Slides of my Zend Framework Day 2014 presentation in Turin (Italy) about ZF2 authentication and authorization.

1. Instant ACLs
with Zend Framework 2
Zend Framework Day – Turin, Italy – 07/02/2014

2. @stefanovalle

3. http://www.mvlabs.it/

4. http://friuli.grusp.org/

5. AUTHENTICATION
AUTHORIZATION
5

7. Two step process

8. Two step process
WHO
WHAT

9. Two step process
WHO
Authentication
“a process that ensures and confirms
a user’s identity”
WHAT
Definitions from http://www.techopedia.com

10. Two step process
WHO
WHAT
Authentication
“a process that ensures and confirms
a user’s identity”
Authorization
“a security mechanism used to determine
user/client privileges or access levels
related to system resources”
Definitions from http://www.techopedia.com

11. 11

12. In ZF2
WHO
Zend/Authentication

13. In ZF2
WHO
Zend/Authentication
Authenticate against:
• DB table
• LDAP
• HTTP
• And more…

14. In ZF2
WHAT
Zend/Permissions/Acl
Zend/Permissions/Rbac

15. In ZF2
WHAT
Zend/Permissions/Acl
Zend/Permissions/Rbac
Role
Permission
Identity
Resource

16. SEEMS TOUGH…

17. JUST AS IT SHOULD!

18. CONSEQUENCES COULD BE UNDERESTIMATED

19. How does ZF2 help?
19

21. ‘NUFF TALK. TIME FOR ACTION…

22. We need to add/edit
conferences through
a restricted area
1ST NEED

24. THE
ADMINISTRATOR
NEEDS TO BE
RECOGNIZED

25. THE
ADMINISTRATOR
NEEDS TO BE
RECOGNIZED
IDENTIFIED

26. HEAD TO OFFICIAL MODULES’ WEBSITE

27. OH, LOOK WHAT WE JUST GOT!

28. Installing and enabling ZfcUser
// composer.json
"require": {
"zf-commons/zfc-user-doctrine-orm": "0.1.*"
}
28

29. Installing and enabling ZfcUser
// composer.json
"require": {
"zf-commons/zfc-user-doctrine-orm": "0.1.*"
}
let’s suppose we use the Doctrine ORM
29

30. Installing and enabling ZfcUser
// composer.json
"require": {
"zf-commons/zfc-user-doctrine-orm": "0.1.*"
}
// config/application.config.php
<?php
return array(
'modules' => array(
// ...
'ZfcBase',
'ZfcUser',
'ZfcUserDoctrineORM',
),
);
30

31. Back to our user…
31

32. How shall we represent him?

33. We need a class
class Systemuser {
private $id;
private $name;
private $city;
private $birthday;
private $username;
private $password;
}

34. With some mandatory fields
class Systemuser {
private $id;
private $name;
private $city;
private $birthday;
private $username;
private $password;
}

35. Implementing an interface
class Systemuser
implements
ZfcUserEntityUserInterface {
private $id;
private $name;
private $city;
private $birthday;
private $username;
private $password;
}

36. Let’s configure ZfcUser
// config/autoload/zfcuser.global.php
/** ZfcUser Configuration */
$settings = array(
/** User Model Entity Class */
'user_entity_class' => 'ApplicationEntitySystemuser',
/** Start configuration for ZfcUserDoctrineORM */
'enable_default_entities' => false,
);
36

37. Yay, here’s our working login form!
37

38. Yay, here’s our working login form!
Available at:
http://myaddress/user/login
38

39. Yay, it works!
39

40. ZfcUser also allows to:
•
•
•
•
•
40
Customize login form
Customize User entity fields
Quickly implement a registration form
Interact with either Zend/DB or Doctrine
out of the box
Do much more stuff…

41. ZfcUser also allows to:
•
•
•
•
•
41
Customize login form
Customize User entity fields
Quickly implement a registration form
Interact with either Zend/DB or Doctrine
out of the box
Do much more stuff…

42. Remember the two steps?
WHO
WHAT

43. Remember the two steps?
WHO
WHAT

44. We need an admin panel!
44

45. We need an admin panel!
Welcome ZfcAdmin!
provides a ready to use /admin route
45

46. hubme.in has an admin panel!

47. hubme.in has an admin panel!

48. Are we done yet?
48

49. What if
a malicious user…

50. What if
a malicious user…

51. What if
a malicious user…
…hits this url:
http://myawesomewebsite/admin/conferences

52. What if
a malicious user…
…hits this url:
http://myawesomewebsite/admin/conferences
accessible to everyone!

53. What if
a malicious user…
…hits this url:
http://myawesomewebsite/admin/conferences
nothing’s protecting
our private area

54. What if
a malicious user…
…hits this url:
http://myawesomewebsite/admin/conferences
nothing’s protecting
our private area
Login form could be
bypassed!

55. No worries!
/*
* On each action
*/
<?php
public function indexAction() {
if (!$this->zfcUserAuthentication()->hasIdentity())
{
return $this->redirect()->toRoute('home');
}
}
55

56. No worries!
/*
* On each action
*/
<?php
public function indexAction() {
if (!$this->zfcUserAuthentication()->hasIdentity())
{
return $this->redirect()->toRoute('home');
}
}
56
in EACH action
of EACH controller

57. WHAAAT?

58. IN EACH ACTION???

59. SOMEONE HELP US!

60. ZENDPERMISSIONSACL

61. Remember? There were two steps…
WHO
WHAT

62. Using Zend/Permissions/Acl
<?php
use ZendPermissionsAclAcl;
use ZendPermissionsAclRoleGenericRole as Role;
use ZendPermissionsAclResourceGenericResource as Resource;
$acl = new Acl();
$acl->addRole(new Role('guest'))
->addRole(new Role('admin'));
$acl->addResource(new
$acl->addResource(new
$acl->addResource(new
$acl->addResource(new
$acl->allow('guest',
$acl->allow('admin',
$acl->allow('admin',
$acl->allow('admin',
62
Resource('someResource'));
Resource('adminarea'));
Resource('adminconferencearea'));
Resource('adminsettingsarea'));
'someResource');
'adminarea');
'adminconferencearea ');
'adminsettingsarea ');

63. Welcome BjyAuthorize!
… a facade for ZendPermissionsAcl
that will ease its usage with modules
and applications …
From https://github.com/bjyoungblood/BjyAuthorize
63

64. Welcome BjyAuthorize!
… a facade for ZendPermissionsAcl
that will ease its usage with modules
and applications …
From https://github.com/bjyoungblood/BjyAuthorize
64

65. OUR EASIER WAY

66. How does it work?
66

67. Standard ZendMvc app workflow
From https://github.com/bjyoungblood/BjyAuthorize
67

68. With BjyAuthorize enabled
From https://github.com/bjyoungblood/BjyAuthorize
68

69. With BjyAuthorize enabled
From https://github.com/bjyoungblood/BjyAuthorize
69

70. With BjyAuthorize enabled
From https://github.com/bjyoungblood/BjyAuthorize
70

71. With BjyAuthorize enabled
+ control over resources
From https://github.com/bjyoungblood/BjyAuthorize
71

72. Installing and enabling BjyAuthorize
// composer.json
"require": {
"bjyoungblood/bjy-authorize": "1.4.*"
}
// config/application.config.php
<?php
return array(
'modules' => array(
// ...
'BjyAuthorize',
),
);
72

73. Configuring BjyAuthorize
// config/autoload/bjyauthorize.global
return array(
'bjyauthorize' => array(
'default_role' => 'guest',
'identity_provider' =>
'BjyAuthorizeProviderIdentityAuthenticationIdentityProvider',
'role_providers' => array(
'BjyAuthorizeProviderRoleConfig' => array(
'guest' => array(),
'admin' => array(),
),
),
), );
73

74. Configuring BjyAuthorize
// config/autoload/bjyauthorize.global
return array(
'bjyauthorize' => array(
A new concept: the Role
'default_role' => 'guest',
'identity_provider' =>
'BjyAuthorizeProviderIdentityAuthenticationIdentityProvider',
'role_providers' => array(
'BjyAuthorizeProviderRoleConfig' => array(
'guest' => array(),
'admin' => array(),
),
),
), );
74

75. Guards on routes
http://myawesomewebsite/
Allowed to all users
75

76. Guards on routes
http://myawesomewebsite/
Allowed to all users
http://myawesomewebsite/admin/...
Restricted area! For admins only
76

77. Guards on controller actions
class ConferencesController {
public function listAction() {
// code...
}
public function manageAction() {
// code...
}
}
77

78. Guards on controller actions
class ConferencesController {
public function listAction() {
// code...
}
Allowed
public function manageAction() {
// code...
}
}
78
to all users

79. Guards on controller actions
class ConferencesController {
public function listAction() {
// code...
}
Allowed
to all users
public function manageAction() {
// code...
}
}
79
Restricted area! For admins only

80. Guards on controller actions
array(
'controller' => 'ZfcAdminControllerAdminController',
'roles' => array('admin')
)
80

81. Where should
guards be placed?
81

82. Inside each module configuration
// module/Conferences/config/module.config.php
return array(
'bjyauthorize' => array(
'guards' => array(
'BjyAuthorizeGuardController' => array(
//...
),
), ),
82

83. Inside each module configuration
// module/Conferences/config/module.config.php
return array(
'bjyauthorize' => array(
Taking advantage of ZF2
configuration merge
'BjyAuthorizeGuardController' => array(
'guards' => array(
//...
),
), ),
83

84. It works!

85. It works!
User could be redirected
to whatever url we want

86. Dude, forgot to tell
ya! …we got 2
fellas!
2ND NEED

87. Two different roles
The reader
87

88. Two different roles
The reader
88

89. Two different roles
The reader
89
The editor

90. Two different roles
Can only view
conference info
The reader
90
Can view
conferences +
create, edit and
delete info
The editor

91. What we want
Only editor should
see these icons

93. Until now…
'bjyauthorize' => array(
// ...
'role_providers' => array(
'BjyAuthorizeProviderRoleConfig' => array(
'guest' => array(),
'admin' => array(),
),
),
)
Static role list
93

94. Until now…
'bjyauthorize' => array(
// ...
'role_providers' => array(
'BjyAuthorizeProviderRoleConfig' => array(
'guest' => array(),
'admin' => array(),
),
),
)
More flexibility wouldn’t hurt…
94

95. BjyAuthorize config changes
// config/autoload/bjyauthorize.global
return array(
'bjyauthorize' => array(
'role_providers' => array(
'BjyAuthorizeProviderRoleObjectRepositoryProvider' => array(
'role_entity_class' => 'ApplicationEntityRole',
'object_manager' => 'doctrine.entity_manager.orm_default', ),
),
), );
From array to class (persisted on db)
95

96. Let’s map the actions

97. New concept: the Resource

98. something

99. something
upon which
someone

100. something
upon which
someone
could perform
an action

101. ENTITY
IDENTITY / ROLE
PRIVILEGE

102. On BjyAuthorize…
'resource_providers' => array(
'BjyAuthorizeProviderResourceConfig' => array(
'Conference' => array(),
),
),
'rule_providers' => array(
'BjyAuthorizeProviderRuleConfig' => array(
'allow' => array(
// allow editors to edit conferences
array(array('editor'), 'Conference', array('edit')),
),
),
102

103. On views…
//Conferences/view/…/index.phtml
<?php if ($this->isAllowed($event, 'edit')) { ?>
<a href="someurl">Remove</a><br />
<a href="someurl">Edit</a>
<?php } ?>
103

104. Views, routes and
controllers are safe
104

105. Views, routes and
controllers are safe
Is this enough?
105

106. Another controller, another action
//Conferences/Controller/AnotherAdminController.php
class AnotherAdminController extends AbstractActionController {
public function someCrazyAction() {
//...
$this->conferenceService->updateConference($myConference);
}
}
What prevents this?
106

107. 107
SERVICE
CONTROLLER
ROUTE
Choose your protection level

108. Conference service
//Conferences/Service/ConferenceService.php
namespace ConferencesService;
class ConferenceService {
public function getConference($id) { ... }
public function getConferenceList($someCriteria) { ... }
public function updateConference($myConf) { ... }
public function deleteConference($myConf) { ... }
}
108

109. Conference service
//Conferences/Service/ConferenceService.php
namespace ConferencesService;
class ConferenceService {
public function getConference($id) { ... }
public function getConferenceList($someCriteria) { ... }
public function updateConference($myConf) { ... }
public function deleteConference($myConf) { ... }
}
Only to allowed users!
109

110. Let’s inject the Authorize class
//Conferences/Service/ConferenceServiceFactory.php
namespace ConferencesService;
class ConferenceServiceFactory implements FactoryInterface {
public function createService(ServiceLocatorInterface $serviceLocator)
{
//...
$authorize = $serviceLocator->get('BjyAuthorizeServiceAuthorize');
return new ConferenceService(..., $authorize);
}
}
110

111. Updated conference service
//Conferences/Service/ConferenceService.php
namespace ConferencesService;
class ConferenceService {
//...
public function updateConference($myConf) {
if (!$this->authorize->isAllowed($myConf, 'edit')) {
throw new UnAuthorizedException();
}
// other code...
} // the same for deleteConference method }
111

112. 112
SERVICE
CONTROLLER
ROUTE
Now our service is secured

113. We’ll outsource the
management of
foreign conferences
3RD NEED

115. Based on their country

116. How database changes
class Systemuser {
//...
private $country;
}
class Conference {
//...
private $country;
}
116

117. Create an Assertion
use ZendPermissionsAclAssertionAssertionInterface;
class CheckUserCountry implements AssertionInterface {
// ...
public function assert(Acl $acl,
RoleInterface $role = null,
ResourceInterface $resource = null,
$privilege = null) {
// ...
}
}
117

118. Create an Assertion
use ZendPermissionsAclAssertionAssertionInterface;
class CheckUserCountry implements AssertionInterface {
// ...
public function assert(Acl $acl,
RoleInterface $role = null,
ResourceInterface $resource = null,
$privilege = null) {
return $resource->getCountry() ==
$this->loggedUser->getCountry();
}
}
118

119. Create an Assertion
use ZendPermissionsAclAssertionAssertionInterface;
class CheckUserCountry implements AssertionInterface {
// ...
Injected through constructor
public function assert(Acl $acl,
RoleInterface $role = null,
ResourceInterface $resource = null,
$privilege = null) {
return $resource->getCountry() ==
$this->loggedUser->getCountry();
}
}
119

120. Create an Assertion
use ZendPermissionsAclAssertionAssertionInterface;
class CheckUserCountry implements AssertionInterface {
// ...
public function assert(Acl $acl,
RoleInterface $role = null,
ResourceInterface $resource = null,
$privilege = null) {
return $resource->getCountry() ==
$this->loggedUser->getCountry();
}
}
120
1 LoC… AWESOME!!

121. Update rule with the new assertion
'rule_providers' => array(
'BjyAuthorizeProviderRuleConfig' => array(
'allow' => array(
// role check through assertion
array(array('editor'),
'Conference',
array('edit'),
'assertion.CheckUserCountry'),
),
),
121

122. The reader
122

123. The reader
The editor
123

124. In the same way we could:
•
•
•
124
Restrict access to user owned
onferences only
or conferences owned by a group the
user is belonging to
…and much more!

125. Cool. How'bout the
admin menu
though?
4TH NEED

126. Navigation menu
126

127. Configure Zend/Navigation
// module/Conferences/config/module.config.php
return array(
'navigation' => array(
'admin' => array(
'conferences' => array(
'label' => 'Conferences',
'route' => 'zfcadmin/conferences',
'resource' => 'Conference',
'privilege' => 'view',
),
),
),
), );
127

128. Configure Zend/Navigation
// module/Settings/config/module.config.php
return array(
'navigation' => array(
'admin' => array(
'settings' => array(
'label' => 'Settings',
'route' => 'zfcadmin/settings',
'resource' => 'Setting',
'privilege' => 'view',
),
),
),
), );
128

129. How menu looks like for admins

130. How menu looks like for other users

131. FINAL NOTES

132. PLUGGABLE COMPONENTS

133. PLUGGABLE COMPONENTS
CLEAN ARCHITECTURE

134. PLUGGABLE COMPONENTS
CLEAN ARCHITECTURE
COMPLEX ACL LOGIC IN A FEW MINUTES

135. Thank you for your attention!
Stefano Valle
@stefanovalle
s.valle@mvassociati.it

136. Questions?
Stefano Valle
@stefanovalle
s.valle@mvassociati.it

137. Photo Credits
From Flickr:
http://www.flickr.com/photos/cbpphotos/8652042987
http://www.flickr.com/photos/disa4ever/9409743179
http://www.flickr.com/photos/ben_salter/6169305845
http://www.flickr.com/photos/elzey/3481161467
http://www.flickr.com/photos/morris278/8022505933
A-Team members’ photos:
http://5gta.com/gta-5-info/gta-5-the-a-team-similarities.html/
http://www.legendarytv.com/the_a-team/the_a-team_lance_legault.asp
http://www.fanpop.com/clubs/the-a-team/images
http://dwightschultz.freeforums.org/dwight-photo-s-t8.html
http://docmanhattan.blogspot.it/2010/10/vita-mort-immortalita-e-miracoli-di-mr.html
http://www.starsky-iom.com/forum/viewtopic.php?f=8&t=58
http://www.thea-teamonline.com/
And others form iStockPhoto
137