The GalmiXacmlBundle adds support for ABAC (Attribute Based Access Control) based on eXtensible Access Control Markup Language (XACML) Version 3.0 OASIS Standard.
Features include:
- Policies can be stored via Doctrine ORM
- Unit tested
Open a command console, enter your project directory and execute the following command to download the latest stable version of this bundle:
$ composer require galmi/xacmlbundle "dev-master"
This command requires you to have Composer installed globally, as explained in the installation chapter of the Composer documentation.
Then, enable the bundle by adding it to the list of registered bundles
in the app/AppKernel.php
file of your project:
<?php
// app/AppKernel.php
// ...
class AppKernel extends Kernel
{
public function registerBundles()
{
$bundles = array(
// ...
new Galmi\XacmlBundle\GalmiXacmlBundle(),
);
// ...
}
// ...
}
With default configuration it is Permit to all resources and actions if it is not denied.
You must determine Resource for each action. You can add Annotation for your actions.
<?php
namespace AppBundle\Controller;
// ...
use Galmi\XacmlBundle\Annotations\XacmlResource;
class CustomerController extends Controller
{
/**
* @XacmlResource(entity="AppBundle\Entity\Customer", id="id")
*/
public function editAction(Request $request)
{
// ...
}
}
This annotation determine resource class "AppBundle\Entity\Customer" with identifier key "id" in request (_GET, _POST).
Default decision is determine the result of request if rules was not matched. Default value is "Permit". It's mean that user will restrict access to all requests if all rules is not match request. Default decision value allowed "Permit" or "Deny".
# config/parameters.yml
parameters:
galmi_xacml.default_decision: Permit
If you using xml configuration, you can use constant PERMIT or DENY of class Galmi\Xacml\Decision.
<!-- config/services.xml -->
<container xmlns="http://symfony.com/schema/dic/services"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://symfony.com/schema/dic/services
http://symfony.com/schema/dic/services/services-1.0.xsd">
<parameters>
<parameter key="galmi_xacml.default_decision" type="constant">Galmi\Xacml\Decision::PERMIT</parameter>
</parameters>
</container
If you have multiple top level Policy sets or Policies, Policy Decision Point must determine only one decision "Permit" or "Allow". For this case you can use Combining Algorithm. Default value is "\Galmi\Xacml\CombiningAlgorithmRegistry::FIRST_APPLICABLE" it means that first evaluated Policy set or Policy is the result of PDP.
# config/parameters.yml
parameters:
galmi_xacml.default_combining_algorithm: "first-applicable"
If you using xml configuration, you can use constants of class Galmi\Xacml\CombiningAlgorithmRegistry.
<!-- config/services.xml -->
<container xmlns="http://symfony.com/schema/dic/services"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://symfony.com/schema/dic/services
http://symfony.com/schema/dic/services/services-1.0.xsd">
<parameters>
<parameter key="galmi_xacml.default_combining_algorithm" type="constant">\Galmi\Xacml\CombiningAlgorithmRegistry::FIRST_APPLICABLE</parameter>
</parameters>
</container