craftcamp / abac-bundle
Symfony bundle that wraps the php-abac library for Symfony applications
0.3.3
2018-10-14 19:30 UTC
Requires
- craftcamp/php-abac: ^3.0
- symfony/framework-bundle: ^3.0|^4.0
Requires (Dev)
- phpunit/phpunit: ^6.5
- symfony/console: ^3.0|^4.0
- symfony/phpunit-bridge: ^3.0|4.0
This package is auto-updated.
Last update: 2024-09-15 08:31:05 UTC
README
Introduction
This Symfony bundle integrates the PHP ABAC library into the Symfony framework.
Its goal is to bring a new way of handling access control to Symfony applications.
The approach is based on a policy-rule engine that evaluates user and resource attributes rather than roles alone.
Roles can still be used; they are simply treated as user attributes.
The advantage of this approach is that rules are easy to define: each one checks attributes of the user and of the accessed resource to decide on access.
```php
<?php

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\JsonResponse;

class MarketController extends Controller
{
    public function buyAction($productId)
    {
        // "product_manager" stands for a service of your own application
        $product = $this->get('product_manager')->getProduct($productId);

        // Call the "craftcamp_abac.security" service to check if the user can buy the given product
        $access = $this->get('craftcamp_abac.security')->enforce(
            'product_buying_rule', // the rule name
            $this->getUser(),      // the current user
            $product               // the resource we want to check for access
        );

        if ($access !== true) {
            return new JsonResponse([
                // In case of denied access, the library returns an array of the unmatched attribute slugs
                'rejected_attributes' => $access,
            ], 403);
        }

        // ... access granted: perform the purchase and return a response
    }
}
```
Installation
Add the bundle as a dependency of your project with composer:
composer require craftcamp/abac-bundle
Then load the bundle in your AppKernel file and configure it:
```php
<?php
// app/AppKernel.php

use Symfony\Component\HttpKernel\Kernel;
use Symfony\Component\Config\Loader\LoaderInterface;

class AppKernel extends Kernel
{
    public function registerBundles()
    {
        $bundles = [
            // ...
            new CraftCamp\AbacBundle\CraftCampAbacBundle(),
        ];

        // ...

        return $bundles;
    }
}
```
```yaml
# app/config/config.yml
craftcamp_abac:
    configuration_files:
        - app/config/attributes.yml
        - app/config/policy_rules.yml
    cache_options: # optional
        cache_folder: '%kernel.cache_dir%/abac'
```
Documentation
See the PHP ABAC documentation.
Usage
This bundle registers a Symfony service that holds the main php-abac class.
To check a rule, you must first define it in a configuration file and then enforce it from your code.
A rule can check both user and resource attributes, or user attributes only.
enforce() returns boolean true when every attribute matches and an array of the rejected attribute slugs otherwise; compare the result with `!== true`, because a non-empty array is truthy in PHP and a plain `if ($access)` would grant access on denial.
Here is an example of a configured rule:
```yaml
# policy_rules.yml
# You can set the attributes and the rules definitions in the same file if you want
# Or in multiple files
---
attributes:
    main_user:
        class: PhpAbac\Example\User
        type: user
        fields:
            age:
                name: Age
            parentNationality:
                name: Parents nationality
            hasDrivingLicense:
                name: Driving License
    vehicle:
        class: PhpAbac\Example\Vehicle
        type: resource
        fields:
            origin:
                name: Origin
            owner.id:
                name: Owner
            manufactureDate:
                name: Release date
            lastTechnicalReviewDate:
                name: Last technical review
    environment:
        service_status:
            name: Service status
            variable_name: SERVICE_STATUS
rules:
    vehicle-homologation:
        attributes:
            main_user.hasDrivingLicense:
                comparison_type: boolean
                comparison: boolAnd
                value: true
            vehicle.lastTechnicalReviewDate:
                comparison_type: datetime
                comparison: isMoreRecentThan
                value: -2Y
            vehicle.manufactureDate:
                comparison_type: datetime
                comparison: isMoreRecentThan
                value: -25Y
            vehicle.owner.id:
                comparison_type: numeric
                comparison: isEqual
                value: dynamic
            vehicle.origin:
                comparison_type: array
                comparison: isIn
                value: ["FR", "DE", "IT", "L", "GB", "P", "ES", "NL", "B"]
            environment.service_status:
                comparison_type: string
                comparison: isEqual
                value: OPEN
```
Then, in your controller:
```php
<?php

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\JsonResponse;

class VehicleHomologationController extends Controller
{
    public function homologateAction($vehicleId)
    {
        // "vehicle_manager" stands for a service of your own application
        $vehicle = $this->get('vehicle_manager')->getVehicle($vehicleId);

        // Call the "craftcamp_abac.security" service to check if the user can homologate the given vehicle
        $access = $this->get('craftcamp_abac.security')->enforce(
            'vehicle-homologation', // the rule name
            $this->getUser(),       // the current user
            $vehicle                // the resource we want to check for access
        );

        if ($access !== true) {
            return new JsonResponse([
                // In case of denied access, the library returns an array of the unmatched attribute slugs
                'rejected_attributes' => $access,
            ], 403);
        }

        // ... access granted: homologate the vehicle and return a response
    }
}
```
Since version 0.3.0, you can rely on autowiring in your controllers:
```php
<?php

use PhpAbac\Abac;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\JsonResponse;

class VehicleHomologationController extends Controller
{
    public function homologateAction(Abac $abac, $vehicleId)
    {
        // "vehicle_manager" stands for a service of your own application
        $vehicle = $this->get('vehicle_manager')->getVehicle($vehicleId);

        $access = $abac->enforce(
            'vehicle-homologation', // the rule name
            $this->getUser(),       // the current user
            $vehicle                // the resource we want to check for access
        );

        if ($access !== true) {
            return new JsonResponse([
                // In case of denied access, the library returns an array of the unmatched attribute slugs
                'rejected_attributes' => $access,
            ], 403);
        }

        // ... access granted: homologate the vehicle and return a response
    }
}
```
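Rather than calling enforce() by hand in every action, the rule check can be plugged into Symfony's own authorization layer as a voter, so controllers use the usual `denyAccessUnlessGranted()` and the decision is logged in one place. The class below is an added example written for this page; it is not code from the bundle or from php-abac. It assumes the rule names it handles, that your user class exposes `getId()`, and that `Abac::enforce()` accepts a fourth `$options` array whose `dynamic_attributes` key (keyed by attribute property, here `owner.id`) supplies the runtime value for attributes configured as `value: dynamic` in policy_rules.yml; verify that option name against the php-abac documentation for the version you install.

```php
<?php
// src/Security/AbacVoter.php
// Added example for this page, not part of craftcamp/abac-bundle or php-abac.

namespace App\Security;

use PhpAbac\Abac;
use Psr\Log\LoggerInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

/**
 * Bridges php-abac rules into Symfony's voter system so a controller can call
 * $this->denyAccessUnlessGranted('vehicle-homologation', $vehicle).
 */
final class AbacVoter extends Voter
{
    /** Rule names this voter handles; any other attribute makes it abstain. (assumed list) */
    private const RULES = ['vehicle-homologation'];

    private $abac;
    private $logger;

    public function __construct(Abac $abac, LoggerInterface $logger)
    {
        $this->abac = $abac;
        $this->logger = $logger;
    }

    protected function supports($attribute, $subject)
    {
        // Only vote on ABAC rule names; other voters keep handling roles etc.
        return in_array($attribute, self::RULES, true);
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $user = $token->getUser();

        // Anonymous tokens carry a string instead of a user object; ABAC needs
        // an object to read attributes from, so deny rather than crash.
        if (!is_object($user)) {
            return false;
        }

        $result = $this->abac->enforce($attribute, $user, $subject, [
            // Assumed option: runtime value for `vehicle.owner.id: value: dynamic`,
            // so the rule compares the vehicle owner with the current user id.
            'dynamic_attributes' => ['owner.id' => $user->getId()],
        ]);

        // enforce() returns true on success and an array of rejected attribute
        // slugs on denial. A non-empty array is truthy in PHP, so `if ($result)`
        // would GRANT access on denial; compare strictly and fail closed.
        if ($result !== true) {
            // Keep the rejected slugs server-side: they describe your policy
            // structure, which a client does not need to learn from a 403.
            $this->logger->info('ABAC denied access', [
                'rule'                => $attribute,
                'user_id'             => $user->getId(),
                'rejected_attributes' => is_array($result) ? $result : [],
            ]);

            return false;
        }

        return true;
    }
}
```

With `autoconfigure: true` in services.yaml (the Symfony 3.3+/4 default) the class is tagged `security.voter` automatically; otherwise add that tag by hand. A controller then reduces to `$this->denyAccessUnlessGranted('vehicle-homologation', $vehicle);` followed by the business logic, and a denial produces Symfony's standard 403 while the detailed reason goes to the log.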
Overriding components
Since the Abac service is autowired, you can replace any of its dependencies by reconfiguring their aliases.
For example, if you want to implement your own CacheManager, just add the following configuration:
```yaml
# services.yaml
services:
    App\Cache\MyCacheManager:
        public: true
        autowire: true

    PhpAbac\Manager\CacheManagerInterface: '@App\Cache\MyCacheManager'
```
Of course, your component must implement the corresponding interface.
The interfaces that can be overridden are:
- PhpAbac\Configuration\ConfigurationInterface
- PhpAbac\Manager\PolicyRuleManagerInterface
- PhpAbac\Manager\AttributeManagerInterface
- PhpAbac\Manager\ComparisonManagerInterface
- PhpAbac\Manager\CacheManagerInterface