[2.x] ACL Proof of concept

app/Models/ClientApplication.php

@@ -2,6 +2,7 @@
 
 namespace App\Models;
 
+use App\Models\Traits\ArnDefaultsTrait;
 use Illuminate\Auth\Authenticatable;
 use Illuminate\Contracts\Auth\Access\Authorizable as AuthorizableContract;
 use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
@@ -12,17 +13,20 @@
 use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Foundation\Auth\Access\Authorizable;
 use Laravel\Sanctum\HasApiTokens;
+use RenokiCo\Acl\Concerns\HasPolicies;
+use RenokiCo\Acl\Contracts\RuledByPolicies;
 
 /**
  * @mixin IdeHelperClientApplication
  */
-class ClientApplication extends Model implements AuthorizableContract, AuthenticatableContract
+class ClientApplication extends Model implements AuthorizableContract, AuthenticatableContract, RuledByPolicies
 {
     use HasFactory;
     use HasApiTokens;
     use Authorizable;
     use HasUlidField;
     use Authenticatable;
+    use HasPolicies;
 
     public function getRememberTokenName()
     {
@@ -52,4 +56,14 @@ public function Jobs(): HasMany
     {
         return $this->hasMany(PrintJob::class, 'client_application_id');
     }
+
+    public function resolveArnAccountId()
+    {
+        return $this->Team->ulid;
+    }
+
+    public function resolveArnRegion()
+    {
+        return 'local';
+    }
 }

app/Models/Printer.php

@@ -2,18 +2,28 @@
 
 namespace App\Models;
 
+use App\Models\Traits\ArnDefaultsTrait;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Illuminate\Database\Eloquent\Relations\BelongsToMany;
 use Illuminate\Database\Eloquent\Relations\HasMany;
+use RenokiCo\Acl\Concerns\HasArn;
+use RenokiCo\Acl\Concerns\HasStaticArn;
+use RenokiCo\Acl\Contracts\Arnable;
 
 /**
  * @mixin IdeHelperPrinter
  */
-class Printer extends Model
+class Printer extends Model implements Arnable
 {
+    use HasArn, ArnDefaultsTrait {
+        ArnDefaultsTrait::arnPartition insteadof HasArn;
+        ArnDefaultsTrait::arnService insteadof HasArn;
+        ArnDefaultsTrait::arnRegion insteadof HasArn;
+    }
+
     use HasFactory;
     use HasUlidField;
 
@@ -61,4 +71,14 @@ public function scopeForType(Builder $query, string $type)
                 ->orWhereJsonContains('raw_languages_supported', '*');
         });
     }
+
+    public function arnResourceAccountId()
+    {
+        return $this->Server->Team->ulid;
+    }
+
+    public function arnResourceId()
+    {
+        return $this->ulid;
+    }
 }

app/Models/Traits/ArnDefaultsTrait.php

@@ -0,0 +1,41 @@
+<?php
+
+namespace App\Models\Traits;
+
+trait ArnDefaultsTrait
+{
+    /**
+     * This is the partition used for this application.
+     * It is a good practice to change this between projects.
+     * Can be treated as a namespace, unique for each of your apps.
+     *
+     * @return string|int
+     */
+    public static function arnPartition()
+    {
+        return 'webprint';
+    }
+
+    /**
+     * This is the service used under the application. You can group
+     * multiple regions with accounts and resources under a single service.
+     *
+     * @return string|int
+     */
+    public static function arnService()
+    {
+        return 'server';
+    }
+
+    /**
+     * If your application is globally distributed, change this
+     * field each time to differentiate between services belonging
+     * to other regions.
+     *
+     * @return string|int
+     */
+    public static function arnRegion()
+    {
+        return strtolower(config('app.env'));
+    }
+}

composer.json

@@ -18,6 +18,7 @@
         "league/uri": "^6.8",
         "livewire/livewire": "^2.5",
         "monicahq/laravel-cloudflare": "^3.3",
+        "renoki-co/acl": "^0.4.0",
         "spatie/laravel-settings": "^2.6"
     },
     "require-dev": {

tests/Feature/AclPlaygroundTest.php

@@ -0,0 +1,67 @@
+<?php
+
+namespace Tests\Feature;
+
+use App\Models\ClientApplication;
+use App\Models\Printer;
+use App\Models\PrintServer;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Foundation\Testing\WithFaker;
+use Laravel\Sanctum\Sanctum;
+use RenokiCo\Acl\Acl;
+use RenokiCo\Acl\Statement;
+use Tests\TestCase;
+
+class AclPlaygroundTest extends TestCase
+{
+    use RefreshDatabase;
+
+    /**
+     * A basic feature test example.
+     *
+     * @return void
+     */
+    public function test_example()
+    {
+        /** @var ClientApplication $client */
+        $client = ClientApplication::factory()->create();
+
+        $server = PrintServer::factory()
+            ->recycle($client->Team)
+            ->create();
+
+        $printers = Printer::factory()
+            ->active()
+            ->for($server, 'Server')
+            ->count(3)
+            ->create();
+
+        $policy = Acl::createPolicy([
+            Statement::make(
+                effect: 'Allow',
+                action: 'printer:Print',
+                resource: [
+                    'arn:webprint:server:testing:'.$client->Team->ulid.':printer/*',
+                ],
+            ),
+            Statement::make(
+                effect: 'Deny',
+                action: 'printer:Print',
+                resource: [
+                    'arn:webprint:server:testing:'.$client->Team->ulid.':printer/'.$printers[1]->ulid,
+                ],
+            ),
+        ]);
+
+//        dd(
+//            Printer::resourceIdAgnosticArn($client),
+//            json_encode($policy->toArray(), JSON_PRETTY_PRINT),
+//        );
+
+        $client->loadPolicies($policy);
+
+        $this->assertTrue($client->isAllowedTo('printer:Print', $printers[0]));
+        $this->assertFalse($client->isAllowedTo('printer:Print', $printers[1]));
+        $this->assertTrue($client->isAllowedTo('printer:Print', $printers[2]));
+    }
+}