Add authorization handlers

Author: mevdschee

README.md

@@ -549,6 +549,22 @@ For spatial support there is an extra set of filters that can be applied on geom
 
 These filters are based on OGC standards and so is the WKT specification in which the geometry columns are represented.
 
+### Authorizing tables and columns
+
+By default all tables are reflected. If you want to hide some tables you may add the 'authorization' middleware and define a 'authorization.tableHandler' function that returns 'false' for hidden tables.
+
+    'authorization.tableHandler' => function ($method, $path, $databaseName, $tableName) {
+        return $tableName != 'license_keys';
+    },
+
+The above example will hide the table 'license_keys' in all API input and output.
+
+    'authorization.columnHandler' => function ($method, $path, $databaseName, $tableName, $columnName) {
+        return !($tableName == 'users' && $columnName == 'password');
+    },
+
+The above example will hide the 'password' field from the 'users' table in all API input and output.
+
 ### Sanitizing input
 
 By default all input is accepted and sent to the database. If you want to strip (certain) HTML tags before storing you may add the 'sanitation' middleware and define a 'sanitation.handler' function that returns the adjusted value.

api.php

@@ -530,6 +530,15 @@ public function getTableNames(): array
         return array_keys($this->tableNames);
     }
 
+    public function removeTable(String $tableName): bool
+    {
+        if (!isset($this->tableNames[$tableName])) {
+            return false;
+        }
+        unset($this->tableNames[$tableName]);
+        return true;
+    }
+
     public function serialize()
     {
         return [
@@ -652,6 +661,15 @@ public function getFksTo(String $tableName): array
         return $columns;
     }
 
+    public function removeColumn(String $columnName): bool
+    {
+        if (!isset($this->columns[$columnName])) {
+            return false;
+        }
+        unset($this->columns[$columnName]);
+        return true;
+    }
+
     public function serialize()
     {
         return [
@@ -893,6 +911,17 @@ public function getDatabaseName(): String
     {
         return $this->database->getName();
     }
+
+    public function removeTable(String $tableName): bool
+    {
+        unset($this->tables[$tableName]);
+        return $this->database->removeTable($tableName);
+    }
+
+    public function removeColumn(String $tableName, String $columnName): bool
+    {
+        return $this->getTable($tableName)->removeColumn($columnName);
+    }
 }
 
 // file: src/Tqdev/PhpCrudApi/Controller/CacheController.php
@@ -2774,34 +2803,79 @@ public function __construct(Router $router, Responder $responder, array $propert
         $this->reflection = $reflection;
     }
 
-    private function getJoins($all, $list)
+    private function handleColumns(String $method, String $path, String $databaseName, String $tableName): void
     {
-        $result = array_fill_keys($all, false);
-        foreach ($lists as $items) {
-            foreach (explode(',', $items) as $item) {
-                if (isset($result[$item])) {
-                    $result[$item] = true;
+        $columnHandler = $this->getProperty('columnHandler', '');
+        if ($columnHandler) {
+            $table = $this->reflection->getTable($tableName);
+            foreach ($table->columnNames() as $columnName) {
+                $allowed = call_user_func($columnHandler, $method, $path, $databaseName, $tableName, $columnName);
+                if (!$allowed) {
+                    $this->reflection->removeColumn($tableName, $columnName);
                 }
             }
         }
-        return $result;
+    }
+
+    private function handleTable(String $method, String $path, String $databaseName, String $tableName): void
+    {
+        if (!$this->reflection->hasTable($tableName)) {
+            return;
+        }
+        $tableHandler = $this->getProperty('tableHandler', '');
+        if ($tableHandler) {
+            $allowed = call_user_func($tableHandler, $method, $path, $databaseName, $tableName);
+            if (!$allowed) {
+                $this->reflection->removeTable($tableName);
+            } else {
+                $this->handleColumns($method, $path, $databaseName, $tableName);
+            }
+        }
+    }
+
+    private function handleJoinTables(String $method, String $path, String $databaseName, array $joinParameters): void
+    {
+        $uniqueTableNames = array();
+        foreach ($joinParameters as $joinParameter) {
+            $tableNames = explode(',', trim($joinParameter));
+            foreach ($tableNames as $tableName) {
+                $uniqueTableNames[$tableName] = true;
+            }
+        }
+        foreach (array_keys($uniqueTableNames) as $tableName) {
+            $this->handleTable($method, $path, $databaseName, trim($tableName));
+        }
+    }
+
+    private function handleAllTables(String $method, String $path, String $databaseName): void
+    {
+        $tableNames = $this->reflection->getTableNames();
+        foreach ($tableNames as $tableName) {
+            $this->handleTable($method, $path, $databaseName, $tableName);
+        }
     }
 
     public function handle(Request $request): Response
     {
+        $method = $request->getMethod();
         $path = $request->getPathSegment(1);
-        $tableName = $request->getPathSegment(2);
-        $database = $this->reflection->getDatabase();
-        $handler = $this->getProperty('handler', '');
-        if ($handler !== '' && $path == 'records' && $database->exists($tableName)) {
-            $method = $request->getMethod();
-            $tableNames = $database->getTableNames();
+        $databaseName = $this->reflection->getDatabaseName();
+        if ($path == 'records') {
+            $tableName = $request->getPathSegment(2);
+            $this->handleTable($method, $path, $databaseName, $tableName);
             $params = $request->getParams();
-            $joins = $this->getJoins($tableNames, $params['join']);
-            $allowed = call_user_func($handler, $method, $tableName, $joins);
-            if (!$allowed) {
-                return $this->responder->error(ErrorCode::OPERATION_FORBIDDEN, '');
+            if (isset($params['join'])) {
+                $this->handleJoinTables($method, $path, $databaseName, $params['join']);
+            }
+        } elseif ($path == 'columns') {
+            $tableName = $request->getPathSegment(2);
+            if ($tableName) {
+                $this->handleTable($method, $path, $databaseName, $tableName);
+            } else {
+                $this->handleAllTables($method, $path, $databaseName);
             }
+        } elseif ($path == 'openapi') {
+            $this->handleAllTables($method, $path, $databaseName);
         }
         return $this->next->handle($request);
     }

src/Tqdev/PhpCrudApi/Api.php

@@ -10,6 +10,7 @@
 use Tqdev\PhpCrudApi\Controller\RecordController;
 use Tqdev\PhpCrudApi\Controller\Responder;
 use Tqdev\PhpCrudApi\Database\GenericDB;
+use Tqdev\PhpCrudApi\Middleware\AuthorizationMiddleware;
 use Tqdev\PhpCrudApi\Middleware\CorsMiddleware;
 use Tqdev\PhpCrudApi\Middleware\FirewallMiddleware;
 use Tqdev\PhpCrudApi\Middleware\Router\SimpleRouter;

src/Tqdev/PhpCrudApi/Column/Reflection/ReflectedDatabase.php

@@ -53,6 +53,15 @@ public function getTableNames(): array
         return array_keys($this->tableNames);
     }
 
+    public function removeTable(String $tableName): bool
+    {
+        if (!isset($this->tableNames[$tableName])) {
+            return false;
+        }
+        unset($this->tableNames[$tableName]);
+        return true;
+    }
+
     public function serialize()
     {
         return [

src/Tqdev/PhpCrudApi/Column/Reflection/ReflectedTable.php

@@ -115,6 +115,15 @@ public function getFksTo(String $tableName): array
         return $columns;
     }
 
+    public function removeColumn(String $columnName): bool
+    {
+        if (!isset($this->columns[$columnName])) {
+            return false;
+        }
+        unset($this->columns[$columnName]);
+        return true;
+    }
+
     public function serialize()
     {
         return [

src/Tqdev/PhpCrudApi/Column/ReflectionService.php

@@ -81,4 +81,15 @@ public function getDatabaseName(): String
     {
         return $this->database->getName();
     }
+
+    public function removeTable(String $tableName): bool
+    {
+        unset($this->tables[$tableName]);
+        return $this->database->removeTable($tableName);
+    }
+
+    public function removeColumn(String $tableName, String $columnName): bool
+    {
+        return $this->getTable($tableName)->removeColumn($columnName);
+    }
 }

src/Tqdev/PhpCrudApi/Middleware/AuthorizationMiddleware.php

@@ -5,7 +5,6 @@
 use Tqdev\PhpCrudApi\Controller\Responder;
 use Tqdev\PhpCrudApi\Middleware\Base\Middleware;
 use Tqdev\PhpCrudApi\Middleware\Router\Router;
-use Tqdev\PhpCrudApi\Record\ErrorCode;
 use Tqdev\PhpCrudApi\Request;
 use Tqdev\PhpCrudApi\Response;
 
@@ -19,34 +18,79 @@ public function __construct(Router $router, Responder $responder, array $propert
         $this->reflection = $reflection;
     }
 
-    private function getJoins($all, $list)
+    private function handleColumns(String $method, String $path, String $databaseName, String $tableName): void
     {
-        $result = array_fill_keys($all, false);
-        foreach ($lists as $items) {
-            foreach (explode(',', $items) as $item) {
-                if (isset($result[$item])) {
-                    $result[$item] = true;
+        $columnHandler = $this->getProperty('columnHandler', '');
+        if ($columnHandler) {
+            $table = $this->reflection->getTable($tableName);
+            foreach ($table->columnNames() as $columnName) {
+                $allowed = call_user_func($columnHandler, $method, $path, $databaseName, $tableName, $columnName);
+                if (!$allowed) {
+                    $this->reflection->removeColumn($tableName, $columnName);
                 }
             }
         }
-        return $result;
+    }
+
+    private function handleTable(String $method, String $path, String $databaseName, String $tableName): void
+    {
+        if (!$this->reflection->hasTable($tableName)) {
+            return;
+        }
+        $tableHandler = $this->getProperty('tableHandler', '');
+        if ($tableHandler) {
+            $allowed = call_user_func($tableHandler, $method, $path, $databaseName, $tableName);
+            if (!$allowed) {
+                $this->reflection->removeTable($tableName);
+            } else {
+                $this->handleColumns($method, $path, $databaseName, $tableName);
+            }
+        }
+    }
+
+    private function handleJoinTables(String $method, String $path, String $databaseName, array $joinParameters): void
+    {
+        $uniqueTableNames = array();
+        foreach ($joinParameters as $joinParameter) {
+            $tableNames = explode(',', trim($joinParameter));
+            foreach ($tableNames as $tableName) {
+                $uniqueTableNames[$tableName] = true;
+            }
+        }
+        foreach (array_keys($uniqueTableNames) as $tableName) {
+            $this->handleTable($method, $path, $databaseName, trim($tableName));
+        }
+    }
+
+    private function handleAllTables(String $method, String $path, String $databaseName): void
+    {
+        $tableNames = $this->reflection->getTableNames();
+        foreach ($tableNames as $tableName) {
+            $this->handleTable($method, $path, $databaseName, $tableName);
+        }
     }
 
     public function handle(Request $request): Response
     {
+        $method = $request->getMethod();
         $path = $request->getPathSegment(1);
-        $tableName = $request->getPathSegment(2);
-        $database = $this->reflection->getDatabase();
-        $handler = $this->getProperty('handler', '');
-        if ($handler !== '' && $path == 'records' && $database->exists($tableName)) {
-            $method = $request->getMethod();
-            $tableNames = $database->getTableNames();
+        $databaseName = $this->reflection->getDatabaseName();
+        if ($path == 'records') {
+            $tableName = $request->getPathSegment(2);
+            $this->handleTable($method, $path, $databaseName, $tableName);
             $params = $request->getParams();
-            $joins = $this->getJoins($tableNames, $params['join']);
-            $allowed = call_user_func($handler, $method, $tableName, $joins);
-            if (!$allowed) {
-                return $this->responder->error(ErrorCode::OPERATION_FORBIDDEN, '');
+            if (isset($params['join'])) {
+                $this->handleJoinTables($method, $path, $databaseName, $params['join']);
+            }
+        } elseif ($path == 'columns') {
+            $tableName = $request->getPathSegment(2);
+            if ($tableName) {
+                $this->handleTable($method, $path, $databaseName, $tableName);
+            } else {
+                $this->handleAllTables($method, $path, $databaseName);
             }
+        } elseif ($path == 'openapi') {
+            $this->handleAllTables($method, $path, $databaseName);
         }
         return $this->next->handle($request);
     }

tests/config/base.php

@@ -3,7 +3,13 @@
     'database' => 'php-crud-api',
     'username' => 'php-crud-api',
     'password' => 'php-crud-api',
-    'middlewares' => 'cors,validation,sanitation',
+    'middlewares' => 'cors,authorization,validation,sanitation',
+    'authorization.tableHandler' => function ($method, $path, $databaseName, $tableName) {
+        return !($tableName == 'invisibles');
+    },
+    'authorization.columnHandler' => function ($method, $path, $databaseName, $tableName, $columnName) {
+        return !($columnName == 'invisible');
+    },
     'sanitation.handler' => function ($method, $tableName, $column, $value) {
         return is_string($value) ? strip_tags($value) : $value;
     },

tests/fixtures/blog_mysql.sql

@@ -152,12 +152,22 @@ DROP TABLE IF EXISTS `kunsthåndværk`;
 CREATE TABLE `kunsthåndværk` (
   `id` varchar(36) NOT NULL,
   `Umlauts ä_ö_ü-COUNT` int(11) NOT NULL,
+  `invisible` varchar(36),
   PRIMARY KEY (`id`),
   CONSTRAINT `kunsthåndværk_Umlauts ä_ö_ü-COUNT_fkey` UNIQUE (`Umlauts ä_ö_ü-COUNT`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
 
-INSERT INTO `kunsthåndværk` (`id`, `Umlauts ä_ö_ü-COUNT`) VALUES
-('e42c77c6-06a4-4502-816c-d112c7142e6d', 1);
+INSERT INTO `kunsthåndværk` (`id`, `Umlauts ä_ö_ü-COUNT`, `invisible`) VALUES
+('e42c77c6-06a4-4502-816c-d112c7142e6d', 1, NULL);
+
+DROP TABLE IF EXISTS `invisibles`;
+CREATE TABLE `invisibles` (
+  `id` varchar(36) NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
+
+INSERT INTO `invisibles` (`id`) VALUES
+('e42c77c6-06a4-4502-816c-d112c7142e6d');
 
 SET foreign_key_checks = 1;