amtgard / ork-iam
Amtgard ORK IAM
Requires
- php: ^8.3
- ext-json: *
- amtgard/builder-traits: ^2.0
- amtgard/phpunit-extensions: ^1.0
- monolog/monolog: ^3.7
Requires (Dev)
- phake/phake: ^4.5
- phpunit/phpunit: ^11.3
README
IAM Implementation for ORNs
Design
Installation
composer require amtgard/ork-iam
Requirements:
- PHP ^8.3
- ext-json
For local development:
composer install
Introduction
ORK IAM is a policy document system that allows for testing claims
against requirements
. claims
may be bundled into policies
. If any claim in a policy is accepted by the requirement on a given object, then the policy is accepted by the requirement; otherwise, it is rejected.
A claim and a policy are not self-enforcing, in the sense that any validly constructed claim can be compared to a requirement; it is up to the system making the comparison to validate that the given claim originated from a trusted source.
A typical method of doing this would be a cryptographic signature of the policy from the trusted source, or a cryptographic signature of an envelope containing the policy, such as embedding the policy in a JWT.
Usage
Basic example showing how to parse an ORN into a Claim, define a Requirement, and evaluate it. Also shows simple Resource
usage.
Single Claim
<?php require __DIR__ . '/vendor/autoload.php'; use Amtgard\IAM\ClaimFactory; use Amtgard\IAM\ORN\Definitions\AttendanceRequirement; use Amtgard\IAM\ORN\Definitions\AttendanceClaim; use Amtgard\IAM\OrkService; use Amtgard\IAM\Resource; // Create a Claim instance from an ORN string $claim = ClaimFactory::createOrn('Attendance:*::::::ORK/AddAttendance'); // => AttendanceClaim // Define a Requirement for Attendance on the same ORN pattern $requirement = new AttendanceRequirement(OrkService::Attendance, 'Attendance:1:2:3:4:5:6:ORK/AddAttendance'); // Evaluate permission if ($requirement->allows($claim)) { // The claim satisfies the requirement }
Policy
$claim1 = new OrkClaim(OrkService::ORK, "ORK:1:::::*"); $claim2 = new OrkClaim(OrkService::ORK, "ORK:2:::::*"); $claim3 = new OrkClaim(OrkService::ORK, "ORK::3::::*"); $claim4 = new OrkClaim(OrkService::ORK, "ORK:::::4:*"); $policy = new Policy([$claim1, $claim2, $claim3, $claim4]); $requirement = new OrkRequirement(OrkService::ORK, "ORK:1:7:8:9:10:ORK/AddKingdom"); if ($policy->grants($requirement)) { // Policy satisfies the requirement }
Supported Services
The following services are supported (from src/OrkService.php
):
ORK Services
- ORK
- Configuration
- Mundane
- Attendance
- Kingdom
- Park
- Unit
- Game
- Event
- EventInstance
- Awards
- Audit
- Cache
- Tenant
- Officer
- Recommendations
- Tournament
Planned Applications
- Idp
- Documents
- Forums
- Media
- Errata
Testing
Run the test suite:
vendor/bin/phpunit