TalkPHP - Building an Apache-like Access Control List (ACL)

I was in two minds as to whether or not to release this as a script or an article, so I'm going to do both just in case people need any assistance with various sections of the code. However, I'm only going to be explaining areas which I feel need to be explained as all the rest can be found elsewhere, either on TalkPHP, or in the common-sense area of your brain.

We're going to be constructing an Apache-like, in fact we're going to be emulating the Apache ACL in its entirety. Although you could quite easily use Apache, this allows you to see how it's all done and even extend onto it to allow temporary bans which expire after a certain amount of time - if you were that way inclined.

The configuration file which we will accept will look like the following:

Code:

Order Deny, Allow

Deny from 127.0.0.1

Allow from All

As I'm only going to cover segments of the code, I will be linking out to articles which deal with that specific part so that you can read further on the subject.

The first article I'm going to link out to is the singleton article. The reasoning behind this is that I can't think of any scenario where you require more than once instance, seeing as how our construct parses the configuration document and then uses a member function to check whether or not the particular user in question is allowed access.

Exceptions will be prevalent throughout the script which you can read more about in the exceptions article. This will allow us to use a try and catch block on the front-end to see whether or not everything went smoothly with the parsing.

We will be using regular expressions to initially parse the configuration file into basic segments. The regex we will be using is as follows:

php Code:

preg_match('~(?P<command>[^\s]+)\s*\w*\s+(?P<options>.*)~', $szLine, $aMatches);

This will essentially parse every line in our configuration file and give us both the command and the options set for that command. All the options will be returned as a whole which we will later split up depending on their content.

Once we've got all the data required, the next thing is to list all the various scenarios - albeit I've picked all the scenarios which would mean a banned user and so if none of those match, then we assume the user is allowed to access the website. I came up with the following:

The user's IP is in deny when order is deny, allow;
Deny is set to ALL and user's IP address is not in allow when order is deny, allow;
User's IP is not in allow and deny is set to ALL when order is allow, deny;
User's IP is in deny and allow is set to ALL when order is allow, deny;
User's IP is in deny and not in allow when order is allow, deny.

That's about all there is to the script. To use the script we need to get the object's instance first which can be done by calling the getInstance function which is defined as a static function:

php Code:

public static function getInstance()
{
    if(empty(self::$m_pInstance))
    {
        self::$m_pInstance = new TalkPHP_ACL();
    }
    
    return self::$m_pInstance;
}

This returns the instance to the variable which we are wanting to hold that particular object, and as we're using exceptions throughout the script the try and catch block is present to attempt to catch and output any exceptions:

php Code:

try
{
    $pACL = TalkPHP_ACL::getInstance();
}
catch(Exception $pEx)
{
    die($pEx->getMessage());
}

If there are no exceptions returned from the class then we can go ahead and check if the current user has accessed based on their IP address:

php Code:

if(!$pACL->hasAccess())
{
    die('You have been banned from this website.');
}

And that's all there is to the ACL script. Without further ado you may download the script from the following location. Hopefully the article has also cleared up any uncertainties you had about the script itself.