Difference between revisions of "ARK2"

From ARK
Jump to: navigation, search
(Security)
Line 1: Line 1:
 
This page details the progress on development of ARK 2.0
 
This page details the progress on development of ARK 2.0
  
== Code Repository ==
+
== Aims ==
  
Development of ARK 2.0 is occurring in the open on GitHub https://github.com/lparchaeology/ark2
+
The primary aims of ARK2 are:
 +
*
 +
*
 +
*
 +
 
 +
== Design ==
 +
 
 +
High level design decisions for ARK2.
  
== Supported Platforms ==
+
=== Supported Platforms ===
  
 
ARK will only actively support platforms that are actively supported by their maintainers. ARK may work on earlier versions but this is not guaranteed.
 
ARK will only actively support platforms that are actively supported by their maintainers. ARK may work on earlier versions but this is not guaranteed.
Line 13: Line 20:
 
* PostgreSQL and SQLite may be considered later (most likely using a proper ORM abstraction library)
 
* PostgreSQL and SQLite may be considered later (most likely using a proper ORM abstraction library)
  
== Standards ==
+
=== Standards ===
  
 
The [http://www.php-fig.org/psr/ PHP-FIG standards]  will be applied where-ever possible.
 
The [http://www.php-fig.org/psr/ PHP-FIG standards]  will be applied where-ever possible.
Line 34: Line 41:
 
* All new OO code will be under src/ and not php/ (this will also clearly separate new code from old)
 
* All new OO code will be under src/ and not php/ (this will also clearly separate new code from old)
  
== Framework ==
+
=== Framework ===
  
 
It is proposed to implement a new RESTful Request/Response framework using a Front Controller model and token-based security, based on external components adhering to the [http://www.php-fig.org/psr/ PHP-FIG] standards. This will reduce the amount of code maintained internally, update the code-base to modern web-app design principals, and provide a degree of future-proofing. Choosing a full framework at this point would force refactoring all of the model and view code at the same time, but by initially building our own light-weight controller framework using PSR-compliant components we can migrate the model and view later. Once all parts are migrated, a full framework could be considered if required.
 
It is proposed to implement a new RESTful Request/Response framework using a Front Controller model and token-based security, based on external components adhering to the [http://www.php-fig.org/psr/ PHP-FIG] standards. This will reduce the amount of code maintained internally, update the code-base to modern web-app design principals, and provide a degree of future-proofing. Choosing a full framework at this point would force refactoring all of the model and view code at the same time, but by initially building our own light-weight controller framework using PSR-compliant components we can migrate the model and view later. Once all parts are migrated, a full framework could be considered if required.
Line 49: Line 56:
 
Besides the core HTTP and Routing modules, the Security, Translations, Forms, Validation, and Console components should be considered.
 
Besides the core HTTP and Routing modules, the Security, Translations, Forms, Validation, and Console components should be considered.
  
== Security ==
+
=== Security ===
  
 
ARK currently uses PEAR LiveUser for user authentication and authorisation, but this hasn't been updated since 2010. It is a security risk, and also lacks many features like federated login. The ARK API currently uses plain text user and password in the request URL which is insecure. ARK2 will require a new security solution, especially for the API calls from client apps.
 
ARK currently uses PEAR LiveUser for user authentication and authorisation, but this hasn't been updated since 2010. It is a security risk, and also lacks many features like federated login. The ARK API currently uses plain text user and password in the request URL which is insecure. ARK2 will require a new security solution, especially for the API calls from client apps.
Line 76: Line 83:
 
Alternatives such as Sentinal which provides all the required features in a single integrated component would require choosing a different component ecosystem, such as Laravel.
 
Alternatives such as Sentinal which provides all the required features in a single integrated component would require choosing a different component ecosystem, such as Laravel.
  
== Database Abstraction ==
+
=== Database Abstraction ===
  
 
Currently, PDO is used to directly access only MySQL databases, and DB access statements are widely spread and manually assembled. Adding support for other databases such as Postgres or SQLite would require considerable work (while PDO abstracts the connection, it doesn't abstract the SQL dialect). Longer term, full OO code and framework use will require the use of an ORM layer to map relational data to objects, but this would make for a longer migration process.
 
Currently, PDO is used to directly access only MySQL databases, and DB access statements are widely spread and manually assembled. Adding support for other databases such as Postgres or SQLite would require considerable work (while PDO abstracts the connection, it doesn't abstract the SQL dialect). Longer term, full OO code and framework use will require the use of an ORM layer to map relational data to objects, but this would make for a longer migration process.
Line 91: Line 98:
 
* All new table creation and data seeding to use DAL
 
* All new table creation and data seeding to use DAL
  
== Configuration ==
+
== Changes ==
 +
 
 +
Details of changes made in ARK2.
 +
 
 +
=== Code Repository ===
 +
 
 +
Development of ARK 2.0 is occurring in the open on GitHub https://github.com/lparchaeology/ark2
 +
 
 +
=== Configuration ===
  
 
Significant changes to the configuration of ARK are being made to move from PHP file based configuration to database based configuration. This section will document these changes.
 
Significant changes to the configuration of ARK are being made to move from PHP file based configuration to database based configuration. This section will document these changes.
Line 103: Line 118:
 
* settings.php has moved from config/ to php/settings/ and no longer requires user editing, all settings are now held in the database and should be configured per the instructions
 
* settings.php has moved from config/ to php/settings/ and no longer requires user editing, all settings are now held in the database and should be configured per the instructions
  
== Database ==
+
=== Database ===
  
 
* Configuration has been moved to the database
 
* Configuration has been moved to the database
Line 114: Line 129:
 
* All DB functions have been moved into db_functions.php and use the new DB routines so they no longer create SQL themselves
 
* All DB functions have been moved into db_functions.php and use the new DB routines so they no longer create SQL themselves
  
== Changes ==
+
=== Globals ===
 
 
Other significant changes are documented here.
 
 
 
 
 
* A number of config global variables have been renamed for consistency
 
** Any var ending in _dir is an absolute filesystem directory path
 
** Any var ending in _path is a URL path relative to the hostname and always starts with a '/'
 
** Neither var ever ends in a separator
 
** $ark_server_path -> $ark_root_dir
 
** $ark_dir -> $ark_root_path and no longer ends in a /
 
** $registered_files_host -> $registered_files_path
 
** $phMagickDir -> $phmagick_file
 
** ark_web_maptemp_dir -> ark_maptemp_path
 
** $ark_lib_dir and $ark_lib_path point to the library folder
 
** $skins_dir and $skins_path point to the skins folder
 
** $skin_dir and $skin_path point to the current skin folder
 
 
 
 
 
* A number of config global variables have been renamed for clarity
 
** $mode -> $search_mode
 
** $ftx_mode -> $search_ftx_mode
 
  
 +
Globals are being progressively removed and replaced where possible by access to config objects.
  
* A number of config global variables have been deleted as they are not used:
+
A number of config global variables have been renamed for consistency
** $default_year
+
* Any var ending in _dir is an absolute filesystem directory path
** $conf_non_search_words
+
* Any var ending in _path is a URL path relative to the hostname and always starts with a '/'
** $conf_langs
+
* Neither var ever ends in a separator
** $loaded_map_modules
+
* $ark_server_path -> $ark_root_dir
** $default_output_mode
+
* $ark_dir -> $ark_root_path and no longer ends in a /
 +
* $registered_files_host -> $registered_files_path
 +
* $phMagickDir -> $phmagick_file
 +
* ark_web_maptemp_dir -> ark_maptemp_path
 +
* $ark_lib_dir and $ark_lib_path point to the library folder
 +
* $skins_dir and $skins_path point to the skins folder
 +
* $skin_dir and $skin_path point to the current skin folder
  
 +
A number of config global variables have been renamed for clarity
 +
* $mode -> $search_mode
 +
* $ftx_mode -> $search_ftx_mode
  
* The logging globals have been changed
+
A number of config global variables have been deleted as they are not used:
** $log, $conf_log_add, $conf_log_edt, $conf_log_del are deleted
+
* $default_year
** $log_ins, $log_upd and $log_del are used instead
+
* $conf_non_search_words
 +
* $conf_langs
 +
* $loaded_map_modules
 +
* $default_output_mode
  
 +
The logging globals have been changed
 +
* $log, $conf_log_add, $conf_log_edt, $conf_log_del are deleted
 +
* $log_ins, $log_upd and $log_del are used instead
  
* The $fs_path_sep and $fs_slash have been removed, use PATH_SEPARATOR and DIRECTORY_SEPARATOR constants instead.
+
A number of globls have been replaced by PHP5 constants
 +
* $fs_path_sep has been replaced with PATH_SEPARATOR
 +
* $fs_slash has been replaced with DIRECTORY_SEPARATOR

Revision as of 13:52, 7 May 2016

This page details the progress on development of ARK 2.0

Aims

The primary aims of ARK2 are:

Design

High level design decisions for ARK2.

Supported Platforms

ARK will only actively support platforms that are actively supported by their maintainers. ARK may work on earlier versions but this is not guaranteed.

  • PHP: A minimum of v5.6 will be supported (5.6 is in Security Support, 5.7 in active support, see http://php.net/supported-versions.php), v7 will be supported.
  • MySQL/MariaDB v5.5 (lowest supported MySQL)
  • PostgreSQL and SQLite may be considered later (most likely using a proper ORM abstraction library)

Standards

The PHP-FIG standards will be applied where-ever possible.

  • PSR-1 and PSR-2 Coding Standards
  • PSR-3 Logging Interface for interchangeable logging objects
  • PSR-4 Auto-Loading Standard
  • PSR-7 HTTP Message Interface for interchangeable Request/Response objects

PSR-3 and PSR-7 allow mixing and matching of component libraries from different vendors, and supports future-proofing by allowing switching between libraries with minimal code changes.

PSR-4 will be used for packaging, namespace and auto-loading of OO code. A good series of articles explaining PSR-4 and modern development and packaging in general can be found at the following:

In consequence:

  • Composer will be required for dependency management and OO class auto-loading
  • All new external libraries will be installed by Composer under vendor/ and not libs/
  • All new OO classes will be namespaced under LPArchaeology\ARK\
  • All new OO code will be under src/ and not php/ (this will also clearly separate new code from old)

Framework

It is proposed to implement a new RESTful Request/Response framework using a Front Controller model and token-based security, based on external components adhering to the PHP-FIG standards. This will reduce the amount of code maintained internally, update the code-base to modern web-app design principals, and provide a degree of future-proofing. Choosing a full framework at this point would force refactoring all of the model and view code at the same time, but by initially building our own light-weight controller framework using PSR-compliant components we can migrate the model and view later. Once all parts are migrated, a full framework could be considered if required.

  • Symphony components will be used to build the framework (alternative Slim?)

Read the following for further info:

The ARK root folder will contain only the index.php file which will act as a dispatcher, receiving all Requests, matching the Route and dispatching them to the correct Controller. Each ARK page type and the api will have a Controller to read the model and construct the view before returning the Response. This will allow future flexibility for new request formats while still being able to support persistent legacy links. It will also allow for database config and user auth driven routing, e.g. one install may only expose the RESTful API, while others may only expose read-only pages.

Besides the core HTTP and Routing modules, the Security, Translations, Forms, Validation, and Console components should be considered.

Security

ARK currently uses PEAR LiveUser for user authentication and authorisation, but this hasn't been updated since 2010. It is a security risk, and also lacks many features like federated login. The ARK API currently uses plain text user and password in the request URL which is insecure. ARK2 will require a new security solution, especially for the API calls from client apps.

Requirements

  • User Authentication
    • Token-based
    • Local user database for stand-alone/internal use
    • Via OAuth and OpenID authentication services (Google, Facebook, etc)
  • User Authorisation
    • Role-Based Access Control (RBAC) model based on Users/Roles/Permissions
  • API authentication via token and secure login
  • Anonymous/Unauthenticated User access as optional Role for both Web and API
  • A migration path from LiveUser must be provided.

Any solution chosen will work best when integrated with the other framework components chosen and should be implemented in parallel as it is highly dependent on the Request/Response/Routing/Session components used.

The Symfony Framework provides a very powerful Security component, but not a simple all-in-one solution meeting our requirements. Combining a number of external components may be able to meet our requirements, at the cost of more custom code required.

  • Use Symfony\Security\Guard to manage the Authentication process
  • Use League\OAuth2-Client or Opauth or HWIOAuthBundle for external OAuth2 authentication
  • Use League\OAuth2-Server or FOSOAuthServerBundle for OAuth2 server for API
  • Use Sylius\RBAC or FOSUserBundle for User/Role management

The combination of HWIOAuthBundle / FOSOAuthServerBundle / FOSUserBundle is widely supported and more 'native' to Symfony, but requires the use of the full framework, bundles, Doctrine ORM, and YAML-based config. The alternatives are built as stand-alone interoperable PSR components and will provide greater future flexibility and a gentler migration path, but will require more work to integrate.

Alternatives such as Sentinal which provides all the required features in a single integrated component would require choosing a different component ecosystem, such as Laravel.

Database Abstraction

Currently, PDO is used to directly access only MySQL databases, and DB access statements are widely spread and manually assembled. Adding support for other databases such as Postgres or SQLite would require considerable work (while PDO abstracts the connection, it doesn't abstract the SQL dialect). Longer term, full OO code and framework use will require the use of an ORM layer to map relational data to objects, but this would make for a longer migration process.

An interim step would be to make use of a Database Abstraction Layer that would abstract away the differences in SQL. These libraries usually also provide Query Builders, Data Seeding, and Schema Creation and Migration tools. Most are built on PDO and can seamlessly integrate with legacy code to make for an easier migration path.

Most frameworks implement a DAL, or use one of the major ORM's that also implement a DAL. The choice will largely be dictated by the framework components chosen, if Symfony is used then Doctrine DBAL would be the best choice.

Migration process:

  • Move all PDO / SQL type calls into a set of common utilities in db_functions, i.e. insert, update, etc, that take arrays of fields and values, etc
  • Change all db functions to use new common utilities
  • Move all db functions into db_functions
  • Migrate new common utilities to chosen DAL
  • All new table creation and data seeding to use DAL

Changes

Details of changes made in ARK2.

Code Repository

Development of ARK 2.0 is occurring in the open on GitHub https://github.com/lparchaeology/ark2

Configuration

Significant changes to the configuration of ARK are being made to move from PHP file based configuration to database based configuration. This section will document these changes.

  • The config/ folder will contain all user-editable php files required, all other config will be in the database
  • The env_settings.php file is replaced by server.php and paths.php
  • server.php contains the settings for the database connection and root server path and should be the only file requiring editing for a default ARK install
  • paths.php contains the settings for the server file paths and should not need editing
  • To set-up an ARK, copy the config folder from php/arkdb/config to teh root folder and edit as required
  • preflight_checks.php now defaults to off, so needs to be enabled before running, and then deleted form config afterwards
  • settings.php has moved from config/ to php/settings/ and no longer requires user editing, all settings are now held in the database and should be configured per the instructions

Database

  • Configuration has been moved to the database
  • A new ADO class wrapping PDO has been created to provide all database access for the new OO config classes
  • db_functions.php has been cleaned up to move repeated code into new routines:
    • dbTimestamp() returns a timestamp
    • dbRunAddQuery() inserts a single row into a table
    • dbUpdateSingleIdRow() updates a single ID table row
    • dbUpdateAllRows() updates all rows matching a given key
  • All DB functions have been moved into db_functions.php and use the new DB routines so they no longer create SQL themselves

Globals

Globals are being progressively removed and replaced where possible by access to config objects.

A number of config global variables have been renamed for consistency

  • Any var ending in _dir is an absolute filesystem directory path
  • Any var ending in _path is a URL path relative to the hostname and always starts with a '/'
  • Neither var ever ends in a separator
  • $ark_server_path -> $ark_root_dir
  • $ark_dir -> $ark_root_path and no longer ends in a /
  • $registered_files_host -> $registered_files_path
  • $phMagickDir -> $phmagick_file
  • ark_web_maptemp_dir -> ark_maptemp_path
  • $ark_lib_dir and $ark_lib_path point to the library folder
  • $skins_dir and $skins_path point to the skins folder
  • $skin_dir and $skin_path point to the current skin folder

A number of config global variables have been renamed for clarity

  • $mode -> $search_mode
  • $ftx_mode -> $search_ftx_mode

A number of config global variables have been deleted as they are not used:

  • $default_year
  • $conf_non_search_words
  • $conf_langs
  • $loaded_map_modules
  • $default_output_mode

The logging globals have been changed

  • $log, $conf_log_add, $conf_log_edt, $conf_log_del are deleted
  • $log_ins, $log_upd and $log_del are used instead

A number of globls have been replaced by PHP5 constants

  • $fs_path_sep has been replaced with PATH_SEPARATOR
  • $fs_slash has been replaced with DIRECTORY_SEPARATOR