ZF-Commons / zfc-rbac

Role-based access control module to provide additional features on top of Zend\Permissions\Rbac
BSD 3-Clause "New" or "Revised" License

Server does not respond when using guards #159

Closed SteveFortune closed 10 years ago

SteveFortune commented 10 years ago

I've been struggling with this issue for a few days now and I can't seem to figure out what's going on.

I'm building a simple REST service as a proof of concept, mainly to test a few PHP libraries out: zfc_rbac, along with this OAuth 2 library to authenticate requests.

When I try to use either Route or Controller Guards in my module zfc_rbac config, my application hangs for a few seconds then responds with no data and a status code of 0.

I have my config set up like so:

'zfc_rbac' => array(

    // This is my custom provider that pulls a User entity implementing IdentityInterface based on an access token
    'identity_provider' => 'Application\Rbac\IdentityProvider\OAuth2IdentityProvider',

    // I get the same issue with or without this line
    'guest_role' => 'public',

    'guards' => array(

        // If I comment this k=>v out it starts responding normally again
        'ZfcRbac\Guard\ControllerGuard' => array(
            array(
                'controller' => 'Application\Controller\Article',
                'actions' => array(
                    'create',
                    'update',
                    'delete',
                ),
                'roles' => array(
                    'member',
                ),
            ),
        ),

    ),

    'protection_policy' => \ZfcRbac\Guard\GuardInterface::POLICY_ALLOW,

    'role_provider' => array(

        'ZfcRbac\Role\InMemoryRoleProvider' => array(

            'admin' => array(
                'children' => array(
                    'member',
                ),
                'permissions' => array(
                    'user.edit',
                    'user.delete',
                    'user.approve',
                ),
            ),

            'member' => array(
                'permissions' => array(
                    'article.edit',
                    'article.delete',
                    'article.create',

                    'category.edit',
                    'category.delete',
                    'category.create',
                ),
            ),

        ),

    ),

    'unauthorized_strategy' => array(
        'template' => 'error/403'
    ),

),

Simply removing the Guard config takes it back to functioning properly again.

I've registered an UnauthorizedStrategy in my module's onBootstrap method, and when I have used the AuthorizationService and thrown an UnauthorizedException in my service classes the app responds appropriately by giving a 403.

The app is running over localhost using MAMP and is located in a subfolder, i.e. http://localhost/<subfolder>/public/<routes> and I haven't tried running it on a remote development server yet.

I even resorted to manually setting breakpoints in the ZfcRbac source to try and track the issue down with no luck.

bakura10 commented 10 years ago

First: are you using the current stable version (1.0.3) or dev-master (future v2 in a few days)? If you are using stable I urge you to use dev-master, as v1 is conceptually broken.

Let me know which version you use so I can provide better help :)


SteveFortune commented 10 years ago

Thanks!

I'm using dev-master.

bakura10 commented 10 years ago

It's a bit hard to say where the problem comes from. It could come from your identity provider. Did you check if it appropriately returns the right Identity? Does your identity have any roles that you didn't specify in your config (like a "guest" role)? In your case, your guest role is called "public". If no identity is found, ZfcRbac will automatically try to fetch the role called "public" from your provider, but you didn't provide any value for it. This may be an issue.

SteveFortune commented 10 years ago

At the moment my identity provider implements ZfcRbac/Identity/IdentityProviderInterface. It returns a User object from getIdentity that implements ZfcRbac/Identity/IdentityInterface correctly (I've tested this out), or returns null if there is no identity present for the request (i.e. an invalid or no access token).

I got the impression from the comments for ZfcRbac/Identity/IdentityProviderInterface that getIdentity should return null if there was no Identity present. Is that correct?

bakura10 commented 10 years ago

Yes, if you return null, ZfcRbac automatically uses the guest role (which is in your case called "public"). Try to add an empty role with no permissions called "public".
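
The corrected config that the advice above amounts to, as an added example (not code from the issue or from the zfc-rbac project): the guest role the guards fall back to is actually defined in the role provider, and the protection policy is switched to fail closed. The second ControllerGuard rule for read-only actions (index, get) is assumed for illustration; the identity provider class, controller and permission names are the issue's own.

```php
<?php
// Added example, not from the issue or the zfc-rbac project.
// Assumed: the 'index'/'get' actions on the Article controller, and that
// \ZfcRbac\Guard\GuardInterface::POLICY_DENY is available (it is in v2).
return array(
    'zfc_rbac' => array(
        'identity_provider' => 'Application\Rbac\IdentityProvider\OAuth2IdentityProvider',

        // getIdentity() returning null resolves to this role, so it MUST exist
        // in the role provider below; the issue's config never defines it.
        'guest_role' => 'public',

        // Fail closed: a controller/action that matches no guard rule is denied.
        // The issue's config uses POLICY_ALLOW, which lets every unguarded
        // action through, so a forgotten rule becomes an open endpoint.
        'protection_policy' => \ZfcRbac\Guard\GuardInterface::POLICY_DENY,

        'guards' => array(
            'ZfcRbac\Guard\ControllerGuard' => array(
                array(
                    'controller' => 'Application\Controller\Article',
                    'actions'    => array('create', 'update', 'delete'),
                    'roles'      => array('member'),
                ),
                // With POLICY_DENY the read-only actions need an explicit rule
                // too, otherwise anonymous ('public') requests are rejected.
                array(
                    'controller' => 'Application\Controller\Article',
                    'actions'    => array('index', 'get'),   // assumed action names
                    'roles'      => array('public', 'member'),
                ),
            ),
        ),

        'role_provider' => array(
            'ZfcRbac\Role\InMemoryRoleProvider' => array(
                // The guest role: present, but deliberately empty.
                'public' => array(
                    'permissions' => array(),
                ),
                'member' => array(
                    'permissions' => array('article.edit', 'article.delete', 'article.create'),
                ),
                'admin' => array(
                    'children'    => array('member'),
                    'permissions' => array('user.edit', 'user.delete', 'user.approve'),
                ),
            ),
        ),
    ),
);
```

A quick check after changing this: send one request with no token and one with a valid member token to a guarded action, and confirm you get 403 and 200 respectively rather than an empty response.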

SteveFortune commented 10 years ago

Gotcha, will give it a go asap and post the results. Thanks for your help :)

SteveFortune commented 10 years ago

I've tried defining a 'public' role both with and without any permissions and it doesn't make any difference.

bakura10 commented 10 years ago

Mmmhhhh we'll need a bit more code then, it's hard to spot a problem right now.

bakura10 commented 10 years ago

You can also try my OAuth2 module (https://github.com/zf-fr/zfr-oauth2-server-module)

Do you still have this issue?

SteveFortune commented 10 years ago

I haven't had a chance to work on it lately - I just settled for checking user permissions in my model services in the end, as described in the cookbook. That looks like a cool module though.

I'll give it a go over the next week or so and let you know if it makes a difference to the issue with the guards.

I'll also try using guards on a remote dev server to determine whether it's an issue with my local environment.

Thanks for your help!

spiffyjr commented 10 years ago

There's also https://github.com/zfcampus/zf-oauth2 which you can try.

bakura10 commented 10 years ago

This is based on the library he already used :). It's just a wrapper.

I've made a completely new oauth implementation for doctrine ;)


SteveFortune commented 10 years ago

@bakura10, have you tried your OAuth2 library with zfc-rbac?

bakura10 commented 10 years ago

Not yet :).

danizord commented 10 years ago

@SteveFortune still having issues?

SteveFortune commented 10 years ago

@danizord @bakura10, still haven't had a chance to work on it lately. I've actually got a sprint next week over which my job is to implement access control with zfc-rbac so I'll let you know.

Out of interest, has anyone been able to recreate this issue?

danizord commented 10 years ago

I don't

bakura10 commented 10 years ago

Me neither. I'm closing for now. If you still have this issue please reopen the issue :).

SteveFortune commented 10 years ago

OK will do. Thanks for your help!