/**
  * User attempts to update the given site's certification status. 
  * @param \Site $site
  * @param \CertificationStatus $newCertStatus
  * @param \User $user
  * @param string $reason The reason for this change, max 300 char. 
  * @throws \Exception If access is denied or the change is invalid
  */
 public function editCertificationStatus(\Site $site, \CertificationStatus $newCertStatus, \User $user, $reason)
 {
     //$this->editAuthorization($site, $user);
     require_once __DIR__ . '/Site.php';
     $siteService = new \org\gocdb\services\Site();
     $siteService->setEntityManager($this->em);
     if (count($siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site, $user)) == 0) {
         throw new \Exception('You do not have permission to change site certification status');
     }
     // TODO use validate service
     if (empty($reason)) {
         throw new \LogicException('A reason is required');
     }
     if (strlen($reason) > 300) {
         throw new \LogicException('Invalid reason - 300 char max');
     }
     // Admins can do any cert status change, e.g. to undo mistakes.
     if (!$user->isAdmin()) {
         $this->isChangeValid($site, $newCertStatus);
     }
     $oldStatusString = $site->getCertificationStatus()->getName();
     try {
         $this->em->beginTransaction();
         $now = new \DateTime('now', new \DateTimeZone('UTC'));
         // create a new CertStatusLog
         $certLog = new \CertificationStatusLog();
         $certLog->setAddedBy($user->getCertificateDn());
         $certLog->setNewStatus($newCertStatus->getName());
         $certLog->setOldStatus($oldStatusString);
         $certLog->setAddedDate($now);
         $certLog->setReason($reason);
         $this->em->persist($certLog);
         // update our site
         $site->addCertificationStatusLog($certLog);
         $site->setCertificationStatus($newCertStatus);
         $site->setCertificationStatusChangeDate($now);
         $this->em->merge($site);
         $this->em->flush();
         $this->em->getConnection()->commit();
     } catch (\Exception $ex) {
         $this->em->getConnection()->rollback();
         $this->em->close();
         throw $ex;
     }
 }
Beispiel #2
0
 /**
  * Get an array of Role names granted to the user that permit the requested 
  * action on the given OwnedEntity. If the user has no roles that 
  * permit the requested action, then return an empty array. 
  * <p>
  * Supported actions: EDIT_OBJECT, NGI_ADD_SITE, GRANT_ROLE, REJECT_ROLE, REVOKE_ROLE 
  * 
  * @param string $action
  * @param \OwnedEntity $entity
  * @param \User $callingUser
  * @return array of RoleName values 
  * @throws LogicException If unsupported enitity type or action is passed
  */
 public function authorizeAction($action, \OwnedEntity $entity, \User $callingUser)
 {
     $siteService = new \org\gocdb\services\Site();
     $siteService->setEntityManager($this->em);
     $ngiService = new \org\gocdb\services\NGI();
     $ngiService->setEntityManager($this->em);
     $sgService = new \org\gocdb\services\ServiceGroup();
     $sgService->setEntityManager($this->em);
     $projectService = new \org\gocdb\services\Project();
     $projectService->setEntityManager($this->em);
     if ($entity instanceof \NGI) {
         $grantingRoles = $ngiService->authorizeAction($action, $entity, $callingUser);
     } else {
         if ($entity instanceof \Site) {
             $grantingRoles = $siteService->authorizeAction($action, $entity, $callingUser);
         } else {
             if ($entity instanceof \Project) {
                 $grantingRoles = $projectService->authorizeAction($action, $entity, $callingUser);
             } else {
                 if ($entity instanceof \ServiceGroup) {
                     $grantingRoles = $sgService->authorizeAction($action, $entity, $callingUser);
                 } else {
                     throw new \LogicException('Unsuppored OwnedEntity type');
                 }
             }
         }
     }
     return $grantingRoles;
 }
Beispiel #3
0
 /**
  * Array
  * (
  *     [Service_Type] => 21
  *     [EndpointURL] => Testing://host.com
  *     [Scope] => 2
  *     [Hosting_Site] => 377
  *     [SE] => Array
  *     (
  *         [ENDPOINT] => my.new.host.com21
  *         [HOSTNAME] => my.new.host.com
  *         [HOST_IP] => 10.0.0.1
  *         [HOST_DN] => /cn=JCasson
  *         [HOST_IP_V6] => 0000:0000:0000:0000:0000:0000:0000:0000[/int]
  *         [DESCRIPTION] => hithere
  *         [HOST_OS] =>
  *         [HOST_ARCH] =>
  *         [BETA] => Y
  *         [PRODUCTION_LEVEL] => Y
  *         [IS_MONITORED] => Y
  *         [EMAIL] =>
  *     )
  * )
  * @param Array $values Balues for the new SE (defined above)
  * @param org\gocdb\services\User $user The user adding the SE
  */
 public function addService($values, \User $user = null)
 {
     $this->em->getConnection()->beginTransaction();
     // get the parent site
     $dql = "SELECT s from Site s WHERE s.id = :id";
     $site = $this->em->createQuery($dql)->setParameter('id', $values['hostingSite'])->getSingleResult();
     // get the service type
     $st = $this->getServiceType($values['serviceType']);
     $siteService = new \org\gocdb\services\Site();
     $siteService->setEntityManager($this->em);
     if (count($siteService->authorizeAction(\Action::SITE_ADD_SERVICE, $site, $user)) == 0) {
         throw new \Exception("You don't hold a role over {$site}.");
     }
     $this->validate($values['SE'], 'service');
     $this->validateEndpointUrl($values['endpointUrl']);
     $this->uniqueCheck($values['SE']['HOSTNAME'], $st, $site);
     //check there are the required number of scopes specified
     $this->checkNumberOfScopes($values['Scope_ids']);
     // validate production/monitored combination
     if ($st != 'VOMS' && $st != 'emi.ARGUS') {
         if ($values['PRODUCTION_LEVEL'] == "Y" && $values['IS_MONITORED'] != "Y") {
             throw new \Exception("If Production flat is set to True, Monitored flag must also be True (except for VOMS and emi.ARGUS)");
         }
     }
     $se = new \Service();
     try {
         $se->setParentSiteDoJoin($site);
         $se->setServiceType($st);
         // Set production
         if ($values['PRODUCTION_LEVEL'] == "Y") {
             $se->setProduction(true);
         } else {
             $se->setProduction(false);
         }
         // Set Beta
         if ($values['BETA'] == "Y") {
             $se->setBeta(true);
         } else {
             $se->setBeta(false);
         }
         // Set monitored
         if ($values['IS_MONITORED'] == "Y") {
             $se->setMonitored(true);
         } else {
             $se->setMonitored(false);
         }
         // Set the scopes
         foreach ($values['Scope_ids'] as $scopeId) {
             $dql = "SELECT s FROM Scope s WHERE s.id = :id";
             $scope = $this->em->createQuery($dql)->setParameter('id', $scopeId)->getSingleResult();
             $se->addScope($scope);
         }
         $se->setDn($values['SE']['HOST_DN']);
         $se->setIpAddress($values['SE']['HOST_IP']);
         $se->setOperatingSystem($values['SE']['HOST_OS']);
         $se->setArchitecture($values['SE']['HOST_ARCH']);
         $se->setHostName($values['SE']['HOSTNAME']);
         $se->setDescription($values['SE']['DESCRIPTION']);
         $se->setEmail($values['SE']['EMAIL']);
         $se->setUrl($values['endpointUrl']);
         /* With version 5.3 a service does not have to have an endpoint. 
            $el = new \EndpointLocation();
            $el->setUrl($values['endpointUrl']);
            $se->addEndpointLocationDoJoin($el);
            $this->em->persist($el);
            */
         $this->em->persist($se);
         $this->em->flush();
         $this->em->getConnection()->commit();
     } catch (\Exception $e) {
         $this->em->getConnection()->rollback();
         $this->em->close();
         throw $e;
     }
     return $se;
 }
 /**
  * Persist some seed data - roletypes, user, Project, NGI, sites and SEs and 
  * assert that the user has the expected number of roles that grant specific 
  * actions over the owned objects. For example, assert that the user has 'n' 
  * number of roles that allow a particular site to be edited, or 'n' number 
  * of roles that allow an NGI certification status change.  
  */
 public function testAuthorizeAction1()
 {
     print __METHOD__ . "\n";
     // Create roletypes
     $siteAdminRT = TestUtil::createSampleRoleType(RoleTypeName::SITE_ADMIN);
     $ngiManRT = TestUtil::createSampleRoleType(RoleTypeName::NGI_OPS_MAN);
     $rodRT = TestUtil::createSampleRoleType(RoleTypeName::REG_STAFF_ROD);
     $codRT = TestUtil::createSampleRoleType(RoleTypeName::COD_ADMIN);
     $this->em->persist($siteAdminRT);
     // edit site1 (but not cert status)
     $this->em->persist($ngiManRT);
     // edit owned site1/site2 and cert status
     $this->em->persist($rodRT);
     // edit owned sites 1and2 (but not cert status)
     $this->em->persist($codRT);
     // edit all sites cert status only
     // Create a user
     $u = TestUtil::createSampleUser("Test", "Testing", "/c=test");
     $this->em->persist($u);
     // Create a linked object graph
     // NGI->Site1->SE
     //   |->Site2
     $ngi = TestUtil::createSampleNGI("MYNGI");
     $this->em->persist($ngi);
     $site1 = TestUtil::createSampleSite("SITENAME");
     //$site1->setNgiDoJoin($ngi);
     $ngi->addSiteDoJoin($site1);
     $this->em->persist($site1);
     $se1 = TestUtil::createSampleService('somelabel');
     $site1->addServiceDoJoin($se1);
     $this->em->persist($se1);
     $site2_userHasNoDirectRole = TestUtil::createSampleSite("SITENAME_2");
     $ngi->addSiteDoJoin($site2_userHasNoDirectRole);
     //$site2_userHasNoDirectRole->setNgiDoJoin($ngi);
     $this->em->persist($site2_userHasNoDirectRole);
     // Create ngiManagerRole, ngiUserRole, siteAdminRole and link user and owned entities
     $ngiManagerRole = TestUtil::createSampleRole($u, $ngiManRT, $ngi, RoleStatus::GRANTED);
     $this->em->persist($ngiManagerRole);
     $rodUserRole = TestUtil::createSampleRole($u, $rodRT, $ngi, RoleStatus::GRANTED);
     $this->em->persist($rodUserRole);
     $siteAdminRole = TestUtil::createSampleRole($u, $siteAdminRT, $site1, RoleStatus::GRANTED);
     $this->em->persist($siteAdminRole);
     $this->em->flush();
     // ********MUST******** start a new connection to test transactional
     // isolation of RoleService methods.
     $em = $this->createEntityManager();
     $siteService = new org\gocdb\services\Site();
     $siteService->setEntityManager($em);
     // Assert user can edit site using 3 enabling roles
     $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u);
     $this->assertEquals(3, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
     // Assert user can only edit cert status through his NGI_OPS_MAN role
     $enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u);
     $this->assertEquals(1, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
     // Add a new project and link ngi and give user COD_ADMIN Project role (use $this->em to isolate)
     // Project->NGI->Site1->SE
     //            |->Site2
     $proj = new Project('EGI project');
     $proj->addNgi($ngi);
     //$ngi->addProject($proj); // not strictly needed
     $this->em->persist($proj);
     $codRole = TestUtil::createSampleRole($u, $codRT, $proj, RoleStatus::GRANTED);
     $this->em->persist($codRole);
     $this->em->flush();
     // Assert user now has 2 roles that enable SITE_EDIT_CERT_STATUS change action
     $enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u);
     $this->assertEquals(2, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::COD_ADMIN, $enablingRoles));
     // Assert user can edit SE using SITE_ADMIN, NGI_OPS_MAN, REG_STAFF_ROD roles (but not COD role)
     $seService = new org\gocdb\services\ServiceService();
     $seService->setEntityManager($em);
     $enablingRoles = $seService->authorizeAction(\Action::EDIT_OBJECT, $se1, $u);
     $this->assertEquals(3, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
     // Assert User can only edit Site2 through his 2 indirect ngi roles
     // (user don't have any direct site level roles on this site and COD don't give edit perm)
     $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u);
     $this->assertEquals(2, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
     // Delete the user's Project COD role
     $this->em->remove($codRole);
     $this->em->flush();
     // Assert user can only SITE_EDIT_CERT_STATUS through 1 role for both sites
     $enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site2_userHasNoDirectRole, $u);
     $this->assertEquals(1, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
     $enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u);
     $this->assertEquals(1, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
     // Delete the user's NGI manager role
     $this->em->remove($ngiManagerRole);
     $this->em->flush();
     // Assert user can't edit site2 cert status
     $enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site2_userHasNoDirectRole, $u);
     $this->assertEquals(0, count($enablingRoles));
     // Assert user can still edit site via his ROD role
     $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u);
     $this->assertEquals(1, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
     // Delete the user's NGI ROD role
     $this->em->remove($rodUserRole);
     $this->em->flush();
     // User can't edit site2
     $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u);
     $this->assertEquals(0, count($enablingRoles));
     // Assert user can still edit SITE1 through his direct site level role (this role has not been deleted)
     $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u);
     $this->assertEquals(1, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles));
     // Delete user's remaining Site role
     $this->em->remove($siteAdminRole);
     $this->em->flush();
     // User can't edit site1
     $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u);
     $this->assertEquals(0, count($enablingRoles));
 }