messages.fifo?sslmode=disable&poll_timeout=0.01"

src/Symfony/Bundle/SecurityBundle/CHANGELOG.md

@@ -13,6 +13,7 @@ CHANGELOG
 7.4
 ---
 
+ * Add `debug:security:role-hierarchy` command to dump role hierarchy graphs in the Mermaid.js flowchart format
  * Add `Security::getAccessDecision()` and `getAccessDecisionForUser()` helpers
  * Add options to configure a cache pool and storage service for login throttling rate limiters
  * Register alias for argument for password hasher when its key is not a class name:

src/Symfony/Bundle/SecurityBundle/Command/SecurityRoleHierarchyDumpCommand.php

@@ -0,0 +1,94 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Command;
+
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\Security\Core\Dumper\MermaidDirectionEnum;
+use Symfony\Component\Security\Core\Dumper\MermaidDumper;
+use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
+
+/**
+ * Command to dump the role hierarchy as a Mermaid flowchart.
+ *
+ * @author Damien Fernandes <damien.fernandes24@gmail.com>
+ */
+#[AsCommand(name: 'debug:security:role-hierarchy', description: 'Dump the role hierarchy as a Mermaid flowchart')]
+class SecurityRoleHierarchyDumpCommand extends Command
+{
+    public function __construct(
+        private readonly RoleHierarchyInterface $roleHierarchy,
+    ) {
+        parent::__construct();
+    }
+
+    protected function configure(): void
+    {
+        $this
+            ->setDefinition([
+                new InputOption(
+                    'direction',
+                    'd',
+                    InputOption::VALUE_REQUIRED,
+                    'The direction of the flowchart ['.implode('|', $this->getAvailableDirections()).']',
+                    MermaidDirectionEnum::TOP_TO_BOTTOM->value,
+                    $this->getAvailableDirections()
+                ),
+            ])
+            ->setHelp(<<<'USAGE'
+                The <info>%command.name%</info> command dumps the role hierarchy in Mermaid format.
+
+                <info>Mermaid</info>: %command.full_name% > roles.mmd
+                <info>Mermaid with direction</info>: %command.full_name% --direction=BT > roles.mmd
+                USAGE
+            )
+        ;
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $io = new SymfonyStyle($input, $output);
+
+        if (null === $this->roleHierarchy) {
+            $io->getErrorStyle()->writeln('<comment>No role hierarchy is configured.</comment>');
+
+            return Command::SUCCESS;
+        }
+
+        $direction = $input->getOption('direction');
+
+        if (!MermaidDirectionEnum::tryFrom($direction)) {
+            $io->getErrorStyle()->writeln(\sprintf('<error>Invalid direction, available options are "%s"</error>', implode('"', $this->getAvailableDirections())));
+
+            return Command::FAILURE;
+        }
+
+        $dumper = new MermaidDumper();
+        $mermaidOutput = $dumper->dump($this->roleHierarchy, MermaidDirectionEnum::from($direction));
+
+        $output->writeln($mermaidOutput, OutputInterface::OUTPUT_RAW);
+
+        return Command::SUCCESS;
+    }
+
+    /**
+     * @return string[]
+     */
+    private function getAvailableDirections(): array
+    {
+        return array_map(fn ($case) => $case->value, MermaidDirectionEnum::cases());
+    }
+}

src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php

@@ -182,6 +182,10 @@ public function load(array $configs, ContainerBuilder $container): void
             $container->getDefinition('security.command.user_password_hash')->replaceArgument(1, array_keys($config['password_hashers']));
         }
 
+        if ($container->hasDefinition('security.role_hierarchy')) {
+            $loader->load('security_role_hierarchy_dump_command.php');
+        }
+
         $container->registerForAutoconfiguration(VoterInterface::class)
             ->addTag('security.voter');
     }

src/Symfony/Bundle/SecurityBundle/Resources/config/security_role_hierarchy_dump_command.php

@@ -0,0 +1,24 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\DependencyInjection\Loader\Configurator;
+
+use Symfony\Bundle\SecurityBundle\Command\SecurityRoleHierarchyDumpCommand;
+
+return static function (ContainerConfigurator $container): void {
+    $container->services()
+        ->set('security.command.role_hierarchy_dump', SecurityRoleHierarchyDumpCommand::class)
+            ->args([
+                service('security.role_hierarchy'),
+            ])
+            ->tag('console.command')
+    ;
+};

src/Symfony/Bundle/SecurityBundle/Tests/Command/SecurityRoleHierarchyDumpCommandTest.php

@@ -0,0 +1,83 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Command;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Bundle\SecurityBundle\Command\SecurityRoleHierarchyDumpCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Tester\CommandTester;
+use Symfony\Component\Security\Core\Role\RoleHierarchy;
+
+class SecurityRoleHierarchyDumpCommandTest extends TestCase
+{
+    public function testExecuteWithRoleHierarchy()
+    {
+        $hierarchy = [
+            'ROLE_ADMIN' => ['ROLE_USER'],
+            'ROLE_SUPER_ADMIN' => ['ROLE_ADMIN', 'ROLE_USER'],
+        ];
+
+        $roleHierarchy = new RoleHierarchy($hierarchy);
+        $command = new SecurityRoleHierarchyDumpCommand($roleHierarchy);
+        $commandTester = new CommandTester($command);
+
+        $exitCode = $commandTester->execute([]);
+
+        $this->assertSame(Command::SUCCESS, $exitCode);
+        $output = $commandTester->getDisplay();
+        $expectedOutput = str_replace("\n", \PHP_EOL, <<<EXPECTED
+            graph TB
+                ROLE_ADMIN
+                ROLE_USER
+                ROLE_SUPER_ADMIN
+                ROLE_ADMIN --> ROLE_USER
+                ROLE_SUPER_ADMIN --> ROLE_ADMIN
+                ROLE_SUPER_ADMIN --> ROLE_USER
+
+            EXPECTED);
+
+        $this->assertSame($expectedOutput, $output);
+    }
+
+    public function testExecuteWithCustomDirection()
+    {
+        $hierarchy = [
+            'ROLE_ADMIN' => ['ROLE_USER'],
+        ];
+
+        $roleHierarchy = new RoleHierarchy($hierarchy);
+        $command = new SecurityRoleHierarchyDumpCommand($roleHierarchy);
+        $commandTester = new CommandTester($command);
+
+        $exitCode = $commandTester->execute(['--direction' => 'BT']);
+
+        $this->assertSame(Command::SUCCESS, $exitCode);
+        $output = $commandTester->getDisplay();
+        $this->assertStringContainsString('graph BT', $output);
+    }
+
+    public function testExecuteWithInvalidDirection()
+    {
+        $hierarchy = [
+            'ROLE_ADMIN' => ['ROLE_USER'],
+        ];
+
+        $roleHierarchy = new RoleHierarchy($hierarchy);
+        $command = new SecurityRoleHierarchyDumpCommand($roleHierarchy);
+        $commandTester = new CommandTester($command);
+
+        $exitCode = $commandTester->execute(['--direction' => 'INVALID']);
+
+        $this->assertSame(Command::FAILURE, $exitCode);
+        $this->assertStringContainsString('Invalid direction', $commandTester->getDisplay());
+    }
+}

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php

@@ -141,6 +141,24 @@ public function testSwitchUserNotStatelessOnStatelessFirewall()
         $this->assertTrue($container->getDefinition('security.authentication.switchuser_listener.some_firewall')->getArgument(9));
     }
 
+    public function testRoleHierarchyDumpCommandIsRegisteredWithRoleHierarchy()
+    {
+        $container = $this->getRawContainer();
+        $container->loadFromExtension('security', [
+            'role_hierarchy' => [
+                'ROLE_ADMIN' => ['ROLE_USER'],
+                'ROLE_SUPER_ADMIN' => ['ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'],
+            ],
+            'firewalls' => [
+                'some_firewall' => [
+                ],
+            ],
+        ]);
+        $container->compile();
+
+        $this->assertTrue($container->hasDefinition('security.command.role_hierarchy_dump'));
+    }
+
     public function testPerListenerProvider()
     {
         $container = $this->getRawContainer();

src/Symfony/Component/Cache/Adapter/TagAwareAdapter.php

@@ -378,7 +378,7 @@ private function getTagVersions(array $tagsByKey, bool $persistTags): array
             (self::$saveTags)($this->tags, $newTags);
         }
 
-        while ($now > ($this->knownTagVersions[$tag = array_key_first($this->knownTagVersions)][0] ?? \INF)) {
+        while ($now > ($this->knownTagVersions[$tag = array_key_first($this->knownTagVersions) ?? ''][0] ?? \INF)) {
             unset($this->knownTagVersions[$tag]);
         }
 

src/Symfony/Component/Config/Definition/Builder/ArrayNodeDefinition.php

@@ -345,7 +345,7 @@ public function normalizeKeys(bool $bool): static
 
     public function append(NodeDefinition $node): static
     {
-        $this->children[$node->name] = $node->setParent($this);
+        $this->children[$node->name ?? ''] = $node->setParent($this);
 
         return $this;
     }

src/Symfony/Component/Console/Attribute/Argument.php

@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Console\Attribute;
 
+use Symfony\Component\Console\Attribute\Reflection\ReflectionMember;
 use Symfony\Component\Console\Completion\CompletionInput;
 use Symfony\Component\Console\Completion\Suggestion;
 use Symfony\Component\Console\Exception\InvalidArgumentException;
@@ -19,15 +20,17 @@
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\String\UnicodeString;
 
-#[\Attribute(\Attribute::TARGET_PARAMETER)]
+#[\Attribute(\Attribute::TARGET_PARAMETER | \Attribute::TARGET_PROPERTY)]
 class Argument
 {
     private const ALLOWED_TYPES = ['string', 'bool', 'int', 'float', 'array'];
 
     private string|bool|int|float|array|null $default = null;
     private array|\Closure $suggestedValues;
     private ?int $mode = null;
-    private string $function = '';
+    /**
+     * @var string|class-string<\BackedEnum>
+     */
     private string $typeName = '';
 
     /**
@@ -48,52 +51,45 @@ public function __construct(
     /**
      * @internal
      */
-    public static function tryFrom(\ReflectionParameter $parameter): ?self
+    public static function tryFrom(\ReflectionParameter|\ReflectionProperty $member): ?self
     {
-        /** @var self $self */
-        if (null === $self = ($parameter->getAttributes(self::class, \ReflectionAttribute::IS_INSTANCEOF)[0] ?? null)?->newInstance()) {
-            return null;
-        }
+        $reflection = new ReflectionMember($member);
 
-        if (($function = $parameter->getDeclaringFunction()) instanceof \ReflectionMethod) {
-            $self->function = $function->class.'::'.$function->name;
-        } else {
-            $self->function = $function->name;
+        if (!$self = $reflection->getAttribute(self::class)) {
+            return null;
         }
 
-        $type = $parameter->getType();
-        $name = $parameter->getName();
+        $type = $reflection->getType();
+        $name = $reflection->getName();
 
         if (!$type instanceof \ReflectionNamedType) {
-            throw new LogicException(\sprintf('The parameter "$%s" of "%s()" must have a named type. Untyped, Union or Intersection types are not supported for command arguments.', $name, $self->function));
+            throw new LogicException(\sprintf('The %s "$%s" of "%s" must have a named type. Untyped, Union or Intersection types are not supported for command arguments.', $reflection->getMemberName(), $name, $reflection->getSourceName()));
         }
 
         $self->typeName = $type->getName();
         $isBackedEnum = is_subclass_of($self->typeName, \BackedEnum::class);
 
         if (!\in_array($self->typeName, self::ALLOWED_TYPES, true) && !$isBackedEnum) {
-            throw new LogicException(\sprintf('The type "%s" on parameter "$%s" of "%s()" is not supported as a command argument. Only "%s" types and backed enums are allowed.', $self->typeName, $name, $self->function, implode('", "', self::ALLOWED_TYPES)));
+            throw new LogicException(\sprintf('The type "%s" on %s "$%s" of "%s" is not supported as a command argument. Only "%s" types and backed enums are allowed.', $self->typeName, $reflection->getMemberName(), $name, $reflection->getSourceName(), implode('", "', self::ALLOWED_TYPES)));
         }
 
         if (!$self->name) {
             $self->name = (new UnicodeString($name))->kebab();
         }
 
-        if ($parameter->isDefaultValueAvailable()) {
-            $self->default = $parameter->getDefaultValue() instanceof \BackedEnum ? $parameter->getDefaultValue()->value : $parameter->getDefaultValue();
-        }
+        $self->default = $reflection->hasDefaultValue() ? $reflection->getDefaultValue() : null;
 
-        $self->mode = $parameter->isDefaultValueAvailable() || $parameter->allowsNull() ? InputArgument::OPTIONAL : InputArgument::REQUIRED;
+        $self->mode = ($reflection->hasDefaultValue() || $reflection->isNullable()) ? InputArgument::OPTIONAL : InputArgument::REQUIRED;
         if ('array' === $self->typeName) {
             $self->mode |= InputArgument::IS_ARRAY;
         }
 
-        if (\is_array($self->suggestedValues) && !\is_callable($self->suggestedValues) && 2 === \count($self->suggestedValues) && ($instance = $parameter->getDeclaringFunction()->getClosureThis()) && $instance::class === $self->suggestedValues[0] && \is_callable([$instance, $self->suggestedValues[1]])) {
+        if (\is_array($self->suggestedValues) && !\is_callable($self->suggestedValues) && 2 === \count($self->suggestedValues) && ($instance = $reflection->getSourceThis()) && $instance::class === $self->suggestedValues[0] && \is_callable([$instance, $self->suggestedValues[1]])) {
             $self->suggestedValues = [$instance, $self->suggestedValues[1]];
         }
 
         if ($isBackedEnum && !$self->suggestedValues) {
-            $self->suggestedValues = array_column(($self->typeName)::cases(), 'value');
+            $self->suggestedValues = array_column($self->typeName::cases(), 'value');
         }
 
         return $self;
@@ -117,7 +113,7 @@ public function resolveValue(InputInterface $input): mixed
         $value = $input->getArgument($this->name);
 
         if (is_subclass_of($this->typeName, \BackedEnum::class) && (\is_string($value) || \is_int($value))) {
-            return ($this->typeName)::tryFrom($value) ?? throw InvalidArgumentException::fromEnumValue($this->name, $value, $this->suggestedValues);
+            return $this->typeName::tryFrom($value) ?? throw InvalidArgumentException::fromEnumValue($this->name, $value, $this->suggestedValues);
         }
 
         return $value;