1. If authentication has not been performed (flag is set in the security context) the configured authentication manager is called to authenticate its tokens
2. If a AuthenticationRequired exception has been thrown we look for an authentication entry point in the active tokens to redirect to authentication
3. Then the configured AccessDecisionManager is called to authorize the request/action
/**
* The policy enforcement advice. This advices applies the security enforcement interceptor to all methods configured in the policy.
* Note: If we have some kind of "run as" functionality in the future, we would have to manipulate the security context
* before calling the policy enforcement interceptor
*
* @Flow\Around("filter(Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilegePointcutFilter)")
* @param JoinPointInterface $joinPoint The current joinpoint
* @return mixed The result of the target method if it has not been intercepted
*/
public function enforcePolicy(JoinPointInterface $joinPoint)
{
if ($this->securityContext->areAuthorizationChecksDisabled() !== true) {
$this->policyEnforcementInterceptor->setJoinPoint($joinPoint);
$this->policyEnforcementInterceptor->invoke();
}
return $joinPoint->getAdviceChain()->proceed($joinPoint);
}
/**
* @test
*/
public function invokeCallsThePrivilegeManagerToDecideOnTheCurrentJoinPoint()
{
$securityContext = $this->createMock(Security\Context::class);
$authenticationManager = $this->createMock(Security\Authentication\AuthenticationManagerInterface::class);
$privilegeManager = $this->createMock(Security\Authorization\PrivilegeManagerInterface::class);
$joinPoint = $this->createMock(JoinPointInterface::class);
$privilegeManager->expects($this->once())->method('isGranted')->with(Security\Authorization\Privilege\Method\MethodPrivilegeInterface::class);
$interceptor = new Security\Authorization\Interceptor\PolicyEnforcement($securityContext, $authenticationManager, $privilegeManager);
$interceptor->setJoinPoint($joinPoint);
$interceptor->invoke();
}
/**
* @test
* @todo adjust when AfterInvocationInterceptor is used again
*/
public function enforcePolicyDoesNotInvokeInterceptorIfAuthorizationChecksAreDisabled()
{
$this->mockAdviceChain->expects($this->once())->method('proceed')->with($this->mockJoinPoint);
$this->mockJoinPoint->expects($this->once())->method('getAdviceChain')->will($this->returnValue($this->mockAdviceChain));
$this->mockSecurityContext->expects($this->atLeastOnce())->method('areAuthorizationChecksDisabled')->will($this->returnValue(true));
$this->mockPolicyEnforcementInterceptor->expects($this->never())->method('invoke');
$this->policyEnforcementAspect->enforcePolicy($this->mockJoinPoint);
}
