Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
| Total | |
75.58% |
65 / 86 |
|
61.54% |
8 / 13 |
CRAP | |
0.00% |
0 / 1 |
| ActionAccessControl | |
75.58% |
65 / 86 |
|
61.54% |
8 / 13 |
43.10 | |
0.00% |
0 / 1 |
| addPermissions | |
83.33% |
10 / 12 |
|
0.00% |
0 / 1 |
5.12 | |||
| removePermissions | |
100.00% |
11 / 11 |
|
100.00% |
1 / 1 |
7 | |||
| contextHasReadAccess | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
1 | |||
| contextHasWriteAccess | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
1 | |||
| contextHasGrantAccess | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
1 | |||
| hasReadAccess | |
0.00% |
0 / 6 |
|
0.00% |
0 / 1 |
2 | |||
| hasWriteAccess | |
0.00% |
0 / 6 |
|
0.00% |
0 / 1 |
2 | |||
| hasGrantAccess | |
0.00% |
0 / 6 |
|
0.00% |
0 / 1 |
2 | |||
| hasAccess | |
100.00% |
18 / 18 |
|
100.00% |
1 / 1 |
5 | |||
| getPermissions | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
4 | |||
| getUserRoles | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
| getUser | |
0.00% |
0 / 1 |
|
0.00% |
0 / 1 |
2 | |||
| getAdvancedLogger | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
| 1 | <?php |
| 2 | |
| 3 | /** |
| 4 | * This program is free software; you can redistribute it and/or |
| 5 | * modify it under the terms of the GNU General Public License |
| 6 | * as published by the Free Software Foundation; under version 2 |
| 7 | * of the License (non-upgradable). |
| 8 | * |
| 9 | * This program is distributed in the hope that it will be useful, |
| 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 12 | * GNU General Public License for more details. |
| 13 | * |
| 14 | * You should have received a copy of the GNU General Public License |
| 15 | * along with this program; if not, write to the Free Software |
| 16 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
| 17 | * |
| 18 | * Copyright (c) 2021 (original work) Open Assessment Technologies SA; |
| 19 | */ |
| 20 | |
| 21 | declare(strict_types=1); |
| 22 | |
| 23 | namespace oat\tao\model\accessControl; |
| 24 | |
| 25 | use oat\oatbox\user\User; |
| 26 | use Psr\Log\LoggerInterface; |
| 27 | use oat\oatbox\log\logger\AdvancedLogger; |
| 28 | use oat\oatbox\service\ConfigurableService; |
| 29 | use oat\tao\model\Context\ContextInterface; |
| 30 | use common_session_SessionManager as SessionManager; |
| 31 | |
| 32 | class ActionAccessControl extends ConfigurableService |
| 33 | { |
| 34 | public const SERVICE_ID = 'tao/ActionAccessControl'; |
| 35 | |
| 36 | /** |
| 37 | * @example [ |
| 38 | * 'controller' => [ |
| 39 | * 'action1' => [ |
| 40 | * 'role1' => 'READ', |
| 41 | * 'role2' => 'WRITE, |
| 42 | * ], |
| 43 | * ], |
| 44 | * ] |
| 45 | */ |
| 46 | public const OPTION_PERMISSIONS = 'permissions'; |
| 47 | |
| 48 | public const DENY = 'DENY'; |
| 49 | public const READ = 'READ'; |
| 50 | public const WRITE = 'WRITE'; |
| 51 | public const GRANT = 'GRANT'; |
| 52 | |
| 53 | /** |
| 54 | * @example $permissionsToAdd = [ |
| 55 | * 'controller' => [ |
| 56 | * 'action1' => [ |
| 57 | * 'role1' => 'READ', |
| 58 | * 'role2' => 'WRITE, |
| 59 | * ], |
| 60 | * ], |
| 61 | * ] |
| 62 | */ |
| 63 | public function addPermissions(array $permissionsToAdd = []): void |
| 64 | { |
| 65 | $permissions = $this->getOption(self::OPTION_PERMISSIONS, []); |
| 66 | |
| 67 | foreach ($permissionsToAdd as $controller => $actions) { |
| 68 | if (empty($permissions[$controller])) { |
| 69 | $permissions[$controller] = $actions; |
| 70 | |
| 71 | continue; |
| 72 | } |
| 73 | |
| 74 | foreach ($actions as $action => $rolePermissions) { |
| 75 | if (empty($permissions[$controller][$action])) { |
| 76 | $permissions[$controller][$action] = $rolePermissions; |
| 77 | |
| 78 | continue; |
| 79 | } |
| 80 | |
| 81 | $actionPermissions = $permissions[$controller][$action] ?? []; |
| 82 | $permissions[$controller][$action] = array_merge($actionPermissions, $rolePermissions); |
| 83 | } |
| 84 | } |
| 85 | |
| 86 | $this->setOption(self::OPTION_PERMISSIONS, $permissions); |
| 87 | } |
| 88 | |
| 89 | /** |
| 90 | * @example $permissionsToRemove = [ |
| 91 | * 'controller' => [ |
| 92 | * 'action1' => [ |
| 93 | * 'role1', |
| 94 | * 'role2', |
| 95 | * ], |
| 96 | * ], |
| 97 | * ] |
| 98 | */ |
| 99 | public function removePermissions(array $permissionsToRemove = []): void |
| 100 | { |
| 101 | $permissions = $this->getOption(self::OPTION_PERMISSIONS, []); |
| 102 | |
| 103 | foreach ($permissionsToRemove as $controller => $actions) { |
| 104 | foreach ($actions as $action => $roles) { |
| 105 | foreach ($roles as $role => $rolePermissions) { |
| 106 | $index = !is_numeric($role) ? $role : $rolePermissions; |
| 107 | unset($permissions[$controller][$action][$index]); |
| 108 | } |
| 109 | |
| 110 | if (empty($permissions[$controller][$action])) { |
| 111 | unset($permissions[$controller][$action]); |
| 112 | } |
| 113 | } |
| 114 | |
| 115 | if (empty($permissions[$controller])) { |
| 116 | unset($permissions[$controller]); |
| 117 | } |
| 118 | } |
| 119 | |
| 120 | $this->setOption(self::OPTION_PERMISSIONS, $permissions); |
| 121 | } |
| 122 | |
| 123 | public function contextHasReadAccess(ContextInterface $context): bool |
| 124 | { |
| 125 | return $this->hasAccess( |
| 126 | [self::READ, self::WRITE, self::GRANT], |
| 127 | $context->getParameter(Context::PARAM_CONTROLLER), |
| 128 | $context->getParameter(Context::PARAM_ACTION), |
| 129 | $context->getParameter(Context::PARAM_USER) |
| 130 | ); |
| 131 | } |
| 132 | |
| 133 | public function contextHasWriteAccess(ContextInterface $context): bool |
| 134 | { |
| 135 | return $this->hasAccess( |
| 136 | [self::WRITE, self::GRANT], |
| 137 | $context->getParameter(Context::PARAM_CONTROLLER), |
| 138 | $context->getParameter(Context::PARAM_ACTION), |
| 139 | $context->getParameter(Context::PARAM_USER) |
| 140 | ); |
| 141 | } |
| 142 | |
| 143 | public function contextHasGrantAccess(ContextInterface $context): bool |
| 144 | { |
| 145 | return $this->hasAccess( |
| 146 | [self::GRANT], |
| 147 | $context->getParameter(Context::PARAM_CONTROLLER), |
| 148 | $context->getParameter(Context::PARAM_ACTION), |
| 149 | $context->getParameter(Context::PARAM_USER) |
| 150 | ); |
| 151 | } |
| 152 | |
| 153 | /** |
| 154 | * @deprecated Use $this->contextHasReadAccess() |
| 155 | */ |
| 156 | public function hasReadAccess(string $controller, string $action, ?User $user = null): bool |
| 157 | { |
| 158 | $context = new Context([ |
| 159 | Context::PARAM_CONTROLLER => $controller, |
| 160 | Context::PARAM_ACTION => $action, |
| 161 | Context::PARAM_USER => $user, |
| 162 | ]); |
| 163 | |
| 164 | return $this->contextHasReadAccess($context); |
| 165 | } |
| 166 | |
| 167 | /** |
| 168 | * @deprecated Use $this->contextHasWriteAccess() |
| 169 | */ |
| 170 | public function hasWriteAccess(string $controller, string $action, ?User $user = null): bool |
| 171 | { |
| 172 | $context = new Context([ |
| 173 | Context::PARAM_CONTROLLER => $controller, |
| 174 | Context::PARAM_ACTION => $action, |
| 175 | Context::PARAM_USER => $user, |
| 176 | ]); |
| 177 | |
| 178 | return $this->contextHasWriteAccess($context); |
| 179 | } |
| 180 | |
| 181 | /** |
| 182 | * @deprecated Use $this->contextHasGrantAccess() |
| 183 | */ |
| 184 | public function hasGrantAccess(string $controller, string $action, ?User $user = null): bool |
| 185 | { |
| 186 | $context = new Context([ |
| 187 | Context::PARAM_CONTROLLER => $controller, |
| 188 | Context::PARAM_ACTION => $action, |
| 189 | Context::PARAM_USER => $user, |
| 190 | ]); |
| 191 | |
| 192 | return $this->contextHasGrantAccess($context); |
| 193 | } |
| 194 | |
| 195 | private function hasAccess(array $allowedPermissions, string $controller, string $action, ?User $user = null): bool |
| 196 | { |
| 197 | $roleIsListed = false; |
| 198 | $userRoles = $this->getUserRoles($user); |
| 199 | $permissions = $this->getPermissions($controller, $action); |
| 200 | |
| 201 | foreach ($permissions as $role => $permission) { |
| 202 | if (in_array($role, $userRoles, true)) { |
| 203 | if (in_array($permission, $allowedPermissions, true)) { |
| 204 | return true; |
| 205 | } |
| 206 | |
| 207 | $roleIsListed = true; |
| 208 | } |
| 209 | } |
| 210 | |
| 211 | if ($roleIsListed) { |
| 212 | $this->getAdvancedLogger()->warning( |
| 213 | 'User does not have enough permissions for this action', |
| 214 | [ |
| 215 | 'action' => sprintf('"%s::%s"', $controller, $action), |
| 216 | 'actionPermissions' => $permissions, |
| 217 | 'allowedPermissions' => $allowedPermissions, |
| 218 | ] |
| 219 | ); |
| 220 | } |
| 221 | |
| 222 | return !$roleIsListed; |
| 223 | } |
| 224 | |
| 225 | private function getPermissions(?string $controller = null, ?string $action = null): array |
| 226 | { |
| 227 | $permissions = $this->getOption(self::OPTION_PERMISSIONS, []); |
| 228 | |
| 229 | if (!empty($permissions) && $controller !== null) { |
| 230 | $permissions = $permissions[$controller] ?? []; |
| 231 | |
| 232 | if ($action !== null) { |
| 233 | $permissions = $permissions[$action] ?? []; |
| 234 | } |
| 235 | } |
| 236 | |
| 237 | return $permissions; |
| 238 | } |
| 239 | |
| 240 | private function getUserRoles(?User $user = null): array |
| 241 | { |
| 242 | return ($user ?? $this->getUser())->getRoles(); |
| 243 | } |
| 244 | |
| 245 | private function getUser(): User |
| 246 | { |
| 247 | return SessionManager::getSession()->getUser(); |
| 248 | } |
| 249 | |
| 250 | private function getAdvancedLogger(): LoggerInterface |
| 251 | { |
| 252 | return $this->getServiceManager()->getContainer()->get(AdvancedLogger::ACL_SERVICE_ID); |
| 253 | } |
| 254 | } |