kilix / abac-bundle
0.3.3
2018-10-14 19:30 UTC
Requires
- craftcamp/php-abac: ^3.0
- symfony/framework-bundle: ^3.0|^4.0
Requires (Dev)
- phpunit/phpunit: ^6.5
- symfony/console: ^3.0|^4.0
- symfony/phpunit-bridge: ^3.0|4.0
This package is auto-updated.
Last update: 2022-02-01 12:58:39 UTC
README
Introduction
This Symfony bundle adds support for the PHP ABAC library to the Symfony framework.
Its aim is to bring a new way of handling access control to Symfony applications.
The approach is based on a policy-rule engine that analyses user and resource attributes rather than roles alone.
Roles can still be used; they are treated as one more user attribute.
The advantage of this approach is that access control can be handled by easily defined rules that check the attributes of the user and of the resource being accessed.
```php
<?php
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\JsonResponse;

class MarketController extends Controller
{
    public function buyAction($productId)
    {
        $product = $this->get('product_manager')->getProduct($productId);
        // Call the "craftcamp_abac.security" service to check if the user can buy the given product
        $access = $this->get('craftcamp_abac.security')->enforce(
            'product_buying_rule', // the rule name
            $this->getUser(),      // The current user
            $product               // The resource we want to check for access
        );
        if ($access !== true) {
            return new JsonResponse([
                // In case of denied access, the library returns an array of the unmatched attribute slugs
                'rejected_attributes' => $access
            ], 403);
        }
        // ... access granted: proceed with the purchase
        return new JsonResponse(['status' => 'ok']);
    }
}
```
Installation
Use composer to add the bundle as a dependency of your project
composer require craftcamp/abac-bundle
Then you must register the bundle in your AppKernel file and configure it
```php
<?php
// app/AppKernel.php
use Symfony\Component\HttpKernel\Kernel;
use Symfony\Component\Config\Loader\LoaderInterface;

class AppKernel extends Kernel
{
    public function registerBundles()
    {
        $bundles = [
            // ...
            new CraftCamp\AbacBundle\CraftCampAbacBundle(),
        ];
        // ...
        return $bundles;
    }
}
```
```yaml
# app/config/config.yml
craftcamp_abac:
    configuration_files:
        - app/config/attributes.yml
        - app/config/policy_rules.yml
    cache_options: # optional
        cache_folder: '%kernel.cache_dir%/abac'
```
Documentation
See the PHP ABAC documentation
Usage
This bundle registers a Symfony service that holds the php-abac main class.
To check whether a rule is satisfied, you must define the rule in the configuration file and then check it from your code.
A rule can check user and resource attributes, or only the user's attributes.
Here is an example of a configured rule
```yaml
# policy_rules.yml
# You can set the attributes and the rules definitions in the same file if you want
# Or in multiple files
---
attributes:
    main_user:
        class: PhpAbac\Example\User
        type: user
        fields:
            age:
                name: Age
            parentNationality:
                name: Parents nationality
            hasDrivingLicense:
                name: Driving License
    vehicle:
        class: PhpAbac\Example\Vehicle
        type: resource
        fields:
            origin:
                name: Origin
            owner.id:
                name: Owner
            manufactureDate:
                name: Release date
            lastTechnicalReviewDate:
                name: Last technical review
    environment:
        service_status:
            name: Service status
            variable_name: SERVICE_STATUS
rules:
    vehicle-homologation:
        attributes:
            main_user.hasDrivingLicense:
                comparison_type: boolean
                comparison: boolAnd
                value: true
            vehicle.lastTechnicalReviewDate:
                comparison_type: datetime
                comparison: isMoreRecentThan
                value: -2Y
            vehicle.manufactureDate:
                comparison_type: datetime
                comparison: isMoreRecentThan
                value: -25Y
            vehicle.owner.id:
                comparison_type: numeric
                comparison: isEqual
                value: dynamic
            vehicle.origin:
                comparison_type: array
                comparison: isIn
                value: ["FR", "DE", "IT", "L", "GB", "P", "ES", "NL", "B"]
            environment.service_status:
                comparison_type: string
                comparison: isEqual
                value: OPEN
```
Then, in your controller
```php
<?php
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\JsonResponse;

class VehicleHomologationController extends Controller
{
    public function homologateAction($vehicleId)
    {
        $vehicle = $this->get('vehicle_manager')->getProduct($vehicleId);
        // Call the "craftcamp_abac.security" service to check if the user can homologate the given vehicle
        $access = $this->get('craftcamp_abac.security')->enforce(
            'vehicle-homologation', // the rule name
            $this->getUser(),       // The current user
            $vehicle                // The resource we want to check for access
        );
        if ($access !== true) {
            return new JsonResponse([
                // In case of denied access, the library returns an array of the unmatched attribute slugs
                'rejected_attributes' => $access
            ], 403);
        }
        // ... access granted: proceed with the homologation
        return new JsonResponse(['status' => 'ok']);
    }
}
```
Since version 0.3.0 you can rely on autowiring in your controllers
```php
<?php
use PhpAbac\Abac;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\JsonResponse;

class VehicleHomologationController extends Controller
{
    public function homologateAction(Abac $abac, $vehicleId)
    {
        $vehicle = $this->get('vehicle_manager')->getProduct($vehicleId);
        $access = $abac->enforce(
            'vehicle-homologation', // the rule name
            $this->getUser(),       // The current user
            $vehicle                // The resource we want to check for access
        );
        if ($access !== true) {
            return new JsonResponse([
                // In case of denied access, the library returns an array of the unmatched attribute slugs
                'rejected_attributes' => $access
            ], 403);
        }
        // ... access granted: proceed with the homologation
        return new JsonResponse(['status' => 'ok']);
    }
}
```
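The two controller examples above return the rejected attribute slugs to the client. The following is an added example, not code from the bundle or from php-abac, showing the same `enforce()` call with the slugs kept in the server-side audit log and a generic 403 sent back; the `vehicle_manager` service and its `getVehicle()` method are assumptions for illustration.

```php
<?php
// Added example (not part of the bundle): strict enforce() check, audit logging of
// the denial reason, generic response body. 'vehicle_manager' and getVehicle() are
// hypothetical; the bundle provides neither.
declare(strict_types=1);

namespace App\Controller;

use PhpAbac\Abac;
use Psr\Log\LoggerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\JsonResponse;

class VehicleHomologationController extends Controller
{
    public function homologateAction(Abac $abac, LoggerInterface $logger, int $vehicleId): JsonResponse
    {
        $vehicle = $this->get('vehicle_manager')->getVehicle($vehicleId);
        if ($vehicle === null) {
            return new JsonResponse(['error' => 'not found'], 404);
        }

        // enforce() returns bool(true) on success and an array of rejected attribute
        // slugs on denial. A non-empty array is truthy, so a loose `if ($access)` would
        // treat every denial as a grant; only the strict `=== true` comparison is safe.
        $access = $abac->enforce('vehicle-homologation', $this->getUser(), $vehicle);
        if ($access !== true) {
            // The slugs name the policy conditions that failed. They belong in the audit
            // log, not in the response body, which only needs to say "denied".
            $logger->warning('ABAC denied vehicle-homologation', [
                'user'                => $this->getUser()->getUsername(),
                'vehicle'             => $vehicleId,
                'rejected_attributes' => $access,
            ]);
            return new JsonResponse(['error' => 'forbidden'], 403);
        }

        // ... access granted: perform the homologation
        return new JsonResponse(['status' => 'homologated']);
    }
}
```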
Overriding components
Because the Abac service is autowired, you can replace any of its dependencies by reconfiguring their aliases.
For example, if you want to provide your own CacheManager, you only need the following configuration
```yaml
# services.yaml
services:
    App\Cache\MyCacheManager:
        public: true
        autowire: true
    PhpAbac\Manager\CacheManagerInterface: '@App\Cache\MyCacheManager'
```
Of course, your component must implement the corresponding interface.
The overridable interfaces are
- PhpAbac\Configuration\ConfigurationInterface
- PhpAbac\Manager\PolicyRuleManagerInterface
- PhpAbac\Manager\AttributeManagerInterface
- PhpAbac\Manager\ComparisonManagerInterface
- PhpAbac\Manager\CacheManagerInterface