metaclassing/php7-laravel5-enterpriseauth

Authentication, authorization and accounting for enterprise Laravel 5.5+ applications.

dev-master 2021-06-02 18:26 UTC

This package is auto-updated.

Last update: 2024-08-29 04:54:20 UTC


README


Before installing

Make sure you have no outstanding migrations; this assumes you are installing into a fresh Laravel 5.5 project.

composer create-project --prefer-dist laravel/laravel laravel55 "5.5.*"
cd laravel55
# EDIT YOUR .ENV FILE for things like database connection creds etc.
php artisan migrate
# make sure your permissions are correct so the app works
chown -R www-data .

Installation

Add the environment variables required for Azure Active Directory OAuth

AZURE_AD_TENANT="MyAwesomeAzureADTenant"
AZURE_AD_CLIENT_ID="1234abcd-12ab-34cd-56ef-123456abcdef"
AZURE_AD_CLIENT_SECRET="123456789abcdef123456789abcdef\123456789abc="
AZURE_AD_CALLBACK_URL="https://myapp.mycompany.com/login/microsoft/callback"
# ^--- this is the library callback for session based auth. you could use /ui/ for a single-page-app

This is a dev package, so your minimum-stability setting must allow it

composer config minimum-stability dev
composer config prefer-stable true
composer require metaclassing/php7-laravel5-enterpriseauth

Publish the configuration and override any defaults

# Metaclassing\EnterpriseAuth is this library
php artisan vendor:publish --provider="Metaclassing\EnterpriseAuth\ServiceProvider" --force
php artisan migrate

# JWT Authentication lib - currently running dev branch for 5.5 support
#php artisan vendor:publish --provider="Tymon\JWTAuth\Providers\LaravelServiceProvider"
#php artisan jwt:secret

# Bouncer Authorization lib
php artisan vendor:publish --tag="bouncer.migrations"
php artisan migrate

# OwenIt Auditing
php artisan vendor:publish --provider="OwenIt\Auditing\AuditingServiceProvider"
php artisan auditing:install
php artisan migrate

# L5-Swagger api documentation
php artisan l5-swagger:generate

Make sure your permissions are correct!

chown -R www-data .

Bouncer group-based authorization

By default, when a user authenticates, their group information is populated into the Bouncer role list using the group display-name attribute. A shortcut for quickly granting a role (group) permissions on a model type or on a model instance:

// ROLES (group display name in AD)
$roles = [
    'Enterprise.Architecture',
    'IMTelecom',
];

// TYPES of things (all instances)
$types = [
    App\Thing::class,
    App\OtherThing::class,
];

// PERMISSIONS the role can do to the type of thing, this goes in your controller
$tasks = [
    "create",
    "read",
    "update",
    "delete",
    "suckit",
];

// Let those roles/groups do tasks to things.
foreach($roles as $role) {
    foreach($types as $type) {
        foreach($tasks as $task) {
            Bouncer::allow($role)->to($task, $type);
        }
    }
}

If you want to grant access to specific instances of type X rather than to all instances:

// SPECIFIC INSTANCES of things (not the whole type)
$stuff = [
    \App\Thing::find(2),
    \App\OtherThing::find(16),
];

// Let those roles/groups do tasks to SPECIFIC INSTANCES of things.
foreach($roles as $role) {
    foreach($stuff as $thing) {
        foreach($tasks as $task) {
            Bouncer::allow($role)->to($task, $thing);
        }
    }
}

In your controller you need to make sure the user is authenticated, and then check that they have the 'permission' ability on typeOfModel::class or on $instanceOfModel

    // inside your controller class, which needs "use Illuminate\Http\Request;" at the top of the file
    public function myHttpControllerRandomApiFunction(Request $request)
    {
        // authenticate the user: with no session or token this is null, so stop here with 401
        $user = auth()->user();
        if ($user === null) {
            return response()->json(['error' => 'authentication required'], 401);
        }

        // permission check on specific $thing (403: authenticated, but not allowed)
        $thing = \App\Crud::find(123);
        if ($thing === null || $user->cant('suckit', $thing)) {
            return response()->json(['error' => 'user cant suck this'], 403);
        }

        // permission check on all things of typeOfModel
        if ($user->cant('suckit', \App\Crud::class)) {
            return response()->json(['error' => 'user cant suck this'], 403);
        }

        // suck it.
        $thing->suck('it');

        // send some response
        return response()->json($thing);
    }
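The authenticate-then-authorize check above can be centralized in a route middleware so that no controller forgets it. This is an added example, not part of this library: a hypothetical App\Http\Middleware\Ability class (Laravel's built-in can: middleware performs the same Gate check but answers 403 for guests as well; this one returns the 401/403 JSON split used in the controller above). Route names, the ThingController and App\Thing are assumptions.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

// Hypothetical middleware (added example, not part of metaclassing/php7-laravel5-enterpriseauth).
// Register it in app/Http/Kernel.php under $routeMiddleware as 'ability' => Ability::class, then:
//   Route::put('/things/{thing}', 'ThingController@update')->middleware('ability:update,thing');
//       -> instance check: {thing} is a route-model-bound App\Thing
//   Route::post('/things', 'ThingController@store')->middleware('ability:create,App\Thing');
//       -> type check: all instances of App\Thing
class Ability
{
    public function handle(Request $request, Closure $next, string $task, string $target)
    {
        $user = auth()->user();

        // No session or token at all: 401 so the client knows to log in, never a 403.
        if ($user === null) {
            return response()->json(['error' => 'authentication required'], 401);
        }

        // $target is either a route parameter name (bound model instance) or a model class name.
        $subject = $request->route($target) ?? $target;

        // Fail closed: a typo in the route definition must not silently authorize anything.
        if (is_string($subject) && !class_exists($subject)) {
            return response()->json(['error' => 'unknown authorization target'], 500);
        }

        // Bouncer answers can()/cant() through Laravel's Gate using the roles filled from AD groups.
        if ($user->cant($task, $subject)) {
            return response()->json(['error' => 'forbidden'], 403);
        }

        return $next($request);
    }
}
```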

Cookie-based thick browser client usage

To use Azure AD SSO, simply point users at the (configurable) /login/microsoft route to log in. Once the user has logged in, they are redirected to the home page (also configurable).

After login you can access the basic Laravel authenticated user as usual

auth()->user();

Azure AD application registration

  1. Go to https://apps.dev.microsoft.com and create a new application.
  2. Create a new application secret (generate a password) and save it, together with the app-id, in your .env file
  3. Create a new Web platform using the following redirect URL
  4. Set the logout URL if desired: https://myapp.mycompany.com/logout
  5. If you are doing application-to-application authentication you may need a Web API platform. The default access_as_user scope is fine for any client application you authorize
  6. The default user permission user.read is fine, do not change anything
  7. If you want to see user group information you need to add the application permission directory.read.all (admin only)
  8. To obtain the required authorization, have your Azure AD administrator visit https://myapp.mycompany.com/login/microsoft/adminconsent and click "OK".
  9. Don't forget to save everything.