/**
 * Checks how repository ACL strings combine when one role overrides another:
 * a non-empty right in the overriding role wins, an empty right falls back
 * to the overridden role, and AJXP_VALUE_CLEAR wipes the right entirely.
 */
public function testRolesAclAdditivity()
{
    // Each case: [overridden role right, overriding role right, expected merged right]
    $cases = array(
        array("", "w", "w"),
        array("r", "w", "w"),
        array("r", "", "r"),
        array("r", AJXP_VALUE_CLEAR, ""),
    );
    $base = new \AJXP_Role("role1");
    $top = new \AJXP_Role("role2");
    foreach ($cases as $case) {
        list($baseRight, $topRight, $expected) = $case;
        $base->setAcl("repository_id", $baseRight);
        $top->setAcl("repository_id", $topRight);
        $merged = $top->override($base);
        $this->assertEquals($expected, $merged->getAcl("repository_id"));
    }
}
/**
 * Round-trips a role through AuthService: store it, read it back, delete it,
 * and verify the lookup then reports it as missing.
 */
public function testRolesStorage()
{
    $roleId = "phpunit_temporary_role";

    $role = new \AJXP_Role($roleId);
    $role->setAcl(0, "rw");
    \AuthService::updateRole($role);

    $stored = \AuthService::getRole($roleId);
    $this->assertTrue(is_a($stored, "AJXP_Role"));
    $this->assertEquals("rw", $stored->getAcl(0));

    \AuthService::deleteRole($roleId);
    $this->assertFalse(\AuthService::getRole($roleId));
}
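/**
 * Merges this role on top of $role and returns the result as a new role
 * carrying $role's id. This role's values take precedence; $role supplies
 * the defaults. Merge rules per section:
 *  - ACLs: an empty right in this role keeps the right defined by $role;
 *    a right equal to AJXP_VALUE_CLEAR is handed to setAcl() unchanged so
 *    that the inherited right is cleared rather than kept (the ACL
 *    additivity test expects getAcl() to return "" afterwards).
 *  - Parameters: booleans are copied as-is; AJXP_VALUE_CLEAR entries are
 *    dropped; an empty string keeps the value defined by $role, if any.
 *  - Action states: merged with this role winning.
 *  - Masks: when both roles define a mask for a repository the two are
 *    combined through the mask's own override(); otherwise whichever one
 *    exists is kept.
 *
 * @param AJXP_Role $role The role being overridden (lower priority)
 * @return AJXP_Role
 */
public function override(AJXP_Role $role)
{
    $newRole = new AJXP_Role($role->getId());

    // ACLs: this role's rights layered over $role's rights.
    $roleAcl = $role->listAcls();
    $newAcls = $this->array_merge_recursive2($roleAcl, $this->listAcls());
    foreach ($newAcls as $repoId => $rightString) {
        // AJXP_VALUE_CLEAR is deliberately NOT skipped here: passing it to
        // setAcl() is what clears the inherited right.
        if (empty($rightString) && !empty($roleAcl[$repoId])) {
            $rightString = $roleAcl[$repoId];
        }
        $newRole->setAcl($repoId, $rightString);
    }

    // Parameters, keyed repoId => pluginId => parameterName => value.
    $roleParameters = $role->listParameters(true);
    $newParams = $this->array_merge_recursive2($roleParameters, $this->listParameters(true));
    foreach ($newParams as $repoId => $data) {
        foreach ($data as $pluginId => $param) {
            foreach ($param as $parameterName => $parameterValue) {
                if ($parameterValue === true || $parameterValue === false) {
                    $newRole->setParameterValue($pluginId, $parameterName, $parameterValue, $repoId);
                    continue;
                }
                if ($parameterValue == AJXP_VALUE_CLEAR) {
                    continue;
                }
                if ($parameterValue === "" && !empty($roleParameters[$repoId][$pluginId][$parameterName])) {
                    // Fall back to the overridden role's value, mirroring the ACL rule.
                    // (This used to read back $newParams, i.e. the empty value being
                    // iterated, which made the branch a no-op.)
                    $parameterValue = $roleParameters[$repoId][$pluginId][$parameterName];
                }
                $newRole->setParameterValue($pluginId, $parameterName, $parameterValue, $repoId);
            }
        }
    }

    // Action states, keyed repoId => pluginId => actionName => state.
    $newActions = $this->array_merge_recursive2($role->listActionsStates(), $this->listActionsStates());
    foreach ($newActions as $repoId => $data) {
        foreach ($data as $pluginId => $action) {
            foreach ($action as $actionName => $actionState) {
                $newRole->setActionState($pluginId, $actionName, $repoId, $actionState);
            }
        }
    }

    // Masks: union of the repositories masked by either role.
    $roleMasks = $role->listMasks();
    $allKeys = array_merge(array_keys($this->masks), array_keys($roleMasks));
    foreach ($allKeys as $repoId) {
        if (isset($roleMasks[$repoId]) && isset($this->masks[$repoId])) {
            $newRole->setMask($repoId, $roleMasks[$repoId]->override($this->masks[$repoId]));
        } elseif (isset($roleMasks[$repoId])) {
            $newRole->setMask($repoId, $roleMasks[$repoId]);
        } else {
            $newRole->setMask($repoId, $this->masks[$repoId]);
        }
    }

    return $newRole;
}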
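/**
 * Specific operations to perform at boot time: make sure the built-in roles
 * (ROOT_ROLE, MINISITE, MINISITE_NODOWNLOAD, GUEST) exist and that an
 * administrator account is present. Effectively runs once per install: the
 * marker file AJXP_CACHE_DIR/admin_counted short-circuits later calls.
 * @static
 * @param array $START_PARAMETERS A HashTable of parameters to send back to the client;
 *                                 "ALERT" is appended to when the admin account needs attention
 * @return void
 */
public static function bootSequence(&$START_PARAMETERS)
{
    if (AJXP_Utils::detectApplicationFirstRun()) {
        return;
    }
    if (file_exists(AJXP_CACHE_DIR . "/admin_counted")) {
        return;
    }

    if (AuthService::getRole("ROOT_ROLE", false) === false) {
        self::bootRootRole();
    }

    if (AuthService::getRole("MINISITE", false) === false) {
        self::bootDenyActionsRole("MINISITE", "Minisite Users", array(
            "access.fs" => array("ajxp_link", "chmod", "purge"),
            "meta.watch" => array("toggle_watch"),
            "conf.serial" => array("get_bookmarks"),
            "conf.sql" => array("get_bookmarks"),
            "index.lucene" => array("index"),
            "action.share" => array("share"),
            "gui.ajax" => array("bookmark"),
            "auth.serial" => array("pass_change"),
            "auth.sql" => array("pass_change"),
        ));
    }

    if (AuthService::getRole("MINISITE_NODOWNLOAD", false) === false) {
        self::bootDenyActionsRole("MINISITE_NODOWNLOAD", "Minisite Users - No Download", array(
            "access.fs" => array("download", "download_chunk", "prepare_chunk_dl", "download_all"),
        ));
    }

    if (AuthService::getRole("GUEST", false) === false) {
        // Unlike the minisite roles, GUEST applies in every repository scope and
        // relies on setActionState()'s default state argument.
        $guestRole = new AJXP_Role("GUEST");
        $guestRole->setLabel("Guest user role");
        $guestRole->setAutoApplies(array("guest"));
        $actions = array(
            "access.fs" => array("purge"),
            "meta.watch" => array("toggle_watch"),
            "index.lucene" => array("index"),
        );
        foreach ($actions as $pluginId => $acts) {
            foreach ($acts as $act) {
                $guestRole->setActionState($pluginId, $act, AJXP_REPO_SCOPE_ALL);
            }
        }
        AuthService::updateRole($guestRole);
    }

    self::bootAdminUser($START_PARAMETERS);

    file_put_contents(AJXP_CACHE_DIR . "/admin_counted", "true");
}

/**
 * Creates and stores ROOT_ROLE: auto-applied to "standard" and "admin" users,
 * holding the default right of every non-template repository at the group root,
 * the user dashboard as default start repository, and every plugin parameter
 * that declares a non-empty default in its manifest.
 * @return void
 */
private static function bootRootRole()
{
    $rootRole = new AJXP_Role("ROOT_ROLE");
    $rootRole->setLabel("Root Role");
    $rootRole->setAutoApplies(array("standard", "admin"));

    $dashId = "";
    foreach (ConfService::getRepositoriesList("all") as $repositoryId => $repoObject) {
        if ($repoObject->isTemplate) {
            continue;
        }
        if ($repoObject->getAccessType() == "ajxp_user") {
            $dashId = $repositoryId;
        }
        // Only repositories at the group root contribute a default ACL.
        $gp = $repoObject->getGroupPath();
        if ((empty($gp) || $gp == "/") && $repoObject->getDefaultRight() != "") {
            $rootRole->setAcl($repositoryId, $repoObject->getDefaultRight());
        }
    }
    if (!empty($dashId)) {
        $rootRole->setParameterValue("core.conf", "DEFAULT_START_REPOSITORY", $dashId);
    }

    $paramNodes = AJXP_PluginsService::searchAllManifests("//server_settings/param[@scope]", "node", false, false, true);
    if (is_array($paramNodes) && count($paramNodes)) {
        foreach ($paramNodes as $xmlNode) {
            $default = $xmlNode->getAttribute("default");
            if (empty($default)) {
                continue;
            }
            // param -> server_settings -> (presumably) the plugin's root element;
            // the plugin id is its "id" attribute, else "<nodeName>.<name>".
            $parentNode = $xmlNode->parentNode->parentNode;
            $pluginId = $parentNode->getAttribute("id");
            if (empty($pluginId)) {
                $pluginId = $parentNode->nodeName . "." . $parentNode->getAttribute("name");
            }
            $rootRole->setParameterValue($pluginId, $xmlNode->getAttribute("name"), $default);
        }
    }

    AuthService::updateRole($rootRole);
}

/**
 * Creates and stores a role that disables the given actions in the shared
 * repositories scope (AJXP_REPO_SCOPE_SHARED).
 * @param string $roleId
 * @param string $label
 * @param array $actions pluginId => list of action names to disable
 * @return void
 */
private static function bootDenyActionsRole($roleId, $label, $actions)
{
    $role = new AJXP_Role($roleId);
    $role->setLabel($label);
    foreach ($actions as $pluginId => $acts) {
        foreach ($acts as $act) {
            $role->setActionState($pluginId, $act, AJXP_REPO_SCOPE_SHARED, false);
        }
    }
    AuthService::updateRole($role);
}

/**
 * Guarantees an administrator exists. With no admin user at all, creates
 * "admin" with ADMIN_PASSWORD; if that is still the shipped
 * INITIAL_ADMIN_PASSWORD, the account is saved as superuser, locked into a
 * password change when the auth driver supports it, and the client is warned.
 * An admin count of -1 is treated as a legacy install whose existing "admin"
 * user lacks the admin flag, and that user is promoted.
 * @param array $START_PARAMETERS "ALERT" is appended to
 * @return void
 */
private static function bootAdminUser(&$START_PARAMETERS)
{
    $adminCount = AuthService::countAdminUsers();
    if ($adminCount == 0) {
        $authDriver = ConfService::getAuthDriverImpl();
        $adminPass = ADMIN_PASSWORD;
        if ($authDriver->getOption("TRANSMIT_CLEAR_PASS") !== true) {
            // NOTE(review): md5 here reproduces what the client would send when
            // passwords are not transmitted in clear; hashing of the stored
            // credential is the auth driver's responsibility — confirm.
            $adminPass = md5(ADMIN_PASSWORD);
        }
        AuthService::createUser("admin", $adminPass, true);
        if (ADMIN_PASSWORD == INITIAL_ADMIN_PASSWORD) {
            $userObject = ConfService::getConfStorageImpl()->createUserObject("admin");
            $userObject->setAdmin(true);
            AuthService::updateAdminRights($userObject);
            if (AuthService::changePasswordEnabled()) {
                $userObject->setLock("pass_change");
            }
            $userObject->save("superuser");
            self::bootAppendAlert($START_PARAMETERS, "Warning! User 'admin' was created with the initial password '" . INITIAL_ADMIN_PASSWORD . "'. \\nPlease log in as admin and change the password now!");
            // Kept inside the branch: $userObject only exists here (the
            // original called updateUser() unconditionally with it undefined).
            AuthService::updateUser($userObject);
        }
    } elseif ($adminCount == -1) {
        // Here we may come from a previous version! Check the "admin" user and set its right as admin.
        $confStorage = ConfService::getConfStorageImpl();
        $adminUser = $confStorage->createUserObject("admin");
        $adminUser->setAdmin(true);
        $adminUser->save("superuser");
        self::bootAppendAlert($START_PARAMETERS, "There is an admin user, but without admin right. Now any user can have the administration rights, \\n your 'admin' user was set with the admin rights. Please check that this suits your security configuration.");
    }
}

/**
 * Appends $message to the "ALERT" entry of the client parameters, creating
 * the entry when absent so that the append never touches an undefined key.
 * @param array $START_PARAMETERS
 * @param string $message
 * @return void
 */
private static function bootAppendAlert(&$START_PARAMETERS, $message)
{
    if (!isset($START_PARAMETERS["ALERT"])) {
        $START_PARAMETERS["ALERT"] = "";
    }
    $START_PARAMETERS["ALERT"] .= $message;
}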
/**
 * Returns a new role (carrying $role's id) holding this role's ACLs,
 * parameters and action states layered over those of $role. Entries whose
 * value equals AJXP_VALUE_CLEAR are dropped from the ACLs and from
 * non-boolean parameters; boolean parameters are always copied as-is.
 * @param AJXP_Role $role The role being overridden (lower priority)
 * @return AJXP_Role
 */
public function override(AJXP_Role $role)
{
    $merged = new AJXP_Role($role->getId());

    // ACLs: repoId => right string
    $acls = $this->array_merge_recursive2($role->listAcls(), $this->listAcls());
    foreach ($acls as $repoId => $right) {
        if ($right != AJXP_VALUE_CLEAR) {
            $merged->setAcl($repoId, $right);
        }
    }

    // Parameters: repoId => pluginId => name => value
    $params = $this->array_merge_recursive2($role->listParameters(true), $this->listParameters(true));
    foreach ($params as $repoId => $plugins) {
        foreach ($plugins as $pluginId => $values) {
            foreach ($values as $name => $value) {
                $isBool = ($value === true || $value === false);
                // Booleans bypass the clear check entirely.
                if ($isBool || $value != AJXP_VALUE_CLEAR) {
                    $merged->setParameterValue($pluginId, $name, $value, $repoId);
                }
            }
        }
    }

    // Action states: repoId => pluginId => actionName => state
    $states = $this->array_merge_recursive2($role->listActionsStates(), $this->listActionsStates());
    foreach ($states as $repoId => $plugins) {
        foreach ($plugins as $pluginId => $actions) {
            foreach ($actions as $actionName => $state) {
                $merged->setActionState($pluginId, $actionName, $repoId, $state);
            }
        }
    }

    return $merged;
}