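 /**
  * Checks whether the calling context may act on the given Process.
  *
  * The only restricted action is 'kill': a process that belongs to an eyeos
  * user can only be killed by a context whose principals include that same
  * user. Processes without an associated user, and every other action, are
  * granted.
  *
  * @param mixed $object The Process to check; any other type is rejected.
  * @param IPermission $permission Requested actions (see getActions()).
  * @param LoginContext $context Login context of the caller.
  * @return bool TRUE when the check succeeded and access is granted. This
  *              handler never returns FALSE; denial is signalled by throwing.
  *
  * @throws EyeInvalidArgumentException If $object is not a Process.
  * @throws EyeAccessControlException If 'kill' is requested by a non-owner.
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof Process) {
         throw new EyeInvalidArgumentException('$object must be a Process.');
     }
     // Resolve the user owning the process. A missing login context or a
     // context without user both mean "no owner".
     $ownerUser = null;
     try {
         $processContext = $object->getLoginContext();
         if ($processContext !== null) {
             $ownerUser = $processContext->getEyeosUser();
         }
     } catch (EyeNullPointerException $e) {
         // Best effort: handled as "no owner" below.
     }
     // The process has no eyeos user associated to it: access granted
     if ($ownerUser === null) {
         return true;
     }
     // Strict comparison: action names are strings, a non-string must not match 'kill'.
     if (!in_array('kill', $permission->getActions(), true)) {
         return true;
     }
     foreach ($context->getSubject()->getPrincipals() as $principal) {
         // NOTE(review): loose == on ids kept for compatibility with mixed
         // int/string ids; confirm both sides share a type before tightening.
         if ($principal instanceof AbstractEyeosUser && $principal->getId() == $ownerUser->getId()) {
             return true;
         }
     }
     throw new EyeAccessControlException('Cannot kill process "' . $object->getName() . '"[' . $object->getPid() . '](' . $ownerUser->getName() . ') as ' . $context->getEyeosUser()->getName() . ': not the owner.');
 }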
 /**
  * Handles an "extern" login form submission.
  *
  * Reads username, password and the originating login page from POST,
  * authenticates through a LoginContext and, on success, stores the login
  * data in the MemoryManager (in system mode) before redirecting to
  * index.php. On any failure the browser is sent back to the login page
  * with errorLogin=1.
  *
  * NOTE(review): the password is kept in clear text in the memory manager
  * and the POSTed loginPage is written into a Location header unvalidated;
  * both are worth revisiting (credential exposure, uncontrolled redirect).
  *
  * @param MMapRequest $request
  * @param MMapResponse $response Not used; redirection is done via header().
  * @return void
  */
 public function processRequest(MMapRequest $request, MMapResponse $response)
 {
     ob_start('mb_output_handler');
     MMapManager::startSession();
     MMapManager::checkSessionExpiration();
     // Missing POST fields default to the empty string.
     $fields = array('username' => '', 'password' => '', 'loginPage' => '');
     foreach (array_keys($fields) as $field) {
         if ($request->issetPOST($field)) {
             $fields[$field] = $request->getPOST($field);
         }
     }
     $subject = new Subject();
     $loginContext = new LoginContext('eyeos-login', $subject);
     $credential = new EyeosPasswordCredential();
     $credential->setUsername($fields['username']);
     $credential->setPassword($fields['password'], true);
     $subject->getPrivateCredentials()->append($credential);
     try {
         $loginContext->login();
         $memory = MemoryManager::getInstance();
         Kernel::enterSystemMode();
         $memory->set('isExternLogin', 1);
         $memory->set('username', $fields['username']);
         $memory->set('password', $fields['password']);
         $memory->set('loginPage', $fields['loginPage']);
         Kernel::exitSystemMode();
         header("Location: index.php");
     } catch (Exception $e) {
         header("Location:" . $fields['loginPage'] . "?errorLogin=1");
     }
 }
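 /**
  * Checks access to a workgroup file (workgroup:// file or workgroup conf file).
  *
  * The workgroup owner is always granted. Otherwise the caller must hold a
  * non-"invited" membership assignation in the file's workgroup, and the role
  * of that assignation defines the reference actions compared against
  * $permission:
  *  - EyeWorkgroupFile: admin => everything, editor => read/write, viewer => read;
  *    'write' is refused altogether while the workgroup activity is locked.
  *  - EyeWorkgroupConfFile: admin => everything, any other role => read.
  *
  * @param mixed $object EyeWorkgroupFile or EyeWorkgroupConfFile to check.
  * @param IPermission $permission Requested actions.
  * @param LoginContext $context Login context of the caller.
  * @return bool TRUE when access is granted, FALSE when the handler could not
  *              decide (no eyeos user in the context; see $this->failureException).
  *
  * @throws EyeInvalidArgumentException If $object is not a supported file type.
  * @throws EyeAccessControlException If the caller is not an accepted member,
  *         if 'write' is requested on an activity-locked workgroup, or if the
  *         role does not imply the requested actions.
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof EyeWorkgroupFile && !$object instanceof EyeWorkgroupConfFile) {
         throw new EyeInvalidArgumentException('$object must be an EyeWorkgroupFile or EyeWorkgroupConfFile.');
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     $workgroup = $object->getWorkgroup();
     // The current user is the owner of the workgroup => access granted
     if ($workgroup->getOwnerId() == $eyeosUser->getId()) {
         return true;
     }
     // Retrieve the role of the current user inside the workgroup (if member)
     $um = UMManager::getInstance();
     $assignation = $um->getNewUserWorkgroupAssignationInstance();
     $assignation->setUserId($eyeosUser->getId());
     $assignation->setWorkgroupId($workgroup->getId());
     // current() yields FALSE when no assignation matched
     $assignation = current($um->getAllUserWorkgroupAssignations($assignation));
     if ($assignation === false || $assignation->getStatus() == WorkgroupConstants::STATUS_INVITED) {
         throw new EyeAccessControlException('Access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (not member of the workgroup).');
     }
     $requestedActions = $permission->getActions();
     $refPermissionActions = array();
     if ($object instanceof EyeWorkgroupFile) {
         // The workgroup has its activity locked => write access denied.
         // Parentheses make the precedence explicit (& binds tighter than &&).
         if (in_array('write', $requestedActions, true) && ($workgroup->getStatus() & AbstractEyeosWorkgroup::STATUS_ACTIVITY_LOCKED)) {
             throw new EyeAccessControlException('Access denied to the specified file: the activity of the workgroup ' . $workgroup->getName() . ' is currently locked.');
         }
         switch ($assignation->getRole()) {
             case WorkgroupConstants::ROLE_ADMIN:
                 return true;
             case WorkgroupConstants::ROLE_EDITOR:
                 $refPermissionActions = array('read', 'write');
                 break;
             case WorkgroupConstants::ROLE_VIEWER:
                 $refPermissionActions = array('read');
                 break;
         }
     } else {
         // EyeWorkgroupConfFile (the only other type accepted above)
         switch ($assignation->getRole()) {
             case WorkgroupConstants::ROLE_ADMIN:
                 return true;
             default:
                 $refPermissionActions = array('read');
                 break;
         }
     }
     // An unknown role leaves the reference actions empty => nothing is implied.
     $refPermission = new VirtualFilePermission('', $refPermissionActions);
     if ($refPermission->implies($permission)) {
         return true;
     }
     throw new EyeAccessControlException('Access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (insufficient permissions).');
 }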
 /**
  * Guards a route behind an authenticated session.
  *
  * When the login context knows no current user the client is redirected
  * (303) to '/' and FALSE is returned; otherwise TRUE.
  *
  * @return bool
  */
 public function __invoke()
 {
     if ($this->loginContext->currentUser()) {
         return true;
     }
     $this->redirector->redirect(303, '/');
     return false;
 }
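 /**
  * Executed once before each test method.
  *
  * Remembers the process to restore afterwards, makes sure the group
  * "wonderland" and the user "alice" exist (once per run), recreates the
  * fixture files and directories for user "john" and the tests tmp dir, and
  * finally starts a process logged in as john so the tests run in his context.
  */
 public function setUp()
 {
     if (self::$InitProcessToRestore === null) {
         self::$InitProcessToRestore = ProcManager::getInstance()->getCurrentProcess();
     }
     $this->fixture_file1_path = USERS_PATH . '/john/' . USERS_FILES_DIR . '/myHomeFile.ext';
     $this->fixture_metafile1_path = USERS_PATH . '/john/' . USERS_METAFILES_DIR . '/' . USERS_FILES_DIR . '/myHomeFile.ext.xml';
     $this->fixture_file2_path = EYEOS_TESTS_TMP_PATH . '/mySysFile.ext';
     $this->fixture_dir1_path = USERS_PATH . '/john/' . USERS_FILES_DIR . '/myHomeDir';
     $this->fixture_dir2_path = EYEOS_TESTS_TMP_PATH . '/mySysDir';
     $this->group = UMManager::getGroupByName(SERVICE_UM_DEFAULTUSERSGROUP);
     if (!self::$AliceCreated) {
         $um = UMManager::getInstance();
         try {
             //create group "wonderland"
             $wonderland = $um->getNewGroupInstance();
             $wonderland->setName('wonderland');
             $um->createGroup($wonderland);
         } catch (EyeGroupAlreadyExistsException $e) {
             // The group is left over from a previous run: load the existing one
             // so that its id (alice's primary group below) is valid.
             $wonderland = $um->getGroupByName('wonderland');
         }
         try {
             //create user "alice"
             $alice = $um->getNewUserInstance();
             $alice->setName('alice');
             $alice->setPassword('alice', true);
             $alice->setPrimaryGroupId($wonderland->getId());
             $um->createUser($alice);
         } catch (EyeUserAlreadyExistsException $e) {
             // alice already exists: nothing to do
         }
         self::$AliceCreated = true;
     }
     AdvancedPathLib::rmdirs(USERS_PATH . '/john/' . USERS_FILES_DIR, true);
     AdvancedPathLib::rmdirs(USERS_PATH . '/john/' . USERS_METAFILES_DIR, true);
     if (!is_dir(EYEOS_TESTS_TMP_PATH)) {
         // NOTE(review): 0777 makes the tests tmp dir world-writable; acceptable
         // on an isolated test box only.
         mkdir(EYEOS_TESTS_TMP_PATH, 0777, true);
     }
     AdvancedPathLib::rmdirs(EYEOS_TESTS_TMP_PATH, true);
     $this->fixture_file1 = FSI::getFile('home://~john/myHomeFile.ext');
     file_put_contents($this->fixture_file1_path, 'some content');
     $this->fixture_file2 = FSI::getFile('sys:///tests/tmp/mySysFile.ext');
     file_put_contents($this->fixture_file2_path, 'some other content');
     $this->fixture_dir1 = FSI::getFile('home://~john/myHomeDir');
     if (!is_dir($this->fixture_dir1_path)) {
         mkdir($this->fixture_dir1_path);
     }
     $this->fixture_dir2 = FSI::getFile('sys:///tests/tmp/mySysDir');
     if (!is_dir($this->fixture_dir2_path)) {
         mkdir($this->fixture_dir2_path);
     }
     // Run the tests as john: start a process bound to a login context for him.
     $proc = new Process('example');
     $loginContext = new LoginContext('example', new Subject());
     $loginContext->getSubject()->getPrivateCredentials()->append(new EyeosPasswordCredential('john', 'john'));
     $loginContext->login();
     $proc->setLoginContext($loginContext);
     ProcManager::getInstance()->execute($proc);
     self::$MyProcPid = $proc->getPid();
 }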
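 /**
  * OAuth callback endpoint for the "stacksync" cloud integration.
  *
  * When both oauth_verifier and oauth_token are present in the query string
  * it answers a static "Successful authentication" HTML page, logs in as the
  * user "root", registers a fake "stacksync" process (pid 31338) as the
  * current process, and broadcasts the received token pair through NetSync
  * to every member of the "users" group. Without both parameters it does
  * nothing.
  *
  * NOTE(review): the endpoint is reachable without prior authentication and
  * the token values are forwarded to all users exactly as received; consider
  * binding the callback to the session that started the OAuth flow and
  * delivering the token to that user only.
  *
  * @param MMapRequest $request
  * @param MMapResponse $response
  * @return void
  *
  * @throws EyeFailedLoginException If the user "root" does not exist.
  */
 public function processRequest(MMapRequest $request, MMapResponse $response)
 {
     $oauthVerifier = $request->issetGET('oauth_verifier') ? $request->getGET('oauth_verifier') : null;
     $oauthToken = $request->issetGET('oauth_token') ? $request->getGET('oauth_token') : null;
     // Truthiness check kept: an empty or "0" value counts as absent.
     if (!$oauthVerifier || !$oauthToken) {
         return;
     }
     $headers = $response->getHeaders();
     $headers->append('Content-type: text/html');
     $body = '<html>
                         <div id="logo_eyeos" style="margin: 0 auto;width:350"> <img src="eyeos/extern/images/logo-eyeos.jpg"/></div>
                         <div style="margin: 0 auto;width:350;text-align:center"><span style="font-family:Verdana;font-size:20px;">Successful authentication.<br>Back to Eyeos.</span></div>
                  </html>';
     // Content-Length counts bytes, so the byte-wise strlen() is correct here.
     $headers->append('Content-Length: ' . strlen($body));
     $headers->append('Accept-Ranges: bytes');
     $headers->append('X-Pad: avoid browser bug');
     $headers->append('Cache-Control: ');
     $headers->append('pragma: ');
     $response->setBody($body);
     try {
         $userRoot = UMManager::getInstance()->getUserByName('root');
     } catch (EyeNoSuchUserException $e) {
         // message fixed: it used to read 'Unknown user root"".'
         throw new EyeFailedLoginException('Unknown user "root". Cannot proceed to login.', 0, $e);
     }
     $subject = new Subject();
     $loginContext = new LoginContext('eyeos-login', $subject);
     $cred = new EyeosPasswordCredential();
     $cred->setUsername('root');
     // Second argument is FALSE here while the login handler passes TRUE with a
     // clear-text password; presumably "hash the value" - confirm against EyeosPasswordCredential.
     $cred->setPassword($userRoot->getPassword(), false);
     $subject->getPrivateCredentials()->append($cred);
     $loginContext->login();
     // Register a fake process for the app, bound to the root login context, and make it current.
     Kernel::enterSystemMode();
     $appProcess = new Process('stacksync');
     $appProcess->setPid('31338');
     $mem = MemoryManager::getInstance();
     $processTable = $mem->get('processTable', array());
     $processTable[31338] = $appProcess;
     $mem->set('processTable', $processTable);
     $appProcess->setLoginContext($loginContext);
     ProcManager::getInstance()->setCurrentProcess($appProcess);
     Kernel::exitSystemMode();
     $token = new stdClass();
     $token->oauth_verifier = $oauthVerifier;
     $token->oauth_token = $oauthToken;
     $um = UMManager::getInstance();
     $group = $um->getGroupByName('users');
     foreach ($um->getAllUsersFromGroup($group) as $user) {
         $message = new NetSyncMessage('cloud', 'token', $user->getId(), $token);
         NetSyncController::getInstance()->send($message);
     }
 }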
 /**
  * login() must complete (returning NULL) when the security domain has no
  * login module configured.
  *
  * @return void
  */
 public function testLoginSuccessfullWithoutAnyLoginModule()
 {
     // subject, callback handler and configuration are plain mocks: no module is configured
     $loginContext = new LoginContext(
         $this->getMock('AppserverIo\\Psr\\Security\\Auth\\Subject'),
         $this->getMock('AppserverIo\\Psr\\Security\\Auth\\Callback\\CallbackHandlerInterface'),
         $this->getMock('AppserverIo\\Psr\\Security\\Auth\\Login\\SecurityDomainConfigurationInterface')
     );
     $this->assertNull($loginContext->login());
 }
 /**
  * Requires the caller to belong to every group listed in $this->groups.
  *
  * Membership is derived from the EyeosGroup principals of the context's
  * subject and compared by name. $object and $permission are not consulted.
  *
  * @param mixed $object Ignored.
  * @param IPermission $permission Ignored.
  * @param LoginContext $context Login context of the caller.
  * @return bool Always TRUE when the check passes; denial is signalled by throwing.
  *
  * @throws EyeAccessControlException If one of the required groups is missing.
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     $memberOf = array();
     $principals = $context->getSubject()->getPrincipals();
     foreach ($principals as $p) {
         if (!$p instanceof EyeosGroup) {
             continue;
         }
         $memberOf[] = $p->getName();
     }
     foreach ($this->groups as $requiredGroup) {
         if (in_array($requiredGroup, $memberOf, true)) {
             continue;
         }
         throw new EyeAccessControlException('The specified action requires privileges of group "' . $requiredGroup . '".');
     }
     return true;
 }
 /**
  * Lets a user manage (update/delete) only its own UM entry.
  *
  * Presumably $object is a user principal: only its getId() is compared with
  * the eyeos user of the context (TODO confirm; no type check is performed).
  * When the ids match, 'update' and 'delete' are the reference actions that
  * must imply the requested permission.
  *
  * @param mixed $object Principal the UM action targets.
  * @param IPermission $permission Requested actions.
  * @param LoginContext $context Login context of the caller.
  * @return bool TRUE when access is granted, FALSE when no eyeos user is in
  *              the context (see $this->failureException).
  *
  * @throws EyeAccessControlException If the caller is not the target or asks for more than update/delete.
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     try {
         $currentUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     $granted = false;
     if ($object->getId() == $currentUser->getId()) {
         $selfPermission = new SimplePermission('', array('update', 'delete'));
         $granted = $selfPermission->implies($permission);
     }
     if (!$granted) {
         throw new EyeAccessControlException('Access denied to UM (actions: ' . $permission->getActionsAsString() . ')');
     }
     return true;
 }
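 /**
  * Checks access to the metadata of a virtual file.
  *
  * Reading metadata is always allowed. Deleting or writing metadata requires
  * write access to the related file, delegated to
  * $fileObject->checkWritePermission() (presumably throws on denial -
  * confirm). Writing additionally requires the original metadata to be
  * available; the former owner-only check on sensitive keys is disabled.
  *
  * @param mixed $object The VirtualFileMetaData being accessed.
  * @param IPermission $permission Requested actions plus the related file
  *        (getRelatedObject()) and, for 'write', the original metadata.
  * @param LoginContext $context Login context of the caller.
  * @return bool TRUE when the check passed, FALSE when no eyeos user is in
  *              the context (see $this->failureException).
  *
  * @throws EyeInvalidArgumentException If $object is not a VirtualFileMetaData.
  * @throws EyeNullPointerException If the related file or the original metadata is missing.
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof VirtualFileMetaData) {
         throw new EyeInvalidArgumentException('$object must be a VirtualFileMetaData.');
     }
     // The user itself is not needed below; the lookup only enforces that the
     // context is bound to an eyeos user.
     try {
         $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     foreach ($permission->getActions() as $action) {
         // Strict comparison: only the string action names are meaningful.
         if ($action !== 'delete' && $action !== 'write') {
             continue;
         }
         if ($action === 'write') {
             // The original metadata (and thus the original owner) must be available.
             // A former check restricted updates of keys other than the modification
             // time to the file owner; it is disabled, so write access to the file
             // is all that is required for now.
             if ($permission->getOriginalMetaData() === null) {
                 throw new EyeNullPointerException('$permission->getOriginalMetaData()');
             }
         }
         // DELETE and WRITE of metadata both require WRITE access to the file
         $fileObject = $permission->getRelatedObject();
         if ($fileObject === null) {
             throw new EyeNullPointerException('$permission->getRelatedObject()');
         }
         $fileObject->checkWritePermission();
     }
     return true;
 }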
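 /**
  * Entry point of the HTTP API: authenticates with the supplied credentials
  * and dispatches a module call.
  *
  * Parameters come from POST 'params' (decoded by DataManager) or, as a
  * fallback, from GET 'params' (taken as-is). The caller is logged in with
  * $_REQUEST['username'] / $_REQUEST['password'], a fake process named "api"
  * (pid 31337) is installed as the current process, and
  * EyeosApplicationExecutable::__callModule() is invoked with the POST
  * 'module', 'name' and the params. The result is rendered through a
  * DataManagerBodyRenderer unless the module already produced a body.
  *
  * NOTE(review): $_REQUEST also accepts the credentials from the query string
  * and cookies, so they may end up in access logs; reading them from
  * $request->getPOST() would confine them to the request body.
  *
  * @param MMapRequest $request
  * @param MMapResponse $response
  * @return void
  */
 public function processRequest(MMapRequest $request, MMapResponse $response)
 {
     ob_start('mb_output_handler');
     $dataManager = DataManager::getInstance();
     $post = $request->getPOST();
     $params = array();
     if (isset($post['params'])) {
         $params = $dataManager->doInput($post['params']);
     } elseif ($request->issetGET('params')) {
         $params = $request->getGET('params');
     }
     //login in the system and get a valid login context
     $subject = new Subject();
     $loginContext = new LoginContext('eyeos-login', $subject);
     $cred = new EyeosPasswordCredential();
     $cred->setUsername($_REQUEST['username']);
     $cred->setPassword($_REQUEST['password'], true);
     $subject->getPrivateCredentials()->append($cred);
     $loginContext->login();
     //now create fake process called api
     Kernel::enterSystemMode();
     $appProcess = new Process('api');
     $appProcess->setPid('31337');
     $mem = MemoryManager::getInstance();
     $processTable = $mem->get('processTable', array());
     $processTable[31337] = $appProcess;
     $mem->set('processTable', $processTable);
     $appProcess->setLoginContext($loginContext);
     ProcManager::getInstance()->setCurrentProcess($appProcess);
     Kernel::exitSystemMode();
     // Direct static call instead of call_user_func_array() with an array callable.
     $return = EyeosApplicationExecutable::__callModule($request->getPOST('module'), $request->getPOST('name'), $params);
     //try to force mime type. If there is a previous mime type defined at application level
     //this have no effect
     if (!headers_sent()) {
         $response->getHeaders()->append('Content-type:text/plain');
     }
     if ($response->getBodyRenderer() === null && $response->getBody() == '') {
         $response->setBodyRenderer(new DataManagerBodyRenderer($return));
     }
 }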
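 /**
  * Checks access to a principal/group assignation (adding a principal to,
  * or removing it from, a group).
  *
  * Only assignations whose principal is a workgroup are handled:
  *  - 'addtogroup' requires the target group to be among the caller's principals;
  *  - 'removefromgroup' requires the caller to be the workgroup owner.
  * A 'removefromgroup' on a principal that no longer exists is always granted
  * (the dangling assignation may be deleted by anyone). Every other case is denied.
  *
  * @param mixed $object The EyeosPrincipalGroupAssignation to check.
  * @param IPermission $permission Requested actions.
  * @param LoginContext $context Login context of the caller.
  * @return bool TRUE when access is granted, FALSE when no eyeos user is in
  *              the context (see $this->failureException).
  *
  * @throws EyeInvalidArgumentException If $object is not an EyeosPrincipalGroupAssignation.
  * @throws EyeAccessControlException If the requested actions are not permitted.
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof EyeosPrincipalGroupAssignation) {
         throw new EyeInvalidArgumentException('$object must be a EyeosPrincipalGroupAssignation.');
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     $um = UMManager::getInstance();
     // Initialised so that a missing principal (caught below) falls through to
     // the final denial instead of reading an undefined variable.
     $principal = null;
     try {
         $principal = $um->getPrincipalById($object->getPrincipalId());
     } catch (EyeNoSuchPrincipalException $e) {
         if (in_array('removefromgroup', $permission->getActions(), true)) {
             // The principal we want to remove from the group is not found
             // => we can delete assignation safely, whoever we are
             return true;
         }
     }
     $group = $um->getPrincipalById($object->getGroupId());
     // Special processing for workgroup/master group assignations
     if ($principal instanceof IWorkgroup) {
         foreach ($permission->getActions() as $action) {
             // Strict comparisons replace the former switch (which compared loosely).
             if ($action === 'addtogroup') {
                 if (!$context->getSubject()->getPrincipals()->contains($group)) {
                     throw new EyeAccessControlException('Cannot add workgroup "' . $principal->getName() . '" to group ' . $group->getName() . ': insufficient permissions.');
                 }
             } elseif ($action === 'removefromgroup') {
                 // NOTE(review): loose != on ids kept; tighten once both id types are confirmed.
                 if ($principal->getOwnerId() != $eyeosUser->getId()) {
                     throw new EyeAccessControlException('Cannot remove workgroup "' . $principal->getName() . '" from group ' . $group->getName() . ': insufficient permissions.');
                 }
             }
         }
         return true;
     }
     throw new EyeAccessControlException('Access denied to UM assignation (actions: ' . $permission->getActionsAsString() . ')');
 }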
 /**
  * Re-authenticates the current process with a new username/password pair.
  *
  * A fresh LoginContext (named like the current one) is built around the
  * given credentials; when login succeeds it replaces the login context of
  * the current process, so the target application runs as that user.
  *
  * @param array $params (0 => username, 1 => password)
  * @return bool TRUE on successful login, FALSE when the login module rejected the credentials.
  */
 public static function login($params)
 {
     $procManager = ProcManager::getInstance();
     $process = $procManager->getCurrentProcess();
     $contextName = $process->getLoginContext()->getName();
     $subject = new Subject();
     $loginContext = new LoginContext($contextName, $subject);
     $subject->getPrivateCredentials()->append(new EyeosPasswordCredential($params[0], $params[1]));
     try {
         $loginContext->login();
     } catch (EyeLoginException $e) {
         return false;
     }
     //login succeeded, we can replace our current login context by the new one
     //which will be used by the target application to run
     $procManager->setProcessLoginContext($process->getPid(), $loginContext);
     return true;
 }
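 /**
  * Checks access to the metadata of a principal.
  *
  * Reading is always allowed. Writing or deleting requires the caller to be
  * the principal the metadata belongs to: the context's eyeos user is
  * compared with $permission->getRelatedObject().
  *
  * @param mixed $object The PrincipalMetaData being accessed.
  * @param IPermission $permission Must be a MetaDataPermission; its related
  *        object is the owning principal.
  * @param LoginContext $context Login context of the caller.
  * @return bool TRUE when access is granted, FALSE when no eyeos user is in
  *              the context (see $this->failureException).
  *
  * @throws EyeInvalidArgumentException If $object or $permission has the wrong type.
  * @throws EyeAccessControlException If a non-owner requests write or delete.
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof PrincipalMetaData) {
         throw new EyeInvalidArgumentException('$object must be a PrincipalMetaData.');
     }
     if (!$permission instanceof MetaDataPermission) {
         throw new EyeInvalidArgumentException('$permission must be a MetaDataPermission.');
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     $reqActions = $permission->getActions();
     // Strict comparison: action names are strings.
     $privilegedRequested = in_array('delete', $reqActions, true) || in_array('write', $reqActions, true);
     // NOTE(review): != on objects compares them field by field (loose), not by
     // identity; kept as-is since two distinct instances may describe the same user.
     if ($privilegedRequested && $eyeosUser != $permission->getRelatedObject()) {
         throw new EyeAccessControlException('Only the owner of the metadata can write or delete them.');
     }
     return true;
 }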
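 /**
  * Checks access to the metadata of a workgroup.
  *
  * Reading is always allowed. Writing or deleting requires the caller to be
  * either the owner of the workgroup ($permission->getRelatedObject()) or a
  * member holding the admin role.
  *
  * @param mixed $object The WorkgroupMetaData being accessed.
  * @param IPermission $permission Must be a MetaDataPermission whose related
  *        object is the workgroup.
  * @param LoginContext $context Login context of the caller.
  * @return bool TRUE when access is granted, FALSE when write/delete is
  *              requested but no eyeos user is in the context (see $this->failureException).
  *
  * @throws EyeInvalidArgumentException If $object or $permission has the wrong type.
  * @throws EyeUnexpectedValueException If the caller is a member but no assignation is found.
  * @throws EyeAccessControlException If a non-member or a non-admin member requests write or delete.
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof WorkgroupMetaData) {
         // message fixed: it used to name PrincipalMetaData
         throw new EyeInvalidArgumentException('$object must be a WorkgroupMetaData.');
     }
     if (!$permission instanceof MetaDataPermission) {
         throw new EyeInvalidArgumentException('$permission must be a MetaDataPermission.');
     }
     $reqActions = $permission->getActions();
     // Only WRITE and DELETE require special privileges (owner or admin); strict comparison.
     if (!in_array('delete', $reqActions, true) && !in_array('write', $reqActions, true)) {
         return true;
     }
     $workgroup = $permission->getRelatedObject();
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     // The owner needs no further check
     if ($workgroup->getOwnerId() == $eyeosUser->getId()) {
         return true;
     }
     // Not the owner: first of all, is the current user member of the workgroup?
     if (!$context->getSubject()->getPrincipals()->contains($workgroup)) {
         throw new EyeAccessControlException('Access denied to the metadata of workgroup "' . $workgroup->getName() . '": not a member.');
     }
     // Search for the assignation to find his role
     $um = UMManager::getInstance();
     $assignation = $um->getNewUserWorkgroupAssignationInstance();
     $assignation->setUserId($eyeosUser->getId());
     $assignation->setWorkgroupId($workgroup->getId());
     $assignation = current($um->getAllUserWorkgroupAssignations($assignation));
     if ($assignation === false) {
         throw new EyeUnexpectedValueException('Wrong assignation.');
     }
     if ($assignation->getRole() != WorkgroupConstants::ROLE_ADMIN) {
         throw new EyeAccessControlException('Access denied: Only the owner or the admin of the workgroup can write or delete specified resource.');
     }
     return true;
 }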
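 /**
  * Pre-check for the metadata of workgroup files.
  *
  * Grants every action to members of the file's workgroup holding the owner,
  * admin or editor role. For any other member it declines to decide (returns
  * FALSE) so that the default file-metadata handler applies the file
  * permissions; non-members are denied outright.
  *
  * @param mixed $object The VirtualFileMetaData being accessed.
  * @param IPermission $permission Requested actions; its related object must be the EyeWorkgroupFile.
  * @param LoginContext $context Login context of the caller.
  * @return bool TRUE when access is granted; FALSE when this handler does not
  *              apply (not a workgroup file, no eyeos user, role without blanket
  *              access) - see $this->failureException.
  *
  * @throws EyeInvalidArgumentException If $object is not a VirtualFileMetaData.
  * @throws EyeAccessControlException If the caller is not a member of the workgroup.
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof VirtualFileMetaData) {
         throw new EyeInvalidArgumentException('$object must be a VirtualFileMetaData.');
     }
     // This handler is only for workgroup files, so check that we are dealing with metadata of that kind
     // (a NULL related object fails the instanceof test as well).
     $fileObject = $permission->getRelatedObject();
     if (!$fileObject instanceof EyeWorkgroupFile) {
         $this->failureException = new EyeHandlerFailureException('Can only work with metadata of workgroup files.');
         return false;
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     $um = UMManager::getInstance();
     $workgroup = $fileObject->getWorkgroup();
     // Retrieve current user / file's workgroup assignation
     $assignation = $um->getNewUserWorkgroupAssignationInstance();
     $assignation->setUserId($eyeosUser->getId());
     $assignation->setWorkgroupId($workgroup->getId());
     $assignation = current($um->getAllUserWorkgroupAssignations($assignation));
     // No assignation found => user is not member of the group
     if ($assignation === false) {
         throw new EyeAccessControlException('Only members of workgroup "' . $workgroup->getName() . '" can access workgroup files.');
     }
     // Owners, admins and editors have *all* permissions (strict comparison of the role)
     $blanketRoles = array(WorkgroupConstants::ROLE_OWNER, WorkgroupConstants::ROLE_ADMIN, WorkgroupConstants::ROLE_EDITOR);
     if (in_array($assignation->getRole(), $blanketRoles, true)) {
         return true;
     }
     // Don't perform further checks. Default behaviour will be handled by EyeosFileMetaDataSecurityHandler
     // using UNIX-like permissions of files. We just needed a special processing for the roles above.
     $this->failureException = new EyeHandlerFailureException('User is not the owner, an admin or an editor of workgroup "' . $workgroup->getName() . '".');
     return false;
 }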
 /**
  * Executed before each test method.
  *
  * Remembers the initial process, removes any leftover "fakeUser" and
  * "fakeGroup", recreates both, starts a process logged in as fakeUser and
  * prepares the fixture paths and file objects under fakeUser's home.
  */
 public function setUp()
 {
     if (self::$InitProcessToRestore === null) {
         self::$InitProcessToRestore = ProcManager::getInstance()->getCurrentProcess();
     }
     $um = UMManager::getInstance();
     // Drop leftovers from a previous run; "does not exist" is not an error here.
     try {
         $um->deletePrincipal($um->getUserByName('fakeUser'));
     } catch (EyeNoSuchUserException $e) {
         // nothing to clean up
     }
     try {
         $um->deletePrincipal($um->getGroupByName('fakeGroup'));
     } catch (EyeNoSuchGroupException $e) {
         // nothing to clean up
     }
     $group = $um->getNewGroupInstance();
     $this->group = $group;
     $group->setName('fakeGroup');
     $um->createGroup($group);
     $this->idGroup = $group->getId();
     $user = $um->getNewUserInstance();
     $this->user = $user;
     $user->setName('fakeUser');
     $user->setPassword('fakePassword', true);
     $user->setPrimaryGroupId($group->getId());
     $um->createUser($user);
     $this->idUser = $user->getId();
     // Run the tests as fakeUser.
     $proc = new Process('example');
     $loginContext = new LoginContext('example', new Subject());
     $loginContext->getSubject()->getPrivateCredentials()->append(new EyeosPasswordCredential('fakeUser', 'fakePassword'));
     $loginContext->login();
     $proc->setLoginContext($loginContext);
     ProcManager::getInstance()->execute($proc);
     self::$MyProcPid = $proc->getPid();
     $home = USERS_PATH . '/fakeUser/' . USERS_FILES_DIR;
     $this->fixture_file_path = $home . '/testFile.txt';
     $this->fixture_newFile_path = $home . '/testDir/testFile2.txt';
     $this->fixture_file = FSI::getFile('home://~fakeUser/testFile.txt');
     $this->fixture_dir_path = $home . '/testDir';
     $this->fixture_dir = FSI::getFile('home://~fakeUser/testDir');
 }
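 /**
  * Checks workgroup privileges for an arbitrary object (DEPRECATED).
  *
  * The former resolution of the related workgroup from $object (via
  * getOwnerId()/getOwner() and UMManager) has been removed, so $workgroup is
  * never set and the handler always declines with a failure exception - it
  * is effectively disabled. The remaining code documents the intended check:
  * the workgroup must be among the context's principals and the user must
  * hold an assignation in it.
  *
  * @param mixed $object Object whose workgroup privileges are checked.
  * @param IPermission $permission Requested actions (not evaluated yet).
  * @param LoginContext $context Login context of the caller.
  * @return bool TRUE when the check passes, FALSE when the handler cannot decide.
  *
  * @throws EyeAccessControlException If the workgroup is not among the caller's principals.
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     // ## DEPRECATED ## The "hard" lookup of the related workgroup (through
     // $object->getOwnerId() or $object->getOwner(), resolved with UMManager)
     // has been disabled; nothing assigns $workgroup any more.
     $workgroup = null;
     if (!$workgroup instanceof AbstractEyeosWorkgroup) {
         $this->failureException = new EyeHandlerFailureException('Related workgroup could not be resolved (handler deprecated).');
         return false;
     }
     // --- Everything below is unreachable while the lookup above is disabled. ---
     // Check if the current context contains our workgroup
     $wgIdx = $context->getSubject()->getPrincipals()->getIndex($workgroup);
     if ($wgIdx === false) {
         // getName() is a method; the former "->getName" read an undefined property
         throw new EyeAccessControlException('The specified action requires privileges of workgroup "' . $workgroup->getName() . '".');
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         self::$Logger->warn('Can\'t check permissions for object of class ' . get_class($object) . ': no EyeosUser found in login context. Operation cancelled.');
         return false;
     }
     // The current user is member of the workgroup, retrieve his assignation
     $um = UMManager::getInstance();
     $assignation = $um->getNewUserWorkgroupAssignationInstance();
     $assignation->setUserId($eyeosUser->getId());
     $assignation->setWorkgroupId($workgroup->getId());
     $assignation = current($um->getAllUserWorkgroupAssignations($assignation));
     if (!$assignation instanceof EyeosUserWorkgroupAssignation) {
         // Consistent with the other handlers: record why we could not decide.
         $this->failureException = new EyeHandlerFailureException('No assignation found for the current user in workgroup "' . $workgroup->getName() . '".');
         return false;
     }
     // TODO: compare the role of the assignation with $permission->getActions()
     return true;
 }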
 /**
  * Makes sure the execution context carries a running process, creating and
  * registering one when it has none.
  *
  * Creation reads the application's 'eyeos.application.systemParameters'
  * metadata: without a parent process, execution is refused unless the
  * 'anonymous' parameter is 'true'; when 'suid' is 'true' and an 'owner' is
  * given, the new process is bound to a login context authenticated as that
  * owner (the owner's stored password is handed to EyeosPasswordCredential with
  * a third argument of false — presumably "do not re-hash"; confirm against that
  * class). If the SUID login fails, the freshly created process is killed before
  * the exception propagates.
  *
  * @param AppExecutionContext $appContext
  * @throws EyeNullPointerException when the application has no metadata.
  * @throws EyeMMapException when a top-level execution without checknum is not allowed.
  * @throws Exception rethrown from the SUID privilege elevation.
  */
 private function startProcess(AppExecutionContext $appContext)
 {
     // Nothing to do when the context already holds a process
     if ($appContext->getProcess() !== null) {
         return;
     }
     $descriptor = $appContext->getApplicationDescriptor();
     $appName = $descriptor->getName();
     $appMeta = $descriptor->getMeta();
     if ($appMeta === null) {
         throw new EyeNullPointerException('Missing metadata for application "' . $appName . '"');
     }
     $sysParams = $appMeta->get('eyeos.application.systemParameters');
     $anonymousAllowed = isset($sysParams['anonymous']) && $sysParams['anonymous'] == 'true';
     if ($appContext->getParentProcess() === null && !$anonymousAllowed) {
         // TODO should we also prevent anonymous execution to JS-only apps?
         self::$Logger->warn('Execution without checknum denied for application "' . $appName . '".');
         throw new EyeMMapException($appName . ' application cannot be executed without a checknum.');
     }
     // execute new process
     $newProcess = new Process($appName);
     ProcManager::getInstance()->execute($newProcess);
     $appContext->setProcess($newProcess);
     // SUID: only when explicitly requested together with an owner name
     $suidRequested = isset($sysParams['suid']) && $sysParams['suid'] == 'true' && !empty($sysParams['owner']);
     if (!$suidRequested) {
         return;
     }
     $ownerName = $sysParams['owner'];
     try {
         $owner = UMManager::getInstance()->getUserByName($ownerName);
         // force login with owner
         try {
             $suidSubject = new Subject();
             $suidSubject->getPrivateCredentials()->append(new EyeosPasswordCredential($ownerName, $owner->getPassword(), false));
             $suidContext = new LoginContext('eyeos-login', $suidSubject);
             $suidContext->login();
         } catch (Exception $e) {
             self::$Logger->error('Exception caught while trying to elevate privileges by SUID to owner ' . $ownerName . ' in application "' . $appName . '".');
             // kill unfinished process
             ProcManager::getInstance()->kill($appContext->getProcess());
             throw $e;
         }
         if (self::$Logger->isInfoEnabled()) {
             self::$Logger->info('Privileges elevation successful with owner ' . $ownerName . ' for application "' . $appName . '".');
         }
         ProcManager::getInstance()->setProcessLoginContext($newProcess->getPid(), $suidContext);
     } catch (Exception $e) {
         self::$Logger->error('Cannot elevate privileges with owner ' . $ownerName . ' for application "' . $appName . '".');
         throw $e;
     }
 }
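/**
 * Test-suite shutdown hook: deletes every principal created by the tests and
 * wipes the users directory.
 *
 * Deleting principals requires root privileges, so a throw-away 'shutdown'
 * process is registered and bound to a login context authenticated as root
 * (the fixture's 'root'/'root' account — presumably seeded by the test setup)
 * before the cleanup runs. Any exception is reported on stdout rather than
 * propagated, so shutdown always completes.
 *
 * @return void
 */
function __shutdown_test()
{
    try {
        $umManager = UMManager::getInstance();
        // We need to be root to delete test principals
        $subject = new Subject();
        $loginContext = new LoginContext('init', $subject);
        $subject->getPrivateCredentials()->append(new EyeosPasswordCredential('root', 'root'));
        $loginContext->login();
        // we need a fake shutdown process to carry the root login context
        $procManager = ProcManager::getInstance();
        $shutdownProcess = new Process('shutdown');
        $procManager->execute($shutdownProcess);
        $procManager->setProcessLoginContext($shutdownProcess->getPid(), $loginContext);
        // clean deletion of users (the manager fetched above is reused instead of re-fetched per user)
        foreach ($umManager->getAllUsers() as $user) {
            $umManager->deletePrincipal($user);
        }
        AdvancedPathLib::rmdirs(USERS_PATH, true);
    } catch (Exception $e) {
        echo 'Uncaught exception on shutdown!' . "\n";
        ExceptionStackUtil::printStackTrace($e, false);
    }
}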
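 /**
  * Password-reset entry point: assigns a freshly generated password to the
  * first user whose 'eyeos.user.email' metadata matches $params[0] and mails
  * it to that address.
  *
  * The update runs under a login context authenticated as the target user,
  * which is temporarily installed on the current process and restored
  * afterwards — also when the update throws, so the process never keeps the
  * target user's context on failure.
  *
  * @param array $params $params[0] is the e-mail address to look up.
  * @return int 1 when a matching user was updated and mailed, 0 when no user
  *             has that e-mail address (including when every search hit fails
  *             the metadata re-check).
  */
 public static function resendPassword($params)
 {
     $mail = $params[0];
     $meta = new BasicMetaData();
     $meta->set('eyeos.user.email', $mail);
     $userIds = MetaManager::getInstance()->searchMeta(new EyeosUser(), $meta);
     if (count($userIds) === 0) {
         return 0;
     }
     $umManager = UMManager::getInstance();
     $metaManager = MetaManager::getInstance();
     foreach ($userIds as $userId) {
         $user = $umManager->getUserById($userId);
         $settings = $metaManager->retrieveMeta($user);
         // Re-check the address on the user's own metadata before touching the account.
         if ($settings->get('eyeos.user.email') != $mail) {
             continue;
         }
         // Authenticate as the target user with the stored password; the false flag
         // presumably means "do not re-hash" — confirm against EyeosPasswordCredential.
         $subject = new Subject();
         $loginContext = new LoginContext('eyeos-login', $subject);
         $cred = new EyeosPasswordCredential();
         $cred->setUsername($user->getName());
         $cred->setPassword($user->getPassword(), false);
         $subject->getPrivateCredentials()->append($cred);
         $loginContext->login();
         $procManager = ProcManager::getInstance();
         $currentPid = $procManager->getCurrentProcess()->getPid();
         $previousContext = $procManager->getCurrentProcess()->getLoginContext();
         if (!$previousContext) {
             $previousContext = new LoginContext('eyeos-login');
         }
         $procManager->setProcessLoginContext($currentPid, $loginContext);
         try {
             $password = self::generatePassword();
             $user->setPassword($password, true);
             $umManager->updatePrincipal($user);
         } catch (Exception $e) {
             // Never leave the current process running under the target user's context.
             $procManager->setProcessLoginContext($currentPid, $previousContext);
             throw $e;
         }
         $procManager->setProcessLoginContext($currentPid, $previousContext);
         self::sendMailModificationPassword($mail, $user->getName(), $password);
         return 1;
     }
     // Every search hit failed the metadata re-check: report "no user found"
     // instead of falling off the end with an implicit null.
     return 0;
 }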
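 /**
  * UNIX-style permission handler for IFile objects.
  *
  * For EyeUserFile objects the file name is validated first (no '.htaccess',
  * no empty name, none of ? # & < >). A non-existing target, or a 'delete'
  * action, is decided by the parent folder's write permission instead of the
  * file's own bits. Otherwise each requested action is checked against the
  * file's octal mode from $object->getPermissions(true): 'read'/'write'/
  * 'execute' use the 0400/0200/0100 bit for the owner, the same bit shifted
  * right by 3 for members of the file's group and by 6 for everyone else;
  * 'admin' is granted to the owner only. Any unsupported action makes the
  * handler report failure.
  *
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise
  *              (failureException is set whenever FALSE is returned).
  *
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof IFile) {
         throw new EyeInvalidArgumentException('$object must be an IFile.');
     }
     if ($object instanceof EyeUserFile) {
         $name = $object->getName();
         if ($name == '.htaccess') {
             throw new EyeAccessControlException('You cannot access that kind of file (.HTACCESS).');
         }
         if ('' == $name) {
             throw new EyeAccessControlException('Empty filename not allowed');
         }
         // Rejected characters (the original gives no rationale; they are URL/HTML delimiters).
         foreach (array('?', '#', '&', '<', '>') as $forbidden) {
             if (strpos($name, $forbidden) !== false) {
                 throw new EyeAccessControlException('Invalid character ' . $forbidden . ' on filename');
             }
         }
     }
     // If the target file does not exist or we are requesting a deletion permission,
     // we must check write permissions on the parent folder, to know whether the current
     // user is allowed or not to manipulate files within it.
     if (!$object->exists() || in_array('delete', $permission->getActions())) {
         $parentFolder = $object->getParentFile();
         if (!$parentFolder->equals($object)) {
             $parentFolder->checkWritePermission();
             return true;
         }
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     $objectPermissions = $object->getPermissions(true);
     if (!is_int($objectPermissions)) {
         $this->failureException = new EyeHandlerFailureException('"' . $objectPermissions . '" is not a valid octal UNIX permission for file ' . $object->getPath() . '.');
         return false;
     }
     try {
         $owner = UMManager::getInstance()->getUserByName($object->getOwner());
     } catch (EyeNoSuchUserException $e) {
         // Workaround: when the owner of a workgroup file no longer exists, a new owner
         // is assigned to the file first, otherwise loading the owner information throws.
         if (get_class($object) == 'EyeWorkgroupFile') {
             $object->fixOwner();
             $owner = UMManager::getInstance()->getUserByName($object->getOwner());
         } else {
             throw $e;
         }
     }
     $group = UMManager::getInstance()->getGroupByName($object->getGroup());
     // Which triplet of the mode applies: owner bits as-is, group bits >> 3, others >> 6.
     if ($eyeosUser->getId() == $owner->getId()) {
         $shift = 0;
     } elseif ($context->getSubject()->getPrincipals()->contains($group)) {
         $shift = 3;
     } else {
         $shift = 6;
     }
     foreach ($permission->getActions() as $action) {
         if ($action == 'admin') {
             // Only the owner has admin rights, regardless of the mode bits.
             if ($eyeosUser->getName() != $object->getOwner()) {
                 throw new EyeAccessControlException('Only the owner ' . $object->getOwner() . ' has admin rights for file ' . $object->getPath() . '.');
             }
             continue;
         }
         switch ($action) {
             case 'read':
                 $ref = 0400;
                 $actionText = 'Read';
                 break;
             case 'write':
                 $ref = 0200;
                 $actionText = 'Write';
                 break;
             case 'execute':
                 $ref = 0100;
                 $actionText = 'Execution';
                 break;
             default:
                 // the given action is not supported by this handler
                 $this->failureException = new EyeHandlerFailureException('Unknown action received: ' . $action . '. Wrong configuration?');
                 return false;
         }
         if (!(($ref >> $shift) & $objectPermissions)) {
             throw new EyeAccessControlException($actionText . ' access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (insufficient permissions).');
         }
     }
     if (self::$Logger->isInfoEnabled()) {
         self::$Logger->info('Access granted to user ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on file ' . $object->getPath() . '.');
     }
     return true;
 }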
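 /**
  * Changes the current user's password after re-authenticating with the old one.
  *
  * The old password is verified by performing a fresh 'eyeos-login' with it
  * rather than by comparing stored values here. The new password is first
  * persisted on a clone of the user so that a failing update leaves the login
  * context's user object untouched; only after a successful update is the
  * in-context object changed.
  *
  * @param array $params $params[0] = old password, $params[1] = new password.
  * @return bool TRUE on success.
  * @throws EyeLoginException when the old password does not authenticate the current user.
  */
 public static function changePassword($params)
 {
     $oldPassword = $params[0];
     $newPassword = $params[1];
     $currentUser = ProcManager::getInstance()->getCurrentProcess()->getLoginContext()->getEyeosUser();
     // Prove knowledge of the old password with a throw-away login context.
     try {
         $tmpSubject = new Subject();
         $tmpSubject->getPrivateCredentials()->append(new EyeosPasswordCredential($currentUser->getName(), $oldPassword));
         $tmpLoginContext = new LoginContext('eyeos-login', $tmpSubject);
         $tmpLoginContext->login();
         unset($tmpSubject);
         unset($tmpLoginContext);
     } catch (EyeLoginException $e) {
         throw new EyeLoginException('The old password supplied is not correct');
     }
     // Here we need to apply the new password on a copy of the object: in case the update fails
     // we don't want the login context to be in an inconsistent state (user with unsynchronized password)
     $currentUserCopy = clone $currentUser;
     $currentUserCopy->setPassword($newPassword, true);
     UMManager::getInstance()->updatePrincipal($currentUserCopy);
     // If and only if the update process is successful, we can update the object in the login context
     $currentUser->setPassword($newPassword, true);
     return true;
 }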
 /**
  * Exercises ProcManager::setProcessLoginContext():
  *  - an out-of-range pid is rejected with an EyeProcException;
  *  - re-setting the same context keeps the very same instance in the process table;
  *  - a second process inherits the init login context and can then be switched
  *    to a context authenticated as another user ('john') without touching init.
  */
 public function testSetProcessLoginContext()
 {
     $firstProcess = new Process('example');
     $this->fixture->execute($firstProcess);
     $firstPid = $firstProcess->getPid();
     $this->pids[] = $firstPid;
     $this->loginContext = new LoginContext('init');
     $this->fixture->setProcessLoginContext($firstPid, $this->loginContext);
     // A pid below the allowed range must be refused
     try {
         $this->fixture->setProcessLoginContext(ProcManager::MINPIDNUMBER - 1, $this->loginContext);
         $this->fail();
     } catch (EyeProcException $e) {
         // expected
     }
     $table = $this->fixture->getProcessesTable();
     $this->assertNotNull($table[$firstPid]->getLoginContext());
     // Setting the same context again keeps the identical instance
     $this->fixture->setProcessLoginContext($firstPid, $this->loginContext);
     $table = $this->fixture->getProcessesTable();
     $this->assertEquals($this->loginContext, $table[$firstPid]->getLoginContext());
     $this->assertSame($this->loginContext, $table[$firstPid]->getLoginContext());
     // Fresh fixture for the second scenario
     $this->tearDown();
     $this->setUp();
     /**** execute another process then change to a different login context ****/
     $this->fixture->setCurrentProcess(self::$InitProcess);
     $initLoginContext = clone self::$InitProcess->getLoginContext();
     $secondProcess = new Process('example2');
     $this->fixture->execute($secondProcess);
     $secondPid = $secondProcess->getPid();
     $this->pids[] = $secondPid;
     $table = $this->fixture->getProcessesTable();
     //check some necessary conditions before proceeding
     $this->assertTrue(is_array($table));
     $this->assertTrue(isset($table[$secondPid]));
     $this->assertTrue($table[$secondPid] instanceof Process);
     $this->assertEquals('example2', $table[$secondPid]->getName());
     $storedPid = $table[$secondPid]->getPid();
     $this->assertNotNull($storedPid);
     $this->assertTrue(ProcManager::MINPIDNUMBER <= $storedPid);
     $this->assertTrue($storedPid <= ProcManager::MAXPIDNUMBER);
     $this->assertEquals($initLoginContext, $table[$secondPid]->getLoginContext());
     $this->assertNotNull($table[$secondPid]->getLoginContext()->getEyeosUser());
     $storedChecknum = $table[$secondPid]->getChecknum();
     $this->assertNotNull($storedChecknum);
     $this->assertTrue(ProcManager::MINCHECKNUMNUMBER <= $storedChecknum);
     $this->assertTrue($storedChecknum <= ProcManager::MAXCHECKNUMNUMBER);
     $this->assertNotNull($table[$secondPid]->getTime());
     //create a new login context with another user
     $johnSubject = new Subject();
     $johnLoginContext = new LoginContext('example', $johnSubject, $this->authConfig);
     $johnCredential = new EyeosPasswordCredential('john', 'john');
     $this->assertEquals(0, $johnLoginContext->getSubject()->getPrivateCredentials()->count());
     $johnLoginContext->getSubject()->getPrivateCredentials()->append($johnCredential);
     $johnLoginContext->login();
     $this->assertNotEquals($initLoginContext, $johnLoginContext);
     $this->fixture->setProcessLoginContext($secondPid, $johnLoginContext);
     $this->assertNotEquals($initLoginContext, $secondProcess->getLoginContext());
     $this->assertEquals($johnLoginContext, $secondProcess->getLoginContext());
     $this->assertSame($johnLoginContext, $secondProcess->getLoginContext());
     // The init process keeps its own user; only the second process switched
     $initUser = $this->fixture->getProcessByPid(self::$InitPid)->getLoginContext()->getEyeosUser();
     $switchedUser = $this->fixture->getProcessByPid($secondPid)->getLoginContext()->getEyeosUser();
     $this->assertEquals('root', $initUser->getName());
     $this->assertEquals('john', $switchedUser->getName());
 }
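 /**
  * Permission handler for shared (IShareable) objects.
  *
  * Collaborator-management actions (addcollaborator, removecollaborator,
  * updatecollaborator) are granted to the share owner only. Any other
  * permission is decided by the first share-info entry whose collaborator the
  * login context represents — the EyeosUser itself (matched by id) or a group
  * among the subject's principals: access is granted when that entry's
  * permissions imply the requested one and refused with an
  * EyeAccessControlException otherwise. With no matching collaborator the
  * handler reports failure (not applicable to this check).
  *
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise
  *              (failureException is set whenever FALSE is returned).
  *
  * @throws EyeInvalidArgumentException
  * @throws EyeUnexpectedValueException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof IShareable) {
         throw new EyeInvalidArgumentException('$object must be an IShareable.');
     }
     if ($object->getId(false) === null) {
         $this->failureException = new EyeHandlerFailureException('$object has no ID and though is probably not currently shared.');
         return false;
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     // General sharing actions (addCollaborator, removeCollaborator, updateCollaborator)
     $actions = $permission->getActions();
     if (in_array('addcollaborator', $actions) || in_array('removecollaborator', $actions) || in_array('updatecollaborator', $actions)) {
         // currently, only the owner can perform those actions
         if ($eyeosUser->getId() != $object->getShareOwner()->getId()) {
             self::$Logger->info('Access denied to non-owner user ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on object ' . $object->getId() . '.');
             throw new EyeAccessControlException('Only the owner of the object can perform that kind of actions (' . $permission->getActionsAsString() . ').');
         }
         self::$Logger->debug('Access granted to owner ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on object ' . $object->getId() . '.');
         return true;
     }
     // Object-dependant sharing actions
     try {
         $shareInfos = SharingManager::getInstance()->getAllShareInfo($object);
     } catch (Exception $e) {
         $logger = Logger::getLogger('system.services.Security.ShareableObjectSecurityHandler');
         $logger->warn('Cannot retrieve shareinfo on object with ID: ' . $object->getId(false));
         if ($logger->isDebugEnabled()) {
             $logger->debug(ExceptionStackUtil::getStackTrace($e, false));
         } else {
             $logger->warn('Exception message: ' . $e->getMessage());
         }
         $this->failureException = new EyeHandlerFailureException('Cannot retrieve shareinfo on object with ID: ' . $object->getId(false) . ': ' . $e->getMessage());
         return false;
     }
     $principals = $context->getSubject()->getPrincipals();
     foreach ($shareInfos as $shareInfo) {
         $collaborator = $shareInfo->getCollaborator();
         if ($collaborator instanceof IGroup) {
             // "is the subject in the current login context representative of the group collaborator?"
             // The principals collection is queried through contains(), as the other
             // handlers do; in_array() expects a plain array and never matched here.
             $matches = $principals->contains($collaborator);
         } else {
             $matches = $collaborator->getId() == $eyeosUser->getId();
         }
         if (!$matches) {
             continue;
         }
         // The first matching collaborator decides: grant if its permissions imply the request, refuse otherwise.
         if ($shareInfo->getPermissions()->implies($permission)) {
             return true;
         }
         throw new EyeAccessControlException('$object permission actions (' . $shareInfo->getPermissions()->getActionsAsString() . ') ' . 'do not imply requested permission (' . $permission->getActionsAsString() . ') for collaborator ' . $eyeosUser->getName());
     }
     // No matching collaborator found => this module is not applicable to the current check => set it as FAILED
     $this->failureException = new EyeHandlerFailureException('No matching collaborator found for object with ID ' . $object->getId(false) . '.');
     return false;
 }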
 /**
  * TODO
  * 
  * @param mixed $object
  * @param IPermission $permission
  * @param LoginContext $context
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
  * 
  * @throws EyeInvalidArgumentException
  * @throws EyeAccessControlException
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof AbstractEyeosWorkgroup && !$object instanceof EyeosUserWorkgroupAssignation) {
         throw new EyeInvalidArgumentException('$object must be an AbstractEyeosWorkgroup or an EyeosUserWorkgroupAssignation.');
     }
     // $object is a Workgroup => check for actions: Create, Update, Delete
     if ($object instanceof AbstractEyeosWorkgroup) {
         $wgManagersGroups = UMManager::getInstance()->getGroupByName('wg-managers');
         // The user must be member of the system group "wg-managers"
         if (!$context->getSubject()->getPrincipals()->contains($wgManagersGroups)) {
             throw new EyeAccessControlException('The specified action requires privileges of group "wg-managers".');
         }
         // Update or Delete? Must be owner
         if (in_array('update', $permission->getActions()) || in_array('delete', $permission->getActions())) {
             try {
                 $eyeosUser = $context->getEyeosUser();
             } catch (EyeNullPointerException $e) {
                 $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
                 return false;
             }
             if ($object->getOwnerId() != $eyeosUser->getId()) {
                 throw new EyeAccessControlException('Only the owner of the workgroup can perform the requested action(s): ' . $permission->getActionsAsString() . '.');
             }
         }
         return true;
     } else {
         try {
             $eyeosUser = $context->getEyeosUser();
         } catch (EyeNullPointerException $e) {
             $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
             return false;
         }
         try {
             $workgroup = UMManager::getInstance()->getWorkgroupById($object->getWorkgroupId());
         } catch (EyeNoSuchWorkgroupException $e) {
             throw new EyeAccessControlException('Unknown workgroup with ID "' . $object->getWorkgroupId() . '".', 0, $e);
         }
         // Retrieve the role of the current user in the workgroup
         $currentUserAssignation = UMManager::getInstance()->getNewUserWorkgroupAssignationInstance();
         $currentUserAssignation->setUserId($eyeosUser->getId());
         $currentUserAssignation->setWorkgroupId($object->getWorkgroupId());
         $currentUserAssignation = current(UMManager::getInstance()->getAllUserWorkgroupAssignations($currentUserAssignation));
         foreach ($permission->getActions() as $action) {
             // Add to workgroup
             if ($action == 'addtoworkgroup') {
                 // If the workgroup's privacy mode is OPEN
                 if ($workgroup->getPrivacyMode() === WorkgroupConstants::PRIVACY_OPEN) {
                     // If the current user is the one joining the workgroup
                     if ($eyeosUser->getId() == $object->getUserId()) {
                         // Check for illegal role
                         if ($object->getRole() === WorkgroupConstants::ROLE_OWNER && $workgroup->getOwnerId() != $object->getUserId() || $object->getRole() === WorkgroupConstants::ROLE_ADMIN) {
                             throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": cannot join a workgroup as owner or admin.');
                         }
                         return true;
                     } else {
                         // If the current user is not a member, exit here
                         if ($currentUserAssignation === false) {
                             throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                         }
                         // If the current user is the owner or an admin, he has the right to INVITE
                         if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) {
                             throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                         }
                         if ($object->getStatus() !== WorkgroupConstants::STATUS_INVITED) {
                             throw new EyeAccessControlException('Access denied to admin of workgroup "' . $workgroup->getName() . '": can only invite a member into the workgroup.');
                         }
                         return true;
                     }
                 } else {
                     if ($workgroup->getPrivacyMode() === WorkgroupConstants::PRIVACY_ONREQUEST) {
                         // If the current user is the one joining the workgroup
                         if ($eyeosUser->getId() == $object->getUserId()) {
                             // Check for illegal role
                             if ($object->getRole() === WorkgroupConstants::ROLE_OWNER && $workgroup->getOwnerId() != $object->getUserId() || $object->getRole() === WorkgroupConstants::ROLE_ADMIN) {
                                 throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": cannot apply for membership of workgroup ' . $workgroup->getName() . ' as owner or admin.');
                             }
                             // The status must be PENDING
                             if ($workgroup->getOwnerId() != $object->getUserId() && $object->getStatus() !== WorkgroupConstants::STATUS_PENDING) {
                                 throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": can only apply for membership of workgroup ' . $workgroup->getName() . '.');
                             }
                             return true;
                         } else {
                             // If the current user is not a member, exit here
                             if ($currentUserAssignation === false) {
                                 throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                             }
                             // If the current user is the owner or an admin, he has the right to INVITE
                             if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) {
                                 throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                             }
                             if ($object->getStatus() !== WorkgroupConstants::STATUS_INVITED) {
                                 throw new EyeAccessControlException('Access denied to admin of workgroup "' . $workgroup->getName() . '": can only invite a member into the workgroup.');
                             }
                             return true;
                         }
                     } else {
                         if ($workgroup->getPrivacyMode() === WorkgroupConstants::PRIVACY_ONINVITATION) {
                             // If the current user is the one joining the workgroup
                             if ($eyeosUser->getId() == $object->getUserId()) {
                                 // If the owner joins his workgroup (at creation), access granted
                                 if ($eyeosUser->getId() == $workgroup->getOwnerId()) {
                                     return true;
                                 }
                                 throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": cannot apply for membership of workgroup ' . $workgroup->getName() . ', access is on invitation only.');
                             } else {
                                 // If the current user is not a member, exit here
                                 if ($currentUserAssignation === false) {
                                     throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                                 }
                                 // If the current user is the owner or an admin, he has the right to INVITE
                                 if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) {
                                     throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                                 }
                                 if ($object->getStatus() !== WorkgroupConstants::STATUS_INVITED) {
                                     throw new EyeAccessControlException('Access denied to admin of workgroup "' . $workgroup->getName() . '": can only invite a member into the workgroup.');
                                 }
                                 return true;
                             }
                         }
                     }
                 }
             } else {
                 if ($action == 'removefromworkgroup') {
                     // If the current user is the one leaving the workgroup
                     if ($eyeosUser->getId() == $object->getUserId()) {
                         return true;
                     }
                     // if the user is not a member, exit here
                     if ($currentUserAssignation === false) {
                         throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                     }
                     if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) {
                         throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                     }
                     return true;
                 } else {
                     if ($action == 'update') {
                         // if the user is not a member, exit here
                         if ($currentUserAssignation === false) {
                             throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                         }
                         // Current user is the one from the assignation $object,
                         // and the transition is from "invited" to "member" => access granted
                         if ($eyeosUser->getId() == $currentUserAssignation->getUserId() && $currentUserAssignation->getStatus() === WorkgroupConstants::STATUS_INVITED && $object->getStatus() === WorkgroupConstants::STATUS_MEMBER) {
                             return true;
                         } else {
                             if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) {
                                 throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                             }
                             return true;
                         }
                     } else {
                         // Unknown action
                         $this->failureException = new EyeHandlerFailureException('Unknown action specified: ' . $action);
                         return false;
                     }
                 }
             }
         }
     }
 }
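 /**
  * Checks whether the user of the given login context may perform the
  * requested action(s) on an application.
  *
  * The decision is taken like a UNIX file mode: the application's metadata
  * (key "eyeos.application.systemParameters") provides an owner, a group and
  * a permission string. The owner triplet applies to the owner, the group
  * triplet to users whose principals contain the group, and the "others"
  * triplet to everybody else. Only the action "execute" (the x bit) is
  * supported by this handler.
  *
  * @param mixed $object The EyeosApplicationDescriptor to check access to.
  * @param IPermission $permission The requested actions.
  * @param LoginContext $context The login context of the requesting user.
  * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise
  *              (the reason is then available in $this->failureException).
  * 
  * @throws EyeInvalidArgumentException If $object is not an EyeosApplicationDescriptor.
  * @throws EyeNullPointerException If the application has no metadata.
  * @throws EyeAccessControlException If the permission bits deny the action.
  */
 public function checkPermission($object, IPermission $permission, LoginContext $context)
 {
     if (!$object instanceof EyeosApplicationDescriptor) {
         throw new EyeInvalidArgumentException('$object must be an EyeosApplicationDescriptor.');
     }
     try {
         $eyeosUser = $context->getEyeosUser();
     } catch (EyeNullPointerException $e) {
         $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
         return false;
     }
     $meta = $object->getMeta();
     if ($meta === null) {
         throw new EyeNullPointerException('$meta cannot be null.');
     }
     $sysParams = $meta->get('eyeos.application.systemParameters');
     // Without owner, group and permissions there is nothing to decide against:
     // fail the handler (closed) instead of reading undefined indexes below.
     if (!isset($sysParams['owner'], $sysParams['group'], $sysParams['permissions'])) {
         $this->failureException = new EyeHandlerFailureException('Missing system parameters (owner/group/permissions) for application ' . $object->getName() . '.');
         return false;
     }
     // Extract owner, group and permissions from application's metadata.
     // The failure messages report the raw metadata values: the local
     // variables are never assigned when the lookup throws.
     try {
         $owner = UMManager::getInstance()->getUserByName($sysParams['owner']);
     } catch (EyeNoSuchPrincipalException $e) {
         $this->failureException = new EyeHandlerFailureException('Unknown owner "' . $sysParams['owner'] . '".');
         return false;
     }
     try {
         $group = UMManager::getInstance()->getGroupByName($sysParams['group']);
     } catch (EyeNoSuchPrincipalException $e) {
         $this->failureException = new EyeHandlerFailureException('Unknown group "' . $sysParams['group'] . '".');
         return false;
     }
     try {
         $perms = AdvancedPathLib::permsToOctal($sysParams['permissions']);
     } catch (Exception $e) {
         $this->failureException = new EyeHandlerFailureException('"' . $sysParams['permissions'] . '" is not a valid octal UNIX permission for application ' . $object->getName() . '.');
         return false;
     }
     // Which permission triplet applies to this user does not depend on the
     // action, so determine it once: owner (no shift), group (>> 3), others (>> 6).
     if ($eyeosUser->getId() == $owner->getId()) {
         $shift = 0;
     } elseif ($context->getSubject()->getPrincipals()->contains($group)) {
         $shift = 3;
     } else {
         $shift = 6;
     }
     // Loop on actions (but here we currently know the action "execute" only)
     foreach ($permission->getActions() as $action) {
         if ($action !== 'execute') {
             // the given action is not supported by this handler
             $this->failureException = new EyeHandlerFailureException('Unknown action received: ' . $action . '.');
             return false;
         }
         // "execute" is the x bit of the owner triplet (0100), moved to the
         // group (0010) or others (0001) triplet as selected above.
         $ref = 0100 >> $shift;
         if (!($ref & $perms)) {
             throw new EyeAccessControlException('Execution access denied to user ' . $eyeosUser->getName() . ' for application ' . $object->getName() . ' (insufficient permissions).');
         }
     }
     if (self::$Logger->isInfoEnabled()) {
         self::$Logger->info('Access granted to user ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on application ' . $object->getName() . '.');
     }
     return true;
 }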
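 /**
  * Registers a new user from the registration form values and logs the
  * current process (and any running "login" process) in as that user.
  *
  * @param array $params Positional form values: [0] first name, [1] last name,
  *                      [2] username, [3] password, [4] email.
  * @return string 'unable to register' when the SecurityManager metadata
  *                disables registration, 'incomplete' when a field is missing
  *                or empty, 'success' otherwise.
  *
  * @throws EyeUserAlreadyExistsException If the username or the email is already taken.
  * @throws Exception Any failure while creating or logging in the user; the
  *                   previous login context of the current process is restored first.
  */
 public static function register($params)
 {
     /* verify permissions again */
     $securityMeta = MetaManager::getInstance()->retrieveMeta(kernel::getInstance('SecurityManager'))->getAll();
     if (isset($securityMeta['register']) && $securityMeta['register'] == 'false') {
         return 'unable to register';
     }
     $procManager = ProcManager::getInstance();
     $savedLoginContext = $procManager->getCurrentProcess()->getLoginContext();
     try {
         // Missing positional fields count as empty instead of raising notices
         $name = isset($params[0]) ? $params[0] : '';
         $surname = isset($params[1]) ? $params[1] : '';
         $username = isset($params[2]) ? $params[2] : '';
         $password = isset($params[3]) ? $params[3] : '';
         $email = isset($params[4]) ? $params[4] : '';
         if (!$name || !$surname || !$username || !$password || !$email) {
             return 'incomplete';
         }
         $myUManager = UMManager::getInstance();
         // check existence of the username
         $exists = false;
         try {
             $myUManager->getUserByName($username);
             $exists = true;
         } catch (EyeNoSuchUserException $e) {
             // username is free
         }
         if ($exists) {
             throw new EyeUserAlreadyExistsException('User with name "' . $username . '" already exists.');
         }
         // check existence of the email (used as a uniqueness key on user metadata)
         $searchMeta = new BasicMetaData();
         $searchMeta->set('eyeos.user.email', $email);
         $userIds = MetaManager::getInstance()->searchMeta(new EyeosUser(), $searchMeta);
         if (count($userIds) > 0) {
             throw new EyeUserAlreadyExistsException('User with email "' . $email . '" already exists.');
         }
         //create the user
         $user = $myUManager->getNewUserInstance();
         $user->setName($username);
         $user->setPassword($password, true);
         $user->setPrimaryGroupId($myUManager->getGroupByName(SERVICE_UM_DEFAULTUSERSGROUP)->getId());
         $myUManager->createUser($user);
         //login in the system with new user, if this works, for sure the user exists, even with the
         //most complex and strange errors
         $subject = new Subject();
         $loginContext = new LoginContext('eyeos-login', $subject);
         $cred = new EyeosPasswordCredential();
         $cred->setUsername($username);
         $cred->setPassword($password, true);
         $subject->getPrivateCredentials()->append($cred);
         $loginContext->login();
         //we are logged in, so we are going to change the credentials of login
         $procList = $procManager->getProcessesList();
         $currentProcess = $procManager->getCurrentProcess();
         $procManager->setProcessLoginContext($currentProcess->getPid(), $loginContext);
         foreach ($procList as $pid => $processName) {
             if (strtolower($processName) == 'login') {
                 //we are in another login in execution, this is a refresh, lets see
                 //if the login was correct with the old login.
                 $loginProcess = $procManager->getProcessByPid($pid);
                 $procManager->setProcessLoginContext($loginProcess->getPid(), $loginContext);
             }
         }
         // save basic metadata from form (tags stripped from the names;
         // the email is stored as submitted and was only checked for uniqueness)
         $userMeta = MetaManager::getInstance()->retrieveMeta($user);
         $userMeta->set('eyeos.user.firstname', strip_tags($name));
         $userMeta->set('eyeos.user.lastname', strip_tags($surname));
         $userMeta->set('eyeos.user.email', $email);
         MetaManager::getInstance()->storeMeta($user, $userMeta);
         return 'success';
     } catch (Exception $e) {
         // ROLLBACK
         // restore login context (root probably)
         $procManager->setProcessLoginContext($procManager->getCurrentProcess()->getPid(), $savedLoginContext);
         // NOTE: a user already created above is not deleted here (the deletion
         // step was left disabled in the original code), so a failure after
         // createUser() leaves the account in place.
         throw $e;
     }
 }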
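 /**
  * Creates a user account with default metadata, running as root for the
  * duration of the creation.
  *
  * The current process's login context is switched to root and is NOT
  * restored before returning (compare register(), which saves and restores
  * it); callers are responsible for restoring it — TODO confirm every caller does.
  *
  * @param string $username Name of the new user (also used as first name).
  * @param string $password Plaintext password of the new user.
  * @param string $language Value stored in "eyeos.user.language" (default 'es').
  * @return mixed The freshly created user, re-read from the UMManager.
  *
  * @throws EyeFailedLoginException If the root user does not exist.
  */
 private function createUser($username, $password, $language = 'es')
 {
     try {
         $userRoot = UMManager::getInstance()->getUserByName('root');
     } catch (EyeNoSuchUserException $e) {
         throw new EyeFailedLoginException('Unknown user "root". Cannot proceed to login.', 0, $e);
     }
     // Log the current process in as root so that the user can be created.
     // The second argument is false because the stored root password is
     // passed as-is (the plaintext form elsewhere in this file passes true).
     $subject = new Subject();
     $loginContext = new LoginContext('eyeos-login', $subject);
     $cred = new EyeosPasswordCredential();
     $cred->setUsername('root');
     $cred->setPassword($userRoot->getPassword(), false);
     $subject->getPrivateCredentials()->append($cred);
     $loginContext->login();
     $procManager = ProcManager::getInstance();
     $procManager->setProcessLoginContext($procManager->getCurrentProcess()->getPid(), $loginContext);
     $myUManager = UMManager::getInstance();
     $user = $myUManager->getNewUserInstance();
     $user->setName($username);
     $user->setPassword($password, true);
     $user->setPrimaryGroupId($myUManager->getGroupByName(SERVICE_UM_DEFAULTUSERSGROUP)->getId());
     $myUManager->createUser($user, 'default');
     // Add Metadata (re-read the user so the stored instance is used)
     $user = $myUManager->getUserByName($username);
     $meta = MetaManager::getInstance()->retrieveMeta($user);
     $meta->set('eyeos.user.firstname', $username);
     $meta->set('eyeos.user.lastname', '');
     $meta->set('eyeos.user.email', '');
     $meta->set('eyeos.user.language', $language);
     MetaManager::getInstance()->storeMeta($user, $meta);
     return $user;
 }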