134 lines
5.1 KiB
PHP
134 lines
5.1 KiB
PHP
<?php
|
|
|
|
namespace MintyPHP\Service\Access;
|
|
|
|
use MintyPHP\App\Module\ModuleRegistry;
|
|
use MintyPHP\Service\Tenant\TenantScopeService;
|
|
|
|
class AccessPolicyFactory
|
|
{
|
|
private ?UserAuthorizationPolicy $userAuthorizationPolicy = null;
|
|
private ?RoleAuthorizationPolicy $roleAuthorizationPolicy = null;
|
|
private ?PermissionAuthorizationPolicy $permissionAuthorizationPolicy = null;
|
|
private ?OperationsAuthorizationPolicy $operationsAuthorizationPolicy = null;
|
|
private ?SettingsAuthorizationPolicy $settingsAuthorizationPolicy = null;
|
|
private ?TenantAuthorizationPolicy $tenantAuthorizationPolicy = null;
|
|
private ?DepartmentAuthorizationPolicy $departmentAuthorizationPolicy = null;
|
|
private ?AuthorizationService $authorizationService = null;
|
|
|
|
public function __construct(
|
|
private readonly PermissionService $permissionService,
|
|
private readonly TenantScopeService $tenantScopeService,
|
|
private readonly ?ModuleRegistry $moduleRegistry = null
|
|
) {
|
|
}
|
|
|
|
public function createUserAuthorizationPolicy(): UserAuthorizationPolicy
|
|
{
|
|
return $this->userAuthorizationPolicy ??= new UserAuthorizationPolicy(
|
|
$this->permissionService,
|
|
$this->tenantScopeService
|
|
);
|
|
}
|
|
|
|
public function createRoleAuthorizationPolicy(): RoleAuthorizationPolicy
|
|
{
|
|
return $this->roleAuthorizationPolicy ??= new RoleAuthorizationPolicy($this->permissionService);
|
|
}
|
|
|
|
public function createPermissionAuthorizationPolicy(): PermissionAuthorizationPolicy
|
|
{
|
|
return $this->permissionAuthorizationPolicy ??= new PermissionAuthorizationPolicy($this->permissionService);
|
|
}
|
|
|
|
public function createOperationsAuthorizationPolicy(): OperationsAuthorizationPolicy
|
|
{
|
|
return $this->operationsAuthorizationPolicy ??= new OperationsAuthorizationPolicy($this->permissionService);
|
|
}
|
|
|
|
public function createSettingsAuthorizationPolicy(): SettingsAuthorizationPolicy
|
|
{
|
|
return $this->settingsAuthorizationPolicy ??= new SettingsAuthorizationPolicy($this->permissionService);
|
|
}
|
|
|
|
public function createTenantAuthorizationPolicy(): TenantAuthorizationPolicy
|
|
{
|
|
return $this->tenantAuthorizationPolicy ??= new TenantAuthorizationPolicy(
|
|
$this->permissionService,
|
|
$this->tenantScopeService
|
|
);
|
|
}
|
|
|
|
public function createDepartmentAuthorizationPolicy(): DepartmentAuthorizationPolicy
|
|
{
|
|
return $this->departmentAuthorizationPolicy ??= new DepartmentAuthorizationPolicy(
|
|
$this->permissionService,
|
|
$this->tenantScopeService
|
|
);
|
|
}
|
|
|
|
// Assembles all policies into a single AuthorizationService.
|
|
// Core policies are registered first; module-contributed policies are appended.
|
|
// Each ability maps to exactly one policy via supports() — first match wins.
|
|
public function createAuthorizationService(): AuthorizationService
|
|
{
|
|
if ($this->authorizationService !== null) {
|
|
return $this->authorizationService;
|
|
}
|
|
|
|
$policies = [
|
|
$this->createUserAuthorizationPolicy(),
|
|
$this->createRoleAuthorizationPolicy(),
|
|
$this->createPermissionAuthorizationPolicy(),
|
|
$this->createOperationsAuthorizationPolicy(),
|
|
$this->createSettingsAuthorizationPolicy(),
|
|
$this->createTenantAuthorizationPolicy(),
|
|
$this->createDepartmentAuthorizationPolicy(),
|
|
];
|
|
|
|
// Append module-contributed authorization policies.
|
|
if ($this->moduleRegistry !== null) {
|
|
try {
|
|
foreach ($this->moduleRegistry->getAuthorizationPolicies() as $policyClass) {
|
|
if (!is_string($policyClass) || trim($policyClass) === '') {
|
|
continue;
|
|
}
|
|
$policy = $this->instantiateModulePolicy($policyClass);
|
|
if ($policy instanceof AuthorizationPolicyInterface) {
|
|
$policies[] = $policy;
|
|
}
|
|
}
|
|
} catch (\Throwable) {
|
|
// fail-open: no module registry available in this context
|
|
}
|
|
}
|
|
|
|
return $this->authorizationService = new AuthorizationService($policies);
|
|
}
|
|
|
|
private function instantiateModulePolicy(string $policyClass): ?AuthorizationPolicyInterface
|
|
{
|
|
if (!class_exists($policyClass)) {
|
|
return null;
|
|
}
|
|
|
|
try {
|
|
$reflection = new \ReflectionClass($policyClass);
|
|
$constructor = $reflection->getConstructor();
|
|
if ($constructor === null || $constructor->getNumberOfRequiredParameters() === 0) {
|
|
$instance = $reflection->newInstance();
|
|
return $instance instanceof AuthorizationPolicyInterface ? $instance : null;
|
|
}
|
|
|
|
if ($constructor->getNumberOfRequiredParameters() === 1) {
|
|
$instance = $reflection->newInstance($this->permissionService);
|
|
return $instance instanceof AuthorizationPolicyInterface ? $instance : null;
|
|
}
|
|
} catch (\Throwable) {
|
|
return null;
|
|
}
|
|
|
|
return null;
|
|
}
|
|
}
|