Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
Total | |
75.58% |
65 / 86 |
|
61.54% |
8 / 13 |
CRAP | |
0.00% |
0 / 1 |
ActionAccessControl | |
75.58% |
65 / 86 |
|
61.54% |
8 / 13 |
43.10 | |
0.00% |
0 / 1 |
addPermissions | |
83.33% |
10 / 12 |
|
0.00% |
0 / 1 |
5.12 | |||
removePermissions | |
100.00% |
11 / 11 |
|
100.00% |
1 / 1 |
7 | |||
contextHasReadAccess | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
1 | |||
contextHasWriteAccess | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
1 | |||
contextHasGrantAccess | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
1 | |||
hasReadAccess | |
0.00% |
0 / 6 |
|
0.00% |
0 / 1 |
2 | |||
hasWriteAccess | |
0.00% |
0 / 6 |
|
0.00% |
0 / 1 |
2 | |||
hasGrantAccess | |
0.00% |
0 / 6 |
|
0.00% |
0 / 1 |
2 | |||
hasAccess | |
100.00% |
18 / 18 |
|
100.00% |
1 / 1 |
5 | |||
getPermissions | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
4 | |||
getUserRoles | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
getUser | |
0.00% |
0 / 1 |
|
0.00% |
0 / 1 |
2 | |||
getAdvancedLogger | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 |
1 | <?php |
2 | |
3 | /** |
4 | * This program is free software; you can redistribute it and/or |
5 | * modify it under the terms of the GNU General Public License |
6 | * as published by the Free Software Foundation; under version 2 |
7 | * of the License (non-upgradable). |
8 | * |
9 | * This program is distributed in the hope that it will be useful, |
10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
12 | * GNU General Public License for more details. |
13 | * |
14 | * You should have received a copy of the GNU General Public License |
15 | * along with this program; if not, write to the Free Software |
16 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
17 | * |
18 | * Copyright (c) 2021 (original work) Open Assessment Technologies SA; |
19 | */ |
20 | |
21 | declare(strict_types=1); |
22 | |
23 | namespace oat\tao\model\accessControl; |
24 | |
25 | use oat\oatbox\user\User; |
26 | use Psr\Log\LoggerInterface; |
27 | use oat\oatbox\log\logger\AdvancedLogger; |
28 | use oat\oatbox\service\ConfigurableService; |
29 | use oat\tao\model\Context\ContextInterface; |
30 | use common_session_SessionManager as SessionManager; |
31 | |
32 | class ActionAccessControl extends ConfigurableService |
33 | { |
34 | public const SERVICE_ID = 'tao/ActionAccessControl'; |
35 | |
36 | /** |
37 | * @example [ |
38 | * 'controller' => [ |
39 | * 'action1' => [ |
40 | * 'role1' => 'READ', |
41 | * 'role2' => 'WRITE, |
42 | * ], |
43 | * ], |
44 | * ] |
45 | */ |
46 | public const OPTION_PERMISSIONS = 'permissions'; |
47 | |
48 | public const DENY = 'DENY'; |
49 | public const READ = 'READ'; |
50 | public const WRITE = 'WRITE'; |
51 | public const GRANT = 'GRANT'; |
52 | |
53 | /** |
54 | * @example $permissionsToAdd = [ |
55 | * 'controller' => [ |
56 | * 'action1' => [ |
57 | * 'role1' => 'READ', |
58 | * 'role2' => 'WRITE, |
59 | * ], |
60 | * ], |
61 | * ] |
62 | */ |
63 | public function addPermissions(array $permissionsToAdd = []): void |
64 | { |
65 | $permissions = $this->getOption(self::OPTION_PERMISSIONS, []); |
66 | |
67 | foreach ($permissionsToAdd as $controller => $actions) { |
68 | if (empty($permissions[$controller])) { |
69 | $permissions[$controller] = $actions; |
70 | |
71 | continue; |
72 | } |
73 | |
74 | foreach ($actions as $action => $rolePermissions) { |
75 | if (empty($permissions[$controller][$action])) { |
76 | $permissions[$controller][$action] = $rolePermissions; |
77 | |
78 | continue; |
79 | } |
80 | |
81 | $actionPermissions = $permissions[$controller][$action] ?? []; |
82 | $permissions[$controller][$action] = array_merge($actionPermissions, $rolePermissions); |
83 | } |
84 | } |
85 | |
86 | $this->setOption(self::OPTION_PERMISSIONS, $permissions); |
87 | } |
88 | |
89 | /** |
90 | * @example $permissionsToRemove = [ |
91 | * 'controller' => [ |
92 | * 'action1' => [ |
93 | * 'role1', |
94 | * 'role2', |
95 | * ], |
96 | * ], |
97 | * ] |
98 | */ |
99 | public function removePermissions(array $permissionsToRemove = []): void |
100 | { |
101 | $permissions = $this->getOption(self::OPTION_PERMISSIONS, []); |
102 | |
103 | foreach ($permissionsToRemove as $controller => $actions) { |
104 | foreach ($actions as $action => $roles) { |
105 | foreach ($roles as $role => $rolePermissions) { |
106 | $index = !is_numeric($role) ? $role : $rolePermissions; |
107 | unset($permissions[$controller][$action][$index]); |
108 | } |
109 | |
110 | if (empty($permissions[$controller][$action])) { |
111 | unset($permissions[$controller][$action]); |
112 | } |
113 | } |
114 | |
115 | if (empty($permissions[$controller])) { |
116 | unset($permissions[$controller]); |
117 | } |
118 | } |
119 | |
120 | $this->setOption(self::OPTION_PERMISSIONS, $permissions); |
121 | } |
122 | |
123 | public function contextHasReadAccess(ContextInterface $context): bool |
124 | { |
125 | return $this->hasAccess( |
126 | [self::READ, self::WRITE, self::GRANT], |
127 | $context->getParameter(Context::PARAM_CONTROLLER), |
128 | $context->getParameter(Context::PARAM_ACTION), |
129 | $context->getParameter(Context::PARAM_USER) |
130 | ); |
131 | } |
132 | |
133 | public function contextHasWriteAccess(ContextInterface $context): bool |
134 | { |
135 | return $this->hasAccess( |
136 | [self::WRITE, self::GRANT], |
137 | $context->getParameter(Context::PARAM_CONTROLLER), |
138 | $context->getParameter(Context::PARAM_ACTION), |
139 | $context->getParameter(Context::PARAM_USER) |
140 | ); |
141 | } |
142 | |
143 | public function contextHasGrantAccess(ContextInterface $context): bool |
144 | { |
145 | return $this->hasAccess( |
146 | [self::GRANT], |
147 | $context->getParameter(Context::PARAM_CONTROLLER), |
148 | $context->getParameter(Context::PARAM_ACTION), |
149 | $context->getParameter(Context::PARAM_USER) |
150 | ); |
151 | } |
152 | |
153 | /** |
154 | * @deprecated Use $this->contextHasReadAccess() |
155 | */ |
156 | public function hasReadAccess(string $controller, string $action, ?User $user = null): bool |
157 | { |
158 | $context = new Context([ |
159 | Context::PARAM_CONTROLLER => $controller, |
160 | Context::PARAM_ACTION => $action, |
161 | Context::PARAM_USER => $user, |
162 | ]); |
163 | |
164 | return $this->contextHasReadAccess($context); |
165 | } |
166 | |
167 | /** |
168 | * @deprecated Use $this->contextHasWriteAccess() |
169 | */ |
170 | public function hasWriteAccess(string $controller, string $action, ?User $user = null): bool |
171 | { |
172 | $context = new Context([ |
173 | Context::PARAM_CONTROLLER => $controller, |
174 | Context::PARAM_ACTION => $action, |
175 | Context::PARAM_USER => $user, |
176 | ]); |
177 | |
178 | return $this->contextHasWriteAccess($context); |
179 | } |
180 | |
181 | /** |
182 | * @deprecated Use $this->contextHasGrantAccess() |
183 | */ |
184 | public function hasGrantAccess(string $controller, string $action, ?User $user = null): bool |
185 | { |
186 | $context = new Context([ |
187 | Context::PARAM_CONTROLLER => $controller, |
188 | Context::PARAM_ACTION => $action, |
189 | Context::PARAM_USER => $user, |
190 | ]); |
191 | |
192 | return $this->contextHasGrantAccess($context); |
193 | } |
194 | |
195 | private function hasAccess(array $allowedPermissions, string $controller, string $action, ?User $user = null): bool |
196 | { |
197 | $roleIsListed = false; |
198 | $userRoles = $this->getUserRoles($user); |
199 | $permissions = $this->getPermissions($controller, $action); |
200 | |
201 | foreach ($permissions as $role => $permission) { |
202 | if (in_array($role, $userRoles, true)) { |
203 | if (in_array($permission, $allowedPermissions, true)) { |
204 | return true; |
205 | } |
206 | |
207 | $roleIsListed = true; |
208 | } |
209 | } |
210 | |
211 | if ($roleIsListed) { |
212 | $this->getAdvancedLogger()->warning( |
213 | 'User does not have enough permissions for this action', |
214 | [ |
215 | 'action' => sprintf('"%s::%s"', $controller, $action), |
216 | 'actionPermissions' => $permissions, |
217 | 'allowedPermissions' => $allowedPermissions, |
218 | ] |
219 | ); |
220 | } |
221 | |
222 | return !$roleIsListed; |
223 | } |
224 | |
225 | private function getPermissions(?string $controller = null, ?string $action = null): array |
226 | { |
227 | $permissions = $this->getOption(self::OPTION_PERMISSIONS, []); |
228 | |
229 | if (!empty($permissions) && $controller !== null) { |
230 | $permissions = $permissions[$controller] ?? []; |
231 | |
232 | if ($action !== null) { |
233 | $permissions = $permissions[$action] ?? []; |
234 | } |
235 | } |
236 | |
237 | return $permissions; |
238 | } |
239 | |
240 | private function getUserRoles(?User $user = null): array |
241 | { |
242 | return ($user ?? $this->getUser())->getRoles(); |
243 | } |
244 | |
245 | private function getUser(): User |
246 | { |
247 | return SessionManager::getSession()->getUser(); |
248 | } |
249 | |
250 | private function getAdvancedLogger(): LoggerInterface |
251 | { |
252 | return $this->getServiceManager()->getContainer()->get(AdvancedLogger::ACL_SERVICE_ID); |
253 | } |
254 | } |