/**
 * Checks whether the caller may act on a Process.
 *
 * Only the 'kill' action is restricted: it is granted to the owner of the
 * process (the user attached to the process' login context, compared by id)
 * and denied to everyone else. Processes that carry no eyeos user are always
 * accessible.
 *
 * @param mixed $object
 * @param IPermission $permission
 * @param LoginContext $context
 * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
 *
 * @throws EyeInvalidArgumentException
 * @throws EyeUnexpectedValueException
 * @throws EyeAccessControlException
 */
public function checkPermission($object, IPermission $permission, LoginContext $context)
{
    if (!$object instanceof Process) {
        throw new EyeInvalidArgumentException('$object must be a Process.');
    }

    // Resolve the user owning the process, if any
    $owner = null;
    try {
        $processContext = $object->getLoginContext();
        if ($processContext !== null) {
            $owner = $processContext->getEyeosUser();
        }
    } catch (EyeNullPointerException $e) {
        // no user attached: handled as an ownerless process below
    }

    // Ownerless process: nothing to protect, access granted
    if ($owner === null) {
        return true;
    }

    // Every action other than 'kill' is allowed by this handler
    if (!in_array('kill', $permission->getActions())) {
        return true;
    }

    foreach ($context->getSubject()->getPrincipals() as $principal) {
        if (!$principal instanceof AbstractEyeosUser) {
            continue;
        }
        // loose comparison kept from the original (ids may be strings)
        if ($principal->getId() == $owner->getId()) {
            return true;
        }
    }

    throw new EyeAccessControlException('Cannot kill process "' . $object->getName() . '"[' . $object->getPid() . '](' . $owner->getName() . ') as ' . $context->getEyeosUser()->getName() . ': not the owner.');
}
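/**
 * Handles the external login form (POST username / password / loginPage).
 *
 * On a successful login the flag 'isExternLogin' plus the raw username,
 * password and loginPage are stored in the memory manager and the browser is
 * redirected to index.php; on any exception the browser is sent back to
 * loginPage with errorLogin=1.
 *
 * NOTE(review): the password is kept in clear text in the memory manager by
 * this flow (presumably consumed by index.php) — confirm that store is
 * session-bound and never persisted.
 *
 * @param MMapRequest $request
 * @param MMapResponse $response
 */
public function processRequest(MMapRequest $request, MMapResponse $response)
{
    ob_start('mb_output_handler');
    MMapManager::startSession();
    MMapManager::checkSessionExpiration();

    $username = $request->issetPOST('username') ? $request->getPOST('username') : '';
    $password = $request->issetPOST('password') ? $request->getPOST('password') : '';
    $loginPage = $request->issetPOST('loginPage') ? $request->getPOST('loginPage') : '';

    // loginPage is client-supplied and ends up in a Location header on failure:
    // refuse absolute targets (scheme, protocol-relative "//" or "\\") and CR/LF so the
    // failure redirect cannot leave this site. Rejected values fall back to '',
    // which yields the same bare "?errorLogin=1" redirect as a missing field.
    if (preg_match('#^\s*(?:[a-z][a-z0-9+.\-]*:|[\\\\/]{2})|[\r\n]#i', $loginPage)) {
        $loginPage = '';
    }

    $subject = new Subject();
    $loginContext = new LoginContext('eyeos-login', $subject);
    $credential = new EyeosPasswordCredential();
    $credential->setUsername($username);
    $credential->setPassword($password, true);
    $subject->getPrivateCredentials()->append($credential);

    try {
        $loginContext->login();

        // Hand the credentials over to the next request (system mode needed to write them)
        $memoryManager = MemoryManager::getInstance();
        Kernel::enterSystemMode();
        $memoryManager->set('isExternLogin', 1);
        $memoryManager->set('username', $username);
        $memoryManager->set('password', $password);
        $memoryManager->set('loginPage', $loginPage);
        Kernel::exitSystemMode();

        header("Location: index.php");
    } catch (Exception $e) {
        // Any failure (bad credentials included) goes back to the login page with an error flag
        header("Location:" . $loginPage . "?errorLogin=1");
    }
}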
/**
 * Checks access to a workgroup file (EyeWorkgroupFile or EyeWorkgroupConfFile).
 *
 * The owner of the workgroup is always granted. Any other caller needs a
 * non-invited assignation in the workgroup; the role of that assignation is
 * mapped to a reference permission (workgroup files: admin everything,
 * editor read+write, viewer read; conf files: admin everything, others read)
 * which must imply the requested permission. Write on a workgroup file is
 * additionally refused while the workgroup's activity is locked.
 *
 * @param mixed $object
 * @param IPermission $permission
 * @param LoginContext $context
 * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
 *
 * @throws EyeInvalidArgumentException
 * @throws EyeUnexpectedValueException
 * @throws EyeAccessControlException
 */
public function checkPermission($object, IPermission $permission, LoginContext $context)
{
    $isWorkgroupFile = $object instanceof EyeWorkgroupFile;
    $isConfFile = $object instanceof EyeWorkgroupConfFile;
    if (!$isWorkgroupFile && !$isConfFile) {
        throw new EyeInvalidArgumentException('$object must be an EyeWorkgroupFile or EyeWorkgroupConfFile.');
    }

    try {
        $currentUser = $context->getEyeosUser();
    } catch (EyeNullPointerException $e) {
        $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
        return false;
    }

    $workgroup = $object->getWorkgroup();

    // Workgroup owner: full access, no assignation lookup needed
    if ($workgroup->getOwnerId() == $currentUser->getId()) {
        return true;
    }

    // Look up the caller's assignation (membership status + role) in the workgroup
    $um = UMManager::getInstance();
    $lookup = $um->getNewUserWorkgroupAssignationInstance();
    $lookup->setUserId($currentUser->getId());
    $lookup->setWorkgroupId($workgroup->getId());
    $assignation = current($um->getAllUserWorkgroupAssignations($lookup));

    // No assignation, or only invited so far: not a member
    if ($assignation === false || $assignation->getStatus() == WorkgroupConstants::STATUS_INVITED) {
        throw new EyeAccessControlException('Access denied to user ' . $currentUser->getName() . ' for file ' . $object->getPath() . ' (not member of the workgroup).');
    }

    $role = $assignation->getRole();
    $allowedActions = array();

    if ($isWorkgroupFile) {
        // An activity lock on the workgroup blocks every write, whatever the role
        $wantsWrite = in_array('write', $permission->getActions());
        if ($wantsWrite && ($workgroup->getStatus() & AbstractEyeosWorkgroup::STATUS_ACTIVITY_LOCKED)) {
            throw new EyeAccessControlException('Access denied to the specified file: the activity of the workgroup ' . $workgroup->getName() . ' is currently locked.');
        }
        if ($role == WorkgroupConstants::ROLE_ADMIN) {
            return true;
        } elseif ($role == WorkgroupConstants::ROLE_EDITOR) {
            $allowedActions = array('read', 'write');
        } elseif ($role == WorkgroupConstants::ROLE_VIEWER) {
            $allowedActions = array('read');
        }
    } elseif ($isConfFile) {
        // Conf file: admins do anything, every other member may read
        if ($role == WorkgroupConstants::ROLE_ADMIN) {
            return true;
        }
        $allowedActions = array('read');
    } else {
        // unreachable after the type check above, kept for parity with the original
        $this->failureException = new EyeHandlerFailureException('Unknown $object class.');
        return false;
    }

    $reference = new VirtualFilePermission('', $allowedActions);
    if ($reference->implies($permission)) {
        return true;
    }
    throw new EyeAccessControlException('Access denied to user ' . $currentUser->getName() . ' for file ' . $object->getPath() . ' (insufficient permissions).');
}
/**
 * Authentication guard: lets the request through only when a user is logged in.
 *
 * Anonymous callers get a 303 redirect to '/' and FALSE; logged-in callers get TRUE.
 *
 * @return bool
 */
public function __invoke()
{
    if ($this->loginContext->currentUser()) {
        return true;
    }
    $this->redirector->redirect(303, '/');
    return false;
}
/**
 * Executed once before each test method.
 *
 * Remembers the initial process (for later restoration), makes sure the
 * 'wonderland' group and 'alice' user exist (once per class run), recreates
 * john's file/dir fixtures under USERS_PATH and EYEOS_TESTS_TMP_PATH, and
 * starts an 'example' process logged in as john.
 */
public function setUp()
{
    if (self::$InitProcessToRestore === null) {
        self::$InitProcessToRestore = ProcManager::getInstance()->getCurrentProcess();
    }

    $johnHome = USERS_PATH . '/john/';
    $this->fixture_file1_path = $johnHome . USERS_FILES_DIR . '/myHomeFile.ext';
    $this->fixture_metafile1_path = $johnHome . USERS_METAFILES_DIR . '/' . USERS_FILES_DIR . '/myHomeFile.ext.xml';
    $this->fixture_file2_path = EYEOS_TESTS_TMP_PATH . '/mySysFile.ext';
    $this->fixture_dir1_path = $johnHome . USERS_FILES_DIR . '/myHomeDir';
    $this->fixture_dir2_path = EYEOS_TESTS_TMP_PATH . '/mySysDir';
    $this->group = UMManager::getGroupByName(SERVICE_UM_DEFAULTUSERSGROUP);

    if (!self::$AliceCreated) {
        $um = UMManager::getInstance();
        // group "wonderland" (already existing is fine)
        try {
            $wonderland = $um->getNewGroupInstance();
            $wonderland->setName('wonderland');
            $um->createGroup($wonderland);
        } catch (EyeGroupAlreadyExistsException $e) {
        }
        // user "alice" with "wonderland" as primary group (already existing is fine)
        try {
            $alice = $um->getNewUserInstance();
            $alice->setName('alice');
            $alice->setPassword('alice', true);
            $alice->setPrimaryGroupId($wonderland->getId());
            $um->createUser($alice);
        } catch (EyeUserAlreadyExistsException $e) {
        }
        self::$AliceCreated = true;
    }

    // Wipe john's files and metafiles, then the temp test directory
    AdvancedPathLib::rmdirs($johnHome . USERS_FILES_DIR, true);
    AdvancedPathLib::rmdirs($johnHome . USERS_METAFILES_DIR, true);
    if (!is_dir(EYEOS_TESTS_TMP_PATH)) {
        // 0777 scratch directory: test environment only
        mkdir(EYEOS_TESTS_TMP_PATH, 0777, true);
    }
    AdvancedPathLib::rmdirs(EYEOS_TESTS_TMP_PATH, true);

    // Fixtures: two files and two directories, one in john's home and one in sys://
    $this->fixture_file1 = FSI::getFile('home://~john/myHomeFile.ext');
    file_put_contents($this->fixture_file1_path, 'some content');
    $this->fixture_file2 = FSI::getFile('sys:///tests/tmp/mySysFile.ext');
    file_put_contents($this->fixture_file2_path, 'some other content');
    $this->fixture_dir1 = FSI::getFile('home://~john/myHomeDir');
    if (!is_dir($this->fixture_dir1_path)) {
        mkdir($this->fixture_dir1_path);
    }
    $this->fixture_dir2 = FSI::getFile('sys:///tests/tmp/mySysDir');
    if (!is_dir($this->fixture_dir2_path)) {
        mkdir($this->fixture_dir2_path);
    }

    // Run the test as john inside an 'example' process
    $process = new Process('example');
    $johnContext = new LoginContext('example', new Subject());
    $johnContext->getSubject()->getPrivateCredentials()->append(new EyeosPasswordCredential('john', 'john'));
    $johnContext->login();
    $process->setLoginContext($johnContext);
    ProcManager::getInstance()->execute($process);
    self::$MyProcPid = $process->getPid();
}
/**
 * OAuth callback endpoint.
 *
 * When the request carries both oauth_verifier and oauth_token, the response
 * becomes a static "Successful authentication" page, the current process is
 * replaced by a 'stacksync' process logged in as root (pid 31338), and the
 * token pair is pushed through NetSync to every member of the 'users' group.
 * Requests missing either parameter are ignored.
 *
 * NOTE(review): nothing on this path authenticates the caller or validates the
 * token before the root login and the broadcast; the only gate is that both
 * GET parameters are non-empty. Treat as a trust boundary to revisit.
 *
 * @param MMapRequest $request
 * @param MMapResponse $response
 * @throws EyeFailedLoginException when the 'root' user does not exist
 */
public function processRequest(MMapRequest $request, MMapResponse $response)
{
    $verifier = $request->issetGET('oauth_verifier') ? $request->getGET('oauth_verifier') : null;
    $oauthToken = $request->issetGET('oauth_token') ? $request->getGET('oauth_token') : null;

    // Truthiness check kept from the original: '' and '0' count as absent
    if (!$verifier || !$oauthToken) {
        return;
    }

    $headers = $response->getHeaders();
    $headers->append('Content-type: text/html');
    $body = '<html> <div id="logo_eyeos" style="margin: 0 auto;width:350"> <img src="eyeos/extern/images/logo-eyeos.jpg"/></div> <div style="margin: 0 auto;width:350;text-align:center"><span style="font-family:Verdana;font-size:20px;">Successful authentication.<br>Back to Eyeos.</span></div> </html>';
    $headers->append('Content-Length: ' . strlen($body));
    $headers->append('Accept-Ranges: bytes');
    $headers->append('X-Pad: avoid browser bug');
    $headers->append('Cache-Control: ');
    $headers->append('pragma: ');
    $response->setBody($body);

    try {
        $rootUser = UMManager::getInstance()->getUserByName('root');
    } catch (EyeNoSuchUserException $e) {
        throw new EyeFailedLoginException('Unknown user root"' . '". Cannot proceed to login.', 0, $e);
    }

    // Root login using the stored password value (second argument false, as elsewhere
    // when a stored rather than a typed password is supplied)
    $subject = new Subject();
    $rootContext = new LoginContext('eyeos-login', $subject);
    $credential = new EyeosPasswordCredential();
    $credential->setUsername('root');
    $credential->setPassword($rootUser->getPassword(), false);
    $subject->getPrivateCredentials()->append($credential);
    $rootContext->login();

    // Register a synthetic 'stacksync' process under that context and make it current
    Kernel::enterSystemMode();
    $syncProcess = new Process('stacksync');
    $syncProcess->setPid('31338');
    $memory = MemoryManager::getInstance();
    $table = $memory->get('processTable', array());
    $table[31338] = $syncProcess;
    $memory->set('processTable', $table);
    $syncProcess->setLoginContext($rootContext);
    ProcManager::getInstance()->setCurrentProcess($syncProcess);
    kernel::exitSystemMode();

    // Broadcast the token pair to every member of 'users'
    $payload = new stdClass();
    $payload->oauth_verifier = $verifier;
    $payload->oauth_token = $oauthToken;
    $usersGroup = UMManager::getInstance()->getGroupByName('users');
    foreach (UMManager::getInstance()->getAllUsersFromGroup($usersGroup) as $member) {
        $message = new NetSyncMessage('cloud', 'token', $member->getId(), $payload);
        NetSyncController::getInstance()->send($message);
    }
}
/**
 * login() must succeed (return null) when the security domain configures no login module.
 *
 * @return void
 */
public function testLoginSuccessfullWithoutAnyLoginModule()
{
    // collaborators are plain mocks: no login module is ever returned
    $subject = $this->getMock('AppserverIo\\Psr\\Security\\Auth\\Subject');
    $callbackHandler = $this->getMock('AppserverIo\\Psr\\Security\\Auth\\Callback\\CallbackHandlerInterface');
    $configuration = $this->getMock('AppserverIo\\Psr\\Security\\Auth\\Login\\SecurityDomainConfigurationInterface');

    $context = new LoginContext($subject, $callbackHandler, $configuration);

    $this->assertNull($context->login());
}
/**
 * Requires the caller to belong to every group listed in $this->groups.
 *
 * Membership is read from the EyeosGroup principals of the caller's subject
 * and compared by name (strict); the first missing group is reported.
 *
 * @param mixed $object
 * @param IPermission $permission
 * @param LoginContext $context
 * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
 *
 * @throws EyeInvalidArgumentException
 * @throws EyeUnexpectedValueException
 * @throws EyeAccessControlException
 */
public function checkPermission($object, IPermission $permission, LoginContext $context)
{
    // Names of the group principals the caller currently holds
    $heldGroups = array();
    foreach ($context->getSubject()->getPrincipals() as $principal) {
        if ($principal instanceof EyeosGroup) {
            $heldGroups[] = $principal->getName();
        }
    }

    foreach ($this->groups as $requiredGroup) {
        if (in_array($requiredGroup, $heldGroups, true)) {
            continue;
        }
        throw new EyeAccessControlException('The specified action requires privileges of group "' . $requiredGroup . '".');
    }
    return true;
}
/**
 * Lets a user update or delete its own UM record, nothing else.
 *
 * Access is granted only when $object has the caller's id and the requested
 * permission is implied by {update, delete}; everything else is denied.
 *
 * @param mixed $object
 * @param IPermission $permission
 * @param LoginContext $context
 * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
 *
 * @throws EyeInvalidArgumentException
 * @throws EyeUnexpectedValueException
 * @throws EyeAccessControlException
 */
public function checkPermission($object, IPermission $permission, LoginContext $context)
{
    try {
        $currentUser = $context->getEyeosUser();
    } catch (EyeNullPointerException $e) {
        $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
        return false;
    }

    // loose id comparison kept from the original
    $isSelf = $object->getId() == $currentUser->getId();
    if ($isSelf) {
        $selfPermission = new SimplePermission('', array('update', 'delete'));
        if ($selfPermission->implies($permission)) {
            return true;
        }
    }

    throw new EyeAccessControlException('Access denied to UM (actions: ' . $permission->getActionsAsString() . ')');
}
/**
 * Checks access to the metadata of a virtual file.
 *
 * 'delete' and 'write' both require write permission on the related file
 * (delegated to its checkWritePermission()). 'write' additionally needs the
 * original metadata to be available. Any other action is allowed.
 *
 * @param mixed $object
 * @param IPermission $permission
 * @param LoginContext $context
 * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
 *
 * @throws EyeInvalidArgumentException
 * @throws EyeUnexpectedValueException
 * @throws EyeAccessControlException
 */
public function checkPermission($object, IPermission $permission, LoginContext $context)
{
    if (!$object instanceof VirtualFileMetaData) {
        throw new EyeInvalidArgumentException('$object must be a VirtualFileMetaData.');
    }

    try {
        $currentUser = $context->getEyeosUser();
    } catch (EyeNullPointerException $e) {
        $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
        return false;
    }

    foreach ($permission->getActions() as $action) {
        if ($action == 'delete') {
            // Deleting metadata requires write access to the file itself
            $file = $permission->getRelatedObject();
            if ($file === null) {
                throw new EyeNullPointerException('$permission->getRelatedObject()');
            }
            $file->checkWritePermission();
        } elseif ($action == 'write') {
            // The previous metadata (with the original owner) must be known
            $previousMeta = $permission->getOriginalMetaData();
            if ($previousMeta === null) {
                throw new EyeNullPointerException('$permission->getOriginalMetaData()');
            }
            $ownerName = $previousMeta->get(EyeosAbstractVirtualFile::METADATA_KEY_OWNER);

            // Writing metadata currently only requires write access to the file. An
            // owner-only restriction on keys other than the modification time (comparing
            // $ownerName with the current user) used to follow and is disabled.
            $file = $permission->getRelatedObject();
            if ($file === null) {
                throw new EyeNullPointerException('$permission->getRelatedObject()');
            }
            $file->checkWritePermission();
        }
    }
    return true;
}
/**
 * API entry point: logs in with the supplied credentials, runs the request
 * inside a synthetic 'api' process (pid 31337) and renders the module result.
 *
 * Parameters come from POST 'params' (decoded through the DataManager) or,
 * failing that, raw GET 'params'. The target is POST 'module' / 'name',
 * dispatched through EyeosApplicationExecutable::__callModule.
 *
 * NOTE(review): the credentials are read from $_REQUEST, so they are also
 * accepted from the query string (and can therefore end up in access logs);
 * a missing key raises a notice rather than a clean error.
 *
 * @param MMapRequest $request
 * @param MMapResponse $response
 */
public function processRequest(MMapRequest $request, MMapResponse $response)
{
    ob_start('mb_output_handler');
    $dataManager = DataManager::getInstance();

    $post = $request->getPOST();
    if (isset($post['params'])) {
        $params = $dataManager->doInput($post['params']);
    } elseif ($request->issetGET('params')) {
        $params = $request->getGET('params');
    } else {
        $params = array();
    }

    // Authenticate the caller and obtain a login context for the fake process
    $subject = new Subject();
    $loginContext = new LoginContext('eyeos-login', $subject);
    $credential = new EyeosPasswordCredential();
    $credential->setUsername($_REQUEST['username']);
    $credential->setPassword($_REQUEST['password'], true);
    $subject->getPrivateCredentials()->append($credential);
    $loginContext->login();

    // Register the 'api' process in the process table and make it current
    Kernel::enterSystemMode();
    $apiProcess = new Process('api');
    $apiProcess->setPid('31337');
    $memory = MemoryManager::getInstance();
    $table = $memory->get('processTable', array());
    $table[31337] = $apiProcess;
    $memory->set('processTable', $table);
    $apiProcess->setLoginContext($loginContext);
    ProcManager::getInstance()->setCurrentProcess($apiProcess);
    kernel::exitSystemMode();

    $result = call_user_func_array(
        array('EyeosApplicationExecutable', '__callModule'),
        array($request->getPOST('module'), $request->getPOST('name'), $params)
    );

    // Force a plain-text mime type unless the application already emitted headers
    if (!headers_sent()) {
        $response->getHeaders()->append('Content-type:text/plain');
    }
    if ($response->getBodyRenderer() === null && $response->getBody() == '') {
        $response->setBodyRenderer(new DataManagerBodyRenderer($result));
    }
}
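/**
 * Checks 'addtogroup' / 'removefromgroup' on a principal-group assignation.
 *
 * Only assignations whose principal is a workgroup are handled: adding it to a
 * group requires the caller to hold that group as a principal, removing it
 * requires the caller to be the workgroup owner. When the principal no longer
 * exists, a removal is always allowed. Every other case is denied.
 *
 * @param mixed $object
 * @param IPermission $permission
 * @param LoginContext $context
 * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
 *
 * @throws EyeInvalidArgumentException
 * @throws EyeUnexpectedValueException
 * @throws EyeAccessControlException
 */
public function checkPermission($object, IPermission $permission, LoginContext $context)
{
    if (!$object instanceof EyeosPrincipalGroupAssignation) {
        throw new EyeInvalidArgumentException('$object must be a EyeosPrincipalGroupAssignation.');
    }

    try {
        $eyeosUser = $context->getEyeosUser();
    } catch (EyeNullPointerException $e) {
        $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
        return false;
    }

    $um = UMManager::getInstance();

    // Initialised explicitly: when the principal is gone and the action is not
    // 'removefromgroup' execution continues, and $principal would otherwise be undefined.
    $principal = null;
    try {
        $principal = $um->getPrincipalById($object->getPrincipalId());
    } catch (EyeNoSuchPrincipalException $e) {
        if (in_array('removefromgroup', $permission->getActions())) {
            // The principal no longer exists: dropping its assignation is harmless for anyone
            return true;
        }
    }

    $group = $um->getPrincipalById($object->getGroupId());

    // Workgroup <-> group assignations have dedicated rules
    if ($principal instanceof IWorkgroup) {
        foreach ($permission->getActions() as $action) {
            switch ($action) {
                case 'addtogroup':
                    // caller must be a member of the target group
                    if (!$context->getSubject()->getPrincipals()->contains($group)) {
                        throw new EyeAccessControlException('Cannot add workgroup "' . $principal->getName() . '" to group ' . $group->getName() . ': insufficient permissions.)');
                    }
                    break;
                case 'removefromgroup':
                    // caller must own the workgroup
                    if ($principal->getOwnerId() != $eyeosUser->getId()) {
                        throw new EyeAccessControlException('Cannot remove workgroup "' . $principal->getName() . '" from group ' . $group->getName() . ': insufficient permissions.)');
                    }
                    break;
            }
        }
        return true;
    }

    throw new EyeAccessControlException('Access denied to UM assignation (actions: ' . $permission->getActionsAsString() . ')');
}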
/**
 * Re-authenticates the current process with the given credentials.
 *
 * A new login context (named like the current one) is built from the
 * username/password pair; on success it replaces the process' login context,
 * i.e. the rest of the process runs under the new identity.
 *
 * @param array $params (0 => username, 1 => password)
 * @return bool TRUE when the login succeeded, FALSE on EyeLoginException
 */
public static function login($params)
{
    $username = $params[0];
    $password = $params[1];

    $procManager = ProcManager::getInstance();
    $process = $procManager->getCurrentProcess();
    $contextName = $process->getLoginContext()->getName();

    $subject = new Subject();
    $subject->getPrivateCredentials()->append(new EyeosPasswordCredential($username, $password));
    $replacementContext = new LoginContext($contextName, $subject);

    try {
        $replacementContext->login();
    } catch (EyeLoginException $e) {
        return false;
    }

    // Login succeeded: the target application will run under the new context
    $procManager->setProcessLoginContext($process->getPid(), $replacementContext);
    return true;
}
/**
 * Checks access to the metadata of a principal.
 *
 * 'write' and 'delete' are reserved to the owner: the caller must be the
 * principal the permission relates to (loose object comparison). Reads and
 * other actions are allowed.
 *
 * @param mixed $object
 * @param IPermission $permission
 * @param LoginContext $context
 * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
 *
 * @throws EyeInvalidArgumentException
 * @throws EyeUnexpectedValueException
 * @throws EyeAccessControlException
 */
public function checkPermission($object, IPermission $permission, LoginContext $context)
{
    if (!$object instanceof PrincipalMetaData) {
        throw new EyeInvalidArgumentException('$object must be a PrincipalMetaData.');
    }
    if (!$permission instanceof MetaDataPermission) {
        throw new EyeInvalidArgumentException('$permission must be a MetaDataPermission.');
    }

    try {
        $currentUser = $context->getEyeosUser();
    } catch (EyeNullPointerException $e) {
        $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
        return false;
    }

    $requested = $permission->getActions();
    $isMutation = in_array('delete', $requested) || in_array('write', $requested);
    if ($isMutation && $currentUser != $permission->getRelatedObject()) {
        throw new EyeAccessControlException('Only the owner of the metadata can write or delete them.');
    }
    return true;
}
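/**
 * Checks access to the metadata of a workgroup.
 *
 * 'write' and 'delete' are reserved to the workgroup owner and to members
 * holding the admin role; the caller must carry the workgroup as a principal
 * and have an assignation in it. Reads and other actions are allowed.
 *
 * @param mixed $object
 * @param IPermission $permission
 * @param LoginContext $context
 * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
 *
 * @throws EyeInvalidArgumentException
 * @throws EyeUnexpectedValueException
 * @throws EyeAccessControlException
 */
public function checkPermission($object, IPermission $permission, LoginContext $context)
{
    if (!$object instanceof WorkgroupMetaData) {
        // message fixed: it used to name PrincipalMetaData although WorkgroupMetaData is required
        throw new EyeInvalidArgumentException('$object must be a WorkgroupMetaData.');
    }
    if (!$permission instanceof MetaDataPermission) {
        throw new EyeInvalidArgumentException('$permission must be a MetaDataPermission.');
    }

    $requested = $permission->getActions();
    $isMutation = in_array('delete', $requested) || in_array('write', $requested);
    if (!$isMutation) {
        return true;
    }

    // WRITE and DELETE need special privileges (owner or admin)
    $workgroup = $permission->getRelatedObject();
    try {
        $eyeosUser = $context->getEyeosUser();
    } catch (EyeNullPointerException $e) {
        $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
        return false;
    }

    // Owner: nothing more to check
    if ($workgroup->getOwnerId() == $eyeosUser->getId()) {
        return true;
    }

    // Not the owner: must at least be a member...
    if (!$context->getSubject()->getPrincipals()->contains($workgroup)) {
        throw new EyeAccessControlException('Access denied to the metadata of workgroup "' . $workgroup->getName() . '": not a member.');
    }

    // ...and the assignation must carry the admin role
    $um = UMManager::getInstance();
    $lookup = $um->getNewUserWorkgroupAssignationInstance();
    $lookup->setUserId($eyeosUser->getId());
    $lookup->setWorkgroupId($workgroup->getId());
    $assignation = current($um->getAllUserWorkgroupAssignations($lookup));
    if ($assignation === false) {
        throw new EyeUnexpectedValueException('Wrong assignation.');
    }
    if ($assignation->getRole() != WorkgroupConstants::ROLE_ADMIN) {
        throw new EyeAccessControlException('Access denied: Only the owner or the admin of the workgroup can write or delete specified resource.');
    }
    return true;
}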
/**
 * Special-case handler for the metadata of workgroup files.
 *
 * Members holding the owner, admin or editor role in the file's workgroup get
 * every permission; non-members are denied. For any other member this handler
 * declines (FALSE with a failure exception) so that the default
 * EyeosFileMetaDataSecurityHandler applies the UNIX-like file permissions.
 *
 * @param mixed $object
 * @param IPermission $permission
 * @param LoginContext $context
 * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
 *
 * @throws EyeInvalidArgumentException
 * @throws EyeUnexpectedValueException
 * @throws EyeAccessControlException
 */
public function checkPermission($object, IPermission $permission, LoginContext $context)
{
    if (!$object instanceof VirtualFileMetaData) {
        throw new EyeInvalidArgumentException('$object must be a VirtualFileMetaData.');
    }

    // Only metadata attached to a workgroup file is handled here (null is rejected too)
    $file = $permission->getRelatedObject();
    if (!$file instanceof EyeWorkgroupFile) {
        $this->failureException = new EyeHandlerFailureException('Can only work with metadata of workgroup files.');
        return false;
    }

    try {
        $currentUser = $context->getEyeosUser();
    } catch (EyeNullPointerException $e) {
        $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
        return false;
    }

    $um = UMManager::getInstance();
    $workgroup = $file->getWorkgroup();

    // Caller's assignation in the file's workgroup
    $lookup = $um->getNewUserWorkgroupAssignationInstance();
    $lookup->setUserId($currentUser->getId());
    $lookup->setWorkgroupId($workgroup->getId());
    $assignation = current($um->getAllUserWorkgroupAssignations($lookup));

    // No assignation: not a member. ($workgroup is concatenated as an object, as in the original.)
    if ($assignation === false) {
        throw new EyeAccessControlException('Only members of workgroup "' . $workgroup . '" can access workgroup files.');
    }

    // Owner, admin and editor roles are granted everything
    $fullAccessRoles = array(
        WorkgroupConstants::ROLE_OWNER,
        WorkgroupConstants::ROLE_ADMIN,
        WorkgroupConstants::ROLE_EDITOR,
    );
    if (in_array($assignation->getRole(), $fullAccessRoles, true)) {
        return true;
    }

    // Other roles: defer to the default file metadata handler
    $this->failureException = new EyeHandlerFailureException('User is not the owner nor an admin of workgroup "' . $workgroup . '".');
    return false;
}
/**
 * Per-test fixture: recreates 'fakeGroup' and 'fakeUser' from scratch, starts
 * an 'example' process logged in as fakeUser and prepares the fixture paths
 * under fakeUser's home.
 */
public function setUp()
{
    if (self::$InitProcessToRestore === null) {
        self::$InitProcessToRestore = ProcManager::getInstance()->getCurrentProcess();
    }

    $um = UMManager::getInstance();

    // Remove leftovers from a previous run (absence is fine)
    try {
        $um->deletePrincipal($um->getUserByName('fakeUser'));
    } catch (EyeNoSuchUserException $e) {
    }
    try {
        $um->deletePrincipal($um->getGroupByName('fakeGroup'));
    } catch (EyeNoSuchGroupException $e) {
    }

    $this->group = $um->getNewGroupInstance();
    $this->group->setName('fakeGroup');
    $um->createGroup($this->group);
    $this->idGroup = $this->group->getId();

    $this->user = $um->getNewUserInstance();
    $this->user->setName('fakeUser');
    $this->user->setPassword('fakePassword', true);
    $this->user->setPrimaryGroupId($this->group->getId());
    $um->createUser($this->user);
    $this->idUser = $this->user->getId();

    // Run the test as fakeUser inside an 'example' process
    $process = new Process('example');
    $userContext = new LoginContext('example', new Subject());
    $userContext->getSubject()->getPrivateCredentials()->append(new EyeosPasswordCredential('fakeUser', 'fakePassword'));
    $userContext->login();
    $process->setLoginContext($userContext);
    ProcManager::getInstance()->execute($process);
    self::$MyProcPid = $process->getPid();

    $filesRoot = USERS_PATH . '/fakeUser/' . USERS_FILES_DIR;
    $this->fixture_file_path = $filesRoot . '/testFile.txt';
    $this->fixture_newFile_path = $filesRoot . '/testDir/testFile2.txt';
    $this->fixture_file = FSI::getFile('home://~fakeUser/testFile.txt');
    $this->fixture_dir_path = $filesRoot . '/testDir';
    $this->fixture_dir = FSI::getFile('home://~fakeUser/testDir');
}
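/**
 * Workgroup-privilege handler (deprecated).
 *
 * The lookup that used to derive the workgroup from $object (via its
 * getOwnerId()/getOwner()) has been removed, so $workgroup stays null and the
 * handler always records an empty EyeHandlerFailureException and returns
 * FALSE. The membership/assignation checks after that guard are kept for
 * reference but are currently unreachable.
 *
 * @param mixed $object
 * @param IPermission $permission
 * @param LoginContext $context
 * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise.
 *
 * @throws EyeInvalidArgumentException
 * @throws EyeAccessControlException
 */
public function checkPermission($object, IPermission $permission, LoginContext $context)
{
    // ## DEPRECATED ## — the "hard" workgroup lookup from $object is disabled, leaving null
    $workgroup = null;

    if (!$workgroup instanceof AbstractEyeosWorkgroup) {
        $this->failureException = new EyeHandlerFailureException('');
        return false;
    }

    // The caller's subject must carry the workgroup as a principal
    $workgroupIndex = $context->getSubject()->getPrincipals()->getIndex($workgroup);
    if ($workgroupIndex === false) {
        // getName() is now called; the original read an undefined property "getName"
        throw new EyeAccessControlException('The specified action requires privileges of workgroup "' . $workgroup->getName() . '".');
    }

    try {
        $eyeosUser = $context->getEyeosUser();
    } catch (EyeNullPointerException $e) {
        self::$Logger->warn('Can\'t check permissions for object of class' . get_class($object) . ': no EyeosUser found in login context. Operation cancelled.');
        return false;
    }

    // Member of the workgroup: an assignation must exist (its role is not inspected)
    $um = UMManager::getInstance();
    $lookup = $um->getNewUserWorkgroupAssignationInstance();
    $lookup->setUserId($eyeosUser->getId());
    $lookup->setWorkgroupId($workgroup->getId());
    $assignation = current($um->getAllUserWorkgroupAssignations($lookup));
    if (!$assignation instanceof EyeosUserWorkgroupAssignation) {
        return false;
    }

    // TODO: action/role checks were never implemented here
    return true;
}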
/**
 * Makes sure the execution context carries a running Process.
 *
 * Nothing happens when the context already has one. Otherwise the
 * application's 'eyeos.application.systemParameters' metadata drives two
 * decisions: without a parent process (no checknum) the app must declare
 * anonymous => 'true' or execution is refused; with suid => 'true' and an
 * owner, the new process is re-logged as that owner using the owner's stored
 * password value (third credential argument false, as elsewhere when a stored
 * rather than a typed password is supplied).
 *
 * @param AppExecutionContext $appContext
 * @throws EyeNullPointerException when the application has no metadata
 * @throws EyeMMapException when a non-anonymous app is started without a checknum
 * @throws Exception whatever elevation raised, after the new process was killed
 */
private function startProcess(AppExecutionContext $appContext)
{
    if ($appContext->getProcess() !== null) {
        return;
    }

    $descriptor = $appContext->getApplicationDescriptor();
    $appName = $descriptor->getName();

    $appMeta = $descriptor->getMeta();
    if ($appMeta === null) {
        throw new EyeNullPointerException('Missing metadata for application "' . $appName . '"');
    }
    $sysParams = $appMeta->get('eyeos.application.systemParameters');

    // No parent process means no checknum: only apps flagged anonymous may start
    if ($appContext->getParentProcess() === null) {
        // TODO should we also prevent anonymous execution to JS-only apps?
        $allowsAnonymous = isset($sysParams['anonymous']) && $sysParams['anonymous'] == 'true';
        if (!$allowsAnonymous) {
            self::$Logger->warn('Execution without checknum denied for application "' . $appName . '".');
            throw new EyeMMapException($appName . ' application cannot be executed without a checknum.');
        }
    }

    // Spawn the application's process
    $appProcess = new Process($appName);
    ProcManager::getInstance()->execute($appProcess);
    $appContext->setProcess($appProcess);

    // SUID: re-login the new process as the declared owner
    $isSuid = isset($sysParams['suid']) && $sysParams['suid'] == 'true' && !empty($sysParams['owner']);
    if (!$isSuid) {
        return;
    }

    $ownerName = $sysParams['owner'];
    try {
        $owner = UMManager::getInstance()->getUserByName($ownerName);
        try {
            $subject = new Subject();
            $subject->getPrivateCredentials()->append(new EyeosPasswordCredential($ownerName, $owner->getPassword(), false));
            $ownerContext = new LoginContext('eyeos-login', $subject);
            $ownerContext->login();
        } catch (Exception $e) {
            self::$Logger->error('Exception caught while trying to elevate privileges by SUID to owner ' . $ownerName . ' in application "' . $appName . '".');
            // a process that failed elevation must not keep running
            ProcManager::getInstance()->kill($appContext->getProcess());
            throw $e;
        }
        if (self::$Logger->isInfoEnabled()) {
            self::$Logger->info('Privileges elevation successful with owner ' . $ownerName . ' for application "' . $appName . '".');
        }
        ProcManager::getInstance()->setProcessLoginContext($appProcess->getPid(), $ownerContext);
    } catch (Exception $e) {
        self::$Logger->error('Cannot elevate privileges with owner ' . $ownerName . ' for application "' . $appName . '".');
        throw $e;
    }
}
/**
 * Shutdown hook of the test run: logs in as root inside a throw-away
 * 'shutdown' process, deletes every user and removes USERS_PATH.
 *
 * Failures are printed with a stack trace instead of propagating, since
 * this runs at shutdown.
 */
function __shutdown_test()
{
    try {
        $um = UMManager::getInstance();

        // Deleting principals needs root (test credentials)
        $rootSubject = new Subject();
        $rootContext = new LoginContext('init', $rootSubject);
        $rootSubject->getPrivateCredentials()->append(new EyeosPasswordCredential('root', 'root'));
        $rootContext->login();

        // A process is needed to carry that context
        $procManager = ProcManager::getInstance();
        $shutdownProcess = new Process('shutdown');
        $procManager->execute($shutdownProcess);
        $procManager->setProcessLoginContext($shutdownProcess->getPid(), $rootContext);

        foreach ($um->getAllUsers() as $user) {
            $um->deletePrincipal($user);
        }
        AdvancedPathLib::rmdirs(USERS_PATH, true);
    } catch (Exception $e) {
        echo 'Uncaught exception on shutdown!' . "\n";
        ExceptionStackUtil::printStackTrace($e, false);
    }
}
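/**
 * Resets the password of the user registered with the given e-mail address and mails
 * the new password to that address.
 *
 * The account is located through its 'eyeos.user.email' metadata and the stored value
 * is re-checked before acting. To perform the update the current process temporarily
 * runs under a login context authenticated as the target user; the previous login
 * context is restored afterwards, whether the update succeeds or throws.
 *
 * @param array $params [0 => string e-mail address]
 * @return int 1 when a password was reset and mailed, 0 when no user matches the address
 *             (previously the method ended without a return value when candidates were
 *             found but none re-checked as a match)
 * @throws Exception any exception raised while updating the principal is rethrown after
 *                   the original login context has been restored
 */
public static function resendPassword($params) {
    $mail = $params[0];
    $meta = new BasicMetaData();
    $meta->set('eyeos.user.email', $mail);
    $metaManager = MetaManager::getInstance();
    $userIds = $metaManager->searchMeta(new EyeosUser(), $meta);
    if (count($userIds) == 0) {
        return 0;
    }
    $myUManager = UMManager::getInstance();
    $procManager = ProcManager::getInstance();
    foreach ($userIds as $userId) {
        $user = $myUManager->getUserById($userId);
        $settings = $metaManager->retrieveMeta($user);
        // the metadata search result is re-checked against the stored address before acting
        if ($settings->get('eyeos.user.email') != $mail) {
            continue;
        }
        // Authenticate as the target user (stored password value, second argument false —
        // presumably "already hashed", as opposed to the true used with plain-text passwords)
        $subject = new Subject();
        $loginContext = new LoginContext('eyeos-login', $subject);
        $cred = new EyeosPasswordCredential();
        $cred->setUsername($user->getName());
        $cred->setPassword($user->getPassword(), false);
        $subject->getPrivateCredentials()->append($cred);
        $loginContext->login();
        $currentPid = $procManager->getCurrentProcess()->getPid();
        $lc = $procManager->getCurrentProcess()->getLoginContext();
        if (!$lc) {
            $lc = new LoginContext('eyeos-login');
        }
        $procManager->setProcessLoginContext($currentPid, $loginContext);
        try {
            $password = self::generatePassword();
            $user->setPassword($password, true);
            $myUManager->updatePrincipal($user);
        } catch (Exception $e) {
            // never leave the process running under the target user's identity
            $procManager->setProcessLoginContext($currentPid, $lc);
            throw $e;
        }
        $procManager->setProcessLoginContext($currentPid, $lc);
        self::sendMailModificationPassword($mail, $user->getName(), $password);
        return 1;
    }
    // candidates were returned by the metadata search but none re-checked as a match
    return 0;
}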
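/**
 * Checks whether the user of the given login context is allowed to perform the actions
 * of $permission on a file.
 *
 * The check is UNIX-like: the file's octal permissions are matched against the
 * owner / group / others bits, depending on how the user relates to the file.
 * Special cases:
 *  - EyeUserFile names are validated first ('.htaccess', empty names and the
 *    characters ? # & < > are refused);
 *  - when the file does not exist or 'delete' is requested, write permission on the
 *    parent folder decides instead (via $parentFolder->checkWritePermission());
 *  - 'admin' is granted to the owner only.
 *
 * @param mixed $object Must be an IFile.
 * @param IPermission $permission
 * @param LoginContext $context
 * @return bool TRUE if the handler performed the permission check successfully, FALSE
 *              otherwise (the reason is stored in $this->failureException).
 *
 * @throws EyeInvalidArgumentException when $object is not an IFile
 * @throws EyeUnexpectedValueException
 * @throws EyeAccessControlException when the requested action is denied
 * @throws EyeNoSuchUserException when the owner is unknown and the file is not an EyeWorkgroupFile
 */
public function checkPermission($object, IPermission $permission, LoginContext $context) {
    if (!$object instanceof IFile) {
        throw new EyeInvalidArgumentException('$object must be an IFile.');
    }
    if ($object instanceof EyeUserFile) {
        $this->checkUserFileName($object->getName());
    }
    // If the target file does not exist or we are requesting a deletion permission,
    // we must check write permissions on the parent folder, to know whether the current
    // user is allowed or not to manipulate files within it.
    if (!$object->exists() || in_array('delete', $permission->getActions())) {
        $parentFolder = $object->getParentFile();
        if (!$parentFolder->equals($object)) {
            $parentFolder->checkWritePermission();
            return true;
        }
    }
    try {
        $eyeosUser = $context->getEyeosUser();
    } catch (EyeNullPointerException $e) {
        $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
        return false;
    }
    $objectPermissions = $object->getPermissions(true);
    if (!is_int($objectPermissions)) {
        $this->failureException = new EyeHandlerFailureException('"' . $objectPermissions . '" is not a valid octal UNIX permission for file ' . $object->getPath() . '.');
        return false;
    }
    $umManager = UMManager::getInstance();
    try {
        $owner = $umManager->getUserByName($object->getOwner());
    } catch (EyeNoSuchUserException $e) {
        // Workaround: when the owner of a workgroup file no longer exists we have to set a
        // new owner for that file, otherwise loading the owner information fails.
        // Exact class match kept on purpose: subclasses of EyeWorkgroupFile are not fixed.
        if (get_class($object) == 'EyeWorkgroupFile') {
            $object->fixOwner();
            $owner = $umManager->getUserByName($object->getOwner());
        } else {
            throw $e;
        }
    }
    $group = $umManager->getGroupByName($object->getGroup());
    foreach ($permission->getActions() as $action) {
        if ($action == 'admin') {
            if ($eyeosUser->getName() != $object->getOwner()) {
                throw new EyeAccessControlException('Only the owner ' . $object->getOwner() . ' has admin rights for file ' . $object->getPath() . '.');
            }
            continue;
        }
        // map the action onto its owner bit (shifted below for group / others)
        switch ($action) {
            case 'read':
                $ref = 0400;
                $actionText = 'Read';
                break;
            case 'write':
                $ref = 0200;
                $actionText = 'Write';
                break;
            case 'execute':
                $ref = 0100;
                $actionText = 'Execution';
                break;
            default:
                // the given action is not supported by this handler
                $this->failureException = new EyeHandlerFailureException('Unknown action received: ' . $action . '. Wrong configuration?');
                return false;
        }
        // Select the bit triplet that applies to this user: owner, then group, then others
        if ($eyeosUser->getId() == $owner->getId()) {
            $shift = 0;
        } elseif ($context->getSubject()->getPrincipals()->contains($group)) {
            $shift = 3;
        } else {
            $shift = 6;
        }
        if (!(($ref >> $shift) & $objectPermissions)) {
            throw new EyeAccessControlException($actionText . ' access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (insufficient permissions).');
        }
    }
    if (self::$Logger->isInfoEnabled()) {
        self::$Logger->info('Access granted to user ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on file ' . $object->getPath() . '.');
    }
    return true;
}

/**
 * Refuses EyeUserFile names that must not be reachable through this handler.
 *
 * NOTE(review): the '.htaccess' comparison is case-sensitive; whether a differently
 * cased name matters depends on the underlying filesystem and web server — confirm.
 *
 * @param string $name
 * @throws EyeAccessControlException for '.htaccess', an empty name, or a name containing
 *                                   one of the characters ? # & < >
 */
private function checkUserFileName($name) {
    if ($name == '.htaccess') {
        throw new EyeAccessControlException('You cannot access that kind of file (.HTACCESS).');
    }
    if ('' == $name) {
        throw new EyeAccessControlException('Empty filename not allowed');
    }
    // same order as the former individual checks, so the same character is reported
    foreach (array('?', '#', '&', '<', '>') as $forbidden) {
        if (strstr($name, $forbidden)) {
            throw new EyeAccessControlException('Invalid character ' . $forbidden . ' on filename');
        }
    }
}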
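/**
 * Changes the password of the user owning the current process.
 *
 * The old password is verified by performing a throw-away login with it before the new
 * one is written. The update is first applied to a clone of the user object so that a
 * failing updatePrincipal() leaves the user held by the login context untouched.
 *
 * @param array $params [0 => string old password, 1 => string new password]
 * @return bool TRUE when the password has been changed
 * @throws EyeLoginException when the old password does not authenticate the current user
 */
public static function changePassword($params) {
    $oldPassword = $params[0];
    $newPassword = $params[1];
    $currentUser = ProcManager::getInstance()->getCurrentProcess()->getLoginContext()->getEyeosUser();
    // Verify the old password with a temporary login context; the process login context is not touched
    try {
        $tmpSubject = new Subject();
        $tmpSubject->getPrivateCredentials()->append(new EyeosPasswordCredential($currentUser->getName(), $oldPassword));
        $tmpLoginContext = new LoginContext('eyeos-login', $tmpSubject);
        $tmpLoginContext->login();
        unset($tmpSubject);
        unset($tmpLoginContext);
    } catch (EyeLoginException $e) {
        // the original exception is replaced by a generic message (its details are not chained)
        throw new EyeLoginException('The old password supplied is not correct');
    }
    // NOTE(review): $newPassword is stored as given — no emptiness/length policy is applied
    // here; confirm that the caller (or setPassword) validates it.
    // Apply the new password on a copy of the object: in case the update fails
    // we don't want the login context to be in an inconsistent state (user with unsynchronized password)
    $currentUserCopy = clone $currentUser;
    $currentUserCopy->setPassword($newPassword, true);
    UMManager::getInstance()->updatePrincipal($currentUserCopy);
    // If and only if the update process is successful, we can update the object in the login context
    $currentUser->setPassword($newPassword, true);
    return true;
}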
/**
 * ProcManager::setProcessLoginContext():
 *  - rejects a pid below ProcManager::MINPIDNUMBER with an EyeProcException;
 *  - stores the very instance passed in (assertSame) on the process table entry;
 *  - after a fixture reset, a process executed from the init process inherits the init
 *    login context, and can then be switched to a context authenticated as another user
 *    ('john'), leaving the init process' user ('root') untouched.
 *
 * The test depends on fixture state ($this->fixture, $this->pids, $this->authConfig,
 * self::$InitProcess, self::$InitPid) set up by setUp().
 */
public function testSetProcessLoginContext() {
    $proc = new Process('example');
    $this->fixture->execute($proc);
    $this->pids[] = $pid = $proc->getPid();
    $this->loginContext = new LoginContext('init');
    $this->fixture->setProcessLoginContext($pid, $this->loginContext);
    // an out-of-range pid must be refused
    try {
        $this->fixture->setProcessLoginContext(ProcManager::MINPIDNUMBER - 1, $this->loginContext);
        $this->fail();
    } catch (EyeProcException $e) {
        // normal situation
    }
    $processTable = $this->fixture->getProcessesTable();
    $this->assertNotNull($processTable[$pid]->getLoginContext());
    // setting the same context twice is allowed and keeps identity
    $this->fixture->setProcessLoginContext($pid, $this->loginContext);
    $processTable = $this->fixture->getProcessesTable();
    $this->assertEquals($this->loginContext, $processTable[$pid]->getLoginContext());
    $this->assertSame($this->loginContext, $processTable[$pid]->getLoginContext());
    // reset the fixture before the second scenario
    $this->tearDown();
    $this->setUp();
    /**** execute another process then change to a different login context ****/
    $this->fixture->setCurrentProcess(self::$InitProcess);
    $initLoginContext = clone self::$InitProcess->getLoginContext();
    $proc = new Process('example2');
    $this->fixture->execute($proc);
    $this->pids[] = $pid2 = $proc->getPid();
    $processTable = $this->fixture->getProcessesTable();
    //check some necessary conditions before proceeding
    $this->assertTrue(is_array($processTable));
    $this->assertTrue(isset($processTable[$pid2]));
    $this->assertTrue($processTable[$pid2] instanceof Process);
    $this->assertEquals('example2', $processTable[$pid2]->getName());
    $pid = $processTable[$pid2]->getPid();
    $this->assertNotNull($pid);
    $this->assertTrue(ProcManager::MINPIDNUMBER <= $pid);
    $this->assertTrue($pid <= ProcManager::MAXPIDNUMBER);
    // the new process inherits the login context of the (init) process that executed it
    $this->assertEquals($initLoginContext, $processTable[$pid2]->getLoginContext());
    $this->assertNotNull($processTable[$pid2]->getLoginContext()->getEyeosUser());
    $checknum = $processTable[$pid2]->getChecknum();
    $this->assertNotNull($checknum);
    $this->assertTrue(ProcManager::MINCHECKNUMNUMBER <= $checknum);
    $this->assertTrue($checknum <= ProcManager::MAXCHECKNUMNUMBER);
    $this->assertNotNull($processTable[$pid2]->getTime());
    //create a new login context with another user (test-fixture credentials)
    $subject = new Subject();
    $newLoginContext = new LoginContext('example', $subject, $this->authConfig);
    $cred = new EyeosPasswordCredential('john', 'john');
    $this->assertEquals(0, $newLoginContext->getSubject()->getPrivateCredentials()->count());
    $newLoginContext->getSubject()->getPrivateCredentials()->append($cred);
    $newLoginContext->login();
    $this->assertNotEquals($initLoginContext, $newLoginContext);
    $this->fixture->setProcessLoginContext($pid2, $newLoginContext);
    $this->assertNotEquals($initLoginContext, $proc->getLoginContext());
    $this->assertEquals($newLoginContext, $proc->getLoginContext());
    $this->assertSame($newLoginContext, $proc->getLoginContext());
    // switching one process' context must not affect the init process
    $initUser = $this->fixture->getProcessByPid(self::$InitPid)->getLoginContext()->getEyeosUser();
    $newUser = $this->fixture->getProcessByPid($pid2)->getLoginContext()->getEyeosUser();
    $this->assertEquals('root', $initUser->getName());
    $this->assertEquals('john', $newUser->getName());
}
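/**
 * Checks whether the user of the given login context may perform the actions of
 * $permission on a shared object.
 *
 * Sharing-management actions ('addcollaborator', 'removecollaborator',
 * 'updatecollaborator') are reserved to the share owner. Any other action is looked up
 * in the object's share infos: the first share info whose collaborator is the current
 * user, or a group the current subject belongs to, decides through
 * IPermission::implies(). When no collaborator matches, the handler reports itself as
 * not applicable (FALSE + failureException) rather than denying.
 *
 * @param mixed $object Must be an IShareable that currently has an ID.
 * @param IPermission $permission
 * @param LoginContext $context
 * @return bool TRUE if the handler performed the permission check successfully, FALSE
 *              otherwise (the reason is stored in $this->failureException).
 *
 * @throws EyeInvalidArgumentException when $object is not an IShareable
 * @throws EyeUnexpectedValueException
 * @throws EyeAccessControlException when the requested action is denied
 */
public function checkPermission($object, IPermission $permission, LoginContext $context) {
    if (!$object instanceof IShareable) {
        throw new EyeInvalidArgumentException('$object must be an IShareable.');
    }
    if ($object->getId(false) === null) {
        $this->failureException = new EyeHandlerFailureException('$object has no ID and though is probably not currently shared.');
        return false;
    }
    try {
        $eyeosUser = $context->getEyeosUser();
    } catch (EyeNullPointerException $e) {
        $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
        return false;
    }
    // General sharing actions (addCollaborator, removeCollaborator, updateCollaborator)
    $actions = $permission->getActions();
    if (in_array('addcollaborator', $actions) || in_array('removecollaborator', $actions) || in_array('updatecollaborator', $actions)) {
        // currently, only the owner can perform those actions
        if ($eyeosUser->getId() != $object->getShareOwner()->getId()) {
            self::$Logger->info('Access denied to non-owner user ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on object ' . $object->getId() . '.');
            throw new EyeAccessControlException('Only the owner of the object can perform that kind of actions (' . $permission->getActionsAsString() . ').');
        }
        self::$Logger->debug('Access granted to owner ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on object ' . $object->getId() . '.');
        return true;
    }
    // Object-dependant sharing actions
    try {
        $shareInfos = SharingManager::getInstance()->getAllShareInfo($object);
    } catch (Exception $e) {
        $logger = Logger::getLogger('system.services.Security.ShareableObjectSecurityHandler');
        $logger->warn('Cannot retrieve shareinfo on object with ID: ' . $object->getId(false));
        if ($logger->isDebugEnabled()) {
            $logger->debug(ExceptionStackUtil::getStackTrace($e, false));
        } else {
            $logger->warn('Exception message: ' . $e->getMessage());
        }
        $this->failureException = new EyeHandlerFailureException('Cannot retrieve shareinfo on object with ID: ' . $object->getId(false) . ': ' . $e->getMessage());
        return false;
    }
    foreach ($shareInfos as $shareInfo) {
        $collaborator = $shareInfo->getCollaborator();
        if ($collaborator instanceof IGroup) {
            // "is the subject in the current login context representative of the group collaborator?"
            // Uses the principals collection's own contains(), as the other security handlers do;
            // the former in_array() expects a plain array and would not match here.
            $isCollaborator = $context->getSubject()->getPrincipals()->contains($collaborator);
        } else {
            $isCollaborator = $collaborator->getId() == $eyeosUser->getId();
        }
        if (!$isCollaborator) {
            continue;
        }
        // the same implies() check applies to both group and user collaborators
        if ($shareInfo->getPermissions()->implies($permission)) {
            return true;
        }
        throw new EyeAccessControlException('$object permission actions (' . $shareInfo->getPermissions()->getActionsAsString() . ') ' . 'do not imply requested permission (' . $permission->getActionsAsString() . ') for collaborator ' . $eyeosUser->getName());
    }
    // No matching collaborator found => this module is not applicable to the current check => set it as FAILED
    $this->failureException = new EyeHandlerFailureException('No matching collaborator found for object with ID ' . $object->getId(false) . '.');
    return false;
}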
/**
 * Checks whether the user of the given login context may perform the actions of
 * $permission on a workgroup or on a user/workgroup assignation.
 *
 * For an AbstractEyeosWorkgroup: the subject must belong to the 'wg-managers' group,
 * and 'update' / 'delete' additionally require being the workgroup owner.
 *
 * For an EyeosUserWorkgroupAssignation the decision depends on the action, on the
 * workgroup's privacy mode and on the current user's own assignation (role/status)
 * in that workgroup:
 *  - 'addtoworkgroup': a user may join himself under the rules of the privacy mode
 *    (OPEN: join; ONREQUEST: apply with status PENDING; ONINVITATION: owner only),
 *    never as owner/admin; owners and admins may add others with status INVITED only;
 *  - 'removefromworkgroup': a user may leave himself; otherwise owner/admin only;
 *  - 'update': a member may accept his own invitation (INVITED -> MEMBER); any other
 *    update is owner/admin only.
 *
 * NOTE(review): when the privacy mode matches none of the three constants, or when
 * $permission carries no action, the loop ends and the method returns without a value
 * (null, not false, and failureException is not set) — confirm the caller treats that
 * as a failed check.
 *
 * @param mixed $object Must be an AbstractEyeosWorkgroup or an EyeosUserWorkgroupAssignation.
 * @param IPermission $permission
 * @param LoginContext $context
 * @return bool TRUE if the handler performed the permission check successfully, FALSE
 *              otherwise (the reason is stored in $this->failureException).
 *
 * @throws EyeInvalidArgumentException when $object has an unsupported type
 * @throws EyeAccessControlException when the requested action is denied, or when the
 *                                   assignation refers to an unknown workgroup
 */
public function checkPermission($object, IPermission $permission, LoginContext $context) {
    if (!$object instanceof AbstractEyeosWorkgroup && !$object instanceof EyeosUserWorkgroupAssignation) {
        throw new EyeInvalidArgumentException('$object must be an AbstractEyeosWorkgroup or an EyeosUserWorkgroupAssignation.');
    }
    // $object is a Workgroup => check for actions: Create, Update, Delete
    if ($object instanceof AbstractEyeosWorkgroup) {
        $wgManagersGroups = UMManager::getInstance()->getGroupByName('wg-managers');
        // The user must be member of the system group "wg-managers"
        if (!$context->getSubject()->getPrincipals()->contains($wgManagersGroups)) {
            throw new EyeAccessControlException('The specified action requires privileges of group "wg-managers".');
        }
        // Update or Delete? Must be owner
        if (in_array('update', $permission->getActions()) || in_array('delete', $permission->getActions())) {
            try {
                $eyeosUser = $context->getEyeosUser();
            } catch (EyeNullPointerException $e) {
                $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
                return false;
            }
            if ($object->getOwnerId() != $eyeosUser->getId()) {
                throw new EyeAccessControlException('Only the owner of the workgroup can perform the requested action(s): ' . $permission->getActionsAsString() . '.');
            }
        }
        // any other action (e.g. create) only needs the wg-managers membership checked above
        return true;
    } else {
        try {
            $eyeosUser = $context->getEyeosUser();
        } catch (EyeNullPointerException $e) {
            $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
            return false;
        }
        try {
            $workgroup = UMManager::getInstance()->getWorkgroupById($object->getWorkgroupId());
        } catch (EyeNoSuchWorkgroupException $e) {
            throw new EyeAccessControlException('Unknown workgroup with ID "' . $object->getWorkgroupId() . '".', 0, $e);
        }
        // Retrieve the role of the current user in the workgroup
        // ($currentUserAssignation ends up FALSE when the current user has no assignation there)
        $currentUserAssignation = UMManager::getInstance()->getNewUserWorkgroupAssignationInstance();
        $currentUserAssignation->setUserId($eyeosUser->getId());
        $currentUserAssignation->setWorkgroupId($object->getWorkgroupId());
        $currentUserAssignation = current(UMManager::getInstance()->getAllUserWorkgroupAssignations($currentUserAssignation));
        foreach ($permission->getActions() as $action) {
            // Add to workgroup
            if ($action == 'addtoworkgroup') {
                // If the workgroup's privacy mode is OPEN
                if ($workgroup->getPrivacyMode() === WorkgroupConstants::PRIVACY_OPEN) {
                    // If the current user is the one joining the workgroup
                    if ($eyeosUser->getId() == $object->getUserId()) {
                        // Check for illegal role (owner role is only legal for the actual workgroup owner)
                        if ($object->getRole() === WorkgroupConstants::ROLE_OWNER && $workgroup->getOwnerId() != $object->getUserId() || $object->getRole() === WorkgroupConstants::ROLE_ADMIN) {
                            throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": cannot join a workgroup as owner or admin.');
                        }
                        return true;
                    } else {
                        // If the current user is not a member, exit here
                        if ($currentUserAssignation === false) {
                            throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                        }
                        // If the current user is the owner or an admin, he has the right to INVITE
                        if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) {
                            throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                        }
                        if ($object->getStatus() !== WorkgroupConstants::STATUS_INVITED) {
                            throw new EyeAccessControlException('Access denied to admin of workgroup "' . $workgroup->getName() . '": can only invite a member into the workgroup.');
                        }
                        return true;
                    }
                } else {
                    if ($workgroup->getPrivacyMode() === WorkgroupConstants::PRIVACY_ONREQUEST) {
                        // If the current user is the one joining the workgroup
                        if ($eyeosUser->getId() == $object->getUserId()) {
                            // Check for illegal role
                            if ($object->getRole() === WorkgroupConstants::ROLE_OWNER && $workgroup->getOwnerId() != $object->getUserId() || $object->getRole() === WorkgroupConstants::ROLE_ADMIN) {
                                throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": cannot apply for membership of workgroup ' . $workgroup->getName() . ' as owner or admin.');
                            }
                            // The status must be PENDING (the owner himself is exempt)
                            if ($workgroup->getOwnerId() != $object->getUserId() && $object->getStatus() !== WorkgroupConstants::STATUS_PENDING) {
                                throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": can only apply for membership of workgroup ' . $workgroup->getName() . '.');
                            }
                            return true;
                        } else {
                            // If the current user is not a member, exit here
                            if ($currentUserAssignation === false) {
                                throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                            }
                            // If the current user is the owner or an admin, he has the right to INVITE
                            if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) {
                                throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                            }
                            if ($object->getStatus() !== WorkgroupConstants::STATUS_INVITED) {
                                throw new EyeAccessControlException('Access denied to admin of workgroup "' . $workgroup->getName() . '": can only invite a member into the workgroup.');
                            }
                            return true;
                        }
                    } else {
                        if ($workgroup->getPrivacyMode() === WorkgroupConstants::PRIVACY_ONINVITATION) {
                            // If the current user is the one joining the workgroup
                            if ($eyeosUser->getId() == $object->getUserId()) {
                                // If the owner joins his workgroup (at creation), access granted
                                if ($eyeosUser->getId() == $workgroup->getOwnerId()) {
                                    return true;
                                }
                                throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": cannot apply for membership of workgroup ' . $workgroup->getName() . ', access is on invitation only.');
                            } else {
                                // If the current user is not a member, exit here
                                if ($currentUserAssignation === false) {
                                    throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                                }
                                // If the current user is the owner or an admin, he has the right to INVITE
                                if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) {
                                    throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                                }
                                if ($object->getStatus() !== WorkgroupConstants::STATUS_INVITED) {
                                    throw new EyeAccessControlException('Access denied to admin of workgroup "' . $workgroup->getName() . '": can only invite a member into the workgroup.');
                                }
                                return true;
                            }
                        }
                        // NOTE(review): no branch for any other privacy mode — see the method comment.
                    }
                }
            } else {
                if ($action == 'removefromworkgroup') {
                    // If the current user is the one leaving the workgroup
                    if ($eyeosUser->getId() == $object->getUserId()) {
                        return true;
                    }
                    // if the user is not a member, exit here
                    if ($currentUserAssignation === false) {
                        throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                    }
                    if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) {
                        throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                    }
                    return true;
                } else {
                    if ($action == 'update') {
                        // if the user is not a member, exit here
                        if ($currentUserAssignation === false) {
                            throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                        }
                        // Current user is the one from the assignation $object,
                        // and the transition is from "invited" to "member" => access granted
                        // NOTE(review): this compares against $currentUserAssignation->getUserId(), which was
                        // looked up by the current user's own id, not against $object->getUserId() — confirm intended.
                        if ($eyeosUser->getId() == $currentUserAssignation->getUserId() && $currentUserAssignation->getStatus() === WorkgroupConstants::STATUS_INVITED && $object->getStatus() === WorkgroupConstants::STATUS_MEMBER) {
                            return true;
                        } else {
                            if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) {
                                throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.');
                            }
                            return true;
                        }
                    } else {
                        // Unknown action
                        $this->failureException = new EyeHandlerFailureException('Unknown action specified: ' . $action);
                        return false;
                    }
                }
            }
        }
    }
}
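/**
 * Checks whether the user of the given login context may perform the actions of
 * $permission on an application, using the UNIX-like owner / group / permissions
 * triplet stored in the application's 'eyeos.application.systemParameters' metadata.
 *
 * Only the 'execute' action is known to this handler; any other action, or an
 * incomplete/invalid triplet, makes the handler report itself as not applicable
 * (FALSE + failureException).
 *
 * @param mixed $object Must be an EyeosApplicationDescriptor.
 * @param IPermission $permission
 * @param LoginContext $context
 * @return bool TRUE if the handler performed the permission check successfully, FALSE
 *              otherwise (the reason is stored in $this->failureException).
 *
 * @throws EyeInvalidArgumentException when $object is not an EyeosApplicationDescriptor
 * @throws EyeUnexpectedValueException
 * @throws EyeNullPointerException when the application has no metadata
 * @throws EyeAccessControlException when execution is denied
 */
public function checkPermission($object, IPermission $permission, LoginContext $context) {
    if (!$object instanceof EyeosApplicationDescriptor) {
        throw new EyeInvalidArgumentException('$object must be an EyeosApplicationDescriptor.');
    }
    try {
        $eyeosUser = $context->getEyeosUser();
    } catch (EyeNullPointerException $e) {
        $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.');
        return false;
    }
    $meta = $object->getMeta();
    if ($meta === null) {
        throw new EyeNullPointerException('$meta cannot be null.');
    }
    $sysParams = $meta->get('eyeos.application.systemParameters');
    // All three parameters are mandatory: an incomplete triplet cannot be evaluated,
    // so the handler reports a failure instead of reading undefined indexes.
    foreach (array('owner', 'group', 'permissions') as $key) {
        if (!isset($sysParams[$key])) {
            $this->failureException = new EyeHandlerFailureException('Missing system parameter "' . $key . '" for application ' . $object->getName() . '.');
            return false;
        }
    }
    // Extract owner, group and permissions from application's metadata
    $umManager = UMManager::getInstance();
    try {
        $owner = $umManager->getUserByName($sysParams['owner']);
    } catch (EyeNoSuchPrincipalException $e) {
        // report the name that was looked up ($owner itself is unset when the lookup failed)
        $this->failureException = new EyeHandlerFailureException('Unknown owner "' . $sysParams['owner'] . '".');
        return false;
    }
    try {
        $group = $umManager->getGroupByName($sysParams['group']);
    } catch (EyeNoSuchPrincipalException $e) {
        $this->failureException = new EyeHandlerFailureException('Unknown group "' . $sysParams['group'] . '".');
        return false;
    }
    try {
        $perms = AdvancedPathLib::permsToOctal($sysParams['permissions']);
    } catch (Exception $e) {
        $this->failureException = new EyeHandlerFailureException('"' . $sysParams['permissions'] . '" is not a valid octal UNIX permission for application ' . $object->getName() . '.');
        return false;
    }
    // Loop on actions (but here we currently know the action "execute" only)
    foreach ($permission->getActions() as $action) {
        if ($action != 'execute') {
            // the given action is not supported by this handler
            $this->failureException = new EyeHandlerFailureException('Unknown action received: ' . $action . '.');
            return false;
        }
        $ref = 0100;
        $actionText = 'Execution';
        // Select the bit triplet that applies to this user: owner, then group, then others
        if ($eyeosUser->getId() == $owner->getId()) {
            $shift = 0;
        } elseif ($context->getSubject()->getPrincipals()->contains($group)) {
            $shift = 3;
        } else {
            $shift = 6;
        }
        if (!(($ref >> $shift) & $perms)) {
            throw new EyeAccessControlException($actionText . ' access denied to user ' . $eyeosUser->getName() . ' for application ' . $object->getName() . ' (insufficient permissions).');
        }
    }
    if (self::$Logger->isInfoEnabled()) {
        self::$Logger->info('Access granted to user ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on application ' . $object->getName() . '.');
    }
    return true;
}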
/**
 * Self-registration of a new user account.
 *
 * Refused when the SecurityManager metadata carries 'register' == 'false'. The account
 * is created with the default users group, then a login is performed with the new
 * credentials and that login context is installed on the current process and on every
 * process named 'login'. Finally first name, last name (both stripped of tags) and
 * e-mail are stored as user metadata.
 *
 * NOTE(review): on failure only the login context is rolled back; the deletion of a
 * partially created user is commented out below, so a failure after createUser()
 * leaves the account in place — confirm whether that is acceptable.
 *
 * @param array $params [0 => name, 1 => surname, 2 => username, 3 => password, 4 => email]
 * @return string 'success', 'incomplete' (a field is empty/falsy — note that '0' is
 *                treated as empty here) or 'unable to register'
 * @throws EyeUserAlreadyExistsException when the username or the e-mail is already taken
 * @throws Exception any other failure, after the saved login context has been restored
 */
public static function register($params) {
    /* verify permissions again */
    $meta = MetaManager::getInstance()->retrieveMeta(kernel::getInstance('SecurityManager'))->getAll();
    if (isset($meta['register']) && $meta['register'] == 'false') {
        return 'unable to register';
    }
    $procManager = ProcManager::getInstance();
    // kept so the process identity can be restored if anything below fails
    $savedLoginContext = $procManager->getCurrentProcess()->getLoginContext();
    try {
        $name = $params[0];
        $surname = $params[1];
        $username = $params[2];
        $password = $params[3];
        $email = $params[4];
        if (!$name || !$surname || !$username || !$password || !$email) {
            return 'incomplete';
        }
        $myUManager = UMManager::getInstance();
        // check existence
        $exists = false;
        try {
            $myUManager->getUserByName($username);
            $exists = true;
        } catch (EyeNoSuchUserException $e) {
            // not found: the name is free
        }
        if ($exists) {
            throw new EyeUserAlreadyExistsException('User with name "' . $username . '" already exists.');
        }
        // the e-mail address must be unique as well (looked up through user metadata)
        $meta = new BasicMetaData();
        $meta->set('eyeos.user.email', $email);
        $userIds = MetaManager::getInstance()->searchMeta(new EyeosUser(), $meta);
        if (count($userIds) != 0) {
            throw new EyeUserAlreadyExistsException('User with email "' . $email . '" already exists.');
        }
        //create the user
        $user = $myUManager->getNewUserInstance();
        $user->setName($username);
        $user->setPassword($password, true);
        $user->setPrimaryGroupId($myUManager->getGroupByName(SERVICE_UM_DEFAULTUSERSGROUP)->getId());
        $myUManager->createUser($user);
        //login in the system with new user, if this works, for sure the user exists, even with the
        //most complex and strange errors
        $myUManager = UMManager::getInstance();
        $subject = new Subject();
        $loginContext = new LoginContext('eyeos-login', $subject);
        $cred = new EyeosPasswordCredential();
        $cred->setUsername($username);
        $cred->setPassword($password, true);
        $subject->getPrivateCredentials()->append($cred);
        $loginContext->login();
        //we are logged in, so we are going to change the credentials of login
        $procManager = ProcManager::getInstance();
        $procList = $procManager->getProcessesList();
        $currentProcess = $procManager->getCurrentProcess();
        $procManager->setProcessLoginContext($currentProcess->getPid(), $loginContext);
        // presumably $procList maps pid => process name — confirm against ProcManager
        foreach ($procList as $key => $value) {
            if (strtolower($value) == 'login') {
                //we are in another login in execution, this is a refresh, lets see
                //if the login was correct with the old login.
                $loginProcess = $procManager->getProcessByPid($key);
                $procManager->setProcessLoginContext($loginProcess->getPid(), $loginContext);
            }
        }
        // save basic metadata from form (name fields are stripped of tags, the e-mail is stored as given)
        $userMeta = MetaManager::getInstance()->retrieveMeta($user);
        $userMeta->set('eyeos.user.firstname', strip_tags($name));
        $userMeta->set('eyeos.user.lastname', strip_tags($surname));
        $userMeta->set('eyeos.user.email', $email);
        $userMeta = MetaManager::getInstance()->storeMeta($user, $userMeta);
        return 'success';
    } catch (Exception $e) {
        // ROLLBACK
        // restore login context (root probably)
        $procManager->setProcessLoginContext($procManager->getCurrentProcess()->getPid(), $savedLoginContext);
        //// delete invalid user created
        // if (isset($user) && $user instanceof IPrincipal) {
        //     try {
        //         UMManager::getInstance()->deletePrincipal($user);
        //     } catch (Exception $e2) {}
        // }
        throw $e;
    }
}
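/**
 * Creates a new user with default metadata, acting as root.
 *
 * The current process' login context is replaced by one authenticated as root (root's
 * stored password value is passed with the second argument false, as in the other
 * callers of EyeosPasswordCredential::setPassword on this page) before the user is
 * created. If anything fails after that switch, the previous login context is restored
 * before the exception propagates. On success the process is left running as root,
 * exactly as before.
 *
 * @param string $username
 * @param string $password Plain-text password, hashed by setPassword($password, true)
 * @return mixed The created user, as re-read through UMManager::getUserByName()
 * @throws EyeFailedLoginException when the root account cannot be found
 * @throws Exception any failure during creation, after the login context has been restored
 */
private function createUser($username, $password) {
    try {
        $userRoot = UMManager::getInstance()->getUserByName('root');
    } catch (EyeNoSuchUserException $e) {
        // message fixed: the former concatenation produced 'Unknown user root"".'
        throw new EyeFailedLoginException('Unknown user "root". Cannot proceed to login.', 0, $e);
    }
    $subject = new Subject();
    $loginContext = new LoginContext('eyeos-login', $subject);
    $cred = new EyeosPasswordCredential();
    $cred->setUsername('root');
    $cred->setPassword($userRoot->getPassword(), false);
    $subject->getPrivateCredentials()->append($cred);
    $loginContext->login();
    $procManager = ProcManager::getInstance();
    $currentPid = $procManager->getCurrentProcess()->getPid();
    $previousLoginContext = $procManager->getCurrentProcess()->getLoginContext();
    $procManager->setProcessLoginContext($currentPid, $loginContext);
    try {
        $myUManager = UMManager::getInstance();
        $user = $myUManager->getNewUserInstance();
        $user->setName($username);
        $user->setPassword($password, true);
        $user->setPrimaryGroupId($myUManager->getGroupByName(SERVICE_UM_DEFAULTUSERSGROUP)->getId());
        $myUManager->createUser($user, 'default');
        // Add Metadata
        $user = $myUManager->getUserByName($username);
        $meta = MetaManager::getInstance()->retrieveMeta($user);
        $meta->set('eyeos.user.firstname', $username);
        $meta->set('eyeos.user.lastname', '');
        $meta->set('eyeos.user.email', '');
        $meta->set('eyeos.user.language', 'es');
        MetaManager::getInstance()->storeMeta($user, $meta);
    } catch (Exception $e) {
        // do not leave the process elevated to root when the creation failed
        if (!$previousLoginContext) {
            $previousLoginContext = new LoginContext('eyeos-login');
        }
        $procManager->setProcessLoginContext($currentPid, $previousLoginContext);
        throw $e;
    }
    // NOTE(review): on success the process keeps the root login context (unchanged behaviour);
    // if no caller relies on that, restore $previousLoginContext here as well.
    return $user;
}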