Add PHP and YAML adapters for ACL and Allow config

Introduces AbstractAclAdapter and AbstractAllowAdapter holding the
section-processing logic shared across all adapters. INI adapters now
extend the base classes; new PhpAclAdapter, PhpAllowAdapter,
YamlAclAdapter and YamlAllowAdapter only implement the file parsing
step.

YAML adapters require symfony/yaml, declared as a suggest dependency
and used for tests via require-dev.

Author: dereuromark

composer.json

@@ -35,7 +35,11 @@
 		"cakephp/debug_kit": "^5.0.1",
 		"composer/semver": "^3.0",
 		"fig-r/psr2r-sniffer": "dev-master",
-		"phpunit/phpunit": "^11.5 || ^12.1 || ^13.0"
+		"phpunit/phpunit": "^11.5 || ^12.1 || ^13.0",
+		"symfony/yaml": "^6.4 || ^7.0"
+	},
+	"suggest": {
+		"symfony/yaml": "Required when using the YAML ACL/Allow adapters (^6.4 || ^7.0)."
 	},
 	"minimum-stability": "stable",
 	"prefer-stable": true,

docs/AuthenticationAdapter.md

@@ -1,6 +1,27 @@
 ### Authentication Adapters
 For adapters to define allow/deny (public/protected) per controller action.
 
+#### Built-in adapters
+
+| Adapter | Class | Default file | Notes |
+|---------|-------|--------------|-------|
+| INI     | `TinyAuth\Auth\AllowAdapter\IniAllowAdapter` | `auth_allow.ini` | Default. Zero dependencies. |
+| PHP     | `TinyAuth\Auth\AllowAdapter\PhpAllowAdapter` | `auth_allow.php` | Returns a plain `return [...]` array. Zero dependencies. |
+| YAML    | `TinyAuth\Auth\AllowAdapter\YamlAllowAdapter` | `auth_allow.yml` | Requires `symfony/yaml` (`composer require symfony/yaml`). |
+
+Switch the adapter via the `allowAdapter` configuration key, e.g.:
+
+```php
+'TinyAuth' => [
+    'allowAdapter' => \TinyAuth\Auth\AllowAdapter\PhpAllowAdapter::class,
+    'allowFile' => 'auth_allow.php',
+],
+```
+
+The PHP/YAML files use the same section/value shape as the INI variant — top-level keys are `Plugin.Prefix/Controller` identifiers and values are comma-separated action lists.
+
+#### Custom adapters
+
 Implement the AllowAdapterInterface and make sure your `getAllow()` method returns an array like so:
 ```php
     // normal controller

docs/AuthorizationAdapter.md

@@ -1,6 +1,27 @@
 ### Authorization Adapters
 For RBAC ACL adapters.
 
+#### Built-in adapters
+
+| Adapter | Class | Default file | Notes |
+|---------|-------|--------------|-------|
+| INI     | `TinyAuth\Auth\AclAdapter\IniAclAdapter` | `auth_acl.ini` | Default. Zero dependencies. |
+| PHP     | `TinyAuth\Auth\AclAdapter\PhpAclAdapter` | `auth_acl.php` | Returns a plain `return [...]` array. Zero dependencies. |
+| YAML    | `TinyAuth\Auth\AclAdapter\YamlAclAdapter` | `auth_acl.yml` | Requires `symfony/yaml` (`composer require symfony/yaml`). |
+
+Switch the adapter via the `aclAdapter` configuration key, e.g.:
+
+```php
+'TinyAuth' => [
+    'aclAdapter' => \TinyAuth\Auth\AclAdapter\YamlAclAdapter::class,
+    'aclFile' => 'auth_acl.yml',
+],
+```
+
+The PHP/YAML files use the same section/key/value shape as the INI variant — top-level keys are `Plugin.Prefix/Controller` identifiers and each section maps action names (or comma-separated action lists) to comma-separated role lists.
+
+#### Custom adapters
+
 Implement the AclAdapterInterface and make sure your `getAcl()` method returns an array like so:
 ```php
     // normal controller

src/Auth/AclAdapter/AbstractAclAdapter.php

@@ -0,0 +1,108 @@
+<?php
+
+namespace TinyAuth\Auth\AclAdapter;
+
+use Cake\Core\Configure;
+use TinyAuth\Utility\Utility;
+
+abstract class AbstractAclAdapter implements AclAdapterInterface {
+
+	/**
+	 * Loads the raw section => data array from the underlying config source.
+	 *
+	 * The returned shape matches `parse_ini_file($path, true)` — top-level keys are
+	 * section identifiers (e.g. `Tags`, `Plugin.Admin/Tags`) and each value is a
+	 * `actions => roles` map.
+	 *
+	 * @param array<string, mixed> $config Current TinyAuth configuration values.
+	 * @return array<string, array<string, string>>
+	 */
+	abstract protected function parseConfig(array $config): array;
+
+	/**
+	 * @param array $availableRoles A list of available user roles.
+	 * @param array<string, mixed> $config Current TinyAuth configuration values.
+	 * @return array
+	 */
+	public function getAcl(array $availableRoles, array $config): array {
+		$sections = $this->parseConfig($config);
+
+		$acl = [];
+		foreach ($sections as $key => $array) {
+			$acl[$key] = Utility::deconstructIniKey($key);
+			if (Configure::read('debug')) {
+				$acl[$key]['map'] = $array;
+			}
+			$acl[$key]['deny'] = [];
+			$acl[$key]['allow'] = [];
+
+			foreach ($array as $actions => $roles) {
+				$roles = explode(',', $roles);
+				$actions = explode(',', $actions);
+
+				$deniedRoles = [];
+				foreach ($roles as $roleId => $role) {
+					$role = trim($role);
+					if (!$role) {
+						continue;
+					}
+					$denied = mb_substr($role, 0, 1) === '!';
+					if ($denied) {
+						$role = mb_substr($role, 1);
+						if (!array_key_exists($role, $availableRoles)) {
+							unset($roles[$roleId]);
+
+							continue;
+						}
+
+						unset($roles[$roleId]);
+						$deniedRoles[] = $role;
+
+						continue;
+					}
+
+					if (!array_key_exists($role, $availableRoles) && $role !== '*') {
+						unset($roles[$roleId]);
+
+						continue;
+					}
+					if ($role === '*') {
+						unset($roles[$roleId]);
+						$roles = array_merge($roles, array_keys($availableRoles));
+					}
+				}
+
+				foreach ($actions as $action) {
+					$action = trim($action);
+					if (!$action) {
+						continue;
+					}
+
+					foreach ($roles as $role) {
+						$role = trim($role);
+						if (!$role) {
+							continue;
+						}
+						$roleName = strtolower($role);
+
+						$newRole = $availableRoles[$roleName];
+						$acl[$key]['allow'][$action][$roleName] = $newRole;
+					}
+					foreach ($deniedRoles as $role) {
+						$role = trim($role);
+						if (!$role) {
+							continue;
+						}
+						$roleName = strtolower($role);
+
+						$newRole = $availableRoles[$roleName];
+						$acl[$key]['deny'][$action][$roleName] = $newRole;
+					}
+				}
+			}
+		}
+
+		return $acl;
+	}
+
+}

src/Auth/AclAdapter/IniAclAdapter.php

@@ -2,99 +2,16 @@
 
 namespace TinyAuth\Auth\AclAdapter;
 
-use Cake\Core\Configure;
 use TinyAuth\Utility\Utility;
 
-class IniAclAdapter implements AclAdapterInterface {
+class IniAclAdapter extends AbstractAclAdapter {
 
 	/**
-	 * {@inheritDoc}
-	 *
-	 * @return array
+	 * @param array<string, mixed> $config Current TinyAuth configuration values.
+	 * @return array<string, array<string, string>>
 	 */
-	public function getAcl(array $availableRoles, array $config): array {
-		$iniArray = Utility::parseFiles($config['filePath'], $config['file']);
-
-		$acl = [];
-		foreach ($iniArray as $key => $array) {
-			$acl[$key] = Utility::deconstructIniKey($key);
-			if (Configure::read('debug')) {
-				$acl[$key]['map'] = $array;
-			}
-			$acl[$key]['deny'] = [];
-			$acl[$key]['allow'] = [];
-
-			foreach ($array as $actions => $roles) {
-				// Get all roles used in the current INI section
-				$roles = explode(',', $roles);
-				$actions = explode(',', $actions);
-
-				$deniedRoles = [];
-				foreach ($roles as $roleId => $role) {
-					$role = trim($role);
-					if (!$role) {
-						continue;
-					}
-					$denied = mb_substr($role, 0, 1) === '!';
-					if ($denied) {
-						$role = mb_substr($role, 1);
-						if (!array_key_exists($role, $availableRoles)) {
-							unset($roles[$roleId]);
-
-							continue;
-						}
-
-						unset($roles[$roleId]);
-						$deniedRoles[] = $role;
-
-						continue;
-					}
-
-					// Prevent undefined roles appearing in the iniMap
-					if (!array_key_exists($role, $availableRoles) && $role !== '*') {
-						unset($roles[$roleId]);
-
-						continue;
-					}
-					if ($role === '*') {
-						unset($roles[$roleId]);
-						$roles = array_merge($roles, array_keys($availableRoles));
-					}
-				}
-
-				foreach ($actions as $action) {
-					$action = trim($action);
-					if (!$action) {
-						continue;
-					}
-
-					foreach ($roles as $role) {
-						$role = trim($role);
-						if (!$role) {
-							continue;
-						}
-						$roleName = strtolower($role);
-
-						// Lookup role id by name in roles array
-						$newRole = $availableRoles[$roleName];
-						$acl[$key]['allow'][$action][$roleName] = $newRole;
-					}
-					foreach ($deniedRoles as $role) {
-						$role = trim($role);
-						if (!$role) {
-							continue;
-						}
-						$roleName = strtolower($role);
-
-						// Lookup role id by name in roles array
-						$newRole = $availableRoles[$roleName];
-						$acl[$key]['deny'][$action][$roleName] = $newRole;
-					}
-				}
-			}
-		}
-
-		return $acl;
+	protected function parseConfig(array $config): array {
+		return Utility::parseFiles($config['filePath'], $config['file']);
 	}
 
 }

src/Auth/AclAdapter/PhpAclAdapter.php

@@ -0,0 +1,38 @@
+<?php
+
+namespace TinyAuth\Auth\AclAdapter;
+
+use Cake\Core\Exception\CakeException;
+
+class PhpAclAdapter extends AbstractAclAdapter {
+
+	/**
+	 * @param array<string, mixed> $config Current TinyAuth configuration values.
+	 * @throws \Cake\Core\Exception\CakeException
+	 * @return array<string, array<string, string>>
+	 */
+	protected function parseConfig(array $config): array {
+		$paths = $config['filePath'] ?? null;
+		if ($paths === null) {
+			$paths = ROOT . DS . 'config' . DS;
+		}
+
+		$list = [];
+		foreach ((array)$paths as $path) {
+			$file = $path . $config['file'];
+			if (!file_exists($file)) {
+				throw new CakeException(sprintf('Missing TinyAuth config file (%s)', $file));
+			}
+
+			$data = include $file;
+			if (!is_array($data)) {
+				throw new CakeException(sprintf('Invalid TinyAuth config file (%s)', $file));
+			}
+
+			$list += $data;
+		}
+
+		return $list;
+	}
+
+}

src/Auth/AclAdapter/YamlAclAdapter.php

@@ -0,0 +1,45 @@
+<?php
+
+namespace TinyAuth\Auth\AclAdapter;
+
+use Cake\Core\Exception\CakeException;
+use Symfony\Component\Yaml\Yaml;
+
+class YamlAclAdapter extends AbstractAclAdapter {
+
+	/**
+	 * @param array<string, mixed> $config Current TinyAuth configuration values.
+	 * @throws \Cake\Core\Exception\CakeException
+	 * @return array<string, array<string, string>>
+	 */
+	protected function parseConfig(array $config): array {
+		if (!class_exists(Yaml::class)) {
+			throw new CakeException(
+				'YamlAclAdapter requires symfony/yaml. Install via: composer require symfony/yaml',
+			);
+		}
+
+		$paths = $config['filePath'] ?? null;
+		if ($paths === null) {
+			$paths = ROOT . DS . 'config' . DS;
+		}
+
+		$list = [];
+		foreach ((array)$paths as $path) {
+			$file = $path . $config['file'];
+			if (!file_exists($file)) {
+				throw new CakeException(sprintf('Missing TinyAuth config file (%s)', $file));
+			}
+
+			$data = Yaml::parseFile($file);
+			if (!is_array($data)) {
+				throw new CakeException(sprintf('Invalid TinyAuth config file (%s)', $file));
+			}
+
+			$list += $data;
+		}
+
+		return $list;
+	}
+
+}