security namespace

spiral-modules · Jan 19, 2016 · ede6cf6 · ede6cf6
1 parent 165dc57
commit ede6cf6
Show file tree

Hide file tree

Showing 7 changed files with 82 additions and 63 deletions.
diff --git a/source/Albus/Albus.php b/source/Albus/Albus.php
@@ -30,7 +30,7 @@ class Albus extends Component implements CoreInterface, SingletonInterface
     use BenchmarkTrait, GuardedTrait, TranslatorTrait;
 
     /**
-     * Declaring to IoC to treat Albus as sinleton.
+     * Declaring to IoC to treat Albus as singleton.
      */
     const SINGLETON = self::class;
 
@@ -118,39 +118,16 @@ public function callAction($controller, $action = '', array $parameters = [])
             );
         }
 
-        if (!$this->guard()->allows("albus.{$controller}", compact('action'))) {
+        $permission = "{$this->config->securityNamespace()}.{$controller}";
+
+        if (!$this->guard()->allows($permission, compact('action'))) {
             throw new ControllerException(
                 "Unreachable albus controller '{$controller}'",
                 ControllerException::FORBIDDEN
             );
         }
 
-        $benchmark = $this->benchmark('callAction', $controller . '::' . ($action ?: '~default~'));
-        $scope = $this->container->replace(CoreInterface::class, $this);
-
-        //To let navigation know current controller
-        $this->controller = $controller;
-
-        try {
-            //Initiating controller with all required dependencies
-            $object = $this->container->make(
-                $this->config->controllers()[$controller]
-            );
-
-            if (!$object instanceof ControllerInterface) {
-                throw new ControllerException(
-                    "Invalid '{$controller}', ControllerInterface not implemented.",
-                    ControllerException::NOT_FOUND
-                );
-            }
-
-            return $object->callAction($action, $parameters);
-        } finally {
-            $this->benchmark($benchmark);
-            $this->container->restore($scope);
-
-            $this->controller = '';
-        }
+        return $this->executeController($controller, $action, $parameters);
     }
 
     /**
@@ -210,4 +187,41 @@ protected function createRoute()
     {
         return $this->config->createRoute('albus')->setAlbus($this);
     }
+
+    /**
+     * @param string $controller
+     * @param string $action
+     * @param array  $parameters
+     * @return mixed
+     * @throws ControllerException
+     */
+    protected function executeController($controller, $action, array $parameters)
+    {
+        $benchmark = $this->benchmark('callAction', $controller . '::' . ($action ?: '~default~'));
+        $scope = $this->container->replace(CoreInterface::class, $this);
+
+        //To let navigation know current controller
+        $this->controller = $controller;
+
+        try {
+            //Initiating controller with all required dependencies
+            $object = $this->container->make(
+                $this->config->controllers()[$controller]
+            );
+
+            if (!$object instanceof ControllerInterface) {
+                throw new ControllerException(
+                    "Invalid '{$controller}', ControllerInterface not implemented.",
+                    ControllerException::NOT_FOUND
+                );
+            }
+
+            return $object->callAction($action, $parameters);
+        } finally {
+            $this->benchmark($benchmark);
+            $this->container->restore($scope);
+
+            $this->controller = '';
+        }
+    }
 }
diff --git a/source/Albus/AlbusController.php b/source/Albus/AlbusController.php
diff --git a/source/Albus/Bootloaders/InsecureAlbusBootloader.php b/source/Albus/Bootloaders/InsecureAlbusBootloader.php
@@ -7,6 +7,7 @@
  */
 namespace Spiral\Albus\Bootloaders;
 
+use Spiral\Albus\Configs\AlbusConfig;
 use Spiral\Albus\Security\Rules\InsecureRule;
 use Spiral\Core\Bootloaders\Bootloader;
 use Spiral\Security\Entities\Actors\Guest;
@@ -23,17 +24,26 @@ class InsecureAlbusBootloader extends Bootloader
 
     /**
      * @param PermissionsInterface $permissions
+     * @param AlbusConfig          $config
      */
-    public function boot(PermissionsInterface $permissions)
+    public function boot(PermissionsInterface $permissions, AlbusConfig $config)
     {
         if (!$permissions->hasRole(static::ROLE)) {
             $permissions->addRole(static::ROLE);
         }
 
         //Following rule will raise log message to notify that insecure setting were used
-        $permissions->associate(static::ROLE, 'albus.*', InsecureRule::class);
+        $permissions->associate(
+            static::ROLE,
+            $config->securityNamespace() . '.*',
+            InsecureRule::class
+        );
 
         //Controller specific permissions
-        $permissions->associate(static::ROLE, 'albus.*.*', InsecureRule::class);
+        $permissions->associate(
+            static::ROLE,
+            $config->securityNamespace() . '.*',
+            InsecureRule::class
+        );
     }
 }
diff --git a/source/Albus/Configs/AlbusConfig.php b/source/Albus/Configs/AlbusConfig.php
@@ -20,23 +20,39 @@ class AlbusConfig extends InjectableConfig
      */
     const CONFIG = 'modules/albus';
 
+    /**
+     * Default permissions namespace.
+     */
+    const GUARD_NAMESPACE = 'albus';
+
     /**
      * @var array
      */
     protected $config = [
+        'guardNamespace' => 'albus',
+
         //Default albus controller
-        'controllers' => [],
-        'navigation'  => [],
+        'controllers'    => [],
+        'navigation'     => [],
 
         //Example: albus/users/addresses/1/remove/123
-        'route'       => [
+        'route'          => [
             'middlewares' => [],
             'pattern'     => 'albus[/<controller>[/<action>[/<id>[/<operation>[/<childID>]]]]]',
             'defaults'    => [],
             'matchHost'   => false,
         ]
     ];
 
+    public function securityNamespace()
+    {
+        if (empty($this->config['guardNamespace'])) {
+            return self::GUARD_NAMESPACE;
+        }
+
+        return $this->config['guardNamespace'];
+    }
+
     /**
      * List of allowed albus controllers in a form alias => class.
      *

diff --git a/source/Albus/Controllers/DashboardController.php b/source/Albus/Controllers/DashboardController.php
@@ -7,12 +7,12 @@
  */
 namespace Spiral\Albus\Controllers;
 
-use Spiral\Albus\AlbusController;
+use Spiral\Core\Controller;
 
 /**
  * No guard check in this sample controller.
  */
-class DashboardController extends AlbusController
+class DashboardController extends Controller
 {
     /**
      * @return string

diff --git a/source/AlbusModule.php b/source/AlbusModule.php
@@ -33,11 +33,6 @@ public function register(RegistratorInterface $registrator)
             "   /*{{domain.albus}}*/",
             "]"
         ]);
-
-        //Shared albus permissions and rules
-        $registrator->configure('modules/security', 'libraries', 'spiral/albus', [
-            '\Spiral\Albus\Security\AlbusLibrary::class'
-        ]);
     }
 
     /**

diff --git a/source/config/albus.php b/source/config/albus.php
@@ -7,6 +7,12 @@
  */
 
 return [
+    /*
+     * Every controller access will be checked under following permissions namespace. For example
+     * access to TestController mounted under name "test" will be checked as "albus.test".
+     */
+    'guardNamespace' => 'albus',
+
     /*
      * List of controller classes associated with their alias to be available for albus. No other
      * controllers can be called.