Improve api RBAC to support className definition. Intial cached RBAC class.

Author: skie

src/Rbac/ApiRbac.php

@@ -22,6 +22,7 @@
 use CakeDC\Auth\Rbac\PermissionMatchResult;
 use CakeDC\Auth\Rbac\RbacInterface;
 use CakeDC\Auth\Rbac\Rules\Rule;
+use CakeDC\Auth\Rbac\Rules\RuleRegistry;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Log\LogLevel;
 
@@ -181,6 +182,9 @@ protected function _matchPermission(array $permission, $user, $role, ServerReque
 
             if (is_callable($value)) {
                 $return = (bool)call_user_func($value, $user, $role, $request);
+            } elseif (is_array($value) && isset($value['className'])) {
+                $ruleInstance = RuleRegistry::get($value['className'], $value['options'] ?? []);
+                $return = (bool)$ruleInstance->allowed($user, $role, $request);
             } elseif ($value instanceof Rule) {
                 $return = (bool)$value->allowed($user, $role, $request);
             } elseif ($key === 'bypassAuth' && $value === true) {

src/Rbac/CachedApiRbac.php

@@ -0,0 +1,136 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * Copyright 2010 - 2025, Cake Development Corporation (https://www.cakedc.com)
+ *
+ * Licensed under The MIT License
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright Copyright 2010 - 2025, Cake Development Corporation (https://www.cakedc.com)
+ * @license MIT License (http://www.opensource.org/licenses/mit-license.php)
+ */
+
+namespace CakeDC\Api\Rbac;
+
+use Cake\Cache\Cache;
+use Cake\Utility\Hash;
+use CakeDC\Api\Rbac\ApiRbac;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Log\LogLevel;
+
+/**
+ * Class CachedApiRbac
+ *
+ * Cached version of ApiRbac for improved performance.
+ * Builds a permissions map based on service/action and caches it.
+ */
+class CachedApiRbac extends ApiRbac
+{
+    /**
+     * A map of rules
+     *
+     * @var array[] rules array
+     */
+    protected $permissionsMap = [];
+
+    /**
+     * CachedApiRbac constructor.
+     *
+     * @param array $config Class configuration
+     */
+    public function __construct($config = [])
+    {
+        parent::__construct($config);
+        $this->permissionsMap = Cache::remember('api_permissions_map', function () {
+            return $this->buildPermissionsMap();
+        }, '_cakedc_api_auth_');
+    }
+
+    /**
+     * Build permissions map for caching
+     *
+     * @return array
+     */
+    public function buildPermissionsMap()
+    {
+        $asArray = function ($permission, $key, $default = null) {
+            if ($default !== null && !array_key_exists($key, $permission)) {
+                return [$default, '_'];
+            }
+            if (!array_key_exists($key, $permission) || $permission[$key] == false || $permission[$key] == null) {
+                return ['_'];
+            }
+            $item = $permission[$key];
+            if (is_string($item)) {
+                return [$item];
+            }
+            return (array)$item;
+        };
+
+        $map = [];
+        foreach ($this->permissions as $permission) {
+            if (isset($permission['role'])) {
+                $role = $permission['role'];
+            } else {
+                $role = '*';
+            }
+            $roles = (array)$role;
+            foreach ($roles as $role) {
+                $services = $asArray($permission, 'service', '*');
+                foreach ($services as $service) {
+                    $key = $service;
+                    $map[$role][$key][] = $permission;
+                }
+            }
+        }
+
+        return $map;
+    }
+
+    /**
+     * Match against permissions using cached map
+     *
+     * @param array|\ArrayAccess $user current user array
+     * @param \Psr\Http\Message\ServerRequestInterface $request request
+     * @return bool true if there is a match in permissions
+     */
+    public function checkPermissions($user, ServerRequestInterface $request)
+    {
+        $roleField = $this->getConfig('role_field');
+        $defaultRole = $this->getConfig('default_role');
+        $role = Hash::get($user, $roleField, $defaultRole);
+
+        $service = $request->getAttribute('service');
+        if ($service === null) {
+            return false;
+        }
+
+        $serviceName = $service->getName();
+        $keys = [$serviceName, '*'];
+
+        foreach ([$role, '*'] as $checkRole) {
+            if (!array_key_exists($checkRole, $this->permissionsMap)) {
+                continue;
+            }
+            foreach ($keys as $key) {
+                if (!array_key_exists($key, $this->permissionsMap[$checkRole])) {
+                    continue;
+                }
+                $permissions = $this->permissionsMap[$checkRole][$key];
+                foreach ($permissions as $permission) {
+                    $matchResult = $this->_matchPermission($permission, $user, $role, $request);
+                    if ($matchResult !== null) {
+                        if ($this->getConfig('log')) {
+                            $this->log($matchResult->getReason(), LogLevel::DEBUG);
+                        }
+
+                        return $matchResult->isAllowed();
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+}

tests/TestCase/Integration/Service/Action/Auth/JwtLoginActionTest.php

@@ -64,7 +64,6 @@ public function tearDown(): void
     public function testSuccessLogin()
     {
         $this->sendRequest('/auth/jwt_login', 'POST', ['username' => 'user-1', 'password' => '12345']);
-        print_r((string)$this->_response->getBody());
         $result = $this->getJsonResponse();
         $this->assertSuccess($result);
         $this->assertTrue(is_array($result['data']));