feat: Integrate Laravel's built-in authorization Gates (#73)

Dobmod · web-flow · commit 11ffe28750f2 · 2024-08-07T23:18:59.000+08:00
- Integrate Laravel's built-in authorization Gates (#70) - Added guidance for Gates in README.md
diff --git a/README.md b/README.md
@@ -277,6 +277,19 @@ Route::group(['middleware' => ['http_request']], function () {
 });
 ```
 
+### Using Gates
+
+You can use Laravel Gates to check if a user has a permission, provided that you have set an existing user instance as the currently authenticated user.
+
+```php
+$user->can('articles,read');
+// For multiple enforcers
+$user->can('articles,read', 'second');
+// The methods cant, cannot, canAny, etc. also work
+```
+
+If you require custom Laravel Gates, you can disable the automatic registration by setting `enabled_register_at_gates` to `false` in the lauthz file. After that, you can use `Gates::before` or `Gates::after` in your ServiceProvider to register custom Gates. See [Gates](https://laravel.com/docs/11.x/authorization#gates) for more details.
+
 ### Multiple enforcers
 
 If you need multiple permission controls in your project, you can configure multiple enforcers.
diff --git a/config/lauthz.php b/config/lauthz.php
@@ -6,6 +6,14 @@
      */
     'default' => 'basic',
 
+    /*
+     * Lauthz Localizer
+     */
+    'localizer' => [
+        // changes whether enforcer will register at gates.
+        'enabled_register_at_gates' => true
+    ],
+
     'basic' => [
         /*
         * Casbin model setting.
diff --git a/src/EnforcerLocalizer.php b/src/EnforcerLocalizer.php
@@ -0,0 +1,61 @@
+<?php
+
+namespace Lauthz;
+
+use Illuminate\Contracts\Auth\Access\Authorizable;
+use Illuminate\Contracts\Auth\Access\Gate;
+use Lauthz\Facades\Enforcer;
+
+class EnforcerLocalizer
+{
+    /**
+     * The application instance.
+     *
+     * @var \Illuminate\Foundation\Application
+     */
+    protected $app;
+
+    /**
+     * Create a new localizer instance.
+     *
+     * @param \Illuminate\Foundation\Application $app
+     */
+    public function __construct($app)
+    {
+        $this->app = $app;
+    }
+
+    /**
+     * Register the localizer based on the configuration.
+     */
+    public function register()
+    {
+        if ($this->app->config->get('lauthz.localizer.enabled_register_at_gates')) {
+            $this->registerAtGate();
+        }
+    }
+
+    /**
+     * Register the localizer at the gate.
+     */
+    protected function registerAtGate()
+    {
+        $this->app->make(Gate::class)->before(function (Authorizable $user, string $ability, array $guards) {
+            /** @var \Illuminate\Contracts\Auth\Authenticatable $user */
+            $identifier = $user->getAuthIdentifier();
+            if (method_exists($user, 'getAuthzIdentifier')) {
+                /** @var \Lauthz\Tests\Models\User $user */
+                $identifier = $user->getAuthzIdentifier();
+            }
+            $identifier = strval($identifier);
+            $ability = explode(',', $ability);
+            if (empty($guards)) {
+                return Enforcer::enforce($identifier, ...$ability);
+            }
+
+            foreach ($guards as $guard) {
+                return Enforcer::guard($guard)->enforce($identifier, ...$ability);
+            }
+        });
+    }
+}
diff --git a/src/LauthzServiceProvider.php b/src/LauthzServiceProvider.php
@@ -3,6 +3,7 @@
 namespace Lauthz;
 
 use Illuminate\Support\ServiceProvider;
+use Lauthz\EnforcerLocalizer;
 use Lauthz\Loaders\ModelLoaderManager;
 use Lauthz\Models\Rule;
 use Lauthz\Observers\RuleObserver;
@@ -31,6 +32,8 @@ public function boot()
         $this->mergeConfigFrom(__DIR__ . '/../config/lauthz.php', 'lauthz');
 
         $this->bootObserver();
+
+        $this->registerLocalizer();
     }
 
     /**
@@ -55,5 +58,19 @@ public function register()
         $this->app->singleton(ModelLoaderManager::class, function ($app) {
             return new ModelLoaderManager($app);
         });
+
+        $this->app->singleton(EnforcerLocalizer::class, function ($app) {
+            return new EnforcerLocalizer($app);
+        });
+    }
+
+    /**
+     * Register a gate that allows users to use Laravel's built-in Gate to call Enforcer.
+     *
+     * @return void
+     */
+    protected function registerLocalizer()
+    {
+        $this->app->make(EnforcerLocalizer::class)->register();
     }
 }
diff --git a/src/Middlewares/EnforcerMiddleware.php b/src/Middlewares/EnforcerMiddleware.php
@@ -31,6 +31,7 @@ public function handle($request, Closure $next, ...$args)
         $user = Auth::user();
         $identifier = $user->getAuthIdentifier();
         if (method_exists($user, 'getAuthzIdentifier')) {
+            /** @var \Lauthz\Tests\Models\User $user */
             $identifier = $user->getAuthzIdentifier();
         }
         $identifier = strval($identifier);
diff --git a/tests/DatabaseAdapterTest.php b/tests/DatabaseAdapterTest.php
@@ -2,10 +2,10 @@
 
 namespace Lauthz\Tests;
 
-use Enforcer;
 use Illuminate\Foundation\Testing\DatabaseMigrations;
 use Casbin\Persist\Adapters\Filter;
 use Casbin\Exceptions\InvalidFilterTypeException;
+use Lauthz\Facades\Enforcer;
 
 class DatabaseAdapterTest extends TestCase
 {
diff --git a/tests/EnforcerCustomLocalizerTest.php b/tests/EnforcerCustomLocalizerTest.php
@@ -0,0 +1,40 @@
+<?php
+
+use Illuminate\Contracts\Auth\Access\Gate;
+use Illuminate\Foundation\Testing\DatabaseMigrations;
+use Lauthz\Tests\TestCase;
+
+class EnforcerCustomLocalizerTest extends TestCase
+{
+    use DatabaseMigrations;
+
+    public function testCustomRegisterAtGatesBefore()
+    {
+        $user = $this->user("alice");
+        $this->assertFalse($user->can('data3,read'));
+
+        app(Gate::class)->before(function () {
+            return true;
+        });
+
+        $this->assertTrue($user->can('data3,read'));
+    }
+
+    public function testCustomRegisterAtGatesDefine()
+    {
+        $user = $this->user("alice");
+        $this->assertFalse($user->can('data3,read'));
+
+        app(Gate::class)->define('data3,read', function () {
+            return true;
+        });
+
+        $this->assertTrue($user->can('data3,read'));
+    }
+
+    public function initConfig()
+    {
+        parent::initConfig();
+        $this->app['config']->set('lauthz.localizer.enabled_register_at_gates', false);
+    }
+}
diff --git a/tests/EnforcerLocalizerTest.php b/tests/EnforcerLocalizerTest.php
@@ -0,0 +1,69 @@
+<?php
+
+use Illuminate\Contracts\Auth\Access\Gate;
+use Illuminate\Foundation\Testing\DatabaseMigrations;
+use Lauthz\Facades\Enforcer;
+use Lauthz\Tests\TestCase;
+
+class EnforcerLocalizerTest extends TestCase
+{
+    use DatabaseMigrations;
+
+    public function testRegisterAtGates()
+    {
+        $user = $this->user('alice');
+        $this->assertTrue($user->can('data1,read'));
+        $this->assertFalse($user->can('data1,write'));
+        $this->assertFalse($user->cannot('data2,read'));
+
+        Enforcer::guard('second')->addPolicy('alice', 'data1', 'read');
+        $this->assertTrue($user->can('data1,read', 'second'));
+        $this->assertFalse($user->can('data3,read', 'second'));
+    }
+
+    public function testNotLogin()
+    {
+        $this->assertFalse(app(Gate::class)->allows('data1,read'));
+        $this->assertTrue(app(Gate::class)->forUser($this->user('alice'))->allows('data1,read'));
+        $this->assertFalse(app(Gate::class)->forUser($this->user('bob'))->allows('data1,read'));
+    }
+
+    public function testAfterLogin()
+    {
+        $this->login('alice');
+        $this->assertTrue(app(Gate::class)->allows('data1,read'));
+        $this->assertTrue(app(Gate::class)->allows('data2,read'));
+        $this->assertTrue(app(Gate::class)->allows('data2,write'));
+
+        $this->login('bob');
+        $this->assertFalse(app(Gate::class)->allows('data1,read'));
+        $this->assertTrue(app(Gate::class)->allows('data2,write'));
+    }
+
+    public function initConfig()
+    {
+        parent::initConfig();
+        $this->app['config']->set('lauthz.second.model.config_type', 'text');
+        $this->app['config']->set(
+            'lauthz.second.model.config_text',
+            $this->getModelText()
+        );
+    }
+
+    protected function getModelText(): string
+    {
+        return <<<EOT
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
+EOT;
+    }
+}
diff --git a/tests/TestCase.php b/tests/TestCase.php
@@ -27,9 +27,9 @@ public function createApplication()
         });
 
         $this->app->make(Kernel::class)->bootstrap();
+        $this->initConfig();
 
         $this->app->register(\Lauthz\LauthzServiceProvider::class);
-        $this->initConfig();
 
         $this->artisan('vendor:publish', ['--provider' => 'Lauthz\LauthzServiceProvider']);
         $this->artisan('migrate', ['--force' => true]);

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@ public function handle($request, Closure $next, ...$args)`
`31`	`31`	`$user = Auth::user();`
`32`	`32`	`$identifier = $user->getAuthIdentifier();`
`33`	`33`	`if (method_exists($user, 'getAuthzIdentifier')) {`
	`34`	`+ /** @var \Lauthz\Tests\Models\User $user */`
`34`	`35`	`$identifier = $user->getAuthzIdentifier();`
`35`	`36`	`}`
`36`	`37`	`$identifier = strval($identifier);`
Original file line number	Diff line number	Diff line change
`@@ -2,10 +2,10 @@`
`2`	`2`
`3`	`3`	`namespace Lauthz\Tests;`
`4`	`4`
`5`		`-use Enforcer;`
`6`	`5`	`use Illuminate\Foundation\Testing\DatabaseMigrations;`
`7`	`6`	`use Casbin\Persist\Adapters\Filter;`
`8`	`7`	`use Casbin\Exceptions\InvalidFilterTypeException;`
	`8`	`+use Lauthz\Facades\Enforcer;`
`9`	`9`
`10`	`10`	`class DatabaseAdapterTest extends TestCase`
`11`	`11`	`{`