feature #22048 [Security] deprecate the Role and SwitchUserRole classes (xabbuh)

This PR was merged into the 4.3-dev branch.

Discussion
----------

[Security] deprecate the Role and SwitchUserRole classes

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | yes
| Tests pass?   | yes
| Fixed tickets | #20824
| License       | MIT
| Doc PR        | symfony/symfony-docs#11047

In #20801, we deprecated the `RoleInterface`. The next logical step would be to also deprecate the `Role` class. However, we currently have the `SwitchUserRole` class (a sub-class of `Role`) that acts as an indicator to check whether or not the authenticated user switched to another user.

This PR proposes an alternative solution to the usage of the special `SwitchUserRole` class by storing the original token inside the `UsernamePasswordToken`. This PR is not complete, but rather acts as a proof of concept of how we could get rid of the `Role` and the `SwitchUserRole` classes.

Please share your opinions whether you think this is a valid approach and I will be happy to finalise the PR.

Commits
-------

d7aaa615b9 deprecate the Role and SwitchUserRole classes

Author: fabpot

EventListener/GuardListener.php

@@ -14,6 +14,8 @@
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\Role\Role;
+use Symfony\Component\Security\Core\Role\RoleHierarchy;
 use Symfony\Component\Security\Core\Role\RoleHierarchyInterface;
 use Symfony\Component\Validator\Validator\ValidatorInterface;
 use Symfony\Component\Workflow\Event\GuardEvent;
@@ -80,19 +82,23 @@ private function getVariables(GuardEvent $event): array
             throw new InvalidTokenConfigurationException(sprintf('There are no tokens available for workflow %s.', $event->getWorkflowName()));
         }
 
-        if (null !== $this->roleHierarchy) {
-            $roles = $this->roleHierarchy->getReachableRoles($token->getRoles());
+        if (method_exists($token, 'getRoleNames')) {
+            $roles = $token->getRoleNames();
         } else {
-            $roles = $token->getRoles();
+            $roles = array_map(function (Role $role) { return $role->getRole(); }, $token->getRoles(false));
+        }
+
+        if ($this->roleHierarchy instanceof RoleHierarchy) {
+            $roles = $this->roleHierarchy->getReachableRoleNames($roles);
+        } elseif (null !== $this->roleHierarchy) {
+            $roles = $this->roleHierarchy->getReachableRoles($token->getRoles(false));
         }
 
         $variables = [
             'token' => $token,
             'user' => $token->getUser(),
             'subject' => $event->getSubject(),
-            'roles' => array_map(function ($role) {
-                return $role->getRole();
-            }, $roles),
+            'roles' => $roles,
             // needed for the is_granted expression function
             'auth_checker' => $this->authorizationChecker,
             // needed for the is_* expression function

Tests/EventListener/GuardListenerTest.php

@@ -6,6 +6,7 @@
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
 use Symfony\Component\Security\Core\Role\Role;
 use Symfony\Component\Validator\Validator\ValidatorInterface;
@@ -35,8 +36,7 @@ protected function setUp()
             ],
         ];
         $expressionLanguage = new ExpressionLanguage();
-        $token = $this->getMockBuilder(TokenInterface::class)->getMock();
-        $token->expects($this->any())->method('getRoles')->willReturn([new Role('ROLE_USER')]);
+        $token = new UsernamePasswordToken('username', 'credentials', 'provider', ['ROLE_USER']);
         $tokenStorage = $this->getMockBuilder(TokenStorageInterface::class)->getMock();
         $tokenStorage->expects($this->any())->method('getToken')->willReturn($token);
         $this->authenticationChecker = $this->getMockBuilder(AuthorizationCheckerInterface::class)->getMock();