Code Coverage
 
Lines
Functions and Methods
Classes and Traits
Total
0.00% covered (danger)
0.00%
0 / 85
0.00% covered (danger)
0.00%
0 / 9
 CRAP
0.00% covered (danger)
0.00%
0 / 1
SimpleAccess
0.00% covered (danger)
0.00%
0 / 85
0.00% covered (danger)
0.00%
0 / 9
 2756
0.00% covered (danger)
0.00%
0 / 1
 __construct
0.00% covered (danger)
0.00%
0 / 7
0.00% covered (danger)
0.00%
0 / 1
 6
 accessPossible
0.00% covered (danger)
0.00%
0 / 7
0.00% covered (danger)
0.00%
0 / 1
 20
 applyRule
0.00% covered (danger)
0.00%
0 / 24
0.00% covered (danger)
0.00%
0 / 1
 240
 revokeRule
0.00% covered (danger)
0.00%
0 / 30
0.00% covered (danger)
0.00%
0 / 1
 380
 inWhiteList
0.00% covered (danger)
0.00%
0 / 5
0.00% covered (danger)
0.00%
0 / 1
 12
 whiteListExtension
0.00% covered (danger)
0.00%
0 / 2
0.00% covered (danger)
0.00%
0 / 1
 6
 whiteListController
0.00% covered (danger)
0.00%
0 / 4
0.00% covered (danger)
0.00%
0 / 1
 6
 whiteListAction
0.00% covered (danger)
0.00%
0 / 5
0.00% covered (danger)
0.00%
0 / 1
 20
 getAdvancedLogger
0.00% covered (danger)
0.00%
0 / 1
0.00% covered (danger)
0.00%
0 / 1
 2
1<?php
2
3/**
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License
6 * as published by the Free Software Foundation; under version 2
7 * of the License (non-upgradable).
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
17 *
18 * Copyright (c) 2013-2021 (original work) Open Assessment Technologies SA;
19 */
20
21namespace oat\tao\model\accessControl\func\implementation;
22
23use oat\oatbox\user\User;
24use Psr\Log\LoggerInterface;
25use oat\tao\model\user\TaoRoles;
26use oat\generis\model\GenerisRdf;
27use common_ext_ExtensionsManager;
28use oat\tao\helpers\ControllerHelper;
29use oat\oatbox\log\logger\AdvancedLogger;
30use oat\oatbox\service\ConfigurableService;
31use oat\tao\model\accessControl\func\AccessRule;
32use oat\tao\model\accessControl\func\FuncHelper;
33use oat\tao\model\accessControl\func\FuncAccessControl;
34
35/**
36 * Simple ACL Implementation deciding whenever or not to allow access
37 * strictly by the BASE_USER role and a whitelist
38 *
39 * Not to be used in production, since test-takers can access the backoffice
40 *
41 * @author Joel Bout, <joel@taotesting.com>
42 */
43class SimpleAccess extends ConfigurableService implements FuncAccessControl
44{
45    public const WHITELIST_KEY = 'SimpleAclWhitelist';
46
47    /** @var array */
48    private $controllers = [];
49
50    public function __construct($options = [])
51    {
52        parent::__construct($options);
53
54        $data = common_ext_ExtensionsManager::singleton()
55            ->getExtensionById('tao')
56            ->getConfig(self::WHITELIST_KEY);
57
58        if (is_array($data)) {
59            $this->controllers = $data;
60        }
61    }
62
63    /**
64     * {@inheritdoc}
65     */
66    public function accessPossible(User $user, $controller, $action)
67    {
68        foreach ($user->getRoles() as $role) {
69            if ($role === TaoRoles::BASE_USER) {
70                return true;
71            }
72        }
73
74        $inWhiteList = $this->inWhiteList($controller, $action);
75
76        if ($inWhiteList === false) {
77            $this->getAdvancedLogger()->info('Access denied.');
78        }
79
80        return $inWhiteList;
81    }
82
83    public function applyRule(AccessRule $rule)
84    {
85        if ($rule->getRole()->getUri() == GenerisRdf::INSTANCE_ROLE_ANONYMOUS) {
86            $mask = $rule->getMask();
87
88            if (is_string($mask)) {
89                if (strpos($mask, '@') == false) {
90                    $this->whiteListController($mask);
91                } else {
92                    [$controller, $action] = explode('@', $mask, 2);
93                    $this->whiteListAction($controller, $action);
94                }
95            } else {
96                if (isset($mask['ext']) && !isset($mask['mod'])) {
97                    $this->whiteListExtension($mask['ext']);
98                } elseif (isset($mask['ext']) && isset($mask['mod']) && !isset($mask['act'])) {
99                    $this->whiteListController(FuncHelper::getClassName($mask['ext'], $mask['mod']));
100                } elseif (isset($mask['ext']) && isset($mask['mod']) && isset($mask['act'])) {
101                    $this->whiteListAction(FuncHelper::getClassName($mask['ext'], $mask['mod']), $mask['act']);
102                } elseif (isset($mask['controller'])) {
103                    $this->whiteListController($mask['controller']);
104                } elseif (isset($mask['act']) && strpos($mask['act'], '@') !== false) {
105                    [$controller, $action] = explode('@', $mask['act'], 2);
106                    $this->whiteListAction($controller, $action);
107                } else {
108                    $this->getAdvancedLogger()->warning(
109                        sprintf(
110                            'Unrecognised mask keys: %s',
111                            implode(',', array_keys($mask))
112                        )
113                    );
114                }
115            }
116        }
117    }
118
119    public function revokeRule(AccessRule $rule)
120    {
121        if ($rule->getRole()->getUri() === GenerisRdf::INSTANCE_ROLE_ANONYMOUS) {
122            $ext = common_ext_ExtensionsManager::singleton()->getExtensionById('tao');
123
124            $this->controllers = $ext->hasConfig(self::WHITELIST_KEY) ? $ext->getConfig(self::WHITELIST_KEY) : [];
125            $mask = $rule->getMask();
126
127            if (isset($mask['ext']) && !isset($mask['mod'])) {
128                foreach (ControllerHelper::getControllers($mask['ext']) as $controllerClassName) {
129                    unset($this->controllers[$controllerClassName]);
130                }
131            } elseif (isset($mask['ext']) && isset($mask['mod']) && !isset($mask['act'])) {
132                unset($this->controllers[FuncHelper::getClassName($mask['ext'], $mask['mod'])]);
133            } elseif (isset($mask['ext']) && isset($mask['mod']) && isset($mask['act'])) {
134                $controller = FuncHelper::getClassName($mask['ext'], $mask['mod']);
135
136                if (isset($this->controllers[$controller])) {
137                    unset($this->controllers[$controller][$mask['act']]);
138
139                    if (0 === count($this->controllers[$controller])) {
140                        unset($this->controllers[$controller]);
141                    }
142                }
143            } elseif (isset($mask['controller'])) {
144                unset($this->controllers[$mask['controller']]);
145            } elseif (isset($mask['act']) && strpos($mask['act'], '@') !== false) {
146                [$controller, $action] = explode('@', $mask['act'], 2);
147
148                if (isset($this->controllers[$controller])) {
149                    unset($this->controllers[$controller][$action]);
150
151                    if (0 === count($this->controllers[$controller])) {
152                        unset($this->controllers[$controller]);
153                    }
154                }
155            } else {
156                $this->getAdvancedLogger()->warning(
157                    sprintf(
158                        'Unrecognised mask keys: %s',
159                        implode(',', array_keys($mask))
160                    )
161                );
162            }
163
164            $ext->setConfig(self::WHITELIST_KEY, $this->controllers);
165        }
166    }
167
168    private function inWhiteList($controllerName, $action)
169    {
170        return isset($this->controllers[$controllerName])
171            && (
172                !is_array($this->controllers[$controllerName])
173                || isset($this->controllers[$controllerName][$action])
174            );
175    }
176
177    private function whiteListExtension($extensionId)
178    {
179        foreach (ControllerHelper::getControllers($extensionId) as $controllerClassName) {
180            $this->whiteListController($controllerClassName);
181        }
182    }
183
184    private function whiteListController($controller)
185    {
186        $ext = common_ext_ExtensionsManager::singleton()->getExtensionById('tao');
187        // reread controllers to reduce collision risk
188        $this->controllers = $ext->hasConfig(self::WHITELIST_KEY) ? $ext->getConfig(self::WHITELIST_KEY) : [];
189        $this->controllers[$controller] = '*';
190        $ext->setConfig(self::WHITELIST_KEY, $this->controllers);
191    }
192
193    private function whiteListAction($controller, $action)
194    {
195        $ext = common_ext_ExtensionsManager::singleton()->getExtensionById('tao');
196        // reread controllers to reduce collision risk
197        $this->controllers = $ext->hasConfig(self::WHITELIST_KEY) ? $ext->getConfig(self::WHITELIST_KEY) : [];
198
199        if (!isset($this->controllers[$controller]) || is_array($this->controllers[$controller])) {
200            $this->controllers[$controller][$action] = '*';
201        }
202
203        $ext->setConfig(self::WHITELIST_KEY, $this->controllers);
204    }
205
206    private function getAdvancedLogger(): LoggerInterface
207    {
208        return $this->getServiceManager()->getContainer()->get(AdvancedLogger::ACL_SERVICE_ID);
209    }
210}