Symfony cumulative ACL isGranted

The default use of Access Control Lists in symfony can be a little awkward. That's because the $securityContext isGranted method performs a cumulative permissions check, while the typical implementations of ACL component isGranted perform a different kind of check. Here is what I mean, let's start with a simple security token.

$em = $this->getContainer()->get('doctrine')->getManager();
$aclManager = $this->getContainer()->get('myapp_user.acl_manager');

 $repository = $em->getRepository('MyAppUserBundle:User');
$user = $repository->find(1);

 $output->writeln(sprintf("user:%d %s", $user->getId(), $user->getUsername() ) );
$token = new UsernamePasswordToken($user, $user->getPassword(), "firewallname", $user->getRoles());
$securityContext = $this->getContainer()->get('security.token_storage');
$authorizationChecker = $this->getContainer()->get('security.authorization_checker'); 
$securityContext->setToken($token);

Then let's print off an ACL record for an example object 

$aclManager = $this->getContainer()->get('myapp_user.acl_manager');
$repository = $em->getRepository('MyAppCoreBundle:Comment');
$entity = $repository->find(1);
$acl = $aclManager->getAcl($entity);

foreach ( $acl->getObjectAces() as $ace ) {
    $output->writeln(sprintf("%s %s\n", $ace->getSecurityIdentity(), $ace->getMask()););
}

We get a fairly straightforward 

RoleSecurityIdentity(ROLE_GROUP_1) 1
RoleSecurityIdentity(ROLE_GROUP_OWNER_1) 128
UserSecurityIdentity(test@labstep.com, LabStep\UserBundle\Entity\User) 128

There is a single user, who has owner permissions over the comment object. There is also some group (GROUP_1), its users can view (1) and its owners can own (128) the comment. Let's confirm that...


$output->writeln((false === $authorizationChecker->isGranted("VIEW", $entity) ? "not granted": "granted"));
$output->writeln((false === $authorizationChecker->isGranted("OWNER", $entity) ? "not granted": "granted"));
granted
granted

Ok, awesome – the user has OWNER (128) permission – so both OWNER and VIEW are granted: duh, of course an owner can view what they own.

Let's use some standard isGranted implementation to check the roles, like the one from here

$securityIdentity = new RoleSecurityIdentity(sprintf("ROLE_GROUP_OWNER_%d", 1));
$output->writeln((false === $aclManager->isGranted("VIEW", $entity, $securityIdentity) ? "not granted": "granted" ));
$output->writeln((false === $aclManager->isGranted("OWNER", $entity, $securityIdentity) ? "not granted": "granted" ));
not granted
granted

The ROLE_GROUP_OWNER_1 is OWNER of this entity but is not granted to VIEW this entity? WTF? Clearly this check is not cumulative – being an owner doesn't equate being able to view the entity. This is very confusing but is nonetheless correct. So what does the authorization checker do under the hood, to provide a different behavior to the $aclManager? 

Well the following file
vendor//symfony/symfony/src/Symfony/Component/Security/Acl/Permission/BasicPermissionMap.php
Provides a mapping that basically means that an owner permission will be transformed into a mask that includes all the masks below OWNER in hierarchy. 

Here is an alternative example of isGranted that gives a more intuitive behavior to the commonly found example

use Symfony\Component\Security\Acl\Permission\BasicPermissionMap; 
 
public function isGranted($mask, $object, $securityIdentities)  {
    $objectIdentity = ObjectIdentity::fromDomainObject($object);
    if (!is_array($securityIdentities)) {
        $securityIdentities = array($securityIdentities);
    }
    // Find all the ACL records
    try {
        $acl = $this->provider->findAcl($objectIdentity, $securityIdentities);
    } catch (AclNotFoundException $e) {
        return false;
    }

    if (!is_int($mask)) {
        $permissionMap = new BasicPermissionMap();
        $masks = $permissionMap->getMasks($mask, null);
    }
    else {
        $masks = arary($mask);
    }

    // Perform the check
    try {
        return $acl->isGranted($masks, $securityIdentities, false);
    } catch (NoAceFoundException $e) {
        return false;
    }
}


Edits: the title was changed - it wasn't really descriptive of the post. Added a missing 'use' statement for the BasicPermissionMap

Comments

Post a Comment

Popular posts from this blog

React.js – edit and delete comments in CommentBox

It appears customary for high-intelligence, high-skills groups of engineers to "roll their own" whenever they have a chance to. Counter-intuitively to most managerial/MBA types out there, re-inventing the wheel can give you... a better wheel. Success is not guaranteed though – but these people may leave sooner rather than later if you don't let them... Having looked at number of JS frameworks (ember, backbone, angular) there was no clear winner. They were all a mess, at least to me. So I approached React.js with no hopes – how much better could it possible be? It turns out, a lot! This post will be an extension of the official React.js tutorial . The tutorial stops at the stage where you can add comments to a dynamic lists, that will grow as you add comments. This falls short of the functionality displayed on facebook: once you add a comment you can edit or delete it, so that's what're going to do. Full disclosure, I only started using React this weekendo so m...
Read more

Example slurm cluster on your laptop (multiple VMs via vagrant)

To anybody who's considering a switch to modern queuing systems, like slurm, this will be an useful guide. Rather than doing a roll out on production nodes, we'll try things out in vagrant. This text assumes you have vagrant installed on your local machine (it's very easy). The ultimate aim will be to setup 2 servers (worker nodes) and one master/controller, and run a simple job on them. There are multiple great guides out there: most of them are out of date, and won't work without some tweaking on Ubuntu 16.04 Xenial. The entirety of the code is hosted at https://github.com/jandom/gromacs-slurm-openmpi-vagrant The README.md file will show you how to set it up, with checks on every step. References https://mussolblog.wordpress.com/2013/07/17/setting-up-a-testing-slurm-cluster/ https://github.com/gabrieleiannetti/slurm_cluster_wiki/wiki/Installing-a-Slurm-Cluster http://philipwfowler.me/2016/04/14/how-to-setup-a-gramble/ https://github.com/dakl/slurm-clus...
Read more

Wrapping openbabel in python - using cython

The previous post showed a contrived example of how one could access the openbabel functionality in python using the boost libraries. There is alternative to boost to wrap around c/c++ code, it's called cython. Here is an example openbabel wrapper, exposing some very simple functionality. Just before diving in, you should know that there already exists a wrapper around openbabel in python (it is called pybel). What I'm showing here doesn't even come close to pybel in terms of usefulness, the idea here is to show a demo of how easy wrapping things in python is. #! /usr/bin/python from ez_setup import use_setuptools use_setuptools() from setuptools import setup, Extension, find_packages from Cython.Distutils import build_ext import sys, os import glob import subprocess as sub def get_include(name="openbabel"): p = sub.Popen('locate %s' % name ,stdout=sub.PIPE,stderr=sub.PIPE, shell=True) output, errors = p.communicate() ...
Read more