IBX-9337: Fixed failure to serialize field data post symfony/serializer 5.4.40

[Steveb-p]

🎫 Issue	IBX-9337

Related issues:

• ObjectNormalizer doesn't deal with scope of get() functions correctly symfony/symfony#58041

Description:

Due to change introduced in Symfony 5.4.40'ish, our ValueObjects stopped being immediately serializable through ObjectNormalizer default configuration/implementation.

Note

We never encouraged user-developers to use ObjectNormalizer against our built-in objects.

While that should work, it is also very susceptible to any changes in that generic implementation (which is what happened). It also can be source of security issues - as this PR shows in it's tests, where password hash is exposed.

In lieu of us providing normalizers for every possible object in the system, developers should write their own - especially when dealing with sensitive content fields.

This PR adds missing metadata to relevant properties/methods, which in turn causes said ObjectNormalizer to properly skip these when collecting data to normalize.

Warning

Note that in this PR Symfony's Ignore annotation is aliased.

It is extremely important that this import/alias should NOT match any of our existing phpdoc annotations, such as @ignore and similar.

Due to how PhpParser works (from Doctrine Annotations) it will start treating those as if they were that imported statement ⚠️.
This would mean that certain fields would be skipped by ObjectNormalizer even if they should have not. In this case non-aliased import would cause @ignore to be treated as if it was @Ignore.
Alternative is to use serializer.yaml file in bundle resources (it is picked up automatically by the framework, if exists).

Ibexa\Contracts\Core\Repository\Values\ValueObject:
    attributes:
        attribute:
            ignore: true
        properties:
            ignore: true

Known issues

Content objects on their own are technically possible to serialize, but due to our usage of VirtualProxy objects these need to either remain unresolved, or load themselves on demand.

However, this poses an issue when some objects are loaded outside of their normal permission state - specifically during testing, Section objects failed to load due to missing permissions (whether it really was a permission issue I cannot tell, I have not debugged it further other than looking at the exception).

Add following normalizer to application code to force proxies to resolve themselves, or skip them - depending on the code below.

<?php

namespace App\Normalizer;

use Ibexa\Contracts\Core\FieldType\Value;
use Ibexa\Contracts\Core\Repository\Exceptions\UnauthorizedException;
use Ibexa\Contracts\Core\Repository\Values\ContentType\ContentType;
use Ibexa\Contracts\Core\Repository\Values\ContentType\ContentTypeGroup;
use ProxyManager\Proxy\VirtualProxyInterface;
use Symfony\Component\Serializer\Normalizer\CacheableSupportsMethodInterface;
use Symfony\Component\Serializer\Normalizer\NormalizerAwareInterface;
use Symfony\Component\Serializer\Normalizer\NormalizerAwareTrait;
use Symfony\Component\Serializer\Normalizer\NormalizerInterface;

final class VirtualProxyNormalizer implements NormalizerInterface, CacheableSupportsMethodInterface, NormalizerAwareInterface
{
    use NormalizerAwareTrait;

    private bool $initializeProxies = true;

    /**
     * @param VirtualProxyInterface $object
     */
    public function normalize($object, ?string $format = null, array $context = [])
    {

        try {
            if ($object->isProxyInitialized() === false) {
                if (!$this->initializeProxies) {
                    return null;
                }

                $object->initializeProxy();

            }
            return $this->normalizer->normalize($object->getWrappedValueHolderValue(), $format, $context);
        } catch (UnauthorizedException $e) {
            return null;
        }
    }

    private function getAllowedClasses(): array
    {
        return [
            ContentTypeGroup::class,
            ContentType::class,
            Value::class,
        ];
    }

    public function supportsNormalization($data, ?string $format = null): bool
    {
        if (!$data instanceof VirtualProxyInterface) {
            return false;
        }

        foreach ($this->getAllowedClasses() as $class) {
            if ($data instanceof $class) {
                return true;
            }
        }

        return false;
    }

    public function hasCacheableSupportsMethod(): bool
    {
        return true;
    }
}

For QA:

Add a following controller to your application:

<?php

namespace App\Controller;

use Ibexa\Contracts\Core\Repository\ContentService;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Routing\Annotation\Route;

final class TestController extends AbstractController
{
    private ContentService $contentService;

    public function __construct(ContentService $contentService)
    {
        $this->contentService = $contentService;
    }

    /**
     * @Route("/vtestcontroller/cs-12273b/{contentId}")
     */
    public function cs12273b(int $contentId): JsonResponse
    {
        $content = $this->contentService->loadContent($contentId);
        $name = $content->getField('name');

        return $this->json($name);
    }
}

Visiting address https://<YOUR_LOCAL_INSTANCE>/vtestcontroller/cs-12273b/52 will present you with an error without the change provided in this PR.

You can check that on versions prior to 5.4.40 this was working correctly.

Add to your composer.json file:

    "conflict": {
        "symfony/symfony": "*",
        "symfony/serializer": ">=5.4.40"
    },

and run composer update.

Documentation:

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Steveb-p]

Merged & merged up into main in e8a4b95.