Add the access policy API

Some things worth mentioning:

1. I needed a fast memory cache and the one freely available continuously serializes/unserializes its data whenever its used. As permissions are asked for often during a request, I decided to use the MemoryCache class also used by jsonapi. The only downside is that that class has no factory like all the other ones and so I added it here. I'll ping @catch and let him decide what to do with this (or guide me on a good alternative)
2. I've made the "drupal" scope the default in the applies() check, but in the CalculatedPermissions* classes you still need to pass "drupal" as the scope and identifier. Should we also somehow make these default to "drupal" to make it easier for people to use in combination with core? If so, suggestions welcome.
3. I'll convert the unit tests I had in Flexible Permissions ASAP and add them here, but I've run out of time for the day.
4. I think it makes more sense to have applies() also be taken into account for the alter phase, will add that ASAP too

Last test is choking on $cache_static->set(Argument::cetera())->willReturn(NULL); as the set method has a void return type. There is a workaround like this: $cache_static->set(Argument::cetera())->will(function(){}); as per https://github.com/phpspec/prophecy/issues/280.

However, newer versions of prophecy shouldn't have this issue as it got fixed here: https://github.com/phpspec/prophecy/pull/398

Added a commit that removes any mention of willReturn and can add in the will workaround if they go red. Hopefully, we are on a recent enough prophecy version and do not need the workaround.

Two more things I want to try:

• Change AccessPolicyChain into AccessPolicyProcessor and remove the notion of it being chainable. Also do not implement AccessPolicyInterface anymore
• Change CalculatedPermissionsItem to default to Drupal scope and identifier by turning order of parameters into:
  1. permissions
  2. isAdmin (optional)
  3. scope (optional)
  4. identifier (optional)

Re #6 I've looked into your module and the whole idea of building access policies using a UI is incompatible with this API-first approach. The goal here is to build an API that both core and contrib can use and then allow contrib to build any UI on top of that.

Your module comes with plugins that make assumptions about the types of access policies, limiting what can be done with it unless you introduce more plugins. This work comes with tagged services that translate an access policy into a set of permissions that can then be handed out on a particular level: core, Group, Domain, Commerce Stores, ...

Secondly, evaluating access policies during runtime is unsafe because we'd still be caching things with user.permissions even though your permissions may vary based on what access policies apply during your current and next request. The API presented here prevents that by introducing a one-time build phase and then caching your processed permissions using cache contexts. This way, it's still safe to use the user.permissions cache context because we know that your access does not change between requests unless you no longer match your policies' criteria (e.g. you lose a user role).

I will add documentation and an example on how to use this, so that should help in evaluating whether you could leverage it in your module.

Thanks for the reviews so far!

Updated the IS to document the new API a bit.

As the commit says: I made the scope and identifier 'drupal' the default across the board now. So core code should look cleaner. Should still go green and I consider this the final version, aside from obvious discussions regarding naming etc.

But functionally this is feature complete.

Actually working on one minor change: Add the account as a parameter to the alter function. Will post an update with that functionality soon.

Thanks so much for the review! Updated the IS a bit and will write a change record when I have more time.

Added a CR. It mainly copies the IS from this issue, but I've changed the language and intro a bit so that we can also have a CR for the implementation issue that merely focuses on the changes to the permission checker and the 2 core access policies.

https://www.drupal.org/node/3385551

Suggested documentation is linked from the meta issue: #3381453: [policy/docs, no patch] Document the new access policy API

Thanks for the review @mmxr576!

My main takeaway is that we could improve the DX surrounding the exception and cache , but I would like to wait for core maintainers to sign off before I go through the trouble (as I'm on the DA's budget here).

Your other suggestions I would mark as personal taste and I tried to stick as close to what core already does as possible (hard-coding cache tag, not mentioning Drupal or Core in a base class, ...)

I'll try to go over your comments on Gitlab and see which ones I can reply to. I again want to iterate that I can't currently spend time on your suggestions regarding the exceptions and additional custom cache layer as I'm on a budget and I don't want to use it up by getting sidetracked without core committers voicing support for these topics.

Having said that, marker interfaces are kind of an anti-pattern as they use empty contracts (interfaces) to project meaning. I'd rather not go down that route as we're better off writing dedicated exceptions for each scenario then; something I also wanted to avoid by simply having a more generic exception.

I ended up reviewing all but one comment as, while I was looking at them, it became clear that we should not use a custom cache nor prefix our base classes with Drupal. The only thing that I left up for discussion is what we should do with the exceptions, but as I stated above I am not a fan of marker interfaces so I'll leave that one up for core maintainers to decide.

Also removing needs change record tag as we have a draft ready.

Yeah and thanks for the reviews, I really appreciate it.

Re #29, thanks @larowlan. I've tried to solve as many things as possible and added some explanations left and right. I've not marked things as resolved when I felt you might still have feedback on my answers.

@larowlan I had to change your code from:
return array_reduce($this->items, fn($carry, $scope_items) => [...$carry, ...$scope_items], []);

to:
return array_reduce($this->items, fn($carry, $scope_items) => [...$carry, ...array_values($scope_items)], []);

As the original would keep keys and keys can potentially be strings here, leading to overriding of elements rather than adding them all to one big array. The latter takes care of that problem by calling array_values() first.

Also, not entirely sold on the readability of the above versus:

    $item_sets = [];
    foreach ($this->items as $scope_items) {
      $item_sets[] = array_values($scope_items);
    }
    return array_merge(...$item_sets);

Thanks for chiming in! I'll change it to the foreach then.

Important topic brought up in the sibling issue: #3376846-21: Implement the new access policy API

Summarized quote:

However, this means we allow unsaved user's permissions to be calculated and the question is whether that is something we should allow. ... Should we update AccessPolicyProcessor to throw an exception or something if $account->id() is NULL?

One more discussion I'd like to have before the names are set in stone. We currently have:

• Drupal\Core\Session\(Refinable)CalculatedPermissions(Interface) -> Stores all permissions from calculatePermissions and alterPermissions
• Drupal\Core\Session\CalculatedPermissionsItem(Interface) -> A single value object within the above, matching a specific scope-identifier pair
• calculatePermissions and alterPermissions methods on access policies

If you don't mind having short names, we could also rename these to:

• Drupal\Core\Session\(Refinable)Permissions(Interface)
• Drupal\Core\Session\PermissionsItem(Interface)
• buildPermissions and alterPermissions methods, as the docs talk about build phase and alter phase

The shorter class names are a bit less verbose, but at the same time less explicit than the original ones. So this comes down to preference.

Yeah me too, it's just something I wanted to bring up proactively rather than have people ask about it after the fact :)

Thanks for the review! I dropped the constructor docs and moved the user ID check outside of the loop (good suggestion). I've also updated the inline docs regarding the account switcher to mention that we only switch when the accounts don't match.

In the implementation issue I was able to drop a few more constructor docs.

The only unresolved thread I can still see is @larowlan's proposed refactoring of early returning cache hits, which I implemented. I merely kept that one unresolved for Lee to flag as resolved as I left a comment there:

I adjusted the code, but we now have some minor code duplication: When we retrieve from the DB cache, we run the same code to set it to the static cache as we do at the very end. Namely: wrapping it in an immutable object and adding the same comment to explain why we do so.

Aside from that all threads show up as resolved on my end.

Awesome! So is it safe to assume that this is now considered "ready"? Asking so I can give Alex Moreno an update regarding the sponsorship. Also unassigning myself then as there seems to be nothing left to do.

Answered all comments. Hopefully the one about VariationCache is satisfactory. I felt it would be a bit overkill to explain how API A works in the context of API B's implementation of A.

Also thanks @ndf for your kind words!

Just discussed the newly introduced factory with @catch and until we can come up with a better solution I'm going to go with a manually instantiated VariationCache object instead. This due to the fact that VariationCacheFactory only supports bins that can be instantiated by CacheFactory and MemoryCache should have no factory because it's not a true cache bin.

So we're not adding a factory for MemoryCache and I'll adjust the MR. Probably on Monday as I'm off tomorrow.

Setting to NW, will update, ping @catch for approval and then set back to RTBC.

Didn't want to keep people waiting 3 days. If @catch approves of the new approach then we can remove the CR I wrote here: https://www.drupal.org/node/3402104

Will also merge in the Implement issue to see if things break there or not. They shouldn't, but theory and practice don't always agree.

Tests in pipelines are now failing on seemingly random frontend stuff. I fixed the obvious services.yml file mistakes (that's what you get for trying to get something in before your long weekend), but I think everything is fine now. I pressed the "rerun" button on the failing FE tests.

Also, it's really hard to find what failed in the GitLab UI compared to the old test results we'd see on DO itself. Any tips?

Ah, all green again. Cya on Monday :D

Hmm, with the cache factory approach all tests in the follow-up "implement" issue go green. With this new approach without a factory, UserPermissionsTest::testUserPermissionChanges() goes red. So maybe cache tags aren't being cleared the way they should be with this approach?

Yeah just confirmed that tests go green with:

  cache.access_policy_memory:
    class: Drupal\Core\Cache\MemoryCache\MemoryCache
    tags:
      - { name: cache.bin }

But red with:

  cache.access_policy_memory:
    class: Drupal\Core\Cache\MemoryCache\MemoryCache
    tags:
      - { name: cache_tags_invalidator }

So there is a difference somewhere. Will have to figure that one out.

Found it!

UiHelperTrait::submitForm() and UiHelperTrait::drupalGet() both call $this->refreshVariables();, but if we look into that:

protected function refreshVariables() {
    // Clear the tag cache.
    \Drupal::service('cache_tags.invalidator')->resetChecksums();
    foreach (Cache::getBins() as $backend) {
      if (is_callable([$backend, 'reset'])) {
        $backend->reset();
      }
    }

    \Drupal::service('config.factory')->reset();
    \Drupal::service('state')->resetCache();
  }

It's clearly only resetting cache.bin tagged services, which is why we are seeing this testfail. If I manually add in this line:

\Drupal::service('cache.access_policy_memory')->reset();

Then the tests go green again.

So it's purely a test fail because refreshVariables() doesn't pick up on cache tag invalidators that also support a reset() method.

With the above confirmed and @catch's earlier approval we can set this issue back to RTBC and we'll have to work around what I found here in the Implement issue.

Awesome!

Thanks to everyone who helped review and move this forward.