BjyAuthorize 2.0.0 RFC

The current major plan for 2.0.0 is an overhaul of the module with a focus on abstraction, with the goal of supporting both Zend\Permissions\Acl and Zend\Permissions\Rbac.

This issue is aimed at determining the overarching goals, features, and other major changes or refactorings that will involve a major release.

This RFC is open to the public. If there is something you would like to see (or specifically not see) in BjyAuthorize 2.0.0, please comment here.

We will create new issues for items that are accepted or require more discussion.

Interface

The authorization service could be abstracted into following interface:

interface AuthorizationServiceInterface
{
    public function hasResource($resource);
    public function isAuthorized($resource);
}

Which basically means that each authorization service is aware of its own identity roles

Concept

Given following config:

return array(
    'bjyauthorize' => array(
        'authorization_services' => array(
            // ze number is ze priority
            'BjyAuthorize\Service\AclAuthorize' => 1000,
            'BjyAuthorize\Service\RbacAuthorize' => 2000,
        ),

        'BjyAuthorize\Service\AclAuthorize' => array(
            // previous bjyauthorize config
        ),

        'BjyAuthorize\Service\RbacAuthorize' => array(
            // new rbac config
        ),
    ),
);

Two authorization services will be spawned within an AggregateAuthorizationService that is composed of an RbacAuthorize and an AclAuthorize. These two services are put into a priority queue (maybe as event listeners?) and are checked in sequence each time hasResource or isAuthorized are called on the aggregate authorization service.

hi,

added full ZF3 support, dropped ZF2-eventmanager and set min PHP5.6

changed autoloader to PSR-4 added php-nightly in travis

i stuck atm @ hhvm UnitTests, mabye someone can help.

for testing you can add following in your composer.json "kokspflanze/bjy-authorize": "~1.6"

This is my first ever pull request so I hope I've done this right!

Description

I recently started using BjyAuthorize with Doctrine and didn't like the fact that I had to import the schema.sql and then write a layer above that to make it possible to manage the permissions so I decided to make a Roles entity which linked to a User entity. After a bit of thought I thought others might like this too so I wrote it into the module.

Usage

The usage is very simple:

Firstly you need to be using ZfcUserDoctrineORM

Creating the entities

Next you will need to create your User & Role entity classes in your project entity folder.

Your User entity class must implement BjyAuthorize\Provider\Role\ProviderInterface and ZfcUser\Entity\UserInterface

Your Role entity class must implement BjyAuthorize\Acl\HierarchicalRoleInterface

Examples are provided as BjyAuthorize/data/User.php.dist and BjyAuthorized/data/Role.php.dist

Once you have created your entities you can set up the database with the following command

./vendor/bin/doctrine-module orm:schema-tool:create

Configuring ZfcUser and BjyAuthorize

Next in your ZfcUser configuration specify your user entity class for the user_entity_class setting

Then in you bjyauthorize settings include the following 2 options:

// Set to use the DoctrineEntity identity provider
'identity_provider'     => 'BjyAuthorize\Provider\Identity\ZfcUserDoctrineEntity',

// Set to use the DoctrineEntity role provider
'role_providers'        => array(
    'BjyAuthorize\Provider\Role\DoctrineEntity' => array(
        'role_entity_class' => 'FQCN TO YOUR ROLE ENTITY CLASS',
     ),
),

And you're configured and ready to go. All you need to do is make sure your default role is added to the database.

I hope you find this a useful addition, if it is not something you want to accept maybe I should offer it as a separate module?

I am struggling to get BjyAuthorize working with ScnSocialAuth. Both libraries work by themselves fine. But when they are put together, social authentication does not work.

I have been testing this on my ZF2 project and initially I thought it was something I have done wrong in my project. But then I have created a fork of ZendSkeletonApplication and applied the default config to see if it works. But it is the same result.

ZendDb authentication works fine, but Social Auth via facebook fails with "Authentication failed. Please try again."

Here is my forked ZendSkeletonApplication project https://github.com/jeffery/ZendSkeletonApplication (test-scnsocialauth-bjyauthorize branch)

And some additional local configuration files I used to test against ZendDb + facebook: https://gist.github.com/anonymous/7701797 Please update with your own config.

If someone has these modules working together, I would like to know how.

The following is my composer config:

{
    "name": "zendframework/skeleton-application",
    "description": "Skeleton Application for ZF2",
    "license": "BSD-3-Clause",
    "keywords": [
        "framework",
        "zf2"
    ],
    "homepage": "http://framework.zend.com/",
    "minimum-stability": "dev",
    "require": {
        "php": ">=5.3.3",
        "zendframework/zendframework": "2.2.*",
        "bjyoungblood/bjy-authorize": "1.4.*",
        "zf-commons/zfc-user": "0.1.*",
        "socalnick/scn-social-auth": "1.11.*"
    }
}

Hello! The method isAllowed of class BjyAuthorize\Service\Authorize catches the exception (Zend\Permissions\Acl\Exception\InvalidArgumentException) if the role was not found. It's good. If one of the role providers are not able to get a list of roles (for example, the database is not available), it will provide an acceptable behavior. It is very good. The problem is that the previous line ($this->loaded && $this->loaded->__invoke();) is not included in the try / catch. And if the role is not found, it generates the same exception (Zend\Permissions\Acl\Exception\InvalidArgumentException).

Would you move the previous line ($this->loaded && $this->loaded->__invoke();) in the try / catch block ?

P.S: isAllowed ==> load() ==> loadAcl() ==> loadRule()

in loadRule() : (If the role specified in the rules, but the roles provider could not get it) $this->acl->allow() (or $this->acl->deny()) throw Zend\Permissions\Acl\Exception\InvalidArgumentException

I couldn't decide where to open this issue as it concerns both modules, but i finally chose to create it here, sorry :)

Before i explain a bit more what the problem is, here are the different BjyAuthorize configurations i've been using. They all led to the same error. Following @Ocramius advice on IRC, i also commented out both event manager attachments in the Module onBootstrap method (#1 and #2) but it didn't remove the error either.

The error i'm getting is thrown as soon as i have both modules in the modules list in application.config.php (BjyAuthorize or ScnSocialAuth alone works) it says : Request URI has not been set. Please set your correct home route key in the scn-social-auth.local.php config file. It's thrown here in ScnSocialAuth module. It seems that the ZF2 router can't find the home route key anymore.

It's getting to this part of ScnSocialAuth because AuthenticationDoctrineEntityFactory calls zfcuser_auth_service wich starts up the whole authentication chain, including ScnSocialAuth's.

Thanks for your help.

Pinging @SocalNick in case he has any idea.

I'm trying to implement ACL on our site and have been hitting a wall in regards to the guards working perfectly, but even the example rule providers not working correctly.

The issue stems from the following piece of code in Authorize.php

private function getOrCreateService($class, $options)
    {
        if ($this->serviceLocator->has($class)) {
            return $this->serviceLocator->get($class);
        }

        return new $class($options, $this->serviceLocator);
    }

Because the section within the if statement is returning true, it's returning an empty instance of the configuration class. This then causes the load() function to not be able to add the rule.

Now, as a newbie as ZF2, it's entirely possible I'm doing something wrong, but having followed your example and that of others to the letter, I'm thinking it may be a documentation issue (if not an actual bug).

Here's the relevant section from my config file

// Resource providers to be used to load all available resources into Zend\Permissions\Acl\Acl
        // Keys are the provider service names, values are the options to be passed to the provider
        'resource_providers' => array(
            'BjyAuthorize\Provider\Resource\Config' => array(
                'faq' => array(),
            ),
        ),

        // Rule providers to be used to load all available rules into Zend\Permissions\Acl\Acl
        // Keys are the provider service names, values are the options to be passed to the provider
        'rule_providers' => array(
            'BjyAuthorize\Provider\Rule\Config' => array(
                'allow' => array(
                    // allow guests and users (and admins, through inheritance)
                    // the "wear" privilege on the resource "pants"
                    array(array('guest', 'customer'), 'faq', 'add')
                ),

            ),
        ),

        // Guard listeners to be attached to the application event manager
        'guards'                => array(
            'BjyAuthorize\Guard\Controller' => array(
                array('controller' => 'zfcuser', 'roles' => array()),
                array('controller' => 'Application\Controller\Index', 'roles' => array()),

                // Default Action (Grant access to all to be able to use rule_providers
                array('controller' => 'Faq\Controller\Faq', 'roles' => array('guest', 'customer')),
                array('controller' => 'Pages\Controller\Index', 'roles' => array('guest', 'customer')),
                array('controller' => 'Project\Controller\Project', 'roles' => array('guest', 'customer')),
            ),
        ),

In terms of fixing it, I've commented out the if statement and all seems to work as intended (though I assume it has broken other more advanced functionality).

Any ideas?

called in vendor\bjyoungblood\bjy-authorize\src\BjyAuthorize\Service\Authorize.php on line 82 and defined in vendor\bjyoungblood\bjy-authorize\src\BjyAuthorize\Provider\Role\Doctrine.php on line 45

I want to change actions and roles for Controller Guards from my website's admin area. Is there a way to set these guards dynamically via code?

Currently there is a static way to set controller guards in module.config.php file, but I don't see a way to manipulate them from code.

Poking around in BjyAuthorize\Module.php I see $app->getEventManager()->attach($guard). Not sure if this is is, but I presume that what I want to do is possible. But how, what is the syntax for it, and how can I detach guards as well?

@Danielss89 has done a pull request (164) in order to update the schema.sql Now, the documentation isn't up to date and some files haven't been updated accordingly..

My main issue is with the Provider/Identity/ZfcUserZendDb.php in the method getIdentityRoles This method should return a string corresponding of the roleId but now, it returns an int and ZF doesn't know this role (as it receive an id like: 7 instead of a name like 'admin'). My workaround for now is to use this id (i.e. 7) and query the user_role table in order to get the corresponding string (i.e. admin)

how to show current role without ZendDeveloperTools?

ZendDeveloperTools doesn't work for me, and there is close to no information about debugging anything.

my application.config.php

'modules' => array(
        'ZendDeveloperTools',
        'Application',
        'ZfcBase',
        'ZfcUser',
        'BjyAuthorize',
        'ZfcAdmin',
    ),

my zenddevelopertools config:

'enabled' => true,

my bjyauthorize.global.php:

'default_role'          => 'guest',
'guards' => array(
  'BjyAuthorize\Guard\Controller' => array(
     array('controller' => 'Application\Controller\Index', 'roles' => array('guest', 'user', 'admin')),
  ),
),

composer.json

    "require": {
        "php": ">=5.3.3",
        "zendframework/zendframework": "2.2.0",
        "zf-commons/zfc-admin": "dev-master",
        "bjyoungblood/bjy-authorize": "1.3.0",
        "zf-commons/zfc-user": "0.1.2",
        "zendframework/zend-developer-tools": "dev-master"
    }