承接 alichry/laminas-accesscontrol 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

alichry/laminas-accesscontrol

Composer 安装命令:

composer require alichry/laminas-accesscontrol

包简介

Access control for laminas

README 文档

README

Build Status codecov

This module is aimed at providing a simple interface that can run queries againt an access control list pertaining an application's controller or a controller's action as a the target resource. This is should not be used directly, use https://github.com/alichry/laminas-authorization

Interfaces and implementations

The base interface for an AccessControlList is AccessControlListInterface that provides 3 methods:

  • identityHasPermission(identity, permission)
  • identityHasRole(identity, role)
  • getAccessStatus(identity, resourceIdentifier)

An access status, Status, is the result of consulting the underlying ListAdapterInterface and ResourceManagerInterface. Multiple status codes exists:

  • Unauthorized, Status::UNAUTHORIZED: The given identity is not authorized, i.e. does not have specified permission or role for the controller/action.
  • Unauthenticated, Status::UNAUTHENTICATED: The given identity is null and, therefore, is invalid. This implies that the identity "null" is unauthenticated. This is practically a short-circuit between alichry/laminas-authorization and alichry/laminas-accesscontrol since the passed identity is null, and is usually retrieved from an AuthenticationService from laminas/laminas-autthentication.
  • Rejected, Status::REJECTED: If controller/action has "reject all", or inferred policy is "reject all"
  • Public, Status::PUBLIC: Publicly accessible, no need for authentication or authorization
  • Ok, Status::OK: The given identity is authorized but not necessarily authenticated, i.e. given identity does have specified permission or role for the controller/action. This does not imply if the user is authenticated. Checking if authenticated is the purpose of alichry/laminas-authorization

ArrayAccessControlList

ArrayAccessControlList relies on passed list of identities, permissions, roles and controllers access levels to infer access statuses.

There exists 2 modes:

  • Strict, ArrayListAdapter::MODE_STRICT mode: All identities must be defined in the list, a referenced identity that is not defined will result in an exception thrown. A referenced identity role must be also defined in the roles list. Referenced permisions in identity list should be also included in the permission list. An exception will be thrown if an entry is missing.
  • Chill, ArrayListAdapter::MODE_CHILL mode: Some identities can be omitted from the configuration, this will lead ArrayAccessControlList to assume that the omitted identity has no permissions at all. No exception will be thrown if a permission is referenced in the identity list but not in the permission list.

Policies deal with the default access level for missing entries in the resources list

  • Reject: if the target resource is not found, then reject all requests.
  • Authenticate: if the target resource is not found, then assume it requires authentication.
  • Accept: if the target resource is not found, then assume it is publicly accessible.

Example

<?php

use AliChry\Laminas\AccessControl\ArrayAccessControlList as ACL;
use AliChry\Laminas\AccessControl\Lists\ArrayListAdapter as LA;
use AliChry\Laminas\AccessControl\Resource\ResourceIdentifier;

$controllers = [
    TestController::class => ACL::ACCESS_ALL,
    TestAuthController::class => ACL::ACCESS_AUTHENTICATED_ONLY,
    TestMultipleController::class => [
        // methods
        'getAction' => ACL::ACCESS_ALL,
        'disable' => ACL::ACCESS_REJECT_ALL,
        'admin' => ACL::role('admin'),
        'editAction' => ACL::permission('edit')
    ]
];
$identities = [
    'admin@test.com' => [
        'roles' => [
            'admin'
        ],
        'permissions' => []
    ]
];
$roles = [
    'admin' => [
        'special-admin-perm'
    ]
];
$permissions = [
    'special-admin-perm',
    'edit'
];

$acl = new ACL(
    LA::MODE_STRICT,
    ACL::POLICY_REJECT,
    $controllers,
    $identities,
    $roles,
    $permissions
);

$unauthStatus = $acl->getAccessStatus(
    'admin@test.com',
    new ResourceIdentifier(
        TestMultipleController::class,
        'editAction'
    )
);

echo 'Code: ' . $unauthStatus->getCode() . PHP_EOL; // Code: -3 (UNAUTHORIZED)
echo 'Identity: ' . $unauthStatus->getIdentity() . PHP_EOL; // Identity: admin@test.com
echo 'Messages: ' . implode(', ', $unauthStatus->getMessages()) . PHP_EOL; // Identity "admin@test.com" requires perm:edit

$okStatus = $acl->getAccessStatus(
    'admin@test.com',
    new ResourceIdentifier(
        TestMultipleController::class,
        'admin'
    )
);

echo 'Code: ' . $okStatus->getCode() . PHP_EOL; // Code: 1 (OK)
echo 'Identity: ' . $okStatus->getIdentity() . PHP_EOL; // Identity: admin@test.com
echo 'Messages: ' . implode(', ', $okStatus->getMessages()) . PHP_EOL; //

IdentityAccessControlList

IdentityAccessControlList is not concerned with arrays to infer access statuses. It depends on an instance of ResourceManagerInterface and passed identities should be an instance of IdentityInteface.

The passed resource manager will provide the policy (access level) of each resource (controller/action). If a resource requires authentication or authorization, we check by calling the implemented methods hasPermission or hasRole of the passed IdentityInterface instance.

This is helpful in an ORM environment, such as Doctrine ORM. After creating the Identity or User entity type, all is left is also implementing the methods hasRole and hasPermission which can be inferred by consulting other ORM entity types or by providing your custom implementation.

AccessControlList

AccessControlList is a generic ACL that depends on instances of ResourceManager and ListAdapterInterface. Only one implementation of ListAdapterInterface exists, ArrayListAdapter, which is utilized by ArrayAccessControlList

Configuration

You can define access control lists, adapters and resource managers under alichry.access_control.list, alichry.access_control.list_adapter and alicherry.access_control.resource_manager respectively. See config/modules.config.php. Each service entry should consist of name as the key mapped to either a service, typically a FQCN, or an array consisting of the following keys:

  • service: the service that is registered with service manager
  • options: an array that will be passed to the corresponding factory of the referenced service

Please note that the referenced service names should have a registered corresponding factory with the service manager.

The registered services will also be retrievable from the service manager using:

  • alichry.access_control.list.$key
  • alichry.access_control.list_adapter.$key
  • alichry.access_control.resource_manager.$key

This allows you to provide factory build options from the configuration to the corresponding instance factory, and in turn the returned instance will be cached by the service manager.

alichry/laminas-accesscontrol 适用场景与选型建议

alichry/laminas-accesscontrol 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 194 次下载、GitHub Stars 达 0, 最近一次更新时间为 2020 年 06 月 01 日, 在 PHP 生态内属于活跃度较高的组件。

我们在过去多个企业项目中使用过 alichry/laminas-accesscontrol 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 alichry/laminas-accesscontrol 我们能提供哪些服务?
定制开发 / 二次开发

基于 alichry/laminas-accesscontrol 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 194
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 7
  • 依赖项目数: 1
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 1
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2020-06-01