From 6a885a19ef798e68a7fe053be9e1029313e8a1b1 Mon Sep 17 00:00:00 2001
From: Krystian Duma <git@krystian.duma.sh>
Date: Thu, 22 Dec 2022 00:43:51 +0100
Subject: [PATCH] ACL Proof of concept

---
 app/Models/ClientApplication.php       | 16 +++++-
 app/Models/Printer.php                 | 22 ++++++++-
 app/Models/Traits/ArnDefaultsTrait.php | 41 ++++++++++++++++
 composer.json                          |  1 +
 composer.lock                          | 67 +++++++++++++++++++++++++-
 tests/Feature/AclPlaygroundTest.php    | 67 ++++++++++++++++++++++++++
 6 files changed, 211 insertions(+), 3 deletions(-)
 create mode 100644 app/Models/Traits/ArnDefaultsTrait.php
 create mode 100755 tests/Feature/AclPlaygroundTest.php

diff --git a/app/Models/ClientApplication.php b/app/Models/ClientApplication.php
index 9600190..66e8f4c 100644
--- a/app/Models/ClientApplication.php
+++ b/app/Models/ClientApplication.php
@@ -2,6 +2,7 @@
 
 namespace App\Models;
 
+use App\Models\Traits\ArnDefaultsTrait;
 use Illuminate\Auth\Authenticatable;
 use Illuminate\Contracts\Auth\Access\Authorizable as AuthorizableContract;
 use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
@@ -12,17 +13,20 @@
 use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Foundation\Auth\Access\Authorizable;
 use Laravel\Sanctum\HasApiTokens;
+use RenokiCo\Acl\Concerns\HasPolicies;
+use RenokiCo\Acl\Contracts\RuledByPolicies;
 
 /**
  * @mixin IdeHelperClientApplication
  */
-class ClientApplication extends Model implements AuthorizableContract, AuthenticatableContract
+class ClientApplication extends Model implements AuthorizableContract, AuthenticatableContract, RuledByPolicies
 {
     use HasFactory;
     use HasApiTokens;
     use Authorizable;
     use HasUlidField;
     use Authenticatable;
+    use HasPolicies;
 
     public function getRememberTokenName()
     {
@@ -52,4 +56,14 @@ public function Jobs(): HasMany
     {
         return $this->hasMany(PrintJob::class, 'client_application_id');
     }
+
+    public function resolveArnAccountId()
+    {
+        return $this->Team->ulid;
+    }
+
+    public function resolveArnRegion()
+    {
+        return 'local';
+    }
 }
diff --git a/app/Models/Printer.php b/app/Models/Printer.php
index 8334bbb..fef8750 100644
--- a/app/Models/Printer.php
+++ b/app/Models/Printer.php
@@ -2,18 +2,28 @@
 
 namespace App\Models;
 
+use App\Models\Traits\ArnDefaultsTrait;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Illuminate\Database\Eloquent\Relations\BelongsToMany;
 use Illuminate\Database\Eloquent\Relations\HasMany;
+use RenokiCo\Acl\Concerns\HasArn;
+use RenokiCo\Acl\Concerns\HasStaticArn;
+use RenokiCo\Acl\Contracts\Arnable;
 
 /**
  * @mixin IdeHelperPrinter
  */
-class Printer extends Model
+class Printer extends Model implements Arnable
 {
+    use HasArn, ArnDefaultsTrait {
+        ArnDefaultsTrait::arnPartition insteadof HasArn;
+        ArnDefaultsTrait::arnService insteadof HasArn;
+        ArnDefaultsTrait::arnRegion insteadof HasArn;
+    }
+
     use HasFactory;
     use HasUlidField;
 
@@ -61,4 +71,14 @@ public function scopeForType(Builder $query, string $type)
                 ->orWhereJsonContains('raw_languages_supported', '*');
         });
     }
+
+    public function arnResourceAccountId()
+    {
+        return $this->Server->Team->ulid;
+    }
+
+    public function arnResourceId()
+    {
+        return $this->ulid;
+    }
 }
diff --git a/app/Models/Traits/ArnDefaultsTrait.php b/app/Models/Traits/ArnDefaultsTrait.php
new file mode 100644
index 0000000..15b59bb
--- /dev/null
+++ b/app/Models/Traits/ArnDefaultsTrait.php
@@ -0,0 +1,41 @@
+<?php
+
+namespace App\Models\Traits;
+
+trait ArnDefaultsTrait
+{
+    /**
+     * This is the partition used for this application.
+     * It is a good practice to change this between projects.
+     * Can be treated as a namespace, unique for each of your apps.
+     *
+     * @return string|int
+     */
+    public static function arnPartition()
+    {
+        return 'webprint';
+    }
+
+    /**
+     * This is the service used under the application. You can group
+     * multiple regions with accounts and resources under a single service.
+     *
+     * @return string|int
+     */
+    public static function arnService()
+    {
+        return 'server';
+    }
+
+    /**
+     * If your application is globally distributed, change this
+     * field each time to differentiate between services belonging
+     * to other regions.
+     *
+     * @return string|int
+     */
+    public static function arnRegion()
+    {
+        return strtolower(config('app.env'));
+    }
+}
diff --git a/composer.json b/composer.json
index 74949b8..a5d1231 100755
--- a/composer.json
+++ b/composer.json
@@ -18,6 +18,7 @@
         "league/uri": "^6.8",
         "livewire/livewire": "^2.5",
         "monicahq/laravel-cloudflare": "^3.3",
+        "renoki-co/acl": "^0.4.0",
         "spatie/laravel-settings": "^2.6"
     },
     "require-dev": {
diff --git a/composer.lock b/composer.lock
index ee6daaf..7ae8244 100755
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "edb0145dd1f046d5516ccb6b8fd4bded",
+    "content-hash": "c3f77d68a1fe62a05f5cfb9dd31da5f0",
     "packages": [
         {
             "name": "aeon-php/calendar",
@@ -4301,6 +4301,71 @@
             ],
             "time": "2022-11-05T23:03:38+00:00"
         },
+        {
+            "name": "renoki-co/acl",
+            "version": "0.4.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/renoki-co/acl.git",
+                "reference": "8fa065dc23b6913860535feaa315f054a3a5fbc8"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/renoki-co/acl/zipball/8fa065dc23b6913860535feaa315f054a3a5fbc8",
+                "reference": "8fa065dc23b6913860535feaa315f054a3a5fbc8",
+                "shasum": ""
+            },
+            "require": {
+                "illuminate/support": "^9.35",
+                "php": "^8.0"
+            },
+            "require-dev": {
+                "orchestra/testbench": "^7.14",
+                "orchestra/testbench-core": "^7.14",
+                "phpunit/phpunit": "^9.5.21",
+                "vimeo/psalm": "4.24.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "RenokiCo\\Acl\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "Apache-2.0"
+            ],
+            "authors": [
+                {
+                    "name": "Alex Renoki",
+                    "homepage": "https://github.com/rennokki",
+                    "role": "Developer"
+                }
+            ],
+            "description": "Simple, JSON-based, AWS IAM-style ACL for PHP applications, leveraging granular permissions in your applications with strong declarations.",
+            "homepage": "https://github.com/renoki-co/acl",
+            "keywords": [
+                "access",
+                "acl",
+                "arn",
+                "aws",
+                "control",
+                "iam",
+                "permissions",
+                "php"
+            ],
+            "support": {
+                "issues": "https://github.com/renoki-co/acl/issues",
+                "source": "https://github.com/renoki-co/acl/tree/0.4.0"
+            },
+            "funding": [
+                {
+                    "url": "https://github.com/rennokki",
+                    "type": "github"
+                }
+            ],
+            "time": "2022-12-16T07:20:14+00:00"
+        },
         {
             "name": "spatie/laravel-settings",
             "version": "2.6.0",
diff --git a/tests/Feature/AclPlaygroundTest.php b/tests/Feature/AclPlaygroundTest.php
new file mode 100755
index 0000000..75f872b
--- /dev/null
+++ b/tests/Feature/AclPlaygroundTest.php
@@ -0,0 +1,67 @@
+<?php
+
+namespace Tests\Feature;
+
+use App\Models\ClientApplication;
+use App\Models\Printer;
+use App\Models\PrintServer;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Foundation\Testing\WithFaker;
+use Laravel\Sanctum\Sanctum;
+use RenokiCo\Acl\Acl;
+use RenokiCo\Acl\Statement;
+use Tests\TestCase;
+
+class AclPlaygroundTest extends TestCase
+{
+    use RefreshDatabase;
+
+    /**
+     * A basic feature test example.
+     *
+     * @return void
+     */
+    public function test_example()
+    {
+        /** @var ClientApplication $client */
+        $client = ClientApplication::factory()->create();
+
+        $server = PrintServer::factory()
+            ->recycle($client->Team)
+            ->create();
+
+        $printers = Printer::factory()
+            ->active()
+            ->for($server, 'Server')
+            ->count(3)
+            ->create();
+
+        $policy = Acl::createPolicy([
+            Statement::make(
+                effect: 'Allow',
+                action: 'printer:Print',
+                resource: [
+                    'arn:webprint:server:testing:'.$client->Team->ulid.':printer/*',
+                ],
+            ),
+            Statement::make(
+                effect: 'Deny',
+                action: 'printer:Print',
+                resource: [
+                    'arn:webprint:server:testing:'.$client->Team->ulid.':printer/'.$printers[1]->ulid,
+                ],
+            ),
+        ]);
+
+//        dd(
+//            Printer::resourceIdAgnosticArn($client),
+//            json_encode($policy->toArray(), JSON_PRETTY_PRINT),
+//        );
+
+        $client->loadPolicies($policy);
+
+        $this->assertTrue($client->isAllowedTo('printer:Print', $printers[0]));
+        $this->assertFalse($client->isAllowedTo('printer:Print', $printers[1]));
+        $this->assertTrue($client->isAllowedTo('printer:Print', $printers[2]));
+    }
+}