CakeDC Blog

TIPS, INSIGHTS AND THE LATEST FROM THE EXPERTS BEHIND CAKEPHP

Building an RBAC based application in CakePHP (1/2)

This is the first post of a small series covering how to setup, organize and implement an RBAC based authorization system in CakePHP using the CakeDC/Auth Plugin. We'll cover the basic concepts, setup and implementation of the basic permission rules in part 1.

What does RBAC mean in this context?

We'll use RBAC as "Role Base Access Control", meaning your app will be using the following concepts to define who can access what:

  • "Who" is an existing user, mainly identified as his role in the system, such as an "admin" or "writer", etc.
  • "What" is a specific action in your application, identified as the associated routing params, for example ['controller' => 'Posts', 'action' => 'add'].
  • A permission in this context would be a link between who, and what.

Why not ACL?

ACL is a really good choice when your answer is 'yes' to any of the following questions:

  • Do we need to let users create new roles on the fly?
  • Do we need the roles to inherit permissions (tree structure)?
  • Do we need to assign permissions NOT based on controller actions? For example CRUD based permissions, checked on the model layer for each operation on a given row.

If your answer is yes, you should consider using cakephp/acl. It provides a very powerful, reliable and flexible way to configure your permissions, but with greater power comes a bigger maintenance burden, that is keeping the acl data in your tables. Specially if you have several environments to maintain, you'll need to write migrations to populate your acl tables, then create import/export scripts and utilities to reproduce permission issues from live environments, and so on. Not an impossible task, but could increase the complexity of your project in a significant way...

Setting up CakeDC/Auth

There are other plugins you could use, but this one will cover everything you'll need, so let's go.

CakeDC/Auth usually comes installed from within CakeDC/Users (a complete solution covering many more features) but today we'll set it up alone.

composer require cakedc/auth

bin/cake plugin load CakeDC/Auth

And last, but not least, add the RBAC Auth to the list of Authorize objects. Here is a working configuration based on the blog tutorial.

We'll be using the blog tutorial described in the book as an example application Change AppController.php Auth related configuration to:

$this->loadComponent('Auth', [
    'authorize' => ['CakeDC/Auth.SimpleRbac'],
    'loginRedirect' => [
        'controller' => 'Articles',
        'action' => 'index'
    ],
    'logoutRedirect' => [
        'controller' => 'Pages',
        'action' => 'display',
        'home'
    ]
]);

With this change, we'll be using only the rules defined in config/permissions.php file. If this file is not present, default permissions will be in place. Default permissions will grant access to admin role to all actions. To override permissions, you can copy the default permissions to your project and fix the rules:

cp vendor/cakedc/auth/config/permissions.php config/

Then edit this file and check the provided examples and defaults.

Using CakeDC/Auth

The core of the RBAC system is the ability to define permission rules that will match one given role with the actions granted. Rules are defined in an array, but you can extend the AbstractProvider class to retrieve the rules from somewhere else (database?). By default, nothing will be granted. Rules are evaluated top to bottom. The first rule matched will stop the evaluation, and the authentication result will be provided by the value of the allowed key. Note we can use a callback to implement complex rules, or encapsulate the rules into classes that we could reuse across projects, like the Owner rule class provided.

This is an example rule

[
    'role' => '*',
    'plugin' => 'CakeDC/Users',
    'controller' => 'Users',
    'action' => ['profile', 'logout'],
],

We could read this rule as follows: "For any role, we grant access to actions 'profile' and 'logout' in the Users controller in plugin CakeDC/Users". Note default allowed value is true, we can use an array, or a string to determine the role, plugin, controller and action. We can also use * in the value to match anything or use * at the start of the key to match anything but the values, for example

'*controller' => 'Users',

would match all the controllers but 'Users'.

Simple Rules

As our first objective, we are going to grant access to all the index and view pages, using the rule

[
    'role' => '*',
    'controller' => '*',
    'action' => ['index', 'view'],
],

Stay tuned for the second post, where we'll deal with complex rules, rule classes and implementation tips for complex applications...

Latest articles

CakeFest 2019 Recap

Here we are, a couple weeks out of CakeFest 2019. What an experience in Japan!  We didn’t really know what to expect when we decided to finally make the trip to host in Tokyo. We were given great welcoming from the PHP community, and each person we met left us with wonderful memories. Another welcoming surprise was the low price of food, and delicious ramen. Our team definitely utilized all of the free time we had.            Let’s talk about the event, and the workshops. Jorge Gonzalez, Jose Rodriquez, and Mark Story definitely delivered in the knowledge department. The participation was fantastic, although the class size was smaller than in other years. We’ve had a lot of requests for their slides, so those are included in the link below ⬇️ One thing that was different this year, is that we had different venues for the workshops and conference. This makes it difficult for the team, with transferring our equipment in such a busy city (shout out to the quick responding taxi services).  We did try the metro when we had less baggage, and got up close and personal with the locals. Speaking of venues, we cannot thank DMM.com and SmartNews enough. We are still dreaming of an office like DMM’s with live plants growing up the walls and a complete installed watering system.  These venues were overly accommodating, making this one of the best conferences we’ve had.          If you are a PHPer or specifically working with CakePHP, the speakers topics were overflowing with useful information. Like Yuki Kanazawa’s tips for a smooth upgrade to CakePHP 3, or Tadahisa Motooka’s ideas about database replication. Kazuki Higashiguchi helped talk us through painful testing of code, and Sho Ito walked us through an initial OSS with CakePHP. We had such a great lineup this year, and we cannot wait to have some speakers return. Other great talks included David Yell, Daniel Voyce, Jose Gonzalez, and Wim Godden, and superstar core members Mark Story and Jose Rodriguez.  We even had to be confronted with details about life after CakePHP (GASP!) from Andrej Griniuk.    Unfortunately, no event can be executed without some roadblocks, and we aren’t exempt. We had a couple late cancellations (understandable) from speakers, but definitely made up the time with chats and lightning talks. There was so much information exerted during the short 2 days, that we all probably needed and extra day to take notes. Luckily, we did that for you. All of the slides included during CakeFest are available at the link below as well.    So, would we come back and host in Japan again? YES! We hope to do so sooner rather than later. Are there some things we will change on our end? Yes, again.  We hoped for higher numbers for workshops, as the information given is invaluable. We hope that in the future, all conference attendees will take advantage of those sessions as well. You can stay up to date with all things CakeFest at CakeFest.org - we are actually working on adding a history feature to reference past events.      We could not have done all of this without the amazing sponsors we had this year:    Cake Development Corporation  Shizen Energy  Base  Lancers  DMM JetBrains ConneHito  Marks Software SmartNews  ESM   Follow our speakers on Twitter:   Yuki Kanazawa - @yakitori009  Mark Story - @mark_story Jose Rodriguez - @jose_zap Jorge Gonzalez - @steinkelz Tadahisa Motooka - @t_motooka Kazuki Higashiguchi -  @hgsgtk Sho Ito - @itosho David Yell - @Yelldavid Daniel Voyce - @voycey_web Jose Gonzalez - @savant Wim Godden - @wimgtr Andrej Griniuk - @andrej_gr   CLICK HERE to view the CakeFest 2019 workshop and speaker slides.   Now, we want to hear from you! If you attended, what did you think about CakeFest Japan? What did you enjoy the most/least? If you did not attend: what has held you back from joining us? Let us know - email: community@cakephp.org.

How To: CakePHP, CakeDC Users and Amazon Cognito

Long time ago, in 2010, CakeDC Users plugin for CakePHP was released for CakePHP 1.3. Almost nine years has passed and the initial code has changed dramatically, offering new and exciting features. In 2011 the team released the first version to be compatible with the new CakePHP 2.0. At this moment we focused in keeping the same features and only adding support for the new version of the framework. When CakePHP 3.0 arrived in 2015 we decided to refactor Users plugin completely, making it easier to use but also adding terrific features out of the box like:

  • Social login with most popular providers
  • RBAC permissions
  • Superuser
  • And much more..
It continued evolving and today we will show how to use the latest provider we have added to the social login feature in the plugin, Amazon Cognito. Let’s talk first about it. We'll use Amazon Cognito basically as an Oauth 2.0 Server. It'll let you manage your user groups and users. It provides a simple interface to sign up, sign-in and also use many social providers like Facebook, Google and Amazon. It also allows using SAML 2.0 providers and they promise it may scale to millions of users. You can also fully customize form and buttons. Best of all, it is free for the first 50,000 logins. Let's start configuring Amazon Cognito in AWS Panel. We must first create a user pool. You could have different user pools and each of them having an exclusive set of features.     Now we need to customize our new pool adding a pool name, etc. We can use default settings for testing purposes. If you want to customize fields you should then go through steps.     Once we check everything is okay we can click on Create Pool.     Now, it's time to setup App Clients. If you are familiar with OAuth and another services it is like creating a Facebook or Twitter App.     And then click on Add an app client.  Just add a name and save.   Remember to write down your client ID and client secret because they will be needed later to configure Users plugin. The next step is to setup app client settings. We need to configure:
  • Callback url: set it to /auth/cognito if you want to use plugin defaults.
  • The flow to Authorization code grant and the scopes you must select at least email and openid. You can select profile in case you want to get all the user information from cognito.
      Finally we need to configure a domain name for the user pool. Use a custom domain or a subdomain from Cognito.     Now that we are ready with Cognito setup, let’s easily create a new CakePHP app, to connect with Amazon Cognito. First, we need a new CakePHP app: composer create-project --prefer-dist cakephp/app users-app Remember to create a new empty database. Now we can go to users-app folder and run: composer require cakedc/users After CakeDC Users plugin is installed, we need to install Oauth 2 Cognito provider package: composer require cakedc/oauth2-cognito CakeDC Users plugin configuration is pretty easy: $this->addPlugin('CakeDC/Users'); public function pluginBootstrap() { parent::pluginBootstrap(); Configure::load('users'); } return [ 'Users.Social.login' =--> true, 'OAuth.providers.cognito.options.clientId' => 'CLIENT_ID', 'OAuth.providers.cognito.options.clientSecret' => 'CLIENT_SECRET', 'OAuth.providers.cognito.options.cognitoDomain' => 'DOMAIN', 'OAuth.providers.cognito.options.region' => 'REGION', ];
  • Load the Users Plugin bin/cake plugin load CakeDC/Users
  • If you prefer to do this manually, add this line at the end of your src/Application.php bootstrap() method
  • Add the following line into AppController::initialize() method $this->loadComponent('CakeDC/Users.UsersAuth');
  • Add the following code to your src/Application.php pluginBootstrap() method to ensure we override the plugin defaults
  • Add the file config/users.php with your specific configuration, including
In case you used a custom domain for you user pool, you can replace cognitoDomain option by using hostedDomain option (including protocol): 'OAuth.providers.cognito.options.hostedDomain' => 'YOUR DOMAIN', Scope option defaults to email openid . If you selected another scopes, you may want to add them as well: 'OAuth.providers.cognito.options.scope' => 'email openid profile', Finally we just need to go to /login.     and click on Sign in with Cognito. If everything is setup correctly you should see the following screen:   You can previously create a user in AWS panel or just click signup on that screen. After login you will be redirected to homepage in CakePHP App. As you can see, the setup for both Cognito and App are simple if you use default settings. However after testing defaults, you can start customizing forms, fields, adding third party apps. You have no limits.  

Last words

We create and maintain many open source plugins as well as contribute to the CakePHP Community as part of our open source work in CakeDC. While developing this provider, we've also published a generic Oauth2 Amazon Cognito repository. Reference  

Boost CakePHP using RoadRunner Plugin

https://github.com/CakeDC/cakephp-roadrunner was just released! Some time ago we developed a bridge for the PHP Process Manager, and now we've integrated with another alternative, a fast, go based, PHP application server (see https://github.com/spiral/roadrunner) Using this approach, and configuring nginx + roadrunner + cakephp, we're getting ~1500 requests per second for a typical index operation (including database access), and over 2200 (!) requests per second using a cached resultset. Here's what you need to do:

  • composer require cakedc/cakephp-roadrunner
  • Download roadrunner binary and place the file in your filesystem, for example under /usr/local/bin/rr
  • Create a RoadRunner worker file, or use the example worker provided
cp vendor/cakedc/cakephp-roadrunner/worker/cakephp-worker.php . cp vendor/cakedc/cakephp-roadrunner/worker/.rr.json . Note the configuration is stored in .rr.json file, check all possible keys here https://github.com/spiral/roadrunner/wiki/Configuration
  • Start the server, either using your own configuration or the sample configuration provided in the plugin
/usr/local/bin/rr serve   Check plugin details here > https://github.com/CakeDC/cakephp-roadrunner

Last words

Please let us know if you use it, we are always improving our plugins - And happy to get issues and pull requests for our open source plugins. As part of our open source work in CakeDC, we maintain many open source plugins as well as contribute to the CakePHP Community.

We Bake with CakePHP